Exchange 2010 – Part 20 – A look at the Hub and Edge Transport Server Roles

The Hub and Edge Transport Server Roles

The purpose of this post is to explain the differences between the two transport role servers, the Hub Transport and the Edge Transport.

We will look at some of the key aspects of transport servers including:

  • Send/Receive Connectors
  • Anti-spam and Anti-virus protection
  • Transport Rules
  • Hub/Edge Synchronization

Take for example a scenario where your company has configured enough of it’s organization that they want to be able to send and receive email in full production. Because of this, we should discuss the configuration elements involved in our transport role servers. In our example, we have more than just a Hub Transport server, we also have an Edge Transport server that we installed but never configured to work with our Hub.

You’re never really completely done with Exchange, there’s always something left to do, to monitor etc.

So to start, in the Hub Transport server in the EMC, and click on Organization Configuration -> Hub Transport, we have several tabs:

Click Image to Enlarge

Send Connectors – Here you might not see any send connectors if none have been setup. Receive connectors are located under the Server Configuration-> Hub Transport. We don’t have any Anti-spam settings here yet in our Hub Transport role.

Edge Subscriptions – Here we will create a connection to our Edge Transport Server

Global Settings – we will go over this later

Email Address Policies – we will go over this later

Transport Rules – Here we can create transport rules, with conditions, actions, and exceptions – by default none.

Journal Rules – by default are blank

Remote Domains – we will go over this later

Accepted Domains – we will go over this later

 

If we remote into our “Edge” transport server, our EMC will be pretty much empty except for our Edge Transport settings. It’s one of the easiest server roles to work with because there is not much here to configure:

Click Image to Enlarge

The five tabs we have to work with are:

Anti-Spam

Send Connectors

Receive Connectors

Transport Rules

Accepted Domains

Hub vs. Edge: – Hub is on the inside of the firewall

Edge Transport sits on the edge of the network, in the DMZ. It it isolated, but is there to defend the network. Edgesynch synchrononization is the connection between the hub and edge transport servers.

Hub handles all of the mail flow within the company: Applies Transport Rules, Journaling policies, delivers messages to mailboxes and more.

 

If there is no Edge transport role, the Hub will relay messages to the internet. The Edge Transport server minimizes attacks from the internet – virus, spam, etc. . You can have more than one Hub or Edge Transport servers for failover capabilities.

You can export settings from one Edge Transport server to a 2nd Edge.

Do you need to have an Edge Transport Server? No. However, it is recommended that you have some kind of protector in se.

Without an Edge Transport Server, by default you will be missing Anti-Spam solution, and certain Transport Rules.

You can enable Anti-Spam on the Hub transport server, or a 3rd party solution.

Mail will go through Hub and Edge transport servers. All mail will flow between them.

  • If you have one HT and one ET, all mail will flow between them, both incoming and outgoing
  • To make the connection between the HT and ET you need to make a manually configured synchronization. It is also called a subscription or an “edge synch process”
The Edge Transport Role is engineered to protect on the front lines of your network
  • It isn’t part of the domain
  • It can cut down the spam at the front door
The Hub Transport role, although it can protect the front lines to a degree, is designed to be a second layer of defense and has a greater role in message compliance, internal mail flow and policy enforcement.

 

 

 

A large majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 19 – Client Access Server Security and Secure Socket Layer Certificates

Client Access Server Security and Secure Socket Layer Certificates

In this post we will review:

– CAS security through digital certificates and how these vary.

– We’ll also review the different SSL certificate types.

– Lastly, we’ll work through the following:

  1. Create a Certificate Signing Request (CSR)
  2. Obtain a certificate from a Certification Authority (CA)
  3. Install the SSL Certificate on the Client Access Server

Up until this point in your Exchange deployment, you may have configured access with the default self-signed certificate. This may be problematic because it doesn’t support all of the access methods (Outlook Anywhere) and isn’t the most secure method of authentication. You may decide to obtain a trusted certificate from a third-party commercial Certification Authority (CA) and install that certificate on the Client Access Server. You do also have the ability to use a PKI certificate through Microsoft Certificate Services which you can setup internally, however, the infrastructure costs and labor may not be worth the trouble.

Managing Authentication

  • A digital certificate will authenticate to the client that the server with the certificate is trust-worthy. The server can prove, they are who they say they are.
  • In addition, a digital certificate will ensure the data that is exchanged is protected.
  • By default, with Exchange 2010, client communications are encrypted using SSL with Outlook Web App, Exchange ActiveSync, and Outlook Anywhere (SSL will not use the Self-Signed Certificates). By default, POP and IMAP aren’t configured to communicate over SSL. You will use the IIS Manager to ensure SSL is enabled on the virtual directory.

Go to the IIS Manager on your mailbox server. Select the server itself, scroll down to Server Certificates. Here you’ll find the Microsoft Exchange Certificate (Issued to itself by itself).

Click Image to Enlarge

You can double-click on the certificate and check out the properties and see that it’s not trusted.

In IIS, expand Sites and then Default Web Site.  If we look at the different sites in IIS, as far as SSL turned on, click on OWA, and then Secure Socket Layer settings, and see if it says “Require SSL”. We can test to see if that works by browsing to localhost in the web browser. An easy way to do this is to click on the “Browse: 443 (https)” link in the Actions pane:

iissslbrowse443
Click Image to Enlarge

This will open the browser and we’ll be brought to our Outlook Web App. We will have a certificate error. Users will have to install the certificate if they want to get rid of the Red Security Trust Bar in their browser. In this case we will want to install the certificate into the Trusted Certificate Store. Windows cannot validate the certificate, but since we know where the certificate is from we can install it and accept the warning.

Three types of Certificates:

  1. Self-signed: Signed by the application itself (in our case Exchange 2010) and will allow for OWA and/or ActiveSync functionality but not Outlook Anywhere. *For these to work you have to manually copy them over to the trusted root certificate store of the client computer or mobile device.
  2. Public Key Infrastructure (PKI): Requires setting up certificate servers and establishing the certificates for communication.
  3. Trusted Third-Party Certificates: Provided by a CA, these are automatically trusted by clients (unlike the two options above), so the deployment is simplified.

Certificate Types

When you go to purchase a certificate from a CA you’re going to find that different types to purchase.

  • Wildcard Certificates: Can represent multiple domain names (for example *.jasoncoltrin.com), however these types of certs provide a less secure method because the wildcard can be used for any sub-domain. Microsoft does not recommend wildcard certs, but to use SAN’s.
  • Subject Alternative Name (SAN) or Unified Communications Certificates (UCC) certificates are considered better in this regard because you specifically list out each of the trusted domain names. *It is considered best practice to use as few host names as possible (perhaps as few as three).

