Customize/Create Outlook Web Access 2007 Themes

27. August 2008 by Myke.

OWA 2007 comes stock with 4 themes but if you require more or want to make a Corporate based theme, use these instructions.

A theme in OWA is a collection of media (e.g. .GIF and .WAV files) and .CSS files. These files are installed in folders under in the vroot under ‘version\themes’.

Out of the box, we ship with three themes: blue “Seattle Sky” (folder name ‘base’) and black “Carbon Black” (folder name ‘1′) and a mountain image “Olympic Sunrise” (folder name ‘2′). Customers can add more themes by creating new folders and adding their own customized files.

We recommend here that you optimize your theme by changing only the logo, top banner area and the selection highlights so the theme will have less potential for destabilization and bugs. Using very bright or very light dark for the selection colors and the top banner are not advised - try to use subtle or primary colors for the banner area and medium-hued colors for the selection/highlight colors. If you want to use darker or very light colors, you’ll need to also adjust the text for the appropriate level of contrast and the best legibility by testing on various monitors at different resolutions.

The base theme

The base theme lives under ‘themes\base’ and it contains all of the themeable files. Any other themes are built by overriding files in the base theme.

Say for example the base theme is made of files A, B, C and D. I can create a new theme by changing say, C and D, and leaving A and B untouched. Thus for the new theme, C and D will come from the new theme folder, while A and B will come from the base theme.

What’s in a theme folder

The two most important types of files in a theme folder are icons (GIF files) and styles (CSS files). Specifically, premium.css is the style sheet file for Premium OWA (the OWA Light client is not themeable).

Premium.css can be edited to change things like colors, gradients and font styles.

The GIF files can be edited to change any icons in the UI. Keep in mind that the sizes of the images should not be changed.

This is an improvement over Titanium, where only a handful of GIFs could be themed (the logo and a couple of others), and only the colors in the .CSS file could be changed.

How to install a theme

Create a new folder under version\themes (e.g. “themes\viayoga”).

Copy the files from the base theme that you will want to alter for your new theme. If for example, you want to change the logo, then copy ‘logop.gif’ from ‘themes\base’ to ‘themes\viayoga. The viayoga folder at this point will contain only one file. If you also want to change some of the styles, then copy premium.css. You can do this with any files in the base theme. As they are copied to the new theme folder, the theming engine will pull the modified files from the ‘viayoga’ folder while still using the unchanged files from the ‘base’ theme.

You can give a name to the theme in two ways:

Adding a file called themeinfo.xml and specifying the name in it (see below).

Leave it like this, and the name will come from the folder name (in this case, “viayoga”).

Restart IIS so OWA automatically picks up the new theme.

Themeinfo.xml

The syntax of this optional file is very simple:

<theme displayname=”theme name“/>

If present, the value of the displayname attribute is used as the name of the theme.

The themes we ship with contain a macro like this:

<theme displayname=”$$_BASE_$$”/>

…which we use internally to map to localized strings.

How to create themes

First, start by setting up the theme without changing any files. Create a new folder under themes (call it ‘test theme’), then copy premium.css, logopt.gif, logopb.gif and nbbkg.gif (the files for the top banner “brand bar”) to begin with, which are probably the first files that you will be editing for your theme.

Changing the top banner can be done most easily using a solid color or a vertical gradient similar to what is already in place. Your custom nbbkg.gif (repeating background image) can be any width but must remain the same height.

If you want to include a more complex or interesting image as your background, be sure to create the right and left edges as a mirror so that the strip meets when it repeats and appears as a single image so it will work on a variety of screen resolutions. Or, you can create one long image for the target width you’d like to support.

Looking at these files in an image editing tool, you can see that logopt.gif and logopb.gif are the top and bottom of the OWA logo including a background, and nbbkg.gif is a gif that repeats as the background.

