Tips on Remote File Access in Exchange 2007


EDIT 10/14/2009: Made a few readability improvements as well as added a section based on feedback.


Traditionally, in order to access an internal share or site link posted within an email, one had to be connected to the company network. In addition, access to internal files was not available directly from a mobile device using Exchange ActiveSync unless the mobile device was tethered to the network.


With Remote File Access in Exchange 2007, one can access files as read-only from anywhere using Outlook Web Access (OWA) or Exchange ActiveSync.


The basic steps on how to configure Remote File Access are posted on TechNet here.


What follows here is an overview (including a few screenshots) of what to expect as far as configuration goes and some of the caveats to look out for before implementing Remote File Access.


First, let’s take a look at Exchange ActiveSync!


The Remote File Servers tab is configurable in both OWA and Exchange ActiveSync using the Exchange Management Console. Once those settings are stored in Active Directory, the CAS references Active Directory to detect what internal servers are accessible for Remote File Access. For an explanation of each setting available, refer to TechNet here.



Here is a sample command using the Exchange Management Shell to enable Remote File Access for Exchange ActiveSync:


Set-ActiveSyncVirtualDirectory -Identity:”ServerName\Microsoft-Server-ActiveSync (Default Web Site)” -RemoteDocumentsBlockedServers:”ServerName1,ServerName2″ -RemoteDocumentsAllowedServers:”ServerName3″ – RemoteDocumentsInternalDomainSuffixList:”DomainSuffix” -RemoteDocumentsActionForUnknownServers:”Block”


For Remote File Access in Exchange ActiveSync to work correctly, one must also configure the Exchange ActiveSync Policy to allow WSS/UNC access.



Moving on to OWA.


There are three tabs to configure Remote File Access in OWA. They are the Remote File Servers tab in addition to Public and Private Computer File Access tabs. The Remote File Servers tab looks and can be configured the same as the Remote File Servers tab for Exchange ActiveSync.


The Public and Private Computer File Access tabs allow for more stringent file access based on OWA Public or Private computer connections.




Here is a sample command using the Exchange Management Shell to enable Remote File Access for OWA: (look familiar???)


Set-OWAVirtualDirectory -Identity:”ServerName\OWA (Default Web Site)” -RemoteDocumentsBlockedServers:”ServerName1,ServerName2″ -RemoteDocumentsAllowedServers:”ServerName3″ – RemoteDocumentsInternalDomainSuffixList:”DomainSuffix” -RemoteDocumentsActionForUnknownServers:”Block”



NOTE: Once Remote File Access for OWA is configured, one can access internal shares via links in e-mail or by using the Documents button.



Be aware the caveats before implementing Remote File Access:


1) Only mobile devices connecting through the new Exchange ActiveSync protocols (introduced in Exchange 2007) can take advantage of the Remote File Access functionality. Windows Mobile 6 and above have this capability.


NOTE: This functionality may vary depending on vendor and model. If unsure, consult the device log. A way to test is by using the Windows Mobile Emulator. Steps to install and configure Mobile Emulators can be found here.


2) Although OWA can access links to sites or files, any link within an e-mail on an Exchange ActiveSync client must be to the file (not to parent site where the file exists) in order for the device to be able to open the file Example – ( A WSS link http://wss/sites/testfile.doc or a UNC link \\server1\testfile.doc )


3) For any link within an e-mail on an Exchange ActiveSync client that contains a period in the DNS name such as http://wss.contoso.com/sites/testfile.doc, the URL must be placed within the Exceptions list in the device to recognize the address as an intranet address and not an internet address.


Take the following actions on the Windows Mobile device



1) Click Start, Settings, Connections…



2) Click the Connections icon



3) Choose Advanced tab, then Exceptions…



4) Add the FQDN or wildcard in the URL list by Clicking the Add new URL.





5) Click Ok and test the link in the email again.


NOTE: The above steps may differ depending on the device model. If unsure, one should consult the device manual.


NOTE: One will know if the device is attempting to connect to the remote file using Exchange ActiveSync if “ActiveSync:” is appended in front of the URL on the device’s IE browser’s Address bar.


Example: ( activesync:http://wss.contoso.com/sites/testfile.doc )


The “activesync:” appended in front is the encapsulated redirect that CAS sends back to the mobile device so the device knows to connect through the CAS in order to get to the internal file. By default, the device will always attempt to connect through Exchange ActiveSync first when opening an email link unless the FQDN is not listed in the Exceptions list as shown above.



To test these settings, one can do so using the Windows Mobile Emulator. Steps to install and configure Mobile Emulators can be found on EHLO here.


4) Accessing Remote Files using Exchange ActiveSync does not work from a mailbox logged on via CAS to CAS proxy. If one is using on a Mailbox Server in Site2 and the Internet facing CAS is in Site1, the request must proxy from the CAS in Site1 to the CAS in Site2 in order to access the mailbox. Therefore, the Remote File Access request would fail in this scenario.