The CA Process for Obtaining and Installing Certs

  • Take a look at the GoDaddy website for SSL Certificates
  • Begin the process of managing a purchased certificate
  • We will return to our Exchange Server and use the Exchange Certificate Wizard to obtain a Certificate Signing Request (CSR)
  • Use the CSR to complete the GoDaddy certificate process
  • Once that certificate is provided (up to 72 hours), we will install it on our Client Access Server
On our Mailbox Server, open the EMC, browse to Server Configuration.
Under the Server Config Node, beneath the servers, we will have our Exchange Certificates.
What we really want is an SSL certificate from a CA.
In the GoDaddy website, we’ll purchase our cert, manage our Products -> manage my certificates, and then in the SSL management, we will click “Request Certificate”. It will ask where the cert will be hosted. We will want to choose Third Party or dedicated server. Now we will need to Enter your Certificate Signing Request (CSR). Use at least a 2048 bit key.

 

Go back to the EMC, under server configuration, in the Actions Pane, click on New Exchange Certificate. For Starters, enter a friendly name for the certificate.
If we want to Enable Wildcard Certificate we can do that here. But we don’t want that at this time, we want a literal domain name so leave unchecked and click next.
Now depending on the cert purchased, our options here will be different. For example we have 5 certs purchased and can only use 5 names.
For Federated Sharing, we will place a checkmark in the Public Certificate because in the future we may want to Federate with a different site.
For Client Access Server (Outlook Web App), for the Intranet – you may want to use a local name like mail.jasoncoltrin.local and for the Internet – use mail.jasoncoltrin.com
New Exchange Certificate
Click Image to Enlarge
We want Exchange ActiveSync, so perhaps sync.jasoncoltrin.com is the name we’ll want to use. Most use mail.domainname.com.
Go down the list and have Exchange Web services enabled; Outlook Anywhere enabled.
Autodiscover used on the internet: Autodiscover URL to use: autodiscover.jasoncoltrin.com.
The use of sync.jasoncoltrin.com differentiates and relates to mobile devices. When you set up the cert, that’s when it (the name) counts. For the dropping of POP and IMAP support, in all honesty is probably a good thing, and we prefer a more secure protocol and have everyone come in through ActiveSync. With ActiveSync we have the ability to wipe devices.
At this time we don’t need a cert that supports POP or IMAP.
For Unified Messaging, you can go with a self-signed cert.
At this time we are going to skip Hub Transport server mutual TLS and Hub Transport server for POP/IMAP.
At this time we are not going to use Legacy Exchange Server.
Clicking next will give us a review of our cert (request). In our case we have 6 names. To bring this down to 5, we can change intranet/internet mail.jasoncoltrin.local to mail.jasoncoltrin.com and save a name.
Click next, and the wizard will ask for some information. The full legal organization name, Org unit (none), Country, City, State, Certificate Request File Path – name the file something like “SSLRequest”, then New and Finish. Make sure the CSR generated is 2048 bit. Once finished, browse to where the file was placed, open the Certificate request with notepad, and copy and paste the entire string including –Begin new cert —  to   —End New Cert..— into the GoDaddy.com CSR text box.
SSLCertcopytoCSR
Click Image to Enlarge

After submitting the encrypted data to GoDaddy, you will see the Subject Alt Names and Primary Domain Name. Your cert will be issued shortly (72hrs), and at that time we will be able to import it. Once the cert is issued, you can download it from GoDaddy. The cert will come down zipped, so unzip it.

Go back to the EMC, You will still see your requests and your self signed cert. Right-click on the SSL Cert and choose Complete Pending Request.

CompleteCertRequest
Click Image to Enlarge

Browse to the downloaded cert (domain.com – not the intermediate cert), click complete, and that’s all there is to it. So we’ve installed it but don’t have any services using it. Right-click on the cert and choose Assign Services to Certificate.

AssignCertServices
Click Image to Enlarge

Use SMTP, IIS, click Next, and then Assign.

AssignServices
Click Image to Enlarge

Do we want to override? Yes.

When we downloaded and unzipped the SSL Certificate, we also received an Intermediate Certificate. The intermediate certificate is used to enhance the security of the root certificate. These are also called a Chained Root Certificates. There are instructions on the GoDaddy site for installing the Intermediate Certificate. It is optional, but you should install the Intermediate certificate if the CA provides you with one, but we will forego that for now. Your CA may or may not issue Intermediate certificates.

In conclusion, in this lesson we discussed the benefits of SSL digital certificates, encouraged SAN certificates, worked through the process of requesting a certificate from the GoDaddy Certificate Authority, and installed and enabled services using that cert on our Exchange Client Access Server.

 

 

 

 

A large majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Sharing a Windows 7 Notebook/Laptop Wireless Connection with a Desktop PC Using A Bridge

I have a notebook that is connected to a wireless network and also has a Cat5 network port. I also have a desktop PC with no wireless card, but is too difficult to run a cable to the wireless router. How do you easily share your notebook laptop wireless connection in Windows 7 via a notebook’s Ethernet NIC port, so that the PC will pick up a DHCP address from the router, and not have to use Windows 7 ICS (Internet Connection Sharing) service?

It’s actually pretty easy to share your laptop’s wireless connection through the notebook’s NIC, to a Desktop PC’s network card. You can do this without an additional (second) router, or a crossover cable, or setting static IP addresses, etc.

1. Go into your laptop’s Network Sharing Center and then click on the “Change Adapter Settings” link.

2. Next, you’ll see your Local Area Connection is in Network Cable Unplugged status (hold off on plugging in the network cable). You should also see your Wireless Network Connection is connected to the network/internet. I like change the view settings on the screen to View Details, and sort the adapters so that the two you’re trying to share are right next to each other.

Click Image to Enlarge

3. Next, hold down the Ctrl button and click on both adapters so that they are both highlighted. You can also click-drag your mouse highlight/select both adapters. After they are both selected, right-click on the two and choose “Bridge Connections.”

Click image to enlarge

4. After a few moments you should see a Network Bridge adapter created and then connected to the internet.

click image to enlarge

5. Now take a simple Cat5e/ethernet cable (not cross-over) and plug it into your PC’s NIC, and the other end into the laptop’s NIC port. The Local Area Connection adapter should change to “Enabled, Bridged”.

click image to enlarge

6. Your Desktop PC should pick up a new IP address from the same router as your laptop, and go online. If not, make sure the Local Area Connection adapter on the Desktop PC is set to DHCP, and then then hit “Troubleshoot Problems” on the network connection, or do a DHCP address release/renew. During testing, my PC warned me that there was an IP address conflict when first plugging in the cable from the laptop to the PC. I did a release/renew on the adapter and received a new IP address from the router, and all is well.

Hopefully this post will save you a little time when trying share your wireless internet connection on your laptop out to your PC.

 

 

Exchange 2010 – Part 18 – Understanding and Managing Outlook Anywhere and POP/IMAP

Exchange 2010 – Part 18 – Understanding and Managing Outlook Anywhere and POP/IMAP

In this post, we’ll look at two main parts to Outlook Anywhere and the POP/IMAP protocols:

  1. We will explain the concepts of Outlook Anywhere, POP, and IMAP.
  2. We will look at the implementation of Outlook Anywhere, POP and IMAP.

