Demonstration Steps for Module 6: Managing Client

Access

Demonstration: Process for Securing Client Access Servers

Preparation
Ensure that the 5047B-SYD-DC1 virtual machine is running. Log on to the SYD-DC1 as
Administrator with the password of Pa$$w0rd.

Important: When you start the virtual machines, ensure that you start 5047B-SYD-
DC1 first and that it is fully started before starting any other virtual machines. If you
receive a notification that one or more services failed to start when starting a virtual
machine, open the Services console on the virtual machine and ensure that all
Microsoft Exchange services that are configured to start automatically are started.

 Demonstration Steps
1. On SYD-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type copy “E:\Program Files\Microsoft\Exchange
Server\Scripts\Exchange2007_WinSrv2008.xml”
C:\Windows\Security\msscw\kbs, and then press ENTER. This copies the XML
configuration file for Exchange 2007 into the directory with other XML files used by
SCW.
3. Type scwcmd, and then press ENTER. Notice the options available:
 Analyze. Compares a policy with the existing security configuration on the local
computer and generates a report.
 Configure. Applies a policy to the local computer.
 Register. Configures SCW to use a new XML configuration file that describes
server roles.
 Rollback. Rolls back the most recent policy application.
 Transform. Converts an SCW policy into a Group Policy object that can be
applied in Active Directory. IIS settings from an SCW policy are not converted
to Group Policy settings.
4. Type scwcmd register, and then press ENTER. This displays the Help file for the
scwcmd command. This command is used to register the Exchange2007.xml or
Exchange2007_WinSrv2008.xml file with SCW. The options are:
 /kbName. Specifies the name for the extension in SCW. The parameter is
required except when using the /d option.

1
  /kbfile. Specifies the name of the file being registered. This parameter is
required.
 /kb. Specifies the path to the file. The path can also be included with the /kbfile
option.
 /d. Specifies that an XML configuration file should be unregistered.
5. Type scwcmd register /kbName:Exchange2007 /kbfile:C:\Windows\security\
msscw\kbs\Exchange2007_WinSrv2008.xml, and then press ENTER. This
command configures SCW to use the Exchange 2007_WinSrv2008.xml
configuration file. Now SCW can secure Exchange 2007 servers properly.
6. Close the command prompt window.
7. Click Start, point to Administrative Tools, and then click Server Manager.
8. In the Security Information section, click Run Security Configuration Wizard.
9. Click Next to begin SCW.
10. Accept the default of Create a new security policy, and then click Next.
11. In the Server box, accept the default of SYD-DC1, and then click Next.
12. Click View Configuration Database. In the Internet Explorer dialog box, click
Yes. This lists the server roles that are part of the SCW security configuration
database and which ones are enabled on this server.
13. Expand Server Roles, scroll down and then click Exchange 2007 Client Access
Services. You can see that SCW has detected that this server is a Client Access
server because the role is listed as installed.
14. Click Exchange 2007 Mailbox Cluster. You can see that SCW has detected that this
server is not a Mailbox Cluster server because the role is listed as not installed. SCW
uses the list of installed and not installed roles when it secures the computer.
15. Close the SCW Viewer window, and then click Next.
16. Click Next to begin role-based service configuration. This section of the wizard
configures services.
17. Review the list of installed roles. For each role that is not selected on this list, SCW
will disable ports and services for that role. Roles that are selected will be unaffected
by SCW. Notice that Exchange 2007 Mailbox and Exchange 2007 Hub Transport are
not listed here.
18. Click Next.
19. Review the list of installed features, and then click Next.
20. Review the list of installed options, and then click Next.
21. Review the list of additional services, and then click Next.

