Bharat Suneja

Tuesday, June 09, 2009


User Self-Service: Message Tracking from OWA

Posted by Bharat Suneja at 11:08 AM
One of the things on top of my Exchange wish lists, and I'm sure on the Exchange wish lists of many Exchange folks, is allowing users to help themselves with common tasks such as managing Distribution Groups, and tracking the status of their own messages as I suggested in Message Tracking as part of OWA/Outlook (hard to believe this was posted in July 2005!).

Yes, Exchange has had Message Tracking for administrators, but this results in the waste of valuable IT resources when users call/e-mail/shout out (depending on location and position... ) to ask why a particular message they were supposed to receive hasn't yet made it, or why someone never received a message they sent.

Exchange 2010 allows users to track their own messages using the Exchange Control Panel (ECP). Head over to Spotlight on Exchange 2010: Delivery Reports on the Exchange team blog for more info.

I'll gladly admit the final implementation of this feature is a lot better than the way I thought it should work 4 years ago. Allowing users to perform common tasks using easy-to-use web-based self-service options, using functionality found out-of-the-box in Exchange Server, should help you reduce administration costs and resources.

What's your take on these self-service features?


Tuesday, March 24, 2009


Internet Explorer 8 and OWA: Where Are The Images?

Posted by Bharat Suneja at 10:49 AM
Internet Explorer 8 was released last week at MIX09. It's likely many users may already be running either the RTM version or one of the earlier betas.

IE 8 is more secure than previous versions (see Stay Safer Online for a list of IE8's security features), including some of the default settings. Here's one of those changes and how it may impact your OWA users (and potentially result in a helpdesk call).

A user gets an HTML message with images. When viewing the message in OWA, the user sees missing images, as shown below:

Screenshot: An HTML message with missing images in Outlook Web Access
Figure 1: An HTML message rendered in OWA with missing images

Instead of this:

Screenshot: An HTML message with images in Outlook Web Access
Figure 2: HTML message with images rendered in OWA

Is that the web beacon and form filtering feature of OWA 2007 at work?

OWA 2007: Web beacon and form filtering

Web beacons (aka "web bugs") are very small, transparent image files in web pages and HTML email. These 'invisible' images are commonly used by web sites to track visitors, along with cookies. When you inadvertently download such an image in an HTML email message, it calls home and tells Mr. Spammer: "I made it! The email address is valid, and someone even viewed the message!"

In Exchange 2007, OWA blocks web beacons, and displays the following prompt inline in the information bar (where header information such as subject, sender, recipient, and timestamp are displayed).

Figure 3: The web beacon and form filtering feature displays a prompt in the information bar to allow user to unblock content

If users determine the message is from a trusted sender and safe to open, they can unblock the blocked content by clicking on the "Click here" link in the information bar (highlighted in Figure 3 above).

Web beacon and HTML form filtering behavior can be controlled for an OWA virtual directory. Use the Set-OwaVirtualDirectory cmdlet to toggle the FilterWebBeaconsAndHtmlForms property, as shown in How to Control Web Beacon and HTML Form Filtering for Outlook Web Access.
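An added example (not from the original post) of reviewing this setting across OWA virtual directories before changing it. It assumes the Exchange Management Shell; UserFilterChoice, ForceFilter and DisableFilter are the values the FilterWebBeaconsAndHtmlForms property accepts, and the remediation runs with -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example: audit web beacon / HTML form filtering on OWA virtual directories.
# Run in the Exchange Management Shell.

# 1. Show the current mode for every OWA virtual directory.
#    UserFilterChoice = block, but let the user unblock via the information bar
#    ForceFilter      = block, with no option to unblock
#    DisableFilter    = no filtering at all
$vdirs = Get-OwaVirtualDirectory
$vdirs | Format-Table Server, Name, FilterWebBeaconsAndHtmlForms -AutoSize

# 2. Flag directories where filtering has been switched off entirely.
$unfiltered = @($vdirs | Where-Object { $_.FilterWebBeaconsAndHtmlForms -eq 'DisableFilter' })

if ($unfiltered.Count -eq 0) {
    "No OWA virtual directory has web beacon filtering disabled."
}
else {
    foreach ($vdir in $unfiltered) {
        Write-Warning ("Filtering disabled on {0}" -f $vdir.Identity)

        # 3. Put the directory back to user-controlled blocking.
        #    Remove -WhatIf to apply; use ForceFilter instead if users
        #    should not be able to unblock content themselves.
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -FilterWebBeaconsAndHtmlForms UserFilterChoice -WhatIf
    }
}
```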

But you don't see the familiar click here link in the message!

The Tale of The Two Prompts
You're accessing OWA (or any other web page for that matter) over a secure HTTPS session. The page has images or other unsecure content (not unsecure as in malicious content, but the content is accessed using HTTP) it wants the browser to display. The first time the browser faces this scenario, it sends alarm bells ringing. It warns you, the user almighty, and asks you what you wish to do.

You may even remember the IE prompt— even if vaguely so. Yes, the one you dismissed by clicking the "Yes" button, without giving it any thought? After all, what harm could a lowly web page do to your highly secure computer?

In IE8, the prompt has been reworded, and the choices reordered. Here's what the shiny new prompt looks like.

Screenshot: Internet Explorer 8 prompt when accessing insecure content over a secure session
Figure 4: Security warning in Internet Explorer 8, clearly informing users about blocked content, and the potential security impact of displaying such content

As you can see, users instinctively clicking the "Yes" button continue to be protected by Internet Explorer 8. They do not end up in an insecure state! Moreover, the dialog is clearer and more informative, compared to the one found in previous versions of IE. Here's the dialog from IE 7:

Screenshot: Internet Explorer 8 prompt when accessing insecure content over a secure session
Figure 5: The 'Security Information' prompt in Internet Explorer 7, prompting users about nonsecure items


Thursday, February 12, 2009


Did pigs fly? Exchange embraces FireFox, Safari

Posted by Bharat Suneja at 6:30 AM
It was a common belief Microsoft would never support the premium Outlook Web Access (OWA) experience on web browsers other than Internet Explorer (IE). OWA Premium, as you may already know, is the feature-rich OWA. Non-IE browsers such as FireFox and Safari have been relegated to the “reach” experience of OWA Light, with a reduced feature set. When asked if Microsoft would ever support the OWA Premium experience on other browsers, the common response from the skeptics has forever been: Sure, when pigs fly.

If Microsoft licensing ActiveSync to Google (earlier this week..!) was a precursor of things to come, this year may prove to be the Year-of-the-Flying-Pig!

In a video just posted on the Exchange team blog, KC Lemson announces full browser parity in Exchange14, the next version of Exchange Server, and ExchangeLabs— the services offering already running on Exchange14. The video includes a demo of Exchange 14’s support for FireFox, and Safari, in all its premium goodness. This puts all the three popular browsers on par for accessing Exchange14 using Outlook Web Access.

ExchangeLabs, the hosted Exchange service (aka "Exchange-in-the-cloud", or the "cloud offering") Microsoft provides for free to students and alumni is now called Outlook Live. It already hosts 3.5 million mailboxes, and is now available to faculty and staff as well.

Also demoed in the video is the new Conversation view of email threads, something that's been on many users' wishlists. The ability to view an entire conversation together, being able to delete it together, and Exchange14’s implementation should make our lives more productive dealing with the ever-increasing volume of email.

Wait, that’s not all – Outlook Web Access/Outlook Live also includes integrated instant messaging, bringing email, voicemail, and instant messaging (IM) into a single client. Now you can see presence information integrated within OWA, and start a conversation from within the browser window.

To find out more and watch the video (including what may be the first-ever demo of Exchange features on a MacBook Pro :-), head over to ‘Introducing Outlook Live for schools – and cool new features for everyone’ on the Exchange team blog. Make sure you post what you think of the dramatic intro music in the video! :)


Friday, September 26, 2008

Have you been using the Set-MailboxCalendarSettings cmdlet to configure scheduling settings for resource mailboxes? Wish there was a graphical interface to configure these settings?

[PS] C:\>get-mailboxcalendarsettings cf-oahu | fl

AutomateProcessing : AutoAccept
AllowConflicts : False
BookingWindowInDays : 180
MaximumDurationInMinutes : 1440
AllowRecurringMeetings : True
EnforceSchedulingHorizon : True
ScheduleOnlyDuringWorkHours : False
ConflictPercentageAllowed : 0
MaximumConflictInstances : 0
ForwardRequestsToDelegates : True
DeleteAttachments : True
DeleteComments : True
RemovePrivateProperty : True
DeleteSubject : True
DisableReminders : True
AddOrganizerToSubject : True
DeleteNonCalendarItems : True
TentativePendingApproval : True
EnableResponseDetails : True
OrganizerInfo : True
ResourceDelegates : {}
RequestOutOfPolicy :
AllRequestOutOfPolicy : False
BookInPolicy :
AllBookInPolicy : True
RequestInPolicy :
AllRequestInPolicy : False
AddAdditionalResponse : False
AdditionalResponse :
RemoveOldMeetingMessages : True
AddNewRequestsTentatively : True
ProcessExternalMeetingMessages : False
DefaultReminderTime : 15
RemoveForwardedMeetingNotifications : False
Identity : MDomain.com/Conference Rooms/CF-Oahu

Output of Get-MailboxCalendarSettings cmdlet

Christian Schindler, MCT, MCA (Messaging), from Austria points out the little-known fact that you can use OWA to configure calendar settings for resource mailboxes. Note, the user accounts for resource mailboxes are disabled by default. You would need to enable the account in ADUC before you try to log on using OWA.

An alternative to enabling resource mailboxes

If you want to avoid enabling resource mailbox accounts, here's an alternative. You can assign yourself (or any other account) FullAccess permission on the resource mailbox(es) you want to configure. Use the following command:

Get-Mailbox -Filter {RecipientTypeDetails -eq "RoomMailbox"} | Add-MailboxPermission -User "YourAccount" -AccessRights FullAccess

With the permission assigned, you can log on to OWA using your account, and open the resource mailboxes using OWA 2007's ability to open additional mailboxes, as shown in the following screenshot.

Screenshot: OWA | Open Other Mailbox

If you look at Options in OWA when logged in as an ordinary mailbox user (that is, not logged on to a resource mailbox), you see Calendar Options.

If you log on to a resource mailbox using OWA, you also see Resource Settings as one of the options.

Figure 1: The Resource Settings option is available in OWA when logged on to a resource mailbox.

Not only does this allow you to configure the settings for automated processing of meeting requests, there's also a rich text editor for creating a custom response message.

Figure 2: The Resource Settings option also has a rich text editor for creating a custom HTML response message.
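The FullAccess grant described above stays in place until it is removed. The following added example (not part of the original post) reviews explicit FullAccess grants on room mailboxes and then removes the one made for configuration; "YourAccount" is the placeholder from the command above, and the script assumes the Exchange Management Shell.

```powershell
# Added example: review and clean up FullAccess grants on room mailboxes.
# "YourAccount" is the placeholder account used in the Add-MailboxPermission command.
$admin = "YourAccount"

$rooms = Get-Mailbox -Filter {RecipientTypeDetails -eq "RoomMailbox"} -ResultSize Unlimited

# 1. Review: every explicit (non-inherited) FullAccess allow entry on room
#    mailboxes, excluding the mailbox's own SELF entry. This also surfaces
#    grants left behind by earlier configuration sessions.
$explicit = @($rooms | Get-MailboxPermission | Where-Object {
    -not $_.IsInherited -and
    -not $_.Deny -and
    ($_.AccessRights -like '*FullAccess*') -and
    ($_.User -notlike 'NT AUTHORITY\SELF')
})
$explicit | Format-Table Identity, User, AccessRights -AutoSize

# 2. Clean up: remove the grant made for $admin once Resource Settings
#    have been configured. Remove -WhatIf to apply.
$mine = @($rooms | Get-MailboxPermission -User $admin | Where-Object {
    -not $_.IsInherited -and -not $_.Deny -and ($_.AccessRights -like '*FullAccess*')
})
foreach ($grant in $mine) {
    Remove-MailboxPermission -Identity $grant.Identity -User $admin `
        -AccessRights FullAccess -WhatIf
}

"{0} explicit FullAccess entries found; {1} belong to {2}." -f `
    $explicit.Count, $mine.Count, $admin
```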


Tuesday, May 27, 2008


While you were out: Scheduling meetings and OOFs

Posted by Bharat Suneja at 8:00 AM
Although it's been an accepted (and expected) practice to set up OOF auto-responses while you are out of office, I haven't been a big fan of OOFs in the past. My reasons:

1. I often forget to turn off OOFs once I'm back in the office, or forget to set these up in the first place— setting up OOFs isn't exactly a priority for many when leaving for a business trip or a vacation.
2. At times I don't want to provide the same information to external senders that I provide to internal ones.
3. I don't want to broadcast to the whole world about being out of office.
4. I hate to respond to spammers (or phishers and identity thieves) and confirm my email address with a nice little OOF response that may also have more personal details about me, including contact information.

Exchange Server 2007 and Outlook 2007/OWA have help for folks like me.

Schedule OOFs: You can beat the last minute OOF blues by scheduling OOF start and stop times using the Out Of Office Assistant in Outlook 2007 [Tools -> Out of Office Assistant] or OWA [Options -> Out of Office Assistant].
Different internal and external OOF responses: You can also set up different OOF messages for internal and external recipients.
Restrict external OOFs: You can restrict OOFs to internal senders or your Contacts only.

Screenshot: Out Of Office Assistant with options for different OOFs for internal and external senders
Figure 1: The Out of Office Assistant allows you to schedule OOFs, create different OOF messages for internal and external senders, and restrict external OOFs to your Contacts

However, OOF auto-responses are sent out exactly once per sender - the very first time the sender sends you a message.

When planning to be out of office, it's a great idea to set up a Calendar appointment for yourself and mark the status as out of office instead of busy.

Screenshot: Creating a Calendar appointment for the OOF period
Figure 2: When planning to be out of office, create an appointment on your Calendar and set the status to out of office

When another user tries to schedule a meeting with you during the period you're out of office, your Free/Busy information does not show your OOF status. Setting up the OOF appointment in your Calendar allows meeting organizers to instantly identify whether you're just busy or actually out of the office during the period.

Screenshot: Meeting organizers' view your Free/Busy info while you're OOF
Figure 3: Meeting organizers can instantly determine your out of office status

Related posts:
- The hilarious lingo of Exchange folks
- Why is OOF an OOF and not an OOO?
- Legacy client and Out of Office (OOF) interoperability
- OOF integration with Exchange Server 2007 Unified Messaging (UM)


Monday, January 28, 2008

Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.

The self-signed certificate meets an important need - securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It's not recommended to use these for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

However, should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these need to be renewed - just as you would renew certificates from 3rd-party or in-house CAs.

1. To renew the certificate for server e12postcard.e12labs.com, a server with CAS and HT roles installed:

Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If the existing certificate is being used for SMTP, you will get the following prompt:

Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Type y to continue. A new certificate is generated.

Thumbprint   Services   Subject
----------   --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....   CN=E12Postcard

The new certificate is generated and enabled. Examine the new certificate:

Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

2. The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP - IIS is missing.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

This enables the certificate for IIS (in addition to any other services it may already be enabled for - it adds to existing values of the services property).

3. Test that services are working with the new certificate. If they work as expected, the old certificate can be removed:

Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
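As an added example (not part of the original post), the check below compares the services on the old and new certificates, enables any that did not carry over (IIS in the walkthrough above), and only then offers the old certificate for removal. It assumes the Exchange Management Shell; the thumbprints are the ones used in this post and must be replaced with your own.

```powershell
# Added example: verify a renewed self-signed certificate before removing the old one.
# Thumbprints are the ones from the walkthrough above; substitute your own.
$oldThumbprint = "C5DD5B60949267AD624618D8492C4C5281FDD10F"
$newThumbprint = "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E"

# Services is a flags value that prints as e.g. "IMAP, POP, IIS, SMTP";
# split it into individual service names so the two sets can be compared.
function Get-ServiceNames($cert) {
    $cert.Services.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' }
}

$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint

"Old: {0}  expires {1}" -f [string]::Join(',', @(Get-ServiceNames $old)), $old.NotAfter
"New: {0}  expires {1}" -f [string]::Join(',', @(Get-ServiceNames $new)), $new.NotAfter

# The renewal is pointless if the new certificate does not outlive the old one.
if ($new.NotAfter -le $old.NotAfter) {
    Write-Warning "New certificate does not expire later than the old one; stopping."
    return
}

# Enable every service the old certificate had that the new one lacks.
$newServices = @(Get-ServiceNames $new)
$missing = @(Get-ServiceNames $old | Where-Object { $newServices -notcontains $_ })
foreach ($svc in $missing) {
    "Enabling $svc on the new certificate"
    Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services $svc
}

# Re-read the new certificate and confirm nothing is still missing.
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint
$newServices = @(Get-ServiceNames $new)
$stillMissing = @(Get-ServiceNames $old | Where-Object { $newServices -notcontains $_ })

if ($stillMissing.Count -gt 0) {
    Write-Warning ("Still missing on new certificate: " + [string]::Join(',', $stillMissing))
}
else {
    # Test client access (OWA, POP, IMAP, SMTP) first, then remove -WhatIf.
    Remove-ExchangeCertificate -Thumbprint $oldThumbprint -WhatIf
}
```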

Related posts:
- Outlook Anywhere and Exchange's Self-Signed Certificate
- Which name should I use as Common Name for my UC certificate?
- DigiCert: A Certificate Authority with excellent customer service


Tuesday, August 14, 2007


Xbox 360 and Zune themes for Outlook Web Access

Posted by Bharat Suneja at 3:54 PM
In line with the much sought-after :) Xbox theme for OWA 2003, the Exchange team just went live with the (drumroll) Xbox 360 and Zune themes for OWA 2007 SP1. Get them from the team blog: "New OWA themes for Exchange Server 2007 SP1".

Next on the wish-list: A Mac OS X theme for OWA, to go with the cool new iMacs and Mac Book Pros...? :)


Tuesday, July 31, 2007

I finally took the plunge and decided to get a certificate from a public Certificate Authority (CA) for my Exchange Server 2007 server at home. A certificate that supports Subject Alternative Names (SAN certificate, aka "Unified Communications" certificate), no less. Having dealt with a number of CAs in the past, and having heard some horror stories about getting a certificate that supports Subject Alternative Names, I wasn't quite looking forward to the exercise.

Thanks to Office Communications Server (OCS) MVP (and fellow Zenpriser till recently... ) Lee Mackey, the CA he recommended - DigiCert - provided exemplary customer service.

Chain of events:
- Generate SAN certificate request using the New-ExchangeCertificate command from Exchange Server 2007 (for a couple of domains, includes the Autodiscover.domain.com fqdn).
- Submit request to DigiCert
- Get confirmation emails from DigiCert (for multiple domains)
- Within a few seconds, while I'm still clicking on the confirmation messages, I get a call from a DigiCert rep to confirm the details
- The rep informs me the physical/mailing address with the domain registrar for one of the domains is not current or not the same as the one I provided when requesting the cert
- Rep waits while I correct it on the domain registrar's web site
- Confirms the address is updated in the registrar's WHOIS info
- Asks for a photo ID to be uploaded on their secure site
- I email him the photoID instead of uploading it
- By the time I'm back from the scanner/copier to my desk, and hit refresh, the photo ID shows up on DigiCert's web site
- Within a few minutes I get the certificate by email
- Install certificate and test it with the different domains - works!

An impressive and positive customer service experience - these guys rock! If you're in the market for a digital certificate, check them out.

Requesting and using certificates for Exchange Server 2007

- KB 929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
- Use the Import-ExchangeCertificate command to import the new certificate, and Enable-ExchangeCertificate command to enable the new certificate for Exchange services you want to use it with (IIS, SMTP, IMAP, POP, and UM)
- Also recommend reading the team blog post by John Speare: Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
- SAN certificates cost significantly more than regular SSL certificates as of now. Figure out if using multiple regular certificates (may require additional IP address) works out for your deployment.

ISA Server issues

- Forms-Based Authentication: If using ISA (ISA 2006 in my case) to publish Exchange CAS URLs for OWA, disable the Forms-Based Authentication on Exchange's OWA virtual directory, else you'll get two Forms-Based Auth pages and will end up having to authenticate twice - once with ISA, and once with Exchange.
- A useful doc if you're publishing with ISA 2006: Publishing Exchange Server 2007 with ISA Server 2006.
- ISA and SAN Certs: ISA 2004/2006 still have issues with SAN certs, discussed in the ISA team blog: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing.


Sunday, July 22, 2007


SCRIPT: Turning on Filter Junk Email

Posted by Bharat Suneja at 2:53 PM
OWA users who never log on using Outlook do not have their Junk Mail filtering option turned on by default. Exchange MVP Glen Scales has a script here that allows you to turn this on programmatically for Exchange Server 2007 users.


Wednesday, May 23, 2007


Happy Birthday OWA: Outlook Web Access Turns 10!

Posted by Bharat Suneja at 7:26 AM
Outlook Web Access, the web-based interface for accessing Exchange, turns 10 today! Released on May 23, 1997, as part of Exchange 5.0, OWA went by the name "Exchange Web Access" back then.

OWA has come a long way since Exchange 5.0 - abandoning its ability to live on a separate (non-Exchange) IIS server on the way (amongst other things), and gaining exciting new capabilities. Here's an interesting post on the team blog about the evolution of OWA - "Outlook Web Access - A catalyst for web evolution"

OWA 2003 was a huge improvement over OWA 2000 - it became my client of choice to access Exchange. It also became one of the reasons a few deployments I was involved with chose to upgrade - once remote users got hooked to OWA 2003, many didn't want to go back to Outlook client over VPN. (Yes, RPC over HTTP has been around since then, but in the absence of stronger authentication support like RSA SecurID, it's been a challenge to have security folks agree to such access in many cases).

The shiny new OWA in Exchange Server 2007 is quite impressive - it's much closer to an Outlook client - including:
- capability to right-click items and get OWA/email related options (instead of those related to a web page)
- a "browsable" GAL/Address Book that was missing in previous versions (and added by third-party solutions like MessageWare)
- the Outlook-like behavior of new messages popping up without having to refresh
- the new OOF wizard with different OOF options for internal and external recipients and ability to restrict OOFs to a user's Contacts
- Junk Mail management options (Safe/Blocked senders)
- ability to manage Windows Mobile devices
- empty Deleted Items on exit/logoff
- and the less annoying pop-up meeting reminders to name a few.

(A more extensive list of the new features in OWA 2007 can be found in "Client Features in Outlook Web Access" in the product documentation).

Even "OWA Light" - the interface seen by legacy and non-IE browsers, is quite feature-rich and a pleasure to use.

The missing features like deleted item recovery, S/MIME support, Public Folder access, rules, etc. have been a thorny issue. Luckily, these are making their way back in SP1 [read previous post "Exchange Server 2007 SP1: A bag of goodies!"].

It'll be interesting to see what OWA has in store for E14 - the next version of Exchange (yes, I know Exchange 2007/E12 just RTMed, but that's the nature of software companies... with one product version shipped, it's time to work on the next one... :).


Friday, December 08, 2006


Windows Vista and Outlook Web Access

Posted by Bharat Suneja at 6:28 PM
If you're using a version of Windows Vista since Beta 2 (including RTM), the version of IE7 included with Vista does not have or support the DHTML Editing (ActiveX) control that allows you to compose or reply to messages in Outlook Web Access. As a result, when you try to compose or reply to messages using OWA, you see the part of the message where you would type your message body is grayed out (like a missing image).

To fix it, you need to install the update in KB 911829. Requires Exchange Server 2003 SP2.


Wednesday, November 22, 2006


SCRIPT: Show OWA Users

Posted by Bharat Suneja at 7:00 PM
This is a modified script that shows current OWA/HTTP logons to the Store(s) on one or more servers. The script takes NetBIOS names of servers as command-line arguments (separated by spaces), and uses the Exchange_Logon WMI class to connect to each server and retrieve the list of users currently logged on.


ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3

If Cscript is not your default scripting engine, it is advisable to add Cscript before the script name when you run this:

cscript SHOWHTTPLogons.vbs EXCH1 EXCH2 EXCH3

The script ignores non-HTTP logons, and displays the mailbox (display name), logged on user, and the Store name in a comma-separated format.

To dump output to a CSV file, simply add >MyOutputFileName.csv to the end of the command when running it, as shown here:

Cscript ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3 >MyOutputFileName.csv

The script does not display logons by the System account (NT AUTHORITY\SYSTEM), but these are counted and displayed as a summary, in addition to the number of actual HTTP logons by users. Please note, a single OWA session can have multiple HTTP logons on the Store, so this is by no means a way to calculate the actual number of users currently logged on using OWA. You will see repeated entries for mailboxes because of this (... it's not a very tidy script, but written in a hurry.... hopefully I will be able to fix that at a later date).

Note: You will need to extract the file and rename it with a VBS extension.


Monday, December 06, 2004

Users in Japan cannot send and receive messages in Japanese. They get an error in Japanese.

Translation: You cannot send the message because the code page of this language was not found on the server. Contact your system administrator

This is actually documented in the Exchange Server 2003 RTM Release Notes. Go to Known Issues | Clients link.

Solution: Install the East Asian language files on all front-end and mailbox servers.
1. Go to Control Panel | Regional & Language options | Languages
2. Check the "Install files for East Asian languages" checkbox [screenshot]

Will require the Windows Server source files/CD, and will need to reboot as well.