Recently, Microsoft Exchange administrators have renewed interest in segmentation with Exchange Server 2007. What is segmentation? It's the ability to enable and disable various Outlook Web Access (OWA) features so that users have limited access to OWA capabilities.
There are two reasons segmentation has become more popular. First, many organizations are now heavily regulated and cannot allow OWA users to access certain features. Second, Exchange administrators view certain OWA features as security threats.
Segmentation has always been possible in Outlook Web Access 2003, but it has never been exposed through the Exchange System Manager (ESM). However, if you are interested in segmenting OWA 2003, or in performing other types of customizations, Microsoft offers a free utility that lets you point and click your way through the process.
The utility is called the Microsoft Exchange Server Outlook Web Access Web Administration tool, also known as the OWA Admin tool. Download the OWA Admin tool from the Microsoft website.
Next, copy the MSI file that you have downloaded to your Exchange 2003 OWA server. (Note: The OWA Admin tool will not work with Exchange 2007 Client Access servers.) When you double-click the file, Windows will launch the Setup Wizard, which guides you through a simple installation process.
For the OWA Admin tool to work properly, you must have an SSL certificate installed on your OWA server. This shouldn't be a problem, since operating OWA without SSL encryption isn't recommended.
You should now be able to access the OWA Admin tool by opening your Web browser and navigating to HTTPS://your_OWA_server_name/OWAAdmin. For example, my OWA server is named Tazmania, so I entered https://tazmania/OWAAdmin to access the OWA Admin tool. Enter a set of administrative credentials when prompted and you will be taken to the main OWA Admin screen (Figure 1).
The OWA Admin screen is divided into an Administration section and a Customization section. The Administration section lets you tune various OWA features. For example, if you click on the Attachment handling link, you will be taken to the screen that is shown in Figure 2.
This screen lets you enable or disable attachments through OWA. You can also specify which types of attachments you want to block. The OWA Admin tool has many similar administration screens.
To use segmentation to enable or to disable various OWA components, click the Server-wide feature support link, which is located in the Customization section of the main OWA Admin screen (Figure 1). This will take you to the Modify Server Features screen (Figure 3).
On this screen, you can enable or disable a number of different OWA features by selecting or deselecting the corresponding checkbox. Access to a user's mailbox is the only feature that cannot be disabled.
How useful is OWA segmentation? Here's an example. One company did not allow users to send or receive email attachments. They only allowed documents to be stored in Exchange public folders. To prevent OWA users from leaking sensitive data, the company chose to deny users access to public folders. In this case, public folders and their contents could be accessed only from Microsoft Outlook clients within the company's perimeter network.
About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.