2
22. If necessary, click Do not change the startup mode of the service, and then click
Next. This configures SCW to leave unknown services with their startup status
unchanged.
23. Review the list of changed services, and then click Next.
24. Click Next to begin configuring network security. This portion of the wizard
configures the Windows Firewall service.
25. Review the list of open ports and approved applications, and then click Next. This
list contains TCP and UDP ports that SCW has detected are in use by applications.
26. Click Next to begin securing registry settings.
27. Review the configuration options for server message block (SMB) security, and then
click Next. This can be used for Windows Server 2008, Windows Server 2003 and
Windows 2000 Server without any additional service packs.
28. Select Windows 2000 Service Pack 3 or later to enable LDAP signing, and then
click Next.
29. In the list of authentication methods, confirm that only Domain Accounts is selected,
and then click Next.
30. Select the Clocks that are synchronized with the selected server’s clock check
box, and then click Next.
31. Clear Computers that require LAN Manager authentication. This option is only
required when using Windows 98 or Windows 95 clients.
32. Clear Computers that have not been configured to use NTLMv2 authentication.
Windows 2000 and Windows XP are able to use HTMLv2 authentication by default.
33. Clear Computers using RAS or VPN to connect to RAS server that are not
running Windows Server 2003 Service Pack 1 or later. This network is not using
Remote Access Service (RAS) or virtual private network (VPN) servers.
34. Click Next.
35. Review the registry changes, and then click Next.
36. Select the Skip this section check box and then click Next. This allows you to not
set auditing information when it is not required.
37. Click Next to begin saving the security policy.
38. In the Security policy file name box, type C:\Windows\security\msscw\
Policies\ExchangeDC.xml, and then click Next.
39. Click Apply now, and then click Next. The Apply later option can be used when
you are creating a policy that you want to convert to a Group Policy object. Applying
policies by using a Group Policy object is a fast and efficient way to configure
multiple servers with the same requirements for security. When applying policies by

3
 using a Group Policy object, you must be sure that the servers affected by the policy
are performing the same server roles. If the servers are not performing the same
server roles, required services may be disabled on some servers, or required ports
may be blocked. You can also apply existing policies to a server at the command line
by using the scwcmd utility.
40. Click Next, and then click Finish.
41. To prepare for the next demonstration, shut down all virtual machines without saving
changes. You can then restart SYD-DC1, SYD-EX2, and SYD-CL1.

Demonstration: How to Configure the Out-of-Office Features

Preparation
Ensure that the 5047B-SYD-DC1, 5047B-SYD-EX2, and 5047B-SYD-CL1 virtual
machines are running. Log on to the SYD-DC1 as Administrator with the password of
Pa$$w0rd.
 Demonstration Steps: Configuring Out-of-Office Features as an
Administrator
1. On SYD-DC1, click Start, point to All Programs, click Microsoft Exchange
Server 2007, and then click Exchange Management Console.
2. In the console tree, expand Organization Configuration, and then click Hub
Transport.
3. Click the Remote Domains tab, right-click Default, and then click Properties.
4. Read the options available to configure Out-of-Office messages that are sent to the
domain. In Exchange Server 2007, you can configure Out-of-Office message delivery
for each remote domain you have configured. The Default remote domain applies to
all domains that are not explicitly defined. The options are:
 Allow none. No external or internal Out-of-Office messages will be delivered to
this domain.
 Allow external out-of-office messages only. Only external Out-of-Office
messages will be delivered to this domain. This is the default configuration for
new remote domains. When this option is selected, the Out-of-Office messages
are not delivered to remote domains when configured by an Outlook 2003 or
clients running previous versions of Outlook. In addition, Out-of-Office
messages are not delivered for mailboxes on computers running Exchange Server
2003 or earlier versions. Clients running Outlook 2007 or earlier versions of
Outlook, and Exchange versions previous to Exchange Server 2007 cannot
specify internal and external Out-of-Office messages.

