234 - Some Major Features of Exchange 2007 Sp1 Owa

Uploaded by

sethii_ankush

This Bulletin goes over some of the major features of Exchange 2007 SP1 OWA. The majority of
this material has already been published publicly here and here, and the rest is easily visible
once Exchange 2007 SP1 is installed. Please note that, for brevity's sake, not all features
might be listed here. Sorry for the large size of this Bulletin - it's eye-candy time!

SOME MAJOR FEATURES OF EXCHANGE 2007 SP1 OWA


This Bulletin is a compilation - please see Credits

This is broken down as follows:

1. Secure Messaging with S/MIME and OWA
2. Managing your Active Sync Device from OWA
3. Public folder access from OWA
4. Rules
5. Calendar monthly view
6. Additional reading
7. Credits
8. Tech Bulletin archive and subscription info

Here it is:

1. Secure Messaging with S/MIME and OWA

S/MIME support for Exchange Outlook Web Access (OWA) was introduced in Exchange
2003. In Exchange 2007 SP1, we are adding S/MIME support back and making it more
reliable and powerful. Below is a short introduction to S/MIME and simple end-to-end steps
for how to use S/MIME with OWA on Exchange Server 2007 SP1.

Introduction

The S/MIME feature in OWA is about secure messaging - enabling OWA to send and receive
signed and encrypted email. Signed messages allow the recipient to verify that the
message came from the person that the message claims to be from. Encrypted messages
allow the sender to ensure that only the intended recipients can read messages that are
sent to them. While it’s true that the message is unreadable to anyone who might intercept
it while in transit, it is also true that even the Exchange administrator cannot read these
messages.

Install the S/MIME control

You need to install the S/MIME control to use S/MIME in OWA. Here’s how you do it:

1) Launch IE and log in to OWA.

2) In the main window, navigate to the Options page (top of the page on the right).

3) Click "E-Mail Security" and click "Download the Outlook Web Access 2007 S/MIME
control".

4) Follow the installation steps. After installation is complete, the "E-Mail Security" page
should look like this:

Get a certificate

You need to get an email certificate to send and receive signed/encrypted messages. Note:
if you sign a message without encrypting it, the message will be viewable by someone who
intercepts it in transit.

To get a certificate, you can either:

1. Get a certificate from the certificate authority service in your organization. Contact
your IT department for that.
2. Get a certificate from a public certificate authority service.

There are several public services issuing email certificates (e.g. Comodo, VeriSign).

Once you have requested an email certificate from a certificate authority (e.g. Comodo),
you will receive an email informing you how to get, and install, the certificate on your local
machine.

If certificate enrollment completes successfully, your certificate, with its private key, will be
installed on your computer (or on your smart card, depending on the template you select).

Working with signed or encrypted messages in Exchange 2007 SP1 OWA

After installing the S/MIME control and getting an email certificate, you will be able to read,
send, encrypt and sign messages in OWA.

Reading and verifying a signed message

Open a signed message. In the message window, you can verify the signature by reading
the "Signed By" information. This link tells you if the signature is valid, or not, and who
signed the message.

On the "Signed by" line:

- The icon is shown if the signature is valid. The icon is followed by the email
address of the signer.
- The icon is shown if the signature is invalid.
- The icon is shown if the signature is valid but the certificate that was used to sign the
message has expired.

In a sample message:
Clicking the "more information" link will display a dialog with certificate information.

If the signature is valid, the dialog will show you additional details about the signature such
as who sent the mail, who the signer is identified as and who the certificate authority that
issued the certificate was.

If the signature is invalid, the dialog will show you why the signature is invalid.

Reading an encrypted message

- Insert your smart card if your email certificate is stored on your smart card.
- Open the encrypted message.
- You may be prompted with a dialog to enter the PIN of the smart card if your email
certificate is on the smart card. If so, enter the PIN and click "ok".
- The encrypted message will be shown in the message window.

Sending a signed message

- Insert your smart card if the email certificate is stored on your smart card.
- Compose a new message.
- Click the "signed" button on the message window toolbar.
- Send the message. You may be prompted with a dialog to enter the PIN of your
smart card if your email certificate is on your smart card. If so, enter the PIN and
click "ok".

Sending an encrypted message

- Insert your smart card if the email certificate is stored on your smart card.
- Compose a new message.
- Click the "encrypted" button on the message window toolbar.
- Send the message. You may be prompted with a dialog to enter the PIN of your
smart card if your email certificate is on your smart card. If so, enter the PIN and
click "ok".

2. Managing your Active Sync Device from OWA

In Exchange 2007, Outlook Web Access (OWA) offers a portal for users to manage their
Exchange Active Sync (EAS) devices.

How to access that information?

1. Log on to OWA
2. Click "Options"
3. Click "Mobile Device"

Here is what the page looks like:

Note: If ActiveSync is not enabled for the Exchange user, the "Mobile Device" tab won't be
shown. You can run the following PowerShell command to check the status. Here is the result
from a test server, for example:

[PS] D:\Documents and Settings\Administrator>Get-CASMailbox -Identity:test |fl ActiveSyncEnabled

ActiveSyncEnabled : True

What can the page do for you?

Note: The following includes the Exchange 2007 and Service Pack 1 (SP1) features:

1) Device status

As shown in the snapshot, the page will list all the Active Sync devices that the Exchange
user has ever synced. Each device will be identified with its Type, Last-Sync-Time, and
Status, which contains detailed device information, such as First-Sync-Time, User-Agent,
etc.

Note: Exchange provides the protocol support to let the device send device-related
data (e.g. Friendly Name, OS, Phone number, etc.) up to the server. But not all devices
implement that part of the protocol. Therefore, it's possible that you won't see all the data
shown in the screenshot.

On the server side, the Exchange administrator can use the following PowerShell command
to get the same data.

[PS] D:\Documents and Settings\Administrator>Get-ActiveSyncDeviceStatistics -mailbox:test

FirstSyncTime : 5/11/2007 10:07:47 PM
LastPolicyUpdateTime :
LastSyncAttemptTime : 5/11/2007 10:07:56 PM
LastSuccessSync : 5/11/2007 10:07:56 PM
DeviceType : PocketPC
DeviceID : v120Device
DeviceUserAgent : NSync
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat :
RecoveryPassword : ********
DeviceModel :
DeviceIMEI :
DeviceFriendlyName :
DeviceOS :
DeviceOSLanguage :
DevicePhoneNumber :
Identity : test@contoso.com\AirSync-PocketPC-v120Device

2) Remote Wipe

This is a very handy feature that was only available to Exchange administrators in Exchange
2003. Now an EAS user can wipe his/her device, primarily in case of device loss. Once the
link is clicked and confirmed, the wipe command will be issued to the server and the link will
change to "Cancel Wipe Request". (SP1 feature)

As you can infer, there is still a chance for the EAS user to cancel a wipe request if he/she
initiated it by accident or subsequently found the device. But the grace period is short -
once the device initiates a sync to the server and picks up the wipe command, it will be too
late to undo the request.

Right before the device clears its data, it will send a last notice to the server. The server
will then send the device owner a "Remote Device Wipe Confirmation" email, telling you the
device is cleared. (SP1 feature)

Note: After the remote wipe, if you are lucky enough to find your lost device and want to
re-sync it, you must remove it from the OWA device list (refer to the "Remove mobile device
partnership" section for more info). Otherwise, it will keep on re-wiping itself. This is a
security feature by design.

The following shows how to wipe and cancel a wipe with the corresponding PowerShell commands:

[PS] D:\Documents and Settings\Administrator>Clear-ActiveSyncDevice -Identity:test@contoso.com\AirSync-PocketPC-v120Device

Confirm
Are you sure you want to perform this action?
Clearing Mobile Device
"test@contoso.com\AirSync-PocketPC-v120Device". All the data on the device will be
permanently deleted.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
[PS] D:\Documents and Settings\Administrator>Clear-ActiveSyncDevice -Identity:test@blah-dom.blah.com\AirSync-PocketPC-v120Device -Cancel:$true

3) Remove mobile device partnership

This is the first link above the device table. It cleans up the sync state data of the
selected device on the server. It's useful in several situations:

a. Clean up data: if you switch to a new device, the legacy data of the old device will still
hang around, occupying your mailbox space. You can find the device and clean it out.

b. Terminate remote wipe: as noted above, if you want to re-sync your device after a remote
wipe, you have to come here to remove it first.

c. Start from scratch: theoretically this shouldn't happen, but it might in real life - if
you feel your device is not working properly and want to start a fresh sync from scratch,
you can remove the device partnership from the server (i.e. here) and from the device, then
start fresh.

The corresponding PowerShell command for the admin is as follows:

[PS] D:\Documents and Settings\Administrator>Remove-ActiveSyncDevice -Identity:test@contoso.com\AirSync-PocketPC-v120Device

Confirm
Are you sure you want to perform this action?
Removing mobile device
"test@contoso.com\AirSync-PocketPC-v120Device". All data about the device will be
removed. The device must be re-synchronized.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
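
The wipe states described under "Remote Wipe" and "Remove mobile device partnership" can be read off the three DeviceWipe* timestamps in the Get-ActiveSyncDeviceStatistics output. The following is an added example, not part of the original bulletin: Get-WipeState, Get-DeviceReport and New-SampleDevice are hypothetical helper names, the meaning assigned to the three timestamps is an assumption based on their names, and the sample records are constructed.

```powershell
# Added example, not from the bulletin. Helper names are hypothetical; property
# names are those shown in the Get-ActiveSyncDeviceStatistics output.
# Assumption: DeviceWipeRequestTime = wipe requested, DeviceWipeSentTime = device
# picked up the command, DeviceWipeAckTime = device confirmed the wipe.
function Get-WipeState {
    param($Device)
    if ($Device.DeviceWipeAckTime)     { return 'Wiped' }        # re-wipes on sync until the partnership is removed
    if ($Device.DeviceWipeSentTime)    { return 'WipeSent' }     # too late for -Cancel:$true
    if ($Device.DeviceWipeRequestTime) { return 'WipePending' }  # can still be cancelled
    return 'NoWipe'
}

function Get-DeviceReport {
    param(
        [Parameter(ValueFromPipeline = $true)] $Device,
        [int] $StaleDays = 30
    )
    process {
        $last = $Device.LastSuccessSync
        New-Object PSObject -Property @{
            Identity  = $Device.Identity
            WipeState = Get-WipeState $Device
            # Never synced, or no successful sync inside the window
            Stale     = (-not $last) -or ($last -lt (Get-Date).AddDays(-$StaleDays))
        }
    }
}

# Constructed sample records; only the first identity appears in the bulletin.
function New-SampleDevice($Id, $LastSync, $Req, $Sent, $Ack) {
    New-Object PSObject -Property @{
        Identity = $Id; LastSuccessSync = $LastSync
        DeviceWipeRequestTime = $Req; DeviceWipeSentTime = $Sent; DeviceWipeAckTime = $Ack
    }
}
$now = Get-Date
$sample = @(
    New-SampleDevice 'test@contoso.com\AirSync-PocketPC-v120Device' ($now.AddDays(-1)) $null $null $null
    New-SampleDevice 'user2@example.test\AirSync-PocketPC-sampleB' ($now.AddDays(-3)) ($now.AddHours(-2)) $null $null
    New-SampleDevice 'user3@example.test\AirSync-PocketPC-sampleC' ($now.AddDays(-5)) ($now.AddDays(-4)) ($now.AddDays(-4)) ($now.AddDays(-4))
    New-SampleDevice 'user4@example.test\AirSync-PocketPC-sampleD' ($now.AddDays(-90)) $null $null $null
)

# Live use in the Exchange Management Shell:
#   Get-ActiveSyncDeviceStatistics -Mailbox:test | Get-DeviceReport
$sample | Get-DeviceReport | Select-Object Identity, WipeState, Stale
```

A device reported as Wiped is the one to remove from the partnership list before it is re-synced; a Stale device with NoWipe is a candidate for the clean-up described in item a.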

4) Pin Recovery

This is a nice feature that gives the EAS user a chance to unlock the device if he/she forgets
the device PIN. Clicking "Display Recovery Password" will show a pop-up dialog bearing
the Recovery Password. Here, I'd like to call out that the recovery password is NOT the same
as the device PIN and, for example on Windows Mobile (WM) devices, is NOT used in the same
way either. Actually its usage is sort of tricky: Menu, then Reset Password, <type in new
password>, then <type in Recovery Password>.

There is no related PowerShell command for an Exchange administrator to get this info due
to security reasons.

5) Retrieve Log

Starting with Exchange 2007, we provide lightweight server logging that tracks details of the
last 15 (configurable) requests/responses and possible errors for problem diagnosis. By
default, the logging is off. It can be turned on and tweaked easily from web.config:

<add key="MailboxLoggingEnabled" value="true"></add>
<add key="NumOfQueuedMailboxLogEntries" value="15"></add>
<add key="MaxSizeOfMailboxLog" value="8000"></add>

After the Exchange administrator turns on the logging and the device starts syncing, a "Retrieve
Log..." link will show on the OWA device page to let the device owner grab the log, which
will be dropped into the Inbox as an attachment to an Action email titled "Log retrieved
for device: XXXXXX". The log can be very useful to Microsoft support personnel in
diagnosing EAS issues.

The log can also be retrieved using the PowerShell Get-ActiveSyncDeviceStatistics command
by passing GetMailboxLog/LogPath parameters: (SP1 feature)

[PS] D:\Documents and Settings\Administrator>Get-ActiveSyncDeviceStatistics -Identity:test@contoso.com\AirSync-PocketPC-v120Device -GetMailboxLog:$true -OutputPath:"C:\"

FirstSyncTime : 5/11/2007 10:30:16 PM
LastPolicyUpdateTime :
LastSyncAttemptTime : 5/11/2007 10:30:24 PM
LastSuccessSync : 5/11/2007 10:30:25 PM
DeviceType : PocketPC
DeviceID : v120Device
DeviceUserAgent : NSync
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat :
RecoveryPassword : ********
DeviceModel :
DeviceIMEI :
DeviceFriendlyName :
DeviceOS :
DeviceOSLanguage :
DevicePhoneNumber :

Exchange ActiveSync Mailbox Log will be stored at: C:\
Exchange ActiveSync Mailbox Log successfully retrieved.

3. Public folder access from OWA

Public folder access from OWA has been a very frequent request since Exchange 2007 was released.
Well - the good news is - this is possible in Exchange 2007 SP1 OWA. To access the
functionality, click on Public Folders in the left OWA frame and you will be presented
with the public folder hierarchy:

(What? You did not know that XBOX and Zune themes are in SP1 OWA too? Read this!)

The public folder hierarchy can then be navigated as you were able to do in the past. Please
note that if you click on a public folder which has a replica on, let's say, Exchange 2003
only, OWA will tell you that it needs to open this folder in a separate window:

The Exchange 2003 OWA view will not include the public folder hierarchy itself. To navigate
the public folder hierarchy again, you will have to close the new Exchange 2003 folder view
and use the original Exchange 2007 SP1 OWA view. Here is what the Exchange 2003 only
folder (meaning - the replica of the content is on Exchange 2003 only) looks like when
opened from Exchange 2007 SP1 OWA:

4. Rules

Exchange 2007 SP1 OWA allows us to create rules through OWA. To get to that
functionality, go to Options and then Rules.

To start creating a new rule, click New Rule:

A warning will be displayed, which will help you avoid rule compatibility issues
between your Outlook and OWA clients:

Once you have clicked "Delete Disabled Rules", you will get a window that allows you to
define the conditions of the rule:

Click Save when done.

5. Calendar monthly view

When going to Exchange 2007 SP1 OWA Calendar, you will notice the new "Month" view!
Once you press it, you will be greeted by the monthly view:

(I wish my real calendar was that empty!)

6. Additional reading

At this time, not much - you will have to install SP1 B2 to see all of the above. When you do
so, the help file has a lot of good reading.

7. Credits

Thanks to James Chen for writing the blog post from which the "Managing your Active Sync
Device" section was taken. Thanks to all reviewers too!

Thanks to Chongwen Xie for writing the blog post from which the "Secure Messaging with S/MIME
and OWA" section was taken. Thanks to reviewers!

The rest was put together by Nino Bilic.

8. Tech Bulletin archive and subscription info


Nino Bilic

Microsoft Exchange Server - Supportability


ninob@microsoft.com, 469-775-7265, 11:00AM - 8:00PM CST

Manager:
Jason Stine, jstine@microsoft.com, (425) 7039360
