Customizing OWA in Exchange Server 2010

Outlook Web App (OWA) in Exchange Server 2010 is the new name for Outlook Web Access, which has been around for 15 years, ever since Exchange Server 5.0.Since the release of the first version of Exchange Server with OWA, companies and administrators have maintained a desire to make OWA unique, even beyondthe supported options. Company customization of OWA ranges from superficial color changes, to full branding, to radical interface changes. The ease ofactually accomplishing OWA customization varies greatly, depending on the version of Exchange Server, the available customization tools, andadministrators' skill sets. (See also, "OWA Customization in Exchange 2010" and "Bringing OWA to Your Desktop.")

OWA has come a long way from the basic Active Server Pages (ASP) application of Exchange 5.0 and 5.5. Microsoft Exchange Web Services, added in ExchangeServer 2007, makes Exchange data accessible from a variety of sources following the Web services API. Exchange Server 2010 with Exchange Web Services hasmade it easier to develop custom web applications to access Exchange Server data. Exchange 2007 included four user-initiated themes in OWA. In ExchangeServer 2010 RTM, OWA customization options weren't yet supported; the old Exchange 2007 theme content was still part of the installation, though not afunctional one. It wasn't until Exchange Server 2010 Service Pack 1 (SP1) that Microsoft brought back support for OWA customization. (Exchange Server 2010SP2, which is the current service pack as of this writing, doesn't add to the OWA customizations that we'll look at in this article.)

In this article, I'll discuss OWA segmentation, which is used to limit the components that users can access through the OWA interface, and customization ofthe OWA logon and logoff screens.

Microsoft Policy on Customizing OWA

For many of the OWA changes that we'll look at, you must replace existing files with your customized files. For themes, simple Cascading Style Sheets (CSS)changes, and logon- and logoff-screen changes, you're manipulating content at the file level. When Microsoft releases updates to Exchange Server -- whetherbug fixes, rollup packages, or service packs -- the company offers no guarantee that your changes won't be overwritten. Nor does it guarantee that codechanges in updates won't affect your customization efforts. Therefore, you should maintain a backup of any customization efforts and test Microsoft updatesto ensure that your OWA customization still works after they're applied. Microsoft outlines its support policy for OWA customization, for all versionsdating back to Exchange 5.5, in the article " Microsoft support policy for the customization of Outlook Web Access for Exchange." In addition, Irecommend that you develop and test your customizations, whether comprehensive OWA custom applications or file-level image updates to reflect a brandedlogon screen, in a lab deployment before putting your work into production.

Segmentation

Segmentation is a fully supported method of customization for OWA. With segmentation, an administrator simply controls which components of OWA are visibleto the end user. Many enterprises want their users to have access to the full range of functionality through the OWA client. However, some users mightrequire only a limited set of features to complete their daily duties. For example, I recently worked at a manufacturing plant in which the plant workersneeded access to email and contacts, but calendar, tasks, and public folder access was superfluous. Focused OWA access also helps to restrict users fromexposing or being exposed to content that might otherwise be considered off limits or confidential. Limiting access to components deemed unnecessary by useor policy is good security practice as well, reducing the risk surface area. Segmentation can also reduce bandwidth use during OWA sessions.

OWA is available by default on any Exchange 2010 server with the Client Access server role installed. No additional configuration is needed to enablesegmentation. As of Exchange 2007, segmentation has been readily managed through the Exchange Management Console (EMC). Segmentation is configured throughthe Client Access server in EMC.

In EMC, navigate to the Client Access server that hosts OWA, then right-click the OWA site and select Properties. The Segmentation tab, which Figure 1shows, lists the user-level OWA components that can be toggled on and off for users of the Client Access server. (Table 1 lists all the availablefeatures.) Select and enable or disable individual features, one at a time.

Figure 1: EMC Segmentation Tab 

Exchange Server 2010 introduces OWA mailbox policies. These policies allow administrators to apply segmentation selections to individual users or groups ofusers, rather than to everyone who connects to OWA on a specific Client Access server. Even though the feature includes "mailbox" in its name, thesepolicies are technically not applied to mailboxes but rather to the web application that's used to access mailbox data. When the Client Access server roleis installed, a default OWA mailbox policy is put in place. By default, all the listed, segmentable features are enabled in the default policy.

OWA mailbox policies are created in the EMC at the organization level, as reflected in Figure 2. Select Client Access under the Organization Configurationhub in the EMC; the OWA mailbox policies are listed in the middle pane. To add a new policy, right-click the open area in the middle pane and select New inthe context menu, or select the same option directly in the EMC Actions pane. As Figure 2 also shows, the primary function of the OWA mailbox policy is toconfigure a specific segmentation setup for a user or group, because there's nothing else to configure in the UI. Consider giving the policy a descriptivename, such as the region or department to which it will apply, or including the specific segmentation goal in the name, such as "No Journal." Figure 3shows the Outlook Web App Properties box, which allows you to apply an existing OWA mailbox policy to a mailbox or mailboxes. OWA mailbox policies can becreated or amended by using the Exchange Management Shell (EMS) or the New-OWAMailboxPolicy and Set-OWAMailboxPolicy cmdlets.