Outlook Anywhere, POP and IMAP are different from Outlook Web App and ActiveSync. You can get OWA and ActiveSync to work with an Exchange self-signed certificate. Although for a production environment, it’s best to setup your own cert server or purchase a certificate from a Third-Party Certificate Authority. But with Outlook Anywhere, POP/IMAP, to go live, you need valid certificates. If you’re tempted to setup a PKI infrastructure, it’s not as easy as you might think. It usually isn’t worth the headache when you can purchase certs from CA’s for a very low cost.

Outlook Anywhere Overview

  • Outlook Anywhere allows external clients to use Outlook 2003/2007/2010 to connect directly to their corporate network email, without using a VPN connection.
  • Outlook Anywhere uses a networking feature called RPC over HTTP (in fact, in legacy Exchange versions that was the name of Outlook Anywhere). RPC over HTTP is a component in Windows – where Outlook Anywhere takes client connections using Remote Procedure Calls, boxes it up in HTTP and passes it through the firewall.
  • All you have to do is enable Outlook Anywhere on a CAS server
  •      *Install a valid SSL certificate – because certs touches on many areas which we will cover in a later post.
  •      *Install the RPC over HTTP component – this component is probably installed already during an initial installation. If we still need to install, you go to Server Manager -> Features -> Add Feature
  •      *Enable Outlook Anywhere.
  • You can enable Outlook Anywhere from EMC or EMS
  •      *”Enable-OutlookAnywhere” cmdlet.
  • To test Outlook Anywhere you can use the following tools:
  •      *Run the Test-OutlookConnectivity cmdlet to ensure your RPC over HTTP connections and TCP/IP settings are right.
  •      *Run the Exchange Remote Connectivity Analyzer (ExRCA) tool.
  • Testing looks for the following:
  1. Autodiscover connectivity
  2. DNS validation
  3. Certificate Validation
  4. Firewall configuration
  5. Client connectivity

POP and IMAP Overview

  • Protocols for connecting to Exchange (disabled by default) most organizations would prefer you do not use POP as a security liability.
  • The old standard: POP was designed for ‘offline mail processing’
  •       * POP removes emails from the server and brings them down to a local client (unless configured otherwise)
  •       * POP doesn’t provide calendaring, contacts, or tasks
  • The new standard: IMAP
  •      * Provides both online and offline access but still no extra features like calendaring, contacts, or tasks
  • Note: These are ‘receive protocols’ not ‘send protocols’ so they still rely on SMTP to send email
  • With both POP and IMAP, the client is responsible for checking in for mail, it isn’t pushed down to the client.
  • Enabling POP and IMAP is as easy as enabling the services on the system
  • After the services are running you can enable your users to use POP or IMAP
  • You can configure various properties for each protocol including:
  •      * Connection Limits
  •      * Security
  •      * Message Retrieval format options

To enable Outlook Anywhere, open the EMC and browse to Server Configuration and then the Client Access Role:

OutlookAnywhereCA1

Click Image to Enlarge
In the screenshot above, you can see that Outlook Anywhere is already enabled. However if it was not, and you wanted to enable it, you’d highlight the Client Access server, and then in the Action Pane, click on Enable Outlook Anywhere.
ScreenShot004
Click Image to Enlarge

From here you will be directed to a simple Wizard. Here you will enter the External Host Name:

ScreenShot005

Click Image to Enlarge

Here we will want to provide an External Host Name that an external client will use to connect to the server, something like site.jasoncoltrin.com or mail.jasoncoltrin.com.

Client Authentication method:

Basic Authentication – A client will need to provide a domain/username/password and will need to be entered every time when connecting to the server. When Basic Authentication is used, the information will be sent in clear-text over the wire.

NTLM Authentication – The user doesn’t have to enter a Username/Password, the windows network authentication is used and is encrypted and a hash is passed through the networks. NTLM Authentication can cause problems when trying to pass the encrypted traffic through firewalls, and some Exchange Admins will want to use Basic authentication if users are not members of the Exchange Server’s domain. Clients that have already logged into a domain, are simply passing cached credentials to Exchange.

Allow Secure Channel (SSL) offloading – This is all about if you have a separate server for SSL encryption/decryption. Some choose to use a SSL accelerator to offload the CPU processing power used for SLL.

First, make sure that under the Server Manager -> Features -> make sure the RPC over HTTP Proxy feature is Installed/Added.

The command for enabling Outlook Anywhere with the Exchange Management Shell will something like the following:

enable-OutlookAnywhere -Server ‘EXCH1’ -ExternalHostname ‘mail.jasoncoltrin.com’ -DefaultAuthenticationMethod ‘Basic’ -SSLOffloading $false

 To configure POP3 and IMAP4, we do not enable/configure it through the Exchange Console, we will actually go into the server’s services:

Start -> Administrative Tools -> Services (control panel)

Find the service named Microsoft Exchange POP3 ->Startup = Automatic -> Startuptype: Automatic (then start the service)

Find the service named Microsoft Exchange IMAP4 ->Startup = Automatic -> Startuptype: Automatic (then start the service)

To make changes to the protocols, you can change them in the EMC -> Client Access -> POP3 and IMAP4 tab.

To Configure the Clients i.e., to decide which recipients are allowed access to Outlook Anywhere/POP3/IMAP4, go into EMC ->Recipients ->Right-click on users -Properties ->Mailbox Features Tab -> Enable/disable POP3/IMAP4

Using the Set-CASMailbox cmdlet

In order to control the access to some of our client access server settings, we want to use the Set-CASMailbox cmdlet.

  •  The Set-CASMailbox cmdlet is used to set attributes related to client access for ActiveSync, OWA, Outlook Anywhere, POP and IMAP for specified users.
  • You can use the command with the -MAPIBlockOutlookRpcHttp parameter to determine if clients can connect to Outlook using Outlook Anywhere. For example, if you want make sure users in a certain location deny them the ability to use Outlook Anywhere.
  •      * Get-Mailbox “UserHere” | Set-Casmailbox -mapiblockoutlookrpchttp:$true
  •      * Get-Mailbox -OrganizationalUnit “OU here” | Set-Casmailbox -mapiblockoutlookrpchttp:$true (anyone who has this applied will not be allowed to use Outlook Anywhere).
  • Or you can use ISA or some other solution to block entry (or other proxy filtering software)
To verify Outlook Anywhere has been enabled, you can see an event in the Application Log event 3006, “The Outlook Anywhere feature has been enabled.”

In review, we learned the purpose of Outlook Anywhere, POP and IMAP. We reviewed the initial configuration of these different access methods. It’s not all that complicated to setup.

