New Collaboration and Security Options boost Work in Microsoft Exchange Server 2007. What’s new in latest SP1?
November 29, 2007
Service Pack 1 for Microsoft Exchange Server 2007 is due for release on 30 November 2007! Microsoft has prepared a major update for its flagship mail server which has now received many new features and improvements and can be downloaded from site.
Support for new platform
Microsoft Exchange Server is now fully compatible with Microsoft Windows Server 2008 and can be deployed to a computer running Windows Server 2008 RC0 Escrow build. The full list of supported operating systems can be found here.
Exchange Server 2007 SP1 has a mixed IPv6 128-bit addressing by default when running on a Windows Server 2008 platform. That is it only runs IPv6 when the obsolescent protocol IPv4 is enabled. Otherwise Exchange server will fail running on IP. If you are running a deployment for multiple machines you can create a rule to deploy only for the defined IPv6 range thus avoiding unsupported setup conditions with IPv6-enabled management tools or based on general information about support of IPv6 in Microsoft operating systems. Another way is to call a function that can resolve to an IPv6-address, that is something like IsResolvableEx used to resolve a hostname when performing a Web-Proxy autodiscovery or just issue a ping command on IPv6-address like say
ping6 -n 2 ::1
That is we ping 2 times on a loopback address 0:0:0:0:0:0:0:1 using a short notation (two-colon notation) for writing IPv6 addresses.
New features were added to a remote access for a remote client
Exchange Active Sync a has received a remote wipe confirmation feature and is now enabled with Enhanced Exchange ActiveSync mailbox policy settings which include ability to
Disable Removable Storage
Disable POP/IMAP e-mail
Block Internet Sharing
It both provides for a data protection and ensures a security for sensitive data on mobile devices should they be stolen or accidentally lost by user. This all can be done centrally from within Exchange Management Console or Exchange Management Shell and works in a best traditions of what is meant under a centralized management.
Mobile work becomes faster
The new Service Pack improves and speeds-up long-standing connections between a server and a mobile device mobile devices.
Dramatic improvements in remote work though Outlook Web Access
Microsoft has completely rewritten the Outlook Web Access in Exchange Server 2007 and SP1 brought many of those that were not enabled in the RTM so that OWA now comes with lightning new features too.
First off, running in a Light mode OWA does not time out any longer and no longer drops the session out if user is composing a long message or just working with its calendar for a long time. OWA now prevents you from losing your typed messages by automatically saving the them in as Draft folder as-you-type.
In Premium mode for Outlook Web Access it is now possible for a user to create and edit Personal Distribution Lists and server side rules.
What about support for Microsoft Office System 2007? WebReady Document Viewing has finally been added with support for decoding and viewing in HTML of Word/Excel and PowerPoint X-Documents in OpenXML format.
It is now possible to copy or move folders using a dedicated context menu command.
Public Folders functionality now offers following features:
It is now possible to get full access to public folders from OWA and you don’t have to use the Public virtual directory. And you can get full access to public folders on Exchange 2007 Mailbox servers is now available for users without the need for you to provide Public Folder access from Outlook Web Access on Exchange 2003 Mailbox server. Microsoft has also added search features for Public Folders.
Increased manageability within Exchange Management Console
Exchange Management Console has been enhanced with a brand new interface for administering POP3 and IMAP4 protocols.
Hub Transport Server role has been added with functionality to set message size limits on Active Directory site links.
New features in Mailbox Server role
It is now possible to import and export mailbox by using .pst files. I believe this will provide greater flexibility administrator especially combined with such functionally available in standalone applications as automatic configuration of .pst files for the end user profile.
Those companies that use IP telephony are now able to create SIP URI and E.164 dial plans and add a SIP or E.164 address for a user by using the Enable Unified Messaging Wizard.
Exchange Web Services were added with a more granular permission configuration that now supports configuring folder level permissions so that both users and user applications are now able to list and configure permissions on folders. It is also possible to delegate management with services.
