Installation Guide Template - Client Access Server (Windows Server 2008)

Exchange 2007

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2016-11-10

The following Microsoft Exchange Server 2007 installation guide template can be used as a starting point for formally documenting your organization's server build procedures for Exchange 2007 servers that have the Client Access server role installed.

The purpose of this document is to explain the installation and configurations necessary to install Exchange 2007 Client Access server role on the Windows Server 2008 platform.

By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing Total Cost of Ownership, and easing troubleshooting steps.

The scope of this document is limited to installation of an Exchange 2007 Client Access server for Contoso on the Windows Server 2008 x64 Edition operating system platform.

The operator should have working knowledge of Windows Server 2008 x64 Edition concepts, Exchange Server 2007 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.

In addition, the operator should review the Planning for Client Access Servers topic in the Exchange 2007 Online Help before implementing the server role.

This document assumes that Windows Server 2008 x64 Edition is installed per company baseline regulations which include the latest approved service pack and hotfixes.

This document assumes that forest and domain preparation steps have been performed per How to Prepare Active Directory and Domains topic in the Exchange 2007 Online Help.

This document assumes that both Exchange 2007 and Windows Server 2008 will be secured following the best practices found in the following documentation:

importantImportant:
The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

The following media are required for this section.

  1. Verify that Remote Desktop is enabled.

  2. As an optional process, install Microsoft Network Monitor.

  1. Log on to the server with an account that has at least local administrative access.

  2. Click Start, Control Panel and double-click Network and Sharing Center.

  3. Click Manage Network Connections.

  4. Locate the connection for the internal network and rename it appropriately.

  5. Right-click the connection and select Properties.

  6. For the TCP/IP Protocol add the following:

    1. Static IP Address, Subnet Mask, and Gateway

    2. DNS Server IP Addresses

    3. Check the box to Append parent suffixes of the primary DNS suffix

    4. WINS IP Addresses (if using WINS)

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start, Administrative Tools, and select Computer Management.

  3. Expand Storage and click on Disk Management.

  4. Open the Disk Management Microsoft Management Console (MMC) and format, rename, and assign the appropriate Drive Letters so that the volumes and DVD drive match the appropriate server configuration. At the very least, there should be a D drive for the Exchange binaries and the DVD drive should be configured as the Z drive. Refer to the Database Log logical unit number (LUN) Appendix at the end of this document for the actual drive configuration that should be used.

    Drive configuration

    LUN Drive letter Usage

    1

    C

    Operating system

    2

    D

    Exchange binaries

    3

    Z

    DVD drive

All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see Contoso server build DVD hotfix list. A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and has been delegated local Administrator access.

  2. Insert the Exchange 2007 Configuration DVD.

  3. Browse to \W2K8-HotFix\ and double-click W2K8-hotfix.bat.

  4. Click Yes for any Digital Signature not Found dialog boxes that may appear.

    noteNote:
    These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
  5. Wait for all file copies to complete and restart the server.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start, right-click My Computer and select Properties.

  3. Under the Computer Name, domain, and workgroup settings, click Change Settings.

  4. Click Change.

  5. Choose the Domain option button and enter the appropriate Domain name.

  6. Enter the appropriate credentials.

  7. Click OK and OK.

  8. Click OK to close the System Properties.

  9. Restart the server.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Verify (or add if not already there) that the following accounts are members of the local administrators group on this server.

    Local administrators

    Item Account Description Role

    1

    Domain Admins

    Domain Administrative Global Group

    Administrator

    2

    Root Domain\Exchange Organization Administrators

    Exchange Administrators

    Administrator

  3. Verify that your user account is a member of a group which is a member of the local administrators group on the Windows Server 2008 server. If it is not, use an account that is a member of the local administrators group before continuing.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start, right-click Computer and select Manage.

  3. Expand the nodes to find Configuration\Local Users and Groups\Users.

  4. Right-click Administrator and select Set Password. Change the password so that it meets strong complexity requirements.

  5. As an optional step, right-click Administrator and select Rename. Rename the account according to company regulations.

This section installs several useful tools that will aid administrators in Exchange administration and in troubleshooting support issues.

noteNote:
Debugging Tools for Windows will allow administrators to debug processes that are affecting service and determine root cause. For more information, see Install Debugging Tools for Windows 32-bit Version.
  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Insert the Exchange 2007 Configuration DVD.