Figure 2: OWA Mailbox Policies 

Figure 3: Outlook Web App Properties 

When you use these cmdlets to create a new OWA mailbox policy or edit an existing policy, you can toggle a list of attributes on or off. These attributesapply directly to the features that are listed in Table 1. The features are enabled by default, so in general, when configuring an OWA mailbox policy inEMS, you would call the attributes you want to toggle and set them to false to disable them. See the Microsoft articles "Set-OwaMailboxPolicy" and " New-OWAMailboxPolicy" or the cmdlet Help for the list of applicable attributes for eachcmdlet.

Segmentation can also be configured by using the EMS at the server or user level. Use the Set-CASMailbox cmdlet to apply segmentation as defined in aspecific OWA mailbox policy. For example, the following code applies the OWA mailbox policy called North America Staff to the mailbox-enabled user Steve:

Set-CASMailbox -Identity Steve -OwaMailboxPolicy: 

"North America Staff"

If the OWA mailbox policy has spaces in its name, then quotation marks are required in EMS. To apply an OWA mailbox policy called Executives to all usersbelonging to the Active Directory (AD) organizational unit (OU) of the same name, use this code:

Get-CASMailbox -OrganizationalUnit Executives |Set-CASMailbox -OWAMailboxPolicy:Executives 

You can also use EMS to retrieve the list of mailbox-enabled users to which you want to apply an OWA mailbox policy, based on common existing attributes(e.g., Title, Location). To do so, use Get-User and pipe output to the Set-CASMailbox command. You can also pull from a text file through EMS, by using theGet-Content command as follows:

Get-Content "c:filesOWAPolicyList.txt" | Set-CasMailbox-OwaMailboxPolicy "North America Staff" 

OWAPolicyList.txt is a plaintext file that lists the email address for the mailboxes, using one address per line, as follows:

[email protected]@[email protected]@mojavemedia.com 

Of course, if you're administering Microsoft Office 365 for your company, you'll need to employ EMS to configure segmentation. The Exchange Control Panel(ECP) for Office 365 doesn't provide access to OWA policy administration.

Exchange 2010 SP2 brings back a previously deprecated version of web mail: OWA Mini, formerly known as Outlook Mobile Access (OMA) and last seen inExchange Server 2003. This renewed OWA Mini functions as a set of forms within OWA. As part of OWA, OWA Mini (for mobile browsers) and OWA Basic (foruntested browsers) also adhere to segmentation flags. Users who've been prevented access to basic folders, such as Calendar, can't access those foldersthrough OWA Mini (shown in Figure 4) or OWA Basic.

Figure 4: OWA Mini

Segmentation restricts and simplifies the OWA web interface for users. By default, OWA shows the primary Mail, Calendar, Contacts, and Tasks folders in thebottom left of the browser window. As a simple example, I take user Steve Bauer, who initially has no OWA mailbox policy applied and therefore has allavailable features enabled, and apply an OWA mailbox policy that disables calendar, task, and theme selection. Figures 5 and 6 show thedifferences in the interface before and after the application of this policy.

Figure 5: OWA Web Interface Before Policy Application

Figure 6: OWA Web Interface After Policy Application

Segmentation can also be applied at the server level, using the Set-VirtualDirectory cmdlet. Like the Set-OWAMailboxPolicy cmdlet, individual features canbe toggled on or off. In this case, everyone who connects to a specific server and virtual directory, such as "owa (Default Web Site)," will see the sameOWA features. If you're using some form of load balancing for OWA access across multiple Client Access servers, you need to ensure that segmentationconfiguration changes are applied to all the Client Access servers in your pool. Users might otherwise see different OWA configurations, depending on whichClient Access server they connect to through load balancing.

Finally, note that when you create a new OWA mailbox policy or make segmentation changes at the server level, and you want to immediately apply the policyor changes to users, you might need to restart the OWA site. Restarting Microsoft IIS also forces OWA to pick up these changes immediately. This is bestdone at the command line on the server, using the following command:

iisreset -noforceLogon- and Logoff-Screen Customization 

When users access the URL for OWA, the first screen is the logon screen (unless there's a certificate error, of course). In some companies, managementmight want to customize the logon or logoff screen to assert a brand or to assure users that they're in the correct place. A logon screen adorned with afamiliar corporate logo and color scheme can give users confidence that they're on the correct site. Management might also customize the logon screen toincorporate specific information or legal disclaimers. Logon and logoff screens can be customized without affecting the core OWA.

The OWA logon and logoff screens are standalone web forms that use several .gif graphic files and CSS for fonts and formatting. For users who log on to OWAfor the first time, there's an additional configuration screen, which is also affected by customization efforts because it shares the same image and CSSfiles as the logon screen. The initial logon screen is composed of nine .gif files, organized and placed according to logon.css. Other aspects of the logonscreen are also rendered according to information in that CSS file, including font type and colors used outside of the .gif image files. These same filesare incorporated into the first-time logon configuration screen and the logoff screen. If you're going to change these files, you need to update them onlyonce; the updates will be reflected in all three pages. The default, installed versions of the logon, first-time logon configuration, and logoff screensare shown in Figures 7, 8, and 9.

