
Exchange Server 2007

Learn to Configure and Manage Your Own Exchange Server!

By David Shackelford

© Train Signal, Inc., 2002-2007

Video 1
Introduction to Video Series

Learning Exchange Server 2007
• Hands on coverage of this product
• 24 lessons, each between 35 and 70 minutes in length
• Why Exchange 2007?

Instructor

• Who am I?
– Dave Shackelford
– Network/System Engineer
– Owner of Shackelford Consulting, Inc.
• What I bring to the table:
– Ten years of Exchange administration
– Microsoft Exchange MVP from 2004 through 2008
– MCSE and CCNA
– Partnering consultant
– Occasional technical trainer and user group speaker

Areas we’re going to cover – Part 1
• Pre-installation prep
• Installation
• Console tour
• Exchange PowerShell
• The Exchange 2007 database
• What it takes to “go live”
• Recipients and mailboxes
• Public folders
• Address lists
• Autodiscover
• Client Access Server role
• Outlook Web Access

Areas we’re going to cover – Part 2
• POP3 and IMAP
• Hub Transport Server Role
• Compliance
• Edge Server Role
• Anti-Spam
• Anti-Virus
• Backup
• Recovery
• Transport Layer Security
• Advanced Mailbox Topics
• Exchange Tools
• SharePoint Integration

Video 2
Introduction to Exchange 2007

Where we’re going:

• Our Scenario
• Our Lab Setup
• My approach

Scenario – Part 1
• Company Name
– Cash Cow Capital Group
• Company Location
– Chicago, IL – main location
– Other small office locations: Albany, NY and Krakow, Poland
• Domain Name
– cccapitalgroup.com
Scenario – Part 2
• Type of Business
– Cash Cow Capital Group (3CG) has been a small but dynamic presence in niche foreign exchange markets since 1976. 3CG has historically been recognized for its expertise in Czech dormitory bonds, but more recently has experienced rapid growth due to the maturing of its dairy methane pollution credit exchange market in the European Union. The company is expanding its operations and has opened 2 other small satellite offices in the US and Europe. Due to the large volume of mail generated by trades and research and the importance of giving its field agents and brokers real-time collaborative access to information, the company has decided to deploy Exchange 2007.
– The company has far outgrown its ISP-based POP3 mail server and is eager to move into a twenty-first century solution. The company director has decided to outsource a technical person who can come in and install Exchange Server 2007 in the Chicago office and begin to integrate its new features into the organization's technology platform.

Scenario Diagram (Pre)
Cash Cow Capital Group – General Network Architecture
[Diagram: the Main Chicago Office (Router, Firewall, Switch Farm, Users; servers C3DB (SQL), C3DC (DC, DNS) and C3FILE1 (Fileserver)) connected over WAN and VPN links to the Krakow Branch Office and the Boston Branch Office, with mail held on an ISP Mailserver on the Public Internet]
Notes:
Internal Active Directory Domain: CDB.LOCAL
Public Domain Names: czechdormbo.com
Chicago Network Subnet: 192.168.67.0/24
Krakow Network Subnet: 192.168.68.0/24
Boston Network Subnet: 192.168.69.0/24

Scenario Diagram (Post)
Cash Cow Capital Group – General Network Architecture
[Diagram: the same topology, with C3MAIL07 (Exchange 2007) added to the Chicago servers alongside C3DB (SQL), C3DC (DC, DNS) and C3FILE1 (Fileserver)]
Notes:
Internal Active Directory Domain: C3G.LOCAL
Public Domain Names: cccapitalgroup.com, cashcowcapital.com
Chicago Network Subnet: 192.168.67.0/24
Krakow Network Subnet: 192.168.68.0/24
Boston Network Subnet: 192.168.69.0/24

Lab Setup
[Diagram: a Public DNS Server on the Public Internet; behind the Router and Firewall, the lab holds 3CGMAIL07 (Exchange 2007), 3CG-DC (AD and DNS), the Vista1 and Vista2 clients and the Mobile1 device]

Video 3
Pre-Installation Preparation

Where we're going

• Hardware Requirements
• Creating infrastructure.
– Physical Disk configuration
– DNS Setup
– AD Installation (Dcpromo)
– Domain Registration
• Requirements for AD and older Exchange orgs
• AD Schema changes
• Readiness Scan
• Editions and CAL types
• Wrap-up
Requirements

• Hardware minimums:
– A 64-bit processor - AMD or Intel (EM64T, not Itanium)
– 2gb of RAM plus 5mb per mailbox (200 users, 3gb RAM) -- more!
– 1.2gb of free space for installation location and 200mb free on system drive
• Software:
– Windows 2003 SP1 on a domain controller (schema master & global catalog)
– Windows 2003 x64 with SP1 or R2
– .Net Framework 2.0
– MMC 3.0 (comes with R2)
– PowerShell 1.0
– Internet Information Server (without SMTP or NNTP)
• File System: All locations with NTFS

Planning Disks – Part 1

Preparing the disk subsystem

• Best Practices
– Hardware RAID solutions
– Spindles, not size, but less critical than with earlier versions of Exchange
– Separate Exchange databases from the operating system
– If possible separate out transaction logs from databases

Planning Disks – Part 2
[Diagram only]

DNS Setup

• Setting up the name resolution environment
– External and internal name resolution
• .com vs .local
– Installing DNS on your future DC
– Configuring local adapters
– Forward lookup zones
– Reverse Lookup zones
– External DNS configuration


Active Directory

• Building your domain
– Running dcpromo
– Confirming Active Directory creation
– Making DNS AD-integrated
– Checking schema master & global catalog roles
– Creating users


Domain Registration

• Public Namespaces and Registration
– Registering an external domain name
– Setting DNS settings
• A-records - map names to IP Addresses
• MX-records - make mail for a domain go to a specific named host

AD Requirements

• Check for these things:
– Make sure domain functionality level is Windows 2000 native or higher
– Running Exchange 2007 on a domain controller


AD Schema Changes

• Preparing the Schema for Exchange 2007
– Setup /PrepareLegacyExchangePermissions if legacy Exchange exists
– If there are Windows 2000 DCs, use setup /DomainController servername
– /PrepareSchema
– /PrepareAD *
– /PrepareDomain

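The switches above run in a fixed order, and each one only makes sense if the previous one succeeded. The following PowerShell script is an added example and not part of the Train Signal course material: it runs setup.com with the switches from the slide, stops at the first non-zero exit code, and afterwards reads the Exchange schema version back out of Active Directory so you can confirm the extension actually landed. The media path, the organization name, the domain controller name and the legacy-Exchange flag are assumptions of this example.

```powershell
# Added example, not course material. Runs the Exchange 2007 AD preparation
# steps in order and stops at the first failure. Every value below is a lab assumption.
$setup   = "D:\Setup.com"                 # assumption: Exchange 2007 media on D:
$orgName = "Cash Cow Capital Group"       # assumption: name for a brand-new Exchange organization
$dc      = ""                             # assumption: set to a 2003 DC name if Windows 2000 DCs exist
$legacyExchangePresent = $false           # $true only if Exchange 2000/2003 is already in the forest

function Invoke-SetupStep {
    param([string[]]$Arguments)
    if ($dc -ne "") { $Arguments += "/DomainController:$dc" }
    Write-Host "Running: $setup $Arguments"
    & $setup $Arguments
    # setup.com returns a non-zero exit code when a step fails; nothing after a
    # failed step is trustworthy, so stop here rather than carry on.
    if ($LASTEXITCODE -ne 0) {
        Write-Host "Step failed (exit code $LASTEXITCODE); fix the reported problem and re-run."
        exit $LASTEXITCODE
    }
}

function Get-ExchangeSchemaVersion {
    # rangeUpper on ms-Exch-Schema-Version-Pt records which Exchange schema
    # extension is in place (10637 for Exchange 2007 RTM, 11116 for SP1).
    $schemaNc = ([ADSI]"LDAP://RootDSE").schemaNamingContext
    $attr = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
    $attr.rangeUpper
}

if ($legacyExchangePresent) { Invoke-SetupStep @("/PrepareLegacyExchangePermissions") }
Invoke-SetupStep @("/PrepareSchema")
Invoke-SetupStep @("/PrepareAD", "/OrganizationName:$orgName")
Invoke-SetupStep @("/PrepareDomain")

Write-Host "Exchange schema version now: $(Get-ExchangeSchemaVersion)"
```

Run it in a shell on a machine that holds the schema master role (or can reach it) with an account in Schema Admins and Enterprise Admins; the /OrganizationName argument is only needed when /PrepareAD is creating a new organization.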

Readiness Check

• Using the Exchange Best Practices Analyzer
– Download the latest ExBPA from the Microsoft Exchange Downloads site.
– Run a Readiness Check to determine whether you've missed anything
– Use any actionable data to fix problems

Editions

• Basic Differences between the two editions


CAL Types

• Standard CAL
– Standard mailbox access
– Outlook Web Access
– Mobile access (Exchange Active Sync)
• Enterprise CAL (is an add-on)
– Unified Messaging
– Managed Folders
– Advanced Journaling
– ForeFront anti-virus security

Wrap-up

• Where we've been:
– Going over hardware requirements and disk recommendations
– Setting up DNS
– Installing Active Directory
– Registering a domain
– Updating the Active Directory Schema
– Running the Readiness Check
– Examining Editions and CALs

Video 4
Installation of Exchange 2007


Where we're going

• Going through the installation
– Pre-install splash
– Error Reporting
– Install Type and Roles Selection
– Server Name
– Client Settings
– Readiness Check #2
• Verifying install
• Finalize Deployment Task List
• End-to-End Scenario Task List
• Editing Installed Roles
• Installing SP1


Verifying the Install

• Post-install checks
– New service creation
– Best Practices Analyzer
– Taking care of licensing

Finalizing Deployment

• Tasks for Finalizing Deployment
– Product Key entry
– ExBPA
– Offline Address Book Configuration
– SSL configuration
– ActiveSync configuration
– List of domains to accept mail from
– Set up the postmaster mailbox
– And more...


End-to-End Scenario

• Optional Tasks
– Monitoring
– Anti-Spam settings
– Document Retention/Compliance (MRM)
– And more….


Editing Roles

• Adding or Removing Exchange Roles
– Use Add/Remove Programs
– Choose Change
– Configure Roles in Maintenance Mode

Installing SP1

• What it adds to the installation
– Completes the GUI - POP & IMAP, public folders
– Ability to dump mailboxes to .PST files from console
– Adds features to OWA
• Deleted Item recovery
• Access to personal distribution lists
• Rules
• Calendar view - by month
• Downloading from Microsoft Download site
• Installing Process


Wrap-up

• Where we've been:
– Going through setup
– Looking at Role installation options
– The second Readiness Check
– Completing install
– Looking at some next-steps
– Setting up SP1


Video 5
Exchange Management Console

Where we're going

• Console Layout
• Architecture
• Role Delegation
• Grand Tour
• Finalization Tasks
• Toolbox and Extras
• 32-bit Edition

Layout of EMC

• How the Exchange Management Console is arranged
– Three work-panes


Architecture Tie-in – Part 1

• The Console and Shell make changes to data in three areas
– The Active Directory
– The Registry
– The Exchange Database
PowerShell "commandlets" are used to make all changes:

Architecture Tie-in – Part 2
[Diagram: the Management Console and the Management Shell both issue PowerShell commandlets, which write to the AD, the Registry and the Exchange Databases]

Role Delegation

• How roles work
– Roles give access to a specific sphere of configuration
– Goal: No more Access Control List (ACL) tweaking
– The EMC layout is broken down into the spheres of control


Tour of EMC

• What sort of tour:
– High level
– Taking care of some finalization tasks

Toolbox

• Tools in the toolbox
– Best Practices Analyzer
– Disaster Recovery
– Mail Flow Tools
– Performance Tools
• More tools that are downloadable:
– Jetstress
– Load Generator
– Profile Analyzer

32-bit edition

• Hey wait a sec… 32-bit?
– Limitations
– Where to get it
– How to use it for management ease


Video 6
Exchange Management Shell

Where we're going

• Shell usage overview
• Getting help with syntax
• Modifying a mailbox with the shell
• Pipelining
• Modifying lots of mailboxes with the shell
• Other management cmdlets

Shell Usage

• How does this thing work?
– Includes the CMD environment…sort of
• Aliases
• Multiple commands per line
– What's a cmdlet?
• Cmdlets are not scripts, but programs that take input
– Cmdlets add a great deal of compact power
Demo: get-mailbox and set-mailbox


Syntax Help

• What commandlets are available and how do they work?
– Using Get-Excommand
– Get-Help
– Verbs: Get, Set, New, Remove, Move, Enable and Disable - (and more)
– Objects: Mailbox, User, DistributionList, Database, etc.
– Using -whatif
– Outputting to a file

Pipelining

• Pipelining builds one-line scripts
– Use pipelines to process, specify or format output
– Get-Excommand *mailbox* | Format-list name,definition
– Get-Mailbox | fl name,*email*
– Get-Mailbox | convertto-html name,WindowsEmail* | set-content c:\addresses.html


Manage Mailboxes

• Using the Shell to create or modify mailboxes
– Bare minimum to create a user and mailbox:
• new-mailbox -database "mailbox database" -name dcho -UserPrincipalName dcho@3cg.local
– Prompt for password
– Modifying mailbox properties
• Set-mailbox dshack -prohibitsendquota 5mb
– Setting properties on multiple mailboxes
• Get-User -organizationalunit "Brokers" | get-mailbox | set-mailbox -prohibitsendquota 5mb

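The OU-wide quota change from the last bullet, done the way it should be done outside a lab: preview with -WhatIf, apply, then verify and write a report. This is an added example, not course material; the OU name and the 5MB value follow the slide, the report path is an assumption, and the -ResultSize Unlimited switch is there because Get-User and Get-Mailbox return at most 1000 objects by default.

```powershell
# Added example, not course material. OU name and quota follow the slide;
# the report path is an assumption.
$ou     = "Brokers"
$quota  = 5MB
$report = "C:\quota-report.csv"

function Get-OuMailboxes {
    param([string]$OrganizationalUnit)
    # -ResultSize Unlimited: without it a large OU is silently truncated at 1000 objects
    Get-User -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        Get-Mailbox -ResultSize Unlimited
}

function Get-QuotaMismatches {
    param([string]$OrganizationalUnit, [long]$TargetBytes)
    # Mailboxes whose effective send quota is still not the target: either the
    # database default is still in force for them or the value differs.
    Get-OuMailboxes $OrganizationalUnit | Where-Object {
        $_.UseDatabaseQuotaDefaults -or
        $_.ProhibitSendQuota.IsUnlimited -or
        $_.ProhibitSendQuota.Value.ToBytes() -ne $TargetBytes
    }
}

# 1. Preview: -WhatIf prints what Set-Mailbox would do and changes nothing
Get-OuMailboxes $ou | Set-Mailbox -ProhibitSendQuota $quota -WhatIf

# 2. Apply. The per-mailbox quota is ignored while UseDatabaseQuotaDefaults
#    is on, so turn that off in the same call.
Get-OuMailboxes $ou |
    Set-Mailbox -ProhibitSendQuota $quota -UseDatabaseQuotaDefaults $false

# 3. Record what every mailbox in the OU now has, then list the stragglers
Get-OuMailboxes $ou |
    Select-Object Name, Alias, ProhibitSendQuota, UseDatabaseQuotaDefaults |
    Export-Csv -Path $report -NoTypeInformation
Get-QuotaMismatches $ou $quota | Format-Table Name, ProhibitSendQuota, UseDatabaseQuotaDefaults
```

The mismatch list should be empty after step 2; anything left in it is a mailbox the pipeline did not touch (a disconnected mailbox, a user moved out of the OU mid-run) and deserves a look before the change is called done.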

Management

• Try these out
– Test-ServiceHealth
– Get-MailboxStatistics
– Get-MailboxDatabase | format-list

Wrap-up

• Here's what we covered:
– Powershell and CMD: same or different?
– Figuring out what to type
– Getting help with cmdlets
– Using pipelines
– Managing mailboxes
– Some server management cmdlets


Video 7
Exchange 2007 Database


Where we're going

• Exchange 2007 Database Overview
• What's changed from 2003?
• Storage Groups and Databases
• Limitations
• Best Practices

E-2007 Database
[Diagram only]

Database Overview – Part 1

• How Exchange stores data:
– Databases built on a heavily extended version of JET
– Each database has a 16tb limit...
– Single Instance Storage (SIS) provides large space savings
– Database uses transaction logs (and memory) to initially store data


Database Overview – Part 2
[Diagram: on the Exchange 2007 Server, incoming data goes first to the Transaction Logs and from there into the Mailbox Store]

What's Changed

• This is what's different with databases in Exchange 2007:
– The names have changed: mail store = mail database
– There is no .stm file anymore. All data is in the .edb
– Transaction logs have shrunk from 5mb to 1mb
– Transaction log numbering limits have been expanded from a million to 4 billion!
– Lost Log Resilience keeps last several log files in memory

SGs and DBs – Part 1

• The relationship between Storage Groups and Databases
– Storage groups are virtual containers for databases
– They can hold up to five databases each
– Transaction logs are handled at the storage group level
– Local Continuous Replication limits you to a single database per storage group


SGs and DBs – Part 2
[Diagram: the First Storage Group holds Mail Database A (F:\Exchsvr\mboxA.edb), Mail Database B (G:\Exchsvr\mboxB.edb) and Mail Database C (H:\Exchsvr\mboxC.edb); Replication Settings, Circular Logging and the Transaction Logs belong to the storage group, with the logs in C:\Program Files\Exchange Server\Mailbox\First Storage Group\]

Limitations

• Limitations
– Theoretical size cap is not a practical size cap
– For Standard, there is an artificial 50gb cap on database sizes (SP1 = 150gb)
– Memory Cost
– Default Mailbox size limit is 2gb (can be changed)


Best Practices

• Try to follow these guidelines:
– Use the 1:1 model for storage groups and databases
– Isolate databases and transaction logs on separate disk spindles/subsystems
– Leave Circular Logging disabled
– Perform regular FULL backups
– Store logs somewhere with plenty of space, just in case
– If you have multiple databases, set maintenance schedules so they don't conflict
– Implement Local Continuous Replication, if nothing else
– Don't forget about the artificial 50gb limit

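An added example (not part of the course) that turns these guidelines into a check you can run on a mailbox server: it walks every storage group and mailbox database on the named server and reports circular logging, more than one database per storage group, databases that share a drive with their logs or sit on the system drive, and .edb files over the Standard Edition cap quoted on the Limitations slide. The server name is an assumption; file sizes are read from the local disk, so run it on the server itself.

```powershell
# Added example, not course material: audit storage-group and database layout
# against the slide's guidelines. The server name is a lab assumption; the 50GB
# figure is the Standard Edition cap from the Limitations slide.
$server   = "3CGMAIL07"
$capBytes = 50GB

function Get-DriveLetter {
    param([string]$Path)
    $Path.Substring(0, 2).ToUpper()        # "F:\Exchsvr\mboxA.edb" -> "F:"
}

function Test-DatabaseLayout {
    param([string]$Server)
    $findings = @()
    foreach ($sg in (Get-StorageGroup -Server $Server)) {
        $dbs = @(Get-MailboxDatabase -StorageGroup $sg.Identity)
        $logDrive = Get-DriveLetter $sg.LogFolderPath.PathName

        if ($sg.CircularLoggingEnabled) {
            $findings += "$($sg.Name): circular logging is ON; logs are discarded before a full backup can capture them"
        }
        if ($dbs.Count -ne 1) {
            $findings += "$($sg.Name): holds $($dbs.Count) mailbox databases; the 1:1 model (and LCR) wants exactly one"
        }
        foreach ($db in $dbs) {
            $edb = $db.EdbFilePath.PathName
            if ((Get-DriveLetter $edb) -eq $logDrive) {
                $findings += "$($db.Name): database and transaction logs share drive $logDrive"
            }
            if ((Get-DriveLetter $edb) -eq "C:") {
                $findings += "$($db.Name): database lives on the system drive"
            }
            # Size is read from the file on disk; Get-MailboxDatabase does not report it
            $file = Get-Item $edb -ErrorAction SilentlyContinue
            if ($file -and $file.Length -gt $capBytes) {
                $findings += "$($db.Name): $([int]($file.Length / 1GB)) GB exceeds the Standard Edition cap"
            }
        }
    }
    $findings
}

$warnings = @(Test-DatabaseLayout $server)
if ($warnings.Count -eq 0) { Write-Host "No layout findings on $server" }
$warnings | ForEach-Object { Write-Host "WARNING: $_" }
```

The drive-letter comparison is deliberately crude: two letters on the same RAID set still share spindles, so treat a clean result as "nothing obviously wrong" rather than proof that the disk layout follows the spindle advice.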

Wrap-up

• Where we've been:
– Architecture of the Exchange 2007 Database
– The ways the database has changed with 2007
– How Storage Groups and Databases work
– Limitations
– Best Practices

Video 8
Going Live


What We'll Be Covering

• Scenario
• Checklist
• Checking DNS
• Checking listening ports
• Testing inbound/outbound email flow


Diagram
A Review of the Basics
[Diagram: an Email Sender's Remote Mail Server asks the ISP DNS Server, which queries the cashcowcapitalgroup.com name server on the Public DNS Server for the MX-record and the A-record; the message then crosses the Internet on port 25, through the NAT Firewall, to the Exchange Server; a PTR or RDNS Record is shown for the Exchange Server's public IP]

Going Live Checklist

• Here's what needs to be in place:
– External DNS
• MX-record for each domain & corresponding A-record
– cashcowcapitalgroup.com
– czechdormbro.com
• PTR or Reverse-DNS record for IP
– Firewall rule allowing inbound port 25
– Outbound port 25 access
– Exchange Server listening on port 25
– Authorized domains configured
– Email address policy configured

Testing Email
Manually sending an email
• Telnet to port 25 on the server: telnet cowmail.cashcowcapitalgroup.com 25

C: HELO trainsignal.com
C: MAIL FROM: <david@trainsignal.com>
C: RCPT TO: <dshack@cashcowcapitalgroup.com>
C: DATA
C: Subject: test message
C: From: david@trainsignal.com
C: To: dshack@cashcowcapitalgroup.com
C:
C: Hello,
C: This is a test.
C: Goodbye.
C: .
C: QUIT

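The checklist and the manual telnet test, as an added example script that is not part of the course. It resolves the MX, A and PTR chain for the domain (by parsing nslookup, since PowerShell 1.0 has no DNS cmdlet), opens port 25 on the first MX host and exchanges only EHLO and QUIT with it so that nothing is delivered, and then confirms in the shell that the domain is accepted, that an address policy stamps it, and that a receive connector on this server binds port 25. The client name used in EHLO is an assumption; the port-25 part only proves the firewall rule when you run it from outside the firewall.

```powershell
# Added example, not course material: going-live checks for one domain.
$domain = "cashcowcapitalgroup.com"

function Get-MxHosts {
    param([string]$Domain)
    # PowerShell 1.0 has no DNS cmdlet, so parse nslookup's MX answer
    nslookup -type=mx $Domain 2>$null | ForEach-Object {
        if ($_ -match "mail exchanger = (\S+)") { $matches[1].TrimEnd(".") }
    }
}

function Test-MxChain {
    param([string]$Domain)
    trap { continue }                      # a failed lookup must not abort the whole run
    $results = @()
    foreach ($mx in (Get-MxHosts $Domain)) {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($mx)) {      # A-record
            $ptr = $null
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName         # PTR / reverse DNS
            if ($ptr) { $results += "OK:   MX $mx -> $ip -> PTR $ptr" }
            else      { $results += "FAIL: MX $mx -> $ip has no PTR; many receivers reject mail from such IPs" }
        }
    }
    if ($results.Count -eq 0) { $results += "FAIL: no MX record found for $Domain" }
    $results
}

function Test-SmtpBanner {
    param([string]$HostName, [int]$Port = 25, [string]$ClientName = "labtest.example")
    trap { continue }                      # refused/filtered connections fall through to the checks below
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    if (-not $client.Connected) { return "FAIL: nothing is answering on $HostName port $Port" }
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    $banner = $null
    $banner = $reader.ReadLine()                   # S: 220 <host> Microsoft ESMTP MAIL Service ready ...
    $writer.WriteLine("EHLO $ClientName")          # C: EHLO
    $lines = 0
    do {
        $line = $null
        $line = $reader.ReadLine()                 # S: 250-<capability> ... 250 OK
        if ($line) { $lines++ }
    } while ($line -and $line.StartsWith("250-"))
    $writer.WriteLine("QUIT")                      # C: QUIT (no MAIL FROM, so nothing is sent)
    $client.Close()
    if ($banner -and $banner.StartsWith("220")) { return "OK:   $banner ($lines EHLO lines)" }
    return "FAIL: unexpected greeting from ${HostName}: '$banner'"
}

function Test-ServerMailConfig {
    param([string]$Domain)
    $results = @()
    $pattern = [regex]::Escape("@$Domain")
    $accepted = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $Domain }
    if ($accepted) { $results += "OK:   $Domain is an accepted domain" }
    else { $results += "FAIL: $Domain is not an accepted domain; inbound mail for it will be rejected" }

    $stamped = Get-EmailAddressPolicy | Where-Object { "$($_.EnabledEmailAddressTemplates)" -match $pattern }
    if ($stamped) { $results += "OK:   an email address policy stamps @$Domain addresses" }
    else { $results += "FAIL: no email address policy stamps @$Domain" }

    $rc25 = Get-ReceiveConnector -Server $env:COMPUTERNAME | Where-Object { "$($_.Bindings)" -match ":25" }
    if ($rc25) { $results += "OK:   a receive connector on this server binds port 25" }
    else { $results += "FAIL: no receive connector on this server listens on port 25" }
    $results
}

$mx = @(Get-MxHosts $domain)
Test-MxChain $domain
if ($mx.Count -gt 0) { Test-SmtpBanner $mx[0] }
Test-ServerMailConfig $domain
```

The EHLO/QUIT exchange is enough to prove the listener, the firewall rule and the banner; the full HELO / MAIL FROM / RCPT TO / DATA session from the slide is still the test to run once for end-to-end delivery, because only it exercises the accepted-domain and recipient checks on a real message.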

Wrap-up

• Where we've been:
– Looking at the basic big picture
– Verifying DNS setup
– Checking firewall/ports setup
– Checking server configuration
– Setting the receive connector settings
– Testing email from the outside
– Setting up a send connector
– Testing outbound mail

Video 9
Working with Recipients


Where we're going

• Configuring mailboxes
• Working with contacts
• Creating and using distribution groups
• Working with rooms and equipment mailboxes
• Using recipient filtering


Scenario

• Management requests:
– Set storage quota of 1gb for all users
– Configure Clive with send-as for Henry
– Reject mail to Dot from Lance
– Disable OWA for Sui and Terra
– Create mail-enabled contacts for two contractors
– Create four security/distribution groups
– Set something up for conference room & portable projector reservations

Configuring Mailboxes

• Working in Recipient Properties
– Tasks:
• Set storage quota of 1gb for all users
• Configure Clive with send-as for Henry
• Reject mail to Dot from Lance
• Disable OWA for Sui and Terra


Mail Contacts

• Creating Mail-enabled Contacts
– Create mail-enabled contacts for two contractors


Distribution Groups

• Task:
– Create three security/distribution groups
• Security groups are extended distribution groups
• There's no great reason not to use security groups for everything
• By default, mail-enabled groups not available from internet
• To change this:
– Set-distributiongroup Brokers -RequireSenderAuthenticationEnabled $False
Or to change it on all security groups:
– Get-distributiongroup | set-distributiongroup -RequireSenderAuthenticationEnabled $False

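The management requests from the Scenario and Configuring Mailboxes slides, together with the group setting above, carried out in the shell. This is an added example rather than course material: the user aliases and group names come from the slides, and the list of groups that genuinely need to receive Internet mail is an assumption. It turns the slide's "open every group" one-liner around: groups are opened only by name, and a report lists whatever is still reachable from outside, because each such group is an address anyone on the Internet can deliver to.

```powershell
# Added example, not course material. User aliases and group names are from
# the slides; $internetFacingGroups is an assumption for the lab.

# 1gb storage quota for every user; the per-mailbox value only takes effect
# once the database default is switched off for that mailbox
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -ProhibitSendQuota 1GB -UseDatabaseQuotaDefaults $false

# Clive may send as Henry: Send-As is an extended right on Henry's AD object
Add-ADPermission -Identity "Henry" -User "Clive" -ExtendedRights "Send-As"

# Dot's mailbox refuses mail from Lance (a delivery restriction on the recipient)
Set-Mailbox -Identity "Dot" -RejectMessagesFrom "Lance"

# Sui and Terra lose OWA only; mailbox and other protocols stay as they were
"Sui", "Terra" | ForEach-Object { Set-CASMailbox -Identity $_ -OWAEnabled $false }

# Groups: the slide's one-liner opens every group to unauthenticated senders.
# Open only the ones that have to take mail from the Internet, lock the rest.
$internetFacingGroups = @("Info")      # assumption

function Set-GroupInternetAccess {
    param([string[]]$OpenGroups)
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $open = $OpenGroups -contains $_.Name
        Set-DistributionGroup -Identity $_.Identity -RequireSenderAuthenticationEnabled (-not $open)
    }
}

function Get-InternetReachableGroups {
    # Review list: every address here can be delivered to by anyone on the Internet
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress, GroupType
}

Set-GroupInternetAccess $internetFacingGroups
Get-InternetReachableGroups | Format-Table -AutoSize
```

Re-run Get-InternetReachableGroups whenever groups are added; a new group created through the console picks up the default (authenticated senders only), but one created by copying an open group does not.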
Rooms and Equipment

• Working with Room and Equipment mailboxes
– Set something up for conference room & portable projector reservations


Wrap-up

• Where we've been:
– Configuring mailbox properties
– Setting mailbox properties in bulk
– Creating contacts
– Working with distribution groups
– Creating room and equipment mailboxes
– Creating filtered recipient views


Video 10
Configuring Public Folders

Where we're going

• Public Folder Architecture
• Scenario
• Tools for managing Public Folders
• Creating new Public Folders
• Assigning Public Folder permissions
• Allowing Public Folders to receive and send mail

PF Architecture

• How Public Folders Function
– Public Folders: a sense of history
• (what does "de-emphasized" mean?)
• Supported till 2016
– Public folder data is kept in the public folder database
– Multiple replicas of a public folder can be maintained on separate servers
– Any sort of folder data can be kept in a public folder
– Public folders can be given their own email addresses
– You can configure Send-As permissions on a public folder

Scenario
Management Requests
• New Public Folders need to be created and mail-enabled:
– Info
– InboundFax
– Research
– ClientSupport
– TradeConfirmations
• Clive needs to be able to create subfolders & assign permissions on:
– Info
– Client Support
• Gandalf needs to have admin control over Research
• Data Entry group needs to have admin control over:
– InboundFax
– Trade Confirmations
PF Management Tools

• What we can use to manage PFs.
– Public Folder Management Console (PFMC) since SP1
– Outlook (with proper perms)
– Exchange Management Shell (EMS)


Creating Public Folders

• Public folders are created as needed:
– With proper permissions, Outlook can be used
– In the EMS
• New-PublicFolder -name "Faxes"
– In the EMC
– By default, users have Author rights


Assigning PF Permissions

• Setting Permissions can be done from Outlook or the EMS
• There are two ways to give admin permissions via EMS:
– Add-PublicFolderAdministratorPermission
• Per-PF
– Add-ExchangeAdministrator
• General Admin rights, including to PF root
• The EASIEST way is to use Add-PublicFolderClientPermission to assign ownership
• Check permissions in Outlook or in EMS with Get-PublicFolderClientPermission
– Set perms with Add/Remove/Set-PublicFolderClientPermission

Mail-enabling PFs

• Working with mail and public folders:
– You can use either the EMC or the EMS to mail-enable a public folder
– Check whether a folder is mail-enabled
• Get-PublicFolder | fl mailenabled
Or
• Get-MailPublicFolder
– Setting Send-As permissions can be done in the Console
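The Video 10 scenario carried through in the EMS, as an added example that is not from the course: create the five folders if they are missing, mail-enable them, give the named users and the Data Entry group Owner rights (the client-permission role that covers creating subfolders and assigning permissions, which is what the slide's requests amount to), then print who holds Owner on each folder for review. The folder, user and group names are the slide's; that the Data Entry group is a mail-enabled security group called "Data Entry" is an assumption.

```powershell
# Added example, not course material. Folder, user and group names are from
# the scenario slide; "Data Entry" as a mail-enabled group name is an assumption.
$folders = "Info", "InboundFax", "Research", "ClientSupport", "TradeConfirmations"

# Owner is the client-permission role that grants create-subfolder and
# permission-assignment rights; that is what each request on the slide needs.
$ownerMap = @{
    "Info"               = @("Clive")
    "ClientSupport"      = @("Clive")
    "Research"           = @("Gandalf")
    "InboundFax"         = @("Data Entry")
    "TradeConfirmations" = @("Data Entry")
}

foreach ($name in $folders) {
    $path = "\$name"
    if (-not (Get-PublicFolder -Identity $path -ErrorAction SilentlyContinue)) {
        New-PublicFolder -Name $name | Out-Null
    }
    Enable-MailPublicFolder -Identity $path          # gives the folder its own SMTP address
    foreach ($user in $ownerMap[$name]) {
        Add-PublicFolderClientPermission -Identity $path -User $user -AccessRights Owner
    }
}

function Get-PublicFolderOwnerReport {
    # Review step: who holds Owner on each top-level folder and whether it is
    # mail-enabled; compare this against the management request before signing off
    foreach ($name in $folders) {
        $owners = Get-PublicFolderClientPermission -Identity "\$name" |
            Where-Object { "$($_.AccessRights)" -match "Owner" } |
            ForEach-Object { $_.User.ToString() }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Folder $name
        $row | Add-Member NoteProperty MailEnabled ((Get-PublicFolder -Identity "\$name").MailEnabled)
        $row | Add-Member NoteProperty Owners ([string]::Join(", ", @($owners)))
        $row
    }
}

Get-PublicFolderOwnerReport | Format-Table -AutoSize
```

Remember that Owner on a mail-enabled folder lets the holder change permissions for everyone else, so the report is worth keeping alongside the original request: an Owner that is not on the slide's list is exactly the kind of drift public folders are known for.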

Wrap-up

• Where we've been:
– Architecture overview
– Tools needed for PF administration
– Creating public folders
– Setting PF permissions
– Allowing mail to PFs and sending mail as PFs


Video 11
Configuring Address Lists

Where we're going

• How server-side Address Lists work
• Creating a custom address list
• How the Global Address Book works
• Brief bit on Offline Address Books
• Dynamic Distribution Groups
• Best Practices for using this stuff


Address Lists

• What are address lists?
– Address lists are built to make lookups more usable than the basic Global Address Book
– The "pre-canned" address books will suffice for small-midsized businesses
– Custom address lists are just alternate filters applied to data in the Active Directory
• Demo

Global Address Book

• What's the Global Address Book?
– A list from the AD with all mail-enabled containers in it
– By default it is provided to every user within Outlook and OWA
– Additional GALs can be created for hosting environments that need isolation

Offline Address Books

• Pre-coverage for Offline Address Books
– Allow users to get AD info while offline
– Is essentially an offline copy of the GAL
– Are the address-book counterpart of offline mail data
– Are made available to both internal and external users
– Are distributed via web-site and via Public Folder


Dynamic Distribution Groups
• Working with dynamic groups
– Groups can be built based on AD properties like Department, State or Company
– Especially useful for location-specific communications
– Can't be used as security groups
– Create them in the Groups sub-node of the Recipient node
– Non-wizard filtering criteria can be used if you use the New-DynamicDistributionGroup cmdlet.
• Example:
– New-DynamicDistributionGroup -Name "CashCowCapital Company" -Alias "3CG_Company" -IncludedRecipients "MailboxUsers,MailContacts" -OrganizationalUnit "3CG.local/Users" -ConditionalCompany "3CG"


Best Practices

• Recommendations
– Address Lists:
• Don't create any unless you really need them, then keep it simple.
• Make list names clearly descriptive of contents
– Global Address Books:
• Stick with the default one if at all possible
• Create new ones only for client-base isolation
– Dynamic Distribution Lists:
• Don't forget about the value of non-wizarded dynamic lists

Wrap-up

• Where we've been
– Creating a Custom Address List
– Global Address Book
– Offline Address Book
– Dynamic Distribution Groups
– Best Practices


Video 12
Configuring Outlook - AutoDiscover


Where we're going

• What is Autodiscover?
• How does it work?
• How do I set it up?
• How do I set up Outlook?
• Best Practices

Intro to Autodiscover
• Autodiscover was built to:
– streamline Outlook configuration (both MAPI and Outlook Anywhere)
– Allow simpler access to the Offline Address Book (OAB) for external users
– Facilitates access to the Availability service that handles Free/Busy data
– Simplifies setup for Unified Messaging
• Autodiscover requires some setup
• The services that work with it also need to be configured
• Autodiscover cannot provide services to Outlook client versions before 2007


Autodiscover Architecture

• How Autodiscover Works
– Autodiscover consists of these components:
• One service connection point (SCP) object in the AD for each CAS
• An IIS virtual directory called Autodiscover on each CAS
• Public DNS entries
• An appropriate SSL certificate
– Outlook 2007 queries Autodiscover:
• At startup
• Every 60 minutes
• Whenever there is a connection failure
– Autodiscover allows a user to automatically locate the right mailbox server, even if the mailbox was recently moved to another server


Internal Autodiscover – Part 1
• Process Outline
1. Client queries AD for the SCP object
2. AD hands back Autodiscover service URL
3. Client connects to Autodiscover virtual directory using HTTPS
4. Autodiscover hands back addresses and information for available services
After this, client is able to connect to the needed resources.
Internal Autodiscover – Part 2
[Diagram: the Outlook 2007 Client (1) queries AD, (2) receives the Autodiscover URL from AD, (3) connects to the CAS, and (4) gets back the information it needs to reach the MBox server]

External Autodiscover – Part 1
• Process Outline
1. Client fails to connect to AD to query SCP information
2. Client uses its primary SMTP address to query DNS for an "autodiscover" record.
3. DNS provides the IP of the Autodiscovery server
4. Client contacts the Autodiscover virtual directory on the CAS
5. CAS Autodiscover service provides the client with information needed to connect to various Exchange services


External Autodiscover – Part 2
[Diagram: the Outlook 2007 Client on the Public Internet (1) cannot reach AD, (2) queries public DNS, (3) receives the Autodiscover server address, (4) contacts the CAS through the Firewall, and (5) gets from the CAS the details for reaching the MBox server on the Private Network]

The Query

• What does the client ask DNS?
– After attempting to connect to these sites:
• https://cashcowcapitalgroup.com
• https://autodiscover.cashcowcapitalgroup.com
• http://autodiscover.cashcowcapitalgroup.com
– The client will ask DNS to resolve this SRV record:
• _autodiscover._tcp.cashcowcapitalgroup.com
– Depending on how you've configured the server, one or more of these attempts may result in a valid connection.
– We're going to make sure that either of the first two attempts is valid


Autodiscover Setup

• Implementing AutoDiscover:
– Check on the virtual server
– Set up the DNS
– Obtain an SSL certificate
– Install and configure the cert
– Configure the virtual server
– Configure for OAB
– Configure for Outlook Anywhere
– Configure for Availability


The Certificate

• Working with the Subject Alternative Name (SAN) Cert
– A SAN cert can provide SSL encryption for several FQDNs
– We'll include these names in the cert:
• 3cgmail07
• 3cgmail07.3cg.local
• cowmail.cashcowcapitalgroup.com
• autodiscover.cashcowcapitalgroup.com
– We'll register this cert at http://www.digicert.com
– Digicert has a nice little tool that will build a PowerShell request script

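An added example (not course material, and not the Digicert tool's output) of the request and of the check that follows it: New-ExchangeCertificate builds the request with the four names from the slide in its SAN list, and, once the issued certificate has been imported and enabled for IIS, a small function confirms that every name Outlook and Autodiscover will present is actually on the certificate bound to IIS and warns when it is close to expiry. The subject fields, the request path, the friendly name and the CAS name are assumptions.

```powershell
# Added example, not course material. The four names are from the slide; the
# subject fields, request path, friendly name and CAS name are assumptions.
$names = "3cgmail07", "3cgmail07.3cg.local",
         "cowmail.cashcowcapitalgroup.com", "autodiscover.cashcowcapitalgroup.com"
$requestPath = "C:\certreq\cowmail.req"
$cas = "3cgmail07"

# 1. Request: the public mail name is the subject, every name goes in the SAN list.
#    The request text is what you paste into the CA's (Digicert's) order form.
$subject = "CN=cowmail.cashcowcapitalgroup.com, O=Cash Cow Capital Group, C=US"
$request = New-ExchangeCertificate -GenerateRequest -SubjectName $subject `
               -DomainName $names -PrivateKeyExportable $true -FriendlyName "cowmail SAN"
Set-Content -Path $requestPath -Value $request

# 2. After Import-ExchangeCertificate and Enable-ExchangeCertificate -Services IIS,
#    make sure the certificate IIS is serving covers every name clients will use.
function Test-CertificateNames {
    param([string[]]$RequiredNames)
    $cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
    if (-not $cert) { return "FAIL: no certificate is enabled for IIS" }
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($n in $RequiredNames) {
        if ($certNames -contains $n.ToLower()) { "OK:      $n" }
        else { "MISSING: $n (clients connecting to this name get a name-mismatch warning)" }
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { "WARNING: certificate expires $($cert.NotAfter)" }
}

Test-CertificateNames $names

# 3. End to end: ask the CAS the same questions Outlook does
Test-OutlookWebServices -ClientAccessServer $cas | Format-Table Id, Type, Message -AutoSize
```

A name that is MISSING in the report is the usual reason users start clicking through certificate warnings, which is a habit that later makes a real man-in-the-middle warning invisible to them; fixing the certificate is cheaper than retraining the users.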
Setting up Outlook

• Connecting Outlook to Exchange 2007
– Outlook 2003 sets up the way it always has
• Provide Server Name and User Name
• Keep track of external servername vs. internal servername
– Outlook 2007 uses Autodiscover
• Provide email address
• Other Info
– Outlook 2007 licenses are not included in Exchange 2007
– You can now run a copy of Outlook on the Exchange 2007 server

Best Practices

• Recommendations:
– Use a SAN UCC cert to reduce complexity
– Don't try to use a self-signed cert, use a commercial cert
– Use a tool like Digicert's to make sure your cert request is correct
– Leave punctuation out of the Subject Name fields of your cert request
– Work slowly, don't make changes to IIS unless you know what you're doing
– Use the Test Email Autoconfig Tool to troubleshoot Autodiscover
– Use Test-OutlookWebServices to help narrow down problems


Wrap-up

• Where we've been:
– A look at Autodiscover
– Autodiscover Infrastructure
– Autodiscover Implementation
– DNS Setup
– Certificate creation and installation
– How the versions of Outlook connect to Exchange
– Best Practices

Video 13
Configuring the Client Access Server


Where we're going

• CAS Role overview
• IIS virtual directories for Exchange
• Outlook Anywhere Architecture
• Setting up Outlook Anywhere
• Active-Sync Architecture
• New Active-Sync features
• Active-Sync configuration
• Best Practices

CAS Role

• What the Client Access Role is responsible for:
– Autodiscover & Availability services
– Outlook Web Access
– POP and IMAP services
– Outlook Anywhere (RPC-over-HTTPS)
– Exchange Active-Sync
– Offline Address Book
Notes:
– Why is CAS not in the DMZ?
IIS Virtual Directories – Part 1
• Most of the CAS functionality is based in IIS:
– These virtual directories in the default web Site run CAS services:
• OWA (connects to Exchange 2007 mailbox servers)
• RPC
• RPCwithCerts
• Microsoft-Server-ActiveSync
• OAB
• EWS
• Autodiscover
• UnifiedMessaging

IIS Virtual Directories – Part 2
• For OWA connections to Exchange 2003/2000 servers:
– Exchange
– Public (used for both legacy and 2007 PF access)
– Exadmin
– Exchweb
– All these directories are encrypted with the cert installed on the root site
– To create a new CAS website, you'd use the New-OWAVirtualDirectory cmdlet to create the requisite virtual directories


Outlook Anywhere Architecture
• How Outlook Anywhere works:
– HTTPS tunnel created between client and CAS
– Standard MAPI/RPC traffic passed through tunnel to appropriate Mailbox server
– Traffic is encrypted with cert installed on Default Web site
– Connection from client can be made from anywhere that HTTPS is allowed
– Allows use of all "fat" client features that can be used internally
– .ost file caches data, keeping an offline copy of server-side mailbox

Setting up Outlook Anywhere
• Configuring Outlook Anywhere
– Install certificate
– Make sure SSL is enabled on default web site (it is by default)
– Add the RPC over HTTP Proxy via Add/Remove Windows Components
– Enable Outlook Anywhere via the EMC (or EMS with Enable-OutlookAnywhere)
• Set URL
• Set Authentication method (NTLM if you have ISA proxy, or Basic if not)
– Configure Outlook Anywhere on Outlook 2007
• Accounts -> profile properties -> More Settings -> Connection Tab
• URL: same URL you configured above (ex: cowmail.cashcowcapitalgroup.com)
• Principal name: "msstd:cowmail.cashcowcapitalgroup.com"
• Auth: needs to match what was set on server
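The server side of the procedure above, as an added Exchange Management Shell example (this is not course material). It uses the lesson's hostname cowmail.cashcowcapitalgroup.com and the lab server name C3MAIL07 from the network diagrams; it assumes Exchange 2007 SP1 parameter names for Enable-OutlookAnywhere and that it is run on the CAS itself, because Get-ExchangeCertificate reads the local store. The certificate check is added because a cert that does not cover the external hostname is the usual reason the client-side steps then fail.

```powershell
# Added example (not from the course): enable Outlook Anywhere and verify the
# certificate and resulting settings. Assumes Exchange 2007 SP1 EMS on the CAS.
$externalHost = "cowmail.cashcowcapitalgroup.com"   # hostname from the lesson
$cas          = "C3MAIL07"                          # lab CAS from the diagrams
# NTLM only if an ISA proxy sits in front; Basic otherwise (still inside HTTPS).
$authMethod   = "Basic"

# 1. A certificate enabled for IIS must cover the external hostname (CN or SAN).
$cert = Get-ExchangeCertificate |
    Where-Object {
        ($_.Services -match "IIS") -and
        ((@($_.CertificateDomains | ForEach-Object { $_.ToString() })) -contains $externalHost)
    } | Select-Object -First 1
if (-not $cert) {
    throw "No IIS-enabled certificate covers $externalHost; install and enable one first."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires on {1}" -f $cert.Thumbprint, $cert.NotAfter)
}

# 2. Enable Outlook Anywhere once (RPC over HTTP Proxy must already be installed).
if (-not (Get-OutlookAnywhere -Server $cas)) {
    Enable-OutlookAnywhere -Server $cas -ExternalHostname $externalHost `
        -ClientAuthenticationMethod $authMethod -SSLOffloading $false
}

# 3. Show the effective settings. The Outlook profile must match these:
#    URL = ExternalHostname, principal name = msstd:<ExternalHostname>,
#    authentication = ClientAuthenticationMethod.
Get-OutlookAnywhere -Server $cas |
    Format-List Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading
```

If the script throws at step 1, request or enable a certificate whose Subject Alternative Names include the external hostname before enabling Outlook Anywhere; enabling it against a non-matching certificate produces clients that silently fall back to direct RPC inside the office and fail outside it.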


Active-Sync Architecture
• How Exchange Active Sync works:
– Client sends an HTTPS "heartbeat" with info about folders to sync, leaving an open session with the server.
– Server holds that message data until a certain timeout
• Default timeout (minimum) is 15 minutes. Max is 30 minutes
– When timeout arrives, server responds that nothing was there, client resends heartbeat request
– If folders are updated in the interval, server notifies device immediately
– If notified of changes, device contacts server for download, then resends heartbeat


New Features
• What's been added:
– SharePoint and UNC access
– Follow-up flags
– HTML message support
– Autodiscover support
– Enhanced Exchange Search
– Fast message retrieval
– Device password policy enforcement
– Out of Office message setting
– Meeting requests and attendee availability

Setting up Active-Sync
• Configuration
On the server:
– Determine the external URL
– Determine the auth method
– Determine which file resources should be made available
– Set up a policy if desired
On the mobile device:
– Setting up the device
– Managing the device
– Managing devices via OWA


Best Practices

• Recommendations
– Use a cert with Subject Alternative Names (SAN) and stick with
the default site
– For Outlook Anywhere, use NTLM authentication if possible
– To use NTLM, you will need an advanced firewall like ISA 2006
– Use cached-mode with Outlook Anywhere
– Watch the HTTP timeout interval on your firewalls for the sake of
ActiveSync
– Only allow SSL connections for ActiveSync
– Create and deploy a Windows Mobile password policy


Wrap-up
• Where we've been:
– The whole CAS
– How IIS fits in
– Outlook Anywhere
– Exchange ActiveSync
– Best Practices

Video 14
Outlook Web Access


Where we're going
• New OWA features
• Requests from management relating to OWA experience
• Light and Premium versions
• Authentication options
• Accessing Server-based shares and
SharePoint sites
• Changing the base URL for OWA


OWA Features
• Some key new OWA features:
– WebReady documents allow Office doc viewing
– Email headers view
– Customizable toolbars
– Out of Office configuration
– Deleted Item recovery
– Instant language options
– Cleaner calendar reminders
– Multiple calendars and draggable appointments
– Mobile device config page
– Change password interface
– Open other mailboxes within OWA

Scenario
• Requests from 3CG management
– Disable the use of themes and password changes via OWA
– Make it so that users don't have to specify the logon domain
– Set up access to a Marketing share on the DC
– Force users to save files before accessing them
– Don't let users access music or video files on the server via OWA
– Allow OWA access to a simple URL with HTTP and no subdirectory: cowmail.cashcowcapitalgroup.com
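The first five management requests map onto properties of the OWA virtual directory, so here they are as an added Exchange Management Shell example (not course material). It assumes Exchange 2007 SP1 EMS on C3MAIL07 (the lab CAS from the network diagrams) and the default "owa (Default Web Site)" directory. "\\C3DC\Marketing" is a constructed share name on the lab DC, and the list of audio/video extensions is my reading of "music or video files"; neither comes from the course. The last request (plain HTTP on the bare hostname) is an IIS redirect and is handled on the "Changing the URL" slide rather than here.

```powershell
# Added example (not from the course): OWA virtual-directory settings for the
# 3CG management requests. Assumes Exchange 2007 SP1 EMS on the lab CAS.
$owa = "C3MAIL07\owa (Default Web Site)"
$cfg = Get-OwaVirtualDirectory -Identity $owa

# Request 1 and 2: themes and password changes off; users type only their user
# name because the logon domain is supplied for them.
Set-OwaVirtualDirectory -Identity $owa `
    -ThemeSelectionEnabled $false -ChangePasswordEnabled $false `
    -LogonFormat UserName -DefaultDomain "cccapitalgroup.com"

# Request 3: file-share access limited to the DC that hosts the constructed
# share \\C3DC\Marketing, and only from "private computer" sessions. The
# default "public computer" choice on the logon page never gets share access.
Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsAllowedServers @("C3DC")

# Request 4 and 5: Office documents must be saved rather than opened in the
# browser, and music/video extensions (assumed list) are blocked. Both lists
# are APPENDED to the existing ones: replacing BlockedFileTypes outright would
# drop the default executable extensions (.exe, .bat, ...) and weaken OWA.
$forceSave = @($cfg.ForceSaveFileTypes) + @(".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx") |
    Select-Object -Unique
$blocked = @($cfg.BlockedFileTypes) + @(".mp3", ".wma", ".wav", ".avi", ".wmv", ".mpg", ".mp4") |
    Select-Object -Unique
Set-OwaVirtualDirectory -Identity $owa -ForceSaveFileTypes $forceSave -BlockedFileTypes $blocked

# Verify the effective configuration.
Get-OwaVirtualDirectory -Identity $owa | Format-List ThemeSelectionEnabled, ChangePasswordEnabled, `
    LogonFormat, DefaultDomain, UNCAccessOn*, RemoteDocuments*, ForceSaveFileTypes, BlockedFileTypes
```

The append-rather-than-replace step is the part worth copying: the MultiValuedProperty parameters accept whatever array you pass, so a one-line Set-OwaVirtualDirectory -BlockedFileTypes ".mp3" would leave executables downloadable through OWA.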


Light/Premium Client
Light vs. Premium Client
• Light version:
– For non-IE browsers
– For slow connections
– For older systems
– Most secure/best for kiosks
– Contains basic access to all resource types
• Full Version:
– More feature-rich
– Deeper interaction with mailbox content
– Drag-and-drop
– Access to file servers and SharePoint

Authentication Options
• Authentication settings can be configured
– Forms-based authentication vs. standard auth.
– Configure the logon domain
– Basic Auth is least secure, but still in context of SSL
• Useful with ISA
– Default configuration best for most situations

Accessing Server Files
• File Server Access
– OWA provides access to file shares and SharePoint libraries
– Can greatly reduce the need for VPN access
– Read-only access to shares, but a copy can be saved locally and written to
– Not available when Public Computer is selected at OWA login screen (default setting)

Changing the URL
• URL Simplification - Several ways to go about this. Here's mine:
– Make sure the internal DNS has an entry for the external URL
• That may involve creating a forward lookup zone
• Populate that zone with internal IP mappings to external hosts
– In the IIS manager, remove the "Require SSL" setting on the Default Web Site
– On the Home Directory page, redirect to "https://externalURL/owa"
– Apply those settings.
– Now go through each of the other virtual directory properties (except OAB) and make sure that SSL and 128-bit encryption are required.
– From the command-line on your server, do an "IISRESET /noforce"
– Test by going to "http://externalURL"; you should be redirected to secure OWA


Wrap-up
• Where we've been:
– Management requests
– New OWA features
– Light and premium versions
– Authentication
– File server access
– URL Simplification

Video 15
Working with POP and IMAP


Where we're going

• Protocol architecture
• Management requests
• Settings on the CAS server
• Settings on the Hub Transport server
• User-specific permissions
• Setting up the client
• Best practices
Note: We're talking about servers that have SP1 installed

Architecture
POP and IMAP Architecture
• Comparison
• POP Details:
– POP downloads all mail from the server, and it is read locally
– Only the inbox on the server is accessed, as a big mailbox to be emptied
– There is an option to leave a copy of the email on the server
– Secure POP3 uses TCP port 995, insecure uses 110
• IMAP Details:
– IMAP accesses the mail on the server, but isn't fully downloading it
– IMAP allows access to multiple mail folders in a mail account
– IMAP synchronizes deletions up to server
– Secure IMAP uses TCP port 993, insecure uses 143
• Not sub-components of IIS anymore
• Both are RECEIVING protocols. SMTP must be used for SENDING.

Scenario

• Management requests:
– Chumnus needs a separate secure POP3
mailbox set up
– Gandalf recently got an iPhone and wants to
set up secure IMAP access to it
– No other users should be able to access
IMAP or POP3


CAS Settings
• Preparing the Client Access Server
– Start the IMAP and POP3 services and set them to Automatic
• Via Service Control Panel
• Via "Set-Service MSExchangePOP3 -StartupType Automatic"
– The defaults in the EMC should be good, but check on them

Hub Transport Settings
• Check these settings:
– Open the Receive Connector called "Client 3CGMAIL07"
– Check the FQDN and make sure it matches the external name on the certificate
– Note that it's going to listen on port 587
– Confirm TLS with Basic Auth
– Confirm Exchange Users in Permissions Groups
– Make changes to firewall rules
User Settings
• Access rights
– Use a PowerShell cmdlet to disallow permissions to all users
• Get-CASMailbox | Set-CASMailbox -PopEnabled $False -ImapEnabled $False
– Use mailbox properties to give a user permission to access IMAP or POP3
• Use the GUI
• Set-CASMailbox -Identity cboviphlatian -PopEnabled $True -ImapEnabled $True
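The whole "deny all, then grant explicitly" procedure from the CAS Settings and User Settings slides, as an added Exchange Management Shell example (not course material). It assumes Exchange 2007 SP1 EMS on the CAS. The alias cboviphlatian is Chumnus's from the slide; the course never gives Gandalf's alias, so "gandalf" is a placeholder. The verification step at the end is the part the slides leave out: a mailbox created after the bulk disable is POP/IMAP-enabled by default, so the report should be re-run periodically.

```powershell
# Added example (not from the course): lock POP3/IMAP4 down to the users
# management asked for, then report who can still use them. Exchange 2007 SP1 EMS.
$popUsers  = @("cboviphlatian")   # Chumnus: secure POP3 mailbox (alias from the slide)
$imapUsers = @("gandalf")         # PLACEHOLDER alias: Gandalf's secure IMAP for the iPhone

# 1. Both services are installed but not running by default; make them start
#    with Windows and start them now.
foreach ($svc in "MSExchangePOP3", "MSExchangeIMAP4") {
    Set-Service -Name $svc -StartupType Automatic
    if ((Get-Service -Name $svc).Status -ne "Running") { Start-Service -Name $svc }
}

# 2. Protocol access is a per-mailbox attribute: deny everyone first...
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 3. ...then grant it explicitly. A user in neither list stays disabled.
foreach ($u in $popUsers)  { Set-CASMailbox -Identity $u -PopEnabled  $true }
foreach ($u in $imapUsers) { Set-CASMailbox -Identity $u -ImapEnabled $true }

# 4. Verify: this list should contain only the users above. New mailboxes
#    default to enabled, so schedule this report rather than running it once.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Format-Table Name, PopEnabled, ImapEnabled -AutoSize

# 5. Server side: confirm logons require SSL/TLS (the SP1 default LoginType is
#    SecureLogin) instead of assuming it, and see the IMAP connection ceiling
#    the Best Practices slide says to lower.
Get-PopSettings  | Format-List LoginType, SSLBindings
Get-ImapSettings | Format-List LoginType, SSLBindings, MaxConnections
```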


Client Setup
• Configuring the Outlook client:
– Watch demo


Best Practices

• Recommendations:
– Use Outlook Anywhere or OWA instead, if possible
– Always use SSL encryption
– Use the default security settings
– Use a 3rd-party cert to make things easier
– Lower the MaxConnections value for IMAP
– Disallow access to all users and provide it explicitly
– Provide screenshots to users to facilitate setup

Wrap-up
• Where we've been:
– Snapshot
– Management Requests
– CAS-specific settings, services
– Hub Transport components
– User settings
– Setting up the client
– Best Practices

Video 16
Looking at Hub Transport


Where we're going
• Mail flow and routing architecture
• Management requests
• Working with domains and email addresses
• Creating transport rules
• Using send connectors
• Using receive connectors
• Setting size limits and delivery restrictions
• Using the Queue Viewer
Hub Transport Architecture – Part 1
• How mail gets around
– New SMTP stack: MSExchangeTransport
– Sent via send connector, received via receive connector
– Hub transports route mail to other hub transports for remote mailbox servers
– Mail routing is not done with routing connectors & routing groups anymore
– Mail routing uses AD site link topologies

Hub Transport Architecture – Part 2
[Diagram: Inbound Mail from the Public Internet crosses the FIREWALL to the EDGE server, which hands it over SMTP/TLS to the HUB on the Private Network. Site A and Site B each have a HUB and an MBox server linked by RPC, the two HUBs talk over SMTP/TLS, and an Outlook 2007 Client in each site connects to its MBox over RPC.]

Scenario

• Management Requests
– Extra email addresses for each user like
clive.lewis@cashcowcapitalgroup.com
– Set maximum message size to 50 MB
– Set max number of recipients to 200
– Add a disclaimer to all outbound email
– Filter mail with "guarantee" or "promise" in it, bcc to
Chumnus
– Send AOL mail out through ISP smarthost
Domains and Addresses
• Working with Accepted Domains and Email Address Policies
– Accepted domains are domains that the server will relay mail for
– Mail destination could be local or remote, internal or external
– No more recipient policies or Recipient Update Services (good riddance!)
– Changes to the email address policy are immediate!
– Policies can only be made which match existing accepted domains
– Multiple addresses can be created for a single domain


Transport Rules
• Configuring Transport Rules
– Can be used to:
• Append
• Reroute
• Copy
• Filter
• Log events


Send Connectors
• Using Send Connectors
– Hub role does not install with a send connector
– Implicit send connectors communicate between hub roles
– A send connector needs to be created for outbound if there is no Edge server
– Send connectors are created to enforce TLS between remote servers
– Send connectors can be used to route outbound mail through a smarthost
– Send connectors are ORGANIZATIONAL level objects

Receive Connectors
• Using Receive Connectors
– The default receive connectors only allow internal delivery
– A receive connector will have to be created if there is no Edge server
– Receive connectors can be created to handle TLS connections from remote servers
– Unlike send connectors, receive connectors are SERVER-based


Setting Limits
• Working with the Global Settings
– Limits are set at the Organization level
– Get properties on Transport Settings under Global Settings
– Transport Dumpster settings are cluster-related


Working with Queues
• The Queue Viewer
– Queue Viewer is found in the ToolBox
– Queues are no longer kept as individual files in a folder, but in an ESE database
– There are five types of queues:
• Submission
• Mailbox Delivery
• Remote Delivery
• Poison Message
• Unreachable
– You can use Get-Queue and Get-Message cmdlets in the EMS to manipulate queues and messages
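An added Exchange Management Shell example (not course material) that ties the Scenario requests for limits and the AOL smart host to the send-connector and queue slides above. It assumes Exchange 2007 SP1 EMS on the Hub Transport C3MAIL07 (the lab server name from the diagrams); the ISP smart host is never named in the course, so "smtp.isp.example" is a placeholder. The queue commands at the end are what you would run when mail to that connector stops moving.

```powershell
# Added example (not from the course): organization limits, a smart-host send
# connector for one domain, and queue inspection. Exchange 2007 SP1 EMS on the Hub.
$hub       = "C3MAIL07"
$smartHost = "smtp.isp.example"   # PLACEHOLDER for the ISP relay host

# 1. Organization-wide limits from the Scenario: 50 MB messages, 200 recipients.
Set-TransportConfig -MaxSendSize "50MB" -MaxReceiveSize "50MB" -MaxRecipientEnvelopeLimit 200
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize, MaxRecipientEnvelopeLimit

# 2. Route only aol.com through the ISP smart host. Send connectors are
#    organization-level objects, so the source Hub is named explicitly; DNS
#    routing is disabled so the smart host (not MX lookup) is actually used.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq "AOL via ISP" })) {
    New-SendConnector -Name "AOL via ISP" -Usage Custom `
        -AddressSpaces "smtp:aol.com;1" -SmartHosts $smartHost `
        -DNSRoutingEnabled $false -SourceTransportServers $hub
}

# 3. Queues live in an ESE database, not in files; list only the non-empty ones.
Get-Queue -Server $hub | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize

# 4. Messages currently in Retry, with their recipients and the last SMTP error,
#    newest first. This is the Queue Viewer's detail pane in one line.
Get-Message -Server $hub -Filter { Status -eq "Retry" } -IncludeRecipientInfo |
    Sort-Object DateReceived -Descending |
    Format-Table FromAddress, Recipients, Subject, LastError -AutoSize

# 5. After fixing the cause (firewall rule, smart host name), retry now instead
#    of waiting for the next scheduled attempt.
Retry-Queue -Server $hub -Filter { Status -eq "Retry" }
```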

Wrap-up
• Where we've been:
– Architecture overview
– Chumnus requests
– Accepted domains and address generation
– Creating transport rules
– Send and receive connectors
– Limits
– Queue Viewer

Video 17
Meeting Compliance
Requirements with
Exchange 2007


Where we're going

• Management requests
• Intro to journaling
• Planning and implementing journaling
• 3rd party products
• Other compliance issues

Scenario

• Management Requests
– Archive all Broker and Executive messages
– Disallow mail between Brokers and Research except in emergencies


Journaling Intro

• What is Journaling?
– Capturing and archiving mail traffic across Hub Transports
– Mail can be journaled (archived) to several different types of locations:
• Local mailbox
• Distribution group
• External hosting service
• 3rd party archiving database
– There are "store-level journaling" and "Journaling with rules"
– Mail can be captured based on criteria like group membership or
individual mailbox
– Journaling anything less than on a Global level requires Enterprise
CALs
– Journaling takes advantage of Single Instance Storage (SIS) for space
efficiency


Planning Journaling
• How to design a journaling strategy
– What are the requirements?
– What needs to be collected?
• Which users?
• Internal/External/Both?
• UM?
– Where will you keep your archive?
• In a journaling mailbox?
• Using a 3rd-party product?
• Outside vendor?
– How long will you archive?
– How will you secure your compliance archive?
3rd Party Products
• General Benefit and Architecture of 3rd Party products
– Examples: Quest's Archive Manager and GFI's Mail Archiver
– Both bring:
• Greatly enhanced searchability and discovery export features
• Reduced load on mail stores over time
• Ease of restorability
– Quest's Archive Manager:
• Requires SQL
• Web, Outlook and mobile access to archives, including offline access for Outlook
• Ties into other applications, can archive Live Communication Server
• Efficient backfill process
– GFI's Mail Archiver:
• Uses SQL or open-source database format on NTFS partition
• Simplest setup


More Compliance
• Other compliance concerns
– Setting up ethical walls
– Discovery/Disclosure search/provide methods
– Encrypted SMTP communication
– Confidentiality statements
– Content alerts
– Data retention limits
– Content protection with Rights Management Services


Wrap-up
• Where we've been:
– Management requests
– Intro to journaling
– Planning and implementing journaling
– 3rd party products
– Other compliance issues

Video 18
Edge Transport Role


Where we're going

• Management requests
• A look at Edge Transport
• Edge setup requirements
• Installing the Edge role
• Securing the Edge server
• Best Practices


Scenario

• Management Requests
– Force all traffic to internal servers to
authenticate
– Implement inbound relay for port 25 traffic
– Implement some anti-spam system
– Set up new Edge Transport server

Basic Edge – Part 1
• What the Edge Transport server is for
– Main purposes are security (smtp-relay and smart-host) and anti-spam
– Secondary functions:
• Journaling
• Transport Rules
• SMTP rewrites
– Anti-spam features allow for a highly customizable filter set

Basic Edge – Part 2
[Diagram: Inbound Mail from the Public Internet passes the outer FIREWALL into the DMZ Network, where the EDGE server sits. The EDGE forwards it over SMTP/TLS through the inner FIREWALL to the HUB on the Internal Network, which delivers to the MBox server over RPC.]

Edge Facts – Part 1
• Edge Architecture
– Edge Transport servers are never domain members
– Edge Transport role cannot coexist on same server with any other role
– Edge can function without other Exchange 2007 server roles existing
– Keeps its own queuing database (ESE, same type as mailbox db)
• EdgeSync
– Edge uses information from the AD to make intelligent decisions about filtering
– Edge receives updates about AD info via a one-way communication with Hub
– Active Directory Application Mode (ADAM) component facilitates this AD data sync
– The EdgeSync service is responsible for pushing data to the Edge server

Edge Facts – Part 2
EdgeSync Process
[Diagram: Internal Network (DC, Hub Transport) | Firewall | DMZ Network (Edge Transport)]

Current Network
Main Chicago Office
[Diagram: Public Internet - Router - Firewall - INTERNAL network containing C3DB (SQL), C3DC (DC, DNS) and C3MAIL07 (Exchange 2007)]

Network with Edge
Main Chicago Office
[Diagram: Public Internet - Router - DMZ containing C3GEDGE (Exchange 2007 Edge) - Firewall - TRUSTED network containing C3DB (SQL), C3DC (DC, DNS) and C3MAIL07 (Exchange 2007)]
Edge Requirements
• Install requirements
– OS: W2K3 Standard R2 or W2K3 Standard SP1 installed as a standalone
– One or two network adapters
– DNS Suffix and name resolution configuration
– ADAM
– .Net Framework and PowerShell
– Exchange 2007 media

Edge Subscription – Part 1
• Kicking off EdgeSync
– Create an EdgeSubscription file using EMS
• New-EdgeSubscription -FileName "path"
• This creates an ADAM account on the Edge server
• Clears the deck for config import from Exchange org
• Local Edge interface will be locked for Edge Transport objects
– Import the EdgeSubscription file on a Hub Transport
• EMC -> Org -> Hub -> Edge Subscriptions
• This will create the EdgeSync relationship
• This will auto-generate needed connectors between Hub and Edge
• Restart the Exchange EdgeSync service on the hub server


Edge Subscription – Part 2
• Data replication will begin
– Recipient data
– Accepted domains
– Remote domains
– Safe Senders
– Send Connector configuration
• Verify EdgeSync is working:
– do a Get-AcceptedDomain
– check Send Connectors
– Config data will sync each hour, recipient data every four hours
– To manually initiate full synchronization: Start-EdgeSynchronization
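The two Edge Subscription slides as one shell sequence, added here as an example and not taken from the course. It assumes Exchange 2007 SP1 EMS; C3GEDGE and C3MAIL07 are the lab names from the network diagrams, while the XML path and the Active Directory site name are placeholders. The verification commands are the ones the slide names (Get-AcceptedDomain, send connectors) plus Test-EdgeSynchronization, which SP1 provides for exactly this purpose.

```powershell
# Added example (not from the course): EdgeSync subscription from both sides,
# with verification. Exchange 2007 SP1 EMS. Paths and site name are placeholders.

# ---------- On the Edge Transport (C3GEDGE; not a domain member, own ADAM) ----------
# Exports the subscription and creates the ADAM credentials EdgeSync will use.
# After this, Edge-side accepted domains and connectors are read-only locally.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"   # PLACEHOLDER path
# Move the XML to the Hub by removable media or secure copy and import it
# within 24 hours; the file contains credentials, so delete it afterwards.

# ---------- On the Hub Transport (C3MAIL07) ----------
# Import creates the EdgeSync relationship and auto-generates the Hub<->Edge
# send/receive connectors (-CreateInternetSendConnector defaults to $true).
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Site "Default-First-Site-Name"   # PLACEHOLDER site
Restart-Service -Name MSExchangeEdgeSync

# Force a full sync rather than waiting for the hourly config / 4-hourly recipient cycle.
Start-EdgeSynchronization

# Verification on the Hub: SP1's test cmdlet reports per-Edge sync status, and
# the generated connectors should now exist with the Hub as source server.
Test-EdgeSynchronization | Format-List
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize

# Verification on the Edge after the sync: the org's accepted domains should be
# present, which is what lets the Edge reject mail for non-existent domains.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
```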
Securing the Edge
• Using the Security Configuration Wizard
– This tool can be used to "harden" a server for specific roles
– Requires Windows 2003 R2 or SP1
– Add the component via Add/Remove Programs
– Register the E2007 SCW extension
• scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
– Create a policy using the appropriate Exchange role


Best Practices

• Recommendations
– Create a postmaster mailbox
– Use a dual-NIC Edge server
– Consider the one-forest limitations of
EdgeSync
– Use EdgeSync rather than setting up all
connectors manually


Wrap-up
• Where we've been:
– Management requests
– Edge Transport role functions/architecture
– Network changes
– Edge role installation
– EdgeSync and ADAM
– Edge security
– Best practices
Video 19
Configuring Edge Anti-Spam
Components


Where we're going
• Architecture
• Installing the edge anti-spam filters on the hub transport
• Connection filtering
• Sender filtering
• Recipient filtering
• SenderID filtering
• SPF records
• Content filtering
• Attachment filters
• Transport rules
• Address rewrite agent
• Safelist aggregation
• Best practices


Scenario

• Management Requests
– Set up and configure spam filters
– Block mail from a particular spammer network
– Ensure local compliance with best practices
– Copy any mail from the "eustocktradernetwork.com"
domain to Chumnus
– Rewrite outbound mail addresses from
orders@cashcowcapitalgroup.com to be from
orders@eustocktradernetwork.com
Anti-Spam Architecture
• How the Anti-Spam filter system is designed
– Mail is processed by filters before delivery
– Filters are processed in a particular order
• Connection filter
• Address Rewrite agent
• Edge Transport Rule agent
• SenderID filter
• Recipient/Sender filter
• Content filter
• Attachment filter
• Virus scan
– The order of the filters in the GUI is the order of processing
– Some filters rely on outside verification, others on EdgeSync data


Hygiene on Hub
• Installing the anti-spam filters on the Hub Transport
– Run the Install-AntispamAgents.ps1 script on the Hub server
– Use the new Anti-Spam tab in the EMC


Connection Filtering
• Configuring Connection Filtering
– IP Allow List
– IP Block List
– IP Allow List Providers (whitelist)
– IP Block List Providers (RBL)
• DNSBL.SORBS.NET
• DNSBL.NJABL.ORG
• CBL.ABUSEAT.ORG
• LIST.DSBL.ORG
• BL.SPAMCOP.NET
• ZEN.SPAMHAUS.ORG - paid subscription
– Get-AntispamTopRBLProviders.ps1 script
Sender Filtering
• Configuring Sender Filtering
– Blocked senders
• By domain
• By address
– Blocking blank senders
– Action options
• Reject
• Stamp with SCL info and process

Recipient Filtering
• Configuring Recipient Filtering
– Block by recipient address
– Block non-GAL recipients
– Tarpitting is tied to this agent


SenderID Filtering
• Configuring SenderID Filtering
– How SenderID works
[Diagram: the Sender Dolph@strangecastle.com submits mail through the Foreign Mail Server mail.strangecastle.com, which delivers across the Public Internet to the Edge Server. The Edge Server looks up the SPF Record for strangecastle.com in public DNS before handing the mail to the Hub/Mailbox Server on the Private Network.]
SPF Records
• Setting up an SPF record
– Use the Sender ID Framework SPF Record Wizard at Microsoft's site
– Create a TXT record on the DNS server for your zone
• Paste data that the wizard generated as the "value" of the TXT record
• Name the record: yourdomain.com. (don't forget the period at the end)


Content Filtering
• Configuring Content Filtering
– Content filter uses SmartScreen technology to calculate Spam Content Level (SCL) ratings
– SCL ratings go from 0 to 9 -- 9 is most likely to be spam
– Filter is regularly updated via Windows Update
– Content filter can also identify phishing attempts
– Set three actions based on SCL ratings:
• Delete
• Reject
• Quarantine
– Safe Sender aggregation
– Outlook E-Mail Postmark Validation
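The three SCL actions in shell form, as an added example that is not course material. It follows the Best Practices slide later in this video: start by only stamping messages (so false positives land in Junk E-mail where users can see them), and switch on delete/reject/quarantine only once the scores are understood. It assumes Exchange 2007 SP1 EMS on the server running the anti-spam agents; the quarantine mailbox address is a placeholder, and the delete > reject > quarantine ordering guard is my own check, not a property of the cmdlet.

```powershell
# Added example (not from the course): content-filter thresholds in two phases.
# Exchange 2007 SP1 EMS. The quarantine mailbox is a PLACEHOLDER.
$quarantine = "spamquarantine@cashcowcapitalgroup.com"   # PLACEHOLDER mailbox

# Phase 1: stamp the SCL but take no server-side action. Messages at or above
# the junk threshold go to the user's Junk E-mail folder, where a wrong score
# is visible and recoverable instead of silently lost.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $false -SCLRejectEnabled $false -SCLQuarantineEnabled $false
Set-OrganizationConfig -SCLJunkThreshold 4

# Phase 2 (later): delete the obvious, reject the likely, quarantine the grey.
# Each action should be stricter than the next, so the guard below insists on
# delete > reject > quarantine before touching the server.
function Set-ScoredSpamActions {
    param([int]$DeleteAt = 9, [int]$RejectAt = 7, [int]$QuarantineAt = 5)
    if (-not (($DeleteAt -gt $RejectAt) -and ($RejectAt -gt $QuarantineAt))) {
        throw "Thresholds must satisfy delete > reject > quarantine"
    }
    Set-ContentFilterConfig `
        -SCLDeleteEnabled     $true -SCLDeleteThreshold     $DeleteAt `
        -SCLRejectEnabled     $true -SCLRejectThreshold     $RejectAt `
        -SCLQuarantineEnabled $true -SCLQuarantineThreshold $QuarantineAt `
        -QuarantineMailbox $quarantine
}
# Set-ScoredSpamActions -DeleteAt 9 -RejectAt 7 -QuarantineAt 5

# Mailboxes that must receive everything (abuse/postmaster) bypass scoring.
Set-ContentFilterConfig -BypassedRecipients "postmaster@cashcowcapitalgroup.com"

# Show the effective configuration.
Get-ContentFilterConfig |
    Format-List Enabled, SCL*Enabled, SCL*Threshold, QuarantineMailbox, BypassedRecipients
```

Keep the quarantine mailbox on a mailbox database with its own quota and a short retention policy; it receives everything the filter is unsure about and grows faster than any user mailbox.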


Attachment Filtering
• Using Attachment Filters
– Filters attachments by file type
– Check the transport agents: Get-TransportAgent
– Check the attachment filters: Get-AttachmentFilterEntry
– Add new filter: Add-AttachmentFilterEntry -Name <name> -Type <FileName|ContentType>
• Ex: Add-AttachmentFilterEntry -Name *.plw -Type FileName
• Ex: Add-AttachmentFilterEntry -Name badfile.doc -Type FileName
• Ex: Add-AttachmentFilterEntry -Name image/png -Type ContentType
– Remove a filter: Remove-AttachmentFilterEntry
– Actions:
• Reject
• Strip
• Silent Delete
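The same three entries from the slide, wrapped in an added Exchange Management Shell example (not course material) that first confirms the Attachment Filtering agent is actually enabled, skips entries that already exist so the script can be re-run, and sets the action for the whole list. It assumes Exchange 2007 SP1 EMS on the Edge Transport, where the agent is installed.

```powershell
# Added example (not from the course): idempotent attachment-filter setup on the
# Edge. Exchange 2007 SP1 EMS.

# Nothing below has any effect unless the agent is present and enabled.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq "Attachment Filtering Agent" }
if (-not $agent) { throw "Attachment Filtering agent is not installed on this server" }
if (-not $agent.Enabled) { Enable-TransportAgent -Identity "Attachment Filtering Agent" }

function Add-FilterEntryIfMissing {
    param(
        [string]$Name,
        [ValidateSet("FileName", "ContentType")][string]$Type
    )
    $exists = Get-AttachmentFilterEntry |
        Where-Object { ($_.Name -eq $Name) -and ($_.Type -eq $Type) }
    if (-not $exists) { Add-AttachmentFilterEntry -Name $Name -Type $Type }
}

# Entries from the slide: a wildcard extension, an exact file name, a MIME type.
Add-FilterEntryIfMissing -Name "*.plw"       -Type FileName
Add-FilterEntryIfMissing -Name "badfile.doc" -Type FileName
Add-FilterEntryIfMissing -Name "image/png"   -Type ContentType

# Strip rather than reject: the message still arrives minus the attachment and
# the recipient is told why, so legitimate mail is not bounced outright.
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "An attachment was removed by the 3CG mail gateway policy."

# Review the complete list and the action in force.
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize
Get-AttachmentFilterListConfig | Format-List Action, AdminMessage, ExceptionConnectors
```

Note that the attachment filter runs before the anti-virus engine (see the Anti-Spam Architecture slide), so stripping a type here means the AV scanner never sees it; keep the list to types you would never want delivered.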

Transport Rules
• Transport Rules available on the Edge
– See demo


Address Rewrite
• Using the Address Rewrite Agent
– Modifies inbound or outbound SMTP headers
– Make sure the rewrite agent is active using Get-TransportAgent
– To create a rewrite entry:
• Use the New-AddressRewriteEntry cmdlet
– Ex: New-AddressRewriteEntry -Name "eustocktrader" -InternalAddress orders@cashcowcapitalgroup.com -ExternalAddress orders@eustocktradernetwork.com


Safelist Aggregation – Part 1
• Using Safelists
– Safelists are created by users in Outlook
– Safelists are applied as part of the content filter
– Safelists are stored on a per-mailbox basis
– Safelists can be gathered and synced up to the Edge Transport server
– Safelists have to be updated with the Update-SafeList cmdlet
– Schedule a nightly update of all safelists
• At 22:00 /every:M,T,W,Th,F,S,Su cmd /c "C:\updatesafelists.bat"

Safelist Aggregation – Part 2
– Contents of the batch file (one line):
"C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe" -psconsolefile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | update-safelist"


Best Practices

• Recommendations
– Disable all filtering initially and enable filters one by
one
– At least initially, choose to mark spam rather than
reject/delete it
– The fewer the filters you can use, the simpler
troubleshooting will be
– Use an external IP block list provider, don't roll your
own
• Expect more latency when using an external list provider
• Sometimes the providers are wrong--is it worth it?


Wrap-up
• Where we've been:
– Architecture
– Filters on the hub transport
– Connection filtering
– Sender filtering
– Recipient filtering
– SenderID filtering
– SPF records
– Content filtering
– Attachment filters
– Transport rules
– Address rewrite agent
– Safelist aggregation
– Best practices
Video 20
Anti-Virus and Exchange 2007


Where we're going

• Architecture
• Supported vendors
• ForeFront overview
• Installing ForeFront
• Testing AV
• Best Practices


AntiVirus Architecture
• A look at anti-virus on Exchange 2007
– Solution needs to be 64-bit
– Good solutions take advantage of new transport agents and MIME-parsing engine
– VSAPI and transport agent scanning vs. file-level AV scanning
– Anti-virus engine scans happen after the attachment filter
– Anti-virus implemented as agents in the message processing pipeline
– Mail headers include AV stamp
• denotes whether it was scanned and by what version of definitions
• Stamp allows for incremental scans
– On-Access scans vs. transport scans vs. background scans

Vendors
• Some AV Offerings for Exchange 2007
– PureMessage from Sophos
– ScanMail Suite from Trend Micro
– MailSecurity from GFI
– F-Secure Antivirus for Exchange 7 from F-Secure
– Symantec Mail Security from Symantec
– Kaspersky Antivirus from Kaspersky Labs
– GroupShield from McAfee
– Microsoft ForeFront (the rebranded Sybari Antigen)


Installing ForeFront
• ForeFront install process
– Download ForeFront with SP1 if your server already has SP1 installed
– Run the setup program
– Configure alert details
– Check default settings
– For more configuration info see this document:
• Introduction to ForeFront Security for Exchange Server Best Practices


Best Practices – Part 1
• Recommendations
– Run AV on all desktops as well as on the mail gateway
– Kick off a full background scan after first installing the AV to check existing mail
– Schedule off-hours background scanning in addition to basic on-access scanning
• Set scan to RE-scan mail received during last 48-72 hours
– For ForeFront, use the Scan on Scanner Update option to rescan with new definitions during outbreaks

Best Practices – Part 2
– For ForeFront configuration, default settings are the recommended settings
– Install AV on both hub/mailbox and edge roles, but configure scan settings identically
– Configure exclusions for file-level scanning if using a file-level AV solution:
• Folder
• File type
• Process
• see "File-Level Antivirus Scanning on Exchange 2007" article
– http://technet.microsoft.com/en-us/library/bb332342.aspx


Wrap-up
• Where we've been:
– Architecture
– Supported vendors
– ForeFront overview
– Installing ForeFront
– Testing AV
– Best Practices


Video 21
Configuring Backups

Where we're going

• Database/backup architecture
• Knowing what to back up
• Using NTBackup
• Volume Shadow Copy
• Local Continuous Replication
• Standby Cluster Replication
• Recommendations

Backup Essentials
• What you need to know about backing up Exchange
– A standard on-line file backup of Exchange databases will not be easily recoverable
– An "image" backup of a server with Exchange is not usually a good backup solution
– Only an off-line file-level backup of DB and logs can capture data store accurately.
– An "Exchange-aware" backup
• Can capture data properly while DB is on-line
• Must be done for log file maintenance to be done
– NTBackup and many 3rd-party backup solutions are "Exchange-aware"
– Microsoft uses NTBackup to back up data in its clustered Exchange 2007 environment
Recoverability point = proper backup + logs since that backup


What to back up
• What should you back up?
– Your mail and public folder databases - in an Exchange-aware fashion
– System State (and/or have multiple domain controllers)
– Data under Program Files\Microsoft\Exchange Server\
• Exclude the Storage Group Folders under the Mailbox directory
Using NTBackup
• How to properly back up Exchange with NTBackup
– Demo


VSS
• Options for using Volume Shadow Copy
– There are actually two types of Exchange backups:
• Streaming (legacy)
• VSS (bleeding edge)
– Exchange-aware VSS works with Exchange to pause DB operations temporarily
– Process normally only takes a few seconds
– Restores can be applied very rapidly
– VSS can be run against the passive LCR copy of a database to further minimize disruption
– VSS requires fast disk access
– Microsoft System Center's Data Protection Manager supports VSS snapshots re: Exchange
• So do products made by IBM, Commvault, EMC and other enterprise vendors


Setting up LCR
• How to configure Local Continuous Replication for data protection
– LCR creates a passive copy of the active databases
• An initial "seeding" copies the existing DB
• Transaction logs copied to the LCR directory are applied to the passive DB
– Configure LCR to create the database copy on another drive (internal or external)
– Replicating Storage Groups can only contain a single database
– Public folder stores cannot be replicated with this method
– Consider using mount points to make recovery simpler
• Moving the database files
• Setting up the NTFS volume mount points
– LCR will increase your processor overhead due to log/database activity
SCR Basics
• Standby Cluster Replication basics
– Like LCR, but the passive database exists on a remote Exchange 2007 mailbox server
– Multiple remote server targets can be configured for a single store
– Target servers must be in the same AD
– Configurable delay in log replication to block logical corruption
– If original mailbox store goes offline, a passive copy can be made active
– Requires Exchange 2007 SP1
Due to the bad moon on the rise, we will not be covering Clustered Continuous Replication (CCR)

Best Practices

• Recommendations
– Set up LCR for cheap additional protection, but use a separate
disk or set of disks
– Do "Exchange-aware" backups!
– Protect your logs
– Don't spurn NTBackup
– Don't forget system state backups
– Look at a VSS-aware backup application if budget allows
– Test your backups by doing practice recoveries
– Don't back up your databases on the file level at all, unless
offline or with VSS
– Take daily backups unless you have LCR set up, in which case
you can do them weekly

Wrap-up
• Where we've been:
– Database/backup architecture
– Knowing what to back up
– Using NTBackup
– Volume Shadow Copy
– Local Continuous Replication
– Standby Cluster Replication
– Recommendations
© Train Signal, Inc., 2002-2007

70
Video 22
Disaster Recovery


Where we're going

• A look at scenarios of increasing cruelty
• Walkthrough of several types of recovery
• Best practices for recovery

Scenario

• Recovering from several types of disasters
– Items deleted last week and the Deleted Items folder subsequently
emptied
– Items deleted two months ago
– Mailbox deleted last week
– Mailbox deleted four months ago
– Store corruption
– Server failure

Recovering Deletions

• Recovering Deleted Items
– Users can recover their own deleted items via the Recover Deleted
Items option in Outlook or OWA
– The deleted item retention period is 14 days by default (set per
database)
– Items older than the retention period can only be restored from a
backup that contains them
• The process for this is the same as mailbox recovery (Recovery
Storage Group)

Recovering a mailbox

• Mailbox recovery process
– Use the Database Recovery Management tool
– Build a Recovery Storage Group (RSG)
– Restore the source database from backup into the RSG
– Mount the restored database in the RSG
– Select mailbox merge options
– Run the extraction -> import of mail items
To recover an entire deleted mailbox, a new mailbox can be
created and the restored data merged into it.
Recently deleted mailboxes (within the mailbox retention period,
30 days by default) are only disconnected, not gone, and can be
reconnected using the Disconnected Mailbox node in the EMC.
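The Recovery Storage Group workflow from the slide, done in the Exchange Management Shell instead of the Database Recovery Management wizard, as an added example that is not the course's own code. It also covers the disconnected-mailbox reconnect and the two retention windows the slides mention. The server 3CGMAIL, the default storage group and database names, the R: scratch volume and the users henry / "Henry Smith" are assumptions for the 3CG lab; the restore-from-backup step itself runs in NTBackup or your VSS application.

```powershell
# Added example (not the course's code): the Recovery Storage Group workflow from
# the slide done in the Exchange Management Shell instead of the Database Recovery
# Management wizard, plus the reconnect path for a recently deleted mailbox.
# Assumptions for the 3CG lab: server 3CGMAIL, the default storage group and
# database names, the R: scratch volume, and users henry / "Henry Smith".

$server = "3CGMAIL"
$liveDb = "$server\First Storage Group\Mailbox Database"
$rsgDb  = "$server\RSG\Mailbox Database"

# Retention windows behind the two slides: deleted items kept 14 days, deleted
# (disconnected) mailboxes kept 30 days before the store purges them
Set-MailboxDatabase -Identity $liveDb -DeletedItemRetention "14.00:00:00" -MailboxRetention "30.00:00:00"

# 1. Create the RSG and a database object matching production (the name must match)
New-StorageGroup -Server $server -Name "RSG" -Recovery -LogFolderPath "R:\RSG" -SystemFolderPath "R:\RSG"
New-MailboxDatabase -MailboxDatabaseToRecover "Mailbox Database" -StorageGroup "$server\RSG" `
    -EdbFilePath "R:\RSG\Mailbox Database.edb"

# 2. Let the Exchange-aware restore overwrite the RSG database, run the restore in
#    NTBackup (or the VSS application) with the RSG as the target, then mount it
Set-MailboxDatabase -Identity $rsgDb -AllowFileRestore $true
# ... run the restore from backup here ...
Mount-Database -Identity $rsgDb

# 3. Items deleted last week: merge only the matching window back into Henry's live
#    mailbox, under a folder he can sort through, rather than the whole backup copy
Restore-Mailbox -Identity henry -RSGDatabase $rsgDb -RSGMailbox henry `
    -TargetFolder "Recovered Items" -StartDate (Get-Date).AddDays(-14) -SubjectKeywords "Invoice"

# 3b. Mailbox deleted four months ago (past the 30-day window): create a new mailbox
#     for the user first, then merge the full RSG copy into it
# Restore-Mailbox -Identity henry -RSGDatabase $rsgDb -RSGMailbox henry

# 4. Mailbox deleted last week: it is only disconnected, so reconnect it to the
#    (re-created) AD account; no restore needed
$orphan = Get-MailboxStatistics -Server $server |
    Where-Object { $_.DisconnectDate -ne $null -and $_.DisplayName -eq "Henry Smith" }
Connect-Mailbox -Identity $orphan.MailboxGuid -Database $orphan.Database -User henry

# 5. Clean up: the RSG is a full copy of production data, so do not leave it around
Dismount-Database -Identity $rsgDb -Confirm:$false
Remove-MailboxDatabase -Identity $rsgDb -Confirm:$false
Remove-StorageGroup -Identity "$server\RSG" -Confirm:$false
Remove-Item "R:\RSG" -Recurse -Force    # Remove-MailboxDatabase leaves the files on disk
```

Step 3 is the security-relevant one: an RSG holds a complete copy of a production database, so merge only the date range or subject the user actually lost and remove the RSG files when done, rather than leaving a second, unmonitored copy of everyone's mail on a scratch volume.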

Recovering a Corrupt Store – Part 1
• Recovering the store
– Two options for recovery
• LCR/SCR copy of the database
• Restore the database from an Exchange-aware backup
– LCR Recovery
• Dismount the corrupted store if it is still mounted
• Run Restore-StorageGroupCopy -Identity "First Storage
Group"
– Swap mount points so the LCR copy sits at the live paths
– Or use the -ReplaceLocations parameter to point the storage
group at the copy's paths instead
• Mount the database copy
• Restore-StorageGroupCopy disables LCR for the storage group;
re-enable and re-seed it once the database is healthy again

Recovering a Corrupt Store – Part 2
– Recovery from backup to the original server
• Dismount the target database
• Set the database to allow overwriting (Set-MailboxDatabase
-AllowFileRestore $true, or the "This database can be overwritten
by a restore" checkbox in the EMC)
• Select the Exchange-aware restore and run it

Database Portability

• Mail databases can be restored on a separate server
– Remember that databases are portable!
– Restores can be made to any Exchange 2007 mailbox server in
the organization
• The target SG will need a new mailbox database created first (same
name!) and set to allow file restores
• Restore the .edb file and logs to the SG data directories
• Mount the mailbox database in the EMC (a database copied in at the
file level must be in a clean shutdown state first)
• Run this cmdlet to properly associate the mailboxes with the new
server:
– Get-Mailbox -Database "oldserver\dbname" | Move-Mailbox
-TargetDatabase "newserver\dbname" -ConfigurationOnly: $True
• Outlook 2007 clients will automatically reconfigure via Autodiscover
to find the mailbox; older clients need their profile repointed
– Public folder databases cannot be restored to another server
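Database portability end to end in the EMS, as an added example that is not the course's own code, including the clean-shutdown check that the slide's "mount it" step depends on when the files were copied in rather than restored by an Exchange-aware backup. The old server 3CGMAIL (dead), the new server 3CGMAIL2, the D: and L: drive letters and the default storage group and database names are assumptions; $exbin is the Exchange Management Shell's variable for the Exchange bin directory.

```powershell
# Added example (not the course's code): database portability end to end, including
# the clean-shutdown check that the slide's "mount it" step depends on when the
# files were copied in rather than restored. Assumptions: old server 3CGMAIL (dead),
# new server 3CGMAIL2, drive letters D:/L:, default SG and database names.
# $exbin is the Exchange Management Shell's variable for the Exchange bin directory.

$old    = "3CGMAIL"
$new    = "3CGMAIL2"
$sgName = "First Storage Group"
$dbName = "Mailbox Database"      # must match the original database name exactly
$oldDb  = "$old\$sgName\$dbName"
$newDb  = "$new\$sgName\$dbName"

# 1. Storage group and database objects on the new server, at the paths the
#    restored files will occupy
New-StorageGroup -Server $new -Name $sgName -LogFolderPath "L:\$sgName" -SystemFolderPath "L:\$sgName"
New-MailboxDatabase -StorageGroup "$new\$sgName" -Name $dbName -EdbFilePath "D:\$sgName\$dbName.edb"

# 2. Allow the restore (or a file copy) to replace the empty database just registered
Set-MailboxDatabase -Identity $newDb -AllowFileRestore $true
# ... restore or copy the .edb, .log and .chk files into D:\ and L:\ now ...

# 3. A database copied in at the file level must be in a clean shutdown state;
#    check the header and replay logs (soft recovery) if it is not.
#    Exchange-aware restores do this for you.
$prefix = (Get-StorageGroup -Identity "$new\$sgName").LogFilePrefix    # e.g. E00
$header = & "$exbin\eseutil.exe" /mh "D:\$sgName\$dbName.edb"
if ($header -match "Dirty Shutdown") {
    & "$exbin\eseutil.exe" /r $prefix /l "L:\$sgName" /d "D:\$sgName"
    if ($LASTEXITCODE -ne 0) { throw "Soft recovery failed; do not mount, restore from backup instead" }
}
Mount-Database -Identity $newDb

# 4. Repoint every mailbox that lived in the old database. -ConfigurationOnly
#    rewrites the AD attributes (homeMDB etc.) without touching any data.
Get-Mailbox -Database $oldDb -ResultSize Unlimited |
    Move-Mailbox -TargetDatabase $newDb -ConfigurationOnly:$true -Confirm:$false

# 5. Verify the repoint; Outlook 2007 clients will find the new server via Autodiscover
Get-Mailbox -Database $newDb -ResultSize Unlimited | Measure-Object | Select-Object Count
```

Get-Mailbox still resolves the old database in step 4 because the database object lives in AD, not on the dead server; that is also why the new database must carry the same name.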

Recovering a server – Part 1

• How to recover after a fried/drowned/stolen server
– Build a new server with the same name and join it to the domain
• Reset the computer account in AD before joining the
replacement
• Create identical partitions/disks (size can be larger)
• Install required Windows components and Exchange role
prerequisites
– Run Exchange Setup.com from the command line using the
/m:RecoverServer switch (the server's configuration object must
still exist in AD)
• Restores all roles and every setting stored in AD (organization-
level and server-level objects, including connectors)
• Does not restore certificates, databases, or locally stored
configuration (e.g. EdgeTransport.exe.config, OWA customizations)
– Create new storage groups and databases at the old paths

Recovering a server – Part 2

– Recover mail and public folder databases from backup
• For recoveries from NTBackup, media will have to be cataloged
prior to restore
• If public folders were replicated to another server, recovery from
backup won't be necessary
– Another recovery path if recovery is to the original hardware:
• Reinstall Windows 2003 Server and bring it up to the proper patch
level
• Install needed Windows components and prerequisites
• Restore all Exchange program directories and System State
• Restore databases to the proper location
– Edge Transport servers are not in AD, so /m:RecoverServer does not
apply to them: clone an Edge server's configuration with
ExportEdgeConfig.ps1 ahead of time and bring it back with
ImportEdgeConfig.ps1, then re-subscribe it
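The command-line side of the rebuild and of the Edge clone described in the two slides above, as an added example that is not the course's own code. The server names 3CGMAIL and 3CGEDGE, the Setup media under D:\Exchange2007, the C:\EdgeClone and C:\Restore working folders and the AD site name "Chicago" are assumptions for the 3CG lab; $exscripts is the EMS variable for the Exchange Scripts directory.

```powershell
# Added example (not the course's code): the command-line side of the two rebuild
# paths above, and the Edge clone. Assumptions for the 3CG lab: server names 3CGMAIL
# and 3CGEDGE, Setup media under D:\Exchange2007, C:\EdgeClone and C:\Restore as
# working folders, and "Chicago" as the AD site name. $exscripts is the EMS variable
# for the Scripts directory. Setup.com runs before the EMS exists, so use a normal prompt.

# 1. On a domain controller, reset the old computer account before re-joining the
#    rebuilt box under the same name (Windows 2003 has no AD cmdlets, hence netdom):
#    netdom reset 3CGMAIL /domain:cccapitalgroup.com

# 2. On the rebuilt, domain-joined server with all prerequisites installed.
#    It is Setup.com, not Setup.exe, that takes the /m switch, and the server's
#    configuration object must still exist in AD for this to work.
& "D:\Exchange2007\Setup.com" /m:RecoverServer

# 3. What RecoverServer leaves for you (all local to the box, not in AD):
#    - certificates: re-import the backed-up .pfx and re-enable it for its services
#    - local config files such as EdgeTransport.exe.config, OWA customisations
#    - the databases: recreate storage groups/databases at the old paths, set
#      -AllowFileRestore $true on each, then restore from backup
$cert = Import-ExchangeCertificate -Path "C:\Restore\3cgmail.pfx" -Password (Read-Host "PFX password" -AsSecureString)
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS, SMTP"

# --- Edge Transport: not in AD, so RecoverServer does not apply. Clone it instead. ---
# On the running Edge server, before anything goes wrong:
Set-Location $exscripts
.\ExportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml"

# On the replacement Edge (same name, Edge role freshly installed): a validation pass
# writes an answer file for server-specific values (IP addresses, paths); review it,
# then import for real
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml" -IsImport $false `
    -CloneConfigAnswer:"C:\EdgeClone\CloneConfigAnswer.xml"
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml" -IsImport $true `
    -CloneConfigAnswer:"C:\EdgeClone\CloneConfigAnswer.xml"

# Finally re-subscribe the new Edge so EdgeSync resumes:
#   on the Edge:  New-EdgeSubscription -FileName "C:\EdgeClone\3cgedge.xml"
#   on a Hub:     New-EdgeSubscription -FileName "C:\EdgeClone\3cgedge.xml" -Site "Chicago"
```

The exported clone file contains the Edge's connectors, anti-spam settings and transport rules, so treat it like any other configuration backup and keep it somewhere the Edge server itself cannot be the only copy of.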

Best Practices

• Recommendations
– Document your configuration completely for disaster recovery
purposes
– Use the Database Troubleshooter tool if you have databases
which fail to mount
– Learn to use ESEUTIL to do VERY occasional offline defrags
and repairs
• It's found in the Exchange Server\Bin directory
• Many of the ESEUTIL operations are integrated into the Recovery
Tool wizards
– Delete RSG files when you are done with them
– DO PROPER BACKUPS!


Wrap-up

• Where we've been:


– We prepared a disaster gauntlet
– Walkthrough several types of recovery
– Best practices for recovery

© Train Signal, Inc., 2002-2007

74
Video 23
Transport Layer Security


Where we're going

• Management Requests
• TLS Architecture
• Setting up TLS
• Recommendations

Scenario

• Management Request
– A partner company, EUStockTradersNetwork.com, needs to
encrypt all email between our network and theirs

TLS Architecture

• Transport Layer Security in a nutshell
– TLS is the standardized successor of SSL: it encrypts
higher-layer protocol traffic on top of TCP and relies on an
X.509 certificate
– The client uses the server's certificate (public key) to agree on
a session key; the symmetric session key then encrypts the data
in both directions
– The certificate is either issued by a 3rd-party trusted root CA
or exchanged privately (self-signed); either way it serves to
verify the server's identity to the client
– SMTP upgrades an existing port 25 session with the STARTTLS
command rather than using a separate encrypted port
– Where it sits in the stack:
• Application Layer: HTTP, FTP, SMTP
• Transport Layer: TCP, TLS
• Network Layer: IP

TLS Types – Part 1

• Transport Layer Security in 2007
– Opportunistic TLS
• Enabled by default; required manual setup in Exchange 2003
• A self-signed cert is used by default
• Always ready to allow an inbound session to request encryption
via the receiving server's cert (STARTTLS is advertised in the
EHLO response)
• The receiving end provides the cert and handles the encryption
• E2007 is always ready to request encryption as a sender, but falls
back to clear text if the other side does not offer STARTTLS

TLS Types – Part 2

– Mutual TLS
• Requires setup
• Both servers authenticate each other's certs
• MTLS is the foundation of "Domain Security"
– Direct Trust
• What EdgeSync sets up to allow TLS between Hub and
Edge
• Certs are stored in AD and ADAM; presence in the directory is
what validates the certificate, not a CA chain
• Also used to encrypt Exchange traffic within the organization

Implementing TLS

• Enabling Mutual TLS
– Opportunistic TLS (prerequisite)
• Get-ExchangeCertificate on the Edge (or Internet-facing Hub)
• Enable-ExchangeCertificate -Thumbprint <thumbprint>
-Services SMTP
• If necessary, install the needed cert on the Edge server before
enabling it
– Mutual TLS
• Make sure that each server has a cert that the other trusts (3rd-
party CA, or a CA each side has been configured to trust)
• Enable Domain Security on the Send connector (which must use DNS
routing, not a smart host) and on the Receive connector
• Add the remote domain to the organization's TLSSendDomainSecureList
and TLSReceiveDomainSecureList (Set-TransportConfig), not to the
connectors themselves
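Domain Security (mutual TLS) with the partner from the scenario, done in the Exchange Management Shell on the Internet-facing Hub or Edge server, as an added example that is not the course's own code. The connector name Inet, the Hub server 3CGHUB, the certificate subject and SAN names under cccapitalgroup.com and the C:\certs paths are assumptions; the partner domain is the one the scenario names.

```powershell
# Added example (not the course's code): Domain Security (mutual TLS) with the partner
# from the scenario, done in the Exchange Management Shell on the Internet-facing Hub
# (or Edge) server. Assumptions: connector name Inet, Hub server 3CGHUB, certificate
# subject/SAN names under cccapitalgroup.com and the C:\certs paths. The partner
# domain is the one the scenario names.

$partner = "eustocktradersnetwork.com"

# 1. A certificate the partner can validate: request it, get it signed by a CA the
#    partner trusts, import the response and bind it to SMTP
New-ExchangeCertificate -GenerateRequest -Path "C:\certs\mail.req" `
    -SubjectName "C=US,O=Cash Cow Capital Group,CN=mail.cccapitalgroup.com" `
    -DomainName "mail.cccapitalgroup.com","cccapitalgroup.com" -PrivateKeyExportable $true
# ... submit C:\certs\mail.req to the CA, save the signed cert as C:\certs\mail.cer ...
$cert = Import-ExchangeCertificate -Path "C:\certs\mail.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. Send side: Domain Security requires DNS (MX) routing, not a smart host, and
#    STARTTLS must not be ignored
Set-SendConnector -Identity "Inet" -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false

# 3. Receive side: TLS must be among the offered authentication mechanisms.
#    (-AuthMechanism replaces the whole list; keep any others you still need.)
Set-ReceiveConnector -Identity "3CGHUB\Inet" -DomainSecureEnabled $true -AuthMechanism "Tls"

# 4. The partner domain goes on the organisation-wide lists in the transport config,
#    not on the connectors. Append so existing partners are not dropped.
$tc   = Get-TransportConfig
$send = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" }) + $partner
$recv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" }) + $partner
Set-TransportConfig -TLSSendDomainSecureList $send -TLSReceiveDomainSecureList $recv

# 5. Read back the pieces a failed handshake usually comes down to
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector "Inet" | Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS, Fqdn
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Thumbprint, Subject, CertificateDomains, IsSelfSigned, NotAfter
```

Once a domain is on the secure lists, mail to or from it that cannot complete mutual TLS is held in the queue rather than sent in the clear, which is the point of Domain Security; the trade-off is that an expired certificate on either side stops partner mail outright, so watch NotAfter.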

Best Practices

• Recommendations
– Turn on protocol logging to aid troubleshooting:
• Set-ReceiveConnector Inet -ProtocolLoggingLevel Verbose
• Set-SendConnector Inet -ProtocolLoggingLevel Verbose
– Use 3rd-party certs, not the default self-signed cert (a partner
cannot validate a self-signed cert without out-of-band work)
– Check the EHLO response to verify TLS is offered (250-STARTTLS) and
the protocol log to verify it was actually negotiated
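A small STARTTLS probe that shows the EHLO feedback the slide refers to and the certificate the other side presents, as an added example that is not the course's own code. It uses .NET directly, so it runs from any Windows PowerShell, not only the EMS. The partner host name and our HELO name are assumptions.

```powershell
# Added example (not the course's code): probe an MTA for STARTTLS support, upgrade the
# session and report the certificate it presents. Pure .NET, so it runs from any
# Windows PowerShell. The partner host name and the HELO name are assumptions.

function Test-SmtpStartTls {
    param([string]$HostName, [int]$Port = 25, [string]$HeloName = "mail.cccapitalgroup.com")

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply; "250-..." lines continue it, "250 ..." ends it
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }

    Read-Reply | Out-Null                        # 220 banner
    $writer.WriteLine("EHLO $HeloName")
    $ehlo = Read-Reply
    $offersTls = [bool]($ehlo -match '^250[- ]STARTTLS')
    Write-Host ("{0}:{1} advertises STARTTLS: {2}" -f $HostName, $Port, $offersTls)

    if ($offersTls) {
        $writer.WriteLine("STARTTLS")
        $resp = Read-Reply
        if ($resp[-1] -match '^220') {
            # Upgrade the socket. AuthenticateAsClient validates the chain against the
            # local trust store and the name against the cert, and throws if either
            # fails: the same failure a mutual-TLS handshake would hit.
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            Write-Host ("Protocol {0}, cipher {1} {2}-bit" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength)
            Write-Host ("Subject: {0}" -f $cert.Subject)
            Write-Host ("Issuer : {0}" -f $cert.Issuer)
            Write-Host ("Expires: {0}" -f $cert.NotAfter)
            # Say goodbye over the encrypted channel, not the plaintext writer
            $sslWriter = New-Object System.IO.StreamWriter($ssl)
            $sslWriter.NewLine = "`r`n"; $sslWriter.AutoFlush = $true
            $sslWriter.WriteLine("QUIT")
        }
    } else {
        $writer.WriteLine("QUIT")
    }
    $client.Close()
    return $offersTls
}

# Usage (host name is an assumption). A self-signed or name-mismatched certificate
# makes AuthenticateAsClient throw, which tells you the partner will never get past
# the mutual-TLS step without a 3rd-party cert.
Test-SmtpStartTls -HostName "mail.eustocktradersnetwork.com"
```

Run it against your own Edge or Hub from outside as well: the EHLO response proves STARTTLS is offered, and the certificate details prove which certificate Enable-ExchangeCertificate actually bound to SMTP.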

Wrap-up

• Where we've been:
– TLS architecture
– Implementations in Exchange 2007
– Setting up Mutual TLS
– Best Practices

Video 24
Advanced Mailbox Topics


Where we're going

• Management requests
• Delegating mailboxes
• Linked mailbox architecture
• Using linked mailboxes
• Managed folder architecture
• Setting up managed folder policies
• Recommendations

Scenario

• Management Requests:
– Give Clive full access to Henry's mailbox
– Allow the server to host mailboxes for users from
a trusted domain
– Auto-delete mail that's been in Deleted Items
more than seven days
– Create a special folder for payment
information that is deleted after 45 days

Delegation

• How to delegate mailbox access:
– Two typical scenarios: Send-As and Full Access
– Three ways to do it:
• Using ADUC (Send-As only; Full Access is a mailbox permission,
not an AD one)
– Turn on Advanced Features
– In the Security tab of the user object
• Using the EMC
– Right-click the recipient and choose Manage Send As
Permission / Manage Full Access Permission
• Using the EMS
– Add-ADPermission -Identity <user> -User <delegate>
-ExtendedRights "Send-As"
– Add-MailboxPermission -Identity <user> -User <delegate>
-AccessRights FullAccess
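The two EMS grants for the scenario followed by an audit of every explicit delegation in the organization, as an added example that is not the course's own code. The audit is the check to run before anyone asks who can read a given executive's mail. The mailbox aliases henry and clive come from the scenario; the rest is standard EMS.

```powershell
# Added example (not the course's code): the two EMS grants for the scenario, then an
# audit of every explicit delegation in the org. Mailbox aliases henry / clive are the
# scenario's; everything else is standard Exchange Management Shell.

# Full Access is a mailbox (store) permission
Add-MailboxPermission -Identity "henry" -User "clive" -AccessRights FullAccess -InheritanceType All

# Send-As is an AD extended right on the user object
Add-ADPermission -Identity "henry" -User "clive" -ExtendedRights "Send-As"

# Audit: explicit (non-inherited, non-deny) FullAccess and Send-As grants, which is
# what delegation creates. Inherited entries and NT AUTHORITY\SELF are the default
# ACL and are filtered out as noise.
function Get-MailboxDelegations {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           ($_.AccessRights -contains "FullAccess") -and
                           ("$($_.User)" -notlike "NT AUTHORITY\*") } |
            Select-Object @{n="Mailbox"; e={$mbx.Alias}}, @{n="Right"; e={"FullAccess"}}, User
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           ("$($_.ExtendedRights)" -match "Send-As") -and
                           ("$($_.User)" -notlike "NT AUTHORITY\*") } |
            Select-Object @{n="Mailbox"; e={$mbx.Alias}}, @{n="Right"; e={"Send-As"}}, User
    }
}

Get-MailboxDelegations | Sort-Object Mailbox, Right | Format-Table -AutoSize

# Delegated access is a standing privilege: revoke it when the need ends
# Remove-MailboxPermission -Identity "henry" -User "clive" -AccessRights FullAccess -InheritanceType All
# Remove-ADPermission -Identity "henry" -User "clive" -ExtendedRights "Send-As"
```

Run the audit periodically and diff the output: a Full Access grant is invisible to the mailbox owner, so an unexpected line here is the only place a leftover or malicious delegation shows up.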

Linked Mailboxes

• What are linked mailboxes?
– Local mailboxes for users whose accounts live in a separate,
trusted domain or forest
– Used in account/resource forest environments
– A linked mailbox has a local, disabled AD account; its
msExchMasterAccountSid attribute points at the user's real
(linked master) account, which is what actually logs on
– The trust (resource forest trusting the account forest) has to be
established beforehand

Managed Folders – Part 1

• How Managed Folders work:
– Managed Folders are global folders that can have
content policies applied to them
– There are default managed folders and custom
managed folders
– Default managed folders already exist, and can have
policies applied to them
– For custom folders, first set up the folder, then define
the content policy

Managed Folders – Part 2

– The Managed Folder Assistant (MFA) service runs on its
schedule to enforce the content settings
• Run the MFA manually with the Start-
ManagedFolderAssistant cmdlet
– By default the MFA has no schedule, so it never runs until
one is set (Set-MailboxServer -ManagedFolderAssistantSchedule)
For custom managed folders to be created in a user's mailbox,
the user has to THEN be assigned a managed folder mailbox
policy that links the folder, and the MFA has to run.

Folder Policies

• Implementing a managed folder policy:
– Create the policy and add managed folders to it
– Assign the policy to users
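The two retention requests from the scenario implemented with managed folders in the EMS, covering the folder, content-settings, policy, assignment and scheduling steps of the slides above, as an added example that is not the course's own code. The policy, folder and content-setting names, the mailbox server 3CGMAIL and an OU called Traders for the users who receive the policy are assumptions.

```powershell
# Added example (not the course's code): the two retention requests from the scenario
# implemented with managed folders in the EMS. Assumptions: policy/folder/content
# setting names, mailbox server 3CGMAIL, and an OU called Traders for the users who
# get the policy. Users need Outlook 2007 or OWA to see the managed folder comments.

# 1. Deleted Items is a default managed folder; attach content settings that delete
#    anything older than 7 days (recoverable for the deleted-item retention period)
New-ManagedContentSettings -Name "Purge Deleted Items after 7 days" `
    -FolderName "Deleted Items" -MessageClass "*" -RetentionEnabled $true `
    -AgeLimitForRetention "7.00:00:00" -TriggerForRetention WhenDelivered `
    -RetentionAction DeleteAndAllowRecovery

# 2. Payment information: a custom managed folder provisioned into each mailbox,
#    with a comment the user cannot miss and a hard delete at 45 days
New-ManagedFolder -Name "Payment Information" -FolderName "Payment Information" `
    -StorageQuota 100MB -MustDisplayCommentEnabled $true `
    -Comment "Payment details only. Items are permanently deleted after 45 days."
New-ManagedContentSettings -Name "Delete payment info after 45 days" `
    -FolderName "Payment Information" -MessageClass "*" -RetentionEnabled $true `
    -AgeLimitForRetention "45.00:00:00" -TriggerForRetention WhenDelivered `
    -RetentionAction PermanentlyDelete

# 3. Bundle both folders into a policy and assign it
New-ManagedFolderMailboxPolicy -Name "3CG Retention" -ManagedFolderLinks "Deleted Items","Payment Information"
Get-Mailbox -OrganizationalUnit "Traders" -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy "3CG Retention" -ManagedFolderMailboxPolicyAllowed

# 4. Nothing is enforced until the Managed Folder Assistant runs, and it has no
#    schedule by default. Give it a nightly window and run it once now.
$nightly = "Sun","Mon","Tue","Wed","Thu","Fri","Sat" | ForEach-Object { "$($_).1:00 AM-$($_).5:00 AM" }
Set-MailboxServer -Identity "3CGMAIL" -ManagedFolderAssistantSchedule $nightly
Start-ManagedFolderAssistant -Identity "3CGMAIL"

# 5. Verify what a mailbox actually got
Get-Mailbox henry | Format-List ManagedFolderMailboxPolicy
Get-ManagedFolderMailboxPolicy "3CG Retention" | Format-List ManagedFolderLinks
```

PermanentlyDelete bypasses deleted-item retention, so the 45-day payment folder really is gone at day 45; that is what the requirement asked for, but it also means a legal hold on that folder has to be implemented by changing the content settings before the age limit is reached, not after.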

Best Practices

• Recommendations:
– Let the work processes drive the managed
folder policy, not vice versa
– Let the law dictate your message/document
retention policy

Wrap-up

• Where we've been:
– Management requests
– Delegating mailboxes
– Linked mailbox architecture
– Using linked mailboxes
– Managed folder architecture
– Setting up managed folder policies
– Recommendations

Video 25
Exchange 2007 Tools


Where we're going

• Management Requests
• Mail Flow Troubleshooter
• Message Tracking Center
• Best Practices Analyzer
• Performance Monitor
• ESEUTIL

Scenario

• Management Requests
– Defrag the mail database after downsizing
– Troubleshoot messages that were delayed
– Find out who Dave Shackelford emailed this month
– See if there are any easily discoverable
misconfigurations in our org
– Figure out why Outlook is timing out and giving an RPC
error to some users

Mail Flow

• Using the Mail Flow Troubleshooter
– This tool invokes the Exchange Troubleshooting
Assistant engine
– Allows you to specify the symptoms and relevant
recipients
– Parses the message tracking logs for the relevant
messages and prepares a report
– It's a good idea to run these tools from a
management workstation

Message Tracking

• Using the Message Tracking tool
– This tool invokes the Exchange
Troubleshooting Assistant engine too
– Is a web-based shell around a simple cmdlet
(Get-MessageTrackingLog) that retrieves message
information
– Makes working with message tracking logs
easier

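The cmdlet behind the Message Tracking tool, Get-MessageTrackingLog, used directly for two of the scenario's requests (who Dave emailed this month, and where a delayed message stalled), as an added example that is not the course's own code. The Hub server name, Dave's SMTP address and the sample Message-ID are assumptions.

```powershell
# Added example (not the course's code): Get-MessageTrackingLog, the cmdlet behind the
# Message Tracking tool, applied to the scenario's requests. Assumptions: Hub server
# 3CGHUB, Dave's SMTP address, and the Message-ID used in the trace.

$hub   = "3CGHUB"
$start = (Get-Date -Day 1).Date        # first of the current month
$end   = Get-Date

# Who did Dave email this month? SEND events are messages handed to another server
# (Internet/Edge), DELIVER events are local mailbox deliveries. Both carry the
# recipient list, so take both and flatten the recipients into a count per address.
function Get-SenderRecipients {
    param([string]$Sender, [datetime]$Start, [datetime]$End, [string]$Server)
    Get-MessageTrackingLog -Server $Server -Sender $Sender -Start $Start -End $End -ResultSize Unlimited |
        Where-Object { $_.EventId -eq "SEND" -or $_.EventId -eq "DELIVER" } |
        ForEach-Object { $_.Recipients } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{n="Recipient"; e={$_.Name}}, Count
}
Get-SenderRecipients -Sender "dshackelford@cccapitalgroup.com" -Start $start -End $end -Server $hub |
    Format-Table -AutoSize

# Where did a message stall? Follow one Message-ID through every hop, sorted by time;
# the gap between consecutive timestamps is the delay, and DEFER events carry the
# reason in RecipientStatus.
function Trace-Message {
    param([string]$MessageId, [string]$Server)
    Get-MessageTrackingLog -Server $Server -MessageId $MessageId -ResultSize Unlimited |
        Sort-Object Timestamp |
        Select-Object Timestamp, EventId, Source, ServerHostname, ClientHostname, RecipientStatus, MessageSubject
}
Trace-Message -MessageId "<4A1B2C3D@3cghub.cccapitalgroup.com>" -Server $hub | Format-Table -AutoSize

# The tracking log is only useful if it is on and kept long enough; check the server
Get-TransportServer -Identity $hub | Format-List MessageTrackingLogEnabled, MessageTrackingLogMaxAge, MessageTrackingLogPath
```

Searching by sender on the Hub only covers mail that passed through that Hub; with several Hub servers in the site, run the same query against each (or pipe Get-TransportServer into it) before concluding that a message was never sent.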
ExBPA

• Using the Exchange Best Practices Analyzer
– Demo

Perf Monitor

• Using PerfMon
– Same as general Windows PerfMon, with some Exchange
counters displayed
– Use Ctrl+H to highlight a particular counter on the graph
– Used in conjunction with troubleshooting performance problems
• Using the Performance Troubleshooter
– Uses the Exchange Troubleshooting Assistant engine
– Uses a counter-gathering session to follow up on complaints
– Uses performance figures to suggest solutions to RPC issues

ESEUTIL – Part 1

• Using the Exchange Server Database Utilities
– ESEUTIL is a command-line tool found in
the "Exchange Server\bin" directory
– This tool is used against the databases to:
• Defragment
• Verify/Checksum
• Repair/Recover/Restore
• Copy/Dump

ESEUTIL – Part 2

– Defrag, Verify, Recover and Repair are the most frequently used
• Defrag (/d) is an offline defragmentation that recovers space;
it rewrites the database, so take a full backup before and after
• Verify (/g) checks database integrity; Checksum (/k) verifies the
page checksums of a database or of log files
• Recover (/r) replays logs into the database; it is done
automatically when the store mounts after an unexpected stop
• Repair (/p) is a last-resort option to repair corruption or to
make up for lost logs; it discards data it cannot salvage, so
restore from backup instead whenever you can
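An offline defrag done the careful way, with the pre-flight checks that turn a routine eseutil /d into a recoverable operation, as an added example that is not the course's own code. The paths, the server and database names and the T: scratch volume are assumptions for the 3CG lab; $exbin is the EMS variable for the Exchange bin directory.

```powershell
# Added example (not the course's code): an offline defrag with the pre-flight checks
# that make eseutil /d recoverable if it goes wrong. Assumptions for the 3CG lab:
# server 3CGMAIL, default storage group and database names, the D: database path and
# a T: scratch volume. $exbin is the EMS variable for the Exchange bin directory.

$db      = "3CGMAIL\First Storage Group\Mailbox Database"
$edb     = "D:\First Storage Group\Mailbox Database.edb"
$temp    = "T:\defrag"                 # scratch volume for the rebuilt copy
$eseutil = Join-Path $exbin "eseutil.exe"

# 0. Space check: the defragmented copy is written to the scratch volume first, so
#    it needs roughly 110% of the current .edb size free
$sizeGB = (Get-Item $edb).Length / 1GB
$freeGB = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='T:'").FreeSpace / 1GB
Write-Host ("Database {0:N1} GB, scratch free {1:N1} GB" -f $sizeGB, $freeGB)
if ($freeGB -lt $sizeGB * 1.1) { throw "Not enough scratch space on T: for a defrag" }
if (-not (Test-Path $temp)) { New-Item -ItemType Directory -Path $temp | Out-Null }

# 1. Take a full backup first. The defrag rewrites the file with a new signature,
#    which also invalidates the existing incremental/differential chain.

# 2. Dismount; the database must be offline and in a clean shutdown state
Dismount-Database -Identity $db -Confirm:$false
$header = & $eseutil /mh $edb
if (-not ($header -match "Clean Shutdown")) {
    throw "Database is not in a clean shutdown state; run eseutil /r against the storage group logs first"
}

# 3. Defrag into a temp file on the scratch volume; eseutil swaps it in on success
& $eseutil /d $edb /t "$temp\defrag.edb"
if ($LASTEXITCODE -ne 0) { throw "eseutil /d failed with exit code $LASTEXITCODE; the original .edb is untouched" }

# 4. Prove the new file is sound before putting it back in service
& $eseutil /g $edb
if ($LASTEXITCODE -ne 0) { throw "Integrity check failed; restore from the backup taken in step 1" }
& $eseutil /k $edb
if ($LASTEXITCODE -ne 0) { throw "Checksum verification failed; restore from the backup taken in step 1" }
Mount-Database -Identity $db

# 5. The mounted file is a new database as far as backups are concerned: take a full
#    backup now, before the next incremental would otherwise run against it
```

Steps 1 and 5 are the part people skip. Online maintenance already returns space to the database for reuse, so an offline defrag only pays off when the file must actually shrink (the "after downsizing" case in the scenario); in every other case the downtime and the broken backup chain cost more than the disk space is worth.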

Other Resources

• Other troubleshooting tools
– Application event log
– Protocol logging - disabled by default
• Enabled per Send/Receive connector
• Stored under the "Exchange Server\TransportRoles\Logs\ProtocolLog"
directory (SmtpReceive and SmtpSend subfolders)
– EventID lookup
– Newsgroups, technical forums
– Being proactive - shoot trouble before he draws

Wrap-up

• Where we've been:
– Management Requests
– Mail Flow Troubleshooter
– Message Tracking Center
– Best Practices Analyzer
– Performance Monitor
– ESEUTIL
– Other resources for troubleshooting

Video 26
Integrating SharePoint


Where we're going

• Management requests
• Enabling SharePoint as a mail destination
• Migrating content from public folders
• Accessing SharePoint via OWA and Outlook
• Best Practices

Scenario

• Management Requests:
– Integrate the 3CGSHAREPOINT server into the network as a
mail destination
– Allow inbound mail from researchers to be collected
in a SharePoint library
– Add SharePoint library contacts to Exchange
– Move data from Public Folders to SharePoint
document libraries
– Manage SharePoint document libraries in Outlook
2007
– Access SharePoint data from OWA

Adding Mail to SharePoint

• How to mail-enable SharePoint folders
– Create an MX record for the SharePoint server
– Create a new OU for SharePoint contacts
– Add the IIS SMTP service to the SharePoint server
– Configure the IIS SMTP service
– Configure inbound mail settings in SharePoint
• Enable incoming mail
• Specify the Directory Management Service LDAP path (the OU above)
• Configure the Exchange server IP as a "safe server"
– Set up a new Send connector in Exchange for the SharePoint
server's address space
– Mail-enable a document library

Migrating Content

• Moving content into SharePoint
– Quest Public Folder Migrator
– Tzunami Deployer
– Moving files via Outlook
– Moving files via file system

Folder Access

• Accessing SharePoint libraries from OWA and Outlook
– Demo

Best Practices

• Recommendations
– Don't learn in production, build a test system
– Work with someone knowledgeable in
SharePoint
– Be meticulous about documenting
permissions used
– Don't expect perfection - metadata transfer is
not always seamless

Wrap-up

• Where we've been:
– Management requests
– Enabling SharePoint as a mail destination
– Migrating content from public folders
– Accessing SharePoint via OWA and Outlook
– Best Practices