Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-07-03
This topic provides an overview of planning considerations for deploying the Client Access server role on a computer that is running Microsoft Exchange Server 2007. The Client Access server role supports the Microsoft Outlook Web Access, Outlook Anywhere, Microsoft Entourage 2004 and Entourage 2008 for Mac, and Microsoft Exchange ActiveSync client applications, in addition to the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. For more information about Entourage 2008 for Mac, see the Microsoft Office 2008 for Mac Administrator’s Guide.
The Client Access server role also hosts several key services, such as the Autodiscover service and Exchange Web Services.
You must have the Client Access server role installed in every Active Directory site within your organization that contains an Exchange 2007 server that has the Mailbox server role installed. If your organization has only one Active Directory site, the Client Access server role must be installed on at least one computer within your Exchange organization.
Note: |
---|
You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported. |
Installation of a Client Access server in a perimeter network is not supported. The Client Access server must be a member of an Active Directory directory service domain, and the Client Access server machine account must be a member of the Exchange Servers Active Directory security group. This security group has read and write access to all Exchange servers within your organization. Communications between the Client Access server and the Mailbox servers within the organization occurs over RPC. It is because of these requirements that installing a Client Access server in a perimeter network is not supported.
Overview of the Client Access Server Role Features
The Client Access server role manages client access to your Exchange 2007 server. The following client applications require the Client Access server role:
- Exchange ActiveSync Users can establish
a partnership between their Exchange server and their mobile device
by using Exchange ActiveSync. Users can synchronize
e-mail messages, contacts, tasks, and calendar data.
Note: Exchange ActiveSync can synchronize messages in all the mail folders that are stored on the Exchange server, except for the Drafts and Outbox folders. - Outlook Web Access Users can access
their Exchange mailbox data from a Web browser by using
Office Outlook Web Access. The virtual directories
for Outlook Web Access are stored on the Client
Access server.
Note: Outlook Web Access is not supported with Pocket Internet Explorer on a mobile device. Note: Outlook Web Access in Exchange 2007 is accessed by using the URL https://servername/owa. To access public folders through Outlook Web Access in Exchange 2007, use the URL https://servername/public. Outlook Web Access for earlier versions of Exchange is accessed through the URLs https://servername/exchange, https://servername/exchweb, and https://servername/public. If your users have mailboxes on an Exchange 2000 or Exchange 2003 server, they must use these legacy URLs. - Microsoft Office Outlook Although
Office Outlook 2007 accesses
Microsoft Exchange messaging data directly on the Mailbox
server, it relies on the Client Access server role for such
services as the Autodiscover service and the Availability
service.
- Outlook Anywhere Outlook can
connect to your Exchange mailbox over the Internet without
using a VPN connection to your internal network if you have enabled
Outlook Anywhere. Outlook Anywhere was formerly known as RPC
over HTTP.
- POP3 and IMAP4 Clients If your users
connect to Exchange 2007 by using a POP3 or IMAP4 client,
their connections will pass through the Client Access server. When
Exchange 2007 is installed, all required services for
POP3 and IMAP4 are installed. However, they are disabled. To use
POP3 or IMAP4 to connect to Exchange 2007, you must enable
either the POP3 service or the IMAP4 service.
In addition to providing a connection point for client applications, the Client Access server role provides support for the following services:
- Autodiscover
service Exchange 2007 includes a new
Microsoft Exchange service named the Autodiscover
service. The Autodiscover service configures client computers that
are running Outlook 2007. The Autodiscover service can also
configure supported mobile devices. The Autodiscover service
provides access to Microsoft Exchange features for
Outlook 2007 clients that are connected to your
Exchange messaging environment. The Autodiscover service must
be deployed and configured correctly for Outlook 2007 clients
to automatically connect to Microsoft Exchange features,
such as the offline address book, the Availability service, and
Unified Messaging (UM). Additionally, these Exchange features
must be configured correctly to provide external access for
Outlook 2007 clients. For more information, see How to Configure
Exchange Services for the Autodiscover Service.
- Exchange Web Services Exchange Web
Services provides the functionality to enable client applications
to communicate with the Exchange server. Exchange Web
Services provides access to much of the same data made available
through Outlook. Exchange Web Services clients can
integrate Outlook data into line-of-business (LOB) applications.
LOB applications that use Exchange Web Services can use the
Autodiscover service to obtain profile settings for a particular
client.
Understanding the Differences Between a Front End Server and a Client Access Server
Earlier versions of Microsoft Exchange supported a front-end server within an organization. A computer that is running the Exchange 2007 Client Access server role is very different from an Exchange 2003 front-end server. In earlier versions of Microsoft Exchange, the front-end server accepted requests from clients and sent them to the appropriate back-end server for processing. This provided increased capacity for the number of concurrent client sessions within an organization and decreased the load on the back-end server that housed the mailboxes. A front-end server was frequently located in a perimeter network between the external and internal firewalls. One of the primary advantages to a front-end server was the ability to expose a single, consistent namespace when multiple back-end servers were present. Without a front-end server, Outlook Web Access users would have to know the name of the server that stored their mailbox. By including a front-end server, users could access a single URL for Outlook Web Access. The front-end server would proxy the user's request to the appropriate back-end server.
