How Outlook Web Access 2000 and Outlook Web Access 2003 cache messages and attachments

This article describes how the Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 Outlook Web Access client caches messages and message attachments. This article does not describe how Outlook Web Access caches authentication credentials. The information in this article is current up to and including Exchange Server 2003 Service Pack 2 (SP2).

The message and file cache process in Outlook Web Access

How message information is cached

Outlook Web Access caches messages in the following ways:

• When you create a new e-mail message:
  When you create a new blank e-mail message, the whole form, including the window, the toolbar buttons, and other screen elements, is stored in cache memory. This behavior occurs for performance reasons and it makes sure that each newly created message can retrieve the form from the Web browser cache instead of obtaining it from the Exchange 2000 or Exchange 2003 server.
• When you open an existing e-mail message:
  When you open an existing e-mail message, a directive is sent from Exchange 2000 or Exchange 2003 to the client program that directs the Web browser to not cache the contents of the message. This directive (part of the Hypertext Transfer Protocol [HTTP] standard) is followed by all current browsers. The message content is stored in memory until you close the message. If you reopen that same message, the content is again retrieved from the Exchange 2000 or Exchange 2003 server.
• When you reply to or forward a message:
  When you reply to or forward an existing e-mail message, Exchange 2000 sends a directive to the client program that directs the Web browser not to cache the contents of the message. All current browsers follow this directive, which is part of the HTTP standard. The message content is stored in memory until you close or send the message. If you reply to or forward the same message again, the content is retrieved from the Exchange 2000 or Exchange 2003 server.

Message attachments

Message attachments differ from e-mail messages because attachments are not always opened directly by the Web browser. When you open a message that contains an attachment, a link to that attachment appears in the message. The attachment is not downloaded or opened until you click the link.

The following list describes the different behavior that occurs when you click the link to a message attachment in Outlook Web Access:

• When you right-click the link:
  When you right-click a link to an attachment, and then click Save As, you can save the file to the location that you specify. The Exchange 2000 server cannot prevent this file from remaining on the computer.
• When you click the link:
  • If you click the link to an attachment, and then click Save when you are prompted to open or save the file, you can save the file to the location that you specify. The Exchange 2000 server cannot prevent this file from remaining on the computer.
  • If you click the link to an attachment, and then click Open when you are prompted to open or save the file, the file is sent to the client with a directive that notifies the browser that the file expires "yesterday."
    
    NOTE: If Outlook Web Access directs the browser to refrain from caching the file attachment instead of assigning an expiration date, and if the client browser needs a helper program to open the file, the client browser may delete the file, and then call the helper program to open the now-deleted file.

Exchange 2000 notifies the browser not to cache e-mail messages at all. With attachments, Exchange 2000 notifies the browser that the file expires "yesterday." The file expiration tells the browser not to keep that attachment because it is outdated. However, this process does not guarantee that the browser deletes the file. Therefore, you must either make sure that users do not download attachments to publicly available computers or instruct the users to manually delete all attachments that they have downloaded. Temporary files that are created when attachments are opened from an e-mail message can remain in the browser cache until they are manually cleared by the user or by an administrative process, or until the browser replaces the older items in the cache with newer items.

Blocking file attachments

Exchange Server 2003 Outlook Web Access

In Exchange Server 2003 Outlook Web Access, you can block users from opening, sending, or receiving specified attachment types. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Exchange 2000 Server Outlook Web Access

Although you cannot block the cache process for file attachments in Exchange 2000 Server Outlook Web Access, you can block whether file attachments can be opened.

How to use URLSCAN to block attachments

When attachments are opened by using Outlook Web Access, the name of the file is part of the Uniform Resource Locator (URL), for example: Because of this, you can use a URL-blocking tool such as URLSCAN (part of the Microsoft Internet Information Services [IIS] Lockdown Wizard) to block users from downloading attachments. To do so, configure URLSCAN to block files with particular file name extensions that you do not want users to download, for example, .exe, .bat, and other file name extensions. If you configure URLSCAN in this way, users receive an HTTP 404 error message when they try to open the attachment. You can customize the 404.htm error file that is returned by IIS so that it informs the user that the error may be caused by the URLSCAN program configuration to block particular file attachments.

To obtain the latest version of the IIS Lockdown Wizard, visit the following Microsoft Web site: NOTE: If you do not configure URLSCAN specifically on an Exchange 2000 server, Outlook Web Access may stop working. For more information about how to configure URLSCAN on an Exchange 2000 server, click the following article number to view the article in the Microsoft Knowledge Base:

How to block an attachment with HTTP caching headers

If you want Exchange 2000 to send a "do not cache" directive in response to all Outlook Web Access client requests, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. Locate the Exchange 2000 virtual directory that you want to configure.
3. Right-click the Exchange 2000 virtual directory, click Properties, and then click the HTTP Headers tab.
4. Under Custom HTTP Headers, click Add.
5. In the Custom Header Name box, type cache-control.
6. In the Custom Header Value box, type no-cache.
7. Click Apply, and then click OK.
8. Repeats steps 2 to 7 for each virtual directory for which you want to block the cache process.
   
   NOTE: You do not have to block the cache process for the Exchweb virtual directory because no user-sensitive content is stored in this directory.

When you use this procedure to configure the private and public virtual directories, Exchange 2000 performance may be reduced and you may experience the following behavior:

• Forms such as the Contact form or the New Mail form are downloaded by the client every time.
• Attachments may not open, and users may receive error messages when they try to open attachments.