So, what do you need to do? Assume
you have a single Exchange 2007 server
called exchserver1 running the Mailbox,
Hub Transport, and Client Access roles and
you want to access the server using OWA
internally via the URL https://owa.example.local and externally via the URL https://owa.example.com.
First, you need the relevant DNS A records
in your internal and external DNS zones so
that the URLs resolve to the IP address of
the server. For external access, make sure
incoming traffic traverses any firewalls over
port 443. When DNS resolution is working,
you create a certificate request by running the
following PowerShell command in EMS:
New-ExchangeCertificate
-GenerateRequest:$True
-SubjectName "c=US, o=company,
cn=owa.example.com"
-DomainName owa.example.com,
autodiscover.example.com,
exchserver1, example.local,
example.com,
exchserver1.example.local
-FriendlyName ExchOWACert
-PrivateKeyExportable:$True
-Path C:\ExchOWACert.req
This command creates a request file, which
you then send to your certificate authority
(CA), be it an internal or public one. It’s
important that the SubjectName parameter
is correct and represents your company. Otherwise, it’s unlikely a public CA such
as VeriSign will be able to authorize your
request.
After your CA authorizes your server, it
sends you a .cer file. You must import that
file to the server using the command
Import-ExchangeCertificate
-Path C:\ExchOWACert.cer
The output of this command shows that the
certificate has been imported and lists the
certificate’s thumbprint. Copy the thumbprint
to the clipboard; you’ll need it to
enable the certificate. To enable the certificate,
use the following command, where thumb is the copied thumbprint:
Enable-ExchangeCertificate
-Thumbprint thumb
-Services "IIS,POP,IMAP,SMTP"
You’re almost done. All that remains is to
set the URLs required to access Exchange.
But first, I should introduce a couple of
parameters. The InternalURL and ExternalURL
parameters can be specified on
web-accessible virtual directories such as
OWA, Offline Address Book, Autodiscover,
Exchange ActiveSync, Unified Messaging,
and Exchange Web Services. Each of these
virtual directories has a URLs property
page that lets you configure its internal
and external URLs. The InternalURL and
ExternalURL parameters let you specify different
URLs for access to the Client Access
server. The InternalURL parameter is set
by default on installation and is what the
default self-signed certificate uses for its
principal name. When a Client Access server
is externally accessible, the ExternalURL
parameter should be configured with the
URL used to access the service, such as owa.example.com/owa.
Setting these parameters in larger
Exchange deployments can be complex, but
in this scenario, things are fairly simple. Use
this command to set up the virtual directory
for OWA:
Set-OWAVirtualDirectory
-Identity "OWA (Default Web Site)"
-InternalURL https://owa.example
.local/owa
-ExternalUrl https://owa
.example.com/owa
The command is the same for other virtual
directories, but substitute the corresponding EMS cmdlet (i.e., Set-OABVirtualDirectory,
Set-UMVirtualDirectory, Set-WebServices-
VirtualDirectory) and identity parameter.
Having completed these steps, you
should now have secure access to OWA
both internally and externally from the URLs
specified. You should also have a solid base
to begin the process of enabling Outlook
Anywhere with Autodiscover because the
certificate and InternalURL/ExternalURL
configurations are already in place.
Lack of Native Backup in
Server 2008
My final annoyance is the lack of a built-in
backup utility for Exchange 2007 running
on Windows Server 2008. Exchange needs
an Exchange-aware backup program. Ever
since the first version of Exchange (4.0)
shipped, the Exchange installation has
modified NTBackup to provide just such a
program. However, with the move to Volume
Shadow Copy Service (VSS)-based backups
on Server 2008—and consequently, the
removal of NTBackup—Exchange no longer
has a usable backup utility. The only options
left are to purchase Microsoft System Center
Data Protection Manager or third-party
backup software. Unfortunately, right now
there’s nothing else that can be done, but in
June 2008 a member of the Exchange Server
product team announced that Microsoft
plans to release a VSS-based plug-in for
Windows Server Backup. The plug-in will let
customers take Exchange-aware VSS backups
on Server 2008. At press time, however,
no updates have been released about the
plug-in.
As someone who has worked with
Exchange 2007 for a while now, I often have
clients moan to me about the bits they don’t
like. I hope this article gives you ideas about
how to work around some of the challenging
areas of Exchange—and I hope Microsoft will
improve some of these problem areas in the
next version of Exchange.