4
  Allow external out-of-office messages and out-of-office messages sent by
Outlook 2003 or earlier clients, or sent by Exchange Server 2003 or earlier
servers. All external Out-of-Office messages will be delivered to this domain. In
addition, for Outlook 2003 clients and mailboxes stored on computers running
Exchange Server 2003 that cannot specify internal and external Out-of-Office
messages, the Out-of-Office messages are delivered to this domain.
 Allow internal out-of-office messages and out-of-office messages sent by
Outlook 2003 or earlier clients, or sent by Exchange Server 2003 or earlier
servers. All internal and external Out-of-Office messages will be delivered to this
domain. In addition, for Outlook 2003 clients and mailboxes stored on computers
running Exchange Server 2003 that cannot specify internal and external Out-of-
Office messages, the Out-of-Office messages are delivered to this domain.
5. Click Cancel, and then close the Exchange Management Console.
6. Click Start, point to All Programs, click Microsoft Exchange Server 2007, and
then click Exchange Management Shell. You can also configure remote domains
and Out-of-Office message options by using the Exchange Management Shell.
7. Type new-remotedomain –Name Contoso –domainname ‘Contoso.com’, and then
press ENTER. This command creates a new remote domain for Contoso.com.
8. Type set-remotedomain Contoso –allowedOOFType internalLegacy, and then
press ENTER. This command allows all internal, external, Outlook 2003 and earlier
version, and Exchange Server 2003 and earlier version Out-of-Office messages to be
delivered to this domain. The options for the –allowedOOFType option in the
Exchange Management Shell are:
 None. This is equivalent to Allow none in the Exchange Management Console.
 External. This is equivalent to Allow external Out-of-Office messages only in
the Exchange Management Console.
 ExternalLegacy. This is equivalent to Allow external Out-of-Office messages
and Out-of-Office messages set by Outlook 2003 or earlier clients and set on
Exchange 2003 or earlier servers in the Exchange Management Console.
 InternalLegacy. This is equivalent to Allow internal Out-of-Office messages
and Out-of-Office messages set by Outlook 2003 or earlier clients and set on
Exchange 2003 or earlier servers in the Exchange Management Console.
9. Type set-mailbox Arlene –externalOOFOptions external, and then press
ENTER. This command, which does not change the default setting, allows Arlene to
configure Out-of-Office messages delivered outside the company. You can configure
Out-of-Office options for each mailbox and domain. This option limits what the users
can configure, but does not override the Out-of-Office options configured for specific
domains. The options for the –externalOOFOptions option in the Exchange
Management Shell are:

5
  External. This option allows users to configure external Out-of-Office messages.
 InternalOnly. This option limits users to only internal Out-of-Office messages.
10. Close the Exchange Management Shell.

 Demonstration Steps: Configuring Out-of-Office Features as a User

1. On SYD-DC1, click Start, All Programs, and then click Internet Explorer.
2. In the Address bar, type https://syd-ex2/owa, and then press ENTER.
3. Click Continue to the website (not recommended).
4. Log on as Adatum\Arlene with a password of Pa$$w0rd.
5. Click OK to accept the default time zone and language.
6. In the upper-right corner, click Options.
7. In the Options pane, click Out-of-Office Assistant.
8. Click Send Out-of-Office auto-replies. This enables Out-of-Office replies starting
now.
9. Select the Send Out-of-Office auto-replies only during this time period option,
and configure a start time of this week Friday at 4:00 P.M. and ending Monday at
8:00 A.M. This option allows you to schedule Out-of-Office auto-replies to begin and
end at a specific time, such as at the beginning and ending of a vacation. This avoids
users having to remember to configure Out-of-Office auto-replies as they are leaving
for a vacation. It also avoids the need for users to remember to turn off Out-of-Office
auto-replies when they return.
10. In the Send an auto-reply once to each sender inside my organization with the
following message box, type I’m away on vacation for 3 days and will not be
checking messages. This message is sent only to internal users and is only sent once
to each user.
11. Ensure that the Send Out-of-Office auto-replies to External Senders check box is
selected. This option enables external Out-of-Office auto-replies for this user.
External Out-of-Office messages can be controlled by selecting one of the following
options:
 Send Out-of-Office auto-replies only to senders in my Contacts list. This limits
the Out-of-Office auto-replies to only external senders with whom you are
familiar.
 Send Out-of-Office auto-replies to anyone outside my organization. This allows
Out-of-Office auto-replies to be delivered to all external senders. Exceptions are
messages marked as junk mail or marked with the precedence of bulk.