Official Document describing what’s new in Exchange Server 2007 SP1
Automatic configuration of mailboxes and Outlook profiles for the client side on the post-deployment stage
Additional information on what you have to do to deploy Exchange Server 2007 SP1 on Windows Server 2008 and Windows Server 2003 family
More information about what’s new about client access features in Exchange Server 2007 SP1
Outlook: Enable Users to Remotely Access Corporate Mail From Anywhere. Part I Introduction. Setting Up and Configuring Server Side
April 13, 2007
We have several divisions where people mostly roam from one location to another be it a business trip or just a remote work. But as that’s all about doing their jobs they need the information they basically can access only right from the office. One of such types of information is surely their personal corporate mail. That’s how we work today. If we have no access to any collaboration services our work gets stuck. And the mail is the main thing there. So the core task for every system administrator today is how to provide the user with access to their corporate mail remotely from any place no matter where the user will decide to access it from.
How to do that?
One way is to create a Virtual Private Network (VPN). But what if by some reasons you can’t or simply don’t want to setup VPN to avoid making the things for users even more complex? What can you do here? What should you start with? The core term here is “RPC over HTTP“, where RPC is the Remote Procedure Call, a protocol that allows interprocess communications between client and server sides so that a component to be accessed remotely in such a way that we don’t even need to know any low-level information. This is the technology that allows Outlook users to connect to their Exchange mailbox from a remote place. And there’s no need to have a VPN connection. It allows accessing Exchange servers right through your default corporate LAN’s firewall using the basic ports used by browsers to access unsecure and secure contents on the internet. The ports that should be opened to allow access are the TCP port 80 used for basic unsecure connections and the SSL port 443 used for secure connections that are established using the Secure Sockets Layer protocol which is used as basis protocol for the Transport Layer Security (TLS) protocol which version 1.1. is defined in the RFC4346 document.
What should we do to enable all that for our users?
The process contains least two parts we should do to implement the functionality. As we are talking about client-server communications we need to prepare the configurations on both the server as the client. We will consider the Microsoft Exchange Server 2003 installed on the Windows Server 2003 Service Pack 1 and above to be the server side and Microsoft Office Outlook 2003 installed on the Windows XP Professional Service Pack 2 to be the client side.
Configuring Server Side
Let’s start configuring the setup from the server side. First of all we need to configure Exchange Server 2003 back-end server as an RPC proxy server. The process here starts with installing the additional component RPC over HTTP Proxy from the Windows Server Setup Disk. To do that:
1. Click Start and select Control Panel|Add or Remove Programs to start the Add or Remove Programs applet
2. In the Add or Remove Programs windows click Add/Remove Windows Components button
3. The Windows Components screen of the Windows Components Wizard will appear
4. Select Networking Sevices and click the Details button to open the Networking Sevices dialog
4. In the dialog box, check the RPC over HTTP Proxy checkbox and click OK
The RPC component will be installed on the system and the RPC virtual directory will be created on the IIS. Now we need to configure authentication and the encryption.
Configuring client authentication
Basic authentication will be used to authenticate users. This type of authentication has one very annoying property: it sends creadentials in the pure form as the plain text. That’s why we will need to configure SSL and implement the encryption to be used for passing the credentials.
To configure that
1. Click Start and select Programs|Administrative Tools|Internet Information Services (IIS) Manager to start the IIS manager
