EDIT 10/14/2009: Made a few readability improvements as well as added a section based on feedback.
Traditionally, in order to access an internal share or site link posted within an email, one had to be connected to the company network. In addition, access to internal files was not available directly from a mobile device using Exchange ActiveSync unless the mobile device was tethered to the network.
With Remote File Access in Exchange 2007, one can access files as read-only from anywhere using Outlook Web Access (OWA) or Exchange ActiveSync.
The basic steps on how to configure Remote File Access are posted on TechNet here.
What follows here is an overview (including a few screenshots) of what to expect as far as configuration goes and some of the caveats to look out for before implementing Remote File Access.
First, let’s take a look at Exchange ActiveSync!
The Remote File Servers tab is configurable in both OWA and Exchange ActiveSync using the Exchange Management Console. Once those settings are stored in Active Directory, the CAS references Active Directory to detect what internal servers are accessible for Remote File Access. For an explanation of each setting available, refer to TechNet here.
Here is a sample command using the Exchange Management Shell to enable Remote File Access for Exchange ActiveSync:
Set-ActiveSyncVirtualDirectory -Identity:"ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -RemoteDocumentsBlockedServers:"ServerName1","ServerName2" -RemoteDocumentsAllowedServers:"ServerName3" -RemoteDocumentsInternalDomainSuffixList:"DomainSuffix" -RemoteDocumentsActionForUnknownServers:"Block"
For Remote File Access in Exchange ActiveSync to work correctly, one must also configure the Exchange ActiveSync Policy to allow WSS/UNC access.
Moving on to OWA.
There are three tabs to configure Remote File Access in OWA. They are the Remote File Servers tab in addition to Public and Private Computer File Access tabs. The Remote File Servers tab looks and can be configured the same as the Remote File Servers tab for Exchange ActiveSync.
The Public and Private Computer File Access tabs allow for more stringent file access based on OWA Public or Private computer connections.
Here is a sample command using the Exchange Management Shell to enable Remote File Access for OWA: (look familiar???)
Set-OWAVirtualDirectory -Identity:"ServerName\OWA (Default Web Site)" -RemoteDocumentsBlockedServers:"ServerName1","ServerName2" -RemoteDocumentsAllowedServers:"ServerName3" -RemoteDocumentsInternalDomainSuffixList:"DomainSuffix" -RemoteDocumentsActionForUnknownServers:"Block"
NOTE: Once Remote File Access for OWA is configured, one can access internal shares via links in e-mail or by using the Documents button.
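An added example, not part of the original post: a read-only check for the Exchange Management Shell that reports the Remote File Servers settings written by the two commands above and flags values that leave file access wider than intended. The helper name Test-RemoteDocumentsSettings is hypothetical, and filtering on OwaVersion to skip legacy OWA virtual directories is an assumption about the environment.

```powershell
# Added example (not from the original post). Read-only: only Get-* cmdlets run.
# Test-RemoteDocumentsSettings is a hypothetical helper name.
function Test-RemoteDocumentsSettings($VDir, $Protocol) {
    $issues = @()

    # Hosts on neither list should be denied, as in the sample commands.
    if ("$($VDir.RemoteDocumentsActionForUnknownServers)" -ne 'Block') {
        $issues += 'unknown servers are not blocked'
    }

    # A value typed as one string, e.g. "ServerName1,ServerName2", is stored as a
    # single entry that matches neither host, so that block list blocks nothing.
    $entries = @($VDir.RemoteDocumentsAllowedServers) + @($VDir.RemoteDocumentsBlockedServers)
    foreach ($entry in $entries) {
        if ("$entry" -match ',') { $issues += "comma-joined entry '$entry'" }
    }

    $report = New-Object PSObject
    $report | Add-Member -MemberType NoteProperty -Name Protocol -Value $Protocol
    $report | Add-Member -MemberType NoteProperty -Name Identity -Value "$($VDir.Identity)"
    $report | Add-Member -MemberType NoteProperty -Name Allowed -Value $VDir.RemoteDocumentsAllowedServers
    $report | Add-Member -MemberType NoteProperty -Name Blocked -Value $VDir.RemoteDocumentsBlockedServers
    $report | Add-Member -MemberType NoteProperty -Name Suffixes -Value $VDir.RemoteDocumentsInternalDomainSuffixList
    $report | Add-Member -MemberType NoteProperty -Name Issues -Value $issues
    $report
}

$reports = @(Get-ActiveSyncVirtualDirectory | ForEach-Object { Test-RemoteDocumentsSettings $_ 'ActiveSync' })
# Assumption: legacy OWA virtual directories are skipped by filtering on OwaVersion.
$reports += @(Get-OwaVirtualDirectory | Where-Object { $_.OwaVersion -eq 'Exchange2007' } |
    ForEach-Object { Test-RemoteDocumentsSettings $_ 'OWA' })
$reports | Format-List

# Exchange ActiveSync additionally needs WSS/UNC access allowed in the mailbox policy.
Get-ActiveSyncMailboxPolicy | Format-Table Name, WSSAccessEnabled, UNCAccessEnabled -AutoSize

# OWA: file access is set separately for public and private computers.
Get-OwaVirtualDirectory | Where-Object { $_.OwaVersion -eq 'Exchange2007' } |
    Format-List Identity, WSSAccessOnPublicComputersEnabled, UNCAccessOnPublicComputersEnabled,
        WSSAccessOnPrivateComputersEnabled, UNCAccessOnPrivateComputersEnabled
```

An empty Issues field means unknown servers are blocked and every list entry is a single host name.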
Be aware of the following caveats before implementing Remote File Access:
1) Only mobile devices connecting through the new Exchange ActiveSync protocols (introduced in Exchange 2007) can take advantage of the Remote File Access functionality. Windows Mobile 6 and above have this capability.
NOTE: This functionality may vary depending on vendor and model. If unsure, consult the device log. A way to test is by using the Windows Mobile Emulator. Steps to install and configure Mobile Emulators can be found here.
2) Although OWA can access links to sites or files, any link within an e-mail on an Exchange ActiveSync client must point to the file itself (not to the parent site where the file exists) in order for the device to be able to open the file. Example: a WSS link ( http://wss/sites/testfile.doc ) or a UNC link ( \\server1\testfile.doc ).
3) For any link within an e-mail on an Exchange ActiveSync client that contains a period in the DNS name, such as http://wss.contoso.com/sites/testfile.doc, the URL must be placed within the Exceptions list on the device so that the device recognizes the address as an intranet address and not an internet address.
Take the following actions on the Windows Mobile device:
1) Click Start, Settings, Connections…
2) Click the Connections icon
3) Choose Advanced tab, then Exceptions…
4) Add the FQDN or wildcard to the URL list by clicking Add new URL.
5) Click Ok and test the link in the email again.
NOTE: The above steps may differ depending on the device model. If unsure, one should consult the device manual.
NOTE: One can tell that the device is attempting to connect to the remote file using Exchange ActiveSync if “activesync:” is prefixed to the URL in the address bar of the device’s IE browser.
Example: ( activesync:http://wss.contoso.com/sites/testfile.doc )
The “activesync:” prefix is the encapsulated redirect that the CAS sends back to the mobile device so the device knows to connect through the CAS in order to get to the internal file. By default, the device will always attempt to connect through Exchange ActiveSync first when opening an e-mail link, unless the FQDN is not listed in the Exceptions list as shown above.
To test these settings, use the Windows Mobile Emulator. Steps to install and configure Mobile Emulators can be found on EHLO here.
4) Accessing remote files using Exchange ActiveSync does not work for a mailbox logged on via CAS to CAS proxy. If one is a user on a Mailbox Server in Site2 and the Internet facing CAS is in Site1, the request must proxy from the CAS in Site1 to the CAS in Site2 in order to access the mailbox. The Remote File Access request would therefore fail in this scenario.
If one is a user on a Mailbox Server in Site2 and the Internet facing CAS is in Site2 and the File Server is in Site1, then the remote file access request will be successful in this scenario.
NOTE: One giveaway to detect if a user is logging into a mailbox through a CAS proxy is to check if the Documents button is showing in OWA.
In the scenario where CAS to CAS proxy is used and Remote File Access is a necessity, set the CAS (in the site where the user’s mailbox is located) as an internet facing CAS and create another public DNS record to point to it. All future requests at that point will redirect instead of proxy to the second site. This may require a second firewall or proxy server to handle requests from the internet to the new internet facing CAS.
When taking this approach, mobile devices must be changed to look at the DNS name for the Exchange ActiveSync server; otherwise the Exchange ActiveSync request may fail instead of attempting a redirect.
A good blog post on how CAS to CAS Proxy works can be found here.
5) How to configure Remote File Access to connect to DFS: (Added based on feedback)
The domain suffix <contoso.com> must be placed in both the “Domain Suffixes” and “Allow” list under the Remote File Servers tab for this to work.
With Exchange ActiveSync, the device can access files within DFS.
With OWA, it depends on the DFS share:
If one wishes to access DFS pointing to a root drive of a server, one must browse to a specific file within that share.
If one wishes to access DFS pointing to a folder, then one can browse the top level of the share.