Outlook Web Access Server Publishing in ISA Server 2004

Outlook Web Access Server Publishin...

Collapse All

Microsoft Internet Security and Acceleration Server 2004

Microsoft® Internet Security and Acceleration (ISA) Server 2004 and Microsoft Outlook® Web Access work together, to enhance security for e-mail messages. This document describes how to securely publish Outlook Web Access servers with mail server publishing rules. It describes the concepts and provides step-by-step instructions for configuring Outlook Web Access solutions.

On This Page

Scenarios
Solutions
References

Outlook Web Access and ISA Server

Outlook Web Access provides Web browser access to e-mail, scheduling (including group scheduling), contacts, and collaborative information stored in Microsoft Exchange Storage System folders. Outlook Web Access is used by remote, home, and roving users.

When you publish Outlook Web Access servers through ISA Server, you are protecting the Outlook Web Access server from direct external access because the name and IP address of the Outlook Web Access server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the Outlook Web Access server according to the conditions of your mail server publishing rule.

Further, ISA Server enables you to easily configure forms-based authentication and to control e-mail attachment availability, to protect your corporate resources when accessed through Outlook Web Access.

The ISA Server Outlook Web Access publishing feature also enables you to publish Outlook Mobile Access and Exchange ActiveSync. Outlook Mobile Access provides users with access to Outlook from mobile devices. Using Exchange ActiveSync, you can synchronize with high levels of security, directly to your Exchange mailboxes from Microsoft Windows® Mobile™-based devices, such as Pocket PC, Pocket PC Phone Edition, and Smartphone.

Forms-Based Authentication

Forms-based authentication is a type of ASP.NET-based authentication in which an unauthenticated user is directed to an HTML form. After the user provides credentials, the system issues a cookie containing a ticket. On subsequent requests, the system first checks the cookie to see if the user was already authenticated, so that the user does not have to supply credentials again.

Most importantly, the credential information is not cached on the client computer. This is particularly important in a scenario where users are connecting to your Outlook Web Access server from public computers, where you would not want user credentials to be cached. Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another website. Also, you can configure a maximum idle session time-out, so that if a user is idle for a prolonged period of time, reauthentication is required.

We recommend that when using forms-based authentication, you use HTTPS for all communications with the site to prevent hackers from stealing the user’s cookie. HTTPS is recommended in general for Outlook Web Access server publishing.

The procedure for configuring forms-based authentication is provided in Secure Outlook Web Access through the Listener in this document.

Note:
ISA Server supports forms-based authentication for Exchange Server 2003, Exchange 2000 Server, and Exchange Server 5.5. When you use ISA Server 2004 with Exchange Server 2003, you must choose to use forms-based authentication of only one of the products. If you use ISA Server forms-based authentication, you retain the ISA Server functionality to inspect response bodies, as well as request URLs, request headers, request bodies, and response headers. ISA Server forms-based authentication provides the additional benefits of authentication at the edge of the network and RADIUS-based authentication without domain membership. However, if you use ISA Server forms-based authentication, you cannot use the Exchange data compression feature. If you use Exchange Server 2003 forms-based authentication, ISA Server inspects request URLs, request headers, request bodies, and response headers, but does not inspect response bodies. However, you retain the Exchange data compression feature. When you use ISA Server 2004 with Exchange Server 2000 or Exchange Server 5.5, which do not provide forms-based authentication or data compression, we recommend that you use the ISA Server forms-based authentication feature. Outlook Web Access includes optional functionality that allows a user to change the password. If a user changes the password during an Outlook Web Access session, the cookie provided after the user initially logged on will no longer be valid. When forms-based authentication is configured on ISA Server, the user who changes the password during an Outlook Web Access session will receive the logon page the next time a request is made.