  3. Open a command prompt and navigate to the \Support folder.

  4. Run the following command where DVDROM-Drive is the DVD drive: W2K8Toolsinstall.cmd DVDROM-Drive (ex: W2K8Toolsinstall.cmd Z:).

  5. Right-click the c:\Tools folder and select Properties.

  6. Click the Security tab.

  7. Click the Advanced button.

  8. Uncheck Inheritance and copy the permissions.

  9. Remove the Everyone (and if listed, the Authenticated Users) security principal.

  10. Add the following groups, granting FULL CONTROL:

    1. SYSTEM

    2. The local Administrators group

    3. Creator Owner

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start, right-click Computer and select Properties.

  3. Select the Advanced System Settings.

  4. Under Startup and Recovery, click the Settings button.

    1. Under Write Debugging Information, change the memory dump drop-down list to Kernel Memory Dump.

    2. Click OK.

  5. Under Performance, click the Settings button.

  6. Click the Advanced tab.

  7. Under Virtual Memory, click the Change button.

  8. On servers that have a dedicated page file drive, follow these steps:

    1. In the Drive list, click C:, and then click Custom size.

    2. For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (Windows requires between 150 MB and 2 GB page file space, depending on server load and the amount of physical RAM that is available for page file space on the boot volume when Windows is configured for a kernel memory dump. Therefore, you may be required to increase the size.)

    3. For the C: drive, set the Maximum Size (MB) value to that of the Initial Size.

    4. In the Drive list, select the page file drive (for example, the P: drive), and then click Custom size.

    5. In the Initial Size (MB) box, type the result of one of the following calculations:

      If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5,.

      If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.

    6. In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.

    7. Delete all other page files.

    8. Click OK.

  9. On servers that do not have a dedicated page file drive, follow these steps:

    1. In the Drive list, click C:, and then click Custom size.

    2. For the C: drive, in the Initial Size (MB) box, type the result of one of the following calculations:

      If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.

      If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.

    3. Delete all other page files.

    4. Click OK.

  10. Click OK two times to close the System Properties dialog box.

  11. Click No if prompted to restart the system.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start and select Computer.

  3. Right-click the D Drive and select Properties.

  4. Click the Security tab.

  5. Click Edit.

  6. Click Add and select the local server from Locations.

  7. Grant the following rights as outlined in the following table.

    Drive permissions

    Account Permissions

    Administrators

    Full Control

    SYSTEM

    Full Control

    Authenticated Users

    Read and Execute, List, Read

    CREATOR OWNER

    Full Control

  8. Click the Advanced button.

  9. Select the CREATOR OWNER permission entry and click View/Edit.

  10. Select Subfolders and Files Only from the drop-down list.

  11. Click OK two times.

  12. Click OK to close the drive properties.

  13. Repeat steps 3-12 for each additional drive (other than the C drive).

This section only needs to be performed on Client Access servers that will be used in a load balanced array. In particular, this section focuses on Windows Network Load Balancing. For more information about Network Load Balancing within Windows Server, see Network Load Balancing Technical Reference and Network Load Balancing Clusters. If you are deploying a hardware load balancing array, review your vendor’s documentation and follow their guidance for configuration.

The values selected in Network Load Balancing, must be the same across all nodes in the cluster.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.

  2. Install Network Load Balancing by opening an administrative command prompt and executing the following command:

    servermanagercmd.exe -i nlb
    
  3. Click Start, Administrative Tools and right-click Network Load Balancing Manager.

  4. Click Cluster-New.

  5. In the New Cluster wizard, enter the local server’s computer name and click Connect and select the appropriate network connection.

  6. Click Next.

  7. In the Host Parameters section, verify the host’s IP address and subnet mask.

  8. Click Next.

  9. In the Cluster IP Address section, click Add and enter:

    1. IP Address

    2. Subnet Mask

  10. Click Next.

  11. In the Cluster Parameters section, enter in the Full Internet Name (for example, mail.contoso.com) that will be used by the cluster and ensure Unicast is selected.

  12. Click Next.

  13. In the Port Rules section, select the default rule and click Edit.

  14. Under Port Range, change the From value to 80 and the To value to 80.

  15. Under Protocols, select TCP.

  16. Click OK.

  17. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 443 and the To value to 443.