Figure 7: Default Logon Screen

Figure 8: Default First Time Logon Screen 

Figure 9: Default Logoff Screen 

The files that are used for the logon and logoff screens are on the Exchange server with the Client Access server role, at ProgramFilesMicrosoftExchange ServerV14ClientAccessOwaThemesResources. The variable refers to the level of Exchange Server.Exchange 2010 SP2 shows a folder labeled 14.2.247.5. Exchange 2010 SP2 Rollup 1 adds a folder 14.2.283.3. OWA uses the most recent source.

As I mentioned earlier, you should work through your customizations in a lab environment if possible. Otherwise, consider taking a backup of the originalfiles before you start making changes to OWA files. Thankfully, Microsoft has labeled the .gif files descriptively. Figure 10 shows the distribution of the.gif files in the logon screen; Table 2 lists the image filenames and their sizes (in pixels).

Figure 10: Distribution of GIF Files 

The simplest way to customize the logon screen is twofold: Replace the .gif files with ones more befitting of your corporate designs and amend logon.cssand owafont.css to complement those files. You certainly aren't limited to this superficial alteration, but it has the most impact with the least effort.The .gif file with the text "Outlook Web App," as seen in Figures 7, 8, and 9, is called lgntopl.gif (a filename standing for logon, top, left) and is theeasiest file to work with when you just want to add your logo, without changing the default OWA color scheme. For this article, I took this .gif file andadded a fictitious logo for Las Vegas Webmail, integrating the famous Las Vegas sign from the Las Vegas Strip in Nevada, as Figure 11 shows. I kept the.gif file at the set size of 456 ´ 115 pixels, so a straight file replacement on the Client Access server will return the new logo to users who log on toOWA on that Client Access server. If you use a different file size and don't make changes to the CSS file, then the formatting of the graphics will beincoherent. (The location on the page of each graphic is coded into the CSS file, based on pixel location, so if you change the sizes of the .gif files,you need to accommodate that change within the CSS file itself.) Clearly, if you want to make complete custom logon screens beyond manipulating theappearance of the existing graphics, you'll need some knowledge of CSS.

Figure 11: Customized OWA Logon Screen 

The text style in the logon screen is also governed by instructions in logon.css. CSS files are simply text files and can be edited by using a text editoror one of the many CSS editors. But these days, all web development applications also handle CSS. Microsoft Expression Web is a great tool for working withCSS files; Microsoft Visual Studio can also serve as an advanced CSS editor, although using it just for that purpose is a bit of overkill. Colors in CSSare defined by hexadecimal color codes: the hash sign (#) followed by a 6-character code. Most CSS editors have color palettes with hex numbersincorporated. Quick resources are available online as well (e.g., VisiBone). Your marketing, graphics, orweb-development people likely maintain exact print and web color codes that represent the color scheme for your corporate presence and logos.

Table 3 lists some of the colors that are identified in the logon.css file for the logon screen. For this example, I changed the font color withinlogon.css from orange to purple and changed the input field background for the username and password from light orange to light gray. I also made theborder around the input fields stand out with a more solid blue rather than a thin gray, by changing the color code and incrementing the pixel thickness ofthe border. To accomplish these changes, I changed fff3c0 to cccccc, ff6c00 to 800080, and a4a4a4 to 000080 within logon.css. (Some intelligent guessworkwas needed to determine exactly which elements in the CSS file to apply within the page.) After ensuring that I had a backup of logon.css, I saved the newfile to Program FilesMicrosoftExchange ServerV14ClientAccessOwa14.2.283.3ThemesResources on the Client Access server. I also copied my newlgntopl.gif to the same folder. Figure 12 shows the simple editing that I made to customize the OWA logon screen. Of course, you aren't limited to suchsimple customizations. With solid knowledge of CSS and graphics work, you can develop your own custom logon and logoff screens that will appearunrecognizable compared with the defaults that OWA renders.

Figure 12: Editing to Customize OWA Logon Screen 

You might need users to delete their local browser cache for the customizations to be immediately apparent. (In my on-premises lab installation, I found itunnecessary to restart the website for the changes to be served to clients.) If you use certain proxy applications or perimeter hardware, there might alsobe a delay before users receive updated content.

Applying Customizations

OWA changes aren't replicated between Client Access servers. If multiple Exchange servers with the Client Access server role installed serve OWA, you'llneed to apply any customizations to each of those servers if you want all users to see the same screens. Users will get the OWA screens that are specificto the Client Access server that they access with their browsers. This can work for you or against you. You might want different groups of users to havedifferent OWA experiences, including branded environments.

If you don't want to work at the file level in Exchange Server to make changes to the logon or logoff screens, some third-party companies that specializein branding offer this service for various customizable software solutions, including OWA 2010. Many make comprehensive changes to the OWA logon screens,to the point that the actual application is unrecognizable. An example of such a provider (with some screen shots of client solutions) is Techstur.com. If you use such a provider, you'll need to address anyissues that might arise when new service packs or updates make changes to OWA.