Note:

ISA Server supports forms-based authentication for Exchange Server 2003, Exchange 2000 Server, and Exchange Server 5.5.
When you use ISA Server 2004 with Exchange Server 2003, you must choose to use forms-based authentication of only one of the products. If you use ISA Server forms-based authentication, you retain the ISA Server functionality to inspect response bodies, as well as request URLs, request headers, request bodies, and response headers. ISA Server forms-based authentication provides the additional benefits of authentication at the edge of the network and RADIUS-based authentication without domain membership. However, if you use ISA Server forms-based authentication, you cannot use the Exchange data compression feature.
If you use Exchange Server 2003 forms-based authentication, ISA Server inspects request URLs, request headers, request bodies, and response headers, but does not inspect response bodies. However, you retain the Exchange data compression feature.
When you use ISA Server 2004 with Exchange Server 2000 or Exchange Server 5.5, which do not provide forms-based authentication or data compression, we recommend that you use the ISA Server forms-based authentication feature.
Outlook Web Access includes optional functionality that allows a user to change the password. If a user changes the password during an Outlook Web Access session, the cookie provided after the user initially logged on will no longer be valid. When forms-based authentication is configured on ISA Server, the user who changes the password during an Outlook Web Access session will receive the logon page the next time a request is made.

Controlling Attachment Availability

Because Outlook Web Access is often used from public computers, you may want to control the user’s ability to view and save attachments, so that private corporate information is not cached or saved to a public computer. ISA Server provides a mechanism for blocking e-mail attachments for users on public (shared) computers or users on private computers (or both). This prevents users from opening or saving attachments, although the attachments can be seen by the users. The procedure for blocking e-mail attachments is provided in Secure Outlook Web Access through the Listener in this document.

If you do not block attachments, note that some attachments, such as Windows Media® files and Excel spreadsheets, cannot be opened directly by a client connected remotely to an Outlook Web Access server. An attempt to open such a file will result in a failure of the application associated with the file. Those files must be saved locally and can then be opened. You can avoid this problem by configuring Exchange Server 2003 or Exchange 2000 Server to force users to save attachments. This feature is not available on Exchange Server 5.5. Configuring Exchange to force the saving of attachments is described in Require the Saving of Attachments in Exchange in this document.

Note:
Exchange 2003 provides an attachment blocking feature, which blocks some type of files even if the feature is disabled. When publishing Exchange Server 2007 with ISA Server 2004 with Service Pack 3 installed, note the following:

When publishing using Exchange Server 2007, we recommend you configure attachment blocking on the Exchange server, instead of enabling attachment blocking in the ISA Server 2004 Web listener. For more information about configuring attachment blocking on Exchange Server 2007, see Exchange Server 2007 product Help.
For authentication to succeed, the Exchange Client Access server must be configured for Basic authentication. For details about configuring the Exchange Client Access server, see Exchange Server 2007 product Help.
If your ISA Server firewall policy already includes a Web publishing rule for Exchange Server, you cannot modify the existing rule to publish Exchange Server 2007. You must delete the existing rule and run the Web Publishing Wizard to create a new rule.

Scenarios

Using Internet Security and Acceleration (ISA) Server 2004, you want to publish an Outlook Web Access server so that users can access their e-mail messages from home computers and from Internet kiosks. You want the connection to the Outlook Web Access server to be secure, and you do not want credentials or proprietary information stored on the client computers.

Solutions

The prescribed solution is to publish the Outlook Web Access server through Internet Security and Acceleration (ISA) Server 2004 using a mail server publishing rule. Communication from external clients to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server will be encrypted using Secure Sockets Layer (SSL). Forms-based authentication will be enabled on the Web listener that listens for Outlook Web Access requests, and attachment availability may be controlled.

Publishing Outlook Web Access in ISA Server consists of these general steps.

Set up the Outlook Web Access server.
Install the digital certificates needed to securely publish Outlook Web Access.

Create a mail server publishing rule to publish the Outlook Web Access server.

Note:
We strongly recommend that you use the Mail Server Publishing Wizard to publish Outlook Web Access servers. This is because by default (with the exception of an Outlook Web Access publishing rule created with the Mail Publishing Rule Wizard), Web publishing rules do not forward the Accept-Encoding header to the published Web server. As a consequence, Web servers will not compress content returned to requesting clients.

Note:

We strongly recommend that you use the Mail Server Publishing Wizard to publish Outlook Web Access servers. This is because by default (with the exception of an Outlook Web Access publishing rule created with the Mail Publishing Rule Wizard), Web publishing rules do not forward the Accept-Encoding header to the published Web server. As a consequence, Web servers will not compress content returned to requesting clients.