We split the images up so that we can add “Connected to Microsoft Exchange” as a live text string that can be localized into different languages. You can create one image and remove this string by editing the style sheet. Simply add “display:none” to the tdLogoB class, then save your image as one piece, 238 x 49 pixels, and edit the height of the image here:

}

td.tdLogoT

{

width:238;

height:49;

background:url(”logopt.gif”) no-repeat

}

td.tdLogoB

{

vertical-align:top;

height:16;

padding-left:42;

font-size:7pt;

font-family:tahoma;

color:#EEEEEE;

background:url(”logopb.gif”) no-repeat;

display:none;

}

Example theme

As an example, we created a theme for a Seattle yoga company that provides yoga retreats and surfing lessons in Mexico (yes, you should go!).

We removed the “Connected to…” string by editing the style sheet as shown above. You can see how it looked before and after editing the style sheet and adjusting the images slightly. The background image is simply filled with a solid, bold color. The resulting background image - nbbkg.gif - only needs to be 1 pixel wide.

Changing colors and other styles in premium.css is the tricky part:

Use an image editing tool like PhotoShop or PainShop Pro to take screenshots and sample colors that you want to change. For instance, to change the yellow color of the selected module in the secondary navigation:

First, obtain the html RGB values (#RRGGBB) for that yellow: that value is #FFEFB2.

Then look for this in premium.css:

/* NavBar buttons selection color */

a.nbHiLt

{

background-color:#FFEFB2;

}

Here’s where the tricky part comes. In debug builds, we know this is the color because in most cases we have a comment above the style. As an OWA dev, we also have access to the sources so we can verify this is the color we want. For people without access or familiarity with the source code, this is a trial and error process: guess if this is the right style by the name of the class (which is relatively hard, because our names are shortened and not too easy to decipher unless you are an OWA dev), then apply the change, refresh your browser and see if you are lucky.

Continue changing the colors until the theme is starting to look right to you. For some pieces of the interface, there are two values specified for each end of a gradient, when a lighter color blends into a darker color. These work best with lighter hues of colors.

When creating your theme, you may find a color and want to do a straight find and replace action on the entire style sheet file. Be careful when doing this. For the areas defined as gradients (Find = “gradient” to see all the instances of these) you might accidentally change all the light grays to your new highlight color. Try saving and refreshing your build with your new theme selected in Options > General Settings > Appearance in order to make sure you’ve changed only the intended elements.

We don’t recommend changing the colors of the red and yellow informational messages that appear at the top of the message forms, alerting users to potentially harmful content, phishing attacks, viruses and blocked or missing content. We call these “infobars” (non-phishing are yellow:#FFEFB2 ) and “error infobars” (errors and phishing alerts are light red:#FFAEB9). There is also an infobar for meeting conflicts on meeting invitations:

/* Non-phishing infobar messages */

div#divIB div#dvExp, div#divIB div#dvInf, div#divIB div#dvExpErr, div#divIB div#dvErr,

div#divIB div#dvJnkMl

{

margin:2 0;

padding:1 3;

background-color:#FFEFB2;

border:solid 1 #FDD981;

}

/* Phishing */

div#divIB div#dvPhsh

{

padding:1 3;

background-color:#FFAEB9;

border:solid 1 #FF99CC;

Main Selection Colors

Selection in mail list is probably one of the most important highlight colors. This is the color over the selected message which tells users what item they are currently reading. There is a primary color to indicate focus and a secondary highlight color that is slightly lighter to show selection when the focus moves away from the item, like the currently selected folder or the current day in the Calendar. For each theme, these two colors are the same color that we use for the primary and secondary highlight colors.

Shown below, the primary color is on the left, the secondary color on the right. You can see the difference is quite subtle.

In the premium.css style sheet, this highlight in the mail list is specified as:

tr.sel, tr.srsel, tr.lrsel

{

background-color: #FFEFB2;

color:#000000;

}

tr.shdw, tr.srshdw, tr.lrshdw

{

background-color:#F8F0D2;

Icons

In order to change icons, the process is quite similar, find out which icon it is you want to change in your theme, copy it to your theme folder and then change it there. Then verify the change in the product with your new theme name selected. We use .gif files with transparent backgrounds. Make sure to keep the image sizes unchanged.

Customize the Logon Screen

To customize the logon (and log off) screen, update the images and the background color to create a custom look. You can create your own custom look and feel by updating the image files that create the logon screen. Note that the logon screen cannot be customized per theme since the user needs to enter their credentials and be authenticated prior to accessing their own user settings (theme selection) for each session. Therefore, you’ll need to directly manipulate the files in the base folder starting with the style sheet “logon.css” and the images that create the border and the main logo for the screen.