6
 12. In the Send an auto-reply once to each sender outside of my organization with
the following message box, type I will not be in the office for 3 days and will not
be checking messages. Please contact John in my absence.
13. Click Save and close Internet Explorer.

Demonstration: How to Manage Outlook Web Access

Preparation
Ensure that the 5047B-SYD-DC1, 5047B-SYD-EX2, and 5047B-SYD-CL1 virtual
machines are running. Log on to the SYD-DC1 and SYD-EX2 as Administrator with
the password of Pa$$w0rd.
 Demonstration Steps
1. On SYD-EX2, click Start, point to All Programs, click Microsoft Exchange
Server 2007, and then click Exchange Management Console.
2. In the console tree, expand Server Configuration, and then click Client Access.
3. In the work pane, select SYD-EX2, and in the result pane, right-click owa (Default
Web Site), and then click Properties.
4. On the General tab, in the External URL box, type
https://syd-ex2.adatum.com/owa.
5. Click the Authentication tab, and verify that Use forms-based authentication is
selected.
6. Under Logon Format, click User name only, and then click Browse.
7. Click Adatum.com, and then click OK.
8. Click the Segmentation tab, click All Address Lists, and then click Disable. The
Segmentation tab allows you to enable and disable features for Outlook Web Access
users.
9. Select each option in the list of segmentation options and read the description.
10. Click OK, read the Microsoft Exchange Warning dialog box, and then click OK.
11. Close the Exchange Management Console.
12. Click Start, point to All Programs, click Microsoft Exchange Server 2007, and
then click Exchange Management Shell.
13. Type IISReset /noforce, and then press ENTER. This allows the logon and
segmentation changes to take effect.
14. Click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.

7
15. Expand SYD-EX2 (ADATUM\Administrator), expand Sites, expand Default Web
Site, and then click owa.
16. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is
required by default.
17. Close Internet Information Services (IIS) Manager.
18. In the Exchange Management Shell, type set-owavirtualdirectory ‘owa (Default
Web Site)’ –ForceSaveFileTypes .xls, and then press ENTER. This command
forces attachments with a .xls extension to be saved to disk before they can be
opened. Any existing ForceSaveFileTypes are overwritten. The attachment control
settings for file types and MIME types can be configured by using the Set-
OwaVirtualDirectory cmdlet. File attachment control settings include:
 ActionForUnknownFileAndMIMETypes. Specifies how to handle files that are
not included in other file access management lists. Files can be allowed, blocked,
or force saved.
 AllowedFileTypes. Specifies the file extensions of attachments that the user is
allowed to save locally and view from a Web browser.
 AllowedMIMETypes. Specifies the MIME types of attachments that users can
save locally and view from a Web browser.
 BlockedFileTypes. Specifies the file extensions of attachments that are blocked.
 BlockedMIMETypes. Specifies the MIME types of attachments that are blocked.
 ForceSaveFileTypes. Specifies the file extensions of attachments that the user is
forced to save locally rather than view from a Web browser.
 ForceSaveMIMETypes. Specifies the MIME types of attachments that the user is
forced to save locally rather than view from a Web browser.

Note: In cases where there is a conflict between file access management settings,
the following precedence applies. Allow overrides Block and Force Save. Block
overrides Force Save. For example, if .doc files are configured as a blocked file
type and an allowed file type, .doc files will be allowed.

19. Type set-owavirtualdirectory ‘owa (Default Web Site)’ –GzipLevel Off, and then
press ENTER. This command disables Gzip compression for Outlook Web Access.
Gzip compression improves performance over slow network connections by
compressing content. Implementing Gzip compression may slow server performance
due to increased CPU utilization. Additional valid values for the GzipLevel options
are High and Low. The default value is Low.
20. Type IISReset /noforce, and then press ENTER.
21. Close the Exchange Management Shell.

