Service Pack 1 for Microsoft Exchange Server 2007 is due for release on 30 November 2007! Microsoft has prepared a major update for its flagship mail server which has now received many new features and improvements and can be downloaded from site.

Support for new platform

Microsoft Exchange Server is now fully compatible with Microsoft Windows Server 2008 and can be deployed to a computer running Windows Server 2008 RC0 Escrow build. The full list of supported operating systems can be found here.
Exchange Server 2007 SP1 has a mixed IPv6 128-bit addressing by default when running on a Windows Server 2008 platform. That is it only runs IPv6 when the obsolescent protocol IPv4 is enabled. Otherwise Exchange server will fail running on IP. If you are running a deployment for multiple machines you can create a rule to deploy only for the defined IPv6 range thus avoiding unsupported setup conditions with IPv6-enabled management tools or based on general information about support of IPv6 in Microsoft operating systems. Another way is to call a function that can resolve to an IPv6-address, that is something like IsResolvableEx used to resolve a hostname when performing a Web-Proxy autodiscovery or just issue a ping command on IPv6-address like say

ping6 -n 2 ::1

That is we ping 2 times on a loopback address 0:0:0:0:0:0:0:1 using a short notation (two-colon notation) for writing IPv6 addresses.

New features were added to a remote access for a remote client

Exchange Active Sync a has received a remote wipe confirmation feature and is now enabled with Enhanced Exchange ActiveSync mailbox policy settings which include ability to
Disable Removable Storage
Disable Camera
Disable Wi-Fi
Disable POP/IMAP e-mail
Block Internet Sharing

It both provides for a data protection and ensures a security for sensitive data on mobile devices should they be stolen or accidentally lost by user. This all can be done centrally from within Exchange Management Console or Exchange Management Shell and works in a best traditions of what is meant under a centralized management.

Mobile work becomes faster

The new Service Pack improves and speeds-up long-standing connections between a server and a mobile device mobile devices.

Dramatic improvements in remote work though Outlook Web Access

Microsoft has completely rewritten the Outlook Web Access in Exchange Server 2007 and SP1 brought many of those that were not enabled in the RTM so that OWA now comes with lightning new features too.
First off, running in a Light mode OWA does not time out any longer and no longer drops the session out if user is composing a long message or just working with its calendar for a long time. OWA now prevents you from losing your typed messages by automatically saving the them in as Draft folder as-you-type.
In Premium mode for Outlook Web Access it is now possible for a user to create and edit Personal Distribution Lists and server side rules.
What about support for Microsoft Office System 2007? WebReady Document Viewing has finally been added with support for decoding and viewing in HTML of Word/Excel and PowerPoint X-Documents in OpenXML format.
It is now possible to copy or move folders using a dedicated context menu command.

Public Folders functionality now offers following features:
It is now possible to get full access to public folders from OWA and you don’t have to use the Public virtual directory. And you can get full access to public folders on Exchange 2007 Mailbox servers is now available for users without the need for you to provide Public Folder access from Outlook Web Access on Exchange 2003 Mailbox server. Microsoft has also added search features for Public Folders.

Increased manageability within Exchange Management Console

Exchange Management Console has been enhanced with a brand new interface for administering POP3 and IMAP4 protocols.

Hub Transport Server role has been added with functionality to set message size limits on Active Directory site links.

New features in Mailbox Server role

It is now possible to import and export mailbox by using .pst files. I believe this will provide greater flexibility administrator especially combined with such functionally available in standalone applications as automatic configuration of .pst files for the end user profile.

Those companies that use IP telephony are now able to create SIP URI and E.164 dial plans and add a SIP or E.164 address for a user by using the Enable Unified Messaging Wizard.

Security changes

Exchange Web Services were added with a more granular permission configuration that now supports configuring folder level permissions so that both users and user applications are now able to list and configure permissions on folders. It is also possible to delegate management with services.

Official Document describing what’s new in Exchange Server 2007 SP1
Automatic configuration of mailboxes and Outlook profiles for the client side on the post-deployment stage
Additional information on what you have to do to deploy Exchange Server 2007 SP1 on Windows Server 2008 and Windows Server 2003 family
More information about what’s new about client access features in Exchange Server 2007 SP1


We ended with configuring of server side to prepare the remote access to Exchange mailbox from the outside. Now we can start configuring the client side. In other words, we need to what we should do as the users to be able to receive corporate mail while we are sitting home or traveling with our laptop on the business trip. But before we will do that I will go a little backward and say that we as admins should pay our attention to the fact how we configure our environment. In that our specific case when we should provide user with access to the network the outer network perimeter is what pays our attention. What we do usually to prevent ourselves from being attacked from the outside? As with medieval battles, we close our doors, close our windows (oopps, let leave Windows running for little more we haven’t finished with configuring its client application) and left just a pair of doors left open. For us themselves, our friends and our bodyguards. The same way we do when our medieval castle turns into our corporate network. We usually leave to ports open: the one for HTTP (that’s we ourselves as we as our friends, the users, need access to information) and the one for SSL (that’s our bodyguard that keeps our connection secure by using public key encryption). But aren’t we here to communicate with Exchange server? How will we do that if we just have HTTP(S)? We need to be able of doing remote procedure calls. But we blocked them! How should be manage to be able to use them anyway. Uh, again we should carry that weight on our own shoulders. Let’s help the RPC and let HTTP to carry it on top. That’s exactly what we do there. We use RPC over HTTP. We encapsulate RPC network filesystem commands into HTTP headers. So here’s the scheme we have:
1. We send the request from the Outlook client application via SSL
2. It then comes to the corporate firewall (such as ISA firewall)
3. As ISA sees HTTP traffic on its input it passes the flow forward
4. Now we have the Front-End Exchange server on our way. Shortly, front-end server is the component that authenticates and proxifies HTTP requests

