Version: 3.8.x.x LTS

Microsoft Exchange

Microsoft Exchange provides four types of web access:

  • Outlook Web Access (OWA) is the name of the web front end accessed by users who use a web browser. It uses the URL name spaces /owa/**, /OWA/**, and /ecp/*.
  • Active-Sync is used by mobile devices (smartphones). It uses the URL name spaces /Microsoft-Server-ActiveSync and /Microsoft-Server-ActiveSync/*.
  • Outlook Anywhere (OAW) is used when accessing the Exchange server over the Internet using Microsoft Outlook. It uses the URL name spaces /rpc/* and /Rpc/*. The request methods RPC_IN_DATA and RPC_OUT_DATA are used to access this interface. Connections to this service are long lived (many minutes).
  • Exchange Web Services (EWS) is used by Microsoft Outlook, when accessing the Exchange server over the Internet, to reach additional services such as the address book or to fetch its configuration via autodiscovery. The required name spaces are /Autodiscover/*, /EWS, /EWS/**, /OAB/**, /autodiscover/**, /ews, and /ews/*.
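
As an added example (not part of the Nevis documentation or product), the name spaces listed above can be turned into a small Python check for reviewing proxy access logs: it maps each request to one of the four access types and flags paths outside the documented name spaces or RPC methods used outside the Outlook Anywhere paths. It assumes that a trailing /* or /** means "any path below this prefix"; the function names and the sample requests are constructed for illustration.

```python
# Added example: name spaces transcribed from the list above.
# Assumption: a trailing /* or /** means "any path below this prefix".
NAMESPACES = {
    "OWA": ["/owa/**", "/OWA/**", "/ecp/*"],
    "Active-Sync": ["/Microsoft-Server-ActiveSync", "/Microsoft-Server-ActiveSync/*"],
    "OAW": ["/rpc/*", "/Rpc/*"],
    "EWS": ["/Autodiscover/*", "/EWS", "/EWS/**", "/OAB/**",
            "/autodiscover/**", "/ews", "/ews/*"],
}
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

def matches(pattern, path):
    """Exact match, or prefix match when the pattern ends in /* or /**."""
    base = pattern.rstrip("*")
    if base == pattern:
        return path == pattern
    return path.startswith(base)

def classify(path):
    """Return the Exchange access type for a URL path, or None."""
    path = path.split("?", 1)[0]  # the query string is not part of the name space
    for service, patterns in NAMESPACES.items():
        if any(matches(p, path) for p in patterns):
            return service
    return None

def review(method, path):
    """Return (service, finding); finding is None when the request is expected."""
    service = classify(path)
    if service is None:
        return None, "path outside the documented Exchange name spaces"
    if method in RPC_METHODS and service != "OAW":
        return service, "RPC method used outside the Outlook Anywhere name space"
    return service, None

# Constructed sample requests (method, path), not real traffic.
SAMPLE = [
    ("GET", "/owa/auth/logon.aspx?replaceCurrent=1"),
    ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync"),
    ("RPC_IN_DATA", "/rpc/rpcproxy.dll"),
    ("RPC_OUT_DATA", "/ews/exchange.asmx"),
    ("GET", "/intranet/index.html"),
]

if __name__ == "__main__":
    for method, path in SAMPLE:
        print(method, path, "->", review(method, path))
```
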

The following configuration steps are necessary to integrate these applications using nevisAdmin.

info

You may use the configuration template "MS Exchange using dynamic certificates" to configure OWA, Active-Sync, and EWS. For more information, see the chapter MS Exchange using dynamic certificates.

Special nevisProxy settings

OWA uses proprietary HTTP status codes 242 and 449 that need to be registered within the nevisProxy context attributes. You do this in the Advanced Settings panel in the view of the relevant proxy service (Infrastructure tab).

Set the additional status codes within the nevisProxy service

Application settings

Microsoft Exchange requires that the ALL-HTTP-WEBDAV pre-defined method group as well as the RPC_IN_DATA and RPC_OUT_DATA HTTP request methods be enabled. You do this in the view of the relevant application (here the "exchange_ad_dyncert" application, see the figure below). To open the application's view, navigate to the relevant application in the navigation pane of the Configuration tab.

HTTP methods

Mapping settings

OWA requires two path mappings: /owa/ for the main application and /ecp/ for administrative purposes, e.g., profile customization. Also, the /owa/ mapping requires the cookies UserContext, X-OWA-CANARY and msExchEcpCanary to be transparent, because these cookies are used to exchange state information between the browser and the application server. To configure this, go to the Cookie Manager panel in the /owa/ mapping view (Configuration tab) and set Type to "Allow" for each cookie (see the figure: Cookie settings below).

Cookie settings

OWA also uses many proprietary HTTP headers. Therefore, you need to increase the number of allowed HTTP headers by using an HTTP protocol limitation filter. In the filter's view, set the number of allowed HTTP headers in the Number of allowed HTTP request headers field of the HTTP Protocol Limitation Settings panel (see below).

Increase the number of allowed HTTP request headers

Active-Sync does not support session cookies. Instead, it performs authentication by means of HTTP basic auth. Use a dedicated identity creation filter ("IdentityCreationFilter") to support the initial login redirect. See no.1 in Figure 51. Here, Active-Sync uses the dedicated identity creation filter "EX_BasicAuthRenderer" to handle the authentication interception process.

Also, Active-Sync uses a rendering provider of the type "wwwauthenticate". If the client does not send an HTTP basic authentication header, this type of rendering provider requests the client to do so by sending a 401 response. You set the type of rendering provider in the RenderingProvider property of the servlet responsible for rendering login pages (see no.1 in the figure Login renderer servlet).

You connect the identity creation filter with the servlet used for rendering by means of the filter parameter LoginRendererServlet. See no.2 in the figure Dedicated identity creation filter. In this case, the identity creation filter "EX_BasicAuthRenderer" uses the servlet "EX_BasicAuthRendererServletServlet" for the rendering of the login pages.

Dedicated identity creation filter

Login renderer servlet

info

Using dynamic certificates is the recommended approach to integrate an MS Exchange server into a Nevis infrastructure with delegated user authentication, see the chapter: Dynamic certificates.

For dealing with timeouts of authenticated user sessions, see the chapter: Session expiration of web 2 applications.

Outlook Anywhere (OAW)

OAW uses long-lasting TCP connections, so you have to adapt the TCP idle timeout settings for incoming and outgoing TCP connections.

We also recommend enabling the parameter Poll within the mapping's custom parameters:

Custom mapping parameters for OAW using dynamic certificates