The screen is made up of several images for the border top, bottom, sides and also includes repeating images and corners for expansion. The images that create the logon screen are:

lgnbotl.gif

lgnbotm.gif

lgnbotr.gif

lgnexlogo.gif

lgnleft.gif

lgnright.gif

lgntopl.gif

lgntopm.gif

lgntopr.gif

To create a new look and feel, using a solid color is easiest since the screen uses the same collection of images for several screens and resizes horizontally and vertically based on the contents for each screen: logon, language selection (shown on the first logon per mailbox), and the log off screen that’s shown each time the user presses the Log Off button.

Before changing the images, you can make a backup of the image files in case you need to revert your changes to the original configuration. Start by opening the Microsoft Outlook Web Access logo (lgntopl.gif):

…and change it to your own company logo:

Here is a general idea of how all of the new image files will fit together on the logon screen:

Logon Screen: background color

Editing the logon.css is necessary if you want to change font styles and other colors, including the background color that exists behind the controls in the middle of the screen. Currently the background color is specified as #7F90B1. For our custom logon for Via Yoga, we need to replace this with orange #E48310 for the area behind the controls that is not colored by the other images.

Logon Screen: active text color

The active text color on the existing OWA logon screen is yellow: #F8D328 since that stood out best on the blue background as a secondary font color. We’ll want to change this for Via Yoga, but we still want the primary white text to come into focus first so we’ll leave all that text white. We’ll change the active text to the same blue used elsewhere in this theme to indicate that something is active or “clickable.” That blue RGB value is #266CBC. Do a find and replace to make this color change in the logon.css.

Logon Screen: final details

After logging off, this is looking pretty good, but the lines used to separate text and form elements are hard to see in the existing gray #A9AAC4. Open the logon.css file and find that color value. Change it to something a little lighter than your background but darker than the text so that the text still stands out as the most important information on the screen. We replaced the gray with a light orange RGB value #FFC279.

Voila - looks good:

posted by: Myke Reinhold
Info credit: Jorge Pereira and DJ Schwend

Posted in Exchange, Microsoft | Print | No Comments »

Applying Managed Folder Mailbox Policies via LDAP Filters

27. August 2008 by Myke.

In Exchange 2003 Mailbox Manager Policies could be applied to subsets of mailboxes using LDAP filters the same way Recipient Policies were applied. 

In Exchange 2007 this behavior changed.  Mailbox Manager Policies are now called Managed Folder Mailbox Polices and they are assigned on a per user level.  This new methodology allows more granularity and eliminates some of the confusion about which policy is being applied. 

However, in some cases the ability to apply these policies via LDAP filters is desired and the change is cumbersome.  If you prefer the filtered method for applying policies, you can write a script using the PowerShell function below:

functionApply-FilteredManagedFolderMailboxPolicies ($LDAPFilter, $ManagedFolderMailboxPolicy){      $root = [ADSI]”      $searcher = New-ObjectSystem.DirectoryServices.DirectorySearcher($root)      $searcher.Filter = $LDAPFilter      $searcher.PageSize = 500      $users = $searcher.findall()      foreach ($user in $users){            $UserDN = [String] $user.properties.distinguishedname            if ($UserDN -notlike “*SystemMailbox*”){                  $mailbox = get-mailbox $UserDN                  if ($mailbox.RecipientTypeDetails -ne “LegacyMailbox”){                        write-host “Updating: $UserDN”                        Set-Mailbox -Identity:$UserDN-ManagedFolderMailboxPolicy:$ManagedFolderMailboxPolicy-ManagedFolderMailboxPolicyAllowed:$true                  }            }      }}

This function will search your current domain for user accounts that match the supplied LDAP filter.  For each user returned, the account is checked to ensure that the mailbox is hosted on an Exchange 2007 server and will set the Managed Folder Mailbox Policy as desired.

Combining with the LDAP filters you have already created for your existing Mailbox Manager Policies, you can easily write a script to apply the appropriate policies via filters.