Configure caching

Note:
When you use ISA Server forms-based authentication as recommended, no objects are cached from the Outlook Web Access server. To take advantage of the ISA Server caching feature, you can create a cache rule to enable caching of the images served by Outlook Web Access. Do not enable caching of other objects, because this can lead to unexpected logging off of users. If you do not use ISA Server forms-based authentication, when the ISA Server caching feature is enabled, all Outlook Web Access objects will be cached. This can lead to unexpected logging off of users. To avoid this, you must create a cache rule to prevent the caching of Outlook Web Access objects except for images.

Note:

When you use ISA Server forms-based authentication as recommended, no objects are cached from the Outlook Web Access server. To take advantage of the ISA Server caching feature, you can create a cache rule to enable caching of the images served by Outlook Web Access. Do not enable caching of other objects, because this can lead to unexpected logging off of users.
If you do not use ISA Server forms-based authentication, when the ISA Server caching feature is enabled, all Outlook Web Access objects will be cached. This can lead to unexpected logging off of users. To avoid this, you must create a cache rule to prevent the caching of Outlook Web Access objects except for images.

Set Outlook Web Access options, such as forms-based authentication and blocking of attachments for public (shared) or private computers.

Note:
You can also publish an Outlook Web Access server using a server publishing rule for the HTTPS protocol. This is not a recommended ISA Server Outlook Web Access publishing solution, because it requires you to publish an entire server, rather than just the specific Exchange folders required for Outlook Web Access. Further, server publishing rules do not enable you to control user authentication requirements, as the mail server publishing rules do. Also, when you publish an Outlook Web Access server using mail server rules, you can take advantage of the added security provided by the HTTP filter. For information about server publishing rules or the HTTP filter, see the ISA Server 2004 product Help.

Note:

You can also publish an Outlook Web Access server using a server publishing rule for the HTTPS protocol. This is not a recommended ISA Server Outlook Web Access publishing solution, because it requires you to publish an entire server, rather than just the specific Exchange folders required for Outlook Web Access. Further, server publishing rules do not enable you to control user authentication requirements, as the mail server publishing rules do. Also, when you publish an Outlook Web Access server using mail server rules, you can take advantage of the added security provided by the HTTP filter.
For information about server publishing rules or the HTTP filter, see the ISA Server 2004 product Help.

Network Topology

Three computers are necessary to deploy this solution:

A computer to serve as the Outlook Web Access server on the Internal network. The Outlook Web Access server should run Microsoft Windows Server™ 2003 or Windows® 2000 Server Service Pack 3.
The ISA Server 2004 computer.
A computer on the External network, to test the solution.

Outlook Web Access Server Publishing - Walk-through

This walk-through contains the following procedures:

Back up your current configuration
Configure the Outlook Web Access server
Configure the ISA Server computer
Secure Outlook Web Access through the listener
Saving attachments in Exchange
Test the deployment
View Outlook Web Access session information in the ISA Server logs

Outlook Web Access Server Publishing Walk-through Procedure 1: Back Up your Current Configuration

We recommend that you back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backed-up configuration. Follow this procedure to back up the complete configuration of your ISA Server computer.

Expand Microsoft ISA Server Management.
Right-click the name of the ISA Server computer, and then click Back up.
In Backup Array, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identity, such as ExportBackup2June2004.
Click Backup. Because you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.
When the export operation has completed, click OK.

Note:
Because the .xml file is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Note:
Because the .xml file is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Outlook Web Access Server Publishing Walk-through Procedure 2: Configure the Outlook Web Access Server

Follow these steps to configure the Outlook Web Access server.

Installing a digital certificate on the Outlook Web Access server

Prepare and install a digital certificate on the Outlook Web Access server as described in the document Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=20794).

Note:
The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server. This is because the credential information used in the authentication process must be protected, and should not be exposed even within the Internal network. For this reason, you must install digital certificates on both the ISA Server computer and the Outlook Web Access server. ISA Server does not support Outlook Web Access publishing rules that forward HTTP requests from the external client to the Outlook Web Access server as HTTPS. If you create a publishing rule that forwards HTTPS requests from the external client to the Outlook Web Access server as HTTP, do not enable link translation.

Note:

The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server. This is because the credential information used in the authentication process must be protected, and should not be exposed even within the Internal network. For this reason, you must install digital certificates on both the ISA Server computer and the Outlook Web Access server.
ISA Server does not support Outlook Web Access publishing rules that forward HTTP requests from the external client to the Outlook Web Access server as HTTPS.
If you create a publishing rule that forwards HTTPS requests from the external client to the Outlook Web Access server as HTTP, do not enable link translation.

Configuring IIS to support SSL-encrypted Basic authentication:

Open the Internet Services Manager or your custom Microsoft Management Console (MMC) containing the Internet Information Services (IIS) snap-in, and expand the server node, expand the Default Web Site node, select virtual path /Exchange, and then click Properties.
Click the Directory security tab and under Authentication and Access Control, click Edit.
Under Authenticated access, select Basic Authentication, and then provide the domain against which users should be authenticated. Clear Integrated Windows authentication if it is selected, because Basic authentication is the preferred authentication scheme.
Click OK. A dialog box will indicate that Basic authentication method is unsecured. Because you will encrypt this authentication protocol using SSL, you may click Yes to continue.
Click OK. A dialog box may appear, prompting you to specify how the authentication setting should propagate to child nodes in the default site. Click Select All and click OK.
Under Secure Communications, click Edit, select the Require secure channel (SSL) check box, and then click OK twice.
Repeat the preceding steps from step 3 for the virtual path /public.

Repeat the preceding steps from step 3 for the virtual path /exchweb, but select Enable anonymous access and disable all other authenticated access check boxes.

Important:
Exchange Server 2003 provides an option of enabling forms-based authentication. Do not select that option, because it will not work with ISA Server mail publishing rules. Forms-based authentication should be configured on the ISA Server computer.

Outlook Web Access Server Publishing Walk-through Procedure 3: Configure the ISA Server Computer

Follow these steps to configure the ISA Server computer.

Installing a digital certificate

Prepare and install a digital certificate on the ISA Server computer as described in the document Digital Certificates for ISA Server 2004 (http://www.microsoft.com).

Note:
The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server. For this reason, you must install digital certificates on both the ISA Server computer and the Outlook Web Access server.

Creating a mail publishing rule

Create a new mail publishing rule using the New Mail Server Publishing Rule Wizard.

Expand Microsoft ISA Server Management and click Firewall Policy.
In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.
On the Welcome page of the wizard, provide a name for the rule, and then click Next.
On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and then click Next.
On the Select Services page, select Outlook Web Access. You may also select Outlook Mobile Access and Exchange ActiveSync. These services are described in Outlook Web Access and ISA Server in this document.
On the Bridging Mode page, select which parts of the communication path will be secured by digital certificates and therefore take place using the HTTPS protocol. This can be the communication from the client to the ISA Server computer, the communication from the ISA Server computer to the Outlook Web Access server, both types of communication, or neither. We recommend that you select the default Secure connection to clients and mail server, so that both portions of the communications pathway are secured by digital certificates. This will require that a digital certificate be installed on the Outlook Web Access server and on the ISA Server computer, as described in the document Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=20794).
On the Specify the Web Mail Server page, enter the name or IP address of the Outlook Web Access server. This name must match the name on the Outlook Web Access server digital certificate.
On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Outlook Web Access server. Under domain name, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Outlook Web Access server. If you select This domain name and provide a specific domain name, such as mail.fabrikam.com, then, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer, only requests for https://mail.fabrikam.com will be forwarded to the Outlook Web Access server.

On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener.

On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for Outlook Web Access publishing, and then click Next.
On the Listener IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapter of ISA Server. Therefore, select External, and then click Next.

On the Port Specification page, because you plan to listen only for SSL requests (as recommended), you should clear Enable HTTP, and select Enable SSL. Select Secure Socket Layer (SSL), make sure the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. For more information on SSL, see Digital Certificates for ISA Server and Published Servers (http://go.microsoft.com/fwlink/?LinkId=20794). Click Next.

Important:
For secure Outlook Web Access publication, we recommend that you listen only for SSL requests. Use only the standard port numbers, which are the default settings, for Outlook Web Access publishing.

On the Completing the New Web Listener Wizard page, review the settings, and click Finish.

On the Select Web Listener page, click Next.

Note:
For security purposes, you should consider using forms-based authentication and limiting attachment access from public computers. These features are part of the listener used in the mail server publishing rule, but are not configured in the New Web Listener Wizard. For more information, see Secure Outlook Web Access through the Listener in this document.