In Exchange 2007, the Client Access server role was designed specifically to optimize the performance of the Mailbox server role by handling much of the processing that previously occurred on back-end servers. Business logic processes, such as Exchange ActiveSync mailbox policies and Outlook Web Access segmentation, are now performed on the Client Access server instead of the Mailbox server. Because the Mailbox server role relies on the Client Access server role to handle incoming client connections, each Active Directory site that has a Mailbox server must also have a Client Access server. Both roles can run on one physical computer. If you have multiple Active Directory sites and want a single external URL for Outlook Web Access or Exchange ActiveSync, you must configure your Client Access servers for proxying.
An Exchange 2007 computer that is running the Client Access server role uses the Exchange RPC protocol to connect to the Mailbox server that it services. You must use a high-bandwidth and low-latency connection between the Client Access server and the Mailbox server. The minimum recommended bandwidth is 100 Mbps, but 1-Gpbs connections should be considered for enterprise datacenters.
Planning Considerations for Exchange ActiveSync
Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. Exchange ActiveSync is based on HTTP and XML and lets devices such as browser-enabled cellular telephones or Microsoft Windows Mobile powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks, and to continue to be able to access this information while they are working offline.
Note: |
---|
Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes in Outlook. |
When you deploy Exchange ActiveSync, consider the following issues:
- Exchange ActiveSync devices There are
several devices that support Exchange ActiveSync. These
devices include Windows Mobile powered devices and other
third-party devices. For more information about the devices that
support Exchange ActiveSync, see Exchange ActiveSync
Devices and Compatible Features.
- Device data
plans Exchange ActiveSync uses a
process that is known as Direct Push to keep messaging data
synchronized with mobile devices. With Direct Push, data is
exchanged over cellular connections. If your users' data plans
charge by the minute or the megabyte, the monthly cost can quickly
escalate. To use Direct Push with Exchange ActiveSync, your
users should have an unlimited data plan with their cellular
carrier.
Note: Direct Push does not work over a Wi-Fi Internet connection, such as an 802.11b connection. Direct Push works only over a cellular data connection. - Exchange ActiveSync security You should
have a security plan in place when you deploy
Exchange ActiveSync. We strongly recommend that you
use Secure Sockets Layer (SSL) with Exchange ActiveSync.
By default, when you install Exchange 2007,
Exchange ActiveSync is enabled for your users. The
Exchange ActiveSync virtual directory is configured to
use Basic authentication with SSL. You can configure the
Exchange ActiveSync virtual directory to use Integrated
Windows authentication or certificate-based authentication.
In addition to configuring authentication, we recommend that you deploy Exchange ActiveSync mailbox policies to control a variety of settings for your mobile users and their devices. You can require a password, allow or block attachment downloads, require device encryption, specify the maximum number of failed passwords, and enable password recovery. For more information about Exchange ActiveSync mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies.
- Migrating from Exchange Server 2003 to Exchange Server
2007 If you are migrating from
Exchange Server 2003 to Exchange 2007, we
recommend that you first upgrade your front-end servers to the
Client Access server role. You must enable
Integrated Windows authentication on the
Exchange Server 2003 back-end server for
Exchange ActiveSync to function correctly. After you
migrate all front-end servers to Exchange 2007, you
can migrate your back-end servers to
Exchange 2007 Mailbox servers.
Planning Considerations for Outlook Web Access
Outlook Web Access uses an Internet browser to provide access to Exchange information. Outlook Web Access has a powerful, intuitive interface that resembles Outlook 2007 without the need to install Outlook 2007 on the computer. When you deploy your Exchange messaging infrastructure for Internet-based external access, users can use any computer in any location that has an Internet browser that supports HTML 3.2 and European Computer Manufacturers Association (ECMA) formats. Such browsers include Internet Explorer, Mozilla Firefox 1.8, Opera 7.54, and Safari 1.2, and others.
Outlook Web Access supports most of the features that are found in Outlook 2007. By default, all client features are enabled. For more information about the client features that are available in Outlook Web Access, see Client Features in Outlook Web Access.
You may want to limit the features that are available to users through Outlook Web Access, depending on your organization's security and information management needs. For information about how to enable and disable features by using the Exchange Management Console and the Exchange Management Shell, see Managing Outlook Web Access.
Outlook Web Access for Exchange 2007 offers several enhancements to security. You can configure SSL on the Outlook Web Access virtual directory in addition to standard and forms-based authentication. You can configure the following authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell:
- Standard authentication
methods Standard authentication methods
include Integrated Windows authentication, Digest authentication,
and Basic authentication. For more information about how to
configure standard authentication methods for
Outlook Web Access, see Configuring Standard
Authentication Methods for Outlook Web Access.