    2. Under Protocols, select TCP.

    3. Click OK.

      noteNote:
      If using IMAP or POP in the environment, be sure to create the appropriate rules.
  18. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 143 and the To value to 143.

    2. Under Protocols, select TCP.

    3. Click OK.

  19. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 110 and the To value to 110.

    2. Under Protocols, select TCP.

    3. Click OK.

  20. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 993 and the To value to 993.

    2. Under Protocols, select TCP.

    3. Click OK.

  21. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 995 and the To value to 995.

    2. Under Protocols, select TCP.

    3. Click OK.

      noteNote:
      If using IPSec in the environment, be sure to create a rule for UDP 500.
  22. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 500 and the To value to 500.

    2. Under Protocols, select UDP.

    3. Click OK.

  23. Click OK.

  24. Click OK to acknowledge the resulting dialog.

  25. While still in the internal network connection properties, click Internet Protocol (TCP/IP) and select Properties.

  26. Click Advanced.

  27. Under IP Addresses, click Add.

    1. Enter the virtual IP Address and Subnet Mask and click OK.

    2. Click OK.

  28. Click Finish to complete the New Cluster wizard.

Submit a change request and have the domain name that was specified in the Network Load Balancing Installation and Configuration section for the Network Load Balancing cluster (for example, mail.contoso.com) created as a host record associated to the Network Load Balancing cluster’s IP address.

Submit a change request and have the computer object moved to the appropriate organizational unit (OU). If following the recommendations in the Exchange 2007 Security Guide, the OU will be \Member Servers\Exchange Backend Servers\Exchange Client Access Servers.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Open a command prompt.

  3. Verify that the server is in the correct domain and Active Directory site. At the command line type the following:

    NLTEST /server:%COMPUTERNAME% /dsgetsite
    
  4. The name of the Active Directory site to which the server belongs will be displayed. If the server is not in the correct Active Directory site, submit a change request to the appropriate operations group and have the server moved to the appropriate Active Directory site.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Open a command prompt and change paths to the C drive.

  3. Run the following command:

    dcdiag /s:<Domain Controller> /f:c:\dcdiag.log
    
    noteNote:
    Change <domain Controller> to a domain controller contained within the same Active Directory site as the Exchange server.
  4. Review the output of C:\dcdiag.log file and verify that there are no connectivity issues with the local domain controller.

  5. Repeat steps 3 and 4 for each domain controller in the local Active Directory site.

    noteNote:
    Domain Controller Diagnostics (DCDiag) is a Windows support tool that tests network connectivity and DNS resolution for domain controllers. If the account being used does not have administrative privileges, several tests under the Doing primary tests heading may not pass. These tests can be ignored if the connectivity tests pass. In addition, the log file may report that some service validation tests did not pass. These messages can be ignored if the services do not exist on the domain controller.

  1. Connect to a server in the environment that either has the Exchange Best Practices Analyzer installed or the Exchange 2007 Management tools installed through Remote Desktop and log on with an account that has local administrative access. Depending on the configuration, do the following:

  2. Click Start, All Programs, Microsoft Exchange and select Best Practices Analyzer.

  3. Click Start, All Programs, Microsoft Exchange Server 2007 and select Exchange Management Console.

  4. Click Toolbox.

  5. Double-click Best Practices Analyzer.

  6. Check and apply any updates for the Best Practices Analyzer engine.

  7. Provide the appropriate information to connect to Active Directory and then click Connect to the Active Directory server.

  8. In the Start a New Best Practices Scan, select Exchange 2007 Readiness Check and then click Start Scanning.

  9. Review the report and take action on any errors or warnings that are reported by following the resolution articles that are provided within the Best Practices Analyzer.

    noteNote:
    The Microsoft Exchange Analyzers help Microsoft Exchange Server administrators troubleshoot various operational support issues.

The following CD media are required for this section.

  • Microsoft Exchange 2007 DVD

  • Exchange 2007 Configuration DVD

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Open an administrative command prompt window.

  3. Run the following command where <path> references the E2K7 CONFIG DVD \E2K7-PreReqs folder:

    ServerManagerCmd -ip <path>\Exchange-Base.XML
    
  4. Run the following command where <path> references the E2K7 CONFIG DVD \E2K7-PreReqs folder and <Exchange-role> references the appropriate role XML file:

    ServerManagerCmd -ip <path>\<Exchange-role>.XML
    
  5. Restart the server if required.

Though this document uses the command line method for installing the Exchange roles, the GUI can also be used. For more information about how to use the setup GUI to install an Exchange server role, see the Exchange 2007 Online Help topic How to Perform a Custom Installation Using Exchange 2007.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher) if the server has been pre-created.