Typically running IIS RPC over HTTP proxy service is enough. So the main thing here to get is proxy.

Note: if you are still running old Windows XP SP1 clients you should keep this and mind and prepare your system and install the hotfix specified in the article to make to Outlook work reliable.

Keep in mind that to configure the profile on the client side and begin working with RPC over HTTP you should have your RPC port (that is the 135 one) opened prior that. Here are the recommendations provided by Microsoft for building the Front-End and Back-End Topology:
“Open TCP ports on the intranet firewall for the protocols you are using:

80 for HTTP

143 for IMAP

110 for POP

25 for SMTP

691 for Link State Algorithm routing protocol

Open ports for Active Directory Communication:

TCP port 389 for LDAP to Directory Service

UDP port 389 for LDAP to Directory Service

TCP port 3268 for LDAP to Global Catalog Server

TCP port 88 for Kerberos authentication

UDP port 88 for Kerberos authentication

Open the ports required for access to the DNS server:

TCP port 53

UDP port 53

Open the appropriate ports for RPC communication:

TCP port 135 – RPC endpoint mapper

TCP ports 1024+ – random RPC service ports

(Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet to specify RPC traffic to a specific non random port. Then, open the appropriate ports on the internal firewall:

TCP port 135 – RPC endpoint mapper

TCP port 1600 (example) – RPC service port

If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa.

UDP port 500 – IKE

IP protocol 51 – AH

IP protocol 50 – ESP

UDP port 88 and TCP port 88 – Kerberos”

Still the great thing with Outlook 2003 is that it IS able to configure the profile even without port 135 opened! Yes, it will swear on you that you have not opened port 135 but in the end you will get the profile configured. You just need your DNS working properly.

We sorted out the underlying process and can now freely begin with setting up the client side.

1. The first step is as always to start Mail control panel applet to configure the MAPI profile. There are at least two ways to do that:
1. We can click Start\Control Panel\Mail
2. We can right-click the Outlook icon in the Start menu and select Properties from the context menu
2. In the opened Mail dialog click Add button to add or create new profile
3. Now create new mail account by selecting Add a new e-mail account in the E-mail Accounts wizard or change the existing one by selecting the View or change existing e-mail accounts
4. On the Server Type window select Microsoft Exchange Server and click Next
5. On the Exchange Server Settings window specify the Fully Qualified Domain Name for the front-end Exchange server (refer to the info shown in the IIS site certificate to get the right name) such as Type your user account in the Username field
6 . In the Microsoft Exchange Server dialog box switch to the Advanced tab (I recommed leaving the settings specified on the General tab intact), check Use local copy of Mailbox and set the Download only headers checkbox. This is expecially useful when configuring settings for the roaming client that uses laptop
7. Switch to the Security tab and check the Encrypt information checkbox
8. Now we are ready to do what are here for. Switch to the Connection tab and set Connect to my Exchange mailbox using HTTP checkbox
9. Click the Exchange Proxy Settings… button and configure the URL (such as used to connect to your RPC proxy by setting it in the Use this URL to connect to my proxy server for Exchange text box. Check the Mutually authenticate the session when connecting with SSL checkbox. In the Principal name for proxy server text box put the FQDN preceded with the msstd: string. So that with you should specify as the principal name for the proxy server
10.1. Check both checkboxes for the slow and fast connections
10.2 If you have the single Connect using HTTP first, then connect using my Local Area Network (LAN) checkbox only, now you know what Microsoft means under LAN…
11. Select Basic Authentication and click OK to close the Window
12. We finished the process and can now start the client application. Depending on whether you have that command in the Outlook icon in the notification area of the taskbar you willl be able to observe established connections to the server by choosing the status command.

Note: as Microsoft says Outlook (in contrast to Group Policy which is “defined by default as any rate slower than 500 kilobits per second (Kbps)“) “defines a fast connection as a connection that is faster than 128 kilobits per second (Kbps). Outlook defines a slow connection as a connection that is slower than or equal to 128 Kbps”

How to Create an Outlook Profile for Users to Use with RPC over HTTP
Target-based Automated Client Configuration with Ability to Update and Add the RPC over HTTP Functionality for the Domain User

The Group Policy Slow-Link Detection Formula

Technorati tag:

We have several divisions where people mostly roam from one location to another be it a business trip or just a remote work. But as that’s all about doing their jobs they need the information they basically can access only right from the office. One of such types of information is surely their personal corporate mail. That’s how we work today. If we have no access to any collaboration services our work gets stuck. And the mail is the main thing there. So the core task for every system administrator today is how to provide the user with access to their corporate mail remotely from any place no matter where the user will decide to access it from.

