Planning for Client Access Servers

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic provides an overview of planning considerations for deploying the Client Access server role on a computer that is running Microsoft Exchange Server 2007. The Client Access server role supports the Microsoft Outlook Web Access, Outlook Anywhere, Microsoft Entourage 2004 and Entourage 2008 for Mac, and Microsoft Exchange ActiveSync client applications, in addition to the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. For more information about Entourage 2008 for Mac, see the Microsoft Office 2008 for Mac Administrator’s Guide.

The Client Access server role also hosts several key services, such as the Autodiscover service and Exchange Web Services.

You must have the Client Access server role installed in every Active Directory site within your organization that contains an Exchange 2007 server that has the Mailbox server role installed. If your organization has only one Active Directory site, the Client Access server role must be installed on at least one computer within your Exchange organization.

Installation of a Client Access server in a perimeter network is not supported. The Client Access server must be a member of an Active Directory directory service domain, and the Client Access server machine account must be a member of the Exchange Servers Active Directory security group. This security group has read and write access to all Exchange servers within your organization. Communications between the Client Access server and the Mailbox servers within the organization occurs over RPC. It is because of these requirements that installing a Client Access server in a perimeter network is not supported.

Overview of the Client Access Server Role Features

The Client Access server role manages client access to your Exchange 2007 server. The following client applications require the Client Access server role:

• Exchange ActiveSync   Users can establish a partnership between their Exchange server and their mobile device by using Exchange ActiveSync. Users can synchronize e-mail messages, contacts, tasks, and calendar data.

  Note

  Exchange ActiveSync can synchronize messages in all the mail folders that are stored on the Exchange server, except for the Drafts and Outbox folders.

• Outlook Web Access   Users can access their Exchange mailbox data from a Web browser by using Office Outlook Web Access. The virtual directories for Outlook Web Access are stored on the Client Access server.

  Note

  Outlook Web Access is not supported with Pocket Internet Explorer on a mobile device.

  Note

  Outlook Web Access in Exchange 2007 is accessed by using the URL https://servername/owa. To access public folders through Outlook Web Access in Exchange 2007, use the URL https://servername/public. Outlook Web Access for earlier versions of Exchange is accessed through the URLs https://servername/exchange, https://servername/exchweb, and https://servername/public. If your users have mailboxes on an Exchange 2000 or Exchange 2003 server, they must use these legacy URLs.

• Microsoft Office Outlook   Although Office Outlook 2007 accesses Microsoft Exchange messaging data directly on the Mailbox server, it relies on the Client Access server role for such services as the Autodiscover service and the Availability service.

• Outlook Anywhere   Outlook can connect to your Exchange mailbox over the Internet without using a VPN connection to your internal network if you have enabled Outlook Anywhere. Outlook Anywhere was formerly known as RPC over HTTP.

• POP3 and IMAP4 Clients   If your users connect to Exchange 2007 by using a POP3 or IMAP4 client, their connections will pass through the Client Access server. When Exchange 2007 is installed, all required services for POP3 and IMAP4 are installed. However, they are disabled. To use POP3 or IMAP4 to connect to Exchange 2007, you must enable either the POP3 service or the IMAP4 service.

In addition to providing a connection point for client applications, the Client Access server role provides support for the following services:

• Autodiscover service   Exchange 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers that are running Outlook 2007. The Autodiscover service can also configure supported mobile devices. The Autodiscover service provides access to Microsoft Exchange features for Outlook 2007 clients that are connected to your Exchange messaging environment. The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Microsoft Exchange features, such as the offline address book, the Availability service, and Unified Messaging (UM). Additionally, these Exchange features must be configured correctly to provide external access for Outlook 2007 clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.

• Exchange Web Services   Exchange Web Services provides the functionality to enable client applications to communicate with the Exchange server. Exchange Web Services provides access to much of the same data made available through Outlook. Exchange Web Services clients can integrate Outlook data into line-of-business (LOB) applications. LOB applications that use Exchange Web Services can use the Autodiscover service to obtain profile settings for a particular client.

Understanding the Differences Between a Front End Server and a Client Access Server

Earlier versions of Microsoft Exchange supported a front-end server within an organization. A computer that is running the Exchange 2007 Client Access server role is very different from an Exchange 2003 front-end server. In earlier versions of Microsoft Exchange, the front-end server accepted requests from clients and sent them to the appropriate back-end server for processing. This provided increased capacity for the number of concurrent client sessions within an organization and decreased the load on the back-end server that housed the mailboxes. A front-end server was frequently located in a perimeter network between the external and internal firewalls. One of the primary advantages to a front-end server was the ability to expose a single, consistent namespace when multiple back-end servers were present. Without a front-end server, Outlook Web Access users would have to know the name of the server that stored their mailbox. By including a front-end server, users could access a single URL for Outlook Web Access. The front-end server would proxy the user's request to the appropriate back-end server.

In Exchange 2007, the Client Access server role was designed specifically to optimize the performance of the Mailbox server role by handling much of the processing that previously occurred on back-end servers. Business logic processes, such as Exchange ActiveSync mailbox policies and Outlook Web Access segmentation, are now performed on the Client Access server instead of the Mailbox server. Because the Mailbox server role relies on the Client Access server role to handle incoming client connections, each Active Directory site that has a Mailbox server must also have a Client Access server. Both roles can run on one physical computer. If you have multiple Active Directory sites and want a single external URL for Outlook Web Access or Exchange ActiveSync, you must configure your Client Access servers for proxying.

An Exchange 2007 computer that is running the Client Access server role uses the Exchange RPC protocol to connect to the Mailbox server that it services. You must use a high-bandwidth and low-latency connection between the Client Access server and the Mailbox server. The minimum recommended bandwidth is 100 Mbps, but 1-Gpbs connections should be considered for enterprise datacenters.

Planning Considerations for Exchange ActiveSync

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. Exchange ActiveSync is based on HTTP and XML and lets devices such as browser-enabled cellular telephones or Microsoft Windows Mobile powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks, and to continue to be able to access this information while they are working offline.

When you deploy Exchange ActiveSync, consider the following issues:

• Exchange ActiveSync devices   There are several devices that support Exchange ActiveSync. These devices include Windows Mobile powered devices and other third-party devices. For more information about the devices that support Exchange ActiveSync, see Exchange ActiveSync Devices and Compatible Features.

• Device data plans   Exchange ActiveSync uses a process that is known as Direct Push to keep messaging data synchronized with mobile devices. With Direct Push, data is exchanged over cellular connections. If your users' data plans charge by the minute or the megabyte, the monthly cost can quickly escalate. To use Direct Push with Exchange ActiveSync, your users should have an unlimited data plan with their cellular carrier.

  Note

  Direct Push does not work over a Wi-Fi Internet connection, such as an 802.11b connection. Direct Push works only over a cellular data connection.

• Exchange ActiveSync security   You should have a security plan in place when you deploy Exchange ActiveSync. We strongly recommend that you use Secure Sockets Layer (SSL) with Exchange ActiveSync. By default, when you install Exchange 2007, Exchange ActiveSync is enabled for your users. The Exchange ActiveSync virtual directory is configured to use Basic authentication with SSL. You can configure the Exchange ActiveSync virtual directory to use Integrated Windows authentication or certificate-based authentication.

  In addition to configuring authentication, we recommend that you deploy Exchange ActiveSync mailbox policies to control a variety of settings for your mobile users and their devices. You can require a password, allow or block attachment downloads, require device encryption, specify the maximum number of failed passwords, and enable password recovery. For more information about Exchange ActiveSync mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies.

• Migrating from Exchange Server 2003 to Exchange Server 2007   If you are migrating from Exchange Server 2003 to Exchange 2007, we recommend that you first upgrade your front-end servers to the Client Access server role. You must enable Integrated Windows authentication on the Exchange Server 2003 back-end server for Exchange ActiveSync to function correctly. After you migrate all front-end servers to Exchange 2007, you can migrate your back-end servers to Exchange 2007 Mailbox servers.

Planning Considerations for Outlook Web Access

Outlook Web Access uses an Internet browser to provide access to Exchange information. Outlook Web Access has a powerful, intuitive interface that resembles Outlook 2007 without the need to install Outlook 2007 on the computer. When you deploy your Exchange messaging infrastructure for Internet-based external access, users can use any computer in any location that has an Internet browser that supports HTML 3.2 and European Computer Manufacturers Association (ECMA) formats. Such browsers include Internet Explorer, Mozilla Firefox 1.8, Opera 7.54, and Safari 1.2, and others.

Outlook Web Access supports most of the features that are found in Outlook 2007. By default, all client features are enabled. For more information about the client features that are available in Outlook Web Access, see Client Features in Outlook Web Access.

You may want to limit the features that are available to users through Outlook Web Access, depending on your organization's security and information management needs. For information about how to enable and disable features by using the Exchange Management Console and the Exchange Management Shell, see Managing Outlook Web Access.

Outlook Web Access for Exchange 2007 offers several enhancements to security. You can configure SSL on the Outlook Web Access virtual directory in addition to standard and forms-based authentication. You can configure the following authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell:

• Standard authentication methods   Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods for Outlook Web Access, see Configuring Standard Authentication Methods for Outlook Web Access.

• Forms-based authentication   Forms-based authentication creates a logon page for Outlook Web Access. Forms-based authentication uses cookies to store encrypted user logon credentials and password information. For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web Access.