  2. Follow the procedure from the Exchange 2007 Online Help topic How to Install Exchange 2007 in Unattended Mode. For example, setup.com /r:CA /t:d:\exchsrvr.

  3. Restart the server, if required.

  4. To prevent the use of the server role before it is fully configured, open an administrative command prompt and stop the IIS services by running the following command:

    net stop iisadmin /y.
    

All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see Contoso server build DVD hotfix list. A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated local Administrator access.

  2. Insert the Exchange 2007 Configuration DVD.

  3. Browse to \E2K7-PostSP1\ and double-click E2K7-postsp1.bat.

  4. Click Yes for any Digital Signature not Found dialog boxes that may appear

    noteNote:
    These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
  5. Wait for all file copies to complete and restart the server.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated the Exchange Organization Administrator role.

  2. Follow the procedure outlined in the Exchange 2007 Online Help topic How to Enter the Product Key.

This section is optional and may be skipped.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Follow the procedures from the Exchange 2007 Online Help topic How to Install the Security Configuration Wizard to install the Security Configuration Wizard.

  3. Follow the procedures from the Exchange 2007 Online Help topic How to Register Exchange Server Role SCW Extensions to register the Exchange 2007 Server SCW extension.

  4. Follow the procedures from the Exchange 2007 Online Help topic How to Create a New Exchange Server Role SCW Policy to configure and apply the policy.

By default, Exchange 2007 optimizes the server’s memory management for programs, which configures the server’s system cache as the default size.

  1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.

  2. Click Start, right-click Computer and select Properties.

  3. Select the Advanced System Settings.

  4. Under Performance, click the Settings button.

    1. Click the Advanced tab.

    2. Verify that the Processor Scheduling is set to Background Services.

  5. Click OK.

A commercial certificate is only needed if the Client Access server will service client requests from the Internet or to facilitate un-trusted cross-forest communication between Client Access servers.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

    noteNote:
    For more information about using the certificate tasks, see the Exchange 2007 Online Help topic Creating a Certificate or Certificate Request for TLS.
    noteNote:
    If generating a certificate that will use Subject Alternative Names, be sure that the certificate’s principal name will be the one that the clients (for example, Outlook) will use to connect (for example, mail.contoso.com). In other words, do not list the Autodiscover namespace as the principal name in the certificate.
  2. Generate the certificate request by using the following Exchange Management Shell command. The DomainName parameter includes the principal URL, Autodiscover FQDN, and the server FQDN. The FriendlyName parameter matches the principal URL that is used by Outlook Web Access and Outlook Anywhere.

    New-ExchangeCertificate -GenerateRequest -SubjectName [Full Subject Path] -DomainName mail.contoso.com, autodiscover.contoso.msft, CAS01, CAS01.contoso.com -FriendlyName mail.contoso.com -privatekeyexportable:$true -path c:\cert.txt
    
    noteNote:
    An example of [Full Subject Path] is "c=US, o=Company, cn=CAS01.contoso.com".
    noteNote:
    In Windows Vista, the Windows RPC/HTTP client-side component required that the Subject Name (Common Name) on the certificate match the “Certificate Principal Name” configured for the Outlook Anywhere connection in the Outlook profile. This behavior was changed in Windows Vista Service Pack 1 (SP1). Therefore, as a best practice, make sure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan to change the configuration. To change the configuration, use the Set-OutlookProvider cmdlet with the -EXPR parameter. For more information about how to change the configuration, see the Exchange Team Blog article, When, if and how do you modify Outlook Providers?
  3. Submit the request file to the Certificate Authority (CA) and have the CA generate the certificate.

  4. After receiving the certificate, import and enable the certificate by running the following Exchange Management Shell command where [services] can be POP, IMAP, IIS, or a combination:

    Import-ExchangeCertificate -path c:\newcert.cer | Enable-ExchangeCertificate -services "[services]"
    
  5. To mandate SSL on the default Web site, do the following:

    1. Open Internet Information Services (IIS) Manager.

    2. Expand the Server Node object and the Sites node.

    3. Click the Default Web Site.

    4. In the middle pane, double-click SSL Settings.

    5. Verify Require secure channel (SSL) is enabled.

    noteNote:
    If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.

