The OWA Evolution

In ancient times (say, 1996 or so), Exchange Server 5.5 introduced Outlook Web Access (OWA). Exchange 5.5 uses Microsoft's Active Server Pages (ASP) technology to implement OWA: A user logs on to an OWA server and fills out a Web form. An ASP running on the OWA server accepts the user's credentials and passes those credentials to a domain controller (DC) for authentication. After a successful logon, other ASP pages use Messaging API (MAPI) calls to retrieve email, then format messages for display in the user's browser.

This archaic OWA version was a terrific idea, but the implementation left something to be desired. Exchange 2000 Server includes a completely rebuilt OWA architecture that ties Exchange directly to Microsoft IIS so that OWA's rendering engine can take advantage of the fact that items in the Exchange store are addressable through individual URLs. This change provides a huge performance and stability boost over the earlier ASP-based OWA implementation, but it takes away something that many administrators want badly: customization. If you don't have any ASP pages, you don't have anything obvious to customize. In particular, many Exchange 5.5 sites had edited the OWA logon page to include a corporate logo, security warnings, disclaimers, and the like. Exchange 2000 doesn't have any good way to provide these elements in OWA, although many enterprising folks have found workarounds. Also, in Exchange 2000, the browser handles all authentication, requesting the user's credentials upon demand from the IIS server. This method is easy for users, particularly when you turn on integrated Windows authentication on the server, but it doesn't provide a clean method of applying timeout or expiry settings to open sessions, reducing OWA's security when used with public machines.

With Exchange Server 2003, Microsoft has hit a terrific middle ground. OWA still uses a direct interprocess communications (IPC) link to IIS, but you get a logon page that you can customize--provided that you turn on forms-based authentication, another throwback to Exchange 5.5's OWA version. To enable forms-based authentication, you must run Exchange 2003 on Windows Server 2003 or Windows 2000 Service Pack 4 (SP4) or later. To turn on forms-based authentication in Exchange 2003, open Exchange 2003's Exchange System Manager (ESM) and select the "Enable Forms Based Authentication" check box on the Settings tab of the ProtocolshttpExchange virtual server object (under your target server object). You'll need to restart the IIS Web Publishing service.

After you've turned on forms-based authentication, you can edit the logon.asp file, localized versions of which live in country-specific subfolders under the program filesexchsrvrexchwebbinauth directory. The standard US English page is in the "usa" subfolder; other supported languages include French, Korean, Polish, Russian, Spanish, and Swedish. By carefully editing this file, you can apply several customizations, including the following: - Add your corporate logo. The logon_logo.gif file in program filesexchsrvrexchwebimg is the Microsoft logo. You can replace this file with your own logo (be sure to update the height and width measurements in the logo's tag in logon.asp). - Change the appearance of the logon page according to client type. OWA understands two client types: "premium" (Microsoft Internet Explorer--IE--5.0 and later on Windows) and "basic" (everything else). You can present a different page with different text or images for each client type. - Add security disclaimers. You can even add a page that requires users to select a check box or click a button to indicate their acceptance of a security policy, then use that page to redirect them to logon.asp. If you don't want to write your own code, just add an appropriate statement to the logon.asp file.

Back up logon.asp before you make any of these changes. The file will be overwritten when you reinstall Exchange 2003; I wouldn't bet on the edited file surviving service pack installations, either. And of course (you knew this was coming), Microsoft can't support you if you break something by editing this file or any other OWA file, so be careful.

You can make plenty of other interesting customizations to OWA, and Microsoft's working on a white paper that explains them in more detail. In the meantime, Exchange 2003's OWA trial version ( http://www.microsoft.com/exchange/evaluation/ti/trial/owa.asp ) should have enough new features and settings to keep you occupied. Happy exploring!