Importing SMTP or Custom Recipients into Exchange

Steps to Installing and Configuring Outlook Web Access

This document describes steps and issues pertaining to the installation and configuration of Outlook Web Access (OWA). It assumes version 5.5 of Microsoft Exchange Server and version 4.0 of Internet Information Server (IIS), which includes Active Server Pages (ASP).

CGNET is happy to provide this concise guide, which is based on its 20 years' experience providing managed email and managed network services. You may also be interested in our fairly extensive list of more resources for Installing and Administering Exchange 5.5 on Windows NT 4. CGNET provides many services, including consulting, network installation, managed email, network monitoring and management, Web hosting and global roaming Internet access. We have particular experience working with non-profits and NGOs, and our network currently serves users in 94 countries. Check out our home page for more information about how we can help you.

Contents

1. Important Considerations
2. Installing NT Option Pack 4.0
3. Installing Exchange OWA
4. Configuring NT Accounts and Directory Permissions
5. Configuring IIS
6. Configuring Exchange Server
7. Allowing Anonymous Access to Public Folders
8. Customizing Outlook Web Access
9. Testing
10. Other Issues

1. Important Considerations

• Outlook Web Access for Exchange 5.0 requires IIS 3.0 and Active Server Pages (ASP). If you wish to use IIS 4.0, you must upgrade to Exchange 5.5
• IIS and ASP must be installed prior to installing Exchange Outlook Web Access. If not, Outlook Web Access must be reinstalled.
• IIS 4.0 requires NT 4.0 with Service Pack 3. An additional hotfix, roll-upi.exe, contains patches not included on SP 3 and so must also be applied afterward.

2. Installing NT4.0 Option Pack

See the instructions on installing NT 4.0 Option Pack if you haven't already installed it. It needs to be installed prior to installing Exchange 5.5 Outlook Web Access.

3. Installing Exchange Outlook Web Access

1. Insert the Microsoft Exchange Server 5.5 CD. When the CD is inserted, it should AutoPlay.
2. Select Setup Server and Components.
3. Select Microsoft Exchange Server 5.5
4. If Exchange 5.5 was not yet installed, refer to the installation instructions for Exchange 5.5
5. If Exchange 5.5 was already installed, select Add/Remove Components.
6. Select Outlook Web Access and click 'Continue'
7. Messages will appear that IIS is being stopped and then restarted, files are copied from the CD and then Setup installs OWA
8. You may get the following message: "Setup has detected that you are not running a set of Windows NT related fixes required for Outlook Web Access. Please see the release notes for further instructions." This message refers to the hotfix, "roll-upi.exe", described in the NT 4.0 Option Pack Installation Instructions.
9. Click 'OK' when the setup is complete.
10. Apply the latest MS Exchange Server 5.5 Service Pack(s)
11. Reapply NT 4.0 Service Pack 3 and the roll-upi.exe hotfix.

4. Configuring NT Accounts and Directory Permissions

When you install IIS and Outlook Web Access, some accounts and directories are added to your system. You need to check that these accounts are configured properly and that permissions to these directories are set correctly.

Installing IIS creates a new account in user manager, whose name is IUSR_Machine_Name, where Machine_Name is the name of the server. This account is the anonymous access account for IIS; IIS uses this account to represent an (anonymous) web user's browser when accessing resources on the web server, including scripts.

Permissions:

1. In User Manager,
1. Select the IUSR_Machine_Name Account and edit its properties:
• Change its password and record the password you gave it.
• Make sure the account is enabled
• Make sure that the user cannot change the password, and that it never expires
• Click the 'Groups' button: this account should be a member of "Domain Users"
• Click the Accounts button: this account should be a global account.
2. Select the Guest account and edit its properties:
• Enable the account (uncheck the 'Disable account' checkbox) if you wish to allow anonymous access to public folders.
3. Select User Rights from the Policies pull-down menu. Make sure that the IUSR_Machine_Name account (or a group that it belongs to) has the Log on Locally and Access this Computer from the Network rights.
2. In NT Explorer, IUSR_Machine_Name must have at least Read permission for the subdirectory trees D:\INETPUB\WWWROOT\ and D:\EXCHANGE\WEBDATA\. Other recommended permissions for these two trees are:
• Administrators Group - Full Control
• Administrator - Full Control
• System - Full Control
• Network Group - Read
• Interactive Group - Read
• Everyone - Read (this is necessary only because IUSR_Machine_Name is a member of this group. If there is another, more restricted group on your system of which IUSR_Machine_Name is a member, then you could use that group instead, or even simply grant Read permission to the IUSR_Machine_Name account itself).
• ExchAdmin (The Exchange Administrator account) - Full Control on D:\EXCHANGE\ tree only, not on D:\INETPUB\WWWROOT\

Note: All Exchange users also have NT level accounts. These accounts should be set so that the user's password never expires. Make sure that the checkbox "User must change password" is deselected, because the user has no way to change his/her password via the web or via Outlook Web Access. If this checkbox is checked, the user will not be able to access her/his account.

5. Configuring IIS

The installation of Outlook Web Access should have created a virtual directory under the default web server, with the alias 'Exchange', pointing to the physical directory D:\EXCHANGE\WEBDATA (assuming that that's where Exchange and OWA were installed).

