In an Exchange Server 2007 CAS and Mailbox environment, you may need to configure access between CAS servers, or between CAS and Mailbox servers.
Table 9-2 shows the additional steps required for different Exchange Server 2007 configurations.
139 Configuring OWA access to Enterprise Vault Configuring Enterprise Vault access for OWA users
Table 9-2 Configuration required for different Exchange Server 2007 CAS configurations
Table 9-2 cannot be reproduced cell by cell here. The configurations it covers include "CAS to CAS with Mailbox role" and "CAS to CAS with Mailbox role to Mailbox server", and for each configuration it gives either "Not applicable" or a reference to one or more of the following procedures:
See "Configuration for Mailbox Role on both CAS server and remote servers" on page 141.
See "Setting up constrained delegation" on page 143.
See "Additional configuration for linked mailboxes" on page 144.
Configuration for Mailbox Role on both CAS server and remote servers If you have an environment that includes Exchange 2007 Mailbox Role installed on the Exchange 2007 CAS server computer and also remote Exchange 2007 Mailbox servers, you need to perform additional configuration as described in this section. The steps differ depending on whether you want the Exchange 2007 CAS server to connect to remote Exchange 2007 Mailbox servers using HTTPS or HTTP.
The configuration includes adding settings to the configuration file,Exchange installation path\ClientAccess\Owa\Web.Config, on the Exchange 2007 CAS server.
Table 9-3 shows the relevant settings that you can add to this file. These should be added to the AppSettings section of the file using the following format:
<add key="setting" value="value"/>
Note that entries in this file are case sensitive.
Table 9-3 Web.Config settings

Setting: EnterpriseVault_WebDAVRequestProtocol
Default value: https
Notes: The protocol used by the Exchange 2007 CAS server when making WebDav requests.

Setting: EnterpriseVault_WebDAVRequestHost
Default value: Value set to "localhost" at installation. Also, if you repair the extensions in Add or Remove Programs, the value is reset to "localhost".
Notes: The target server for WebDav requests. If the setting is not specified (that is, the name of the Mailbox server for the mailbox is used), then either the protocol must be set to http, or a certificate must be installed on each Mailbox server.

Setting: EnterpriseVault_WebDAVRequestVirtualDirectory
Default value: exchange
Notes: The virtual directory used by the Exchange 2007 CAS server when making WebDav requests. If the setting is not specified, then the
To connect to remote Exchange 2007 Mailbox servers using HTTPS
1 Open the web.config file (Exchange installation path\ClientAccess\Owa\Web.Config) in a text editor.
2 Delete or comment out the following entry:
<add key="EnterpriseVault_WebDAVRequestHost" value="localhost"/>
3 Save and close the file.
4 Install a certificate for IIS on each of the remote Exchange 2007 Mailbox servers. The certificate must be issued for the name that the CAS server uses to reach the Mailbox server, and it must chain to a certification authority that the CAS server trusts; otherwise the WebDav requests from the CAS server fail.
To connect to remote Exchange 2007 Mailbox servers using HTTP
1 Open the web.config file (Exchange installation path\ClientAccess\Owa\Web.Config) in a text editor.
2 Delete or comment out the following entry:
<add key="EnterpriseVault_WebDAVRequestHost" value="localhost"/>
3 Add the following entry:
<add key="EnterpriseVault_WebDAVRequestProtocol" value="http"/>
4 Save and close the file.
You do not need to install a certificate for IIS on the remote Exchange 2007 Mailbox servers. Note, however, that with HTTP the WebDav traffic between the CAS server and the Mailbox servers, including mailbox content, crosses the network unencrypted.
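The two procedures above differ only in the value of one key. The following PowerShell script is an added example, not code from the Enterprise Vault documentation or product: it backs up the OWA Web.Config on a CAS server, removes the EnterpriseVault_WebDAVRequestHost entry, sets EnterpriseVault_WebDAVRequestProtocol to the chosen protocol, and reads the result back. The default installation path and the Set-OwaAppSetting helper are assumptions; the helper can equally set any other AppSettings key, such as the EnterpriseVault_VaultServiceAccountUPN entry described under "Additional configuration for linked mailboxes".

```powershell
# Added example, not from the Enterprise Vault documentation. Applies the
# "connect using HTTP" or "connect using HTTPS" procedure to the OWA Web.Config
# on an Exchange 2007 CAS. Assumed: Exchange is installed under the default
# path below; -Protocol selects which of the two procedures to apply.
param(
    [ValidateSet('https', 'http')]
    [string]$Protocol = 'https',
    [string]$WebConfig = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Web.Config'
)
$ErrorActionPreference = 'Stop'

# Sets an AppSettings key to a value, or removes the key when -Remove is given.
# Keys in this file are case sensitive, so the XPath match is exact.
function Set-OwaAppSetting {
    param([System.Xml.XmlDocument]$Doc, [string]$Key, [string]$Value, [switch]$Remove)
    $appSettings = $Doc.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw 'appSettings section not found in Web.Config' }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($Remove) {
        if ($node) { [void]$appSettings.RemoveChild($node) }
        return
    }
    if (-not $node) {
        $node = $Doc.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
}

# Back up first: repairing the extensions rewrites this file, and so does this script.
$backup = '{0}.{1}.bak' -f $WebConfig, (Get-Date -Format 'yyyyMMddHHmmss')
Copy-Item -Path $WebConfig -Destination $backup

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true      # keep the file's own layout for later diffs
$doc.Load($WebConfig)

# Step 2 of both procedures: drop the "localhost" host entry so that each
# request goes to the Mailbox server that holds the mailbox.
Set-OwaAppSetting -Doc $doc -Key 'EnterpriseVault_WebDAVRequestHost' -Remove

# Step 3 of the HTTP procedure. https is the default, so the entry is only
# strictly required for http, but setting it explicitly records the choice.
Set-OwaAppSetting -Doc $doc -Key 'EnterpriseVault_WebDAVRequestProtocol' -Value $Protocol

$doc.Save($WebConfig)

# Read back what the CAS will now use; check this before testing from OWA.
"Backup written to $backup"
$doc.SelectNodes("/configuration/appSettings/add[starts-with(@key, 'EnterpriseVault_')]") |
    ForEach-Object { '{0} = {1}' -f $_.GetAttribute('key'), $_.GetAttribute('value') }
```

Run it as `.\Set-EvWebDav.ps1 -Protocol http` on each CAS server for the HTTP procedure, or with no arguments for the HTTPS procedure (the certificates on the Mailbox servers still have to be installed by hand). ASP.NET recycles the OWA application when Web.Config changes, so there is no separate restart step, but the read-back lines are the place to confirm that no EnterpriseVault_WebDAVRequestHost entry survived.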
Setting up constrained delegation
It is necessary to configure constrained delegation for use with the Enterprise Vault OWA 2007 Extensions if the mailbox being accessed is located on a server which is separate from the CAS computer, and users are authenticated to OWA using Integrated Windows Authentication (IWA).
Note that IWA is a requirement to support Client Access Server (CAS) proxying.
For information on CAS proxying, see
http://msexchangeteam.com/archive/2007/09/04/446918.aspx
Configuring constrained delegation requires a domain functional level of Windows Server 2003 or later. For more information about domain functional levels, see
"Domain and forest functionality" in the Help and Support Center for Windows Server 2003.
For each CAS configured for IWA, perform the following steps:
1 Using Active Directory Users and Computers, locate the CAS computer account.
2 Right-click the computer object, and click Properties.
3 Click the Delegation tab.
4 On the Delegation page, click Trust this computer for delegation to specified services only.
5 Click Use any authentication protocol.
6 Click Add, and then Users or Computers.
7 In the box, Enter the object names to select, type the name of an Exchange Server 2007 computer which has mailbox role installed and will be accessed through this CAS.
If the Mailbox role is clustered, be sure to use the Clustered Mailbox Server name instead of the node name.
8 Click Check Names, and then OK.
9 In the Available services list, click http, and then OK.
10 Repeat steps 6 to 9 to add additional Exchange Server 2007 Mailbox computers that will be accessed through this CAS.
For constrained delegation to work properly, Exchange Server 2007 computers with Mailbox roles must have IWA enabled on the /Exchange virtual directory.
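The Delegation tab steps above have to be repeated on every CAS that uses IWA, and the result is easy to get subtly wrong (for example, leaving the computer trusted for delegation to any service). The following PowerShell script is an added example, not code from the Enterprise Vault documentation: it does the same thing through ADSI, which works against a Windows Server 2003 domain without the Active Directory module, and reads the account back afterwards. The computer name CAS01, the Mailbox server names and the flag values' mapping to the Delegation tab options are as documented for Active Directory; the names themselves are assumptions.

```powershell
# Added example, not from the Enterprise Vault documentation. Equivalent of
# steps 1 to 10 of "Setting up constrained delegation", done with ADSI.
# Assumed names: CAS01 is the CAS computer account; the Mailbox servers listed
# are the ones accessed through it (use the Clustered Mailbox Server name for
# a clustered Mailbox role, never the node name).
param(
    [string]$CasName = 'CAS01',
    [string[]]$MailboxServers = @('MBX01.example.com', 'EVCMS01.example.com')
)
$ErrorActionPreference = 'Stop'

# userAccountControl flags (Active Directory, not Enterprise Vault specific).
$TRUSTED_FOR_DELEGATION         = 0x80000    # "any service (Kerberos only)": must be OFF for constrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

# Find the CAS computer account. sAMAccountName of a computer ends in "$".
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$CasName`$))"
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $CasName not found in the domain" }
$cas = $result.GetDirectoryEntry()

# "Trust this computer for delegation to specified services only" is stored as
# the list of SPNs in msDS-AllowedToDelegateTo. Selecting the http service in
# the GUI adds both the FQDN and the short-name form, so do the same here.
$spns = foreach ($server in $MailboxServers) {
    "http/$server"
    "http/$($server.Split('.')[0])"
}
$cas.Properties['msDS-AllowedToDelegateTo'].Clear()
foreach ($spn in $spns) { [void]$cas.Properties['msDS-AllowedToDelegateTo'].Add($spn) }

# Clear unconstrained delegation if it was set, and turn on protocol transition.
$uac = [int]$cas.Properties['userAccountControl'].Value
$uac = ($uac -band (-bnot $TRUSTED_FOR_DELEGATION)) -bor $TRUSTED_TO_AUTH_FOR_DELEGATION
$cas.Properties['userAccountControl'].Value = $uac
$cas.CommitChanges()

# Read back what the Delegation tab would now show.
$cas.RefreshCache()
'{0}: userAccountControl = 0x{1:X}' -f $CasName, [int]$cas.Properties['userAccountControl'].Value
$cas.Properties['msDS-AllowedToDelegateTo'] | ForEach-Object { "  delegate to: $_" }
```

Keep the SPN list to the http service on the Mailbox servers that are actually reached through this CAS. With "Use any authentication protocol" the CAS can obtain a service ticket for any user to every service in that list without holding the user's own Kerberos ticket, so every extra entry widens what a compromised CAS can reach.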
Additional configuration for linked mailboxes
When implementing CAS proxying in a Resource Forest topology, you need to perform the following additional configuration steps to enable OWA users to access linked mailboxes using Integrated Windows Authentication (IWA):
■ Ensure that the account used by the Enterprise Vault Exchange Mailbox archiving task is in the Resource Forest. Typically the task runs as the Vault Service account.
■ If calls are to be made from a user in a different forest from the one in which Exchange Server is installed, then you must ensure that a bi-directional Forest trust is configured.
Note:This is not the same as a bi-directional external trust, which is a trusted domain object (TDO). A trusted domain object does not contain the required forest trust information to manage authentication requests to the remote forest.
For more information on this requirement, see the following technical note on the Symantec Support Web site,
http://entsupport.symantec.com/docs/308042.
■ Using Exchange Management Shell, run the following command line to give the Enterprise Vault Exchange Mailbox task account the required access rights on the linked mailbox. "Send As" is an Active Directory extended right, so the cmdlet is Add-ADPermission (not Add-MailboxPermission, which grants mailbox rights such as FullAccess):
Add-ADPermission -Identity LinkedMailboxName -User MailboxTaskAccount -AccessRights ExtendedRight -ExtendedRights "Send As"
For example,
Add-ADPermission -Identity "Service Requests" -User vsa -AccessRights ExtendedRight -ExtendedRights "Send As"
To set the permission on many mailboxes, you can use the Get-Mailbox cmdlet in a PowerShell pipeline.
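Such a pipeline, as an added example that is not part of the Enterprise Vault documentation: it selects only linked mailboxes, skips the ones where the task account already holds Send As so that the script can be re-run safely, and supports -WhatIf for a dry run. It assumes the Exchange Management Shell on an Exchange 2007 server and the task account name vsa from the example above.

```powershell
# Added example, not from the Enterprise Vault documentation. Grants the
# Exchange Mailbox task account "Send As" on every linked mailbox in the
# Resource Forest. Assumed: run in the Exchange Management Shell; the task
# account is 'vsa' as in the documentation's example.
param(
    [string]$TaskAccount = 'vsa',
    [switch]$WhatIf
)
$ErrorActionPreference = 'Stop'

# Only linked mailboxes need this; leave ordinary mailboxes alone.
$linked = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox

$granted = 0
foreach ($mbx in $linked) {
    # Idempotent: an allow ACE for Send-As already held by the account is left as is.
    $existing = Get-ADPermission -Identity $mbx.DistinguishedName -User $TaskAccount -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like '*Send-As*') }
    if ($existing) {
        "Already set: $($mbx.Name)"
        continue
    }
    Add-ADPermission -Identity $mbx.DistinguishedName -User $TaskAccount `
        -AccessRights ExtendedRight -ExtendedRights 'Send As' -WhatIf:$WhatIf
    $granted++
}
'{0} linked mailboxes checked, {1} grants issued' -f @($linked).Count, $granted
```

Run it once with -WhatIf to see which mailboxes would change. Granting the right per mailbox, rather than on the organization or a mailbox database container, keeps the task account's Send As to the mailboxes it actually archives.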
■ On the CAS servers associated with each user who will access the linked mailbox, edit the OWA configuration file, Web.Config, as follows:
■ Take a backup copy of the file, Exchange installation folder\ClientAccess\Owa\Web.Config, and then open the file for editing.
■ Add the following entry to the AppSettings section of the file:
<add key="EnterpriseVault_VaultServiceAccountUPN" value="MailboxTaskAccountUPN"/>
For example,
<add key="EnterpriseVault_VaultServiceAccountUPN" value="[email protected]"/>
Note that the value given must be the User Principal Name (UPN) for the Exchange Mailbox task account, and this account must be in the Resource Forest.
Entries in this file are case sensitive.