An example script that performs the steps outlined in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureAutoDiscover.ps1. For more information about how to use the script, execute .\ConfigureAutoDiscover.ps1 –help.

For more information about deployment considerations for the Autodiscover service, see the Exchange 2007 Online Help topic Deployment Considerations for the Autodiscover Service.

  1. Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Configure the internal Autodiscover URL by running the following command within the Exchange Management Shell where CAS01 is the name of the Client Access server and internal.domain.fqdn is the name of the internal namespace used for Autodiscover:

    Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri "https://internal.domain.fqdn/autodiscover/autodiscover.xml"
    
  3. Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure Exchange Services for the Autodiscover Service to configure the Autodiscover service for usage by Internet clients. This will enable Outlook Anywhere and set the offline address book (OAB), Web Services, and Unified Messaging virtual directories external URL parameter.

  4. Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure Autodiscover for Exchange ActiveSync for usage by Internet clients.

  5. Optional: Enable site affinity by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure the Autodiscover Service to Use Site Affinity.

  6. Verify that Autodiscover functions correctly by following the procedure outlined in the Exchange 2007 Online Help topic How to Test Outlook 2007 Autodiscover Connectivity.

An example script that performs the steps outlined in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOLAnywhere.ps1. For more information about how to use the script, execute .\ConfigureOLAnywhere.ps1 –help.

noteNote:
If step 3 from the Autodiscover Configuration section was followed, then this section can be skipped.
  1. Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Enable Outlook Anywhere to enable Outlook Anywhere.

  3. Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure an External Host Name for Outlook Anywhere if the server will be servicing Outlook Anywhere clients on the Internet.

importantImportant:
When installing the Exchange 2007 SP1 Client Access server role on Windows Server 2008 to support Outlook Anywhere, you will need to manually modify the default Internet Information Services (IIS) 7.0 concurrent connection limit. The default value is 5,000 concurrent connections. We recommend changing this setting to a value between 20,000 and 65,535 concurrent connections.
  1. Open an administrative command prompt and navigate to the %windir%\system32\inetsrv directory.

  2. Run the following commands:

    %windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Rpc" -section:system.webServer/serverRuntime -appConcurrentRequestLimit:65535 -commitpath:apphost
    %windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/RpcWithCert" -section:system.webServer/serverRuntime -appConcurrentRequestLimit:65535 -commitpath:apphost
    

An example script that performs the steps outlined in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOAB.ps1. For more information about how to use the script, execute .\ConfigureOAB.ps1 –help.

noteNote:
If the Client Access server will not be a distribution point for the OAB, this section can be skipped.
By default, the OAB virtual directory does not require SSL. By default, Client Access servers use self-signed certificates for providing HTTP and RPC encryption. Clients that use the BITS service to download files (like OAB) cannot use self-signed certificates. If a commercial certificate is going to be used and ISA 2006 is not going to be used to enforce SSL, then SSL should be enabled on the OAB virtual directory.
  1. Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

    noteNote:
    To use OAB Web distribution, the OAB must be generated on an Exchange 2007 Mailbox server. If the OAB is not generated on an Exchange 2007 Mailbox server, step 2 can be skipped.
  2. Launch the Exchange Management Shell and run the following commands where CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL:

    $a=get-oabvirtualdirectory -Server CAS01
    Set-oabvirtualdirectory $a -ExternalURL https://mail.contoso.com/OAB
    Set-OfflineAddressBook "default offline address book" -VirtualDirectories $a
    iisreset /noforce
    
  3. Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Require SSL for Offline Address Book Distribution if the server has a commercial certificate and will be servicing requests from the Internet and ISA 2006 will not be in use to enforce SSL for Internet requests.

If the Client Access server will not allow IMAP4 connections, this section may be skipped.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Open the Exchange Management Shell.

    1. To configure the IMAP4 bindings, run the following command where CAS01 is the Client Access server and 0.0.0.0 implies any IP address:

      Set-ImapSettings -server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:143" -SSLBindings "0.0.0.0:993"
      
    2. To disable plain text authentication and enable custom calendar item retrieval option for IMAP4, run the following command where mail.contoso.com is the certificate name and external URL:

      Set-ImapSettings -server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
      
    3. To enable the Exchange IMAP4 service for automatic startup, run the following command:

      Set-Service MSExchangeIMAP4 -StartupType automatic
      

If the Client Access server will not allow POP3 connections, this section may be skipped.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Open the Exchange Management Shell.

