A Walkthrough – Data Loss Prevention in Microsoft Exchange Server 2013

Introducing Data Loss Prevention – Microsoft Exchange Server 2013

Let me start with the objective of Data Loss Prevention (DLP) in Microsoft Exchange Server 2013 (also called "The New Exchange", a cloud-centric messaging version): it is to prevent the accidental loss of data sent by email. It educates both end users (through Policy Tip alerts, so that confidential data isn't leaked by accident) and Exchange administrators (by making them understand what risk the organization is carrying and how to mitigate it).

I’ve scanned/read through TechNet, TechEd (videos) and some experts’ blogs, and in my experience it’s a wonderful feature that is gradually meeting the business need to protect against accidental leaks of data via email (alone).

Who should plan or think of implementing DLP? – Ask yourselves, and let me help you too.

IMHO: organizations in the banking sector, financial institutions, and any other firms that are strict about following and implementing regulatory and compliance requirements with regard to email security.

Do you suspect there might be a leak in your email traffic of financial data such as SSNs, credit card details, IP addresses, or whatever permutation and combination comes to your mind that could be contained as text in an email body?

There is also the chance of accidental loss of confidential data when a user sends an email to internal or external recipients that he/she didn’t intend to send – LOL, whatever the user’s justification is.

No worries – we’ll see how it can be prevented & protected.

What are the prerequisites?

  • Microsoft Exchange Server 2013 On-Premises / Office 365 / Hybrid are supported; DLP policies aren’t applied to mailboxes on lower versions.
  • It requires an Enterprise CAL license.
  • It works as a whole only with Outlook 2013, since the full functionality (Policy Tips in particular) depends on the client and is not available in lower versions of Outlook.
  • The DLP rules will still work with Outlook 2007, but the Policy Tips feature will be missing.

Any Advantages?

  • Of course, users will not be able to send out confidential data accidentally via email.
  • Exchange folks can now analyze/track the number of email transactions and build a report of which confidential emails were transacted according to the company’s compliance policies. This in turn builds knowledge and makes them aware of how users are meeting the organization’s compliance requirements.
  • Users are educated with the help of Policy Tips when they accidentally try to leak confidential data, and based on the rules you can allow the user to override or completely block the message.
  • You can double-secure by implementing AD RMS and integrating it with the DLP transport rule, as was done in the legacy version (talking about simple transport rules).
  • Even if Outlook 2013 is in cached mode or offline, the Policy Tips are still applied, since the templates are downloaded from the server to Outlook once a day (every 24 hours) while the server is reachable. From the server side we can control whether to push the policy to clients or not; the once-a-day schedule is the default and is hard-coded (can’t be altered).

And Disadvantages if any?

  • The Policy Tips only work with Outlook 2013, and not even in OWA 2013.
  • The policy templates are limited per region/country, and you need to create a custom one as per the business needs.
  • Need to check with third-party vendors for policy templates, in case any vendor meets your organization’s business requirements – you can make your own if you know how to.
  • With DLP implemented on Exchange Online, the reports cannot be exported to CSV.

Can I compare DLP with other vendors in the market? – Oh please don’t do so – IMO.

I tried initially to check with other vendors, just as research, as they have the same feature, so-called “Data Loss Protection”, but you know what, they will WIN-WIN. They not only have the feature alone but a whole suite like ENDPOINT / GATEWAY / NETWORK / STORAGE protection, which IMO sounds good but involves great investment and adds complexity (meaning additional stuff to manage) to your environment.

There are vendors who specialize in individual products, and by no means should you be surprised or attracted by features like the content detection engine/functionality, one of the areas where I was impressed. MS has just begun using DLP in Microsoft Exchange 2013 and has a long way to go. Also, FYI, the other vendors too have drawbacks when compared with Exchange DLP, which alone has direct integration of Outlook 2013 with Exchange 2013, managed under the hood using the common EAC console.

Why DLP and not a transport rule? – Here is a bit more of the technical side, which might be of interest to Exchange folks.

If I start writing it won’t end; TechNet is the right source to deep dive more precisely, as is consulting MCS or people who are Exchange experts. I will highlight some of the important points which make sense to know at this moment.

Although it is built on transport rules, which are also very similar to Outlook rules, DLP is more intelligent: it not only detects keywords but also reads attachments which might contain confidential data. It starts with the transport rule and then applies its intelligence by detecting content and attachments that match the policy templates in use, whether built-in, custom, or imported from a third-party vendor as per the business compliance requirements. It not only helps in protecting the data but also helps administrators understand the level of risk the organization is carrying.

By implementing DLP an administrator can not only alert end users with Policy Tips in Outlook 2013 and prevent accidental data leaks (sure, you can also configure an override setting), but also capture the number of incidents, and track who sent the emails and how many times, based on the policy template settings. You then have auditing, which is nothing but sending the incident report to a configured user/group to check exactly what matched the policy templates: for example, detecting credit card numbers mentioned in the message body/attachments, the matched policy name, and the values it found, like 5432 XXXX XXXX XXXX (where each X is some digit). Now here is the great deal: what if the user entered 1111 XXXX XXXX XXXX? DLP is so smart that it knows credit card numbers will never start with 1, and hence it will not prevent the user from sending the email. You can develop your own template to build such intelligence into search and detection.

You can simply implement DLP rules for some users in test mode, in which users are not aware of the tracking and auditing done at the transport level, and later enforce the same rules. You can also export the statistics to CSV to create reports and dashboards.
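To make the "credit card numbers never start with 1" point concrete, here is an added PowerShell example (my own illustration, not code from this post or from Microsoft’s built-in classification rules) of the two tests a detection engine applies to a candidate number before flagging it: the Luhn mod-10 checksum, which the built-in Credit Card Number classification also uses, and an issuer-prefix check. The prefix table is a deliberately simplified assumption, and the message body and card-like numbers are constructed test values, not real cards.

```powershell
# Added example: simplified version of the checks a DLP classification
# engine runs on a candidate credit card number. Not Microsoft's rule code.

function Test-LuhnChecksum {
    # Returns $true when the digit string passes the Luhn mod-10 check.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Test-IssuerPrefix {
    # Simplified (assumed) issuer table: the major card networks issue numbers
    # starting with 3, 4, 5 or 6; nothing starts with 0, 1, 7, 8 or 9.
    param([Parameter(Mandatory)][string]$Digits)
    return ($Digits -match '^[3-6]')
}

function Find-CreditCardNumber {
    # Scans free text for 13-19 digit runs (spaces/dashes allowed between digits)
    # and reports, per candidate, which tests it passed.
    param([Parameter(Mandatory)][string]$Text)
    $candidates = [regex]::Matches($Text, '\b(?:\d[ -]?){12,18}\d\b')
    foreach ($m in $candidates) {
        $digits = $m.Value -replace '[^0-9]', ''
        $luhn   = Test-LuhnChecksum $digits
        $prefix = Test-IssuerPrefix $digits
        [pscustomobject]@{
            Candidate = $m.Value
            Luhn      = $luhn
            Prefix    = $prefix
            Flagged   = ($luhn -and $prefix)   # only a number passing both is reported
        }
    }
}

# Constructed sample message body (test values, not real cards).
$body = @"
Hi, please charge the deposit to 4532 0151 1283 0366, expiry 03/27.
The ticket reference is 1111 1111 1111 1111, not a card number.
"@

Find-CreditCardNumber -Text $body | Format-Table -AutoSize
```

Run as-is, the first candidate passes both tests and is flagged; the second fails both the checksum and the prefix test, which is the behaviour the paragraph above describes for a number beginning with 1.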

May I know how it works now?

It works, as mentioned above, on the transport rule with an additional detection mechanism based on the policy templates, which are classified, and the rules they are configured with.

The templates are nothing but XML files, which can also be encrypted; there will be some if you got them from a vendor or made your own.
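The configuration the last few paragraphs describe (a policy built on transport rules, incident reports to a reviewer, test mode before enforcement, XML templates) looks like this in the Exchange Management Shell. This is an added example, not from the post; the policy and rule names, the reviewer address and the XML file path are placeholders, while the template name "U.S. Financial Data" and the classification "Credit Card Number" are built-in names in Exchange 2013.

```powershell
# Added example (not from the post): stage a DLP policy in audit mode, attach a
# transport rule that detects credit card numbers, send incident reports to a
# review mailbox, and only then switch to enforcement. Names, addresses and
# the XML path are placeholders.

# 1. Built-in templates that ship with Exchange 2013.
Get-DlpPolicyTemplate | Format-Table Name, PublisherName -AutoSize

# 2. Create a policy from a built-in template, starting in Audit mode so users
#    see no Policy Tips and nothing is blocked while you measure the hit rate.
New-DlpPolicy -Name "Contoso Financial Data" -Template "U.S. Financial Data" -Mode Audit

# 3. Add a rule under the policy: one or more credit card numbers in the body
#    or attachments, notify the sender but allow a silent override, and mail
#    an incident report (including the matched values) to the reviewers.
New-TransportRule -Name "Contoso CC detection" `
    -DlpPolicy "Contoso Financial Data" `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; minCount = "1" } `
    -NotifySender RejectUnlessSilentOverride `
    -GenerateIncidentReport "dlp-review@contoso.com" `
    -IncidentReportContent Sender,Recipients,Subject,Severity,RuleDetections,DataClassifications,IdMatch `
    -SetAuditSeverity High

# 4. Review what the rules under the policy are doing before enforcing.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Contoso Financial Data" } |
    Select-Object Name, Mode, NotifySender, GenerateIncidentReport | Format-Table -AutoSize

# 5. Move from Audit to AuditAndNotify (Policy Tips appear, nothing is blocked),
#    and finally to Enforce once the false-positive rate is acceptable.
Set-DlpPolicy -Identity "Contoso Financial Data" -Mode AuditAndNotify
# Set-DlpPolicy -Identity "Contoso Financial Data" -Mode Enforce

# 6. Custom detection: templates are classification rule packages (XML).
#    Import your own package (placeholder path) and confirm the new
#    classifications are available to rules.
$ruleXml = [System.IO.File]::ReadAllBytes("C:\DLP\ContosoClassificationRules.xml")
New-ClassificationRuleCollection -FileData $ruleXml
Get-DataClassification | Format-Table Name, Publisher -AutoSize
```

The order matters: a rule created with `-NotifySender` requires a data classification condition, and the policy’s mode (Audit, AuditAndNotify, Enforce) is what turns the same rule from silent tracking into Policy Tips and blocking.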

There is already a lot of information available on TechNet, EHLO, Exchange Online and from the experts on how to configure it step by step and how it works, with descriptions I cannot improve on, so I leave them for your reference.

I would recommend you all to go through and read the links, as they contain valuable information on DLP with Microsoft Exchange 2013.

Hope it was informative.


Single Sign On using MS Directory Synchronization Tool – Enabling Password Sync

It all started with designing a Hybrid project for one of my clients, where I was supposed to plan for single sign-on, and a feature that was added to the DirSync tool a long time back, called “Enable Password Synchronization”, came to my mind.

I was planning to use ADFS for single sign-on but soon realized I could use the DirSync feature and minimize the complexity and cost of implementing ADFS on-premises.

Below are some important points to look at and consider while you design for SSO, as they helped me to focus.

Prerequisites:

  • Make sure you have at least an Office 365 Midsize Business subscription plan to integrate on-premises AD with Azure AD in the cloud.
  • The DirSync tool version must be at least 6382.0000 to sync passwords from on-premises to Azure AD in the cloud.
  • Make sure you have enabled the DirSync feature first via the portal before enabling the password sync feature on-premises in the DirSync tool.
  • Network connectivity and credentials with appropriate permissions are required to sync passwords from on-premises to Azure AD in the cloud using the DirSync tool.

Important points to note:

  • Additional security is applied to the hash value of the password before it leaves on-premises and synchronizes to Azure AD in the cloud.
  • Password sync is one way, from on-premises to Azure AD in the cloud, and cannot be reversed, except for the write-back attribute with the help of the two-way synchronization feature.
  • Password synchronization frequency differs from the actual AD object replication (which can be scheduled) from on-premises to Azure AD in the cloud, by which it subsequently gets overwritten.
  • All users’ passwords are synchronized to Azure AD in the cloud using the DirSync tool; you cannot explicitly define which users’ passwords to synchronize.

How it works:

So what happens when you actually change a user’s password on-premises with the DirSync tool’s password sync enabled?

  1. You change the password of the user.
  2. The password sync feature detects the change and synchronizes the changed password within a minute.
  3. If the password sync was not successful due to connectivity (or any other) issues, the sync feature will automatically retry for the same user.
  4. If there is any error during synchronization, it will log an event ID so that we can troubleshoot further why it has failed.
  5. Once the password is successfully synced to Azure AD in the cloud, online users will be able to log in to their mailboxes without any issues, and the experience is seamless as both on-premises AD and Azure AD hold a single set of credentials.
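As an added example (not from the post), here is how you would verify the steps above from the shell: tenant and per-user sync timestamps through the MSOnline module, and the password sync request/result events on the DirSync server. The UPN is a placeholder; the event source name "Directory Synchronization" and event IDs 656 (password change request) and 657 (password change result) are the ones DirSync’s password sync writes to the Application log, stated here as an assumption to confirm on your own server.

```powershell
# Added example (not from the post): check DirSync and password sync status.
# The UPN is a placeholder; the event source and IDs are assumptions to verify.

# --- From any machine with the MSOnline module (Azure AD) ---
Import-Module MSOnline
Connect-MsolService    # prompts for the Office 365 admin credential

# Tenant-level: DirSync enabled (the portal step), last object sync, last password sync.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime | Format-List

# Per-user: when this account's object was last synchronized from on-premises AD.
Get-MsolUser -UserPrincipalName "diana@contoso.com" |
    Select-Object UserPrincipalName, LastDirSyncTime | Format-List

# --- On the DirSync server ---
# Password sync is one way and retried automatically; each attempt writes an
# Application log event (656 = change request, 657 = change result).
$events = Get-EventLog -LogName Application -Source "Directory Synchronization" -Newest 200 |
    Where-Object { $_.EventID -in 656, 657 }

# Summary: how many requests vs results were logged recently.
$events | Group-Object EventID | Select-Object Name, Count | Format-Table -AutoSize

# Surface any result event that was not a plain success, for troubleshooting.
$events | Where-Object { $_.EventID -eq 657 -and $_.EntryType -ne 'Information' } |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-Table -AutoSize -Wrap
```

Because password sync is one way, a password that works on-premises but not in the cloud is diagnosed on the DirSync server (the 657 results), not from the portal side.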

 

Hope it was informative.


Sometimes, In My Heart A Feeling Emerges….Microsoft Exchange

If you ever loved Music and Microsoft Exchange…

Kabhi Kabhi Mere Dil Mein Khayal Aata Hai (Sometimes a thought comes to my heart)

I feel like a plane on a runway about to lift off
I feel like an ocean so deep, deep as my love

You should know that it’s you that I’ve chosen
and I’m ready to give you my all
Yes I’m right open Come and get, come and get it.

You know that I could be.
The one that makes you complete
‘Cause I’ve fallen head over heels, and you’re the only one.

Kabhi Kabhi Mere Dil Mein Khayal Aata Hai (Sometimes a thought comes to my heart)
Ke Jaise Tujhko Banaya Gaya Hai Mere Liye (x2) (As if you were made just for me)
Inspired by – http://tinyurl.com/KabhiKabhi


Deep Diving with Mail Routing Scenarios – Microsoft Exchange Server 2013


Scenario 1 – Incoming mail on multi-role server

Internet email is received on port 25 by the Front End Transport service running on the CAS server, which proxies it to the Transport service on the Mailbox server on port 2525. The Transport service processes the message and routes it to the Mailbox Transport Delivery service on the Mailbox server where the mailbox database is active; the Mailbox Transport Delivery service listens on port 475 and delivers the email to the local active mailbox database.


Scenario 2 – Incoming mail on two multi-roles

Internet email is received by the hardware load balancer/NLB on port 25 and handed to whichever CAS server is available at the back end, which in this case (as per the slide) is server2’s Front End Transport service on port 25. Here we notice that the two recipients sit on different servers; since CAS is stateless, it simply proxies the request. Before it passes the email to the Transport service of a Mailbox server, the Front End Transport service checks the recipient type (mailbox or mail-enabled), and if mailbox, the version, the number of recipients, distribution groups and so on, and accordingly routes it to the best available Transport service on any Mailbox server. In this case it delivered to the Transport service on server1 (CAS/MBX); it could equally have delivered to its local server2, but that doesn’t matter at all: what the CAS server looks for is a Transport service on a Mailbox server, local or remote, whichever it finds best available.

The Transport service on server1 categorizes the message, sees that there are two recipients located on active databases on two different Mailbox servers, bifurcates it into two copies, and submits each copy to the Mailbox Transport service on the Mailbox server that is local to the active database copy for delivery.

The Mailbox Transport service then does the content conversion and delivers the copy to the local active mailbox database via RPC.
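An added example (not from the post) for checking the listeners that scenarios 1 and 2 rely on, on a multi-role server: which receive connectors belong to the Front End Transport role (port 25) and which to the Transport service (port 2525), whether any connector binds a non-default port, and whether the four transport services are running. The server name is a placeholder. Note that the Mailbox Transport Delivery listener on port 475 is not represented by a receive connector object, so it appears only through its service.

```powershell
# Added example (not from the post): receive connectors per transport role on a
# multi-role Exchange 2013 server, plus the state of its transport services.
# $server is a placeholder.
$server = "EX2013-01"

# Default ports per role on a 2013 multi-role server:
#   FrontendTransport: 25 (Default Frontend), 587 (Client Frontend), 717 (Outbound Proxy Frontend)
#   HubTransport:      2525 (Default, proxied to from port 25), 465 (Client Proxy)
# Mailbox Transport Delivery (port 475) has no receive connector object.
$expectedPorts = @{
    FrontendTransport = @(25, 587, 717)
    HubTransport      = @(2525, 465)
}

Get-ReceiveConnector -Server $server | ForEach-Object {
    $role       = [string]$_.TransportRole
    $ports      = @($_.Bindings | ForEach-Object { [int]$_.Port })
    $unexpected = @($ports | Where-Object { $_ -notin $expectedPorts[$role] })
    [pscustomobject]@{
        Connector  = $_.Name
        Role       = $role
        Ports      = ($ports -join ',')
        Remote     = (@($_.RemoteIPRanges | ForEach-Object { [string]$_ }) -join ',')
        NonDefault = ($unexpected.Count -gt 0)   # a port outside the defaults for that role
    }
} | Sort-Object Role | Format-Table -AutoSize

# The four services that make up the pipeline on a multi-role server:
# Front End Transport, Transport, Mailbox Transport Submission, Mailbox Transport Delivery.
$services = 'MSExchangeFrontEndTransport', 'MSExchangeTransport', 'MSExchangeSubmission', 'MSExchangeDelivery'
Get-Service -ComputerName $server -Name $services |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize
```

A connector flagged NonDefault is worth a look: an extra port on the HubTransport role means something reaches the Transport service without passing through Front End Transport, which is where the routing decisions described above are made.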


Scenario 3 – Originating mail on two multi-roles

Let us now consider the same scenario as the second, but instead of mail coming into the premises we will see email going out of the premises, originating from the Mailbox server role.

A message originating on server1 is sent to 3 recipients (one on the same server1, a second on server2, and a third on the Internet).

When the user sends an email, the mailbox submission service submits the message via RPC to the Transport service; once the Transport service on Mailbox server1 receives the message it chooses either the local or a remote Mailbox server Transport service. In this scenario the Transport service of server1 connects to the Transport service of server2; the Transport service on Mailbox server2 categorizes the message, sees there are three recipients (2 internal and 1 external), bifurcates the recipients and delivers the copies accordingly (one to server1’s Front End Transport service, one to server1’s Mailbox Transport service, and one to the local server’s Mailbox Transport service). The Mailbox Transport service then delivers the message to the local active mailbox database copy via RPC, and the copy for external delivery goes to the Front End Transport service on server1 (assuming the Send connector is configured with proxying through server1 for outgoing mail).


Scenario 4 – Incoming to DG on separated roles

Here we now have four sites, each with 1 CAS and 1 MBX server as separate roles.

Now an Internet user sends an email targeting four recipients, one sitting on the Mailbox server of each site.

With MX pointed to one of the sites, and a load balancer in front of the CAS servers, the message is delivered to one of the available CAS servers in that particular site. In this scenario let us choose the third CAS, at the right corner of the slide.

Front End Transport receives the message and checks that there are multiple mailbox-enabled recipients to deliver to, so it chooses the available Transport service in the local site as the best one for that CAS server and delivers the message to the Transport service on the Mailbox server in that local site. The Transport service then bifurcates the message, creates 4 copies, and delivers them to the Mailbox Transport component (one locally and 3 to the Mailbox Transport services of the remote-site Mailbox servers). Finally the Mailbox Transport service on each Mailbox server delivers to the local mailbox database copy via RPC.


Scenario 5 – Incoming mail to legacy mailbox

The fifth scenario is very similar to the fourth, but what changes here is that there is now a fifth site with an Exchange 2010 HUB / MBX server.

As above, the message coming from the Internet is delivered to the 2013 CAS in site 3, and the process is almost the same until it reaches the Transport component of the Mailbox server in site 3; let’s see what happens next.

Now, instead of creating 4 copies, the Transport service creates 5. The first four copies, whose mailboxes are on Exchange 2013 servers, are delivered as described in scenario 4, but the final delivery of the fifth copy differs from the other 4 (DAG delivery group): its delivery group is the Mailbox server delivery group (the Exchange 2010 HUB server).

Since the Mailbox Transport service doesn’t connect directly to the 2010 Mailbox server, the message is routed to the 2010 HUB server in the fifth site. The Transport service of the Exchange 2010 HUB server then performs the final delivery to the 2010 Mailbox server.


Scenario 6 – Client submission to a single namespace

In this scenario the user Diana has her mailbox located on Mailbox server1 in site A. She is a roaming user who travels often, and now she happens to be in another site, site B, for some work and wants to send an email to the Internet. Let’s see how it goes.

When Diana accesses her mailbox she connects to the local-site CAS server (site B) and tries to send an email. The CAS server checks where the mailbox is located, and since it finds the user on Mailbox server1 in site A, the Front End Transport service of the CAS in site B connects directly to the Transport service on Mailbox server1 in site A. Since the user has already been authenticated at the site B CAS server, the Transport service on Mailbox server1 simply sends the email out through the front end proxy of its local site A CAS server (as configured in the Send connector), that is, its Front End Transport service, and from there it goes out to the Internet from site A.


Scenario 7 – Client submission for a legacy mailbox

OK, now a scenario similar to the sixth, but instead of a 2013 mailbox it is now Exchange 2010.

When Diana accesses her mailbox she connects to the site B 2013 CAS server; the Front End Transport service authenticates and looks up the location of the mailbox and its version. Since the CAS FE doesn’t talk directly to an Exchange 2010 MBX server, it connects to the Transport service of the Exchange 2013 Mailbox server in its local site.

The Transport service on the Exchange 2013 Mailbox server in site B then categorizes the message and, based on the AD site cost, connects to the 2010 HUB server in site B, which then delivers the email to the mailbox via the site A HUB to the 2010 MBX.


Scenario 8 – Transport high availability

Exchange 2013 replaces shadow redundancy with a new feature called Safety Net.

In Exchange 2010, when a message was sent from one HUB server to relay out to the next (first) hop, the shadow queue was generated on the source (previous hop) server; in 2013 the shadow queue is created on the first hop right from the server where the mail is generated, for guaranteed redundancy.

In 2013 the DAG is now the transport high-availability boundary, as compared to the transport dumpster, which was a single point of failure: if the server holding the shadow queue on which the mail.que was generated failed during a lossy failover, and the HUB on which the transport dumpster was configured failed too, then you could not recover the email.

So now that the DAG is the HA boundary, any message coming into the DAG is queued not only in the local-site shadow queue but also in a remote site, meaning that in the event of a local site failure you can resubmit the email at the time of failover or when manually mounting the databases. Resubmission is also possible manually using a PowerShell command.

That HA queue is nothing but what is called Safety Net, which was introduced in Exchange Online in 2010 and revealed later with Exchange 2013 as a new feature.

Safety Net retains data for a set period of time (time-based, default is 2 days), regardless of whether the message has been successfully replicated to all database copies or delivered to its final destination.

FYI – the Safety Net period should be equal to or greater than your lagged database copy’s replay lag time to prevent data loss.

1 – Mailbox01 receives a message from a server outside the transport high availability boundary.

2 – Before acknowledging receipt, Mailbox01 initiates and succeeds in making the message redundant in Mailbox03’s shadow queues.

3a – Transport on Mailbox01 processes the message and attempts delivery via Mailbox Transport.

3b – Mailbox Transport on Mailbox01 in turn delivers the message to the Store.

3c – Transport on Mailbox01 queues a discard status for Mailbox03 (Shadow) and moves the message to Primary Safety Net.

4 – Mailbox03 (Shadow) periodically polls for the delivery status of the primary copy of the message.

5 – When Mailbox03 determines that Mailbox01 has successfully processed the primary copy of the message, it moves the message to its Shadow Safety Net.
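An added example (not from Ross Smith’s deck or from the post) of how an administrator checks the Safety Net points above: the organization’s shadow redundancy settings, the FYI rule that the Safety Net hold time must cover the longest replay lag, the manual resubmit the post mentions, and the HA events written to the message tracking log for one message. Server, database and Message-ID values are placeholders; the check assumes each `ReplayLagTimes` entry exposes the lag as its `Value`.

```powershell
# Added example (not from the post): Safety Net / shadow redundancy checks.
# Server, database and Message-ID values are placeholders.

# 1. Organization-wide shadow redundancy and Safety Net settings.
$tc = Get-TransportConfig
$tc | Select-Object ShadowRedundancyEnabled, ShadowMessagePreferenceSetting,
                    MaxRetriesForLocalSiteShadow, MaxRetriesForRemoteSiteShadow,
                    SafetyNetHoldTime | Format-List

# 2. Longest replay lag configured on any database copy in the org
#    (assumption: each ReplayLagTimes entry is a [server, lag] pair with .Value = lag).
$maxLag = [TimeSpan]::Zero
foreach ($db in Get-MailboxDatabase) {
    foreach ($entry in $db.ReplayLagTimes) {
        $lag = [TimeSpan]$entry.Value
        if ($lag -gt $maxLag) { $maxLag = $lag }
    }
}

# 3. Apply the FYI rule: Safety Net must hold messages at least as long as the lag.
$holdTime = [TimeSpan]$tc.SafetyNetHoldTime
if ($holdTime -lt $maxLag) {
    Write-Warning ("SafetyNetHoldTime {0} is shorter than the longest replay lag {1}." -f $holdTime, $maxLag)
    # Set-TransportConfig -SafetyNetHoldTime $maxLag
} else {
    Write-Output ("SafetyNetHoldTime {0} covers the longest replay lag {1}." -f $holdTime, $maxLag)
}

# 4. Manual resubmit from Primary Safety Net after a lossy failover of DB01
#    (the DAG normally requests this itself; this is the PowerShell path).
# $dbGuid = (Get-MailboxDatabase -Identity "DB01").Guid
# Add-ResubmitRequest -Server "Mailbox01" -Destination $dbGuid -StartTime "06/01/2013 09:00:00" -EndTime "06/01/2013 11:00:00"
# Get-ResubmitRequest -Server "Mailbox01"

# 5. Follow one message through the flow above in the tracking log:
#    HAREDIRECT on the primary when it creates the shadow copy, HARECEIVE on the
#    shadow server, DELIVER on the primary, HADISCARD on the shadow once it is
#    told the primary copy was processed.
Get-MessageTrackingLog -Server "Mailbox01" -MessageId "<placeholder-message-id@contoso.com>" -Start (Get-Date).AddHours(-4) |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, ServerHostname, ClientHostname |
    Format-Table -AutoSize
```

Step 5 is usually run against both the primary and the shadow server so the HARECEIVE and HADISCARD events line up with the primary’s DELIVER; a shadow copy that never sees HADISCARD is a message whose delivery status the shadow could not confirm.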


Inspired by Ross Smith IV’s presentation on Transport Architecture, which I thought would be of interest to blog about. You can check his presentation in the TechEd session.

 


Understanding Client Access Protocol Connectivity Flow – Microsoft Exchange Server 2013

Autodiscover (External Clients) – Exchange 2010 coexistence with Exchange 2013

An Exchange 2010 client queries Internet DNS for autodiscover.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which proxies the request to the 2010 CAS server. CAS 2010 then handles the request, generates the autodiscover.xml response, and responds back to the client.

An Exchange 2010 client (non-Internet-facing site) queries Internet DNS for autodiscover.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which proxies the request to the 2010 CAS server in the non-Internet-facing site. CAS 2010 (non-Internet-facing site) then handles the request, generates the autodiscover.xml response, and responds back to the client.

Autodiscover - 2010-2013

Autodiscover (External Clients) – Exchange 2007 coexistence with Exchange 2013

An Exchange 2007 client queries Internet DNS for autodiscover.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which redirects the request to the 2013 Mailbox server (Internet-facing site). Mailbox server 2013 then handles the request, generates the 2007 autodiscover.xml, and responds back to the client.

An Exchange 2007 client (non-Internet-facing site) queries Internet DNS for autodiscover.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which proxies the request to the 2013 Mailbox server. Mailbox server 2013 then handles the request, generates the 2007 autodiscover.xml, and responds back to the client.

Autodiscover - 2007-2013

Autodiscover (Internal Clients) – Exchange 2010 coexistence with Exchange 2013

An Exchange 2010 client (Internet-facing site) queries internal DNS for the service connection point object, that is autodiscover.contoso.com, and connects to the Exchange 2013 CAS server, which proxies the request to the 2010 CAS server.

In this case, irrespective of whether the mailbox is hosted on an Exchange 2010 Mailbox server in site A or site B, CAS 2013 proxies the request to CAS 2010. CAS 2010 then handles the request, generates the autodiscover.xml response, and responds back to the client.

Autodiscover Internal 2010-2013

Autodiscover (Internal Clients) – Exchange 2007 coexistence with Exchange 2013

An Exchange 2007 client (Internet-facing site) queries internal DNS for the service connection point object, that is autodiscover.contoso.com, and connects to the Exchange 2013 CAS server, which proxies the request to the 2013 Mailbox server.

In this case, irrespective of whether the mailbox is hosted on an Exchange 2007 Mailbox server in site A or site B, CAS 2013 proxies the request to Mailbox server 2013. Mailbox 2013 then handles the request, generates the Exchange 2007 autodiscover.xml response, and responds back to the client.

Autodiscover Internal 2007-2013

Outlook Anywhere – Exchange 2007 & 2010 coexistence with Exchange 2013

Exchange 2007/2010/2013 – mail.contoso.com (Internet-facing site)

An Exchange 2007/2010 client queries Internet DNS for mail.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which redirects the request to either the 2007 or the 2010 CAS server (Internet-facing site), based on the mailbox version.

A client queries Internet DNS for mail.contoso.com and connects to the Internet-facing site’s Exchange 2013 CAS server, which redirects the request to either the 2007 or the 2010 CAS server (non-Internet-facing site).

What is important here is to enable OA on all Exchange 2007/2010 CAS servers with NTLM authentication enabled, so that the OA request can be proxied to its endpoint in the other site as well. Also, the FQDN must be the same for Exchange 2013/2010/2007 OA, as it is returned to the client in the URL.
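An added example (not from the post) that checks the two Outlook Anywhere requirements just stated across a 2007/2010/2013 coexistence: every OA endpoint must publish the same FQDN, and the legacy CAS servers must offer NTLM; it also lists the Autodiscover SCP URI each CAS publishes to internal clients. The expected FQDN and the UPN are placeholders, and the commented Enable-OutlookAnywhere line is the form you would run from the legacy server’s own 2010 shell.

```powershell
# Added example (not from the post): verify Outlook Anywhere and Autodiscover
# settings across 2007/2010/2013 coexistence. $expectedFqdn is a placeholder.
$expectedFqdn = "mail.contoso.com"

# Outlook Anywhere per server: the same external FQDN everywhere, and NTLM
# offered by IIS so a 2013 CAS can proxy the request to the legacy endpoint.
Get-OutlookAnywhere | ForEach-Object {
    $srv  = Get-ExchangeServer -Identity ([string]$_.Server)
    $auth = @($_.IISAuthenticationMethods | ForEach-Object { [string]$_ })
    [pscustomobject]@{
        Server       = [string]$_.Server
        Version      = [string]$srv.AdminDisplayVersion
        ExternalHost = [string]$_.ExternalHostname
        IISAuth      = ($auth -join ',')
        FqdnMatches  = ([string]$_.ExternalHostname -eq $expectedFqdn)
        NtlmEnabled  = ($auth -contains 'Ntlm')
    }
} | Format-Table -AutoSize

# Autodiscover for internal clients: the SCP URI each CAS registers in AD,
# and which sites that SCP is scoped to.
Get-ClientAccessServer |
    Select-Object Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope |
    Format-Table -AutoSize

# Enable OA on a legacy CAS with NTLM (run from that server's own 2010 shell;
# server name is a placeholder):
# Enable-OutlookAnywhere -Server "CAS2010-01" -ExternalHostname $expectedFqdn `
#     -ClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,Ntlm -SSLOffloading $false

# End-to-end check of what Autodiscover hands back for one mailbox (placeholder UPN).
# Test-OutlookWebServices -Identity "diana@contoso.com" -MailboxCredential (Get-Credential)
```

Any row with FqdnMatches false is a server that will hand the client a different URL after the redirect, and any legacy row with NtlmEnabled false is one the 2013 CAS cannot proxy to.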

OA 2007-2010-2013

Outlook Web App – Exchange 2007 coexistence with Exchange 2013 – CAS Redirection / Different Namespace

  • Exchange 2013 – mail.contoso.com (Internet-facing site A)
  • Exchange 2007 – legacy.mail.contoso.com (Internet-facing site A)
  • Exchange 2007 – Europe.mail.contoso.com (Internet-facing site B)

An Exchange 2007 client (site A, legacy.mail.contoso.com user) using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page; after the credentials are entered, based on the mailbox version it redirects the request to the Exchange 2007 CAS server (Internet-facing site), which prompts with another OWA logon page, so the user authenticates twice – this was the case until Exchange 2013 CU1, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) now takes place, and the OWA login page is displayed to the end user only once.

An Exchange 2007 client (site B, legacy.mail.contoso.com user) using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page; after the credentials are entered, based on the mailbox version it redirects the request to the Exchange 2007 CAS server (Internet-facing site A), which prompts with another OWA logon page, so the user authenticates twice – this was the case until Exchange 2013 RTM, when silent redirection was not yet implemented. Further, since the client is in site B, the Internet-facing site A Exchange 2007 CAS server proxies the cross-site request to the site B Exchange 2007 CAS server.

With Exchange 2013 CU2, silent redirection (single sign-on) now takes place, and the OWA login page is displayed to the end user only once.

An Exchange 2007 client (site B, Europe.mail.contoso.com user) using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page; after the credentials are entered, based on the mailbox version it redirects the request to the Exchange 2007 CAS server (Europe.mail.contoso.com, Internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice – this was the case until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) now takes place, and the OWA login page is displayed to the end user only once.

OWA 2007-2013

Outlook Web App – Exchange 2010 coexistence with Exchange 2013

A client queries the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server’s OWA logon page; after the credentials are entered, based on the mailbox version it proxies the request to the Exchange 2010 CAS server (Internet-facing site).

A client (non-Internet-facing site B) queries the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server’s (Internet-facing site) OWA logon page; after the credentials are entered, based on the mailbox version it proxies the request cross-site to the Exchange 2010 CAS server (non-Internet-facing site).

Outlook Web App – Exchange 2010 coexistence with Exchange 2013 – CAS Redirection / Different Namespace

  • Exchange 2010 – Europe.mail.contoso.com (Internet-facing site B)
  • Exchange 2013 – mail.contoso.com (Internet-facing site A)

An Exchange 2010 client using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page; after the credentials are entered, based on the mailbox version it redirects the request to the Exchange 2010 CAS server (Internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice – this was the case until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) now takes place, and the OWA login page is displayed to the end user only once.

OWA 2010-2013

Outlook Web App – Exchange 2013 Only – CAS Redirection / Different Namespace

  • Exchange 2013 – mail.contoso.com (Internet-facing site A)
  • Exchange 2013 – Europe.mail.contoso.com (Internet-facing site B)

A client (site B, Europe.mail.contoso.com user) using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page (site A); after the credentials are entered, based on the mailbox version it redirects the request to the Exchange 2013 CAS server (Internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice – this was the case until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) now takes place, and the OWA login page is displayed to the end user only once.

OWA Different URL 2013

Outlook Web App – Exchange 2013 Only – CAS Proxies / Same Namespace

  • Exchange 2013 – mail.contoso.com (Internet-facing site A)
  • Exchange 2013 – mail.contoso.com (Internet-facing site B)

A client (site B, Europe.mail.contoso.com user) using the FQDN mail.contoso.com connects to the Exchange 2013 CAS server’s OWA logon page (site A); after the credentials are entered, based on the mailbox version it redirects the request directly to the Exchange 2013 Mailbox server (in site B), which overcomes the loop scenario seen with Exchange 2007 or 2010, because of the same external URL namespace.

OWA Same URL 2013

ActiveSync – Exchange 2007 coexistence with Exchange 2013

  • Exchange 2013 – mail.contoso.com (Internet-facing site A)
  • Exchange 2007 – europe.mail.contoso.com (Internet-facing site B)

A client (Internet-facing site A) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server, which proxies the request to the 2013 Mailbox server. The Mailbox 2013 server then proxies the request to the Exchange 2007 CAS server – MBX server.

A client (non-Internet-facing site B, mail.contoso.com user) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (Internet-facing site B), which proxies the request to the 2013 Mailbox server. The Mailbox 2013 server then proxies the request to the Exchange 2007 CAS server – MBX server.

A client (Internet-facing site B user, Europe.mail.contoso.com) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (Internet-facing site A), which proxies the request to the 2013 Mailbox server. The Mailbox 2013 server then proxies the request cross-site to the Exchange 2007 CAS server – MBX server in site B.

If your Exchange 2007 users are moved from site B (Europe.mail.contoso.com) to the mail.contoso.com Exchange 2013 server, the device profile might have to be reconfigured, as the HTTP 451 redirect comes into play in this scenario.

EAS 2007-2013

ActiveSync – Exchange 2010 coexistence with Exchange 2013

  • Exchange 2013 – mail.contoso.com (Internet-facing site A)
  • Exchange 2010 – europe.mail.contoso.com (Internet-facing site B)

A client (Internet-facing site A) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server, which proxies the request to the 2010 CAS server.

A client (non-Internet-facing site B) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (Internet-facing site B), which proxies the request cross-site to the 2010 CAS server in site B.

A client (Internet-facing site B user, Europe.mail.contoso.com) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (Internet-facing site B), which proxies the request cross-site to the 2010 CAS server in site B. (Remember the HTTP 451 redirect: it no longer applies here; instead the request is proxied across the multiple namespaces.)

EAS 2010-2013

Web Services – Exchange 2007 coexistence with Exchange 2013

  • Exchange 2007 – legacy.mail.contoso.com (Internet facing site A)
  • Exchange 2007 – Europe.mail.contoso.com (Internet facing site B)
  • Exchange 2013 – mail.contoso.com (Internet facing site A)

Autodiscover is now responsible for giving the client the web services URL. When an Exchange 2007 client (site A) connects to autodiscover.contoso.com, it queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server (site A, legacy.mail.contoso.com users).

An Exchange 2007 client (site B, legacy.mail.contoso.com users) connects to autodiscover.contoso.com, queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server in site A (legacy.mail.contoso.com users); the site A CAS server then proxies the request to the site B Exchange 2007 CAS server.

An Exchange 2007 client (site B, legacy.mail.contoso.com users) connects to autodiscover.contoso.com, queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server in site B (europe.mail.contoso.com users).

Here Autodiscover is responsible for the web services: it gives the client the right URL and points it in the right direction.

Web 2007-2013

Web Services – Exchange 2010 coexistence with Exchange 2013

  • Exchange 2010 – Europe.mail.contoso.com (Internet facing site B)
  • Exchange 2013 – mail.contoso.com (Internet facing site A)

An Exchange 2010 client (site A, mail.contoso.com users) uses the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server; based on the mailbox version, it then redirects the request to the Exchange 2010 CAS server (internet-facing site).

An Exchange 2010 client (site B, europe.mail.contoso.com users) uses the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server; based on the mailbox version, it then sends the request cross-site to the Exchange 2010 CAS server (internet-facing site B).

Here again Autodiscover is responsible for the web services: it gives the client the right URL and points it in the right direction.

Web 2010-2013
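The proxy and redirect paths above only work when every CAS virtual directory advertises the namespace planned for its server version. As an added check (example code written for this post, not Greg Taylor's or the product's own), the script below audits, from the Exchange 2013 Management Shell, that each CAS server's ActiveSync and EWS ExternalUrl falls under the namespace assumed for its version in the scenarios above; the version-to-namespace map and the use of -ADPropertiesOnly for the legacy servers are assumptions.

```powershell
# Namespaces and server versions assumed from the coexistence scenarios above;
# adjust to your own layout. Run from the Exchange 2013 Management Shell.
$Expected = @{
    15 = @('https://mail.contoso.com')                                           # Exchange 2013, site A
    14 = @('https://europe.mail.contoso.com')                                    # Exchange 2010, site B
     8 = @('https://legacy.mail.contoso.com', 'https://europe.mail.contoso.com')  # Exchange 2007, sites A/B
}

function Test-CasNamespace {
    param([Parameter(Mandatory)] $Server)   # one object from Get-ExchangeServer

    $major = $Server.AdminDisplayVersion.Major
    $want  = $Expected[$major]

    # -ADPropertiesOnly reads the URLs from Active Directory rather than IIS,
    # which also works for the legacy 2007/2010 servers from the 2013 shell.
    $vdirs = @(Get-ActiveSyncVirtualDirectory  -Server $Server.Name -ADPropertiesOnly) +
             @(Get-WebServicesVirtualDirectory -Server $Server.Name -ADPropertiesOnly)

    foreach ($vd in $vdirs) {
        $url = if ($vd.ExternalUrl) { $vd.ExternalUrl.AbsoluteUri } else { '' }
        # The external URL must sit under one of the namespaces planned for this
        # version; anything else is a host name clients and certificates were never planned for.
        $ok = [bool]($want | Where-Object { $url -like "$_/*" })
        [pscustomobject]@{
            Server   = $Server.Name
            Site     = $Server.Site.Name
            Version  = $major
            VDir     = $vd.Name
            Expected = ($want -join ' | ')
            Actual   = $url
            Status   = if (-not $want) { 'UNKNOWN-VERSION' }
                       elseif (-not $url) { 'MISSING' }
                       elseif ($ok) { 'OK' } else { 'MISMATCH' }
        }
    }
}

Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } |
    ForEach-Object { Test-CasNamespace $_ } |
    Sort-Object Status, Server | Format-Table -AutoSize
```

Any MISSING or MISMATCH row is a server that Autodiscover or the 2013 CAS will hand clients a URL for that does not match the planned namespace (and usually not the certificate either).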

Inspired by Greg Taylor’s presentation on CAS 2013, I thought it would be of interest to blog the same. You can check his presentation @TechEd Session.


Microsoft Certified Master / Solution / Architect Exchange – Insider’s Views

Sad news came out this past week about the retirement of the MCM/MCSM/MCA certifications, and it has disappointed, discouraged and demotivated many Exchange experts who currently hold these certifications, are about to take the exams, or aim or are preparing to become one of them.

Even so, I wouldn’t want to give up the passion or have anything bad to say about it, because I already know (preparing for it and going through the pre-reading list) what it means.

I would rather encourage the thought of bringing those highly motivating words right from the Masters, who have already sown and thrilled the hearts of Exchange folks with their invaluable comments and their passion.

Not knowing what’s next, I still hope, learn and prepare myself for knowing and understanding Exchange via whatever resources are available (TechNet/Help.chm), peer groups (friends/colleagues), experts’ articles and Masters’ blogs.

Hear from the Masters what it takes – John Rodriguez, Andrew Ehrensing, David Zazzo and Greg Taylor

The people who come for this program are the people who are really looking either to take it to the next level or to fill in all the gaps; they already know Exchange, and they are looking to increase their knowledge of Exchange. You don’t come here to learn, you come here to kind of improve and go beyond.

Also, you are in the room with a lot of peers who are at the top level in their field, so instead of just being the one expert in the room, one or two or three… you realize that you are just one of 15, one of the 20 people in the room, all operating at your level and your caliber.

You can’t get this content anywhere else, you won’t get this content anywhere else, and so just by going through that, hopefully it makes you a better expert on Exchange.

Let’s get the show on the road: three weeks of Exchange loving :)

People who go through the program come out the other side with a far greater awareness and understanding of the product.

So, for example, if you already knew some client access you will learn twice as much here; if you already understood disaster recovery you would learn even more here. The idea is to take the basic-level content you will find in the Microsoft Certified IT Professional track and go far beyond that.

Don’t underestimate the program; don’t go and think that you can cruise through things thinking “I know Exchange Server, I passed all the MCP exams, I’m good to go”, because you will be very quickly realigned and recalibrated by that.

It is a very intense experience: the days are long, the content comes at you hard and fast. It’s not blink-and-you-miss-it, but it’s a lot of content coming very quickly.

The first few days are about settling in and experiencing it, then you get into a routine, and before you know it you are waking up at 6:00am every day and going to bed at 11:00PM every day, and you find yourself only in the middle of Exchange.

You know the value is going to be the long-term results of your projects, so it’s going to be what the technical quality of your deliverables is; you know it should be higher.

Somebody who has been through this program presents a much more complete and professional picture to a client, to a customer; they understand why we make the decisions, or why Microsoft makes the recommendations, that we do.

Then it is about proving it to your customer and having a stamp of approval, right? You’ve been signed off by Microsoft, you passed the technical qualities, you passed the bar. So the customers can feel good and get the assurance that they are working with top-tier experts trained and signed off by Microsoft, and the product group really is a big part of this: that solution should work to meet the needs of the customer.

Be prepared to dedicate yourself to Exchange for three weeks; it’s that simple. You cannot juggle this with work, you cannot juggle this with family visits or going out; you are here for Exchange, you are going to learn Exchange, and you are going to be immersed in Exchange and kind of subsumed in it.

Having the peer group both as a support system and as a sounding board is also a benefit in the class itself.

As part of participating in the MCM rotation, really it is the access to the product group, access to the community that you wouldn’t maybe even know existed in the first place; and now you know that it exists, and you know that everyone is of the same technical excellence, it’s an invaluable resource. I have this weird desired edge case: hey, what do you guys think? Send, right, and you get the mind hive; you can get all the other MCMs and all the other Rangers from Exchange 2003 to 2010 and then the next version. You know, thinking about it, you get a lot of expert ideas and expert opinions about how maybe to solve this edge case that you haven’t come across before.

But if you dedicate yourself to it, and you really do accept that this is your focus for those three weeks, at the end the reward is that you will be unrecognizable; you won’t recognize yourself as an Exchange professional, you will grow that much. I’m not talking about maturation or something like that; I mean the content you will learn will be just staggering.


Ladder Up With Me Five Steps Towards Cloud Microsoft Office 365 – Exchange Wave 15

Let me walk you through five simple steps towards the cloud, Microsoft O365, in this article, and you will be able to experience the whole New Exchange wave 15 with minimal expense; in my case approximately Rs. 102 only.

  1. Register your company DNS domain – e.g. in my case I registered a domain called msexchangeasia.com at godaddy.com, which is cheap; I got it for approximately Rs. 102.
  2. Subscribe for a free trial – Subscribing for a trial account will give you the chance to experience the all-New Exchange and take advantage of its features.
  3. Configure your domain – Once you have the trial account, add and verify your company domain in the Office 365 portal.
  4. DNS record update – Using the DNS records automatically generated by the O365 portal, update the MX/CNAME/TXT/SRV records at the public DNS registrar.
  5. Create mailbox → Send / receive emails – Once you are done with the above four steps, all you need to do is collaborate with colleagues and friends and enjoy the free subscription for a month.

Let us now understand each step towards the cloud, Microsoft Office 365, as described below.

  1. Register your company DNS domain – e.g. in my case I registered a domain called msexchangeasia.com at godaddy.com, which is cheap; I got it for approximately Rs. 102.


Go to the DNS domain registration website, enter the desired domain and search for availability. There are many DNS domain registration websites, but I preferred to go with godaddy.com.

2. Subscribe for a free trial – Subscribing for a trial account will give you the chance to experience the all-New Exchange and take advantage of its features.


Go to the URL http://office.microsoft.com/en-001/business/compare-office-365-for-business-plans-FX102918419.aspx and select a free trial plan.


Sign up: once you are done filling in your details, select Create my account and log in to the portal shown below.


Once logged in, explore the management options.

3. Configure your domain – Once you have the trial account, add and verify your company domain in the Office 365 portal.


Using the Domains section, add the company domain you just registered at godaddy.com; in my case msexchangeasia.com.


Specify the DNS hosting provider details. The common hosting providers are listed in the portal by default so that the O365 portal can query them directly, or you can simply keep the default options and click Done, verify now.


Once you select the hosting provider (I selected GoDaddy), it will instruct you further to create a TXT record so that Microsoft can query it to verify the domain, as shown below in the GoDaddy DNS zone portal.


Upon successful creation of the TXT record, it will verify and add the domain.


Now the domain status will show as verified; click on Manage DNS.

4. DNS record update – Using the DNS records automatically generated by the O365 portal, update the MX/CNAME/TXT/SRV records at the public DNS registrar.


The Office 365 portal will populate the records that need to be created and updated in the godaddy.com DNS zone file, and they will look as shown below.
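Typing the portal's records into the registrar's zone by hand is where mistakes creep in, and a wrong MX or a soft SPF quietly weakens mail security rather than breaking mail flow. As an added example (written for this post, not part of the Office 365 portal), the function below checks MX, SPF and Autodiscover records against the shape Office 365 expects; the Exchange Online host names are assumptions based on the portal's usual guidance and the sample records are constructed for the post's domain.

```powershell
# The Exchange Online target host names below are assumptions based on the
# portal's usual guidance; take the exact values from your tenant's DNS page.
function Test-O365Dns {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        # Objects shaped like Resolve-DnsName output (Type, Name, NameExchange, Strings, NameHost)
        [Parameter(Mandatory)] [object[]] $Records
    )
    $findings = @()
    # MX: every MX must point at Exchange Online Protection; any other host is a
    # path around EOP's anti-spam/anti-malware filtering.
    $mx = @($Records | Where-Object Type -eq 'MX')
    if ($mx.Count -eq 0) { $findings += 'MX: no record found' }
    foreach ($r in $mx) {
        if ($r.NameExchange -notlike '*.mail.protection.outlook.com') {
            $findings += "MX: unexpected host $($r.NameExchange)"
        }
    }
    # SPF: exactly one v=spf1 TXT (two or more is a permanent error for receivers),
    # including EOP, and ending in -all so spoofed senders hard-fail.
    $spf = @($Records | Where-Object Type -eq 'TXT' |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -ne 1) { $findings += "SPF: found $($spf.Count) v=spf1 records, expected 1" }
    foreach ($s in $spf) {
        if ($s -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings += "SPF: missing include:spf.protection.outlook.com in '$s'"
        }
        if ($s -notmatch '\s-all$') {
            $findings += "SPF: '$s' does not end with -all (~all/+all lets spoofed mail through)"
        }
    }
    # Autodiscover: the CNAME Outlook and ActiveSync clients use to find the cloud mailbox
    $ad = $Records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq "autodiscover.$Domain" }
    if (-not $ad -or $ad.NameHost -ne 'autodiscover.outlook.com') {
        $findings += "Autodiscover: CNAME autodiscover.$Domain -> autodiscover.outlook.com missing or wrong"
    }
    if ($findings.Count -eq 0) { 'OK: records match the expected Office 365 layout' } else { $findings }
}

# Constructed sample input for the post's domain, with a deliberately soft SPF (~all)
$sample = @(
    [pscustomobject]@{ Type='MX';    Name='msexchangeasia.com'; NameExchange='msexchangeasia-com.mail.protection.outlook.com' }
    [pscustomobject]@{ Type='TXT';   Name='msexchangeasia.com'; Strings=@('v=spf1 include:spf.protection.outlook.com ~all') }
    [pscustomobject]@{ Type='TXT';   Name='msexchangeasia.com'; Strings=@('MS=msXXXXXXXX') }  # verification TXT, placeholder value
    [pscustomobject]@{ Type='CNAME'; Name='autodiscover.msexchangeasia.com'; NameHost='autodiscover.outlook.com' }
)
Test-O365Dns -Domain 'msexchangeasia.com' -Records $sample   # reports the ~all finding
```

To check the live zone after the registrar update, gather the records with Resolve-DnsName -Name msexchangeasia.com -Type MX (and -Type TXT, and autodiscover.msexchangeasia.com -Type CNAME) and pass them in the same way.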


5. Create mailbox → Send / receive emails – Once you are done with the above four steps, all you need to do is collaborate with colleagues and friends and enjoy the free subscription for a month.


Go to user management and create mailboxes; with the trial subscription you can have up to 10 mailbox licenses with Lync enabled.

Test mail flow – in my case I am sending a test email from Hotmail to the O365 mailbox, and the reply is received.


Enjoy :)