8
 22. On SYD-DC1, open Internet Explorer.
23. In the Address bar, type http://syd-ex2.adatum.com/owa, and then press ENTER.
You receive an error message that you do not have access to the page.
24. In the Address bar, type https://syd-ex2.adatum.com/owa, and then press ENTER.
25. Click Continue to the website (not recommended).
26. Notice that a new option for Outlook Web Access Light is available. Outlook Web
Access Light has fewer features that standard Outlook Web Access, but works with
almost all browsers, even mobile devices with limited screen size.
27. Close Internet Explorer.

Demonstration: Windows SharePoint Services and Windows Files

Shares Integration Configuration Options
 Demonstration Steps
1. On SYD-EX2, click Start, point to All Programs, click Microsoft Exchange
Server 2007, and then click Exchange Management Console.
2. In the console tree, expand Server Configuration, and then select Client Access.
3. In the result pane, click SYD-EX2, and in the work pane, right-click owa (Default
Web Site), and then click Properties.
4. Click the Public Computer File Access tab. These settings are used for file access
from public computers. Direct file access allows users to open files on Windows file
shares and Windows SharePoint Services document libraries. You can enable and
disable access to each location type.
5. Under Direct file access, click Customize. The Customize button provides access to
a dialog box to configure which file types are allowed, blocked, and force saved. In
addition, you can specify how unknown file types are handled. These settings apply
to direct file access for public and private computers and Outlook Web Access
attachments.
6. Click Cancel.
7. Under WebReady Document Viewing, click Supported. WebReady Document
Viewing renders supported document types as HTML rather than opening the
original file for the client. You can force clients to open a document with WebReady
Document Viewing before allowing clients to open the file directly. The Supported
button allows you to configure which document types can be viewed with WebReady
Document Viewing. The configuration options apply to public computer file access
and private computer file access.
8. Click Cancel.

9
9. Click the Private Computer File Access tab. This tab provides the same
configuration options as the Public Computer File Access tab. However, these
settings apply to accessing files from a private computer.
10. Click the Remote File Servers tab. On this tab, you can configure:
 Block List. Specify file servers (by host name) that Outlook Web Access clients
are unable to access.
 Allow List. Specify file servers (by host name) that Outlook Web Access clients
are able to access.
 Unknown servers. Specify whether to block or allow unknown file servers.
 Internal domain suffixes. Specify which domain suffixes will be treated as
internal servers. Only internal file and Windows SharePoint Services servers can
be accessed.
11. Click Allow, type SYD-DC1, click Add, and then click OK.
12. Click Configure, type Adatum.com, click Add, and then click OK.
13. Click OK.
14. Close the Exchange Management Console.
15. On SYD-DC1, open Internet Explorer.
16. In the Address bar, type https://syd-ex2.adatum.com/owa, and then press ENTER.
Click Continue to the website (not recommended).
17. Log on as Arlene with a password Pa$$w0rd.
18. Click New to create a new message.
19. In the To box, type Gregory.
20. In the Subject box, type Expense Report.
21. Click the Attach File icon, type \\SYD-DC1\CorpData\ExpenseReport.doc, and
then click Attach.
22. Click Send, and then close Internet Explorer.
23. Open Internet Explorer, connect to https://syd-ex2.adatum.com/owa. Click
Continue to this web site (not recommended).
24. Log on as Gregory with a password Pa$$w0rd. Click OK at the Language and Time
Zone page.
25. Click the Expense Report message, and in the reading pane, beside Attachments,
click Open as Web Page. This uses WebReady Document Viewing to render the
Word document as HTML.
26. Close the Expense Report window.

