Can OWA Replace the Outlook Client and the VPN?
IPAQ2000 writes "This past week, I attended a panel discussion sponsored by Microsoft and other major players in the space. One of the expert panel attendees, from a company called Seaside Software, claimed that large organizations should rely mainly on Outlook Web Access (OWA) for Exchange 2K access for remote users. He claimed that OWA access with SSL makes it perfect for secure access and saves the hassle of VPN client support. I can see how avoiding the VPN client and the Outlook client together on desktops around large organizations (like mine) could be a good thing (by saving money), and how moving to OWA for remote users makes sense. In fact, it looks like MS themselves are putting much more emphasis on the browser in Exchange 2003 (OWA and Outlook are almost identical) so that users can run whatever version is appropriate for their needs, according to connectivity speeds, location, etc. There was a discussion regarding mobility and remote solutions in the enterprise. I thought that this might be a good subject for a Slashdot discussion, especially as it relates to Exchange. What do you think about OWA as the main way of accessing Exchange, especially as OWA keeps getting richer with each version of Exchange?"
Not as great as it looks (Score:3, Informative)
Re:Not as great as it looks (Score:5, Informative)
* IIS must be secured against cross-site and Unicode attacks. In reality, this means URLScan and IISLockdown. URLScan often makes undeliverable messages which can be accessed via the Outlook 'fat' client. Example: the message with a subject-line 'This is the Visio...' will be acceptable to Outlook. OWA will turn this subject-line into the document name at the end of a URL. URLScan sees 'https://(fq.servername)/exchange/This is the Visio....msg', and parses the sequence of four 'dots' as a possible directory traversal. Access is denied! User sees a 404, big PITA. Expect lots of tech support calls on issues similar to this one.
* All the groovy advanced features are supported only under IE. Other browsers get a functional, if unexceptional, subset. There is no ActiveX plugin or anything - MS just uses nifty DHTML and VBScript for drag-n-drop, etc. in OWA. The server-side ASP on OWA effectively generates a different, alternate interface for non-IE clients.
Weigh your options, and see if it isn't better to publish Exchange access through an SSL-style VPN appliance like Neoteris or Aventail.
Re:Not as great as it looks (Score:2)
IMO, the OWA is doing a somewhat stupid thing here, but that should work anyway. URLScan [microsoft.com] seems seriously broken. Perhaps I'm a little stupid, but could somebody explain how the string "This is the Visio....msg" could ever be interpreted to mean "directory traversal" instead of a simple file name? And while you're on it, could you please also explain why IIS doesn't include equivalent functionality (sensible logging, file size limits etc) by default. It cannot be because of "bloat".
All the groovy advanced features are supported only under IE.
Are you really surprised that an MS product (OWA) works better with an MS product (IE) than with some competing browser? Me neither.
Re:Not as great as it looks (Score:2)
I think that Exch4/5 used a MAPI-style client-connection to get to the message store. In 2000, the M: drive is browsable -with the right perms- and full of sub-dirs named for each of the NetBIOS compatible logon names of the recipients. These appear to contain subdirs for mailbox folders, with messages as discrete filesystem objects. These are in the form [subject-line text].msg.
For message access, OWA constructs mailboxes by pointing to the .msg files as URLS - including ASCII/Unicode conversion to Hex for delimiter chars ( [subject-line%20text%2Emsg] ).
URLScan is pretty 'dumb'. It doesn't have complex rules, just a text-file config, with prohibited extensions (.exe, .com, .bat) and prohibited URL combos (%2E%2E%5C, %2E%65%78%65). I'm pretty sure that if ".." is prohibited, then the first two "dots" match the rule, URL is blocked, and a 404 is generated by IIS. You never parse farther down the URL. You will also block attachments with .exe extensions, because they are represented as URLs too. URLScan behaves just like you are trying to submit input to an .exe on the webhost, even though this is a simple GET, without a form.
The point is, this works most of the time. When it doesn't, you have a high-frustration situation for the user, with a relatively involved technical explanation. Do you want this situation when the user is a Senior Vice-President?
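A reconstruction of the URLScan-style matching described in this post, as added example code (not URLScan itself and not code from the thread); the rule set and the way OWA hex-encodes the subject line are assumptions modelled on the post's description:

```python
"""URLScan-style request filter, reconstructed from the post to show the false positive.

Constructed example, not Microsoft's URLScan: a real urlscan.ini has more sections and
rules; only the behaviour described above (deny listed extensions, deny '..' anywhere in
the path, match after percent-decoding) is modelled here.
"""
from urllib.parse import unquote

# Rules as described in the post (constructed config, not a copy of urlscan.ini).
DENY_EXTENSIONS = {".exe", ".com", ".bat"}
DENY_URL_SEQUENCES = ["..", "./", "\\"]


def owa_message_url(mailbox: str, subject: str) -> str:
    """Mimic how OWA turns a subject line into a message URL: '<subject>.msg' as the last
    path segment, with spaces and dots hex-encoded (the post's [subject-line%20text%2Emsg]).
    The /exchange/<mailbox>/Inbox/ prefix is an assumption for the example."""
    name = (subject + ".msg").replace(" ", "%20").replace(".", "%2E")
    return f"/exchange/{mailbox}/Inbox/{name}"


def segment_extension(segment: str) -> str:
    """Extension of one path segment, including a bare '.exe' (os.path.splitext would miss it)."""
    if "." not in segment:
        return ""
    return "." + segment.rsplit(".", 1)[1].lower()


def urlscan_check(path: str) -> tuple[bool, str]:
    """Return (allowed, reason). Decodes first so %2E%2E is judged the same as '..';
    a filter that matched only the raw string would let encoded sequences through."""
    decoded = unquote(path)
    for seq in DENY_URL_SEQUENCES:
        if seq in decoded:
            # This is the branch the 'This is the Visio...' subject lands in: the run of
            # dots contains '..', so the request is refused here and IIS answers 404.
            return False, f"denied: sequence {seq!r} in path"
    for segment in decoded.split("/"):
        ext = segment_extension(segment)
        if ext in DENY_EXTENSIONS:
            # Attachments are URLs too, so an .exe attachment is refused even on a plain GET.
            return False, f"denied: extension {ext!r}"
    return True, "allowed"


if __name__ == "__main__":
    samples = [
        owa_message_url("jdoe", "This is the Visio..."),        # the post's false positive
        owa_message_url("jdoe", "Quarterly figures"),           # ordinary subject, passes
        "/exchange/jdoe/Inbox/Report%2Emsg/setup.exe",          # .exe attachment, refused
        "/exchange/jdoe/%2E%2E%5Cprivate/notes.msg",            # encoded '..', caught after decoding
    ]
    for p in samples:
        print(p, "->", urlscan_check(p))
```

The first sample is the subject line from the post: the only thing wrong with it is that consecutive dots happen to contain the '..' pattern, which is why the filter cannot tell a file name from a traversal attempt.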
Re:Not as great as it looks (Score:1)
"Pretty"? "Really" would be a better word.
You will also block attachments with .exe extensions, because they are represented as URLs too.
Oh.. and attachments without an ".exe" extension but with a MIME-type that tells the system it's an executable get through? Nice system...
I'm not familiar with URLScan or IISLockdown but they sound a lot like a hacky patch to a broken architecture. I'm happy I don't need to use any of those pieces of software :-)
Re:Not as great as it looks (Score:2)
Yes, MS IE does NOT respect MIME types, and MS has no fix here! I think IIS may well respect these - but URLScan is tasked to protect the clients too.
I do not know if the architecture is "broken". Many parts are implemented poorly, or with a bias to err on the side of user simplicity - without regard to systemic consequence. I agree that the net effect of these manifests the same behavior as a fundamental architectural deficiency.
I work in InfoSec. The longer I do this, the less bias I have towards one implementation or another. You move your problem around the system - like a puzzle of sliding tiles. That said, I use *N?X systems as a matter of course, and don't have a Win box without Cygwin...
Cross Platform as well as remote users (Score:4, Insightful)
Up to this point, OWA hasn't been an acceptable substitute for me, but I would like it to be. It's lightweight (esp. compared to Outlook), cross platform and definitely better in X2K than it was in X5.5.
I wonder what MS will have as the additional features you get in 'real' Outlook as OWA gets better. I have heard they're considering a native OS X Outlook client, but I'm not holding my breath.
This would be great for cross platform users. One of the reasons people like the mac is that you can use Office on a unix workstation, but without Outlook, it's still slightly kludgy.
Re:Cross Platform as well as remote users (Score:2)
I'm just waiting for that moment to go to my boss and make him swap my current (crap) Dell laptop for a PowerBook.
Mac Office software (Score:2)
Unless each new MS-Office has some amazingly useful new features, assessors won't be asking of OpenOffice.org, `is it good enough to replace MS-Office' but `why shouldn't we replace MS-Office with this faster, portable, safer and more useful office suite'? Especially since it's both Free and free.
There are quite a few webmail apps, but since web and direct connection are quite different environments, it's not really that flash an idea to try to make them indistinguishable.
The issue is Exchange (Score:2)
Re:The issue is Exchange (Score:1)
And the Ximian connector uses OWA to gain access to the calendar/contact information from Exchange Server that is not available by IMAP...
Until we get standard protocols for calendars & contacts and Exchange supports them, we're stuck with OWA...
Well, there's KMail and Kolab... (Score:2)
Balam
KMail is being groomed as an Exchange client and married to Kolab, which is being constructed (indirectly by the German government) as a FOSS replacement for Exchange.
Web access: ugh. (Score:2)
Back to e-mail, all I want is the ability to forward my mail to an address of my choosing (at least so I can do better filtering and sorting with Procmail). If I have that (which I do), I couldn't care less what e-mail servers they run.
I want all my mail in one place (in my mail spool on my home mail server) so I can check all my mail just by hitting Tab. I don't want to have to log in to some lame web client several times a day just to read mail.
VPN not used for just Outlook though (Score:4, Insightful)
Also AFAIK OWA doesn't let you do things like set up filtering rules, personal folders, and other things that the Outlook client allows you to do.
Re:VPN not used for just Outlook though (Score:1)
CliffH
Can OWA do Mozilla? (Score:1, Interesting)
Re:Can OWA do Mozilla? (Score:2)
Re:Can OWA do Mozilla? (Score:2, Insightful)
Re:Can OWA do Mozilla? (Score:1)
UT arlington (Score:3, Informative)
i hate having to delete all my sent/received email with attachments. could they make deleting email any less intuitive?
all in all it works for me and the rest of campus of 22-23 thousand people + faculty. what was the question again?
Re:UT arlington (Score:2)
they've got exchange setup for that here, and it works great, except when exchange decides it wants to lose some of the mail (yay!)
Why OWA? (Score:2, Interesting)
But I won't and I won't burn the karma.
I guess I am just one of the luckier ones. We have several thousand users stretched all over the globe and we don't touch Outlook or Exchange. We never will.
But since there still isn't an enterprise open source offering that compares, we are Novell GroupWise, all the way. And guess what? We have never had an attachment virus, ever.
Okay, drunken troll read head... Fook Exchange!
Re:Why OWA? (Score:2)
Re:Why OWA? (Score:1)
File Sharing (Score:2)
Yeah, maybe, as far as email goes. But you'll still need VPN to access the file server, where the resources/research/collaborative documents live. Maybe you could do that through an https login, which has a familiar interface and is compatible with nearly everything that can use a web browser. But then the docs themselves wouldn't be secure, right? So forget it.
The browser matters... (Score:2)
Won't do jack for me. (Score:2)
Then store your email on the server (Score:1)
But what if it WAS on the server? What if you DID have that 3GB of archived mail on the server? Would OWA be okay for you then?
And what's keeping you from putting it on the server? Your mailadmins setting quotas? Concerned about privacy? Performance?
Re:Then store your email on the server (Score:3, Insightful)
Yes indeedy. I cringe when people proclaim their utter reliance on PST files; they're not impervious to corruption, you know.
* Put it on the server. If there are quotas and it's that important, work with the admins or your manager to devise a proper and workable resolution.
* Alternately, and again, if it's truly that important, consider a document management system or some other real mail handling system.
Either it really is that crucial, in which case you're living on a wing and a prayer with your current procedures, or it isn't that crucial, in which case you may need to re-evaluate your procedures.
Re:Won't do jack for me. (Score:2, Insightful)
Re:Won't do jack for me. (Score:2)
Re:Won't do jack for me. (Score:1)
Backing up a pst of this size is a ridiculous venture.
With OWA you keep your ridiculous amounts of c.y.a. material on the Exchange server where it is more efficiently maintained *and* accessible from OWA.
Re:Won't do jack for me. (Score:2)
Unlike others in my department, I have a minimal number of items in my Inbox and I know exactly where items are when I need to go spelunking for them.
(also, our server admins have draconian mailbox size limits, so anything else is impossible)
OWA isn't that great (Score:4, Informative)
I have used both Outlook and OWA. I did not like OWA. I found that OWA was slow. Meeting reminders did not work. Autosave was temperamental. I lost a few emails when OWA lost its connection to the server (the fault of my ISP). In short, using real Outlook was better.
There are also security risks with OWA. Unless you outfit every user's browser with an SSL cert, a user can use any web browser to read their email. Before you know it you have your users checking their corporate email from Internet cafes and other insecure places. Further, an attacker would like nothing better to do than start guessing at passwords and reading corporate email.
If you are going to manage SSL certs you might as well go whole hog and run a VPN. A VPN provides both security and an additional amount of control to system administrators.
As others have written, accessing the intranet is more than just access to email. VPNs also allow users to access file servers and company internal webservers.
VPNs work and provide your users with more than just email. OWA over SSL is a hack.
Re:OWA isn't that great (Score:2)
The lack of hardware crypto does limit the VPN in theory, but most software solutions seem to be able to saturate a 100mbit/s ethernet given enough CPU.
I will have to go and poll my colleagues and maybe set up MS VPN myself to get you a better answer than that.
Re:OWA isn't that great (Score:2)
Exactly. And that is a good thing. From a security point of view, allowing email to be read anywhere is a risk. The user has no idea how secure the web terminal is. It could have been installed by a malicious party hoping to collect credit card numbers and username/password pairs.
Re:OWA isn't that great (Score:1)
Re:OWA isn't that great (Score:2)
Great point about client certs! Users and admins seem to forget that the client computer itself may not be secure, in which case you can't trust SSL.
There are also many other features you lose without a full client application; especially the ability to have your entire mail folder on your own computer (so that you only have to retrieve new mails).
Outlook plugins a necessity. (Score:3, Interesting)
Re:Outlook plugins a necessity. (Score:2)
Why not use evolution? Buy the Exchange connector and you should be good to go.
It can synchronize with palm pilots by default and using MultiSync [sourceforge.net] works with a whole bunch of other devices.
PDA sync (Score:2)
MS can die (Score:1)
Really not there yet. (Score:2, Informative)
Re:Really not there yet. (Score:1)
So learn CDO and vbs and alter OWA. It's not that hard.
Re:Really not there yet. (Score:1)
not now but maybe later. (Score:1)
Please, No! (Score:2)
The objectives are productivity first, while maintaining security. People need to remember this first!
That said, the concept of web access for remote resources is a good idea. You just can't lose ANY of the functionality that you rely on for the normal product. Just for starters, we have spell check, signatures, reminders, and accurate rendering of attachments (no more "This file type is not yet supported" HTML files when you save an attachment!!!). If you really want to get fancy, you need to have a means for offline access too!
Until the product lets you at least do as much as Pine 1.0, give me a hole in the firewall!
this post reminded me of an exchange 2003 feature (Score:2)
if you use windows 2003 server, AND you use exchange 2003 server, AND you use outlook 11 you can connect to exchange directly w/outlook via ssl w/o a vpn. this is good enough for many people.
they've changed the exchange/outlook pair to be much more remote-friendly and less bandwidth intensive.
Re:this post reminded me of an exchange 2003 featu (Score:2)
OWA is close, but not quite. (Score:2, Informative)
* Offline Access: If your organization, like ours, has a lot of travelling users, they will not be able to catch up on email while they are, for example, catching a flight. This can be mitigated with Mobile Information Server. (ActiveSync your PDA over the 'net before you get on the plane.)
* Convenience: Checking email over the web is generally considered not as easy as checking it w/ a dedicated client. That's why many folks, like Yahoo!, no longer offer free POP3 services unless you pay up--because many people are willing to spend money for the convenience. Further, many users navigate to sites by typing in the URL in the "Start | Run" dialog box, which will cause them to inadvertently navigate out of their OWA client and thus stop new mail notification.
* Security: Since you mentioned SSL... Many firewalls, for obvious reasons, cannot inspect traffic encapsulated in an SSL tunnel. So any application-level protocol protection provided by the firewall will be rendered useless. An example of this would be the Cisco PIX 515's "fixup" commands.
* More security: Having OWA generally means that users can access your email system with non-company issued systems. You can secure your servers all day long, but a simple key logger on a non-company system can bring you to your knees. Especially since many Windows shops do unified login user/pass w/ Active Directory.
That said though, I use OWA to check work email every night on my Mac when I make it home. It works fine. When implemented properly it's a great complement to Outlook, but IMHO it's probably not suitable as a replacement for Outlook.
Similar, but different.. (Score:1)
For almost all of the "remote email" use people need, WebAccess does the job nicely. It's generally people just checking email/appointments from home or when they're at client sites - they can just type in a URL, put in username/password and be there. Even the people who use VPN also use WebAccess from time to time because it's often more convenient than getting out the laptop, hooking it up to LAN/modem/mobile and syncing.
We have a few people who work from home most of the time and are perfectly happy with WebAccess. I've not used OWA recently, but WebAccess does almost everything people would need, works properly across different browsers, it's very light so it works acceptably even on 9600bps mobile connections (there's even WAP and Palm VI versions) and handles things like spellchecking and addressbooks via Java apps. People can set up and change rules, change passwords, proxy to other people's accounts, access shared folders. If OWA is at that kind of state now then it should also be fine for most.
We also have some people who need to be running the full client and VPN. People who need to sync then work offline or who have more complicated calendars that are better managed by dragging things about than editing individual appointments.
I wouldn't drop VPN, but a decent web frontend for your groupware stuff can reduce a lot of the need for it, and those who just need a quick and easy check of their mail can do it with far less complexity.
Another alternative (Score:2)
But it isn't as powerful in some regards as full Outlook, and in my mind the best way to get full Outlook on Linux etc. is Terminal Server to a real copy. The Linux RDP client is in great shape.
Of course, there are costs associated with this, so an OWA solution is also an important part.
Not quite trolling, but... (Score:2)
You could also consolidate a bunch of Exchange servers onto one iSeries box, and cut your costs. Domino on iSeries has been shown to deal happily with up to 10,000 simultaneous mail users on one server.
Offline synchronization (Score:2, Informative)
Internet connectivity is still not ubiquitous, but as long as you've synched your laptop, you at least have your old email, and can compose new emails, queueing them up until you have a chance to synchronize again. Given that email tends to be one of the primary means of communication when working in large, geographically disperse teams, having offline access to old emails can be a lifesaver at times (say, when you're onsite with no Net access and need to make an emergency phone call, but the contact info happens to be in an email somewhere).
Other than that, OWA is usable, but not great.. In my experience, I've had formatting issues, and the occasional IE crash. Of course, Outlook crashes too, so there's not really much difference there..
- Sean
Always Improving (Score:2)
Of course, as more and more people started using it (and our call volume on it rose!) MS started to concentrate on improving the web client more. The jump from OWA in 5.5 to 2000 is terrific, and I expect that progress to keep getting better. Hell, even between 5.5 service packs OWA improved significantly.
I already have an SSL cert on the OWA server that I work on now, so I'm looking forward to the next incarnation of OWA.
URLscan, properly tweaked for use with OWA, isn't as bad as some have said, but it isn't perfect either. I consider it a necessary evil which is far better than the possible alternative of not using it at all. It might choke on an attachment here or there with an odd character in the name, but overall the negative effect is minimal.
OWA in heavy use where I work (Score:2)
The Outlook Web Client is limited compared to the full Outlook client. Those heavy email users would find it unacceptable for frequent use. It's fine for getting one's email remotely but it's not good enough for constant use.
Since the OWA runs on Microsoft IIS on the NT/2000 platform, you have GOT TO MAKE SURE that it is patched and updated very frequently. I know of smaller outfits who didn't do this and when Code Red and Nimda were rampant they were infected.
In addition to OWA we also use some Citrix abilities for Intranet and other access via a web interface but the encryption is increased for these services using the RSA SecurID fob and high encryption.
We run VPN as well for those work at home or frequent travelers (high speed hotel access). I've got a laptop hooked up right now running VPN using the RSA SecurID system for high encryption. This is preferred! I can access everything exactly as if I was in the office and it's just slightly slower than being on the WAN in a field office. It is completely acceptable. I can access client/server systems, Intranet, Host, etc. All from the comfort of my home.
Yeah VPN and RSA encryption are not cheap but neither is office space. Go ask someone in the know what it costs to maintain an office or cubicle for a single employee. You would be surprised. The ones in the know factor in electricity, floor space, heat, air-conditioning, parking, phone, network, etc. into the equation. Consider all these costs over the cost of VPN, encryption, cell phone, phone line and the power and flexibility of working remotely.
Heck, I pay for my own broadband connection out of my pocket anyway. Putting the work laptop on the home network was a no brainer. I am not looking for work to pay for the broadband connection at all. I just want to be able to utilize VPN to get to the corporate network.
I don't get to work at home but I am on call and I am able to respond to an outage much quicker using broadband and VPN. To dial into the network and then have to run my desktop remotely via pcANYWHERE is much slower than VPN. This remote control is a workaround for the low bandwidth. Just to reset a password could take me 40min. without remote control. With remote control it takes about 15min. With VPN, I can do it in about 10 seconds because the laptop is on my network and left booted up. I just have to login to the VPN and double-click a VB app, type in the ID to reset and click OK.
Everyday tasks are accomplished as easily as if I were in the office directly connected. The productivity gains of working at home are amazing. You would not believe the distraction in a busy office. Noise, chit-chat, waiting in line at the cafeteria, worthless meetings, etc. I get so much more done it's not funny!
Dire Straits would sing "I WANT MY VPN" instead of "I WANT MY MTV".
OWA vs imap (Score:2)
Someone who is used to the intermediate user features of Outlook (i.e. message filtering and folders [specifically, marking a group of message for moving into folders]) will find OWA a major PITA.
Sure, OWA is great for simple access to e-mail from a public kiosk. But OWA simply won't please the daily user of an Exchange e-mail system.
No contacts, calendars, etc... (Score:1)
I agree with you, and use IMAP (over SSL or VPN) myself when remote. However, e-mail's just the tip of the iceberg for most Outlook users. What do you do for Outlook's non-mail features i.e. the GAL (global address list), contacts, calendars, tasks, etc...? There's no way to access these over IMAP.
In my case I fall back to OWA or Outlook over VPN for those, but what if they weren't available?
Re:No contacts, calendars, etc... (Score:1)
Balam
The global address list can be queried via LDAP.
But you're right about calendars and tasks. Those would not be accessible through IMAP. For those I'd have to send them to OWA.
Re:No contacts, calendars, etc... (Score:1)
LDAP also won't get you to the contacts in your Contacts folder or any other folders in your Mailbox or Public Folders either, which are often more relevant than the GAL.
Note that OWA 5.5 is also deficient in this area since it only allows you access to your primary Contacts folder, and not to any Public Folders that contain Contacts. OWA 2000 is supposed to improve on that but still has some restrictions I can't remember.
I still don't see why MS doesn't just make Contacts and Calendar items accessible ov
Small companies (Score:2)
They had the Exchange services provided by the ISP; guess that is a good thing because they didn't have a local admin to reboot the Exchange server all the time.
Office/Outlook 2003 and Exchange 2003 (Score:1)
At the risk of running afoul of the anti-upgrade/anti-microsoft sentiments on Slashdot, it should be noted that the next version of Office (which just went beta 2), in combination with Windows Server 2003 and Exchange 2003 (Titanium) will allow remote users to use the native Outlook client to connect to an Exchange server using XML-RPC over HTTPS. This should allow remote users to dump the need for VPN if all they're doing is connecting to Exchange. Combined with some strides that Microsoft has made in making Outlook work better in an offline/caching mode, this is a really decent solution for using Outlook if you're a remote user.
So far as OWA, Titanium has a much better interface than Exchange 5.5 (ugh) and even Exchange 2000. OWA will support creating and editing server-side rules, and now includes integrated spell-checking, so if the Windows Server 2003/Exchange 2003/Outlook 2003 combination is too daunting (either financially or technically), Exchange 2003 OWA would be a good second choice.
Re:Office/Outlook 2003 and Exchange 2003 (Score:1)
from the Seaside Software web [seasidesw.com] site:
What it is:
HiPerExchange is a software-only solution that is installed on the remote PC (Win '98 and up; IE 5.0+). No server-side component whatsoever. Does require E2K server, not 5.5, however.
Target user: remote/mobile Exchange user who faces Outlook slowdown over low-speed lines; IT shops that wish to expand browser-based mail use thru high performance, offline use.
What it does:
Background http(s) synch to pull down user's mail store. Synchs hea