On the User Sets page, the default, All users, is displayed. This will allow any authenticated user in the External network to access the Outlook Web Access server. To restrict the access to specific users, use the Remove button to remove All users, and the Add button to access the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.
On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.
In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Creating a cache rule

Cache Rule Destination. A URL set containing only http://nameofowaserver/exchweb/img/*
Content Retrieval. Only if a valid version of the object exists in the cache.
Cache Content. If source and request headers indicate to cache and Content requiring user authentication for retrieval.
All other properties can be left in their default condition

If you do not use ISA Server forms-based authentication, when the ISA Server caching feature is enabled, all Outlook Web Access objects will be cached. This can lead to unexpected logging off of users. To avoid this, you must create a cache rule to prevent the caching of Outlook Web Access objects except for images. The cache rule must have the following properties

Cache Rule Destination. A URL set containing http://nameofowaserver/exchweb/*. After you create the rule using the New Cache Rule Wizard, open the rule properties, and on the To tab, add http://nameofowaserver/exchweb/img/* to the Exceptions. This will allow caching of the img (images) path.
Content Retrieval. Only if a valid version of the object exists in the cache.
Cache Content. Never, no content will ever be cached.

To create a cache rule:

Expand Microsoft ISA Server Management, expand Configuration and click Cache.
In the task pane, on the Tasks tab, select Create a Cache Rule to start the New Cache Rule Wizard.
On the Welcome page of the wizard, provide a name for the rule, and then click Next.
On the Cache Rule Destination page, click Add to open the Add Network Entities dialog box, select the appropriate network entity, click Add, and then click Close. On the Access Rule Destination page, click Next.
On the Content Retrieval page, leave the default selection Only if a valid version of the object exists in the cache, and then click Next.
On the Cache Content page, select options as described earlier in this topic.
You can use the default selections on the remaining wizard pages. Information about cache rule properties is provided in the product Help. Review the information on the wizard summary page, and then click Finish.

Outlook Web Access Server Publishing Walk-through Procedure 4: Secure Outlook Web Access through the Listener

The listener that listens for Outlook Web Access server requests (created in Procedure 3) provides these important features for securing your Outlook Web Access server:

Forms-based authentication, described in Forms-Based Authentication in this document.
Control of attachment availability, described in Controlling Attachment Availability in this document.

These features cannot be configured in the New Web Listener Wizard. After you have created a new Web listener in the New Web Listener Wizard, use the following steps to configure the listener to use forms-based authentication and to limit attachment availability.

In ISA Server Management, select the Firewall Policy node. In the task pane, select the Toolbox tab and the Network Objects header.
In the Network Objects header, expand Web Listeners. Double-click the Web listener you created for Outlook Web Access publishing to open its properties.
On the Preferences tab, under Configure allowed authentication methods, click Authentication.
In the list of authentication methods, clear any authentication method that is selected (the default is Integrated), and then select OWA Forms-Based. This establishes forms-based authentication for the Outlook Web Access Web listener, and for the mail server publishing rule that uses this listener. You use the steps that follow to configure idle session time-out and attachment control options.
Under Configure OWA forms-based authentication, click Configure to open the Outlook Web Access Forms-Based Authentication dialog box.
Under Idle Session Timeout, configure the maximum time that clients can remain idle without being disconnected. Typically, you would configure Clients on public machines to have a shorter allowed idle time than Clients on private machines, to reduce the risk that someone will access e-mail if the user leaves the public machine and forgets to log off. Note that this is a global setting for all Web listeners.
Under E-mail attachments, you can select to block e-mail attachments for public and private computers.
You can select Log off OWA when the user leaves the OWA site if you want users to be automatically logged off when they close the Internet Explorer window, refresh the window, or navigate to another website.
Click OK to close the Web listener properties. In the Firewall Policy details pane, click Apply to apply the changes that you made.

Outlook Web Access Server Publishing Walk-through Procedure 5: Require the Saving of Attachments in Exchange

You can completely block attachments received through Outlook Web Access, so that the user cannot open or save any attachments. The procedure for blocking e-mail attachments is provided in Secure Outlook Web Access through the Listener in this document.