2. In the manager window navigate to Web Sites and select Default Web Site
3. Expand Default Web Site, right-click the RPC virtual directory, and select Properties command from the shortcut menu
4. In the RPC Virtual Directory Properties page switch to the Directory Security tab
5. Under Anonymous Access and Authentication Control pane click Edit button.
6. The Authentication Methods dialog box will appear
7. Uncheck the Enable Anonymous Access checkbox
That’s needed because by default RPC over HTTP doesn’t allow anonymous access
8. Under Authenticated access section, select the check box Basic authentication (password is sent in clear text)
9. You can also allow the NTLM Windows authentication and leave the Integrated Windows authentication checkbox checked
Microsoft has a note on this type of authentication:
“It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM – it doesn’t support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy, which inserts via the pragma in the HTTP header, NTLM authentication will not work”
10. End with the warning message and ensure that you have correct SSL certificate installed on your server
Now we need to enabled SSL to be used for the RPC Virtual Directory. To do that
1. On the same Directory Security tab mentioned above click Edit button under Secure communications
2. Check both the Require secure channel (SSL) and the Require 128-bit encryption check boxes
3. Click OK to save settings and close the window
See How to Configure the RPC Virtual Directory in IIS article for the detailed info
The next step is to configure the RPC proxy server on Exchange Server 2003 to use specified port range for RPC over HTTP. To do that:
1. Open registry editor by typing regedit in the Run dialog box
2. In the Regsitry Editor navigate to the path
Create the ValidPorts string REG_SZ parameter and set it to the value the is built in the following manner
to open the port range 6001-6002 and one single port 6004
Now we need to configure our Exchange 2003 back-end servers (the GC, Global Catalog servers) and set the NT Directory Services (NTDS) port on them. So we again should to specify registry parameter to do that. This time we need to open the
create a REG_MULTI_SZ ‘NSPI interface protocol sequences’ parameter and set it to value NCACN_HTTP:6004
We ended with the specific preliminary tasks on the server and can start with configuring client application (that is the Outlook 2003) profile to work with RPC over HTTPS. But that’s the story to be covered in the next part when we will talk about client side configuration.
Technorati tag: remote work remote mail client-server exchange properties corporate mail private network RPC over HTTP open port back-end server NTLM authentication basic authentication secure mail exchange mailbox mail configuration collaboration registry IIS VPN proxy Microsoft Office mobile users outlook profiles exchange profiles OWA virtual directory remote access firewall
March 19, 2007
I work in a company that provides various kinds of services. We have a pretty distributed corporate network throughout the country. Many people use our mailing server to collaborate with each other. Some work in local offices, some go out for a business trip. Add here the never-ending flow of incoming clientèle and you’ll probably see yourself as it’s you are talking from this blog. Nothing that unusual. We know it’s our normal quite serene working day in IT department. No matter where we are actually working in. Routine. Returning back to what I have in my corp. As we also have external offices this adds the additional complexion. We definitely needed some way to separate client accounts at least to differentiate between customers and workers. The standard way to answer the task is to use outlook profiles. That’s what we did.
We started with quite a brute way of making this. We wrote down the guide on the corporate intranet site describing the steps the new user should take himself to setup outlook profiles. Again nothing that comes extremely unusual, just the standard multi-step follow-up to guide user through the manual configuration. Except that the diversity of users forced us to enhance the guide to handle several basic configurations of used version of Outlook and the operating system it runs on.
Here I will go a little bit aside to talk about intentions and decisions. (Sometimes they differ, huh?) First I wasn’t thinking about showing you that ‘guide’ we created. I just didn’t want to attack you with additional strings of ASCII bytes to narrow the excess and cancel the empty non-informative noise. But then I come thinking of why not to show you our errors and describe the underlying story a bit more detailed to get it more descriptive and explanatory. This would bring some humor and joy and allow some of you to not repeat my errors. Sometimes it gets the positive result if someone learns from the errors of your own. So I decided to include that our user manual and put some extra info to show how we found the the way to resolve the problem settled down the internal and external collaboration to run in a fully automated way. Here it is in all its glance though in a slightly abridged form (I cut down the specific info).
How to set up Outlook profiles to work with your mail in the XYZ corporation network
Operating System: Windows 98
Outlook client: Microsoft Outlook 2000
1. Click Start
2. Select Settings\Control Panel to open the Control Panel window
3. Locate the Mail or Mail and Fax icon and double-click on it to launch the applet
4. In the Mail dialog box opened Add button to start the Inbox Setup Wizard
5. In the wizard page opened select the Use the following information services radio button and check the Microsoft Exchange Server check box in the scrolling field below
6. Click next to move to next wizard dialog box
7. Click into Microsoft Exchange server field and type the following in it
8. Switch to second field on the wizard dialog box and type your last name
9. Click next to move to next wizard dialog box
10. Click No when prompted to ask “Do you travel with this computer?” question
11. Click Finish to close the wizard
12. Select the created profile and click Properties button
13. On the XYZ Corporation Properties mailbox dialog box select the Microsoft Exchange Server and click Properties button
14. In the Microsoft Exchange Server dialog box opened check you’ve entered correct settings for the mail server address and the name of your mailbox we put previously in steps 7 and 8. Revise if the mail server address was typed correctly and listed as
