Book giveaway and e-mail notice
• Please give me a piece of paper with your name for the drawing
• Include your e-mail address or give me a business card if you want:
  ● 20% discount code for Directory Update software
  ● Notification e-mail when Mastering Exchange Server 2007 is available
• Keep an eye out for Mastering Exchange Server 2007 – due out in late April
Exchange 2007 for Exchange 2003 Administrators
Jim McBee
ITCS Hawaii
[email protected]
Who is Jim McBee!!??
• Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!)
• Principal clients (Dell, Microsoft, U.S. Government, SAIC, Servco Pacific)
• Author – Exchange 2003 Advanced Administration and Mastering Exchange Server 2007 (Wiley/Sybex)
• Contributor – Exchange and Outlook Administrator
• Blog
  ● http://mostlyexchange.blogspot.com
• Directory Update software
  ● http://www.directory-update.com
Audience Assumptions
• You have at least a few months of experience running Exchange 5.5, 2000, or 2003.
• You have worked with Active Directory.
• You can install and configure a Windows 2000 / 2003 server.
Today’s presentation
• What is new with Exchange 2007?
• Upgrading or migrating
• Administering Exchange 2007
• Resource Management
• High availability options
• Anti-spam, antivirus, and security
• Transport rules
What’s new? Why upgrade?
• No single “killer feature”
• Improved deployment options
  ● Scriptable command-line
  ● Simplified management console
  ● Automatic Outlook 2007 configuration
  ● Installation is intuitive and helpful
64-bit rocks
• Use up to 32GB of RAM (cost is the limiting factor right now)
• Improved caching
• Reduced I/O profile
• Fewer disks required for the I/O profile
• 0.3 IOPS per “heavy” user
Server roles
• Allows easy segmentation of functions
• Mailbox
• Client Access
• Hub Transport
• Unified Messaging
• Edge Transport
Why have server roles?
• Install just what you need
• Easier to harden
• Simplify, consolidate or distribute
[Diagram: Hub Transport, Client Access, Mailbox and Unified Messaging servers in the protected network; Edge Transport server in the perimeter network]
Server Roles: Edge Transport
• Optional role
• Must be on its own separate physical machine with no other roles installed
• May be a workgroup member or joined to a separate Active Directory forest
• Uses Active Directory Application Mode (ADAM) for configuration and recipient information
• Enforces policy at the perimeter:
  ● Message hygiene
  ● Anti-virus
  ● Advanced anti-spam
• Must be connected (subscribed) to a Hub Transport server
Server Roles: Client Access Server
• Supports all client protocols except MAPI
  ● OWA
  ● Exchange ActiveSync
  ● Outlook Anywhere (formerly RPC/HTTPS)
  ● POP3 and IMAP4
  ● Autodiscover
  ● Web services
• Placed in the protected network
  ● ISA in the perimeter can publish the protocols
• At least one CAS in each site and domain where mailbox servers exist
• Requires a good network connection for RPC to mailbox servers
• Not strictly required for mailbox access, but almost all environments will need it
• Can coexist with Mailbox, Hub Transport, and UM roles
Server Roles: Hub Transport
• Handles message delivery and routing
• Applies policies to all messages via transport rules
• Can handle some message hygiene functions
  ● Anti-virus
  ● Limited anti-spam
• Reduces cost and complexity
  ● Provides more predictable routing
  ● Reduces downtime
• At least one in every AD site with a mailbox server
• Can coexist with Mailbox, Hub Transport, and UM roles
Server Roles: Mailbox
• Responsible for serving mailbox databases and public folders
• Mailbox access through MAPI
• Supports, but does not require, public folders
• HA options:
  ● Local Continuous Replication (LCR)
  ● Cluster Continuous Replication (CCR)
  ● Single Copy Cluster (SCC)
  ● Standby Continuous Replication (SCR)
Server Roles: Unified Messaging
• Unified Messaging
  ● Placed in the protected corporate network
  ● Requires that Mailbox and Hub Transport roles exist
  ● Answers calls diverted by the PBX
• Provides automated attendant
• Records and delivers voice messages
  ● Provides Outlook Voice Access
  ● Check with your phone vendor to see if their phone system will work with the UM server
• May require a PBX gateway
Enterprise Topology
[Diagram: SMTP clients reach the Edge Transport server (routing, hygiene) in the perimeter, which relays to Hub Transport (routing, policy) and on to Mailbox servers (mailboxes, public folders); Unified Messaging connects to the PBX/VoIP system for voice messaging, fax and Outlook Voice Access; external and internal clients reach the Client Access server through ISA Server (OWA reverse proxy, forms-based authentication) using EAS, POP, IMAP and Outlook Anywhere, with Web services and Web parts for programmability]
Improved high availability options
• Single copy clusters
• Cluster continuous replication
• Local continuous replication
• Database portability
Improved compliance and security
• Message transport rules
• Messaging records management
• Opportunistic TLS
• Internal SMTP always encrypted
• Per-recipient journaling
• Edge Transport server role and anti-spam agents
• Forefront Security for Exchange
Improvements for users
• OWA integration with file shares and SharePoint
• More than 32KB of rules per folder
• Improved OOF functions
  ● Internal, external, schedulable
• Improved shared resource features
• Windows Mobile 6 support
• Manage mobile devices via OWA
• Customizable quota and NDR messages
Server licensing changes
• Exchange Server 2007 Enterprise Edition
  ● Allows clustering
  ● Allows 50 storage groups / mailbox databases
  ● Database size 16TB
• Exchange Server 2007 Standard Edition
  ● Allows 5 storage groups / mailbox databases
  ● Database size 16TB
• See:
  ● http://preview.tinyurl.com/bmd55
Client Access Licenses
• Standard Exchange CAL
  ● E-mail, ActiveSync, OWA, Outlook Anywhere
• Enterprise Exchange CAL
  ● Unified Messaging
  ● Per-recipient journaling
  ● Messaging records management
  ● Forefront Security for Exchange Server
  ● Exchange Hosted Filtering (for SA customers)
• See:
  ● http://preview.tinyurl.com/bmd55
Administering Exchange 2007
• Improvements for administrators
• No more admin or routing groups
• Exchange Management Console
• Exchange Management Shell
Legacy Exchange Management Challenges
• Exchange 2000/2003 admins face some challenges
  ● Delegation is not flexible enough.
  ● There are no consistent provisioning methods.
  ● Bulk operations are difficult (or impossible).
  ● ESM is scattered and difficult to navigate.
  ● Scripting is difficult and limited in scope.
• Many of these problems are only made worse by the addition of third-party utilities.
Look familiar?
Improvements include…
• No more Recipient Update Service
• Mailbox properties generated at creation time:
  ● Including SMTP addresses and address list membership
  ● Can be updated via the command line
• All recipient administration performed from Exchange Management Console or Exchange Management Shell (no ADUC extensions)
Exchange Server 2007 Management Architecture
[Diagram: the GUI (WinForms), Setup (WinForms) and CLI all sit on PowerShell; the PowerShell data provider (early-bound objects, ADO.Net) exposes the Exchange-specific cmdlets/tasks, which go through Configuration Data Access and across the process boundary to the MAPI Store, the registry, Active Directory and the IIS metabase]
What This Means To You
• New tools to learn
  ● Exchange Management Console for GUI
  ● Exchange Management Shell for CLI
• Most tasks are much easier
• A few tasks require use of the command line
Exchange Management Console
• Goal: "Intuitive design"
• Simplified navigation
  ● Multiple panes
  ● Object filtering
  ● Discoverable tasks through the Actions pane
• Consistent user interface
• Integrated toolbox
  ● RTM tools
  ● Web release tools
• ADU&C is no longer used for recipient management
Improved Exchange Management Console
• Console Tree: segmented into four work centers (Recipients, Servers, System, Toolbox); allows quick access to core functions and groupings
• Action Pane:
  ● Shows all tasks for the selected object(s)
  ● Easy contextual access to all actions for an object
• Result Pane:
  ● Rich contextual list of appropriate objects
  ● Shows all objects in the org or server
• Work Pane:
  ● Child objects of the result pane objects
  ● Automatically shows what objects you can work on at a given time
Demos
• Exchange Management Console
• Create and manage a mailbox
Administrative Group Design
• Existing problems
  ● Too rigid; not dynamic
  ● Not completely granular
  ● Low usage
    • 50% of companies (from Tech-Ed) state they do not use AGs
    • Another 40% use 5 or less
• Benefits of removing Administrative Groups
  ● Exchange Server 2007 provides org-wide permissions
  ● Delegate access to single servers
  ● Apply role-based permissions to server objects
  ● Group and filter in the GUI based on server attributes
• Transition note: Exchange Server 2007 creates a new hard-coded AG for compatibility
Permission Delegation
• Permissions model
  ● Organization Admin
  ● Recipient Admin
  ● Server Admin
• Recipient Admin can move mailboxes
• Server Admin can be specified for multiple servers
• Predefined groups:
  ● Exchange Organization Administrators
  ● Exchange Recipient Administrators
  ● Exchange Server Administrators
  ● Exchange View-Only Administrators
Simplified administrative model
• No more administrative or routing groups!
• Server-based admin permissions
• Separate “recipient administrators”
• Pre-configured Active Directory groups
• Customize your own permissions
Demos
• Active Directory groups
• Delegating permissions via EMC
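The delegation model above (Organization, Recipient, Server and View-Only admins, with Server Admin scoped to named servers) can also be driven from the Exchange Management Shell. The script below is an added example, not from the slides; it assumes AD groups named CONTOSO\Helpdesk-Mailboxes, CONTOSO\ServerOps-HNL and CONTOSO\Auditors and a mailbox server named CT-EXCH-MBX-01, all of which are illustrative.

```powershell
# Added example (not from the slides): least-privilege delegation with the
# Exchange 2007 role model. Group and server names are illustrative.

# Recipient Admin: create, move and modify recipients; no server-level rights.
Add-ExchangeAdministrator -Identity "CONTOSO\Helpdesk-Mailboxes" -Role RecipientAdmin

# Server Admin scoped to one server: rights over that server's Exchange
# configuration only, not the whole organization.
Add-ExchangeAdministrator -Identity "CONTOSO\ServerOps-HNL" -Role ServerAdmin -Scope "CT-EXCH-MBX-01"

# View-only for auditors: read the configuration, change nothing.
Add-ExchangeAdministrator -Identity "CONTOSO\Auditors" -Role ViewOnlyAdmin

# Review who holds which role and scope; re-run this periodically to catch drift.
Get-ExchangeAdministrator | Sort-Object Role | Format-Table Identity,Role,Scope -AutoSize

# Revoke a delegation when it is no longer needed (same role and scope it was granted with).
Remove-ExchangeAdministrator -Identity "CONTOSO\ServerOps-HNL" -Role ServerAdmin -Scope "CT-EXCH-MBX-01"
```

The scoped ServerAdmin grant is the one worth noting: it lets an operations team manage a single mailbox server without being able to change transport rules, journaling or recipients across the organization.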
Exchange Management Shell
• Extensions to Windows PowerShell
• Fundamental implementation of the Management API
• All management activities exposed to the command line and scripts
• Reduced complexity with fewer APIs
• .NET integration
  ● Can make use of .NET classes and namespaces
  ● Can be consumed by .NET applications
• Bulk actions
  ● Consistent provisioning
  ● Updating multiple objects
• Security and safety features
Using the PowerShell
• Exchange functions are an extension of PowerShell
• Commands are “task based”
  ● Called “cmdlets” – pronounced “command-let”
• Verb-Noun combination
• Easy to remember combinations
• Tab completion
Help is easy to find
• Help or Get-Help cmdlets
• Help *mailbox*
• Help get*
• Help Get-Mailbox -Full
  ● or -Detailed
  ● or -Example
EMS Cmdlet: What It Does
get-mailbox -server CT-EXCH-MBX-01 | `
move-mailbox `
-targetdatabase SG1\Executives
• Get all mailboxes on the mailbox server named CT-EXCH-MBX-01 and pipe this list to the next command:
  get-mailbox -server CT-EXCH-MBX-01 |
• Move each mailbox in this list to the Executives database in the SG1 storage group:
  move-mailbox -targetdatabase SG1\Executives
More EMS Examples
• Get-Mailbox -server CT-EXCH-MBX-01 | `
  Move-Mailbox -targetdatabase SG1\Executives
• Get-DistributionGroupMember "Engineering"
• Get-DistributionGroupMember "Engineering" | `
  Set-Mailbox -IssueWarningQuota:1500MB
• Get-DistributionGroupMember "Engineering" | `
  Get-Mailbox | Format-Table name,issuewarningquota
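The bulk-quota pipeline above changes every mailbox it touches with no record of the previous values. The script below is an added example, not from the slides; it shows the same change done with the EMS safety features the deck mentions (a snapshot, a -WhatIf preview, then verification). It assumes a distribution group named Engineering and a writable C:\Temp folder, both illustrative.

```powershell
# Added example (not from the slides): bulk quota change with a safety net.
# Assumes an Exchange 2007 organization with a distribution group "Engineering";
# the group name, quota values and file path are illustrative.

$group = "Engineering"

# Get-DistributionGroupMember can return contacts and nested groups as well as
# mailboxes, so keep only user mailboxes and resolve them through Get-Mailbox.
$targets = Get-DistributionGroupMember $group |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    Get-Mailbox

# Snapshot the current settings so the change can be reversed if needed.
$targets |
    Select-Object Name,Alias,IssueWarningQuota,ProhibitSendQuota,UseDatabaseQuotaDefaults |
    Export-Csv -Path "C:\Temp\$group-quotas-before.csv" -NoTypeInformation

# Preview: -WhatIf lists which mailboxes would change without changing them.
$targets | Set-Mailbox -IssueWarningQuota 1500MB -ProhibitSendQuota 2000MB `
    -UseDatabaseQuotaDefaults $false -WhatIf

# Apply. Mailbox-level quotas only take effect once the database defaults are
# overridden, which is why UseDatabaseQuotaDefaults is set to $false.
$targets | Set-Mailbox -IssueWarningQuota 1500MB -ProhibitSendQuota 2000MB `
    -UseDatabaseQuotaDefaults $false

# Verify the result on the live objects.
$targets | Get-Mailbox |
    Format-Table Name,IssueWarningQuota,ProhibitSendQuota,UseDatabaseQuotaDefaults -AutoSize
```

The RecipientType filter matters: piping a mail contact or a nested group straight into Set-Mailbox produces errors mid-run, leaving the group half-changed.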
Demos
• Using the Exchange Management Shell
SP1 Management Improvements
• Service Pack 1 includes some major EMC improvements
  ● Public folder management tools
  ● POP / IMAP server management tools
  ● Clustered mailbox server management
• There are EMS improvements as well
  ● Import and export mailboxes to PST!
  ● Improved tools for bulk mailbox manipulation
  ● Some syntax improvements
Message routing improvements
• Routing infrastructure no longer manually defined
• No more routing groups
• Routing dependent on Active Directory
Legacy Message Routing
• Exchange 2000 and Exchange 2003
  ● Provide multiple routing groups
  ● Require routing group connectors
  ● Use link state routing to share routing information between RGs
  ● Have difficulty converging link state information in large networks
  ● Have a hard time clearing / purging poisoned or corrupted routing information
Exchange Server 2007 Message Routing
• No more routing groups!
  ● Routing uses Active Directory sites
  ● No RGs means no RGCs
  ● No more link state updates
  ● Automatic configuration of the routing topology
• No more bridgeheads!
• Message routing goes direct whenever possible
  ● An HT in one site always attempts a direct connection to an HT in the other site first
  ● When direct relay is not available, the HT establishes connections based on AD topology
• Division of services between Hub and Edge
  ● Edge provides perimeter policy control + external routing
  ● Hub provides internal policy control + internal routing
Exchange Server 2007 Message Routing
• Hub Transport routing changes significantly
  1. HT selects a route
  2. HT attempts direct delivery on the route
  3. HT delays fan-out/bifurcation as long as possible
• Route selection is simplified and deterministic
  ● Identify the least-cost route
  ● Are there multiple routes with the same cost?
    • Choose the one with the lowest hop count
  ● If equal sites exist, find the last site prior to the destination
Planning Mailbox Database Storage
• Storage group recommendations
• Disk and LUNs
• Local continuous replication considerations
• IOPS
• Demo
How many storage groups?
• Recommend using one storage group per database
• When using SANs, create one LUN for each SG’s transaction logs and one LUN for each database (for VSS backups)
• Maximum database size:
  ● 100GB without LCR
  ● 200GB with LCR
  ● Take restore times and SLAs into consideration
It is all about disk performance
• Sizing for IOPS is just as important as disk capacity

User type    Cache per user   Sent / Received   IOPS per user
Light        2MB              5 / 20            0.11
Average      3.5MB            10 / 40           0.18
Heavy        5MB              20 / 80           0.32
Very heavy   5MB              30 / 120          0.48
Demo
• Create storage group and mailbox database
Upgrading / migration
• Upgrade path
• Keeping an older version of Exchange?
• Prerequisites
Upgrade Paths
• Can upgrade the organization from:
  ● Exchange 2000 Server
  ● Exchange Server 2003
• Cannot upgrade an org from Exchange 5.5
• No in-place server upgrades; move/consolidate existing mailboxes and services
• Most new mailbox features require the mailbox to be homed on Exchange Server 2007
• Many new features require Outlook 2007
Keeping Older Exchange Versions
• Exchange 2000
  ● Microsoft Mobile Information Server
  ● Instant Messaging Service
  ● Exchange Chat Service
  ● Exchange 2000 Conferencing Server
  ● Key Management Service
  ● cc:Mail Connector
  ● MS Mail Connector
• Exchange 2003
  ● Novell GroupWise Connector
  ● Public folder access over OWA
Infrastructure Requirements
• Schema Master DC requires Windows Server 2003 SP1
• GCs used by Exchange 2007 require Windows Server 2003 SP1
• AD domain functional level must be Windows 2000 native or higher for:
  ● Each domain that will host Exchange Server 2007 servers
  ● Each domain that will host mail-enabled users
• Multi-forest topologies and forest trusts
  ● Minimum forest functional level is Windows Server 2003.
• No Exchange Server 5.5 servers in the organization; the organization must be in native mode
• DNS is correctly configured for the Active Directory forest
• Active Directory is prepared
• Note: WINS is no longer required
The Typical Upgrade
• Prepare Active Directory
• Deploy Edge Transport servers - optional
• Deploy CAS servers
• Deploy Hub Transport servers
• Deploy Mailbox servers
• Move resources from Exchange 2000/2003 servers
• Uninstall Exchange 2000/2003 servers from the Exchange organization
• Remove connectors between RGs
• Remove RGs
Public Folders
• Still supported until 2016
  ● De-emphasized in favor of SharePoint
• Public folder store not created by default
  ● Free/busy published via web service
  ● Other system folders not present (OAB)
  ● Fix: specify pre-Outlook 2007 clients during installation
• Management options
  ● EMC: create/manage/remove public folder store
  ● EMS: full complement of cmdlets
  ● Exchange Server 2007 adds EMC GUI support
  ● PFDavAdmin still works, PFMigrate
• Gotchas:
  ● OWA does not currently expose PFs on Exchange 2007 mailbox servers
  ● SharePoint 3.0 not yet a complete replacement
Public Folder Changes in SP1
• SP1 adds two major public folder improvements
  ● Access from Outlook Web Access
  ● Full administrative / management access to public folders from EMC
Public Folder Management Console
[Screenshot: the Public Folder Management Console showing Default Public Folders on exch01.redmond.microsoft.com (Customer List, Feedback, Internet Newsgroups, Support, all under \IPM_SUBTREE) and System Public Folders, with actions New Public Folder, Update Public Folder, Mail Enable, Remove and Properties]
Resource management
• Resource mailboxes are now uniquely identified
• Creating resource mailboxes
• Configuring and managing resource mailboxes
Creating the mailbox using EMC
• Create a “Room” or “Equipment” mailbox type
Customizing resource mailboxes
• Disabled user account created
  ● Enable the user account to manage resource settings
• Use OWA to manage the resource mailbox
• Allow automatic processing of requests
• Specify who can request and schedule
• Notification options
• Privacy options
• Resource scheduling options
Demo
• Creating and managing a resource mailbox
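The resource-mailbox steps above (room type, automatic processing, who may book, privacy of the calendar entry) map directly onto two cmdlets. The script below is an added example, not from the slides; it assumes a database path CT-EXCH-MBX-01\SG1\Executives, a domain contoso.example, an OU named Resources and a distribution group named Executive Assistants, all illustrative.

```powershell
# Added example (not from the slides): create a room mailbox and control who can
# book it. Database, domain, OU, group and address names are illustrative.

$room = "Boardroom"

# -Room creates a resource mailbox backed by a disabled user account.
New-Mailbox -Name $room -Alias boardroom -Room `
    -UserPrincipalName "boardroom@contoso.example" `
    -OrganizationalUnit "contoso.example/Resources" `
    -Database "CT-EXCH-MBX-01\SG1\Executives"

# Automatic processing: accept or decline without a human in the loop, but only
# for members of one group (AllBookInPolicy $false closes it to everyone else).
Set-MailboxCalendarSettings -Identity $room `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false `
    -BookInPolicy "Executive Assistants" `
    -AllowConflicts $false `
    -BookingWindowInDays 90 `
    -MaximumDurationInMinutes 480 `
    -DeleteComments $true -DeleteSubject $true -AddOrganizerToSubject $true

# Delegates receive out-of-policy requests for approval instead of an automatic decline.
Set-MailboxCalendarSettings -Identity $room -ResourceDelegates "facilities@contoso.example"

# Verify who can book and what is stripped from the calendar entry (privacy options).
Get-MailboxCalendarSettings -Identity $room |
    Format-List AutomateProcessing,AllBookInPolicy,BookInPolicy,ResourceDelegates,DeleteSubject,DeleteComments
```

DeleteSubject and DeleteComments are the privacy controls: anyone who can read the room's calendar sees only the organizer, not the meeting subject or the body of the request.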
High availability options
• New high availability options
• Reduce recovery time after failure
• New replication option coming in SP1
Focus on High Availability
• Improve data availability
  ● Protect mailbox data from failures and corruptions
  ● Reduce the time required to restore mailbox data
• Improve service availability
  ● Make mailbox data more available
  ● Make cluster failover faster and less painful
  ● Make cluster management easier
  ● Support for ‘stretch’ or ‘geo-clusters’
  ● Allow large mailboxes inexpensively
High Availability Options
• Hub Transport Role
  ● Redundant hardware
  ● Automatically load balanced and redundant with multiple HTs
• Edge, Client Access Server and Unified Messaging Roles
  ● Redundant hardware
  ● Windows NLB or third party load balancing (Edge / UM only)
  ● Round robin DNS
  ● DNS MX records (Edge only)
• Mailbox Server Role
  ● Replication and clustering
  ● Local Continuous Replication (LCR)
  ● Cluster Continuous Replication (CCR)
  ● Standby Continuous Replication (SCR)
  ● Single Copy Clusters (SCC)
Local Continuous Replication
• Additional copy of the logs
● On the same server
● On a different volume
• Benefits
● Easy configuration
● Single datacenter
● Doesn’t require expensive hardware
● Online backups
● Very quick restoration of service
• Drawbacks
● Manual activation
● Only protects 1 server
● Only protects 1 DB in SG
● Additional storage requirements
LCR Diagrammed
[Diagram: a single server holding the transaction logs and database, with a copy of the database and a copy of the transaction logs kept on a separate volume]
Cluster Continuous Replication
• Benefits
● Potentially no single point of failure
● Two copies of the data on separate servers
● No need for shared storage.
● Full redundancy with automatic recovery
● Backup mailboxes without disturbing production
● Doesn’t require validation for clustered
configuration
• Drawbacks
● Initial database seeding required
● Servers must be on same subnet
● Transaction logs pulled over SMB shares
● Some scenarios require log validation, replay
CCR Caveats
• Requires Microsoft Cluster Services
  ● Majority Node Set cluster
  ● Requires a third “voting” node - uses a shared folder
• Two-node, active / passive only
• Backup:
  ● Streaming backup against production storage groups
  ● VSS backup against production and replica storage groups
• Limit of one database per storage group
• Can be used for the PF database if it is the only PF database in the organization
Standby Continuous Replication
• Replication to a standby server
• Coming in Service Pack 1
• Source and target machines can be
  ● Stand-alone
  ● In two different MSCS clusters
  ● On different subnets
• Controlled per storage group
• Many-to-1 and one-to-many supported
[Diagram: logs and DB shipped from the source server to the standby server]
Replication Options
• LCR
  ● Focused towards server resiliency
  ● Improves restore time
  ● Administrator has to initiate restore manually
  ● Single server, single data center solution
  ● Implements log shipping and replay out of the box
  ● Log files are copied locally and replayed
• CCR
  ● Targeted towards site resiliency
  ● Automatic failovers
  ● Single or two-data center solution by supporting the “stretch” option
  ● Implements log shipping and replay out of the box
  ● Log files are copied to the remote server and replayed
  ● Simplifies cluster deployment
  ● Requires MSCS
  ● Does not require SAN or shared storage
  ● Does not require identical nodes in the cluster
• SCR
  ● Provides site and server resiliency
  ● “Cold spare” approach cuts hardware costs
  ● Can be combined with LCR, CCR, and SCC for maximum flexibility
  ● Look for more details at TechEd 2007
Single Copy Clusters
• Requires Microsoft Cluster Services
• Benefits
  ● Improved Exchange cluster setup
  ● Failovers use the same data copy
• Disadvantages
  ● Requires expensive hardware with shared storage
  ● Can be complicated for admins to learn
  ● Doesn’t protect from storage/data issues
  ● Servers must be on the same IP subnet
  ● Data redundancy provided through partners
Demos
• Replicating a database using LCR
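The storage-group demo earlier (one storage group per database, logs and database on separate LUNs) and the LCR demo here share the same objects, so the script below is one added example covering both; it is not from the slides. It assumes a server CT-EXCH-MBX-01 with volumes E: (logs), F: (database) and G: (LCR copy); the server, storage group, database and path names are illustrative.

```powershell
# Added example (not from the slides): one storage group per database with logs and
# database on separate volumes, then a Local Continuous Replication copy on a third.
# Server, storage group, database and path names are illustrative.

$server = "CT-EXCH-MBX-01"
$sg     = "SG1"
$db     = "Executives"

# Storage group: transaction logs and checkpoint file on their own LUN (E:).
New-StorageGroup -Name $sg -Server $server `
    -LogFolderPath "E:\Logs\$sg" -SystemFolderPath "E:\Logs\$sg"

# Mailbox database on a second LUN (F:), then mount it.
New-MailboxDatabase -Name $db -StorageGroup "$server\$sg" `
    -EdbFilePath "F:\Databases\$sg\$db.edb"
Mount-Database -Identity "$server\$sg\$db"

# LCR only works with exactly one database in the storage group (the deck's
# "Only protects 1 DB in SG"). Enable the copy for the database first, then
# for the storage group, with both copies on the third LUN (G:).
Enable-DatabaseCopy -Identity "$server\$sg\$db" -CopyEdbFilePath "G:\LCR\$sg\$db.edb"
Enable-StorageGroupCopy -Identity "$server\$sg" `
    -CopyLogFolderPath "G:\LCR\$sg" -CopySystemFolderPath "G:\LCR\$sg"

# Health check: a growing CopyQueueLength or ReplayQueueLength means the passive
# copy is falling behind and would not be current if it had to be activated.
Get-StorageGroupCopyStatus -Identity "$server\$sg" |
    Format-List SummaryCopyStatus,CopyQueueLength,ReplayQueueLength
```

Activation of an LCR copy is a manual step, as the drawbacks slide says; the queue lengths above are what to check before deciding to rely on the copy.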
Transport rules
• Managing data in transit
• How transport rules are created
• Conditions, actions, exceptions
Where Data Is
• In transit: data being moved from one storage location to another should not be
  ● Snooped/sniffed
  ● Altered (without notice)
  ● Inappropriately disclosed
• At rest: data in a storage location should not be
  ● Inappropriately accessed
  ● Altered (without notice)
  ● Deleted
Applying E-mail Policy in Transit
• Transport rules
• Routing policies
  ● Automatic certificate-based protection
  ● Enforce retention and compliance
• Journaling
  ● Transport-based
  ● Massively reduced duplication
  ● Scoped (internal, external, global messages)
  ● Reports to any valid SMTP address
• Message security classifications
What Are Transport Rules?
• Rules that are applied on all transport servers to inspect messages and act on them in some fashion
• Managed by the administrators
• Managed by GUI wizard or cmdlets
  ● Who does the rule apply to?
  ● What exceptions are allowed?
  ● What should be done with matching messages?
Transport Rule Examples
• Example Conditions and Exceptions
  ● Sender, Recipients
  ● Sender or recipient is a member of a DL
  ● String match in subject, body, or header
  ● Regular expression match in subject, body, or header
• Example Actions
  ● Add a disclaimer
  ● Encrypt the message
  ● Route to a specified server
Ethical Walls
• Select multiple conditions to constrain the rule
• Customize the action to suit the organization’s needs
Message Classification
• Admin configuration with transport rules
• User configuration with Outlook
More About Transport Rules
• Rules on the Hub Transport
  ● Used for restrict / protect / audit scenarios
  ● Stored in Active Directory
  ● Managed and applied across the entire organization
  ● Max of approx. 1000 rules per organization
• Rules on the Edge Transport
  ● Used for boundary restrictions
  ● Managed and applied per-server
Transport Rule Collections
• Collections
  ● Internal: apply when all senders/recipients are in the organization
  ● External: apply when one or more parties are unauthenticated (anonymous) or not in the organization
  ● Global: apply to all messages
  ● Edge: apply to all messages in the DMZ
Demos
• Creating a transport rule
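The ethical wall from the Transport Rule Examples slides, built the way the Exchange 2007 EMS composes a rule: a predicate object for the condition, another for the exception, an action object, then New-TransportRule. This is an added example, not from the slides. It assumes distribution groups named Brokerage, Research and Compliance, all illustrative; the predicate and action names (BetweenMemberOf, FromMemberOf, RejectMessage) are the ones I understand Exchange 2007 to use, and Get-TransportRulePredicate / Get-TransportRuleAction with no arguments list what an installation actually offers.

```powershell
# Added example (not from the slides): an "ethical wall" between two groups on the
# Hub Transport. Group names are illustrative; predicate/action names can be
# confirmed with Get-TransportRulePredicate and Get-TransportRuleAction.

# Condition: message travels between members of the two groups, in either direction.
$condition = Get-TransportRulePredicate BetweenMemberOf
$condition.Addresses = @((Get-DistributionGroup "Brokerage"), (Get-DistributionGroup "Research"))

# Exception: the compliance team may still write across the wall.
$exception = Get-TransportRulePredicate FromMemberOf
$exception.Addresses = @(Get-DistributionGroup "Compliance")

# Action: reject with an NDR the sender can act on, and a 5.7.1 (policy) status code.
$action = Get-TransportRuleAction RejectMessage
$action.RejectReason = "Messages between Brokerage and Research are blocked by policy."
$action.EnhancedStatusCode = "5.7.1"

# Hub Transport rules are stored in Active Directory and applied organization-wide.
New-TransportRule -Name "Ethical wall: Brokerage <-> Research" `
    -Conditions @($condition) -Exceptions @($exception) -Actions @($action) `
    -Priority 0 -Enabled $true `
    -Comments "Information barrier; change control ticket reference goes here"

# Rules are evaluated in priority order, lowest number first; review the whole set.
Get-TransportRule | Sort-Object Priority | Format-Table Priority,Name,State -AutoSize
```

Priority 0 puts the wall ahead of any disclaimer or routing rules, so a blocked message is rejected before other actions have a chance to modify or redirect it.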
Messaging Records Management
• Managing records “at rest”
• Creating policies for messaging records management
E-mail Policy at Rest
• Messaging records management (Managed Folders)
• Multi-mailbox search
• Secure classifications
• Rights Management
  ● Certificate based
  ● Applies access controls to the message data
  ● Integrates with / requires Windows Rights Management
Messaging Records Management
• Settings configured by the admin
• Implementation handled by the user
• Integrates with an archiving solution
• Retention policies can be configured by type
  ● E-mail
  ● Voice mail
  ● Faxes
  ● Tasks
  ● Calendar
  ● …
Messaging Records Management
Help users store the information they need and delete the information they don’t
Retention Policies on Default Folders
• Set policy on Inbox, Deleted Items, etc.
• Policies based on item age
• Unique policies enabled for e-mail, voice mail and fax
• Expiration actions:
  ● Move to Deleted Items
  ● Delete
  ● Move to another folder for cleanup review
• Instructional message can be shown to users
Messaging Records Management
Administrative Attributes
• Managed Folders display in the user’s mailbox
• Provide a place to store critical content longer-term
• Cannot be deleted by users
• Can have user-created sub-folders
• Grouped together by Mailbox Policies
• Policies can be deployed based on different characteristics
• Folder quotas can limit individual folder size
Demos
• Using messaging records management
Journaling
• Increasingly common
• Journal per mailbox database
• Journal using transport rules
• Journal per mailbox
Journaling in Exchange 2007
• Configurable per-recipient
• Envelope journaling only
• Number of individual journal reports has been significantly reduced
• Can journal to multiple destinations:
  ● Exchange mailbox
  ● Mail-enabled public folder
  ● SMTP recipient on an external system
Demos
• Creating a journaling rule
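The two journaling scopes the slides name (per mailbox database, and per recipient through a journal rule) side by side. This is an added example, not from the slides; it assumes a database CT-EXCH-MBX-01\SG1\Executives, a Finance group address and an external archive address, all illustrative.

```powershell
# Added example (not from the slides): per-database versus per-recipient journaling.
# Database name and all addresses are illustrative.

# 1) Per-database (standard) journaling: every message sent to or from a mailbox in
#    this database produces one journal report to the journal recipient.
Set-MailboxDatabase -Identity "CT-EXCH-MBX-01\SG1\Executives" `
    -JournalRecipient "journal-exec@contoso.example"

# 2) Per-recipient (premium) journaling rule: only messages involving the Finance
#    group, and only when one party is outside the organization, go to the archive.
#    Scope can be Global, Internal or External.
New-JournalRule -Name "Finance external mail" `
    -JournalEmailAddress "archive@archive-provider.example" `
    -Scope External `
    -Recipient "finance@contoso.example" `
    -Enabled $true

# Review what is journaled where; both lists are what an auditor will ask for.
Get-JournalRule | Format-Table Name,Scope,Recipient,JournalEmailAddress,Enabled -AutoSize
Get-MailboxDatabase | Format-Table Name,JournalRecipient -AutoSize
```

The journal recipient mailbox itself needs protecting: whoever can read it can read every journaled message, so it belongs on a quota-controlled database with access limited to the compliance team.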
Clearing out unwanted e-mail
• Use Export-Mailbox
• Copy or remove content from specified mailboxes
• Content must be moved to another mailbox
• get-mailbox -database "Mailbox Database" | export-mailbox -SubjectKeywords "resume" -StartDate "06/25/06" -EndDate "07/07/06" -TargetFolder "Inbox" -TargetMailbox Administrator -DeleteContent:$true
Demos
• Using Export-Mailbox
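The one-liner above searches and deletes in a single pass. The script below is an added example, not from the slides; it does the same job in two passes so the matches can be reviewed before anything leaves users' mailboxes. It assumes the administrator has been granted Full Access to the source mailboxes and to a target mailbox named Discovery; the database, dates and keyword are illustrative.

```powershell
# Added example (not from the slides): locate and then remove unwanted messages in
# two passes. Export-Mailbox needs Full Access on the source and target mailboxes;
# database, mailbox, folder names, keyword and dates are illustrative.

$sources = Get-Mailbox -Database "CT-EXCH-MBX-01\SG1\Executives"

# Pass 1: copy matching items into a review folder in the Discovery mailbox.
# The originals stay in place, so a bad keyword costs nothing.
$sources | Export-Mailbox -SubjectKeywords "resume" `
    -StartDate "06/25/06" -EndDate "07/07/06" `
    -TargetMailbox "Discovery" -TargetFolder "Review" `
    -Confirm:$false

# ...review the contents of Discovery\Review, then:

# Pass 2: the same search with -DeleteContent, which removes the matches from the
# source mailboxes. The copy written to Discovery\Removed is the record of what went.
$sources | Export-Mailbox -SubjectKeywords "resume" `
    -StartDate "06/25/06" -EndDate "07/07/06" `
    -TargetMailbox "Discovery" -TargetFolder "Removed" `
    -DeleteContent -Confirm:$false
```

Export-Mailbox writes its own log files as it runs; keep them with the change record, since the deletion pass is not reversible from Exchange itself.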
Improvements in message transit security
• E-mail is encrypted in transit
  ● Hub to Mailbox
  ● Hub to Hub
  ● Edge to Hub
  ● Edge to Edge
• Alternately, external connections can be encrypted AND authenticated using certificate authentication
Mailbox ↔ Hub
• Authentication: Mutual by Kerberos
• Encryption: TLS
[Diagram: Mailbox server ↔ Hub Transport server, TLS & Kerberos]
Hub ↔ Hub
• Authentication: Mutual by Kerberos
• Encryption: TLS
[Diagram: Hub Transport server ↔ Hub Transport server, TLS & Kerberos]
Edge ↔ Hub
• Authentication: Mutual via certificates
• Encryption: TLS
[Diagram: Edge Transport server (perimeter) ↔ Hub Transport server (internal network), TLS & mutual authentication]
Edge ↔ Edge
• Mutual authentication (Domain Security)
  ● Certificate + TLS
[Diagram: Edge Transport server (perimeter) ↔ Internet ↔ Edge Transport server (partner perimeter), TLS & certificates]
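The Edge ↔ Edge case above (Domain Security: mutual certificate authentication plus TLS with a named partner domain) is configured on the connectors and the transport configuration rather than per message. The script below is an added example, not from the slides. It assumes a CA-issued certificate for the Edge server is already in the local machine store, a partner domain partner.example, a Send connector named Internet and an Edge server named EDGE01; the names and the connector identities are illustrative, and the transport-config step is run on a Hub Transport server so EdgeSync carries it to the Edge.

```powershell
# Added example (not from the slides): Domain Security (mutual TLS) with a partner
# domain. Certificate subject, partner domain, connector and server names are
# illustrative; the certificate is assumed to be already imported on the Edge server.

# On the Edge server: enable the CA-issued certificate for SMTP so STARTTLS can
# present a certificate the partner's CA trust list will accept.
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*CN=edge01.contoso.example*" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# On a Hub Transport server (replicated to the Edge by EdgeSync): the domains that
# must be mutually authenticated, separately for the send and receive directions.
Set-TransportConfig -TLSSendDomainSecureList "partner.example" `
    -TLSReceiveDomainSecureList "partner.example"

# Outbound: Domain Security requires DNS routing (no smart host) on the Send connector.
Set-SendConnector -Identity "Internet" -DomainSecureEnabled $true -DNSRoutingEnabled $true

# Inbound: the Internet-facing Receive connector must offer TLS for Domain Security.
Set-ReceiveConnector -Identity "EDGE01\Default internal receive connector EDGE01" `
    -DomainSecureEnabled $true -AuthMechanism TLS

# Verify the lists; a message that arrives from partner.example without passing mutual
# authentication will not be delivered, which is the point of the control.
Get-TransportConfig | Format-List TLSSendDomainSecureList,TLSReceiveDomainSecureList
```

The failure mode to plan for is a certificate on either side expiring: Domain Security then rejects the partner's mail rather than falling back to opportunistic TLS, so certificate expiry monitoring is part of this configuration, not an afterthought.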
Introducing the Edge Transport
• Why use the Edge Transport server?
• Placement of the Edge Transport server role
• Adding anti-spam to the Edge Transport
The Need For The Edge
• Exchange Server 2003: Monolithic architecture
  ● No granular control over which code modules are installed
  ● The Store service is required for SMTP delivery of NDRs
  ● Servers must be part of an Active Directory domain
  ● Perceived to be vulnerable as a border MTA
• Mail routers on the edge have specialized needs
  ● Hardening against increased security threats
  ● Make intelligent routing choices
  ● Reject bad messages; do not allow them into the organization
  ● Enforce message hygiene and policy
  ● Minimize firewall exposure and reconfiguration
Exchange Server 2007 On The Edge
• Full AD integration without AD exposure
• Easier than ever to provide secure transit without a lot of configuration
• Enforce compliance policies on inbound and outbound mail
• Extensive message hygiene features
  ● Enterprise-grade anti-spam
  ● Enterprise-grade anti-virus
• Fully scriptable
• Easily extended for third-party functionality
Exchange Server 2007 Filtering
• Connection filtering
  ● Drop bad connections based on source IP address
    • Allow/deny lists (IP, domain, sender, recipient)
    • DNS real-time blocklists
    • Third party allow lists
• Protocol filtering
  ● Drop bad connections based on the SMTP conversation
    • Sender filtering (local restrictions, Sender ID)
    • Recipient filtering
    • Protocol errors
  ● Protocol analysis
  ● Slow down persistent senders to avoid excessive resource consumption (tarpitting)
[Diagram: 1 Connection Filtering → 2 Sender & Recipient Filtering → 3 Content Filtering → Inbox or Junk E-mail]
Exchange Server 2007 Anti-Spam
• Content filtering
  ● Reject or bounce messages based on content cues
    • What’s in the message?
    • Who sent it?
    • What do we know about other messages from the same source?
    • Is there a postmark?
  ● Most resource intensive
• Quarantine
  ● Managed by the administrator
  ● Integrated with content filtering
  ● Freeing messages feeds back to the content filtering engine
Content Filtering
• Uses SmartScreen technology
• Composite score from several data sources
  ● Domain reputation
  ● Sender ID
  ● IP address presence on block lists
  ● Message characteristics and contents
  ● Computational puzzles
  ● Provides two confidence levels: spam and phish
  ● Regular automatic updates
• Custom weight lists
  ● Administrator-configurable word lists allow fine-tuning of results
• Transport rules allow centralized dynamic responses
Attachment Filtering
• Strip attachments
  ● By file size
  ● By MIME content type
  ● By file extension
• Looks inside ZIP archives
• Use transport rules to quickly block emerging threats
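The filtering stages on the preceding slides (connection, sender and recipient, content with quarantine, attachment stripping) each correspond to an Edge Transport agent with its own cmdlets. The script below is an added example, not from the slides: a baseline configuration for those stages on one Edge server. It assumes an Edge server named EDGE01 and a quarantine mailbox; the DNS block-list domain, the addresses, the word-list phrase and the thresholds are placeholders to be replaced with an organization's own values.

```powershell
# Added example (not from the slides): baseline Edge Transport anti-spam configuration
# following the deck's stages. Block-list domain, addresses, phrase and thresholds are
# placeholders; the receive connector name is the default one created on an Edge server.

# 1) Connection filtering: drop connections from IPs listed on a DNS block list.
Add-IPBlockListProvider -Name "Example DNSBL" -LookupDomain "dnsbl.example.net" -AnyMatch $true

# 2) Sender & recipient filtering: reject unknown recipients during the SMTP
#    conversation (no directory-harvest feedback via NDRs) and act on Sender ID results.
Set-RecipientFilterConfig -RecipientValidationEnabled $true -BlockListEnabled $true
Set-SenderIdConfig -SpoofedDomainAction Reject
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7

# Tarpitting: lengthen the delay before answering recipient rejections (default 5 s)
# so persistent senders cannot cheaply probe for valid addresses.
Set-ReceiveConnector -Identity "EDGE01\Default internal receive connector EDGE01" `
    -TarpitInterval 00:00:10

# 3) Content filtering: SCL thresholds. Reject above 8, quarantine 6-8, never silently
#    delete; the quarantine mailbox lets an admin release false positives, which feeds
#    back into the engine as the deck describes.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -SCLDeleteEnabled $false `
    -QuarantineMailbox "spamquarantine@contoso.example"
# Custom weight list: a phrase that should push the score up.
Add-ContentFilterPhrase -Phrase "free mortgage quote" -Influence BadWord

# 4) Attachment filtering: strip executable content by extension and by MIME type
#    (the agent also looks inside ZIP archives); keep the message, drop the attachment.
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType
Set-AttachmentFilterListConfig -Action Strip `
    -RejectResponse "Attachment removed by policy" `
    -AdminMessage "This attachment was removed by the Edge Transport server."

# Review the resulting configuration.
Get-ContentFilterConfig | Format-List SCL*,QuarantineMailbox
Get-AttachmentFilterEntry | Format-Table Name,Type -AutoSize
```

Ordering matters for cost as well as safety: the connection and recipient stages run before the message body is accepted, so tuning them well keeps the expensive content-filtering stage from seeing most junk at all.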
Transport AV By Role
• Edge Transport
  ● Filters inbound and outbound traffic
• Hub Transport
  ● Filters all e-mail between mailboxes
  ● …even on the same server
• Mailbox
  ● Scan the mailbox store
  ● Use the legacy VSAPI 2.5 interface
Forefront Security for Exchange Server
• Forefront server security solutions help protect messaging servers against viruses and worms
• Based on the mature Antigen product line
• Full support of Exchange Server 2007 features like transport stamping
• Advanced Protection: multiple scan engines at multiple layers throughout the corporate infrastructure provide maximum protection against e-mail and collaboration threats
• Availability & Control: tight integration with Microsoft Exchange, Windows-based SMTP, SharePoint and Live Communications Servers maximizes availability and management control
• Secure Content: ensures organizations can eliminate inappropriate language and dangerous attachments from internal and external communications
Overview of Unified Messaging
• What is Unified Messaging?
• Delivering access to e-mail from anywhere
• The Unified Messaging server role
• Common terms and concepts
What Is Unified Messaging?
• Solution: put voice and fax data into the Inbox
  ● Gives deskbound users access to all communications from one place
  ● Gives mobile users access to all data from laptop, browser, mobile device, and telephone
Expanding Anywhere Access
• Some users use Outlook heavily
  ● They want all data types in one place
• Other users travel frequently and don't always have access to Outlook
  ● They want access to data from any location and device
• How can we deliver both?
Exchange Unified Messaging
● New server role
● Connects the physical phone system with Exchange storage
● Accepts voice and fax messages and delivers them to users' inboxes
● Applies admin-specified call routing rules
● Provides Automated Attendant service
● Provides Outlook Voice Access
Exchange Unified Messaging
[Diagram: the PBX / IP-PBX and a VoIP gateway connect internal phones, external phones on the PSTN (TDM) and fax to the Unified Messaging server over VoIP; the UM server uses SMTP to the Hub Transport server, LDAP to the directory server and MAPI RPC to the Mailbox server, all within one site and forest; Outlook (RPC/HTTPS), Outlook Web Access and Exchange ActiveSync reach the Client Access server over HTTPS from the Internet]
Exchange Unified Messaging
• Unified Messaging server
  ● Accepts and routes calls
  ● Records and plays back voice messages
  ● Receives faxes
  ● Outlook Voice Access
• Mailbox server
  ● Holds user mailboxes
• Client Access Server
  ● Allows Outlook, OWA and EAS clients to access mailbox contents
• Hub Transport server
  ● Moves messages from UM to the mailbox server
  ● Provides store-and-forward in case of a mailbox outage
  ● Applies policies for archiving and compliance
Exchange Unified Messaging
• Unified Messaging depends on several new Active Directory objects
  ● Gateways
  ● Dial plans
  ● Hunt groups
  ● Pilot numbers
  ● Mailbox policies
  ● Automated Attendants
Unified Messaging: Mailbox Policies
• Policies control what UM features the mailbox can use
  ● How long is the PIN and when must it be changed?
  ● PIN lockout policies
  ● Maximum greeting duration
  ● Can the mailbox use Outlook Voice Access?
• You can create multiple policies
• Each mailbox can only have one policy applied
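Each of the policy questions above (PIN length and lifetime, lockout, greeting length, Outlook Voice Access) is a parameter on the UM mailbox policy. The script below is an added example, not from the slides; it assumes a dial plan named HQ Dial Plan, a policy name, a user alias jsmith and an extension, all illustrative.

```powershell
# Added example (not from the slides): a UM mailbox policy that tightens PIN handling
# and then a mailbox enabled under it. Dial plan, policy, alias and extension are
# illustrative; the PIN parameter ranges are those accepted by Set-UMMailboxPolicy.

New-UMMailboxPolicy -Name "HQ Secure UM Policy" -UMDialPlan "HQ Dial Plan"

Set-UMMailboxPolicy -Identity "HQ Secure UM Policy" `
    -MinPINLength 8 `                  # how long is the PIN (4-24 digits)
    -PINLifetime 90 `                  # when must it be changed (days)
    -PINHistoryCount 10 `              # previous PINs that cannot be reused
    -AllowCommonPatterns $false `      # reject 1234, 1111, the extension itself, etc.
    -MaxLogonAttempts 5 `              # lockout: attempts before the mailbox is locked
    -LogonFailuresBeforePINReset 3 `   # must be lower than MaxLogonAttempts
    -MaxGreetingDuration 2 `           # minutes
    -AllowSubscriberAccess $true `     # Outlook Voice Access permitted for this policy
    -AllowMissedCallNotifications $true

# Enable a mailbox for UM under the policy. Extensions are unique within a dial plan;
# -PinExpired forces a PIN change on first use so the initial PIN is never the long-term one.
Enable-UMMailbox -Identity jsmith -UMMailboxPolicy "HQ Secure UM Policy" `
    -Extensions 4521 -PinExpired $true

# Confirm the effective settings.
Get-UMMailboxPolicy -Identity "HQ Secure UM Policy" |
    Format-List MinPINLength,PINLifetime,PINHistoryCount,AllowCommonPatterns,MaxLogonAttempts,LogonFailuresBeforePINReset,AllowSubscriberAccess
```

A user whose account is locked after MaxLogonAttempts needs an administrator to reset the PIN with Set-UMMailboxPIN; LogonFailuresBeforePINReset is the lower threshold at which the system itself forces a new PIN, which is why it must be the smaller of the two numbers.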
Unified Messaging Audio Encoding
• Exchange Server 2007 Unified Messaging supports 3 different codecs
  ● Uncompressed: 64kbps, same as standard phone audio bandwidth
  ● GSM: approximately 8kbps
  ● Windows Mobile (default): 4kb + 1kbps
• Codec choice is set as part of the Exchange organization settings
Unified Communications
• A little gazing into my crystal ball
• “Presence” will be everywhere
• Contacting you when you need/want to be contacted
Communications Convergence
[Diagram: communication capabilities (e-mail/calendaring, mobile phones, voicemail, fax) converge into integrated communication solutions (IM and presence, web and video conferencing, VoIP, PBX integration, integration with applications, IP telephony, unified messaging, mobile/remote solutions) and then into horizontally integrated communications (expanded VoIP scenarios, common directory, standards based)]
The Role of Real-Time
• Messaging / calendaring are asynchronous
  ● Sending and receipt are decoupled
  ● Explicitly store-and-forward by design
• Not every kind of interaction is asynchronous
  ● Passing notes vs. having a conversation
  ● “Phone tag” and “voice mail jail” vs IM and conferencing
Microsoft Office Communicator 2005
Office Communications Server 2007
Investment Themes
• Enhanced Enterprise IM
  ● Group IM
  ● Enhanced presence
  ● Improved scalability, security, compliance, and manageability
• Multi-Party On-Premise Conferencing
  ● Ad-hoc and scheduled online meeting capabilities
  ● Flexible IP audio / video conversations and meetings
  ● RoundTable with panoramic view of the room
• Call Management
  ● Rich, integrated voice offering
  ● Presence-enabled IP phone experience
  ● Control of the desktop phone
Enhanced Enterprise IM
• Integration with Exchange distribution groups
  ● No longer need to manually duplicate groups
  ● Use the group in real time or add it to the contact list
  ● Send messages or invitations to groups at once
Presence Everywhere
• Presence sprinkled everywhere in Outlook
• SharePoint integration
• Contextual entry points
Interruption Management
• Send all communications to voicemail when in do-not-disturb
• Allow specific people breakthrough privileges
• Lightweight notification in presentation mode
• Suppression of audio notifications based on how busy the user is
Consolidated History In Outlook
• Automatic history for all IMs and calls
• Custom forms and views in Outlook
• Missed call entry point in Communicator
Integration with OneNote 2007
• Make notes during a call with OneNote – straight from the conversation window
• Stored call logs can link to the OneNote notes
Questions?
Book giveaway
• Keep an eye out for Mastering Exchange Server 2007 – due out in late April
Free eBook from realtimepublishers.com
• Tips and Tricks Guide to Secure Messaging
• Free download!
  ● http://nexus.realtimepublishers.com/ttgsm.htm
• Watch for the Exchange Storage Solutions eBook soon!
Links and more information
• Mostly Exchange blog (me!)
  ● http://mostlyexchange.blogspot.com
• Exchange Team blog
  ● http://msexchangeteam.com/
• Exchange Home Page
  ● http://www.microsoft.com/exchange
• Bharat Suneja’s Exchangepedia blog
  ● http://exchangepedia.com/blog
• Devin Ganger’s (e)Mail Insecurity blog
  ● http://blogs.3sharp.com/blog/deving
• Paul Robichaux’s Down Home blog
  ● http://www.robichaux.net/blog
• Exchange 2007 Wiki
  ● http://ww.exchangeninjas.com
• Exchange 2007 Documentation
  ● http://go.microsoft.com/fwlink/?LinkId=69434