In this blog post, which is a continuation of previous post on the subject of WebReady document viewing, I'll go over how to customize the settings for attachments when using Exchange Server 2007 Outlook Web Access.
OWA 2007 allows you to specify which file and MIME types to allow, block, and force the user to save. The following properties control this behavior. They are shared between public and private logons, so there is no way to provide access to some file types for a private logon, but block them for a public logon. In the Exchange Management Console see (Server Configuration/Client Access/Outlook Web Access/owa (Default Web Site), Public Computer Access/ Enable direct file access, Customize)
Allowed{File,Mime}Types (string)
Blocked{File,Mime}Types (string)
ForceSave{File,Mime}Types (string)
ActionForUnknownFileAndMIMETypes (enumeration): what to do for files and MIME types not in the above three lists
- Allow
- Block
- ForceSave (default)
On the command line, the easiest way to work with these lists is to save the vdir object to a variable, change the properties, and then save the configuration. For example, if you wanted to move ".tif" files from the AllowedFileTypes list to the BlockedFileTypes list, you could do the following:
[PSH] D:\>$owa = Get-OwaVirtualDirectory "owa (default web site)"
[PSH] D:\>$owa.AllowedFileTypes.Remove(".tif")
True
[PSH] D:\>$owa.ForceSaveFileTypes.Add(".tif")
[PSH] D:\>$owa | Set-OwaVirtualDirectory
[PSH] D:\>
WebReady Document Viewing options:
WebReadyDocumentViewingForAllSupportedTypes: enables/disables WebReady Document Viewing of all supported types
WebReadyFileTypes: list of file types that should be converted for WebReady Document Viewing
WebReadyMimeTypes: list of MIME types that should be converted for WebReady Document Viewing
Note that '*' (meaning all file types) is not valid for WebReady{File,MIME}Types. To gain the equivalent behaviour, set WebReadyDocumentViewingForAllSupportedTypes to $true:
[PSH]>Set-OwaVirtualDirectory "owa (default web site)" -WebReadyDocumentViewingForAllSupportedTypes:$true
If you need to customize the list, you can view which file and mime types are supported by the WebReady Document Viewing engine by looking at the WebReadyDocumentViewingSupportedFileTypes and WebReadyDocumentViewingSupportedMIMETypes properties:
[PSH] D:\>Get-OwaVirtualDirectory "owa (default web site)" | fl WebReadyDocumentViewingSupported*Types
WebReadyDocumentViewingSupportedMimeTypes : {application/msword, application/vnd.ms-excel, application/x-msexcel, application/vnd.ms-powerpoint...}
WebReadyDocumentViewingSupportedFileTypes : {.doc, .xls, .ppt, .pdf}
While these changes make the design a lot cleaner, it makes it harder to disable access to attachments altogether. Instead of un-checking a couple of boxes in EMC or running a simple PowerShell command, you'll have to uncheck the following boxes in both "Public Computer File Access" and "Private Computer File Access" tabs for the "owa" vdir properties page in the Exchange Management Console:
- Enable direct file access
- Enable WebReady Document Viewing
For the PowerShell-inclined, run this command:
[PSH]>Set-OwaVirtualDirectory "owa (default web site)" -DirectFileAccessOnPublicComputersEnabled:$false -DirectFileAccessOnPrivateComputersEnabled:$false -WebReady DocumentViewingOnPublicComputersEnabled:$false -WebReadyDocumentViewingOnPrivateComputersEnabled:$false
It's important that they disable both direct file access as well as WebReady viewing. If they only disable the former, WebReady Document Viewing types (doc, xls, ppt, pdf) can still be viewed as html. If they only do the latter, users can still access attachments by saving them or opening them in locally installed apps, but they won't be able to access them via WebReady Document Viewing.
Notes
You might notice that there are checkboxes to enable or disable access to Windows File Shares and Windows SharePoint Services.
These don't actually control attachment access. They control access to OWA's Document Proxy feature (the "Documents" tab in OWA). In fact, they are segmentation options.
If you uncheck both sets of boxes on the "Public Computer File Access" and "Private Computer File Access" tabs, the "Documents" tab will disappear. We included them in these tabs because we thought that they fit better under the grouping of "file access" than "segmentation".
You Had Me at EHLO.