In IIS Administrator (Microsoft Management Console), right-click on Default Web Site

1. Click the Documents tab, check that default document is enabled, and that default.htm and default.asp are included as default document names.
2. Click the Directory Security tab, and edit the anonymous access and authentication control. Make sure that the Allow Anonymous Access and Basic Authentication checkboxes are selected. Click on the button to edit Allow Anonymous Access. If the username doesn't correspond to IIS' anonymous user (IUSR_Machine_Name), click the browse button to browse accounts in User Manager, and select that account. Enter its password here, and confirm it. If you will be changing the anonymous user account's password, you can select the checkbox marked Enable Automatic Password Synchronization.

Note: If IIS will be running on a different computer than Exchange, you will need to disable the NT Challenge/Response checkbox.
3. When you click OK, you will be asked whether to apply any changes you made to the Default Web Site properties to its child nodes. One of these nodes is the Exchange virtual directory. Make sure that this node is selected so that the changes you just made apply to it as well.

In Microsoft Management Console, right-click on the Exchange virtual directory.

1. In the Virtual Directory tab, make sure that this directory has Execute Permissions (Including Script) enabled.

6. Configuring Exchange Server

In Exchange Administrator,

1. Open the Configuration Container. Select DS Site Configuration and double-click it or choose Properties from the File menu. On the General Page, enter the anonymous IIS user account (IUSR_Machine_Name), with the same password as defined under User Manager. Click on the Permissions tab, and make the IUSR_Machine_Name account has Search permissions; if not, add them.
2. Select Protocols and then LDAP. Double-click it or choose Properties from the File menu. Enable this protocol. Click on the Permissions tab and make sure the IUSR_Machine_Name account has Search permissions; if not, add them. Click on the Authentication tab and allow Basic Authentication (clear text) and make sure NT Challenge response is set the same way as under IIS.
3. Select Protocols and then HTTP. Double-click it or choose Properties from the File menu. Enable the protocol. Allow anonymous access to the global address list, if you wish to allow full domain browsing. Click on the Permissions tab and make sure the IUSR_Machine_Name account has Search permissions; if not, add them.

7. Setting Up Anonymous Access to Public Folders

If you wish to allow web access directly to public folders (without requiring a user to log in to his/her own Inbox), then do the following. In Microsoft Exchange Administrator:

1. Open the Configuration container.
2. Choose Protocols, and then double-click HTTP (Web) Site Settings
3. Select the Allow anonymous users to access the anonymous public folders check box.
4. Select the Folder Shortcuts tab.
5. Choose New to add folders for anonymous viewing, and select an existing folder in the Public Folders dialog box.
6. Choose OK.

Published folders must have at least Read permission granted to Anonymous. This is set in the Permissions tab for the specified folder. Folder permissions can be accessed from either the Microsoft Exchange Server Administrator program or from the client.

1. In the Microsoft Exchange Server Administrator program, browse to the public folder for which you created a shortcut.
2. From the File menu, choose Properties.
3. Choose Client Permissions.
4. In the box at the top of the Client Permissions dialog box, select Anonymous, and change its role from None to the desired level of access.
   If you want to publish all subfolders of this folder for anonymous access, select the Propagate these properties to all subfolders check box.
5. Choose OK.

8. Customizing Outlook Web Access

You can customize Outlook Web Access for your organization to make it easier for your Exchange users. See the instructions in the document Customizing Outlook Web Access.

9. Testing the Installation

To test Outlook Web Access, start up a web browser and point it at http://IIS_Machine_Name.organization.org/Exchange/, where "IIS_Machine_Name" is the name of the server where IIS is installed, and "organization" is your organization. If you've customized the web interface to Outlook Web Access as in step 8 above, you may be able to simply access the service as http://outlook.organization.org/.

The outlook web access logon screen appears.

Enter your username and click on the link. When the authentication dialogue appears, enter your username again (along with its NT domain if you haven't configured a default), and your password. When you click OK, the Outlook Web access screen appears.

Make sure that you test at least all of the following functions:

• Reading messages
• Composing new messages
• Replying to a message
• Checking for new mail
• Adding an attachment to a message
• Searching for names in the address book
• The Calendar
• Viewing and posting to public folders

If you have enabled anonymous access to public folders, test this too. Make sure that you click the logoff button, bringing up the logoff screen. Test the functionality of the log on again link. Finally, quit out of the browser.

10. Other Issues

If you install Microsoft Outlook version 8.03 on a Microsoft Exchange Server 5.5 computer, Outlook Web Access does not perform as expected. To solve this problem, run Regsvr32a.exe after you install Outlook. This utility resets the affected registry settings by reregistering Cdo.dll. You can download Regsvr32a.exe from the Microsoft web site at:

http://premium.microsoft.com/support/downloads/dp2439.asp

Run Regsvr32.exe from the command line using the full path to Cdo.dll as the argument. For example, the following command changes the registry settings by re-registering Cdo.dll:

Regsvr32.exe <systemroot>\system32\cdo.dll (where <systemroot> is your Windows NT directory)

For more information, see the Microsoft Knowledge Base article, Q176744: XCLN: Installing Outlook on OWA Server Causes Access Failure