Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2008 R2. The network contains two Active Directory sites named Los Angeles and
San Francisco. All traffic to and from the Internet is routed through Los Angeles. You have an
Exchange Server 2010 Service Pack 1 (SP1) organization that contains three servers. The servers are
configured as shown in the following table.
Server1 has Windows Integrated Authentication enabled for the default OWA virtual directory. You
need to configure the Exchange environment to meet the following requirements. Ensure that users
can access their mailbox from the Internet by using the light version of Outlook Web App. Prevent
users from being prompted for a username and a password when they connect to Outlook Web App
from a domain-joined client computer on the internal network. What should you do? (Choose all
that apply.)
A.
From the Exchange Management Console (EMC), enable Windows Integrated Authentication for
OWA2.
B.
From the Exchange Management Console (EMC) on Server1, enable forms-based authentication
for the default OWA virtual directory on Server1.
C.
Create a new OWA virtual directory named OWA2 on Server1.
D.
From Internet Information Services (IIS) Manager on Server2, enable forms-based authentication
for the default OWA virtual directory.
E.
From Internet Information Services (IIS) Manager on Server1, enable forms-based authentication
for the default OWA virtual directory.
F.
From the Exchange Management Console (EMC), enable Windows Integrated Authentication for
the default OWA virtual directory on Server2.
Explanation:
This question had A, B, C and F as the answer however I do not see how that is correct.
As I understand the question Windows Integrated Authentication has already been enabled on
Server 1 default OWA directory. I do not see a need to create a second OWA directory named OWA2
as it is Los Angeles that excepts all connections so it should use either Client Access Proxy, or a
redirection to the Client Access Server in San Francisco.
I also don’t see how forms – based authentication will achieve anything. The Light Version of Outlook
Web App will be supported regardless as it is based not on the authentication methods but whatbrowser is being used. If you do not use a supported browser then only the light version will be
available.
Forms Based Authentication
Forms-based authentication enables a sign-in page for Exchange Server 2010 Outlook Web App that
uses a cookie to store a user’s encrypted sign-in credentials in the Internet browser. Tracking the use
of this cookie enables the Exchange server to monitor the activity of Outlook Web App sessions on
public and private computers. If a session is inactive for too long, the server blocks access until the
user re-authenticates. The first time that the user name and password are sent to the Client Access
server to authenticate an Outlook Web App session, an encrypted cookie is created that’s used to
track user activity. When the user closes the Internet browser or clicks Sign Out to sign out of their
Outlook Web App session, the cookie is cleared. The user name and password are sent to the Client
Access server only for the initial user sign-in. After the initial sign-in is complete, only the cookie is
used for authentication between the client computer and the Client Access server.
Setting the Value for Cookie Time-Out on Public Computers
By default, when a user selects the This is a public or shared computer option on the Outlook Web
App sign-in page, the cookie on the computer expires automatically and the user is signed out when
they haven’t used Outlook Web App for 15 minutes.
Automatic time-out is valuable because it helps protect users’ accounts from unauthorized access.
To match the security requirements of your organization, you can configure the inactivity time-out
values on the Exchange Client Access server.
Although automatic time-out greatly reduces the risk of unauthorized access, it doesn’t eliminate the
possibility that an unauthorized user might access an Outlook Web App account if a session is left
running on a public computer. Therefore, make sure to warn users to take precautions to avoid risks.
For example, tell them to sign out from Outlook Web App and close the Web browser when they’ve
finished using Outlook Web App.For more information about how to configure cookie time-out
values for public computers, see Set the Forms-Based Authentication Public Computer Cookie TimeOut Value.
Integrated Windows Authentication
You can configure Integrated Windows authentication for Outlook Web App in Microsoft
Exchange Server
2010. Integrated Windows authentication enables the server to authenticate users who are signed in
to the network without prompting them for their user name and password and without transmitting
information that isn’t encrypted over the network.
Understanding Proxying and Redirection
In a Microsoft Exchange Server 2010 organization, a Client Access server can act as a proxy for other
Client Access servers within the organization. This is useful when multiple Client Access servers are
present in different Active Directory sites in an organization and at least one of those sites isn’t
exposed to the Internet. A Client Access server can also perform redirection for Microsoft Office
Outlook Web App URLs and for Exchange ActiveSync devices. Redirection is useful when a user
connects to a Client Access server that isn’t in their local Active Directory site or if a mailbox has
moved between Active Directory sites. It’s also useful if the user should be using a better URL, for
example, one that’s closer to the Active Directory site their mailbox resides in.
Although the Client Access server’s response can vary by protocol, when a Client Access server
receives a request for a user whose mailbox is in an Active Directory site other than the one the
Client Access server belongs to, it looks for the presence of an ExternalURL property on the relevant
virtual directory on a Client Access server that’s in the same Active Directory site as the user’s
mailbox. If the ExternalURL property exists, and the client type supports redirection (for example,
Outlook Web App or Exchange ActiveSync), the Client Access server will issue a redirect to thatclient. If there’s no ExternalURL property present, or if the client type doesn’t support redirection
(for example, POP3 or IMAP4), the Client Access server will try to proxy the connection to the target
Active Directory site.
Client Access Proxy
I think the correct answer is just F as the Client Access Server in Los Angeles should perform either a
Client Access Proxy or a redirection to the Client Access Server in San Francisco.