If you do not block attachments, note that some attachments, such as Windows Media files and Excel spreadsheets, cannot be opened directly by a client connected remotely to an Outlook Web Access server. An attempt to open such a file will result in a failure of the application associated with the file. Those files must be saved locally and can then be opened. You can avoid this problem by configuring Exchange Server 2003 and Exchange 2000 Server to force users to save attachments. This feature is not available on Exchange Server 5.5.

To force users to save attachments, configure the following registry key on the Exchange Server computer:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\Level2FileTypes

This registry value specifies a set of file extensions that are potentially dangerous as attachments. Attachments matching these types will not be opened automatically. Instead, users will be prompted to save the attachments locally on their computers.

Note:
You cannot configure Exchange Server 5.5 to require the saving of attachments.

Outlook Web Access Server Publishing Walk-through Procedure 6: Test the Deployment

After you complete the configuration, you should test the features you configured.

Testing Outlook Web Access

An external client can access the Outlook Web Access server provided that it can resolve a fully qualified domain name to the external IP address of the ISA Server computer. This would usually be achieved by registering a public Internet domain name with a public DNS server that maps the website name to the external IP address of ISA Server. To test the deployment in a lab environment, you can specify the website host name resolution information using Notepad, in the client hosts file located under the following path: \system32\drivers\etc\hosts in the Windows installation directory.

To connect to the Outlook Web Access site from the external client, type the Web address, such as https://mail.fabrikam.com/exchange. Be certain to specify https in the URL, as shown.

When you connect, you should see a logon page requesting credentials and the session type (public or private). You must provide this information before you can access your mailbox.

If you have set time-outs or blocked attachments, you can test those features by leaving the browser inactive for a period of time and then trying to access mail, and by trying to open or save attachments.

Testing Outlook Mobile Access

From a computer with Internet access, use Internet Explorer to connect to your Outlook Mobile Access DNS address and make sure that Outlook Mobile Access is working properly.

Note:
Although Internet Explorer is not a supported client for Outlook Mobile Access, it is useful to test whether you can communicate with your Exchange front-end server.

After you successfully connect to your Exchange server using Outlook Mobile Access, verify that you can connect to your Exchange server using a supported mobile device with Internet connectivity.

Testing Exchange ActiveSync

Configure a mobile device to connect to your Exchange server using Exchange ActiveSync, and make sure that ISA Server and Exchange ActiveSync are working properly.

Note:
You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA Server and Exchange ActiveSync are working together properly.

Note:

You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA Server and Exchange ActiveSync are working together properly.

Outlook Web Access Server Publishing Walk-through Procedure 7: View Outlook Web Access Session Information in the ISA Server Logs

ISA Server will log the requests that match the mail server publishing rule, if Log requests matching this rule is selected on the Action tab of the rule properties (this is the default condition).

Checking the logging property of the rule

In the Microsoft ISA Server Management console tree, select Firewall policy.
In the details pane, double-click the mail server publishing rule to open its properties dialog box.
Select the Action tab and confirm that Log requests matching this rule is selected.
Click OK to close the properties dialog box.

Viewing the information in the log

In the Microsoft ISA Server Management console tree, select Monitoring.
In the Monitoring details pane, select Logging.
Create a filter so that you receive only the log information regarding Outlook Web Access access attempts. In the task pane, on the Tasks tab, click Edit Filter Properties to open the Edit Filter dialog box. The filter has three default conditions, specifying that the log time is live, that log information from both the firewall and the Web Proxy should be provided, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.
Select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update.
Select Log Record Type. From the Value drop-down menu, select Firewall, and then click Update.
In the task pane, on the Tasks tab, click Edit Filter Properties to open the Edit Filter dialog box. Add another expression by selecting an item from the Filter by drop-down menu, and then provide a Condition and Value. For example, to limit the log to display access to your published Web servers, you can add the expressions Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, and Filter by: Service, Condition: Equals, Value: Reverse Proxy. This will limit the log to items that match Web publishing rules, including the Outlook Web Access publishing rule.
After you have created an expression, click Add to list to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.

References

For information about how to deploy Outlook Web Access in Exchange Server 2003, see the Exchange 2003 Deployment Guide (www.microsoft.com).

For information about how to deploy Outlook Web Access in Exchange 2000 Server, see the document Outlook Web Access in Exchange 2000 Server (www.microsoft.com), and Customizing Microsoft Outlook Web Access (www.microsoft.com).