- Forms-based authentication Forms-based
authentication creates a logon page for
Outlook Web Access. Forms-based authentication uses
cookies to store encrypted user logon credentials and password
information. For more information about forms-based authentication,
see Configuring
Forms-Based Authentication for Outlook Web Access.
Note: If you configure multiple authentication methods, IIS uses the most secure method first. IIS then searches the list of available authentication protocols, starting with the most secure, until it finds an authentication method that is supported by both the client and the server.
By default, when you install the Client Access server role on an Exchange 2007 server, four Outlook Web Access virtual directories are created in the default Internet Information Services (IIS) Web site on the Exchange server. By default, these virtual directories and the default Web site are configured to require SSL. For more information about how to configure SSL for Outlook Web Access, see How to Configure Outlook Web Access Virtual Directories to Use SSL.
If you want to use SSL to help secure additional Outlook Web Access virtual directories or Web sites, you must do so manually. To configure a site to use SSL, you must obtain a certificate and configure the Web site or virtual directory to require SSL by using that certificate.
Planning Considerations for Outlook Anywhere
Outlook Anywhere enables users who are running Outlook 2007 or Outlook 2003 to connect to your Microsoft Exchange messaging infrastructure from the Internet by using the Outlook Anywhere networking technology.
After you install the Client Access server role on a computer that is running Exchange Server 2007, you can enable Outlook Anywhere for your organization by using the Enable Outlook Anywhere wizard on any Client Access server in your organization. We recommend that you enable at least one Client Access server for Outlook Anywhere access in each site that you manage.
Before you plan your Outlook Anywhere deployment, make sure that you have read the following topics:
Planning Considerations for POP3 and IMAP4
Exchange 2007 provides support for clients that use the POP3 and IMAP4 protocols. However, by default, the POP3 and IMAP4 services are not started in Exchange 2007. To use these protocols, you must first start the POP3 and IMAP4 services on the Client Access server.
If you have to administer POP3 and IMAP4 in the original release (RTM) version of Microsoft Exchange Server 2007, you will perform all your administrative tasks in the Exchange Management Shell. In Exchange 2007 Service Pack 1 (SP1), you can manage POP3 and IMAP4 settings by using the Exchange Management Console.
For more information about how to manage POP3 and IMAP4, see Managing POP3 and IMAP4.
When you deploy Client Access servers to support POP3 and IMAP4 clients, there are physical limitations and security limitations if you use earlier versions of Microsoft Exchange, such as Exchange Server 2003. The main physical limitation in deploying POP3 and IMAP4 is that cross-site communication between Client Access servers and Mailbox servers in separate Active Directory sites is not supported. You must make sure that clients are connecting to the Client Access server that is located in the same site as the Mailbox server that contains their mailbox.
Note: |
---|
If the Client Access servers and Mailbox servers in your Active Directory sites are running Exchange 2007, you can configure a setting to enable cross-site connectivity for your POP3 and IMAP4 clients. For more information, see How to Enable Cross-Site Connectivity for POP3 and IMAP4 Clients. |
Planning Considerations for Exchange 2007 Web Services
An Exchange 2007 Client Access server supports a two Web services: Exchange Web Services and the Autodiscover service.
Exchange Web Services provides access to:
- Free/busy information, meeting suggestions, and Out of Office
functionality.
- Calendar, e-mail, contact, folder, and task items in a user's
mailbox.
- Notifications about events that occur in a user's mailbox.
- Synchronization features to synchronize clients with the
associated mailbox.
- Ambiguous name resolution.
- Distribution list expansion.
The Autodiscover service enables clients such as Outlook, custom applications, and some mobile devices to obtain settings for a variety of services such as the Availability service, Unified Messaging, and the offline address book (OAB). Clients try to connect to the Autodiscover service through two URLs that are based on the user's SMTP address. The two URLs are as follows:
-
https://autodiscover.<domain>/autodiscover/autodiscover.xml
- https://<domain>/autodiscover/autodiscover.xml
Outlook submits an XML request that includes the user's e-mail address. The Autodiscover service returns configuration information about the user in addition to the URLs and settings that are used to connect to various services. Exchange Web Services also provides a developer API for customers and partners to write their own custom applications. These custom applications can then interact with Exchange mailbox data.
Security Planning for Client Access Servers
There are many things to consider when you plan a secure messaging environment. Factors such as e-mail attachments and access to internal and external corporate data make it important to consider multiple security precautions before you deploy your messaging environment. We recommend that you use SSL encryption for all Client Access features, including Outlook Web Access and Outlook Anywhere. Additionally, we recommend that you select an authentication method such as Integrated Windows authentication, instead of Basic authentication. Basic authentication transmits user names and passwords in clear text. Choosing an alternative authentication method increases the security of your communications. You can customize each Client Access feature to use different security mechanisms.
One method to help you make your messaging environment more secure is to deploy an advanced firewall server solution such as Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 helps provide an additional level of security and can also enhance client functionality through new features that are designed for Exchange 2007 and ISA Server 2006. For more information about how to use ISA Server 2006 together with Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.