Overview of Exchange services publishing

Updated: February 15, 2013

Applies To: Unified Access Gateway

Microsoft Exchange Server provides a reliable messaging system, with built-in protection against spam and viruses. Using Exchange, users throughout your organization can access email, voice mail, calendars, and contacts, from a wide variety of devices and from any location.

Forefront Unified Access Gateway (UAG) provides end users with secure remote access to the following Exchange mail services:

  • Outlook Web Access—Outlook Web Access (OWA) is the Exchange mail service that allows users to access their Exchange mailbox from any Web browser. There are two versions of Outlook Web Access: Outlook Web Access Light and Outlook Web Access Premium. The light version of Outlook Web Access is optimized to support users who are blind or have low vision, and supports older web browsers; it provides a simplified user interface and a reduced feature set compared with Outlook Web Access Premium. Outlook Web Access Premium provides features that are currently not available in the light version, such as Unified Messaging and the ability to check spelling.

    Note

    In Exchange Server 2013 and Exchange Server 2010, Outlook Web Access is referred to as Outlook Web App.

    When publishing Outlook Web Access, the following authentication methods are supported:

    • NTLM/KCD authentication—You can configure Forefront UAG such that NTLM is used to authenticate the user to the Forefront UAG server, and Kerberos constrained delegation (KCD) is used to authenticate the Forefront UAG server to the Client Access server. When using NTLM/KCD authentication, the user is not prompted for a user name and password.

      This form of authentication provides the most secure configuration, and requires users to provide only one set of credentials to gain access to the Exchange Client Access server.

    • Basic authentication—You can also configure Forefront UAG such that Basic is used to authenticate the user to the Forefront UAG server, and Basic is used to authenticate the Forefront UAG server to the Client Access server. When using Basic authentication, the user is prompted for a user name and password.

  • Outlook Anywhere (RPC over HTTP)—The Outlook Anywhere feature for Exchange lets your Microsoft Office Outlook 2013, Office Outlook 2010, and Outlook 2007 clients connect to their Exchange servers over the Internet, by using the RPC over HTTP Windows networking component. When Forefront UAG publishes Outlook Anywhere, Outlook clients can connect to Exchange from outside the organization’s firewall and have full functionality without using a VPN.

    Exchange Server provides Exchange Web Services alongside the Outlook Anywhere feature. Exchange Web Services is used by clients to connect to the Exchange server to consume and set information about user availability.

    Exchange Server includes the Autodiscover service, which automatically configures user profile settings for clients running Microsoft Office Outlook 2013, Outlook 2010, or Outlook 2007, as well as supported mobile phones. Phones running Windows Mobile 6.1 or a later version are supported. If your phone isn't a Windows Mobile phone, check your mobile phone documentation to see if it's supported.

    When publishing Outlook Anywhere, the following authentication methods are supported:

    • NTLM/KCD authentication—You can configure Forefront UAG such that NTLM is used to authenticate the user to the Forefront UAG server, and Kerberos constrained delegation (KCD) is used to authenticate the Forefront UAG server to the Client Access server. When using NTLM/KCD authentication, the user is not prompted for a user name and password.

      This form of authentication provides the most secure configuration, and requires users to provide only one set of credentials to gain access to the Exchange Client Access server.

    • Basic authentication—You can also configure Forefront UAG such that Basic is used to authenticate the user to the Forefront UAG server, and Basic is used to authenticate the Forefront UAG server to the Client Access server. When using Basic authentication, the user is prompted for a user name and password.

    • Pass-through—You can configure Forefront UAG so that users authenticate directly to the Exchange Client Access server without first authenticating to Forefront UAG.

  • Exchange ActiveSync—Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their email, calendar, contacts, and tasks, and to continue to access this information while they are working offline.

    In addition, Exchange ActiveSync enables administrators to perform a remote wipe on a lost mobile phone, or to block access for a mobile phone.

    When publishing Exchange ActiveSync, the following authentication methods are supported:

    • Basic authentication—You can configure Forefront UAG such that Basic is used to authenticate the user to the Forefront UAG server, and Basic is used to authenticate the Forefront UAG server to the Client Access server. When using Basic authentication, the user is prompted for a user name and password.

    • Pass-through—You can configure Forefront UAG so that users authenticate directly to the Exchange Client Access server without first authenticating to Forefront UAG.
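The following PowerShell check is an added example, not part of the original page or of Microsoft's documentation. It audits the Active Directory delegation settings that the NTLM/KCD option described above for Outlook Web Access and Outlook Anywhere depends on. The function name `Test-UagDelegation`, the account name, and the SPNs are hypothetical, and the sample object is constructed; in a real domain the input would come from `Get-ADComputer`.

```powershell
# Added example: audit the delegation settings of the Forefront UAG computer account.
# All names below (UAG01, cas01.contoso.example, fs01.contoso.example) are hypothetical.
function Test-UagDelegation {
    param(
        [Parameter(Mandatory)] $Account,               # object shaped like Get-ADComputer output
        [Parameter(Mandatory)] [string[]] $ExpectedSpns
    )
    $findings = @()

    # Unconstrained delegation would let the account impersonate users to any service.
    if ($Account.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; only constrained delegation is needed.'
    }
    # Users reach UAG with NTLM, so UAG holds no user Kerberos ticket to forward.
    # Obtaining one on the user's behalf requires protocol transition.
    if (-not $Account.TrustedToAuthForDelegation) {
        $findings += 'Protocol transition is disabled; NTLM front end with KCD back end will fail.'
    }
    # Drop null entries so an unset attribute counts as zero targets.
    $allowed = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($allowed.Count -eq 0) {
        $findings += 'No delegation targets are configured.'
    }
    foreach ($spn in $allowed) {
        if ($ExpectedSpns -notcontains $spn) {         # comparison is case-insensitive
            $findings += "Unexpected delegation target: $spn"
        }
    }
    foreach ($spn in $ExpectedSpns) {
        if ($allowed -notcontains $spn) {
            $findings += "Expected delegation target is missing: $spn"
        }
    }
    return $findings
}

# Constructed sample: delegation is allowed to the Client Access server's HTTP SPN,
# plus a file-server SPN that UAG has no reason to reach.
$sample = [pscustomobject]@{
    Name                       = 'UAG01'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('http/cas01.contoso.example', 'cifs/fs01.contoso.example')
}
Test-UagDelegation -Account $sample -ExpectedSpns @('http/cas01.contoso.example')

# Against a real domain (requires the ActiveDirectory module):
# $acct = Get-ADComputer -Identity 'UAG01' -Properties 'msDS-AllowedToDelegateTo',
#             TrustedForDelegation, TrustedToAuthForDelegation
```

An empty result means the account delegates only to the expected Client Access server SPNs with protocol transition enabled.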

With Forefront UAG SP1, SP2, and SP3, Exchange mail services that you publish through Forefront UAG can be protected by Information Rights Management (IRM) using Active Directory Rights Management Services (AD RMS). IRM can be used to protect email messages and attachments. For more information, see Understanding Information Rights Management.