    1. To configure the POP3 bindings, run the following command where CAS01 is the Client Access server and 0.0.0.0 implies any IP address:

      Set-PopSettings -server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:110" -SSLBindings "0.0.0.0:995"
      
    2. To disable plain text authentication and enable custom calendar item retrieval option for POP3, run the following command where mail.contoso.com is the certificate name and external URL:

      Set-PopSettings -server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
      
    3. To enable the Microsoft Exchange POP3 service for automatic startup, run the following command:

      Set-Service MSExchangePOP3 -StartupType automatic
      

Follow the steps in this section if the Client Access server will service directly from the Internet and ISA 2006 pre-authentication mechanisms are not in use.

If either is true, then skip this section and follow the steps outlined in the Outlook Web Access Configuration (Proxy Scenario) section below.

noteNote:
An example script that performs steps 1-8 in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOWA.ps1. For more information about how to use the script, execute .\ConfigureOWA.ps1 –help.
  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. By default, when the Client Access server role is installed, forms-based authentication is enabled. Ensure that forms-based authentication is enabled by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Forms-Based Authentication for Outlook Web Access.

  3. Configure the public and private cookie timeouts by following the procedures outlined in the Exchange 2007 Online Help topic How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value and How to Set the Forms-Based Authentication Private Computer Cookie Time-Out Value.

  4. Optional: Configure GZip compression by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Gzip Compression Settings.

  5. Configure WebReady Document Viewing by following the procedure outlined in the Exchange 2007 Online Help topic How to Manage WebReady Document Viewing.

  6. Configure private and public computer file access by following the procedure outlined in the Exchange 2007 Online Help topic How to Manage Public and Private Computer File Access.

  7. Configure Windows SharePoint and Windows File Share integration by following the procedure outlined in the Exchange 2007 Online Help topic How to Enable or Block Access from Public and Private Computers.

  8. Optional: If redirection is to be used, then run the following command from the Exchange Management Shell where CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL:

    Set-OwaVirtualDirectory -identity "CAS01\owa (Default Web Site)" -ExternalURL https://mail.contoso.com/owa
    
  9. If legacy Mailbox servers exist within the organization, then you will need to follow these steps:

    1. Follow the procedures outlined in the following topics, but replace the value of the identity parameter with ”CAS01\exchange (Default Web Site)” (where CAS01 is the name of the Client Access server).

    2. By default, when the Client Access server role is installed, forms-based authentication is enabled. Ensure that forms-based authentication is enabled by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Forms-Based Authentication for Outlook Web Access.

    3. Optional: Configure GZip compression by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Gzip Compression Settings.

    4. Repeat step a, but use "CAS01\exchweb (Default Web Site)” for the value of the identity parameter.

    5. Repeat step a, but use "CAS01\public (Default Web Site)” for the value of the identity parameter.

  10. Optional: To simplify the Outlook Web Access URL and redirect users to HTTPS, follow the procedure outlined in the Exchange 2007 Online Help topic How to Simplify the Outlook Web Access URL.

  11. Restartt the Client Access server.

Follow the steps in this section if the Client Access server meets the following conditions.

  • Will not service requests directly from the Internet, but instead will receive requests from other Client Access servers that are located in other Active Directory sites.

  • Will be using ISA 2006 to pre-authenticate Internet requests.

For more information about how to configure ISA Server, see Publishing Exchange Server 2007 with Configuring ISA Server 2006 for Exchange Client Access.

If neither statement applies, skip this section and follow the Outlook Web Access Configuration (Internet Scenario) section above.

noteNote:
An example script that performs the steps 1-8 in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOWA.ps1. For more information about how to use the script, execute .\ConfigureOWA.ps1 –help.
  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Configure Windows Integrated Authentication by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Integrated Windows Authentication.

  3. Optional: Configure GZip compression by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Gzip Compression Settings.

  4. Configure WebReady Document Viewing by following the procedure outlined in the Exchange 2007 Online Help topic How to Manage WebReady Document Viewing.

  5. Configure private and public computer file access by following the procedure outlined in the Exchange 2007 Online Help topic How to Manage Public and Private Computer File Access.