A couple of EMS points to remember:

*Enable-OutlookAnywhere (can enable through shell)

*Test-OutlookConnectivity (ensures connectivity is solid) – an excellent tutorial for using the Test-OutlookConnectivity cmdlet is located here: http://blogs.catapultsystems.com/tharrington/archive/2010/09/17/troubleshooting-the-client-access-server.aspx

*Set-CASMailbox (cmdlet configures users for access to the Client Access Server)

 

 

 

A large majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 17 – Using the ECP to manage ActiveSync

Using the ECP to Manage ActiveSync

In this post, we will be visiting the Exchange Control Panel (ECP) to see all the new administrative control we have been given with SP1, without having to work on a system with the EMC Management Tools installed. You may recall our first visit to the Exchange Mangement Console in Part 8 of this series.

To get to the Exchange Control Panel, log into your OWA site as an administrator. From here, you will see the options button in the upper right-hand corner of OWA, this contains the link to the ECP.

From within the Administrative Control Panel we can perform the following (new w/SP1) administrative tasks:

  • Manage default access for mobile devices
  • Configure email alerts when a mobile device is quarantined
  • Create personalized recognition or quarantined messages
  • List quarantined mobile devices
  • Create and manage device access rules
  • Allow/Block specific devices
  • Initiate password recovery or remote wipe of a user’s mobile device

To manage the default access for mobiles, go OWA as administrator, then go to options -> View all options -> Manage My Organization -> Phone and Voice:

ECP Mobile
Click Image to Enlarge

Here, when a device that isn’t managed by a rule or personal exemption connects to Exchange we can allow access, block, or quarantine (on a case by case basis) mobile devices. If we choose, we can send out notification warnings that will go out to administrators.

Under ActiveSync Device Policies, we have a duplicate of what is in the EMC, in that we have a default policy, and the ability to look at, and change, policy settings (Device Security, Sync Settings, Device Settings).

We can create additional activesync policies here as well. Polices created here will be replicated in the EMC. There are some options/tabs that exist only in the EMC however; Device Applications Tab and the “Other” tab: discrete management of Applications on Mobile Devices.

So this is a short post but I think is worthwhile looking at the new enhancements for the Exchange Control Panel in SP1.

 

 

 

 

A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 16 – Concepts and Management of Outlook Web App and ActiveSync

Concepts and Management of Outlook Web App and ActiveSync

In this post, first, we will explain virtual directories and how they are related to the CAS services.

Next we will help you understand Outlook Web App (OWA) and ActiveSync features.

Last, we will use a Scenario to help guide us in the creation and application of OWA and ActiveSync policies.

Scenario: OWA and ActiveSync Management

First, we will help our IT team gain a greater understanding of OWA and ActiveSync.

Next, we will perform the following OWA management tasks:

  • Adjust the authentication for the virtual directory to allow for Integrated Windows authentication. This allows for single sign-on for internal clients.
  • Disable WebReady Document Viewing for the virtual directory.
  • Create an OWA policy and apply it to a researcher user “Alex Heyne” that will ensure he only uses OWA Lite.

Finally, we will do the following ActiveSync management tasks:

  • Block “Unknown Servers” from the virtual directory.
  • Create an ActiveSync policy and apply to all users in the Chicago OU.

Virtual Directories

Web applications are represented by virtual directories that point off toward physical folders.

  • For example, Exchange Outlook Web App has an OWA virtual directory that points off to a literal folder on your system.

You access the virtual directory through its virtual directory name, not its physical folder name (although the two may be the same.)

You can see virtual directories in IIS and also quickly find the physical location on your system through the Properties of the virtual directory.

Although you have default virtual directories created for you when you install the CAS role, you can create additional virtual directories if you like.

In the EMC, go to Server Configuration -> Client Access. Here you will find owa (Default Web Site). Looking at the properties of OWA, we can see both the internal and external URL’s, as well as a number of tabs used to configure OWA.

Exchange Management Console OWA properties
Click Image to Enlarge

Each of the options in the tabs is part of IIS on the client access role. For the most part, if you want to see the location of the virtual directories and their physical location on the server, we would need to open ISS:

IIS Virtual and Application directories
Click Image to Enlarge

Here, take note that some of the sites are considered Virtual Applications (highlighted in red), as opposed to Virtual Directories (highlighted in green). Sometimes you’ll need to use IIS to configure things like SSL.

But for now, lets look more into OWA in the EMC.

Virtual Directory Settings vs. Policy Settings

Virtual directory settings are made through the Server Configuration node

  • Some virtual directory settings are only found under the Server node, whereas others may be configured in a policy as well.
Policies are created under the Organization Configuration node
  • Policies override virtual directory settings
  • There are default OWA and ActiveSync policies create
  • Only one policy (one for OWA and one for ActiveSync) can be applied to a mailbox at a time and if no policy is applied, the virtual directory settings apply.
Understanding OWA Features:
Virtual Directory Property Tabs:
  • General
  • Authentication
  • Segmentation
  • Public and Private Computer File Access – WebReady Document Viewing
  • Remote File Servers
Policy Setting Tabs:
  • General
  • Segmentation
  • Public and Private Computer File Access – WebReady Document Viewing
Note: Public and Private Computer File Access provides two tabs but you cannot have different settings on each one.
In the EMC -> Server Configuration -> Client Access -> OWA Settings for this virtual directory.
General Tab: shows internal url and external url (informational) -config is actually in DNS
Authentication Tab: Use forms-based authentication. Logon format – Domainusername is secure but not completely secure without SSL.
Use one or more standard authentication methods:
-Integrated Windows Authentication. The client computer has to be a member of the same domain or in a trusted domain.
-Digest authentication for windows domain servers (users have an account in AD)
-Basic authentication (password is sent in clear text). Can be used in a secure way if you use SSL.
Segmentation Tab: you can determine if you wan to enable or disable certain features.
For example “Premium Client” is the full version of Outlook Web App. You can choose to use a “Lite version” of OWA. You can force the lite version of OWA for users of Firefox or Safari. You can disable things like Instant Messaging and Text Messaging.
Public Computer File Access tab:
-Direct File Access – determines how files will be allowed or denied access. If you connect on a “Public” computer, you can enable or disable the ability for users to open file attachments. Direct File Access allows you to allow or block or Force Save of even unknown files.
-In the Private File Access tab: same exact settings as above.
WebReady Document Viewing: allows OWA documents to be converted to HTML and shown in the browsers. You can force docs to be changed to HTML before being opened in a supported application.
You may not want a certain document to be shown in the browser. This provides an opportunity for users to view the document at least even if they don’t have a supporting application.
Remote File Servers Tab: you might want to allow or block file servers here. You can enter the domain suffixes that should be treated as internal.
You have an opportunity to use Policies to override the settings placed on the virtual directory settings.
Under Organization Configuration -> Client Access role.
Provide a new policy name. Enable/disable features -> New. Now after creating the policy, go back and open up the policy. You will have more features available now that the policy has been created. It’s important to consider these items again. If you do not enable direct file access, users will not be able to download attachment files.
Once the policy has been created, you need to apply the policy. Take for example, you wish to apply a new policy to an individual user. Go into Recipient Configuration, pick the mailbox, go to Mailbox Features tab -> Select OWA ->Properties. Now you can choose an OWA mailbox policy to take precedence over the virtual directory settings.
Outlook ActiveSync Features:
Virtual Directory Property Tabs:
  • General
  • Authentication
  • Remote File Servers
Policy Setting Tabs:
  • General (Allow non-provision-able devices -this allows mobile phones to sync even if they do not support policy settings)
  • Password
  • Sync Settings
  • Device
  • Device Applications
  • Other
Note: Some features require Exchange Enterprise Client Access Licenses for mailboxes that have policy setting restrictions
Go to the EMC ->Server configuration -> Client Access -> Exchange Activesync tab properties.
3 tabs:
General tab – internal and external urls
Authentication tab – Basic authentication/certificates
Remote File Servers – same configuration of virtual directories
EMC -> Organization Configuration -> Client Access -> Exchange ActiveSync Mailbox Policies
-allow non-provision-able devices
Password tab -> many options here for passwords (length, expiration, require encryption, etc.)
Sync Settings -> Include past calendar items, Include past email items, Allow Direct Push when roaming (you can force it so that roaming users will not get Direct Push). Allow attachments.. etc.
Device tab -> Allow removable storage, allow camera, allow wifi, allow infared, allow bluetooth etc.
Device Appliations tab -> Allow browser, allow unsigned applications (Need enterprise CAL)
Other tab -> (Need Enterprise CAL)
To block unknown servers from the virtual directory (by default is allow), go to the EMC -> Server Configuration -> Client Access -> Exchange ActiveSync Tab -> Virtual Directory Properties. Go to the Remote file servers tab -> Unknown servers by default is set to allow. OWA has the ability to access file shares and SharePoint libraries. If there are no dots in a URL a user clicks, it is considered internal. If there are one or more dots in the URL, then it will only be considered internal if the domain suffix has been added to the configuration.
The following Exchange Management Console Shell commandlet will apply a custom activesync mailbox policy to the OU Chicago:
Get-Mailbox -OrganizationalUnit Chicago | Set-CASMailbox ActiveSyncMailboxPolicy “ASChicago”
So in this post, we reviewed:
  • The feature settings for Outlook Web App and ActiveSync
  • Both virtual directory settings (found under the Server Configuration node) and policy settings (found under the Organization Configuration note)
  • Made virtual directory adjustments and created policies and then applied those to users within our organization using a powershell commandlet.

 

A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

 

 

 

 

 

Exchange 2010 – Part 15 – Overview of the Exchange CAS Server Role

The Exchange 2010 CAS Server Role

In this post, we will review the purpose of the Client Access Server (CAS) Role in Exchange 2010.

We will discuss the following CAS Role aspects:

  • Outlook Web App
  • Exchange Active Sync
  • Outlook Anywhere
  • POP3 and IMAP
  • The Availability Service
  • The Autodiscover Service

Take for example the scenario: a Team Meeting to Discuss CAS role

  • The more mobile your users wish to be, the more the CAS Role comes into focus
  • You most likely will have mobile users that want to connect to Exchange using their browser, mobile, smart phone or tablet, through Outlook or some POP/IMAP oriented mail application
  • The role of an administrator is to ensure connectivity from any remote location, and that connectivity is provided without compromising security

 

The Evolution of CAS

  • Exchange 2000/2003 didn’t have CAS servers, they had “Front End” servers
  •      – With “Front End” servers, internal clients connected with Outlook using MAPI. MAPI is “Messaging Application Program Interface” – it allows you to send email with Outlook. MAPI is the protocol Outlook uses to connect with Exchange. Internal Outlook clients connected directly to Mailbox servers using MAPI over RPC.
  •      – External clients used the “Front End” as more of a proxy that could handle RPC over HTTP (for Outlook Anywhere), HTTPS (for Outlook Web Access, or OWA), and POP/IMAP. Clients connect in, provide credentials, and the Front End server would decide which mailbox to connect.
  • Exchange 2007 introduces the CAS role which is more than a proxy server but offloads a significant amount of the load that the mailbox servers typically handled
  •      – Internal MAPI clients still connect directly to the MB role. In 2007, The Client Access Role started to handle middle tier of a three tier application (the logic tier).
  • Exchange 2010 introduces a new service (MSExchangeRPC) so that the CAS Role is “true” middle tier. It now takes on the brunt of the work that the MailBox Role had to do in the past.

The Exchange 2010 CAS Role is Middle Tier

  • In Exchange 2010, the CAS Role handles both external and internal connections to the Mailbox role; with the exception of Public Folder connections. So whether they’re coming from OWA or Outlook inside the LAN, they will both go through the CAS Role.
  • MAPI and directory connections are handled by thte CAS server now, relieving a ton of load off the Mailbox server role, and ultimately increasing the number of concurrent connections to a Mailbox server (in Exchange 2007, we had 64K and now we have 250K).
  • By offloading the CAS features, now we have a lot more responsibility with CAS, so we need to ensure load balancing and CAS Array concerns as well as security concerns are met.

CAS Role Aspects

  •  Outlook Web App: Allows you to access email through a web browser (including IE, Firefox, Safari and Chrome). This used to be called “Outlook Web Access”. The biggest change that users appreciate is that it works in different browsers on the same level. It is handled by the CAS Role and IIS
  • Exchange ActiveSync: Allows you to synch your data between your mobile device or smart phone and Exchange – There are varying levels of ActiveSync support in devices and one key security element is remote wipe, which is not available for all devices.
  • Outlook Anywhere: Allows you to connect to your Exchange Mailbox externally using Outlook (RPC over HTTP) without going through a VPN connection. Its great for Outlook at home with the “In-house” experience.
  • POP/IMAP support – Mail clients other than Outlook (e.g. Mozilla Thunderbird/Live Mail) that connect with POP or IMAP are supported through the CAS role.
  • Availability Service: Shows free/busy data to Outlook 2007/2010 users.
  • Autodiscover Service: Helps Outlook clients and some mobile phones to automatically receive profile settings and locate Exchange services.

Looking at the Exchange Management Console:

Under Organization Configuration, you can make changes to the Client Access Role:

ClientAccessRole

At this point you have two options, modify the default policy of Outlook Web App Policies or the Exchange ActiveSync Mailbox Policies.

As an administrator you can control functionality of the user experience and even the devices connecting to the CAS.

Is modifying the following options a good or bad April Fools joke to play on your User’s smart phones?

Click Image to Enlarge

 

ActiveSynchOptions2
Click Image to Enlarge

Maybe not such a good idea to mess with these…

Client Access under the Server Configuration Node in the EMC, provides us with much more configuration options.