How to do that?

One way is to create a Virtual Private Network (VPN). But what if by some reasons you can’t or simply don’t want to setup VPN to avoid making the things for users even more complex? What can you do here? What should you start with? The core term here is “RPC over HTTP“, where RPC is the Remote Procedure Call, a protocol that allows interprocess communications between client and server sides so that a component to be accessed remotely in such a way that we don’t even need to know any low-level information. This is the technology that allows Outlook users to connect to their Exchange mailbox from a remote place. And there’s no need to have a VPN connection. It allows accessing Exchange servers right through your default corporate LAN’s firewall using the basic ports used by browsers to access unsecure and secure contents on the internet. The ports that should be opened to allow access are the TCP port 80 used for basic unsecure connections and the SSL port 443 used for secure connections that are established using the Secure Sockets Layer protocol which is used as basis protocol for the Transport Layer Security (TLS) protocol which version 1.1. is defined in the RFC4346 document.

What should we do to enable all that for our users?

The process contains least two parts we should do to implement the functionality. As we are talking about client-server communications we need to prepare the configurations on both the server as the client. We will consider the Microsoft Exchange Server 2003 installed on the Windows Server 2003 Service Pack 1 and above to be the server side and Microsoft Office Outlook 2003 installed on the Windows XP Professional Service Pack 2 to be the client side.
Configuring Server Side
Let’s start configuring the setup from the server side. First of all we need to configure Exchange Server 2003 back-end server as an RPC proxy server. The process here starts with installing the additional component RPC over HTTP Proxy from the Windows Server Setup Disk. To do that:
1. Click Start and select Control Panel|Add or Remove Programs to start the Add or Remove Programs applet
2. In the Add or Remove Programs windows click Add/Remove Windows Components button
3. The Windows Components screen of the Windows Components Wizard will appear
4. Select Networking Sevices and click the Details button to open the Networking Sevices dialog
4. In the dialog box, check the RPC over HTTP Proxy checkbox and click OK

The RPC component will be installed on the system and the RPC virtual directory will be created on the IIS. Now we need to configure authentication and the encryption.

Configuring client authentication

Basic authentication will be used to authenticate users. This type of authentication has one very annoying property: it sends creadentials in the pure form as the plain text. That’s why we will need to configure SSL and implement the encryption to be used for passing the credentials.
To configure that
1. Click Start and select Programs|Administrative Tools|Internet Information Services (IIS) Manager to start the IIS manager
2. In the manager window navigate to Web Sites and select Default Web Site
3. Expand Default Web Site, right-click the RPC virtual directory, and select Properties command from the shortcut menu
4. In the RPC Virtual Directory Properties page switch to the Directory Security tab
5. Under Anonymous Access and Authentication Control pane click Edit button.
6. The Authentication Methods dialog box will appear
7. Uncheck the Enable Anonymous Access checkbox

That’s needed because by default RPC over HTTP doesn’t allow anonymous access

8. Under Authenticated access section, select the check box Basic authentication (password is sent in clear text)
9. You can also allow the NTLM Windows authentication and leave the Integrated Windows authentication checkbox checked

Microsoft has a note on this type of authentication:
It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM – it doesn’t support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy, which inserts via the pragma in the HTTP header, NTLM authentication will not work

10. End with the warning message and ensure that you have correct SSL certificate installed on your server

Now we need to enabled SSL to be used for the RPC Virtual Directory. To do that

1. On the same Directory Security tab mentioned above click Edit button under Secure communications
2. Check both the Require secure channel (SSL) and the Require 128-bit encryption check boxes
3. Click OK to save settings and close the window

See How to Configure the RPC Virtual Directory in IIS article for the detailed info

The next step is to configure the RPC proxy server on Exchange Server 2003 to use specified port range for RPC over HTTP. To do that:
1. Open registry editor by typing regedit in the Run dialog box
2. In the Regsitry Editor navigate to the path


Create the ValidPorts string REG_SZ parameter and set it to the value the is built in the following manner


to open the port range 6001-6002 and one single port 6004

Now we need to configure our Exchange 2003 back-end servers (the GC, Global Catalog servers) and set the NT Directory Services (NTDS) port on them. So we again should to specify registry parameter to do that. This time we need to open the


create a REG_MULTI_SZ ‘NSPI interface protocol sequences’ parameter and set it to value NCACN_HTTP:6004

We ended with the specific preliminary tasks on the server and can start with configuring client application (that is the Outlook 2003) profile to work with RPC over HTTPS. But that’s the story to be covered in the next part when we will talk about client side configuration.

Further info:
RPC over HTTP Interactions on the RPC Proxy Server
How RPC Works
Automatic Configuration of The Client Side
RPC over HTTP Authentication and Security

Technorati tag: