WebDAV Evaluation Criteria
Topic Last Modified: 2008-04-14
Items in the Exchange store can be accessed remotely by using the WebDAV protocol, defined in RFC 2518. This protocol extends the HTTP 1.1 protocol, defined by RFC 2616, to provide additional methods and capabilities. It provides a means to access both the contents of an item and an extensible set of associated properties.
Caveats
When creating applications that use WebDAV to transmit sensitive information, or that communicate over the Internet, it is strongly recommended that the IIS virtual server use SSL/TLS encryption for better security. Within an intranet, NTLM or Kerberos authentication of WebDAV requests can also be used for authentication, but that does not provide data encryption.
Functional Criteria
| Criteria | HTTP/Web Distributed Authoring and Versioning (WebDAV) |
|---|---|
Application Domain |
Applications can use WebDAV to access folders, items, and item properties in the Exchange store. WebDAV is an extension to HTTP/1.1, and so can more easily be used across firewalls. Because WebDAV is a standard protocol, more choices are available for the client platform and client programming language. |
Major Objects |
WebDAV is a protocol, not an object model. Applications that use WebDAV can use the .NET Framework System.Net.HttpWebRequest object, Microsoft.HTTPRequest, or other HTTP request objects. |
Data access model |
WebDAV returns information in text and XML streams that contain the item data, properties, and error information. Additional information is available in the method response headers. |
Threading Models |
Application threading depends entirely on the client, and does not affect WebDAV. WebDAV is an extension of HTTP, so no connection state information is retained between transactions. However, items status is retained in the Exchange server, for example in response to a WebDAV resource lock command. |
Application Architectures |
Applications that use WebDAV are typically Web-based, thin-client applications. However, traditional Windows GUI applications can be developed that use WebDAV to communicate with the Exchange server. In addition, WebDAV is frequently used as the communication mechanism between an application middle tier and the Exchange server. |
Remote Usage |
WebDAV is often ideal for remotely accessing Exchange. Because it communicates by using the same ports that HTTP and HTTPS use, corporate firewalls and routers often do not require special configuration. |
Transactions |
WebDAV supports transactions. |
Management Capabilities |
WebDAV virtual servers can be managed manually and programmatically by using the Exchange administration console, CDOEXM, and WMI. |
Availability |
Currently shipping with Exchange 2000 Server and Exchange Server 2003. Future versions of Exchange might not include, or provide access to, this technology. |
Development Criteria
| Criteria | HTTP/Web Distributed Authoring and Versioning (WebDAV) |
|---|---|
Languages and Tools |
Because WebDAV is a protocol, any programming tool and language that correctly sends and receives HTTP requests and responses, for example, the MSXML HTTPRequest object, can be used to create applications that access Exchange by using WebDAV. |
Managed Implementation |
WebDAV is not a managed IIS extension. However, client applications that use WebDAV can use managed code as appropriate. Managed applications typically use the System.Net.HttpWebRequest object from the .NET Framework. |
Scriptable |
WebDAV can be used in scripts, by using the MSXML HTTPRequest object. |
Test/Debug Tools |
No special debugging tools are required to debug applications that use WebDAV. For particularly difficult protocol-interaction issues, a network monitoring tool may prove helpful. The NETMON.EXE tool can be very useful in debugging WebDAV protocol interactions. Because WebDAV queries are sometimes sensitive to minor syntactical differences, a WebDAV query tool can also be helpful. |
Expert Availability |
Finding developers who have created networked applications, or who have experience using networking protocols, should not be very difficult. For developers who have that type of experience, using WebDAV to access Exchange data should not pose significant problems. |
Available Information |
Because HTTP and WebDAV programming can be done within so many programming environments, there is a great deal of information about it. Microsoft and third-party books are available for information about using WebDAV to access Exchange information. In addition, provide information about using WebDAV to access Exchange information. Use the documentation appropriate to the version of Exchange you are developing for. To access the Exchange 2000 Server SDK and the Exchange Server 2003 SDK, see the Exchange Server Developer Center. |
Developer / Deployment Licensing |
Refer to your Exchange and MSDN subscription licensing agreements to determine whether additional licenses are required for the Exchange servers that store the data accessed by your WebDAV applications. |
Security Criteria
| Criteria | HTTP/Web Distributed Authoring and Versioning (WebDAV) |
|---|---|
Design-Time Permissions |
No special developer permissions are required for using WebDAV with an Exchange server. The Exchange server must be configured to allow WebDAV access, and the developer must have permissions to access the data the application will use. |
Setup Permissions |
Because applications that use WebDAV run on either the client or middle tier, typically no special Exchange server permissions are needed for setup. If the Setup program makes changes in the Exchange store, the user running Setup must have the necessary permissions to make those changes. |
Run-Time Permissions |
The run-time permissions needed by applications that use WebDAV depend entirely upon the authentication/authorization methods used between the client and the WebDAV virtual server. When the application tier that uses WebDAV to access the Exchange server is a small number of computers, often the virtual server is configured to allow connections from only those middle-tier computers. |
Built-in Security Features |
WebDAV virtual servers by default use Basic or NTLM authentication, and anonymous access is disabled. Because WebDAV transmits data in plaintext across the network, it is also recommended that Exchange WebDAV virtual servers that transmit sensitive data use SSL/TLS. |
Security Monitoring Features |
WebDAV virtual servers use the IIS security monitoring features. |
Deployment Criteria
| Criteria | HTTP/Web Distributed Authoring and Versioning (WebDAV) |
|---|---|
Server Platform Requirements |
The Exchange server that manages the store where your application data resides must have a WebDAV virtual server if the client application accesses it directly. Alternatively, WebDAV configured on Exchange front-end servers can be use to access all the stores in the domain on which the user has permissions. |
Client Platform Requirements |
WebDAV is not a client technology. The design and implementation of the application client determines the client requirements. |
Deployment Methods |
WebDAV client applications are deployed based on their client architecture and technology. The client or middle tier communicates via WebDAV with an Exchange server. |
Deployment Notes |
When using WebDAV with NTLM or Kerberos authentication to access Exchange data through a front-end server, the Keep-alive protocol header must be set to True. If it is not, the request might not be passed to the Exchange server. |