If one is a user on a Mailbox Server in Site2 and the Internet facing CAS is in Site2 and the File Server is in Site1, then the remote file access request will be successful in this scenario.


NOTE: One giveaway to detect if a user is logging into a mailbox through a CAS proxy is to check if the Documents button is showing in OWA.


In the scenario where CAS to CAS proxy is used and Remote File Access is a necessity, set the CAS (in the site where the user’s mailbox is located) as an internet facing CAS and create another public DNS record to point to it. All future requests at that point will redirect instead of proxy to the second site. This may require a second firewall or proxy server to handle requests from the internet to the new internet facing CAS.


When taking this approach, mobile devices must be changed to look at the DNS Name for the Exchange ActiveSync Server, otherwise the Exchange ActiveSync request mail fail instead of attempt a redirect.


A good blog post on how CAS to CAS Proxy works can be found here.


5) How to configure Remote File Access to connect to DFS: (Added based on feedback)


The domain suffix <contoso.com> must be placed in both the “Domain Suffixes” and “Allow” list under the Remote File Servers tab for this to work.


With Exchange ActiveSync, the device can access files within DFS.
example: \\contoso.com\share\file.txt


With OWA, it depends on the DFS Share
If one wishes to access DFS pointing to a root drive of a server, one must browse to a specific file within that share.  
example: \\contoso.com\root\file.txt


If one wishes to access DFS pointing to a folder, then one can browse the top level of the share.  
example: \\contoso.com\share\


6) Last, but not least… Remote File Access (Document Access) has been discontinued for OWA in Exchange 2010, but still lives on for Exchange ActiveSync.


Steve Swift

Comments (8)
  1. Jason says:

    How would you make this work for Outlook Anywhere?  Same thing?

  2. Chris L says:

    What about connecting to a Domain DFS share?  I never got that to work right  :(

  3. sswift says:

    The Remote File Access feature above is only available through ActiveSync and OWA.

    Outlook Anywhere has a way to view Sharepoint files remotely by connecting a Sharepoint library to the Outlook client. For more details, see

    http://office.microsoft.com/en-us/outlook/HA100819571033.aspx#2

  4. sswift says:

    For connecting to a DFS, the CAS needs to connect directly to the Server that holds the sharename. In that case, it would be \ServerShare.

    In addition that <ServerHostName> must be specified in the Remote File Access tab.

    So to answer your question, I don’t believe connecting to DFS is possible, but I will look into it further for you.

  5. RUSerious says:

    Once again, another disaster as a result of the poorly designed CAS proxying "feature".

    WHY is it that every time I find another flaw in CAS proxying I always read/hear the "solution" to be, "Oh just create another url for the other CAS server and make it internet facing/etc".

    You do realize that almost NONE of my clients would be ok/accepting of needing more than one URL for webmail especially if its for multiple sites in the same country.  Can you imagine telling customers, "Yes, for the Detroit site you need to go to detroitmail.webmail.customer.com and for the Dallas site you need to go to dallas.webmail.customer.com".  

    Not going to happen.

    Also seriously consider the ramifications of what happens when you have multiple sites, one site that is Internet facing, cas proxying configured to the non-internet facing sites, and what the effect is on the non-internet facing sites when for some reason…oh lets say a WAN outtage….that they can’t contact the internet facing site.  Yep, I’m sitting next to my cas server and mbx server in site Y (non-internet facing) but I can’t access OWA.  Oh wait…I can add an A record (or modify the current one) to point to my CAS server (never mind the havoc it creates for the other sites if that record is replicated) and then I get to modify URIs as it has to be null for CAS proxying to work.

    Seriously, do you guys TEST any of this with customers IN THE REAL WORLD before releasing this crap?

  6. Zensig says:

    Domain DFS share works, we use it from OWA. Just add companyname.local (as our domain DFS is called) to domain suffixes treated as internal. Now from OWADocuments connect to \companyname.localdfsshare Voila!

    Didn’t know about the ActiveSync thingy though, you live you learn.

  7. sswift says:

    Thank you for your feedback RUSerious.

    I encourage everyone to submit any feedback or ideas about existing products to http://www.microsoft.com/globaldev/outreach/ideas/ideas.mspx

  8. sswift says:

    In response to the posts earlier by Chris L and Zensig…

    First, I’d like to say thank you for posting these questions. This helps us provide more examples to the public. And thank you Zensig for providing a quick response to the customer.

    I did some more testing and would like to provide some additional information regarding connecting to DFS through Remote File Access.

    The domain suffix <contoso.com> must be placed in both the "Domain Suffixes" and "Allow" list under the Remote File Servers tab for this to work.

    With ActiveSync, the device can access files within DFS.

    example: \contoso.comsharefile.txt

    With OWA, it depends on the DFS Share

    If one wishes to access DFS pointing to a root drive of a server, one must browse to a specific file within that share.  

    example: \contoso.comrootfile.txt

    If one wishes to access DFS pointing to a folder, then one can browse the top level of the share.  

    example: \contoso.comshare

Comments are closed.