Outlook Web Access

Multi-Server Environment

For multi-server organizations, Microsoft recommends a front-end/back-end deployment of Outlook Web Access. HTTP requests are proxied by the front-end server to a back-end server running Outlook Web Access and Exchange.

Front-End/Back-End Servers

When the front-end server receives a request, it uses LDAP to query Active Directory and determine the back-end server on which the resource is stored.

Using a front-end/back-end deployment has the following advantages:

Front-End/Back-End Authentication

The default Outlook Web Access authentication methods are Basic authentication (clear text) and Integrated Windows authentication.

In a multiple server environment, authentication occurs on both the front-end and back-end servers.

Important   Integrated Windows authentication works in a front-end/back-end configuration only in a pure Windows 2000 client/server environment. Specifically, all clients must be Windows 2000 clients using Internet Explorer 5.0 or later, which are accessing Windows 2000 servers.

The client's browser always uses the strongest authentication level possible. Microsoft recommends that a lowest level of authentication be set on the front-end server to ensure that authorized requests from all browsers are proxied successfully. This is the minimum level of security supported by every Outlook Web Access user in your organization.

If you have Integrated Windows authentication enabled on a front-end server, for example, a client using Internet Explorer 4.0 can negotiate successfully, but the authentication credentials cannot be relayed to the back-end server and the client's request fails. Only users with computers running Windows 2000 and Internet Explorer 5.0 can send Integrated Windows authentication between the front-end and back-end servers. Integrated Windows authentication should only be enabled at the front-end server if Internet Explorer 5.0 is the only browser used with Outlook Web Access in your organization.

If you are using a front-end and back-end configuration and clients are not using Windows 2000 Professional and Internet Explorer 5.0, you should set the authentication level on the front-end server to Basic. This level is supported by all browsers. After the client request is authenticated at the front-end server, you can then require more secure authentication levels on the back-end server.

For information on front-end/back-end configurations and custom HTTP virtual servers, see the following topics:

Related Topics

Configure a Front-End Server Single-Server Environment Create a New HTTP Server