as you wouldn’t be able to work with mail if the address was incorrectly set
15. Click OK to close the window
16. Now double click the Outlook icon on your desktop to start mailing program.
17. In the Enter password dialog box type
18. Your login name into the User Name field
19. XYZ in the in the Domain Name field
20. Your password into the Password field
Note: if you don’t know your your login and password check with your supplementary Account setup form list or contact system administrator by phone to get them BEFORE proceeding with next step
21. When entered click OK to proceed with settings and log in to mailbox
Note: if you need to create multiprofile setup, refer to How to create multiprofile mail setup document on the http://intranet/techinfo/mail/outlook/ompmbseetup.doc
Operating System: Windows 2000, Windows XP
Outlook client: Microsoft Outlook 2002, Microsoft Office Outlook 2003
1. Click Start
2. Control Panel to open the Control Panel window
3. Locate the Mail icon and click on it to launch the applet
4. In the Mail dialog box opened Add button and enter the profile name in the New Profile dialog box
5. In the Mail Setup – Outlook dialog box click on the E-mail Accounts… button to launch the E-mail Accounts wizard
6. Select Add a new e-mail account radio button to be able to add your new Outlook account
7. Click Next to go to next wizard dialog box
8. On the Server type dialog select Microsoft Exchange Server radio button and click next
9. On the Exchange Server Settings dialog box fill in the field with the data contained in the supplementary Account setup form list or contact system administrator by phone to get the info
10. In the Microsoft Exchange Server field enter mail.xyz.com as the address to be used by Outlook to connect and retrieve your personal mail
11.1 If you are using Office Outlook 2003 check the Use Cached Exchange Mode checkbox below
11.2 If that is not true and you are using the previous version of Microsoft Outlook go to next step
12. In the User Name field enter the name to be used for your mail box. If you don’t know your username, click Start and use the name written in the caption of the Start menu
13. Click Check name to verify the entered name and avoid conflict with existing names (if any)
14.1 If you are using Windows XP, enter email@example.com in the User name field and fill in the password in the field below
14.2 If you are using Windows 2000, enter your username in the User name field, fill in the password in the next field and enter xyz in the Domain name field
15. If Microsoft Outlook notification message box appears notifying you about existing personal folders appears, go to step 17
16. Setup is now finished. Click Finish button the save settings and exit the Outlook configuration wizard
17. Click Yes button to confirm and continue
18. Start the Mail Setup – Outlook dialog box (see step 5 above) click on the E-mail Accounts… button to launch the E-mail Accounts wizard
19. Select View or change existing e-mail accounts radio button and click Next button
20. In the E-mail Accounts dialog select Microsoft Exchange Server entry within the Outlook processes e-mail for these accounts in the following order
21. Server will ask you to authenticate. Enter the data as discribed in steps 14.x above
22. Change delivery target in the Deliver new mail to the following location drop-down list and choose Mailbox – Username, where Username will be the name you used to authenticate and click Finish
Pretty complicated, isn’t it? I bet you agree. Imagine how complex this comes for the person who doesn’t need to know deep in IT and just wants to concentrate on his personal work responsibilities. Twenty steps to complete to just configure mail profile. That last not too long until we realized that this mess cant last any longer and we should implement something to smooth the process for users and, if possible, make it completely automatic and transparent for the user.
How to create a new e-mail profile in Outlook 2007 and in Outlook 2003
Overview of Outlook e-mail profiles
Create a new e-mail profile in Outlook
Manage Outlook profiles
Get the version number for your Office program and information about your computer
Use Outlook Anywhere to connect to your Exchange server without VPN
What is a Microsoft Exchange account?
Change the password for your .pst file
Scan and repair corrupted Outlook data files
Turn on or off Cached Exchange Mode
More blogs about outlook profiles.