10
 27. In the reading pane, beside Attachments, click ExpenseReport.doc. This allows you
to open the file in Word or save the file.
28. Click Cancel. Because Microsoft Office Word is not installed on the computer, you
will not be able to open the document. The file is opened in a way you can edit.
29. Close all open windows.

Demonstration: How to Implement Exchange ActiveSync

 Demonstration Steps
1. On SYD-EX2, click Start, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
2. Expand SYD-EX2 (ADATUM\Administrator), expand Sites, expand Default Web
Site, and click Microsoft-Server-ActiveSync.
3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is
required by default.
4. Close Internet Information Services (IIS) Manager.
5. Click Start, point to All Programs, click Microsoft Exchange Server 2007, and
then click Exchange Management Console.
6. In the console tree, expand Server Configuration, and then click Client Access.
7. In the result pane, click SYD-EX2, and in the work pane, click the Exchange
ActiveSync tab. Notice that SSL is enabled.
8. Right-click Microsoft-Server-ActiveSync, and then click Properties.
9. In the External url box, type https://SYD-EX2.adatum.com/Microsoft-Server-
ActiveSync.
10. Click the Authentication tab. Notice that Basic authentication is enabled. This is
acceptable because SSL is being used to secure the credentials in transit.
11. Click the Remote File Servers tab. The options on this tab are the same as the
Remote File Servers settings for accessing attachments by using Outlook Web
Access and are used for synchronizing file attachments. However, these settings are
independent of those for accessing attachments by using Outlook Web Access. Click
OK.
12. In the console tree, expand Organization Configuration, and then click Client
Access.
13. In the action pane, click New Exchange ActiveSync Mailbox Policy.
14. In the Mailbox policy name box, type EAS Policy 1.

11
15. Select the Allow non-provisionable devices option. This allows devices that cannot
be configured automatically.
16. Confirm that the Allow attachments to be downloaded to device option is selected.
This option is required for mobile devices to synchronize attachments and store them
locally on the device.
17. Select the Require password box. This forces all accounts that synchronize to have a
password. Any mailboxes without a password cannot be synchronized to a mobile
device when this option is enabled. There also are additional password requirements
you can enable:
 Require alphanumeric password. Requires a password to contain numeric
characters.
 Enable password recovery. Enables the device password to be recovered from the
server.
 Require encryption on device. Enables encryption on the device.
 Allow simple password. Allows simple passwords such as 1234.
 Minimum password length. Specifies a minimum password length.
 Time without user input before password must be re-entered (in minutes).
Specifies the length of time a device can go without user input before it locks.
 Password expiration. Specifies how frequently the device password will need to
be changed.
 Enforce password history. Specifies the number of past passwords stored in
Active Directory that cannot be reused.
18. Click New to create the mobile mailbox policy.
19. Read the completion summary and then click Finish. Notice the Exchange
Management Shell command that was used to create the new mobile mailbox policy.
20. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has
additional options:
 Windows File Shares. Allows direct file access to Windows file shares during
synchronization.
 Windows SharePoint Services. Allows direct file access to Windows SharePoint
Services document libraries.
21. Click the Password tab. Notice that there is an additional password option list here
that was not available when creating the mobile mailbox policy: Number of failed
attempts allowed. After the specified number of failed attempts, the device is wiped
of all data.
22. On the Sync Settings tab, review the configuration options.

12
23. On the Device tab, review the configuration options. Most of these settings were
added in Exchange Server 2007 SP1.
24. On the Advanced tab, review the configuration options. To implement these settings,
you must have an Enterprise Client Access License for each mailbox.
25. Click OK.
26. In the console tree, expand Recipient Configuration, and then click Mailbox.
27. In the result pane, right-click Arlene Huff, and then click Properties.
28. Click the Mailbox Features tab, click Exchange ActiveSync, and then click
Properties.
29. Select Apply an Exchange ActiveSync mailbox policy, and then click Browse.
30. Select EAS Policy 1, and then click OK.
31. Click OK twice to save and apply the changes.
32. Close the Exchange Management Console.

13