#Usage:#Apply-FilterdManagedFolderMailboxPolicies $LDAPFilter $PolicyName 

# Default PolicyApply-FilteredManagedFolderMailboxPolicies “(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))))” $null 

 

# Delete after 180 days policyApply-FilteredManagedFolderMailboxPolicies “(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))(objectCategory=user)(memberOf=CN=Delete After 180 Days,CN=Users,DC=domain,DC=com)))” “180 day policy” 

When writing the script, remember that the precedence of your policies should be lowest to highest.  The first policy you should apply should be your default policy (or $null if you don’t want one) and the last policy should be your most restrictive filter with the highest precedence.

In this example, the default action is to no assign policy.  The “180 day policy” is applied to the members of the “Delete After 180 Days” group.

When using groups to apply policies it is important to remember that there must be a default policy in your script so that once a user is removed from the defined group, the existing policy applied will be updated to the default policy.

About LDAP Filters

To get the LDAP filters used with existing Mailbox Manager policies simply open the policy and copy the text in the Filter Rules:textbox.   Paste this filter encompassed in quotes into your script and you will be good to go.

If you want to manually create your own LDAP search string you can use the information at Creating an LDAP Search String to get you started.

If you prefer the GUI method open Active Directory Users and Computers, right-click the Saved Queries folder, select New, and Query. Click the Define Query box and select Users, Contacts, and Groups from the drop down box. On the Advanced tab select the attribute you would like to use from the filter from the Field box.  At the very minimum you should add the following filters to start:

User: E-Mail Address                 Starts with          *

User:Exchange Home Server      Starts with          *

Scheduling the Script

To ensure user policies are updated correctly based upon the filters, you must schedule this script to run sometime before the Managed Folder Assistant runs on the servers.  Therefore as the assistant runs daily at 5am, the script should run daily at 3am.

posted by: Myke Reinhold
Info credit: Nick Smith

Posted in Exchange, Microsoft | Print | No Comments »

Exchange 2007 SP1 ActiveSync issues

27. August 2008 by Myke.

ActiveSync Default Policy

Exchange 2007 RTM would allow you to assign ActiveSync policies on a per user level.  Exchange 2007 SP1 added the ability to define an ActiveSync policy as a default policy for all users.  You can read more about this and other changes to ActiveSync in SP1 on the “What’s New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1?” post on the Exchange team blog.

However, if your environment does not utilize ActiveSync policies you should be aware that the default policy will be applied to all users after upgrading to SP1.  The default policy is pretty vanilla and would not really impose any configuration changes on mobile devices.  However, users will be prompted to apply required security settings before syncing.  The following Exchange Management Shell command can be used to prevent the default policy from being applied to all users, thus preventing the prompt on mobile phones.

Set-ActiveSyncMailboxPolicy Default -IsDefaultPolicy:$false

**Note: Each time a CAS server is upgraded this policy will be re-enabled as the default.

Load Balancer SSL Offloading

If you have multiple CAS servers and are using SSL offloading on your hardware load balancers you should be aware that installing SP1 will re-enable the SSL requirement at the root level of the “Default Web Site”. This will likely prevent the ‘http listener’ form detecting that your CAS servers are available and OWA access will be unavailable.

To resolve this, edit secure communications on the Directory Security tab of the “Default Web Site”.  Uncheck the Require secure channel (SSL)checkbox.

**Note: The option is also re-enabled when running the Enable-ExchangeCertificate cmdlet to apply a new certificate to IIS.

posted by: Myke Reinhold
info collected at: Nick’s Unified Communications and Scripting Blog

Posted in Exchange, Microsoft | Print | No Comments »

Secure mobile devices in Exchange 2003

31. July 2008 by Travis.

The device security policies are configured within the same place as the other mobile device related settings, and that is under the Property page of the Mobile Services object in the Exchange System Manager.  When you click the Device Security button you get to the page where you configure the different Device Security Settings.

As the device security settings are global, it’s rather important you know the exact purpose of each setting. I’ve therefore listed all of them with a description in the table below.

