August 4, 2004

Configure Exchange 2003 for more secure access through forms authentication and faster access through HTTP compression

Last month we took a look at some customization options for Exchange 2003’s OWA (Outlook Web Access). This month, we will work with some new and advanced features in this version of

Forms authentication
Whenever you visit the Exchange website, you are either logged in automatically and authenticated if you are in your Active Directory network, or you are given a standard Web popup authentication dialog box to enter your login details. 

In Exchange 2003, however, you can now have a Web-based login page that allows the user to log in from a Web form. Needless to say, this page can be customized to your liking. Enabling this behavior is quite simple. Open the Exchange System Manager and go to Servers>(Your Exchange Server)> Protocols>HTTP. Right click on the Exchange Virtual Server and select Properties. On the Settings tab, check ‘Enable Forms Based Authentication’. 

Applies to: MS Exchange system administrators
Customize Exchange 2003 to get more secure and faster OWA

The advantage of enabling forms authentication is that your users can enter the server using their domain and login information, which gets stored in a cookie. The cookie times out after a period of inactivity. The user can also choose between Premium, which is OWA with the full Outlook 2003-style feature set, or Basic, which allows OWA to run on older or different browsers but without all the functionality that makes the Premium version so cool (and also slightly heavier). The user can also specify whether he is on a private computer (say his notebook or desktop in the office) or a public computer (a cyber café or computer kiosk). The difference is in when the cookie times out.

Cookie timeouts
To control the security of the forms authentication, cookies are used to store the login credentials. There are two types of cookies that are used in storing. One is when the user selects ‘Public or shared computer’ in the forms login page. The cookie, by default, times out after 15 minutes of inactivity or when the user logs off. The other cookie is used when the user selects ‘Private Computer’. The default timeout value for this type of session is 24 hours (1440 minutes). 

As an administrator you might want to modify these values to provide better security. For this, you must modify two registry entries on the server providing OWA. To modify the first cookie timeout (that is, for the public computer), open the Registry Editor and browse to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA. Create a new DWORD value and name it PublicClientTimeout. Edit the value and in the dialog box, select Decimal. For the value, you can specify any number from 1 to 432000. This number is the timeout in minutes. Remember that the default is 15. So, depending upon your situation, you can set it to something like 5 or 10.

The other entry is for the authenticated user (that is, private computer) login. Browse to the same registry key as above, but this time create a new DWORD value called TrustedClientTimeout. Again, the value should be between 1 and 432000, the default being 1440. 
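The two registry values above, set and checked from PowerShell instead of by hand in regedit. This is an added example, not code from the original article; the function names and the 10-minute and 480-minute hardened values are this example's own choices, and it assumes it is run as an administrator on the server providing OWA.

```powershell
# Added example: audit and tighten the OWA forms-authentication cookie timeouts.
# Assumes: run as administrator on the Exchange 2003 server that provides OWA.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

# Defaults OWA applies when the value is absent (15 min public, 1440 min private)
$Defaults = @{ PublicClientTimeout = 15; TrustedClientTimeout = 1440 }

function Get-OwaCookieTimeout {
    # Returns the effective timeout in minutes for each cookie type,
    # falling back to the documented default when the value is not set.
    $result = @{}
    foreach ($name in $Defaults.Keys) {
        $item = Get-ItemProperty -Path $OwaKey -Name $name -ErrorAction SilentlyContinue
        if ($item -and ($null -ne $item.$name)) { $result[$name] = [int]$item.$name }
        else { $result[$name] = $Defaults[$name] }
    }
    return $result
}

function Set-OwaCookieTimeout {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PublicClientTimeout', 'TrustedClientTimeout')][string]$Name,
        [Parameter(Mandatory)]
        [ValidateRange(1, 432000)][int]$Minutes   # OWA accepts 1..432000 minutes
    )
    if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }
    # A decimal DWORD, exactly what the article creates by hand in regedit
    Set-ItemProperty -Path $OwaKey -Name $Name -Value $Minutes -Type DWord
}

# Before: show what is in force (unset values mean the defaults apply)
$before = Get-OwaCookieTimeout
foreach ($name in $before.Keys) { "{0,-22} {1,6} min" -f $name, $before[$name] }

# Tighten: 10 minutes for public/shared machines, 8 hours for private ones
Set-OwaCookieTimeout -Name PublicClientTimeout  -Minutes 10
Set-OwaCookieTimeout -Name TrustedClientTimeout -Minutes 480

# After: confirm, and flag anything that is not tighter than the shipped default
$after = Get-OwaCookieTimeout
foreach ($name in $after.Keys) {
    if ($after[$name] -ge $Defaults[$name]) {
        Write-Warning "$name is $($after[$name]) min, not tighter than the default $($Defaults[$name])"
    }
}
```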

HTTP compression
You can also set the HTTP compression level in the property page used for forms authentication. Select the level of compression you wish to achieve on the server from None, Low and High. The difference between Low and High is that in Low only static pages are compressed whereas in High, both static and dynamic pages are compressed. 

The new login screen for OWA allows you to choose whether you want the Premium or Basic interface and the kind of computer you are using for accessing it

Setting the compression level allows low-bandwidth users to connect to the server as well. Since the server compresses the HTTP stream and sends it over the wire to the client, where the browser uncompresses and renders the page, much less bandwidth is used. However, there are a few conditions for this to occur. The two important ones are that the Exchange 2003 servers must be running on Windows Server 2003 and the client browser must be Internet Explorer 6 SP1 or above. If either of these conditions is not met, the HTTP stream is not compressed and the data is sent normally. Users can still use OWA without any issues, except that the bandwidth used will be higher.

URL redirection
By default, to access OWA the user needs to enter the address http://<server>/exchange to log in. However, it would be nicer for the user to simply enter the name of the server, say com or http://mail, to access the Exchange Web mail service. To do this, the administrator needs to perform some URL redirection. There are two ways this can be done. 

The first way involves just making a small change in the IIS settings. Open up Internet Service Manager on the server. Go to the properties of the Default website and select the Home Directory tab. Now select the ‘Redirection to a URL’ option and in the ‘Redirect to’ box, enter ‘/exchange’. All requests to http://<servername> will now be automatically redirected to http://<servername>/exchange. 

Enable OWA Forms Based Authentication and the compression levels using System Manager to make the access more secure and faster

You might want the user to be redirected to a secure version of OWA. In such a case, you will need to enter the absolute URL in the ‘Redirect to box’. For instance, you will need to enter https://<servername>/exchange. This will force the user to use the SSL protected version of

The other method involves writing a small ASP script that will perform the redirection for you. The one advantage that the script version has over the previous method is that in case you happen to change the name of the server or replicate the settings to another server, the script will detect the new name and function without requiring any manual changes. 
For this method, create a new file, say called OWAHTTPS.asp which contains the following code.

<%
' Redirect plain-HTTP requests to the SSL-protected OWA URL.
' SERVER_PORT comes back as a string, so convert it before comparing with 80.
If CInt(Request.ServerVariables("SERVER_PORT")) = 80 Then
    sURL = "https://" & Request.ServerVariables("SERVER_NAME") & "/exchange"
    Response.Redirect sURL
End If
%>

Save the file in inetpub\wwwroot. Now open up Internet Service Manager and the Default website. Right click on the Exchange folder and select Properties. Go to the Custom Errors tab and double click on the 403.4 (SSL Required) error. Change the Message Type to URL and the URL to /OWAHTTPS.asp. Restart IIS and check by going to http://<servername>. You will automatically be redirected to https://<servername>/exchange.

As you can see, OWA has a number of features that let you completely customize it. Use them not only to make your OWA look better, but also to secure it more.

Vinod Unny
Enterprise InfoTech