  Note

  If you configure multiple authentication methods, IIS uses the most secure method first. IIS then searches the list of available authentication protocols, starting with the most secure, until it finds an authentication method that is supported by both the client and the server.

By default, when you install the Client Access server role on an Exchange 2007 server, four Outlook Web Access virtual directories are created in the default Internet Information Services (IIS) Web site on the Exchange server. By default, these virtual directories and the default Web site are configured to require SSL. For more information about how to configure SSL for Outlook Web Access, see How to Configure Outlook Web Access Virtual Directories to Use SSL.

If you want to use SSL to help secure additional Outlook Web Access virtual directories or Web sites, you must do so manually. To configure a site to use SSL, you must obtain a certificate and configure the Web site or virtual directory to require SSL by using that certificate.

Planning Considerations for Outlook Anywhere

Outlook Anywhere enables users who are running Outlook 2007 or Outlook 2003 to connect to your Microsoft Exchange messaging infrastructure from the Internet by using the Outlook Anywhere networking technology.

After you install the Client Access server role on a computer that is running Exchange Server 2007, you can enable Outlook Anywhere for your organization by using the Enable Outlook Anywhere wizard on any Client Access server in your organization. We recommend that you enable at least one Client Access server for Outlook Anywhere access in each site that you manage.

Before you plan your Outlook Anywhere deployment, make sure that you have read the following topics:

• Overview of Outlook Anywhere

• Recommendations for Outlook Anywhere

• White Paper: Outlook Anywhere Scalability with Outlook 2007, Outlook 2003, and Exchange 2007

Planning Considerations for POP3 and IMAP4

Exchange 2007 provides support for clients that use the POP3 and IMAP4 protocols. However, by default, the POP3 and IMAP4 services are not started in Exchange 2007. To use these protocols, you must first start the POP3 and IMAP4 services on the Client Access server.

If you have to administer POP3 and IMAP4 in the original release (RTM) version of Microsoft Exchange Server 2007, you will perform all your administrative tasks in the Exchange Management Shell. In Exchange 2007 Service Pack 1 (SP1), you can manage POP3 and IMAP4 settings by using the Exchange Management Console.

For more information about how to manage POP3 and IMAP4, see Managing POP3 and IMAP4.

When you deploy Client Access servers to support POP3 and IMAP4 clients, there are physical limitations and security limitations if you use earlier versions of Microsoft Exchange, such as Exchange Server 2003. The main physical limitation in deploying POP3 and IMAP4 is that cross-site communication between Client Access servers and Mailbox servers in separate Active Directory sites is not supported. You must make sure that clients are connecting to the Client Access server that is located in the same site as the Mailbox server that contains their mailbox.

Planning Considerations for Exchange 2007 Web Services

An Exchange 2007 Client Access server supports a two Web services: Exchange Web Services and the Autodiscover service.

Exchange Web Services provides access to:

• Free/busy information, meeting suggestions, and Out of Office functionality.

• Calendar, e-mail, contact, folder, and task items in a user's mailbox.

• Notifications about events that occur in a user's mailbox.

• Synchronization features to synchronize clients with the associated mailbox.

• Ambiguous name resolution.

• Distribution list expansion.

The Autodiscover service enables clients such as Outlook, custom applications, and some mobile devices to obtain settings for a variety of services such as the Availability service, Unified Messaging, and the offline address book (OAB). Clients try to connect to the Autodiscover service through two URLs that are based on the user's SMTP address. The two URLs are as follows:

• https://autodiscover.<domain>/autodiscover/autodiscover.xml

• https://<domain>/autodiscover/autodiscover.xml

Outlook submits an XML request that includes the user's e-mail address. The Autodiscover service returns configuration information about the user in addition to the URLs and settings that are used to connect to various services. Exchange Web Services also provides a developer API for customers and partners to write their own custom applications. These custom applications can then interact with Exchange mailbox data.

Security Planning for Client Access Servers

There are many things to consider when you plan a secure messaging environment. Factors such as e-mail attachments and access to internal and external corporate data make it important to consider multiple security precautions before you deploy your messaging environment. We recommend that you use SSL encryption for all Client Access features, including Outlook Web Access and Outlook Anywhere. Additionally, we recommend that you select an authentication method such as Integrated Windows authentication, instead of Basic authentication. Basic authentication transmits user names and passwords in clear text. Choosing an alternative authentication method increases the security of your communications. You can customize each Client Access feature to use different security mechanisms.

One method to help you make your messaging environment more secure is to deploy an advanced firewall server solution such as Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 helps provide an additional level of security and can also enhance client functionality through new features that are designed for Exchange 2007 and ISA Server 2006. For more information about how to use ISA Server 2006 together with Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.