Segmentation is a technique that lets you control Outlook Web Access on a component-by-component basis. For example, you might allow users to access their email through OWA, but not allow them to access their calendar.
Exchange Server has supported segmentation since the release of Exchange 2000 Server SP2. However, implementing segmentation in earlier versions of Exchange Server required administrators to modify the registry. The process also required modifying individual mailboxes using ADSI Edit to manually change an Active Directory database. You can safely perform segmentation in Exchange Server 2007 through the GUI.
There are at least three valid reasons to segment OWA:
- Profit -- Nearly all ISPs include email access with a user's subscription, but some ISPs give users access to other Microsoft Outlook features - calendar or contacts - for a premium. Segmentation lets ISPs reserve more advanced OWA features for clients who are paying higher subscription fees.
- Reduce Client Access Server workload -- Client Access Servers (CAS) can handle several users, but some circumstances could cause sub-par CAS performance. By eliminating access to the premium OWA client, or to individual features, you can reduce a Client Access Server's resource consumption, if the disabled features were being used.
- Security -- OWA isn't inherently insecure, but there are security concerns when users access OWA from a public kiosk. Web browsers keep a copy of website data in a browser cache, and it's possible to retrieve sensitive information from there. While this isn't extremely likely, a skilled hacker could retrieve sensitive information from the machine's cache under the right circumstances. Therefore, if you know that your user's contact list contains confidential customer data, you may want to consider disabling contacts for OWA users.
To segment OWA:
- Open the Exchange Management Console and navigate to Server Configuration -> Client Access.
- Select the Client Access Server that you want to segment, and right click on the listing for OWA (Default Web Site).
- Select Properties from the menu and the console will display the OWA (Default Website) Properties sheet.
- To segment OWA, go to the Segmentation tab (Figure 23).
- Select the OWA feature that you want to disable, and click Disable. To re-enable a feature, select it and click Enable.
- Click OK. Remember -- any changes that you make to a server's segmentation won't go into effect until you restart IIS.
OWA segmentation features
Segmentation lets you enable and disable individual OWA features. Following are a few OWA segmentation features.
Exchange ActiveSync Integration -- Generally, OWA offers a user interface to Exchange ActiveSync that lets users remotely wipe a mobile device. The interface also lets users associate specific mobile devices with their Exchange mailbox, and perform various device maintenance functions. Disabling Exchange ActiveSync Integration removes this user interface.
All Address Lists -- When this feature is enabled, users can access all address lists. If you disable this feature, users will only have access to the Global Address List (GAL).
Calendar -- This controls whether or not users can access their calendar. Because the calendar is a primary feature of OWA, it's best to leave it enabled unless you have a compelling reason to disable it.
Contacts -- Disabling this feature prevents users from accessing their contact list. You may want to occasionally disable this feature for security reasons; however, this generally isn't advised.
Journal -- Disabling this feature prevents users from accessing the journal.
Junk Email Filtering -- Disabling the Junk Email Filtering feature doesn't disable spam filtering. Instead, it prevents users from setting spam filtering options in OWA. Any junk email filtering settings that were made using a regular Outlook client will still be in effect when a user views his mailbox through OWA.
Reminders and Notifications -- This feature is new to OWA in Exchange Server 2007. Disabling the Reminders and Notifications feature prevents users from receiving notifications of new email messages, task reminders, calendar reminders and automatic folder updates.
Notes -- If this feature is disabled, users cannot access notes.
Premium Client -- When a user logs into OWA, the premium client is used by default. The OWA sign-on screen contains an option that lets users access the OWA Light instead. The light client typically is used when bandwidth limitations are a problem, or when a user isn't using a full-featured Web browser. For example, if a user signs onto OWA using a Web-enabled cell phone's browser, they would benefit from OWA Light. Disabling the premium client feature forces users to use OWA Light.
Search Folders -- Disabling this feature prevents users from accessing Microsoft Exchange search folders.
Email Signature -- Disabling this feature prevents OWA users from editing email signatures. They also cannot choose whether or not signatures are included in outbound messages. Additionally, automatic signatures won't be appended to the end of messages sent through OWA, even if a user has configured the Exchange server to do so in Microsoft Outlook.
Spelling Checker -- When enabled, this feature lets users spell-check messages.
Tasks -- Disabling the Tasks feature prevents users from accessing their task list.
Theme Selection -- A user can revert to a built-in theme, instead of a custom theme. Disabling the Theme Selection feature forces users to use the theme that you specify.
Unified Messaging Integration -- If unified messaging has been enabled in an OWA client, then OWA displays a unified messaging interface. Disabling the Unified Messaging Integration feature lets you hide this interface.
Change Password -- Because a user may or may not use a secure machine to access OWA, you may want to disable his or her ability to change the Windows password through OWA. Users receive password-expiration warnings starting 14 days before the password actually expires. This gives them enough time to change their password before being locked out.
Server-level segmentation applies to the Client Access Server that you selected at the beginning of the segmentation procedure. Any changes that you make to a Client Access Server's segmentation will apply to any user accessing OWA through that server. Keep in mind: user-level segmentation always takes precedence over server-level segmentation.
Exchange Server 2007 supports user-level segmentation, but this feature isn't available through the GUI. You can use the Exchange Management Shell to segment OWA at the user level via the Set-CasMailbox command.
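The user-level counterpart of disabling Contacts and Change Password, shown as an added example for the Exchange Management Shell on Exchange Server 2007 (not code from the original article). The mailbox addresses are constructed placeholders.

```powershell
# Added example: user-level OWA segmentation for accounts that sign in
# from shared or public machines. Run in the Exchange Management Shell.
# Constructed placeholder mailboxes; replace with real identities.
$kioskUsers = 'kiosk1@example.com', 'kiosk2@example.com'

foreach ($user in $kioskUsers) {
    # Confirm the mailbox resolves before changing it, so a typo in the
    # list produces a warning instead of a silent gap in coverage.
    $cas = Get-CASMailbox -Identity $user -ErrorAction SilentlyContinue
    if (-not $cas) {
        Write-Warning "No mailbox found for $user; skipped"
        continue
    }

    # Disable the two features the article singles out for security
    # reasons: the contact list and the OWA password change page.
    Set-CASMailbox -Identity $user `
        -OWAContactsEnabled $false `
        -OWAChangePasswordEnabled $false
}

# Audit: list every mailbox where either feature is disabled at the
# user level, so the result can be checked against the intended list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.OWAContactsEnabled -eq $false -or
        $_.OWAChangePasswordEnabled -eq $false
    } |
    Select-Object Name, OWAEnabled, OWAContactsEnabled, OWAChangePasswordEnabled |
    Format-Table -AutoSize
```

Because user-level settings take precedence over the server's, rerun the audit after any server-level change to see which mailboxes still carry their own overrides.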
ABOUT THE AUTHOR: Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.