ServerConfigCAS

Some of the different tabs located here are:

  • Outlook Web App – Config changes to owa Default Web Site
  • Exchange Control Panel – connected with IIS ecp default web site
  • Exchange ActiveSync – Configure IIS/ActiveSync default website
  • POP3/IMAP4 – configure these mail protocols
  • Offline Address Book Distribution – If you recall we talked about the OAB now being distributed through web services
  • Outlook Anywhere – in a future post we will hit the “Enable Outlook Anywhere…” feature and go through it’s configuration.

So in review we’ve explained the purpose of the Client Access Server roles, discussed the different CAS features, and toured the EMC locations for working with the Client Access Service.

 

 

 

A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 14 – Creating Recipient Types

Exchange 2010 – Part 14 – Creating Recipient Types

In Exchange 2010, you can have a wide variety of recipients. In this post we will discuss and create the various recipient types, including:

  • User Mailboxes
  • Resource Mailboxes (Room and Equipment)
  • Contacts
  • Mail Users
  • Distribution Groups
  • Dynamic Distribution Groups
If you have multiple sites or locations with their own Exchange servers, you may wish to prepare, or create and train, a “Recipient Creation Team” in each location. Often times the creation of recipients is something that can be handled by a junior level admin, and so you could give their user account permissions to do just that, after they have been trained.
A review of Recipient Types that we can create:
The EMC makes it easy for us to create recipient types. On our mailbox server, we can open the Exchange Management Console, and expand Recipient Configuration which is under Microsoft Exchange -> Microsoft Exchange On-Premises->Recipient Configuration
Click Image to Enlarge
– The Mailbox Type:
  • User Mailbox (can use an existing user account or create a user account at the same time if you have permission)
  • Resource Mailboxes: Room Mailbox/Equipment
  • Linked Mailbox
– The Mail Contact
– The Mail User
– The Distribution Group
– The Dynamic Distribution Group
The “Disconnected Mailboxes” feature controls mailboxes that you disconnect from their active directory user (and can be connected to a different user).
The “Move Requests” feature is used if we might need to move users from different versions of Exchange or move them from one MB DB to another, and can view those move requests here.
When we highlight the Recipient Configuration in the EMC, in the Actions pane we have two options:
  1. Modify Recipient Scope… Lets say we only want to see those recipients that are in a specific Organizational Unit (narrow the scope).
  2. Modify the Maximum Number of Recipients to Display… – lets say we have a large organization with over 2000 mailboxes, by default, in the Results Pane, the Maximum recipients to display is set at 1000. We can change this number higher or lower to organize the results to our preference.
We will typically use the Mailbox Type -> User Mailbox. A UM is an AD user account that is connected to a mailbox on the Exchange user.
The Resource Mailbox types:
  • Room mailbox – a mailbox that represents a conference room (we need one of these for the bathroom at home) *Note – when created, these accounts are disabled by default
  • Equipment – projector that has a schedule; is it available or not available

Linked Mailboxes: an individual in one forest may have a mailbox in another forest. Requires a specific scenario; linked mailboxes rarely created.

Mail Contacts: allow you to have an AD contact object that can be searched and located but is external mailbox and cannot be assigned to a user. Someone working with your company but not for your company. This user cannot log into the domain.

Mail User: AD user, someone that can log into the domain. From a recipient perspective, they may have a gmail or hotmail account. Has an AD account but not a mail account.

The Distribution Group: Groups of mail contacts and users

The Dynamic Distribution Group: For example, adding a user to a Dynamic Distribution group named Marketing, a marketing user will become a member of the Marketing Distribution group. If that person moves to sales, that attribute changes that they will automatically become a member of the Sales Distribution Group.

Creating the different recipient types in the EMC is pretty straight-forward with the Wizard. The only sticky part is when it asks for the Mailbox Database to use. You should by now know how to locate your current Mailbox Database, if not, see my earlier post.

Functionality Changes in SP1:

  • Hierarchical Address Books
  • Internet Calendar Publishing
  • The Calendar Repair Assistant enhancements

Hierarchical Address Books

With hierarchical address book support you have the ability to configure address lists and offline address books (OABs) in a hierarchical view for your users

  • Note: this is not new to SP1 but most admins never used this because it involved such convoluted adjustments through ADSI Edit that it was passed over as a feature.
  • Now? You still have to jump through many flaming hoops with doggies following behind  but you can now do it through the Exchange Management Shell and it isn’t as difficult.

For example in Outlook, in the Address Book – All Users – you typically have all the users listed. With SP1, you have a new organization tab. Once you set up a hierarchy, you will see the hierarchy in that tab.

Click Image to Enlarge

Internet Calendar Publishing

Exchange RTM allowed for the sharing of calendar information through a federation trust and an organization relationship or sharing policy. SP1 introduces Internet calendar publishing. Allows users of Exchange the ability to share calendar information to anyone on the internet.

Key points include:

  • Federation is not necessary
  • Internet users are not required to belong to any form of authentication group (like Windows Live) and all they require is a browser to access it.
  • Users can invite friends, family, business persons to view their calendar by providing them a link
  • Exchange admins can control who can publish their calendar and what can be shared

The Calendar Repair Assistant Enhancements

Introduced in the RTM of Exchange 2010, the CRA repairs problems with the calendar assistant

New scenarios that are detected and repaired with the Calendar Repair Assistant in SP1 include:

  • If an attendee’s calendar is missing an occurrence or an exception of a meeting
  • If an attendee’s start/end time doesn’t match the organizer’s star/end time (*includes time zone inconsistencies)
  • The location of the attendee is different from that of the organizer
  • Organizer is missing an item
  • Recurrence patterns of an attendee and an organizer are different

Thanks for reading through this post and I hope you gained some understanding of the different Recipient types in Exchange 2010 as well as learned about new SP1 features.

 

 

 

A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 13 – Address Lists and the Offline Address Book (OAB)

Address Lists and the Offline Address Book in Exchange 2010

In this post, we will review different address list types, including:

  • Global Address List
  • Custom Address Lists
  • Offline Address Lists
– We will try creating new address lists based on Organizational Units
– We will review the Offline Address Book (OAB) settings
– We will create new Offline Address Books and assign them
In review, let’s discuss and describe Address Lists and the OAB:
  • An address list allows persons to browse different recipients in your Exchange organization so that you can contact other persons easily. It’s difficult (for most people, not me) to remember email addresses for 100’s of associates.
  • In Exchange 2010 there are three different types of address lists
  •      – Global Address List (GAL): A collection of all mailbox-enabled users, mail-enabled users, mail-enabled contacts, dynamic distribution groups, mail-enabled groups, mail-enabled public folders, and system mailboxes. By default you have one Global Address List, but Exchange may handle multiple companies or organizations, with different GALs. If you have an organization with the need for multiple GALs, you will need to produce them using the Exchange Management Shell.
  •      – Custom Address Lists: Although typically there are breakdowns of the GAL into lists like All Contacts, All Groups, All Rooms, All Users and Public Folders (if you use these) you can create customized lists. You’re going to find that the custom lists are pretty flexible. Be sure you do not over-do the custom lists, but keep them in logical groups. You want to keep these as simple as possible.
  •      – Offline Address Book: Although a separate aspect of the Organization structure, this is connected with address lists. For users that are on the road a lot and are offline, they will still want to be able to find email addresses.
Now we can jump into a scenario:
– Create 3 new address lists (New York, Chicago, and Dallas). Note: These will be based off of Organizational Units.
– Create and configure a new Offline Address Book and apply it to the mailbox database.
– Create a special “Dallas” OAB and assign it only to those persons in the Dallas OU.
On your mailbox server, open Active Directory Users and Computers and ensure that the corresponding Organizational Units are available and ready.
For example, if a user is logged in, they will see all the users in the Global Address List. If the user goes offline (disable the Network Interface), and goes to the different address lists, they will be able to still view the Global Address List as it is set to be an Offline Address Book by default. However, the other Address Lists will be unavailable.
Go to the Exchange Management Console -> MS Exchange -> MS Exchange on-Premises -> Organization Configuration ->Mailbox ->Address Lists tab. Click on New Address List (wizard).
Place the new list in the top-level container (All Address Lists). Under Filter Settings, you will select the recipient container where you want to apply the filter (Organizational Unit). In our case we can select New York -> OK.
 ScreenShot042
Under Recipient Types, we can narrow down to specific types such as:
– Users with Exchange Mailboxes
– Users with external email addresses
– Resource mailboxes (Room or Equipment mailboxes)
– Contacts with external email addresses
– Mail-enabled groups
In our case we will use All recipient types.
At this point we can choose Conditions:ScreenShot0411
It depends on how involved you want to get in building an Address list and you can even apply Custom Attributes. Once you’ve selected the attributes you desire, go ahead and click the preview button at the bottom of the screen to get an idea of how the Address List will look.
Next you can schedule when the address list should be applied (perhaps in the evening/after hours.)
Now we’ve created our 3 Address Lists.
In the EMC, under Recipient Configuration, select one of your users and under the General Tab, you can see the Custom Attributes… button, where you can setup address lists that relate back to these custom Attributes. Under the General tab you can also hide a user from Exchange Address Lists.
However although we’ve created 3 new Address Lists, when a user is offline, they still will only see the Global Address List. First, lets look at the properties of our Default Offline Address Book.
In the EMC -> Org Config -> Mailbox ->Offline Address Book tab.
The default Generation Server will be a Mailbox Server. The distribution Mechanism is Web-Based. If you look at the properties of the Default Offline Address Book, under the General Tab, you can find Updates are scheduled to run at 5:00am. Under the Address Lists tab, you can add include other lists… Add -> so if you want an individual see lists exactly as they see it at work, but we will create a separate OAB. Now under the Distribution Tab, with modern Outlook clients, Exchange will use Web-based distribution from a virtual directory. The virtual directory may or may not reside on your Mailbox server. The Mailbox server provides the OAB, however, the OAB will be distributed by a Virtual Directory.
ScreenShot0431
Now we want to create a new Offline Address Book and apply it to our Mailbox database where all of our users reside.
Mailbox -> New Offline Address Book.
Name it something like New Default OAB. For the Address book generation server choose your Mailbox server. We will include the default Global Address List, and Include the following address lists:
We will select the three address lists New York, Dallas, and Chicago:ScreenShot044
After hitting Next, we will be prompted for Distribution Points.
We will Enable Web-Based distribution here and choose our default virtual directory (client-access server). If we had older Outlook clients we would Enable public Folder Distribution. We do have the option of choosing both Web-based and public folder distribution, however which is nice.
Now we have a new Offline Address Book. In Database Management, we will see our Mailbox Databases. We can organize our Offline Address Books to different Mailbox Databases. With a particular mailbox selected, in the action pane, you can set the default OAB as well.
If you want to apply an Offline Address book only to a limited amount of special recipients, first create the SpecialOAB, then open up the Exchange Management Shell. First we need to get the users who have the Organizational Unit Dallas, and pipe it out to set the OAB. Your code will look something like the following:
[PS] C:Windowssystem32>Get-User -OrganizationalUnit Dallas | set-Mailbox -OfflineAddressBook “SpecialOAB”
In review:
  • We looked at different address list types
  •      – Global Address List
  •      – Custom Address Lists
  •      – Offline Address Lists
  • We created several new address lists based on Organizational Units but also showed how to determine other conditions to filter which users are in an address list
  • We reviewed the settings for the Offline Address Book (OAB) and especially discussed the generation and distribution methods
  •      – Generation is done on the Mailbox server
  •      – Distribution is done through Public Folders or Web-based
  • We created new Offline Address Books and assigned one to the mailbox database and used the EMS to assign the other to individuals.
Lastly, in one of my previous posts http://www.jasoncoltrin.com/?p=77 , I explained how changes to these Offline Address Books in certain instances can take up to 56 hours to propagate down to the client. If you have changes you want to make available to clients who are going offline, there are some manual steps you need to take to ensure they get the latest Offline Address Book right away.
A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Working with Public Folders – Part 12

In this post, we will look at Public Folders in Exchange 2010. More specifically:

  • We will review the purpose and use of Public Folders within your organization (and discuss the fact that they may no longer be used in some future version of Exchange).
  • We will go through the creation of a Public Folder database in the Exchange Management Console and see the properties that we can configure.
  • We will work with the Public Folder Management Console and the Outlook client to create and manage Public Folders.
  • We will review permission settings and delegating permissions for folders and sub-level folders.
In review, the purpose of Public Folders:
  • Public Folders are Nostalgic (out of date) – Public Folders were introduced with the first version of Exchange and have been used for many years as a means of collaborating with persons in your organization through a shared folder structure.
  • Users will see the Public Folder structure in their Outlook client and can view items that have been either posted or emailed to the folder (if it is mail-enabled) and they may have the ability to add content, create sub-folders and so-forth if they have permissions to do so.
  • Are Public Folders required in Exchange 2010?
  •      If you have Outlook 2007 and/or 2010 clients only, than the answer is no (it is completely optional if you want to).
  •      If you have Outlook 2003 clients, then the answer is yes. They use the Public Folder structure for Offline Address book distribution, free/busy lookups, organization form library, and security settings.
The Offline Address Book distribution in Exchange 2010 is now done with the BITS HTTP connection to the Exchange Client Access server. The Free/Busy look-ups are now done through the Availability Web Service. Security settings are done through Group Policy. Organizational Forms have been pushed aside in favor of InfoPath forms.
Starting with Exchange 2010, Public Folders are De-emphasized
  • Public Folders have become the dumping grounds for anything and everything your people want to share with each other. Public folders tend to sprawl out of control.
  • Public Folders are so late-1990’s. They aren’t designed for two very important 2010+ aspects of corporate life: Archiving data, and Document Sharing and Collaboration (check-in/check-out, versioning). Associates tend to try to hide their personal mail archives in Public Folders so that they are backed up.
  • As a result, the Microsoft Exchange Team has been making threats to pull Public Folder support from a future version of Exchange.
  • The idea is to encourage organizations toward SharePoint (although you are welcome to research and use some other collaboration solution).
  • While SharePoint has great features, any collaboration software has the potential to become the NEW dumping grounds for your organization.
How do I create the Public Folder database in Exchange 2010?
  • During the installation of the first Exchange 2010 Mailbox Server in your organization you see the question: “Do you have any client computers running Outlook 2003 and earlier or Entourage in your Organization?” If you answer “Yes” then the Public Folder database is automatically created.
  • You can also manually create a Public Folder database on any Mailbox Server in your organization and then determine if you want to replicate folders to that server.
How do I establish or create a High Availability structure for my Public Folders?
  • In Exchange 2010 there are no HA solutions you can use by default. The only way to ensure content is available is to create a new database and replicate content to that server.
Options for configuring Public Folder databases:
  • Maintenance Schedule
  • Replication Interval – specific to DB
  • Storage Limits
  • Deletion Settings
  • Age Limits
  • Public Folder Referral
Options for configuring individual Public Folders:
  • Replication (Both server choice and replication schedule)
  • Limits (Storage, Deleted Item, Age)
Path to managing the Public Folder in the Exchange Management Console (EMC):
MS Exchange -> MS Exchange On Premises -> Organization Configuration -> Mailbox -> Database Management Tab -> Right-click on Public Folder DB file and choose Properties.
Maintenance Schedules run from 1-5am by default. (ESE scanning check sum is an option as well. For smaller databases, you can get away with un-checking this option).
Circular Logging, again, is not having transaction logs building up. This is a space saver but not good when trying to recover from an emergency.
Replication Tab – replication of messages between PF databases.
Limits Tab – storage limits on the database. There is by default a maximum size of message of 10MB for each item placed in a Public Folder by default.
Public Folder Referral – Use Active Directory site costs. Essentially PFR comes into play with large organizations with multiple PF DBs, multiple Mail Box servers hosting PF DB’s. Certain PF’s may not be hosted at that same location. Site costs can be used to determine or manage PF locations.

You can configure  certain items on individual public folders like replication. Replication at the database level can be scheduled, or you can establish on the individual folder themselves.

Go to the Public Folder Console by going to the EMC -> Toolbox -> Public Folder Management Console:

Default Public Folders – include existing public folders created by an administrator. Try to maintain and organize Public Folders with a structure to maintain focus. One possibility is organizing by location. To add new folders, select New Public Folder… in the Action Pane. You can create sub-folders inside each Public Folder. You can delegate permissions on Public Folders to allow users the ability to create new sub-folders. Right-Click on a Public Folder, choose Properties. Under the Replication tab, you can add servers to replicate the content to and if you want High Availablity, you will select a different MailBox server and replicate the folder. You might replicate content to put them closer to actual user’s locations. You can use the default public folder replication schedule, or create your own. For limits, you can use the default quotas, or establish your own.

System Public Folders – we will cover these later.

 

Key Focus Points of Public Folders:

What are some of the key concepts of Public Folders?

  • Public Folder Trees
  •      Default Public Folders (IPM_Subtree – folders that users are typically aware of)
  •      System Public Folders (System PF structure known as the Non_IPM_Subtree – used by outlook for free/busy data, eforms registry and events root, for outlook clients that do not support 2010 or 2007 features (Availability service etc.) Legacy clients don’t know where to look for this, but can get their legacy data from these structures)
  • Replication
  •      Hierarchy – Properties of the folders, and organizational information, name of public folder, which server holds the replicas, and permissions are replicated with the heirarchy
  •      Content (Requires configured replication) – you decide which mailbox servers have copies of the content.
  • Referrals
  •      If a client looks for somethign in the Public Folder heirarchy, if they click on the folder, do they get it from their local Mailbox server? If it can’t find the data from their Mailbox, it will look for a replica in the same site. If it can’t find it there, it will look for the lowest cost site.
  • What are Mail-enabled Public Folders?
  •      They provide a bit more functionality to PFs
  •      Users can post to a PF through email.
Permissions: The Reality vs. The Potential
  • Exchange Administrators should consider delegating folder creation and management to others.
  • The easiest way to delegate is to assign persons to the Public Folder Management Group and let them worry about creating and managing Public Folders through Outlook
  • If you wanted to see the permissions or set the permissions on Public Folders, you cannot use the EMC/Public Folder Management Console. You must use the Exchange Management Shell.
  •      – Cmdlet used to add administrative permissions:  Add-PublicFolderAdministrativePermission
  •      – Cmdlet used to add client permissions: Add-PublicFolderClientPermission

In an Outlook 2010 client, if a user does not have permissions to create a sub-folder in a Public Folder, check the properties of the folder first -> Summary Tab.

To add a user to a Public Folder Management Group so that they can make changes/add folders to a Public Folder, you’ll need to open the Exchange Management Shell:

Edit – you can change permissions now through the Public Folders Management Console if Exchange 2010 SP1 is installed

[PS] c:windowssystem32>Add-RoleGroupMember -Identity “Public Folder Management” -Member User.Name 

After hitting Enter, nothing appears to happen, but when logged in as the user, and visiting the properties of a Public Folder in Outlook, you will see the additional properties/permissions available. And from here you can give additional permissions to other users.

If a Public Folder is mail-enabled, in the Global Address List, you can change the address book to Public Folders, which will list all available Mail-Enabled Public Folders.

Permissions: Rights vs. Roles

  • When using Outlook to assign permissions to a Public Folder you assign Roles (like Editor, Author and so forth).
  • Those Roles have underlying Rights assigned to them. For example, a Reviewer (role) has the rights ReadItems and FolderVisible.
  • There are 10 different Rights that mix and match for each role:
  1. ReadItems
  2. CreateItems
  3. EditOwnedItems
  4. DeleteOwnedItems
  5. EditAllItems
  6. DeleteAllItems
  7. CreateSubFolders
  8. FolderOwner
  9. FolderContact
  10. FolderVisible
Each of these is a different set of permissions that combine to create a different role. A “none” role doesn’t allow any permissions and the user will not be able to even view items.
If you are the type that doesn’t want to delegate to users rights and roles, and want to adjust them on the EMShell, you can use the following commands:
[PS] c:windowssystem32>Get-PublicFolderClientPermission -identity “PublicFolderName”
Let’s say we want to give Jason.Coltrin a role:
[PS] c:windowssystem32>Add-PublicFolderClientPermission -identity “PublicFolderName” -user “jason.coltrin” -accessrights Editor
It can be more simple to use the Outlook client GUI, but using the above commands, you can make the changes in the Exchange Management Shell.

With Exchange SP1, you can change permissions (rights and roles) for public folders using the Public Folder Management Console -> Right-click on Default Public Folders -> Choose Properties -> Permissions Tab. 

 

 

 

 

A good majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com