Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2009-06-29
The following Microsoft Exchange Server 2007 installation guide template can be used as a starting point for formally documenting your organization's server build procedures for Exchange 2007 servers with the Client Access server role installed.
Executive Summary
The purpose of this document is to explain the installation and configurations necessary to install the Exchange Server 2007 Client Access server role.
Business Justification
By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing Total Cost of Ownership, and easing troubleshooting steps.
Scope
The scope of this document is limited to installation of an Exchange 2007 Client Access server for Contoso on the Windows Server 2003 Enterprise x64 Edition operating system platform.
Prerequisites
The operator should have working knowledge of Windows Server 2003 Enterprise x64 Edition concepts, Exchange Server 2007 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.
In addition, the operator should review the Planning for Client Access Servers topic in the Exchange 2007 Online Help before they implement the server role.
Assumptions
This document assumes that Windows Server 2003 Enterprise x64 Edition is installed per company baseline regulations which include the latest approved service pack and hotfixes. The current service pack level is Windows Server 2003 Service Pack 2 for x64 Editions.
It is also assumed that the following are installed:
- Windows Server 2003 Service Pack 2 32-bit Support Tools are installed on the server as the tools are useful for troubleshooting.
- Windows Server 2003 Resource Kit Tools are installed on the server as the tools are useful for troubleshooting.
This document assumes that forest and domain preparation steps have been performed per the How to Prepare Active Directory and Domains topic in the Exchange 2007 Online Help.
This document assumes that both Exchange 2007 and Windows Server 2003 will be secured following the best practices found in:
- Exchange Server 2007: Security and Protection
- Windows Server 2003: Windows Server 2003 Security Guide
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Server Configuration
The following media are required for this section.
- Windows Server 2003 Enterprise x64 Edition media
- Exchange 2007 Configuration DVD
Note: For instructions about how to build the Exchange Server 2007 Configuration DVD, see How to Create a Configuration DVD and Automation Files.
Additional Software Verification
- Verify that Remote Desktop is enabled.
- As an optional process, install Microsoft Network Monitor.
Network Interfaces Configuration
- Log on to the server with an account that has at least local administrative access.
- Click Start, Control Panel and right-click Network Connections. Then select Open.
- Locate the connection for the internal network and rename it appropriately.
- For the TCP/IP Protocol, add the following:
  - Static IP Address, Subnet Mask, and Gateway
  - DNS Server IP Addresses
  - Check the box to Append parent suffixes of the primary DNS suffix
  - WINS IP Addresses (if using WINS)
Drive Configuration
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Open the Disk Management Microsoft Management Console (MMC) and format, rename, and assign the appropriate Drive Letters so that the volumes and DVD drive match the appropriate server configuration. At the very least, there should be a D drive for the Exchange binaries and the DVD drive should be configured as the Z drive. Refer to the Database Log logical unit number (LUN) Appendix at the end of this document for the actual drive configuration that should be used.

Drive configuration

| LUN | Drive letter | Usage |
|---|---|---|
| 1 | C | Operating system |
| 2 | D | Exchange binaries |
| 3 | Z | DVD drive |
Internet Information Services (IIS) Installation
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Insert the Windows Server 2003 Enterprise x64 Edition media.
- Click Start, Control Panel and then double-click Add or Remove Programs.
- Click Add/Remove Windows Components.
- Click Application Server and select Details.
- Click Internet Information Services and then click Details.
  Note: Enable network COM+ access will be enabled also.
  - Verify the World Wide Web service is selected.
  - Click OK.
- Click OK.
- Click Next.
- Click Finish.
RPC Proxy Installation
You only need to install the RPC over HTTP Proxy Windows networking component on the Client Access servers that are providing Microsoft Outlook Anywhere access.
- Connect to the server via Remote Desktop and log on with an account that has local administrative access.
- Insert the Windows Server 2003 Enterprise x64 Edition media.
- Click Start, Control Panel and select Add/Remove Programs.
- Click Add/Remove Windows Components.
- Click Networking Services.
- Click Details and add the following sub-component. If any other sub-components are installed, remove them.
  - Click the check box next to RPC over HTTP Proxy.
  - Click OK.
- Click Next.
- Click Finish.
Internet Explorer 7 Installation
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Insert the Exchange 2007 Configuration DVD.
- Browse to \IE7\ and double-click IE7-install.bat.
- Click Yes for any Digital Signature not Found dialog boxes that may appear.
  Note: These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
- Wait for all file copies to complete and restart the server.
Windows Server 2003 Post-SP2 Hotfix Installation
All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see Contoso server build DVD hotfix list. A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated local Administrator access.
- Insert the Exchange 2007 Configuration DVD.
- Browse to \W2K3-PostSP2\ and double-click W2K3-post-sp2.bat.
- Click Yes for any Digital Signature not Found dialog boxes that may appear.
  Note: These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
- Wait for all file copies to complete and restart the server.
Domain Membership Configuration
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Click Start, right-click My Computer and select Properties.
- Click the Computer Name tab.
- Click Change.
- Choose the Domain option button and enter the appropriate Domain name.
- Enter the appropriate credentials.
- Click OK and OK.
- Click OK to close the System Properties.
- Restart the server.
Local Administrators Verification
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Verify (or add if not already there) that the following accounts are members of the local administrators group on this server.

Local administrators

| Item | Account | Description | Role |
|---|---|---|---|
| 1 | Domain Admins | Domain Administrative Global Group | Administrator |
| 2 | Root Domain\Exchange Organization Administrators | Exchange Administrators | Administrator |

- Verify that your user account is a member of a group which is a member of the local administrators group on the Windows Server 2003 server. If it is not, use an account that is a member of the local administrators group before continuing.
Local Administrator Account Password Reset
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Click Start, right-click My Computer and select Manage.
- Expand to Local Users and Groups\Users.
- Right-click Administrator and select Set Password. Change the password so that it meets strong complexity requirements.
- Optional: Right-click Administrator and select Rename. Rename the account according to company regulations.
Tools Installation
This section installs several useful tools that will aid administrators in Exchange administration and in troubleshooting support issues.
Note: Debugging Tools for Windows will allow administrators to debug processes that are affecting service and determine root cause. For more information, please see Install Debugging Tools for Windows 32-bit Version.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Insert the Exchange 2007 Configuration DVD.
- Open a command prompt and browse to the \Support folder.
- Run the following command where DVDROM-Drive is the DVD Drive: E2K7Toolsinstall.cmd DVDROM-Drive (ex: E2K7Toolsinstall.cmd Z:).
- Right-click the c:\Tools folder and select Properties.
- Click the Security tab.
- Click the Advanced button.
- Clear Inheritance and copy the permissions.
- Remove the Everyone (and if listed, the Authenticated Users) security principal.
- Add the following groups, granting FULL CONTROL:
  - SYSTEM
  - The local Administrators group
  - Creator Owner
Page File Modifications
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Click Start, right-click My Computer and select Properties.
- Select the Advanced tab.
- Under Startup and Recovery, click the Settings button.
  - Under Write Debugging Information, change the memory dump drop-down list to Kernel Memory Dump.
  - Click OK.
- Under Performance, click the Settings button.
- Click the Advanced tab.
- Under Virtual Memory, click the Change button.
- On servers that have a dedicated page file drive, follow these steps:
  - For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (Windows requires between 150 MB and 2 GB of page file space. The amount depends on server load and on the amount of physical RAM that is available for page file space on the boot volume when Windows is configured for a kernel memory dump. Therefore, you may be required to increase the size.)
  - For the C: drive, set Maximum Size (MB) to the value of Initial Size.
  - For the P: drive, type the result of one of the following calculations in the Initial Size (MB) box:
    - If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.
    - If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.
  - For the P: drive, set Maximum Size (MB) to the value of Initial Size.
  - Delete any other page files.
  - Click OK.
- On servers that do not have a dedicated page file drive, follow these steps:
  - For the C: drive, type the result of one of the following calculations in the Initial Size (MB) box:
    - If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.
    - If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.
  - For the C: drive, set Maximum Size (MB) to the value of Initial Size.
  - Delete any other page files.
  - Click OK.
- Click OK to close the System Properties dialog box.
- Click No if you are prompted to restart the system.
Note: For more information on Page File recommendations, see the following articles: Configuring paging files for optimization and recovery in Windows Server 2003, in Windows 2000, and in Windows NT; How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP; and Overview of memory dump file options for Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000.
Drive Permissions
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Click Start and select My Computer.
- Right-click the D Drive and select Properties.
- Click the Security tab.
- Select the Everyone group and then click Remove.
- Select Users and then click Remove.
- Click Add and select the local server from Locations.
- Grant the following rights as outlined in the following table.

Drive permissions

| Account | Permissions |
|---|---|
| Administrators | Full Control |
| SYSTEM | Full Control |
| Authenticated Users | Read and Execute, List, Read |
| CREATOR OWNER | Full Control |

- Click the Advanced button.
- Select the CREATOR OWNER permission entry and then click View/Edit.
- Select Subfolders and Files Only from the drop-down list.
- Click OK two times.
- Click OK to close the drive properties.
- Repeat Steps 3-10 for each additional drive (other than the C Drive).
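
The permissions set by hand here and on c:\Tools in the Tools Installation section can be audited afterwards. The following PowerShell is an added example, not part of this guide or of the Configuration DVD: the function, variable and profile names are hypothetical, and the identity strings assume an English-language Windows installation. It can only be run once Windows PowerShell has been installed (see Exchange 2007 Prerequisites Installation).

```powershell
# Added example, not from the Exchange 2007 Configuration DVD.
# Helper names are illustrative; identity strings assume English-language Windows.
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecute = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
$Synchronize = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$GenericAll  = 0x10000000   # raw GENERIC_ALL; drive roots often store CREATOR OWNER this way

# Expected state, taken from the Drive permissions table and steps above.
$DriveProfile = @{
    Forbidden   = @('Everyone', 'BUILTIN\Users')
    Required    = @{
        'BUILTIN\Administrators'           = $FullControl
        'NT AUTHORITY\SYSTEM'              = $FullControl
        'NT AUTHORITY\Authenticated Users' = $ReadExecute   # Read and Execute, List, Read
        'CREATOR OWNER'                    = $FullControl
    }
    InheritOnly = @('CREATOR OWNER')                        # "Subfolders and Files Only"
}
# Expected state for c:\Tools, taken from the Tools Installation section.
$ToolsProfile = @{
    Forbidden   = @('Everyone', 'NT AUTHORITY\Authenticated Users')
    Required    = @{
        'BUILTIN\Administrators' = $FullControl
        'NT AUTHORITY\SYSTEM'    = $FullControl
        'CREATOR OWNER'          = $FullControl
    }
    InheritOnly = @()
}

# Map a rule's rights to a comparable bit mask, treating GENERIC_ALL as Full Control.
function Get-NormalizedRights($Rule) {
    $raw = [int]$Rule.FileSystemRights
    if ($raw -band $GenericAll) { return $FullControl }
    return $raw
}

# Compare a set of access rules with an expected profile; returns a list of findings.
function Test-GuideAcl {
    param([object[]]$Rules, [hashtable]$Expected)
    $findings = @()
    $allow = @($Rules | Where-Object { [string]$_.AccessControlType -eq 'Allow' })

    # Principals the guide tells the operator to remove.
    foreach ($rule in $allow) {
        $id = [string]$rule.IdentityReference
        if ($Expected.Forbidden -contains $id) {
            $findings += "REMOVE: $id still has an Allow entry"
        }
    }
    # Principals the guide tells the operator to grant, with exact rights.
    foreach ($id in $Expected.Required.Keys) {
        $want = $Expected.Required[$id]
        $mine = @($allow | Where-Object { [string]$_.IdentityReference -eq $id })
        if ($mine.Count -eq 0) { $findings += "MISSING: $id"; continue }

        $have = 0
        foreach ($r in $mine) { $have = $have -bor (Get-NormalizedRights $r) }
        if (($have -band $want) -ne $want) { $findings += "TOO FEW RIGHTS: $id" }
        # Synchronize is normally added to Allow entries, so it is not counted as excess.
        if (($have -band (-bnot ($want -bor $Synchronize))) -ne 0) {
            $findings += "TOO MANY RIGHTS: $id"
        }
        if ($Expected.InheritOnly -contains $id) {
            foreach ($r in $mine) {
                if ([string]$r.PropagationFlags -notmatch 'InheritOnly') {
                    $findings += "SCOPE: $id entry also applies to the folder itself"
                }
            }
        }
    }
    return ,$findings
}

# Constructed sample (not real output): a D:\ root where Everyone was never removed
# and Authenticated Users were given Modify instead of Read and Execute.
function New-SampleRule($Id, $Rights, $Propagation) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty IdentityReference $Id
    $o | Add-Member NoteProperty FileSystemRights  $Rights
    $o | Add-Member NoteProperty AccessControlType 'Allow'
    $o | Add-Member NoteProperty PropagationFlags  $Propagation
    $o
}
$sample = @(
    (New-SampleRule 'BUILTIN\Administrators'           $FullControl 'None'),
    (New-SampleRule 'NT AUTHORITY\SYSTEM'              $FullControl 'None'),
    (New-SampleRule 'Everyone'                         $FullControl 'None'),
    (New-SampleRule 'NT AUTHORITY\Authenticated Users' ($Modify -bor $Synchronize) 'None'),
    (New-SampleRule 'CREATOR OWNER'                    $GenericAll  'InheritOnly')
)
Test-GuideAcl -Rules $sample -Expected $DriveProfile

# On the server itself:
#   Test-GuideAcl -Rules @((Get-Acl 'D:\').Access)      -Expected $DriveProfile
#   Test-GuideAcl -Rules @((Get-Acl 'C:\Tools').Access) -Expected $ToolsProfile
```

An empty result means the ACL matches the profile; each finding names the principal to correct in the Security tab.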
Load Balancing Configuration
This section only needs to be performed on Client Access servers that will be utilized in a load balanced array. In particular, this section focuses on Windows Network Load Balancing. For more information about network load balancing within Windows Server, see Network Load Balancing Technical Reference and Network Load Balancing Clusters. If you are deploying a hardware load balancing array, review your vendor’s documentation and follow their guidance for configuration.
Network Load Balancing Installation and Configuration
The values selected in Network Load Balancing must be the same across all nodes in the cluster.
- Connect to the server via Remote Desktop and log on with an account that has local administrative access.
- Click Start, Control Panel and right-click Network Connections, and then click Open.
- Locate the connection for the appropriate network connection, right-click and select Properties.
- Check the box for Network Load Balancing and select Properties.
- On the Cluster Parameters tab, enter the following information:
  - IP Address
  - Subnet Mask
  - Full Internet Name (for example, mail.contoso.com).
- Click on the Port Rules tab.
- Select the default rule and click Edit.
- Under Port Range, change the From value to 80 and the To value to 80.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 443 and the To value to 443.
  - Under Protocols, select TCP.
  - Click OK.
  Note: If using IMAP and/or POP in the environment, be sure to create the appropriate rules.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 143 and the To value to 143.
  - Under Protocols, select TCP.
  - Click OK.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 110 and the To value to 110.
  - Under Protocols, select TCP.
  - Click OK.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 993 and the To value to 993.
  - Under Protocols, select TCP.
  - Click OK.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 995 and the To value to 995.
  - Under Protocols, select TCP.
  - Click OK.
  Note: If using IPSec in the environment, be sure to create a rule for UDP 500.
- Click Add to create a new port rule.
  - Under Port Range, change the From value to 500 and the To value to 500.
  - Under Protocols, select UDP.
  - Click OK.
- Click OK.
- Click OK to acknowledge the resulting dialog.
- While still in the internal network connection properties, click Internet Protocol (TCP/IP) and select Properties.
- Click Advanced.
- Under IP Addresses, click Add.
  - Enter in the virtual IP Address and Subnet Mask and click OK.
  - Click OK.
- Click Close to close the connection properties.
DNS Entry Creation
Submit a change request and have the domain name specified in the Network Load Balancing Installation and Configuration section for the Network Load Balancing cluster (for example, mail.contoso.com) created as a host record associated to the Network Load Balancing cluster’s IP Address.
Verification Steps
Organizational Unit Verification
Submit a change request and have the computer object moved to the appropriate organizational unit (OU). If following the recommendations in the Exchange 2007 Security Guide, the OU will be \Member Servers\Exchange Backend Servers\Exchange Mailbox Servers.
Active Directory Site Verification
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Open a command prompt.
- Verify that the server is in the correct domain and Active Directory site. At the command line type:
  NLTEST /server:%COMPUTERNAME% /dsgetsite
- The name of the Active Directory site to which the server belongs will be displayed. If the server is not in the correct Active Directory site, submit a change request to the appropriate operations group and have the server moved to the appropriate Active Directory site.
Domain Controller Diagnostics Verification
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Open a command prompt and change paths to the C drive.
- Run the following command:
  dcdiag /s:<Domain Controller> /f:c:\dcdiag.log
  Note: Change <Domain Controller> to a domain controller contained within the same Active Directory site as the Exchange server.
- Review the output of C:\dcdiag.log file and verify that there are no connectivity issues with the local domain controller.
- Repeat steps 3 and 4 for each domain controller in the local Active Directory site.
Note: Domain Controller Diagnostics (DCDiag) is a Windows support tool that tests network connectivity and DNS resolution for domain controllers. If the account being used does not have administrative rights, several tests under the Doing primary tests heading may not pass. These tests can be ignored if the connectivity tests pass. In addition, the log file may report that some service validation tests did not pass. These messages can be ignored if the services do not exist on the domain controller.
Network Diagnostics Verification
Network Diagnostics (NETDIAG) is a Windows support tool that tests network connectivity and DNS resolution for workstations and servers. Look for tests that failed and messages designated as "FATAL," and use this information to isolate network and connectivity problems.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Open a command prompt and change paths to the C drive.
- Type the following command: netdiag /Q /L.
- Review the output of C:\netdiag.log file and verify that there are no network or connectivity issues with the Exchange Server.
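
The review of C:\dcdiag.log and C:\netdiag.log described in the two sections above can be triaged with a short script. The following PowerShell is an added example, not part of this guide or of the Configuration DVD: the function name is hypothetical, the log lines are constructed samples in the usual dcdiag and netdiag layout, and the severity labels encode the notes above (connectivity failures and FATAL messages must be resolved, other failed tests need a manual look).

```powershell
# Added example, not from the Exchange 2007 Configuration DVD; names are illustrative.
function Get-DiagFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $tool = $null
        if ($line -match '^\s*\.+\s+(\S+) failed test (\S+)') {
            # dcdiag summary line: "......... <DC> failed test <TestName>"
            $tool   = 'dcdiag'
            $detail = "$($Matches[2]) on $($Matches[1])"
            # Per the DCDiag note, non-connectivity failures may be caused by missing
            # administrative rights or by services that do not exist on the DC.
            if ($Matches[2] -eq 'Connectivity') { $sev = 'BLOCKING' } else { $sev = 'REVIEW' }
        }
        elseif ($line -match '\[FATAL\]\s*(.*)$') {
            # netdiag message designated as FATAL
            $tool = 'netdiag'; $sev = 'BLOCKING'; $detail = $Matches[1]
        }
        elseif ($line -match '^\s*(.*?test)[ .]*:\s*Failed\s*$') {
            # netdiag per-test result line: "<Name> test . . . . : Failed"
            $tool = 'netdiag'; $sev = 'REVIEW'; $detail = $Matches[1]
        }
        if ($tool) {
            $f = New-Object PSObject
            $f | Add-Member NoteProperty Severity $sev
            $f | Add-Member NoteProperty Tool     $tool
            $f | Add-Member NoteProperty Detail   $detail
            $f
        }
    }
}

# Constructed sample lines (not real output from any server).
$sample = @'
   ......................... DC01 passed test Connectivity
   ......................... DC01 failed test Services
   ......................... DC02 failed test Connectivity
    DNS test . . . . . . . . . . . . . : Failed
        [FATAL] Constructed sample message: no DNS server could be reached.
    Domain membership test . . . . . . : Passed
'@
Get-DiagFinding ([regex]::Split($sample, '\r?\n')) | Sort-Object Severity | Format-Table -AutoSize

# On the server itself:
#   Get-DiagFinding (Get-Content C:\dcdiag.log)
#   Get-DiagFinding (Get-Content C:\netdiag.log)
```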
Exchange Best Practices Analyzer Verification
Connect to a server in the environment that either has the Exchange Best Practices Analyzer installed or the Exchange 2007 Management tools installed through Remote Desktop and log on with an account that has local administrative access. Depending on the configuration, do the following:
- Click Start, All Programs, Microsoft Exchange and select Best Practices Analyzer.
- Click Start, All Programs, Microsoft Exchange Server 2007 and select Exchange Management Console.
- Click Toolbox.
- Double-click Best Practices Analyzer.
- Check and apply any updates for the Best Practices Analyzer engine.
- Provide the appropriate information to connect to Active Directory and then click Connect to the Active Directory server.
- In the Start a New Best Practices Scan, select Exchange 2007 Readiness Check and then click Start Scanning.
- Review the report and take action on any errors or warnings that are reported by following the resolution articles that are provided within the Best Practices Analyzer.
Note: The Microsoft Exchange Analyzers help Microsoft Exchange Server administrators troubleshoot various operational support issues.
Exchange Installation
The following CD media are required for this section:
- Microsoft Exchange 2007 DVD
- Exchange 2007 Configuration DVD
Exchange 2007 Prerequisites Installation
The following prerequisites will be installed through a batch file.
(This note should be updated to list the appropriate list of hotfixes for your environment.)
- Microsoft .NET Framework Version 2.0 Redistributable Package (x64).
- MMC 3.0 update is available for Windows Server 2003 and for Windows XP.
- .NET FW 2.0 Hotfix.
- Windows PowerShell 1.0 English Language Installation Packages for Windows Server 2003 and for Windows XP.
The installation steps are as follows:
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Insert the Exchange 2007 Configuration DVD.
- Browse to \E2K7-PreReqs\ and double-click E2K7-prereqs.bat.
- Click Yes for any Digital Signature not Found dialog boxes that may appear.
  Note: These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
- Wait for all file copies to complete and restart the server.
Exchange 2007 Installation
Though this document uses the command line method for installing the Exchange roles, the GUI can also be used. For more information about how to use the setup GUI to install an Exchange role, see the Exchange 2007 Online Help topic How to Perform a Custom Installation Using Exchange 2007.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated the Exchange Server Administrator role (or higher) if the server was pre-created.
- Follow the procedure from the Exchange 2007 Online Help topic How to Install Exchange 2007 in Unattended Mode. For example, setup.com /r:MB /t:d:\exchsrvr.
Exchange Server 2007 Post-SP1 Roll-up Installation
All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see the Contoso server build DVD hotfix list.
A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated local Administrator access.
- Insert the Exchange 2007 Configuration DVD.
- Browse to \E2K7-PostSP1\ and double-click E2K7-postsp1.bat.
- Click Yes for any Digital Signature not Found dialog boxes that may appear.
  Note: These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
- Wait for all file copies to complete and restart the server.
Product Key Configuration
- Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated the Exchange Organization Administrator role.
- Follow the procedure outlined in the Exchange 2007 Online Help topic How to Enter the Product Key.
Security Configuration Wizard
This section is optional and may be skipped.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Follow the procedures from the Exchange 2007 Online Help topic How to Install the Security Configuration Wizard to install the Security Configuration Wizard.
- Follow the procedures from the Exchange 2007 Online Help topic How to Register Exchange Server Role SCW Extensions to register the Exchange 2007 Edge Transport Server SCW extension.
- Follow the procedures from the Exchange 2007 Online Help topic How to Create a New Exchange Server Role SCW Policy to configure and apply the policy.
System Performance Verification
By default, Exchange Server 2007 optimizes the server’s memory management for programs, which configures the server’s system cache as the default size.
- Connect to the server through Remote Desktop and log on with an account that has local administrative access.
- Click Start, right-click My Computer and select Properties.
- Select the Advanced tab.
- Under Performance, click the Settings button.
  - Click the Advanced tab.
  - Verify that the Processor Scheduling is set to Background Services.
  - Verify that the Memory Usage is set to System Cache.
- Click OK.
Exchange Server Role Configuration
Commercial Certificate Configuration
A commercial certificate is only needed if the Client Access server will service client requests from the Internet or to facilitate un-trusted cross-forest communication between Client Access servers.
- Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher). For more information about using the certificate tasks, see the Exchange 2007 Online Help topic Creating a Certificate or Certificate Request for TLS.
  Note: If generating a certificate that will utilize Subject Alternative Names, be sure that the certificate’s principal name will be the one that the clients (Outlook) will use to connect (for example, mail.contoso.com). In other words, do not list the Autodiscover namespace as the principal name in the certificate.
- Generate the certificate request using the following Exchange Management Shell command where the FriendlyName parameter includes the domain name that will be utilized by Outlook Web Access and Outlook Anywhere. The DomainName parameter includes the friendly name, the Autodiscover FQDN, the server NetBIOS name, and the server FQDN.
  New-ExchangeCertificate -GenerateRequest -SubjectName [Full Subject Path] -DomainName mail.contoso.com, autodiscover.contoso.msft, CAS01, CAS01.contoso.com -FriendlyName mail.contoso.com -privatekeyexportable:$true -path c:\cert.txt
  Note: An example of [Full Subject Path] is "c=US, o=Company, cn=CAS01.contoso.com".
- Submit the request file to the Certificate Authority (CA) and have the CA generate the certificate.
- After receiving the certificate, import and enable the certificate using the following Exchange Management Shell command where [services] can be POP, IMAP, IIS, or a combination:
  Import-ExchangeCertificate -path c:\newcert.cer | Enable-ExchangeCertificate -services "[services]"
- To mandate SSL on the default Web site, open Internet Information Services Manager and then do the following:
  - Right-click the Default Web Site and select Properties.
  - Click the Directory Security tab.
  - Click the Edit button listed under Secure Communications.
  - Verify that Require secure channel (SSL) is enabled.
    Note: If you require 128-bit encryption, also verify Require 128-bit encryption is enabled.
Autodiscover Configuration
An example script that performs the steps outlined in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureAutoDiscover.ps1. For more information about how to use the script, execute .\ConfigureAutoDiscover.ps1 –help.
Note: For more information about deployment considerations for the Autodiscover service, see the Exchange 2007 Online Help topic Deployment Considerations for the Autodiscover Service.
- Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).
- Configure the internal Autodiscover URL by running the following command within the Exchange Management Shell where CAS01 is the name of the Client Access server and internal.domain.fqdn is the name of the internal namespace used for Autodiscover:
  Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri "https://internal.domain.fqdn/autodiscover/autodiscover.xml"
- Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure Exchange Services for the Autodiscover Service to configure the Autodiscover service for usage by Internet clients. This will enable Outlook Anywhere and set the offline address book (OAB), Web services, and Unified Messaging virtual directories external URL parameter.
- Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure Autodiscover for Exchange ActiveSync for usage by Internet clients.
- Optional: Enable site affinity by following the procedure outlined in the Exchange 2007 Online Help topic How to Configure the Autodiscover Service to Use Site Affinity.
- Verify that Autodiscover functions correctly by following the procedure outlined in the Exchange 2007 Online Help topic How to Test Outlook 2007 Autodiscover Connectivity.
Outlook Anywhere Configuration
An example script that performs the steps outlined in this section is included in the E2K7CONFIGDVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOLAnywhere.ps1. For more information about how to use the script, execute .\ConfigureOLAnywhere.ps1 –help.
Note: If step 3 from the Autodiscover Configuration section was followed, then this section can be skipped.
- Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).
- Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Enable Outlook Anywhere to enable Outlook Anywhere.
- Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Configure an External Host Name for Outlook Anywhere if the server will be servicing Outlook Anywhere clients on the Internet.
Offline Address Book Configuration
An example script that performs the steps outlined in this section is included in the E2K7CONFIGDVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOAB.ps1. For more information about how to use the script, execute .\ConfigureOAB.ps1 –help.
Note: If the Client Access server will not be a distribution point for the OAB, this section can be skipped. By default, the OAB virtual directory does not require SSL. By default Client Access servers utilize self-signed certificates for providing HTTP and RPC encryption. Clients that utilize the BITS service to download files (like OAB) cannot use self-signed certificates. If a commercial certificate is going to be used and ISA 2006 is not going to be used to enforce SSL, then SSL should be enabled on the OAB virtual directory.
- Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).
  Note: In order to use OAB Web distribution, the OAB must be generated on an Exchange 2007 Mailbox server. If the offline address book is not generated on an Exchange 2007 Mailbox server, step 2 can be skipped.
- Open the Exchange Management Shell and run the following commands where CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL:
  $a=get-oabvirtualdirectory -Server CAS01
  Set-oabvirtualdirectory $a -ExternalURL https://mail.contoso.com/OAB
  Set-OfflineAddressBook "default offline address book" -VirtualDirectories $a
  iisreset /noforce
- Optional: Follow the procedure outlined in the Exchange 2007 Online Help topic How to Require SSL for Offline Address Book Distribution if the server has a commercial certificate and will be servicing requests from the Internet and ISA 2006 will not be in use to enforce SSL for Internet requests.
IMAP4 Configuration
If the Client Access server will not allow IMAP4 connections, this section may be skipped.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Server Administrator role (or higher).
- Open the Exchange Management Shell.
- To configure the IMAP4 bindings, run the following command
where CAS01 is the Client Access server and 0.0.0.0 implies any IP
address:
    Set-ImapSettings -Server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:143" -SSLBindings "0.0.0.0:993"
- To disable plain text authentication and enable custom calendar
item retrieval option for IMAP4, run the following command where
mail.contoso.com is the certificate name and external URL:
    Set-ImapSettings -Server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
- To enable the Microsoft Exchange IMAP4 service for automatic
startup, run the following command:
    Set-Service MSExchangeIMAP4 -StartupType automatic
POP3 Configuration
If the Client Access server will not allow POP3 connections, this section may be skipped.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Server Administrator role (or higher).
- Open the Exchange Management Shell.
- To configure the POP3 bindings, run the following command where
CAS01 is the Client Access server and 0.0.0.0 implies any IP
address:
    Set-PopSettings -Server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:110" -SSLBindings "0.0.0.0:995"
- To disable plain text authentication and enable custom calendar
item retrieval option for POP3, run the following command where
mail.contoso.com is the certificate name and external URL:
    Set-PopSettings -Server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
- To enable the Microsoft Exchange POP3 service for automatic
startup, run the following command:
    Set-Service MSExchangePOP3 -StartupType automatic
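The following check is an added example, not part of the original guide or of the scripts on the E2K7CONFIGDVD: it compares the output of Get-ImapSettings or Get-PopSettings with the values set in the IMAP4 and POP3 sections above and lists every deviation. The function name Test-MailProtocolSettings and the sample object are constructed for illustration, and the property names are assumed to mirror the Set-ImapSettings and Set-PopSettings parameters used in the steps.

```powershell
# Added example: compare Get-ImapSettings / Get-PopSettings output with the
# values this guide sets. Property names are assumed to mirror the
# Set-ImapSettings / Set-PopSettings parameters used in the steps above.
function Test-MailProtocolSettings {
    param(
        [string]$Protocol,         # label for messages: 'IMAP4' or 'POP3'
        $Settings,                 # object from Get-ImapSettings or Get-PopSettings
        [string]$CertificateName,  # expected X509CertificateName
        [int]$TlsPort,             # 143 (IMAP4) or 110 (POP3)
        [int]$SslPort,             # 993 (IMAP4) or 995 (POP3)
        [string]$StartMode         # optional: Win32_Service.StartMode of the service
    )
    $findings = @()
    if ("$($Settings.LoginType)" -ne 'SecureLogin') {
        $findings += "$Protocol LoginType is '$($Settings.LoginType)'; the guide sets SecureLogin"
    }
    if ("$($Settings.X509CertificateName)" -ne $CertificateName) {
        $findings += "$Protocol certificate name is '$($Settings.X509CertificateName)'; expected '$CertificateName'"
    }
    # Bindings are compared as strings such as "0.0.0.0:143".
    $tls = @($Settings.UnencryptedOrTLSBindings | ForEach-Object { "$_" })
    $ssl = @($Settings.SSLBindings | ForEach-Object { "$_" })
    if (-not ($tls | Where-Object { $_ -like "*:$TlsPort" })) {
        $findings += "$Protocol has no UnencryptedOrTLSBindings entry on port $TlsPort"
    }
    if (-not ($ssl | Where-Object { $_ -like "*:$SslPort" })) {
        $findings += "$Protocol has no SSLBindings entry on port $SslPort"
    }
    if ($StartMode -and $StartMode -ne 'Auto') {
        $findings += "$Protocol service start mode is '$StartMode'; the guide sets automatic"
    }
    $findings
}

# Constructed sample standing in for Get-PopSettings output (not real data):
# plain-text logins still allowed and no SSL binding on 995.
$sample = New-Object PSObject -Property @{
    LoginType                = 'PlainTextLogin'
    X509CertificateName      = 'CAS01'
    UnencryptedOrTLSBindings = @('0.0.0.0:110')
    SSLBindings              = @()
}
Test-MailProtocolSettings -Protocol POP3 -Settings $sample `
    -CertificateName 'mail.contoso.com' -TlsPort 110 -SslPort 995

# On the Client Access server, from the Exchange Management Shell:
# $svc = Get-WmiObject Win32_Service -Filter "Name='MSExchangeIMAP4'"
# Test-MailProtocolSettings -Protocol IMAP4 -Settings (Get-ImapSettings -Server CAS01) `
#     -CertificateName 'mail.contoso.com' -TlsPort 143 -SslPort 993 -StartMode $svc.StartMode
```

An empty result means the server matches the values applied in the steps; each returned string names one setting that still differs.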
Outlook Web Access Configuration (Internet Scenario)
Follow the steps in this section if the Client Access server will service requests directly from the Internet and ISA 2006 pre-authentication mechanisms are not in use.
If either condition is not met, skip this section and follow the steps outlined in the Outlook Web Access Configuration (Proxy Scenario) section later in this topic.
Note: An example script that performs steps 1-8 in this section is included in the Exchange 2007 Configuration DVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOWA.ps1. For more information about how to use the script, execute .\ConfigureOWA.ps1 –help.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Server Administrator role (or higher).
- By default, when the Client Access server role is installed,
forms-based authentication is enabled. Ensure forms-based
authentication is enabled by following the procedure outlined in
the Exchange 2007 Online Help topic How to Configure
Forms-Based Authentication for Outlook Web Access.
- Configure the public and private cookie timeouts by following
the procedures outlined in the Exchange 2007 Online Help topic
How to Set the
Forms-Based Authentication Public Computer Cookie Time-Out
Value and How to Set the
Forms-Based Authentication Private Computer Cookie Time-Out
Value.
- Optional: Configure GZip compression by following the procedure
outlined in the Exchange 2007 Online Help topic How to Configure Gzip
Compression Settings.
- Configure WebReady Document Viewing by following the procedure
outlined in the Exchange 2007 Online Help topic How to Manage WebReady
Document Viewing.
- Configure private and public computer file access by following
the procedure outlined in the Exchange 2007 Online Help topic
How to Manage
Public and Private Computer File Access.
- Configure Windows SharePoint and Windows File Share integration
by following the procedure outlined in the Exchange 2007 Online
Help topic How
to Enable or Block Access from Public and Private
Computers.
- Optional: If redirection is to be used, then run the following
command from the Exchange Management Shell where CAS01 is the name
of the Client Access server and mail.contoso.com is the name of the
external URL:
    Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" -ExternalURL https://mail.contoso.com/owa
- If legacy Mailbox servers exist within the organization, then
you will need to follow these steps:
  a. Follow the procedures outlined in the following topics, but
  replace the value of the identity parameter with "CAS01\exchange
  (Default Web Site)" (where CAS01 is the name of the Client Access
  server).
    - By default, when the Client Access server role is installed,
    forms-based authentication is enabled. Ensure forms-based
    authentication is enabled by following the procedure outlined in
    the Exchange 2007 Online Help topic How to Configure
    Forms-Based Authentication for Outlook Web Access.
    - Optional: Configure GZip compression by following the procedure
    outlined in the Exchange 2007 Online Help topic How to Configure Gzip
    Compression Settings.
  b. Repeat step a, but this time use "CAS01\exchweb (Default Web
  Site)" for the value of the identity parameter.
  c. Repeat step a, but this time use "CAS01\public (Default Web
  Site)" for the value of the identity parameter.
- Optional: To simplify the Outlook Web Access URL and redirect
users to HTTPS, follow the procedure outlined in the Exchange 2007
Online Help topic How to Simplify the
Outlook Web Access URL.
- Reboot the Client Access server.
Outlook Web Access Configuration (Proxy Scenario)
Follow the steps in this section if the Client Access server meets the following conditions.
- Will not service requests directly from the Internet, but
instead will receive requests from other Client Access servers that
are located in other Active Directory sites.
- Will be utilizing ISA 2006 to pre-authenticate Internet
requests.
For more information about how to configure ISA Server, see Configuring ISA Server 2006 for Exchange Client Access.
If neither statement applies, skip this section and follow the Outlook Web Access Configuration (Internet Scenario) section earlier in this topic.
Note: An example script that performs steps 1-8 in this section is included in the E2K7CONFIGDVD. It is located within the E2K7-Scripts\CAS folder and is named ConfigureOWA.ps1. For more information about how to use the script, execute .\ConfigureOWA.ps1 –help.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Server Administrator role (or higher).
- Configure Windows Integrated Authentication by following the
procedure outlined in the Exchange 2007 Online Help topic How to Configure
Integrated Windows Authentication.
- Optional: Configure GZip compression by following the procedure
outlined in the Exchange 2007 Online Help topic How to Configure Gzip
Compression Settings.
- Configure WebReady Document Viewing by following the procedure
outlined in the Exchange 2007 Online Help topic How to Manage WebReady
Document Viewing.
- Configure private and public computer file access by following
the procedure outlined in the Exchange 2007 Online Help topic
How to Manage
Public and Private Computer File Access.
- Configure Windows SharePoint and Windows File Share integration
by following the procedure outlined in the Exchange 2007 Online
Help topic How
to Enable or Block Access from Public and Private
Computers.
- If legacy Mailbox servers exist within the organization, you
will need to follow these steps:
  a. Follow the procedures outlined in the following topics, but
  replace the value of the identity parameter with "CAS01\exchange
  (Default Web Site)" (where CAS01 is the name of the Client Access
  server).
    - Configure Windows Integrated Authentication by following the
    procedure outlined in the Exchange 2007 Online Help topic How to Configure
    Integrated Windows Authentication.
    - Optional: Configure GZip compression by following the procedure
    outlined in the Exchange 2007 Online Help topic How to Configure Gzip
    Compression Settings.
  b. Repeat step a, but use "CAS01\exchweb (Default Web Site)" for
  the value of the identity parameter.
  c. Repeat step a, but use "CAS01\public (Default Web Site)" for
  the value of the identity parameter.
- Optional: To simplify the Outlook Web Access URL and redirect
users to HTTPS, follow the procedure outlined in the Exchange 2007
Online Help topic How to Simplify the
Outlook Web Access URL.
- Reboot the Client Access server.
ActiveSync Configuration
Follow the steps in this section if the Client Access server will not service requests directly from the Internet, but instead will receive requests from other Client Access servers that are located in other Active Directory sites. If that is not a true statement, skip this section.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Server Administrator role (or higher).
- Click on Start, Administrative Tools and select
Internet Information Services (IIS) Manager.
- Expand the hierarchy nodes <Server>, Web Sites,
Default Web Site.
- Right-click Microsoft-Server-ActiveSync and select
Properties.
- Click the Directory Security tab.
- Under Authentication and Access Control click the
Edit… button.
- Uncheck Basic Authentication.
- Check Integrated Windows Authentication.
- Click OK.
- Click OK.
Legacy ActiveSync Configuration
In order for mobile devices to synchronize using Client Access servers when the mailbox resides on Exchange Server 2003, the Microsoft-Server-ActiveSync virtual directory must be configured to use Windows Integrated Authentication.
If there are no legacy Exchange Mailbox servers in the organization, this section can be skipped.
Note: You can manually configure the Microsoft-Server-ActiveSync virtual directory to use Windows Integrated Authentication by installing http://support.microsoft.com/?id=937031 on a workstation running the Exchange 2003 System Manager.
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access and has been delegated
the Exchange Organization Administrator role.
- Insert the E2K7 CONFIG DVD.
- Open a command prompt and navigate to the
\E2K7-Scripts\CAS directory on the share and run the
following command:
    legacyEAS.vbs -d:DomainController -a:AdminGroup
Note: Replace DomainController with a domain controller that is in the same Active Directory site as the Exchange Server (optional parameter). Replace Exchange Server with the name of the server to be modified.
- The output will be similar to the following if successful.
    Z:\E2K7-Scripts\CAS>legacyeas.vbs -d:W2K3-DC-01 -a:NorthAmerica
    Microsoft (R) Windows Script Host Version 5.1 for Windows
    Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
    Exchange Server Container - cn=Microsoft-Server-Activesync,cn=1,cn=HTTP,cn=Protocols,cn=<Server>,cn=Servers,cn=NorthAmerica,cn=Administrative Groups,cn=<OrgName>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>
    Attribute Name & Value - msExchAuthenticationFlags: 6
    Attribute Set!!
Handoff Test
The diagnostics tasks used in this section require test mailboxes to be created on the Exchange 2007 Mailbox servers. For more information on how to use the Test- script to create the test mailboxes, please see the Monitoring for Agentless Servers topic in the Exchange 2007 Online Help.
- Connect to an Exchange 2007 server via Remote Desktop and log
on with an account that has local administrative access and has
been delegated the Exchange Server Administrator role (or
higher).
- If the server has not been rebooted as a result of a previous
section's instructions, then open a command prompt and start the
Web service by executing the command net start w3svc.
- Click Start, All Programs, Microsoft Exchange Server
2007 and select Exchange Management Shell.
- To test Exchange ActiveSync connectivity, run the following
command where <Server> is the name of the Client
Access server:
    Test-ActiveSyncConnectivity -ClientAccessServer <Server>
- To test Autodiscover connectivity, run the following command
where <EmailAddress> is the e-mail address of a
mailbox:
    Test-OutlookWebServices -Identity <EmailAddress> -ClientAccessServer <Server>
- To test Outlook Anywhere connectivity, run the following
command:
    Test-WebServicesConnectivity -ClientAccessServer <Server> -AllowUnsecureAccess
- To test Outlook Web Access connectivity, run the following
command where <Server> is the name of the Client
Access server:
    Test-OwaConnectivity -ClientAccessServer:<Server> -AllowUnsecureAccess