Device Security Setting	Description
Enforce password on device	Activates the device password policy. None of the device security settings will work before the feature has been enabled.
Minimum password length (characters)	Enable this option to specify the required length of the user’s device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters.
Require both numbers and letters	Enable this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default.
Inactivity time (minutes)	Enable this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes.
Wipe device after failed (attempts)	Enable this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts.
Refresh settings on the device (hours)	Enable this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours.
Allow access to devices that do not fully support password settings	Select this option if you want to allow devices that do not fully support the device security settings to be able to synchronize with Exchange Server. This option is not selected by default. If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server.

In addition to the settings in the table, there’s also an Exceptions button (see Figure 3.) After clicking this button you can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list can be useful if you have specific trusted users (or perhaps managers!) of whom you do not need to require device security settings.

Be sure you don’t configure a device security policy that is too strict, as this could end up with frustrated users erasing their devices all the time. Also remember a user in some situations could have problems contacting the IT department if his device has just been erased. Users are already used to four-digit numbers (among other things from their credit cards) so requiring a four-digit number would in most situations be a good idea. Actually the best solution would be to use a four-digit number in combination with a reasonably configured wipe device after failed attempts setting to make sure you don’t become unpopular.

So where are all the device security settings stored? Almost all the values configured under the device security settings page are stored in Active Directory, more specifically in an attribute called msExchOmaExtendedProperties, which can be found under CN=Outlook Mobile Access,CN=Global Settings,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com using a tool such as ADSI Edit.

If you select the msExchOmaExtendedProperties attribute and click the Edit button you get to the screen shown in Figure 5 below.

 

As you can see, all the device security related values are stored in a string prefixed PolicyData. The values are encoded between the <wap-provisioningdoc> tags. Because this is nothing else than a XML blob, you have the possibility of provisioning your own custom policies by specifying the required values in an XML format similar to this one. It would have been nice to be able to set these policies per user via the GUI but for now the only way to configure these settings on a per user basis is to configure the msExchOmaExtendedPropertiesattribute on each user, but that’s not exactly a friendly method is it? Good thing is I’ve heard Microsoft will make it possible to configure these settings per user, using GPOs or a similar approach; the bad thing is this won’t be before Exchange 12 RTMs.

When you have configured and enabled the device security settings on the server, the dialog box shown below will appear on the device during the next synchronization with the server.

After clicking OK you need to specify and confirm the PIN or password you want to use. The PIN or password needs to be entered every time the device is unlocked or after you have issued a cold reset. If an incorrect password is entered, perhaps because one of your kids was playing with the device or if you forgot to lock the keypad while the device was in your pocket, you’ll get a message similar to the one below:

The password you typed is incorrect. Please try again. 1/5 attempts have been made.

This of course depends on how many allowed attempts you have specified under Wipe device after failed option in your Device Security Settings (refer back to Figure 2).

After the second failed attempt you’ll be notified that several incorrect passwords have been entered. In order to confirm the login attempt is not due to accidental button presses, you’re asked to enter A1B2C3 or something similar (depends on how the mobile provider configured this in the specific build). When you have entered these characters you’ll once again have the option of specifying your device password. Should you for some reason manage to enter it incorrectly once again, you’re faced with the incorrect password dialog box again. Before the last available attempt you’ll be informed that all information on the device will be erased after the next unsuccessful password attempt. An erase (similar to a local wipe) will clear out all memory on the device, i.e. the device will be reset back to its factory defaults. Bear in mind though that data on the storage card in the device will remain intact. You can argue whether this is a good design decision or not, personally I think this is a major security risk factor, especially because you can configure the device to store e-mail message attachments on the storage card!

Note:
If you know for a fact that a device has been lost or stolen, you can also initiate a remote wipe to the device, a remote wipe wipes the device immediately. We’ll talk more about this possibility in part 3 of this article series.

If you want to change your PIN or password, you do so by clicking Start > Settings > Lock.

You’ll now need to enter your current PIN or password in order to access the change password feature, when you have done so, you’ll get to the screen shown below.

It’s also interesting to note that a locked device that is connected to a PC using a USB cable won’t be accessible either, instead you’ll be faced with the dialog box shown below.

Posted by: Travis Sarbin
Tested by: Myke Reinhold

Posted in Exchange, Microsoft | Print | No Comments »