  6. Configure Windows SharePoint and Windows File Share integration by following the procedure outlined in the Exchange 2007 Online Help topic How to Enable or Block Access from Public and Private Computers.

  7. If legacy Mailbox servers exist within the organization, then you will need to follow these steps:

    1. Follow the procedures outlined in the following topics, but replace the value of the identity parameter with ”CAS01\exchange (Default Web Site)” (where CAS01 is the name of the Client Access server):

    2. Configure Windows Integrated Authentication by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Integrated Windows Authentication.

    3. Optional: Configure GZip compression by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure Gzip Compression Settings.

    4. Repeat step a, but use "CAS01\exchweb (Default Web Site)” for the value of the identity parameter.

    5. Repeat step a, but use "CAS01\public (Default Web Site)” for the value of the identity parameter.

  8. Optional: To simplify the Outlook Web Access URL and redirect users to HTTPS, follow the procedure outlined in the Exchange 2007 Online Help topic How to Simplify the Outlook Web Access URL.

  9. Restart the Client Access server.

Follow the steps in this section if the Client Access server will not service requests directly from the Internet, but instead will receive requests from other Client Access servers that are located in other Active Directory sites. If that is not a true statement, skip this section.

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. Click on Start, Administrative Tools and select Internet Information Services (IIS) Manager.

  3. Expand the hierarchy nodes <Server>, Web Sites, Default Web Site.

  4. Click on Microsoft-Server-ActiveSync.

  5. Double-click Authentication in the middle pane.

  6. Select Basic Authentication, right-click and select Disable.

  7. Select Integrated Windows Authentication, right-click and select Enable.

In order for mobile devices to synchronize using Client Access servers when the mailbox resides on Exchange Server 2003, Microsoft-Server-ActiveSync virtual directory must be configured to use Windows Integrated Authentication.

If there are no legacy Exchange Mailbox servers in the organization, this section can be skipped.

noteNote:
You can manually configure Microsoft-Server-ActiveSync virtual directory to use Windows Integrated Authentication by installing https://support.microsoft.com/?id=937031 on a workstation running the Exchange 2003 System Manager.
  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Organization Administrator role.

  2. Insert the Exchange 2007 Configuration DVD.

  3. Open a command prompt and navigate to the \E2K7-Scripts\CAS directory on the share and run the following command:

    legacyEAS.vbs -d:DomainController -a:AdminGroup
    
    noteNote:
    Replace Domain Controller with a domain controller that is in the same Active Directory site as the Exchange Server (optional parameter). Replace Exchange Server with the name of the server to be modified.
  4. The output will be similar to the following if successful:

    Z:\E2K7-Scripts\CAS>legacyeas.vbs -d:W2K3-DC-01 -a:NorthAmerica
    Microsoft (R) Windows Script Host Version 5.1 for Windows
    Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
    Exchange Server Container - cn=Microsoft-Server-Activesync,cn=1,cn=HTTP,cn=Protocols,cn=<Server>,cn=Servers,cn=NorthAmerica,cn=Administrative Groups,cn=<OrgName>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>
    Attribute Name & Value - msExchAuthenticationFlags: 6
    Attribute Set!!
    

The diagnostics tasks used in this section require test mailboxes to be created on the Exchange 2007 Mailbox servers. For more information about how to use the Test script to create the test mailboxes, see the Monitoring for Agentless Servers topic in the Exchange 2007 Online Help.

  1. Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

  2. If the server had not been restarted as a result of a previous section’s instructions, then open a command prompt and start the Web service by executing the command net start w3svc.

  3. Click Start, All Programs, Microsoft Exchange Server 2007 and select Exchange Management Shell.

  4. To test Exchange ActiveSync connectivity, run the following command where <Server> is the name of the Client Access server:

    Test-ActiveSyncConnectivity -ClientAccessServer <Server>
    
  5. To test Autodiscover connectivity, run the following command where <EmailAddress> is the name e-mail address of a mailbox:

    Test-OutlookWebServices -ClientAccessServer <Server>
    
  6. To test Outlook Anywhere connectivity, run the following command:

    Test-WebServicesConnectivity -ClientAccessServer <Server> -AllowUnsecureAccess
    
  7. To test Outlook Web Access connectivity, run the following command where <Server> is the name of the Client Access server:

    Test-OwaConnectivity -ClientAccessServer:<Server> -AllowUnsecureAccess
    
 

Community Additions

ADD
Show: