Microsoft Exchange Server 2013 Inside Out: Connectivity, Clients, and UM

Paul Robichaux, MVP for Exchange Server

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2013 by Paul Robichaux

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2013948709
ISBN: 978-0-7356-7837-8

Printed and bound in the United States of America.

First Printing

Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Anne Hamilton
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Tony Redmond; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Copyeditor: Kerin Forsyth
Indexer: Lucie Haskins
Cover: Twist Creative • Seattle

Contents at a Glance

Chapter 1 Client access servers ...... 1
Chapter 2 The Exchange transport system ...... 43
Chapter 3 Client management ...... 155
Chapter 4 Mobile device management ...... 227
Chapter 5 Message hygiene and security ...... 271
Chapter 6 Unified messaging ...... 309
Chapter 7 Integrating Exchange 2013 with Lync Server ...... 391
Chapter 8 Office 365: A whirlwind tour ...... 433


Table of Contents

Introduction ...... xv
  Acknowledgments ...... xvi
  Errata & book support ...... xvi
  We want to hear from you ...... xvii
  Stay in touch ...... xvii
Chapter 1 Client access servers ...... 1
  CAS architecture demystified ...... 2
  CAS authentication methods ...... 7
  External vs. internal ...... 10
  External and internal URLs ...... 11
  External and internal authentication ...... 12
  Managing virtual directory settings ...... 12
  The death of affinity ...... 14
  Load balancing made simpler ...... 15
  Layer 4 load balancing ...... 15
  Layer 7 load balancing ...... 15
  DNS round robin ...... 17
  Windows Network Load Balancing ...... 17
  Choosing a load balancing solution ...... 18
  The role of Outlook Anywhere ...... 19
  Designing namespaces ...... 21
  Using a single namespace ...... 21
  One name per service? ...... 21
  Using a single internal name for Outlook Anywhere ...... 22
  External names for Outlook Anywhere ...... 22
  The Front End Transport service ...... 23

What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey


  Autodiscover ...... 24
  The Autodiscover process ...... 26
  Accessing Autodiscover through SCPs ...... 27
  Accessing Autodiscover through well-known URLs ...... 28
  The role of Exchange providers ...... 28
  Retrieving configuration information with Autodiscover ...... 30
  Understanding CAS proxying and redirection ...... 31
  Proxying ...... 32
  Redirection ...... 33
  CAS coexistence and migration ...... 34
  Routing inbound traffic to the 2013 CAS role ...... 34
  Removing ambiguous URLs ...... 35
  Certificate management ...... 36
  How Exchange uses certificates ...... 36
  Where to get certificates ...... 37
  Certificate contents ...... 38
  What certificates do you need? ...... 38
  Requesting and applying certificates ...... 39
  Moving ...... 41
Chapter 2 The Exchange transport system ...... 43
  A quick introduction to Exchange transport ...... 43
  The transport pipeline: An overview ...... 44
  Message routing: An overview ...... 46
  Exchange 2013 transport architecture in depth ...... 47
  The Front End Transport service ...... 52
  The Transport service ...... 52
  The Mailbox Transport Delivery service ...... 53
  The Mailbox Transport Submission service ...... 53
  The role of connectors ...... 53
  Securing mail with Transport Layer Security (TLS) ...... 68
  Queues in Exchange 2013 ...... 73
  Queue types ...... 73
  Queue databases ...... 74
  Queue velocity ...... 76
  Viewing queues ...... 77
  Enabling prioritized message delivery ...... 81
  Managing queues ...... 82
  Message throttling ...... 89
  Back pressure ...... 93
  Message routing in depth ...... 94
  Delivery groups ...... 95
  Exchange 2013 and ...... 96
  Overriding Active Directory site link costs ...... 100
  Selecting a send connector ...... 102
  Exchange 2013 and DNS MX lookups ...... 104
  Delayed fan-out ...... 105

  High availability and Exchange transport ...... 106
  Shadow redundancy ...... 109
  Safety Net ...... 114
  Transport rules ...... 115
  Transport rule structure ...... 118
  How transport rules are applied ...... 119
  Setting transport rule priority ...... 120
  Active Directory Rights Management Services and transport rules ...... 122
  Data loss prevention ...... 123
  DLP policies ...... 124
  Data loss prevention rules ...... 125
  Policy Tips ...... 128
  Journaling ...... 129
  Journal reports ...... 131
  Alternate journal recipients ...... 133
  Journaling at the mailbox database level ...... 135
  Journaling using journal rules ...... 135
  Journaling of unified messaging messages ...... 136
  Securing a mailbox used as a journal recipient ...... 136
  Changing organization-level transport settings ...... 137
  Setting server-level behavior ...... 143
  Logging ...... 143
  Controlling logging ...... 144
  Interpreting protocol log files ...... 146
  Customizing transport system messages ...... 149
  Exchange DSNs ...... 149
  Customizing NDRs ...... 152
Chapter 3 Client management ...... 155
  Choosing a client ...... 156
  Outlook ...... 156
  Outlook Web App ...... 161
  Mac OS X ...... 166
  Outlook Web App for Devices ...... 167
  Managing Outlook for Windows ...... 169
  Managing Outlook Anywhere ...... 169
  Managing Autodiscover ...... 170
  Using the Exchange Remote Connectivity Analyzer ...... 171
  Outlook settings and group policies ...... 175
  Pre-staging OST files for Outlook 2013 deployment ...... 177
  Controlling PST files ...... 178
  Blocking client connections to a mailbox ...... 180
  Blocking client access to a Mailbox server ...... 185
  Using the Office Configuration Analyzer Tool ...... 186
  Managing Outlook Web App ...... 189
  Outlook Web App mailbox policies ...... 189
  Controlling offline Outlook Web App use ...... 196

  Controlling attachment access and rendering ...... 198
  Managing Outlook Web App virtual directory settings ...... 200
  Managing Outlook Web App timeouts ...... 201
  Managing Office Store apps for Outlook Web App ...... 202
  Customizing Outlook Web App ...... 209
  Managing Outlook for Mac ...... 212
  Managing Outlook Web App for Devices ...... 213
  POP3 and IMAP4 ...... 213
  Configuring the IMAP4 server ...... 215
  Configuring IMAP4 client access ...... 219
  Client throttling ...... 221
Chapter 4 Mobile device management ...... 227
  All about Exchange ActiveSync ...... 228
  A quick tour of EAS history ...... 228
  What it means to “support EAS” ...... 230
  How Exchange ActiveSync works ...... 232
  WBXML ...... 233
  Autodiscover ...... 233
  EAS policies ...... 234
  Device provisioning ...... 235
  Device synchronization ...... 238
  Remote device wipes ...... 240
  Device access rules ...... 242
  Managing Exchange ActiveSync ...... 248
  Organization-level settings ...... 249
  CAS-level settings ...... 251
  Mobile device mailbox policies ...... 251
  Certificate management ...... 253
  Handling users who leave the company ...... 255
  Reporting on EAS sync and device activity ...... 257
  Building device access rules ...... 261
  Blocking devices on a per-user basis ...... 265
  Wiping lost devices ...... 266
  Debugging ActiveSync ...... 267
  Other mobile device management alternatives ...... 270
Chapter 5 Message hygiene and security ...... 271
  A quick message-hygiene primer ...... 274
  Spam ...... 274
  Phish ...... 274
  Malware ...... 275
  Are you positive? ...... 276
  Message security and protection in Exchange ...... 277
  Built-in security features ...... 278
  Client-side features ...... 278

  Exchange Online Protection ...... 283
  Major changes from previous versions ...... 285
  Managing anti-malware scanning ...... 285
  Managing server-level settings ...... 286
  Disabling anti-malware scanning ...... 288
  Configuring server-based third-party anti-malware scanners ...... 289
  Managing anti-spam filtering ...... 290
  Methods of spam filtering ...... 291
  Enabling anti-spam filtering on mailbox servers ...... 297
  The spam filtering pipeline ...... 297
  Controlling protocol filtering ...... 298
  Controlling content filtering ...... 303
  Controlling sender reputation filtering ...... 304
  Controlling how Exchange interacts with client-side junk mail filtering ...... 304
  Working with quarantined messages ...... 306
Chapter 6 Unified messaging ...... 309
  A quick introduction to Exchange UM ...... 310
  Major Exchange UM features ...... 310
  Unified messaging concepts ...... 312
  Unified messaging objects and attributes ...... 318
  Unified messaging architecture ...... 323
  What happens when the phone rings ...... 325
  Call answering for a user mailbox ...... 326
  Call answering for an automated attendant ...... 346
  Call answering for Outlook Voice Access ...... 350
  Call answering for faxes ...... 351
  Placing outbound calls ...... 353
  The parts of a phone number ...... 353
  The role of dialing rules ...... 355
  Blind transfers ...... 359
  Supervised transfers ...... 359
  Multilingual support in UM ...... 360
  Installing and removing language packs ...... 362
  Choosing the right language ...... 362
  Deploying UM ...... 363
  Sizing and scaling UM ...... 364
  Preparing your network ...... 364
  Installing UM ...... 365
  Creating core UM objects ...... 365
  Designing automated attendants ...... 366
  Enabling users for UM ...... 368
  Managing UM ...... 368
  A quick note about permissions ...... 369
  Managing UM server-level settings ...... 369
  Scheduling UM work on the Mailbox server ...... 375
  Dial plan settings ...... 376

  UM IP gateway settings ...... 381
  UM mailbox policy settings ...... 381
  Mailbox settings ...... 384
  Automated attendant settings ...... 387
  Unified messaging and the future ...... 390
Chapter 7 Integrating Exchange 2013 with Lync Server ...... 391
  A quick history of Lync ...... 391
  Combining Lync and Exchange ...... 393
  What Lync provides ...... 393
  What Exchange adds to Lync ...... 395
  Lync integration concepts and architecture ...... 397
  Certificates, trust, and permissions ...... 401
  Initial integration steps ...... 402
  Installing prerequisites on Exchange servers ...... 403
  Configuring server authentication ...... 403
  Configuring Autodiscover ...... 404
  Creating partner applications ...... 405
  Enabling IM and presence integration in Outlook Web App ...... 408
  Configuring IM/P with single-role servers ...... 408
  Completing IM/P integration ...... 409
  Troubleshooting Outlook Web App IM integration ...... 412
  Integrating Exchange UM and Lync Server ...... 415
  Exchange UM integration concepts ...... 415
  Initial setup ...... 416
  Enabling the Unified Contact Store for Lync users ...... 423
  Working with high-resolution photos ...... 426
  Assigning photos to users ...... 427
  Integrating Exchange archiving with Lync Server ...... 429
  What archiving integration means ...... 429
  Understanding Lync archiving ...... 429
  Enabling Lync archiving to Exchange ...... 430
  On to the cloud ...... 431
Chapter 8 Office 365: A whirlwind tour ...... 433
  What is Office 365? ...... 434
  The many faces of Office 365 ...... 435
  Plans and licensing ...... 435
  Dedicated vs. shared ...... 438
  A word about pricing ...... 439
  Is Office 365 right for you? ...... 439
  The big bet ...... 439
  Hybrid or hosted? ...... 442
  Connectivity ...... 444
  Uptime and support ...... 444
  Privacy and security ...... 447

  Cost ...... 449
  Unique service features ...... 449
  Hybrid operations, migration, and coexistence ...... 450
  The role of directory synchronization ...... 450
  Single sign-on and federation ...... 452
  Password synchronization ...... 453
  Hybrid mode ...... 454
  Understanding types of migration ...... 458
  Assessing your Office 365 readiness ...... 459
  Signing up for the service ...... 459
  The OnRamp process ...... 460
  Setting up a hybrid organization ...... 463
  Enabling directory synchronization ...... 463
  Mail flow ...... 471
  Domains ...... 473
  Running the Hybrid Configuration Wizard ...... 479
  Moving users to the cloud ...... 484
  Managing a hybrid organization ...... 488
  Connecting Windows PowerShell and EAC to the service ...... 488
  Enabling customization ...... 489
  Changing hybrid settings after deployment ...... 490
  Dealing with throttling ...... 490
  All-in on the cloud ...... 492

Index ...... 493

Foreword for Exchange 2013 Inside Out books

Those seeking an in-depth tour of Exchange Server 2013 couldn’t ask for better guides than Tony Redmond and Paul Robichaux. Tony and Paul have a relationship with the Exchange team that goes back two decades, to the days of Exchange 4.0. Few people have as much practical knowledge about Exchange, and even fewer have the teaching skills to match. You are in good hands.

Over the past few years, we have seen significant changes in the way people communicate; a growing number of devices, an explosion of information, increasingly complex compliance requirements, and a multigenerational workforce. This world of communication challenges has been accompanied by a shift toward cloud services. As we designed Exchange 2013, the Exchange team worked hard to build a product and service that address these challenges. As you read these books, you’ll get an up-close look at the outcome of our efforts.

Microsoft Exchange Server 2013 Inside Out: Mailbox and High Availability covers foundational topics such as the Exchange Store, role-based access control (RBAC), our simplified approach to high availability, and the new public folder architecture. It also covers our investments in eDiscovery and in-place hold. As you read, you’ll see how Exchange 2013 helps you achieve world-class reliability and provides a way to comply with internal and regulatory compliance requirements without the need for third-party products.

Microsoft Exchange Server 2013 Inside Out: Connectivity, Clients, and UM explores the technologies that give users anywhere access to their email, calendar, and contacts across multiple devices. It also explains how to protect your email environment from spam, viruses, and other threats and describes how Exchange 2013 can connect with Office 365 so you can take advantage of the power of the cloud.

From our new building-block architecture to data loss prevention, there’s a lot to explore in the newest version of Exchange. I hope that as you deploy and use Exchange 2013, you’ll agree that this is an exciting and innovative release.

Enjoy!

Rajesh Jha
Corporate Vice President - Exchange
Microsoft Corporation


Introduction

This book is for experienced Exchange administrators who want to gain a thorough understanding of how client access, transport, unified messaging, and Office 365 integration work in Exchange Server 2013, the latest version of the Microsoft enterprise messaging server first released in October 2012 and updated on a frequent basis since. It isn’t intended to be a reference, and it isn’t suitable for novices.

In 2011, when Tony Redmond and I were working together to present the Exchange 2010 Maestro workshops in cities throughout the United States, we spent a lot of time talking about the nature of an ideal Exchange book. It should be comprehensive enough to cover all the important parts of Exchange, with enough detail to be valuable to even very experienced administrators but without just parroting Microsoft documentation and guidance. As far as possible, it should draw on real-world experience with the product, which of course takes time to produce. Out of those talks came Tony’s idea to write not one but two books on Exchange 2013. A single book would either be unmanageably large, both for author and reader, or would omit too much important material to be useful.

Although Tony’s Exchange 2013 Inside Out: Mailbox and High Availability (Microsoft Press, 2013) draws on his long and broad experience with the nuances of the Exchange mailbox role and how to put it to work, this book covers all the other things Exchange does, including client access, transport, unified messaging, and the increasingly important topic of Office 365 integration. Because Exchange 2013 is an evolution of Exchange 2010, we decided to use Microsoft Exchange Server 2010 Inside Out (Microsoft Press, 2010) as the base for the new book. For the topics in this book, so much has changed since Exchange 2010 that only a small amount of the original material remains. The rest is new and was written to take into account the many changes and updates that Exchange 2013 has undergone since its original release.

I have had the good fortune to work with and around Exchange for nearly 20 years. During this time, I’ve seen the Exchange community, product team, and product evolve and grow in ways that might not have been predictable back in 1996. If you went back to, say, 2000 and told the Exchange product group, “Hey, in 2013, your product will be deployed to hundreds of millions of users worldwide, many with tiny handheld computers that are more powerful than your desktop, and a whole bunch of them running as a Microsoft-hosted service,” you’d be bound to get some skeptical looks, and yet here we are.

I hope that you enjoy this book and that you’ll read it alongside Tony’s Microsoft Exchange Server 2013 Inside Out: Mailbox and High Availability. The two books really do go together. Tony and I exchanged technical editing duties for our respective books, so we share responsibility for any errors you might find.


Acknowledgments

I was incredibly fortunate to receive a great deal of help with this book from a variety of sources. A large group of Exchange experts from the Microsoft Most Valuable Professional (MVP) and Microsoft Certified Systems Master (MCSM) communities volunteered their time to read early drafts of the chapters as they were produced; their mission was to identify shortcomings or errors and to suggest, based on their own experience, ways in which the book could be improved. This book is much better thanks to their efforts, which I very much appreciate. My thanks to Kamal Abburi, Thierry Demorre, Devin Ganger, Steve Goodman, Todd Hawkins, Georg Hinterhofer, Miha Pihler, Maarten Piederiet, Simon Poirier, Brian Reid, Brian R. Ricks, Jeffrey Rosen, Mitch Roberson, Kay Sellenrode, Bhargav Shukla, Thomas Stensitzki, Richard Timmering, Steven van Houttum, Elias VarVarezis, Johan Veldhuis, and Jerrid Williams. My thanks also go to the broader MCM and MVP communities, particularly Paul Cunningham, Brian Desmond, and Pat Richard, for discussing topics or sharing scripts that informed the material I wrote.

In addition to these volunteers, I benefited greatly from the efforts of many people from the product team, including Diego Carlomagno, Bulent Egilmez, David Espinoza, Kern Hardman, Pavani Haridasyam, Tom Kaupe, Roy Kuntz, Lou Mandich, Jon Orton, Tony Smith, Greg Taylor, and Mini Varkey. Extra thanks to Rajesh Jha for taking the time to write the foreword for both books—no easy task considering how often Tony and I have hassled him about various matters.

Finally, you wouldn’t have this book at all if it weren’t for the stalwart efforts of Karen Szall, Valerie Woolley, and a cast of dozens at Microsoft Press. Karen never lost her temper despite the many vigorous discussions we had about my failure to meet deadlines or my obstinacy toward some of the requirements imposed by the Microsoft crack legal department. Thanks to them all for producing such a good-looking finished product.

Errata & book support

We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed on our Microsoft Press site at:

http://aka.ms/EXIOv2/errata

If you find an error that is not already listed, you can report it to us through the same page.

If you need additional support, email Microsoft Press Book Support at [email protected].

Please note that product support for Microsoft software is not offered through the addresses above.

We want to hear from you

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at:

http://www.microsoft.com/learning/booksurvey

The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!

Stay in touch

Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress.

CHAPTER 3 Client management

Choosing a client ...... 156
Managing Outlook for Windows ...... 169
Managing Outlook Web App ...... 189
Managing Outlook for Mac ...... 212
Managing Outlook Web App for Devices ...... 213
POP3 and IMAP4 ...... 213
Client throttling ...... 221

Although administrators think of Exchange Server as a complex, server-based system, the reality is that many of the millions of Exchange users worldwide think of their email system as Outlook. This is a testament to the Microsoft Office team’s branding efforts, but it also reflects a simplistic view of the Exchange client landscape. The truth is that there are six categories of Exchange clients:

●● Outlook remains the Microsoft premium fat or rich client. Microsoft long ago made a conscious decision to tie client-side and server-side features together in Exchange and Outlook so that key features in each new release require you to deploy the client and server together for maximum benefit. Outlook 2013 still uses Messaging Application Programming Interface (MAPI) (although it’s now tunneled over HTTPS), and Outlook 2007 and Outlook 2010 are still fully supported.

●● Outlook Web App has come a long way since Microsoft introduced the first versions in Exchange 5.5. The modern Outlook Web App client looks and behaves very much like Outlook 2013, and it supports a broad array of browsers on both conventional computers and mobile devices. The addition of a special touch mode for tablets, coupled with an offline mode for selected modern browsers, shows some tantalizing indications that Microsoft intends the web-based Outlook Web App experience to match or surpass native mobile-device clients in both flexibility and capability.

●● On the other hand, the fact that Microsoft is now shipping Outlook Web App clients as native applications for the Apple iPad and iPhone is an indication that there’s a place for purpose-built mobile clients. These clients, collectively known as Outlook Web App for Devices (perhaps indicating a future release for other platforms), don’t use Exchange ActiveSync; instead, they are based on a combination of Exchange Web Services (EWS) and HTML5. The current iOS versions provide full calendar and mailbox access, including push notification support, offline capability, and a wealth of other features formerly reserved for Apple’s native device clients.

155 - - - invested little to no engineering resources in updating Exchange 2013 POP/IMAP in updating Exchange 2013 POP/IMAP invested little to no engineering resources discussed only briefly are support versions, and these protocols to previous compared in this chapter. described fully in Chapter 4, “Mobile device management.” device management.” fully in Chapter 4, “Mobile described OS X (hereafter that Outlook 2011 for Mac just called Outlook EWS is the protocol and Outlook other applications, including Outlook 2010 Many 2011) uses exclusively. a straightforward, client, use EWS because it provides non-MAPI 2013 and the Lync way to access and modify every much pretty object, includ Exchange data type of uses EWS to rules, and folders.ing messages, contacts, Another example: SharePoint portable EWS is also data in site mailboxes. Linux, platforms; access and store across Mac OS X, clients also use EWS. and Android iOS, Windows Phone, A last category and IMAPv4. Although these protocols comprises clients using POP3 and poor limited features popular on Linux clients, they offer and remain mature are has Microsoft such as EAS and EWS. performance to newer protocols compared Speaking of native clients, another category native Speaking of Exchange client includes Exchange of Phone 8 version and the Windows Apple Mail for iOS (EAS) clients such as ActiveSync are management thereof and the itself, the EAS protocol Outlook. These clients, of ● ● ● ● ● ● before the corresponding Exchange release, whereas others have shipped after whereas Exchange. Exchange release, the corresponding before expe In either case, this poses a conundrum for companies that want the better-together Office is Deploying Exchange or a new version of promises. always rience that Microsoft challenging. 
For example, is even more a challenge, and doing them both concurrently early Exchange Outlook 2010, limiting the ability of before Exchange 2010 was released Outlook product between the Exchange and Outlook the relationship of Over the years, the strength changes and enterprises, organizational other large teams has waxed and waned. Like most The teams work together. to which these the degree political maneuvering have influenced sched the two teams’ plans has been the release collision between of most noticeable area of Office have shipped In the past, some versions flagship products. their respective ule of The first question many organizations have when they consider deploying a new version of version have when they consider deploying a new The first question many organizations Exchange is, “What client should we use?” In Exchange 2013, Microsoft has made dramatic changes to the client experience in several has made dramatic changes to the client In Exchange 2013, Microsoft the latest version that use and require as site mailboxes, such added new features, ways. It’s App Outlook Web the built-in made many changes intended to improve It’s Outlook. of interfaces the EWS and EAS application programming client and extended and improved which other clients take advantage. () of Client management Client

Chapter 3 Chapter

Choosing a client 156

Chapter 3

Outlook 2007 Outlook 2003 Outlook Version 3-1 TABLE with Exchange2013. Table 3-1brieflysummarizesmajorfeatures andhowtheywork ineachOutlookversion anearlyupgrade. harder forcompaniestojustify ClientAccessLicenses(CALs)nolongerincludealicense forOutlookalsomakesit server form of userproductivity, costs,oranythingelse.Thefactthat the Exchange lowersupport ises great costfornewlicensesanddeploymentwhileoffering littleobviousreturn inthe withanupgradethat prom ofolder versions Outlook;theyseelittlevalueingoingforward sofar. welcomedbyusers been universally Thisiswhysomanycompaniescontinuetorun of andapplicationfeatures, large andthesechangeshavenot changestotheuserinterface caused alotof Office2013makesanumber controversy becauseitwasunfamiliartousers. ple, theintroduction (featuringtheribbon)inOutlook2007 of theOfficefluentinterface cost of newsoftware licensesandpotentialhardware upgradesare considered. Forexam therollout, andthe and issuessuchasusertraining,preparing thehelpdesktosupport complexity whenanewapplicationmustbedistributedtotensof thousandsof desktops companies thanitisforlarge ones.Thelawof conspires numbers tocreate muchgreater ofWhat version Outlookshouldyoudeploy? Answeringthisquestioniseasierforsmall environments. ing fortheabilitytodeployExchange2013intoexisting2007or2010 toplanandexecuteOfficedeploymentswhilewait door provided ahandyopportunity Exchange 2013,butthedelayingetting2013CumulativeUpdate1(CU1)out torealizeadopters fullvaluefrom theirdeployment.Office2013didn’tshipuntilafter

Comparing different versions ofComparing different versions Outlook managed mailandretention policies. (OAB) implementationfor touseweb-baseddistributioninstead.First forshared datasuchasfree/busy andOfflineAddressrepository Book figuration of userprofiles. Movementaway asthe from publicfolders Introduction of Autodiscoverfunctionalityto enableautomaticcon byExchange2013. supported andlocalreplicas.ers Exchange2010requires Outlook2003SP2.Not fold enable fasterandmore efficientsynchronization betweenserver Introduction networkingto of cachedExchangemodeand smarter Major Features Choosing aclient Choosing

- - - - 157 -

Chapter 3 - - - -

Outlook 2010 Outlook. Far more developed and feature-complete version of mes version of feature-complete developed and more Outlook. Far policies. Supports (document retention) management saging record help customers to sharing calendar deploy in mixed cross-organization deployments. Supportson-premise/hosted email conversation view of Exchange) and the ability to (also works with earlier versions of threads in email. ­ not interested in which you’re threads ignore also supports located on Exchange 2010 servers personal archives and in addition to the primary mailboxes Exchange can open up to three mailbox. Revamped user interface, Windows tablets including touch mode for devices. Supportand touchscreen pub and modern for site mailboxes lic folders. Supports sync behavior in cached Exchange mode. Changes user interface additions, Outlook.com. Various EAS connections to that dis a subwindow Bar, the Weather and including inline replies plays weather in the calendar view. Major Features 32-bit platforms). (also available for of Outlook The first 64-bit version Supports within tracking from as MailTips and message such features control has been to allow (or force) the user to choose which folders to synchronize. This is the user to choose which folders to synchronize. (or force) has been to allow control but it falls far short for users who don’t necessarily know which a power user, if you’re great tools. The Outlook search folders they actually use because they file and find items through new Outlook sync interface 3-1) instead asks users to choose how much (shown in Figure calendar data whereas older mail items are synced in the background. For example, a user synced in the background. older mail items are calendar data whereas can You right away. 
messages a long vacation will see her most recent from who returns by setting the HKEY_CURRENT_USER\software\policies\microsoft this feature off turn any other DWORD to 0, but you can’t configure \office\15.0\outlook\hybrid\localcaching Access. Fast aspect of to sync The traditional approach problem. The sync slider is intended to handle a different Fast Access and the new sync slider. Fast works has the way synchronization together, As Exchange and Outlook have evolved the latest stage in this evolution; the basic idea is that Access is Fast too. Exchange changed, for the user to notice should continue in the back a sync operation that takes long enough email and all his the user’s Access immediately syncs most recent Exchange Fast ground. Outlook 2013 brings some interesting new functionality to the equation. Whether the new new functionality Outlook 2013 brings some interesting worthwhile are for everyfeatures different enough to consider an upgrade is company. cached Exchange mode in Outlook and Exchange 2003, it has introduced Since Microsoft one area However, bandwidth-efficient. and more continually worked to make sync faster be synced in the first what should much is the question of addressed it hasn’t previously the user’s experience: Exchange to improve two new features place. Outlook 2013 offers Outlook 2013 Outlook 2013 Outlook Version Outlook 2010 Client management Client

Chapter 3

mail they want to sync based on time. The idea here is that even nontechnical users can decide whether they need a month, a year, or all their email synced, so the slider enables the user to make that choice. Outlook is supposed to handle the rest.

Figure 3-1 The Outlook account settings dialog box, which now includes a slider that controls synchronization behavior

If the slider is set to anything other than All (the rightmost value), you see a subset of your mail while in cached mode. If you scroll to the bottom of a search, you'll see that Outlook provides a link telling you that more results are available on the Exchange server; clicking that link loads additional messages from the server. Interestingly, the slider doesn't affect sync for calendar items, contacts, tasks, or notes; all those items are always synchronized.

By default, Outlook 2013 syncs 12 months of mail, which is plenty for many users. However, you might want to apply a consistent value for this setting to avoid confusing users (and the resulting help desk calls) who don't see mail they expected. The SyncWindowSetting registry value (a DWORD under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Cached Mode) enables you to set the slider value through a Group Policy object (GPO). Set the value to the number of months of mail data you want to sync; legal values are 0 (meaning the entire mailbox), 1, 3, 6, 12, or 24. The sync mechanism deposits mail in a compressed OST file; more precisely, some data items in the file are


compressed, and others are not. Microsoft claims up to a 40 percent space savings compared to older versions of Outlook.

Another change is that Outlook 2013 can open up to 9,999 Exchange mailboxes concurrently, not all of which have to belong to the same Exchange organization. This is a significant increase over the Outlook 2010 limit of 10 mailboxes! By default, Outlook imposes a limit of four mailboxes. This is deliberately set to prevent Outlook from taking up huge amounts of system resources on a client PC, which would occur if someone attempted to open 10 or 20 mailboxes. However, you can increase the limit for concurrently open mailboxes up to the maximum by updating the value held in the registry at HKCU\Software\Microsoft\Exchange\MaxNumExchange.

Outlook 2013 also includes some miscellaneous new features, such as a weather display and the ability to warn you when you use phrases such as "see attached" or "I've attached" but then don't include an actual attachment.

Outlook 2010 and Outlook 2007

Microsoft fully supports Outlook 2007 and Outlook 2010 with Exchange 2013, provided that they are updated to the required versions. Outlook 2010 requires SP1 with the November 2012 cumulative update (CU), and Outlook 2007 requires SP3 and the November 2012 CU. If you use either of these versions, you'll miss out on some key Exchange 2013 features:

● Your users can't install or run apps from the Office Store.
● Integration with the settings slabs in Outlook Web App to allow editing unified messaging (UM) settings (such as call answering rules), group information, managing apps, and so on are missing. However, users can still open Outlook Web App options slabs directly to access these options.
● You can't access site mailboxes from Outlook, although they are still available from within Microsoft SharePoint.
● Your users won't see data loss prevention (DLP) Policy Tips warnings.

Outlook 2007 users will miss out on some additional features that were first introduced in Exchange 2010:

● No user interface is available to display the MailTips the server provides.
● Outlook 2007 doesn't understand the internal identifiers Exchange uses to connect related items in a conversation, so none of the conversation-related features (including conversation views, the ability to clean up a conversation, and the Ignore button) are supported.


● Outlook 2007 can render voicemail previews as plain HTML in the message body but lacks the control necessary to play the voice content if you click part of the voicemail preview. Also, it cannot process protected voicemail.
● You cannot send Short Message Service (SMS) messages from Outlook 2007.
● There is no support for retention tags and policies.
● Personal archives are accessible only if you deploy the update for Outlook 2007 released by Microsoft in late 2010.

Earlier versions of Outlook

Outlook 2003 and earlier versions are no longer supported. Apart from the countless improvements and bug fixes in newer versions, there are two important technical reasons the earlier versions aren't supported. First, Exchange 2013 requires clients to use Autodiscover, and Outlook 2007 was the first Outlook client to support it. Second, Exchange 2013 allows clients to connect only through RPC-over-HTTPS (or Outlook Anywhere), which was first supported in Outlook 2003.

Outlook Web App

As Outlook Web App and Outlook have matured, Microsoft has made Outlook Web App look and behave more like Outlook with each successive release. That raises the question of what the company's long-term intentions are. I think it's safe to say that the Office team will keep making new versions of Outlook as long as there is an Office team and, likewise, that the Exchange team will keep improving Outlook Web App. The enhancements in Outlook Web App 2013, though, seem to point to something else: Microsoft is laying the groundwork to obviate the need for third-party Exchange ActiveSync clients on smartphones and tablets in two ways:

● By improving the browser-based experience, as evidenced by the combination of touch mode in Outlook Web App, designed to make Outlook Web App friendlier on devices that lack a mouse or trackpad, and the availability of offline storage
● By shipping native apps for Apple iOS (and possibly other platforms in the future) that can replace the built-in Mail and Calendar applications

In late 2012 and early 2013, a pair of serious bugs in Apple's iOS caused problems for Exchange administrators who suddenly found their servers flooded with transaction logs. Since then, Microsoft and Apple have begun working much more closely to ensure that iOS


and Exchange get along well, and the Exchange team has added both bug fixes and new features to help prevent a misbehaving client from causing server-side problems. Even with these changes, though, it probably makes sense for Microsoft to enable Exchange 2013 customers to ditch the built-in clients for many use cases (although some actions, such as sending a message from a built-in photo app, for example, might still require the use of a built-in client).

New features in Outlook Web App 2013

The biggest new feature in Outlook Web App 2013 is its new interface, which was explicitly designed to look like Outlook 2013. The interface features much more white space, and most icons have been either removed or replaced by text labels. For instance, there are no icons in the folder list on the left side of the window, and the icon-based toolbar of previous versions is largely gone (see Figure 3-2). Opinions are divided over this visual style; some people really like it, whereas others say that it uses screen space inefficiently and that there's too much white. Whether or not you like it, though, it's safe to say that this design will be with us for a while, given that the same design elements are used in Xbox, Windows 8, and the other components of the Office 2013 family.

Figure 3-2 The Outlook Web App 2013 mail interface on Mac OS X in Chrome


Extending Outlook Web App with apps

Almost every significant desktop and mobile operating system platform has its own store in which third parties can sell applications for the platform. Apple started it, but Microsoft, Google, BlackBerry, Nokia, and other vendors have all followed suit. The expansion of the store model has now gone further with the introduction of the Office Store in Office 2013. Microsoft now provides a centralized place where companies of all sizes can sell add-ins for Office, such as executable add-ins for Microsoft Excel or Outlook, document templates for Office Word, or applications that plug into Outlook 2013 and Outlook Web App 2013. This last category, of course, is what this chapter focuses on the most.

Microsoft refers to this new application development model as the cloud app model; it is predicated on the idea that a lightweight app that connects to web service APIs is a useful way to add new functionality to desktop Office applications, SharePoint sites, and Outlook Web App. Applications built using this model are essentially containers of HTML and JavaScript that connect to websites to offer actions based on the context and content of the document or page on which they are triggered. If you remember Microsoft Smart Tags for Office 2007, this model should sound familiar; the cloud app model shares with it the notions that the document or page is the center of activity for the user and that the app should offer services that make sense in context.

The Outlook client itself has long had a number of extensibility models that enable developers to create software that integrates with Outlook on the client. The new model supplements but does not replace the existing extension capabilities. For example, cloud apps for Outlook Web App (and SharePoint) are installed on the server, either for individual users or for the server, but not on individual users' computers. The apps are constrained in the types of data they can access because they run in the security context of the user's browser. However, they can offer a surprising degree of utility, because these apps can integrate with third-party web services. The Office Store catalog at http://office.microsoft.com/en-us/store/apps-for-outlook-FX102804983.aspx lists several dozen apps that are intended to plug into Outlook 2013 and Outlook Web App 2013, including extensions that integrate consumer services such as Twitter, LegalBox, and LinkedIn, plus utilities of various sorts.

You can also deploy apps by publishing them in an internal app catalog, which gives you a straightforward way to publish apps for enterprise users. This app catalog can be stored on an Exchange server, a SharePoint site, or in a file. Administrators can block individual apps, turn off apps for the organization, or turn off apps for an individual user. The last feature enables you to prevent an individual user from installing apps that run in her local instance of Outlook 2013 because the Outlook Web App app model requires the apps to be stored on the server in the user's mailbox. In addition, separate Outlook 2013–specific features enable you to control app behavior within Outlook. For more information on configuring and managing these apps, see the "Managing Office Store apps for Outlook Web App" section later in this chapter.


Browser and operating system support

The best way to summarize the state of browser and operating system support for Outlook Web App 2013 is to say it's broad. Microsoft characterizes Outlook Web App support in three ways:

● Best gives users the full Outlook Web App 2013 experience, including automatic refresh of message lists, autocompletion of address fields, drag-and-drop, and more. Some browsers also get touch mode and offline support.
● Good is better than Light; it adds some additional features to the Light experience.
● Light refers to a fairly limited set of features. In Light mode, there's no drag-and-drop, and the user experience looks essentially just like Outlook Web App Light mode in Outlook 2007 (with a few minor stylistic changes). Figure 3-3 shows the Outlook Web App Light mode in Microsoft Internet Explorer 10 on Windows 8.

Figure 3-3 The Outlook Web App 2013 mail interface in Light mode on Internet Explorer 10 on Windows 8

Internet Explorer versions 9 and 10, Safari version 6 on Mac OS X, Firefox version 17, and Chrome version 24 are the minimum versions for the Best mode experience across the platforms. Chrome, Safari, and Internet Explorer 10 offer offline access in addition to the Best experience. Table 3-2 summarizes the support levels for various combinations of browsers and operating systems.


TABLE 3-2 Browser and operating system support for Outlook Web App 2013

Operating System                        Browser                 Support level
Windows XP, Windows Server 2003         Internet Explorer 7     Light
                                        Internet Explorer 8     Good
                                        Firefox 17+             Good
                                        Chrome 24+              Good plus offline access
Windows Vista, Windows Server 2008      Internet Explorer 8     Good
                                        Internet Explorer 9     Best
                                        Firefox 17+             Good
                                        Chrome 24+              Good plus offline access
Windows 7                               Internet Explorer 8     Good
                                        Internet Explorer 9     Best
                                        Internet Explorer 10    Best
                                        Firefox 17+             Best
                                        Chrome 24+              Best plus offline access
Windows 8                               Internet Explorer 10    Best plus offline access
                                        Firefox 17+             Best
                                        Chrome 24+              Best plus offline access
Mac OS X 10.5+                          Chrome 24+              Best plus offline access
                                        Firefox 17+             Best
                                        Safari 6+               Best plus offline access
Linux                                   Firefox 17+             Best
                                        Chrome 24+              Best plus offline access

Notice that Table 3-2 doesn't mention mobile browsers; that's on purpose. Microsoft only supports touch mode for Outlook Web App on a smaller set of browsers: Safari for the Apple iPad and Internet Explorer 10 for Windows RT and 8.

There is currently no way to force downgrades for a client; for example, if you want to force your Firefox users to get the Good or Light experience, you can't. Users can append "?layout=light" to the Outlook Web App URL to force it into Light mode for a particular client, although this is not officially documented anywhere. In addition, you can use Set-OWAVirtualDirectory –LogonPageLightSelectionEnabled to control whether users can choose Light mode themselves or Set-OWAVirtualDirectory –OWALightEnabled to control whether Light mode is available at all.


Deprecated features from Outlook Web App 2010

In every new release of Exchange, along with the new features we get, some old ones are removed; Microsoft giveth, and Microsoft taketh away. Outlook Web App 2013 is no exception. The deprecated feature that's garnered the most commentary is spell checking; Outlook Web App 2013 depends on the browser to do it rather than including it as a feature. This is an eminently reasonable decision, given the capabilities of modern browsers. Some other features were cut from the RTM version of Exchange 2013 that you might or might not miss:

● Attachment previews are now generated by an Office Web Apps server instead of by the WebReady feature included in the Exchange 2010 Client Access Server role. See "The Office Web Apps Server" section later in this chapter for more details.
● Concerning distribution list moderation, you can't moderate messages sent to distribution lists in Outlook Web App 2013.
● You can only have the reading pane on the right side of the window; there's no option to move it to the bottom.
● You can't reply to email messages that are embedded as attachments to other messages.
● S/MIME encryption and signatures aren't currently supported in Exchange 2013, although Microsoft documentation says they will be supported in a future version.

Mac OS X

If you have Mac OS X users, you essentially have four client choices. Which one you choose will depend in large measure on the number of Mac users you have, how vocal they are, and their tolerance for (or appetite for) aggravation.

● You can deploy Outlook 2011, part of Mac Office 2011. Although it shares a name with Windows Outlook, Mac Outlook is a very different beast, with a completely different user interface and many differences in functionality compared to the Windows version. Because it is a Mac-native application, and because the entire Office suite is familiar to most Mac users, this is a fairly safe choice. Having said that, Outlook 2011 has a reputation for being buggy and slow, though many of the supposed bugs are actually design choices that some Mac users don't like.
● You can use Apple's Mail and iCal applications, which come bundled with the operating system. They support EWS, and they are generally stable and performant. However, they are not very good as email and calendar clients compared to Outlook Web App or Outlook, with many missing features and some annoying behaviors


(such as sometimes failing to hide deleted messages) that stem from their legacy as IMAP/POP clients. Apple has gradually been improving the degree of Exchange support in each Mac OS X release, and die-hard Mac users will probably prefer this option to having to learn to use Outlook.
● You can let your Mac users have Outlook Web App, which requires little to no effort on your part and gives them a pretty good experience overall. However, because Outlook Web App is a browser-based application, it requires the use of a supported browser, and it doesn't offer all the features the native desktop clients do.
● You can run Outlook 2007, 2010, or 2013 in a Windows virtual machine. This gives users a true cross-platform experience because they are literally running the same code your Windows users do. Many organizations already provide virtualized Windows desktops for their Mac users; if not, setting up and deploying this option on a wide scale can be a challenge (and an expensive one at that).

Outlook Web App for Devices

Despite the rather clumsy name, Outlook Web App for Devices is a very cool addition to the field of Exchange clients. Released as an almost complete surprise in July 2013, the Outlook Web App for Devices clients run on most models of iPad (iPad 2 and later) and iPhone (iPhone 4S and later). The visual appearance of the client is very faithful to the browser-based version of Outlook Web App running on modern desktop browsers; the icons, typography, spacing, color scheme, and so on are nearly identical to what you see when loading Outlook Web App in Internet Explorer 10 or a recent version of Chrome or Firefox. Perhaps more importantly, the app offers a number of features that aren't available in the built-in apps shipped by Apple, including the ability to send and read messages protected with Active Directory Rights Management Services (AD RMS), access to personal archive mailboxes, the ability to display MailTips, and full integration of Office apps.

The app includes modules for email, calendar, and contact access. The calendar portion of the app (see Figure 3-4) is a huge improvement over the native iOS calendar app; it maintains a very close visual resemblance to the desktop Outlook 2013 client and provides full access to shared calendars. The biggest feature of interest in the contacts module is that contacts from your Exchange accounts can be synchronized with the local contact store, meaning that name resolution for phone calls will work properly.

The implementation of the app is interesting. Rather than using Exchange ActiveSync, as the native clients on iOS and Windows Phone do, Outlook Web App for Devices uses EWS for mail synchronization. The app itself includes a middleware layer that Microsoft calls PAL (for "platform abstraction layer") that ties the JavaScript implementation of Outlook Web App together with native functionality on the device. Local storage is provided by the SQLite database engine included with iOS. From the server's perspective, the traffic


generated by the mobile app looks like a mix of browser Outlook Web App operations and EWS traffic.

Figure 3-4 Outlook Web App for Devices can display shared calendars, and the result is visually nearly identical to the desktop Outlook 2013 client

The app maintains its own separate data store, so if it receives a remote wipe request, it erases all the application data and settings but doesn't affect any other data on the device. Likewise, security policies that you apply with mailbox or Outlook Web App policies on the server will be honored and enforced by the app, without any impact on the device operating system or on other applications. This is a welcome change for bring-your-own-device (BYOD) organizations because it means that issuing a remote wipe to a user won't remove the user's photos, music, or other personal data from a device that he owns.

As with the Office productivity apps for iOS, Outlook Web App for Devices was released first for Office 365 tenants; it is currently only supported for Office 365 users. Microsoft has said that it will enable it for use with on-premises Exchange 2013 deployments, but as of late 2013 it has not yet done so. As a means of giving customers incentives to move to Office 365, this isn't a bad strategy, but it seems to leave a bad taste in the mouths of many on-premises customers who feel like second-class citizens.


Managing Outlook for Windows

You can do much of what you need to do to manage Outlook clients on Windows by changing settings on the Client Access Server (CAS) itself, as described in Chapter 1, "Client access servers." This section talks specifically about actions you might need or want to perform to ensure the smooth functioning of your organization's Outlook clients.

Managing Outlook Anywhere

Outlook Anywhere was first introduced in Exchange 2003, and it has evolved quite a bit since then. The benefits of allowing clients to get their email without requiring a virtual private network (VPN) connection are significant, but previous versions of Outlook and Exchange have sometimes made Outlook Anywhere configuration somewhat complicated. Exchange 2013 simplifies the Outlook Anywhere world by making it the only protocol Outlook can use to access Exchange mailboxes. This eliminates much of the confusion inherent in trying to figure out which protocol the client would use under different circumstances. Exchange 2013 greatly streamlines the Outlook Anywhere deployment experience, too, because all you need to do is install a valid Secure Socket Layer (SSL) certificate on your client access servers and then make a few minor configuration tweaks. In this case, "valid" means that the certificate is issued by a certification authority (CA) the clients can trust—either a public CA or an internal CA whose certificate chain is on the trust list for the clients. Although you may install a public CA certificate on your Mailbox servers, this is not necessary.

Right out of the box, if you don't do anything, Outlook Anywhere works fine for internal clients. It might or might not work for external clients, depending on how you've set up your Internet-facing and internal-facing CAS servers. When you first install a plain Exchange 2013 Mailbox server, the Outlook Anywhere virtual directory is configured with an internal hostname that matches the machine FQDN, but the external hostname is blank, and SSL is not required to connect. For all your Internet-facing CAS servers, you should set an external hostname and enable the use of SSL for both internal and external clients. For example, suppose you wanted to configure an Internet-facing server named PAO-EX01; that's easily done with the following command (the SSL parameters are Booleans, so both need an explicit $true):

Set-OutlookAnywhere -Identity 'PAO-EX01\Rpc (Default Web Site)' -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -ExternalHostname 'mail.betabasement.com'

The "CAS authentication methods" section in Chapter 1 outlines the authentication methods Exchange can use in various scenarios, including Outlook Anywhere. An unmodified Exchange 2013 installation will have negotiate authentication set up for external clients and NTLM/Kerberos set for internal clients; this is generally optimal as is, so don't change it unless you have a very good reason.
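As an added example (not from the book), the following Exchange Management Shell script applies the settings just described to a list of Internet-facing servers and then audits every Outlook Anywhere virtual directory in the organization for the conditions the text warns about: a blank external hostname on an Internet-facing server and SSL not being required. The server names are assumptions; the external hostname is the one from the example above, and the external authentication method is passed explicitly but left at Negotiate, the default the chapter describes.

```powershell
# Added example, not from the book. Run from the Exchange Management Shell.
# Server names below are placeholders; 'mail.betabasement.com' is the hostname the chapter uses.
$InternetFacingServers = @('PAO-EX01', 'PAO-EX02')   # assumed Internet-facing CAS names
$ExternalHostname      = 'mail.betabasement.com'

function Set-InternetFacingOutlookAnywhere {
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [Parameter(Mandatory)][string]$Hostname,
        # Negotiate is the out-of-the-box external method the chapter describes; passed
        # explicitly so the resulting configuration does not depend on the current value.
        [ValidateSet('Basic', 'Ntlm', 'Negotiate')][string]$ExternalAuth = 'Negotiate'
    )
    foreach ($s in $Server) {
        # Each server has one Outlook Anywhere virtual directory, '<server>\Rpc (Default Web Site)';
        # piping it from Get-OutlookAnywhere avoids typing the identity by hand.
        Get-OutlookAnywhere -Server $s |
            Set-OutlookAnywhere -ExternalHostname $Hostname `
                                -ExternalClientsRequireSsl $true `
                                -InternalClientsRequireSsl $true `
                                -ExternalClientAuthenticationMethod $ExternalAuth
    }
}

function Test-OutlookAnywhereConfig {
    # Returns one object per Outlook Anywhere virtual directory in the org, with a
    # Problems column listing the conditions the chapter calls out.
    param([string[]]$InternetFacing)
    Get-OutlookAnywhere | ForEach-Object {
        $isInternetFacing = $InternetFacing -contains $_.ServerName
        $problems = @()
        if ($isInternetFacing -and [string]$_.ExternalHostname -eq '') {
            $problems += 'ExternalHostname is blank on an Internet-facing server'
        }
        if (-not $_.ExternalClientsRequireSsl) { $problems += 'external clients do not require SSL' }
        if (-not $_.InternalClientsRequireSsl) { $problems += 'internal clients do not require SSL' }
        [pscustomobject]@{
            Server           = $_.ServerName
            InternalHostname = [string]$_.InternalHostname
            ExternalHostname = [string]$_.ExternalHostname
            ExternalAuth     = $_.ExternalClientAuthenticationMethod
            InternalAuth     = $_.InternalClientAuthenticationMethod
            Problems         = ($problems -join '; ')
        }
    }
}

Set-InternetFacingOutlookAnywhere -Server $InternetFacingServers -Hostname $ExternalHostname
Test-OutlookAnywhereConfig -InternetFacing $InternetFacingServers | Format-Table -AutoSize
```

Run the audit function on its own first; any server that shows up with a non-empty Problems column is one where external Outlook Anywhere is likely to fail or to fall back to an unencrypted connection.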



Coexistence among Exchange 2007, Exchange 2010, and Exchange 2013 Outlook Anywhere

Coexistence is fairly simple to set up. The key is to point all incoming Outlook Anywhere traffic at an Exchange 2013 CAS. However, the Exchange 2013 CAS role doesn't have the remote procedure call (RPC) proxy code contained in RPCproxy.dll because it's not an RPC proxy! That means the proxying Exchange 2013 CAS uses HTTP to send the encapsulated RPC-over-HTTP packets to an Exchange 2007 or Exchange 2010 CAS, which does have RPCproxy.dll and thus can de-encapsulate the Outlook Anywhere packets. This design has a couple of side effects: you must have RPCproxy.dll installed on your Exchange 2007 or Exchange 2010 CAS servers, and you must have those servers configured for Outlook Anywhere. You must enable Outlook Anywhere on every Exchange 2007 and Exchange 2010 CAS, even if it's not Internet-facing, because Exchange 2013 can proxy traffic to internal servers as part of its proxy process. Coexistence proxying also requires an authentication change; you must configure your Exchange 2007 and Exchange 2010 CAS servers to allow integrated Windows authentication on the /rpc virtual directory.

INSIDE OUT   Everything is internal

One consequence of the Outlook Anywhere changes in Exchange 2013 is that Outlook always displays the internal hostname in the Exchange Proxy Settings dialog box, even if Outlook is connecting to the external hostname because it's on an external network. Microsoft claims in KB article 2754898 that this is by design, but it's not clear why the company would design it this way; keep this in mind in case your users complain that their Outlook clients are connecting to the "wrong" server.

Managing Autodiscover

The "Autodiscover" section in Chapter 1 describes what the Autodiscover protocol is and how it works. The key thing to remember with respect to the use of Autodiscover in Outlook is that the Autodiscover XML manifest typically gives you all the clues you need to understand the cause of any problems you encounter. The Exchange 2013 implementation of Autodiscover is different in a few respects from earlier versions. First, remember that Exchange 2013 emits two EXHTTP nodes as part of its Autodiscover response: one for the internal Outlook Anywhere configuration and one for the external version, in that order. Outlook clients are supposed to try these two configurations in order, ignoring any older EXPR elements. The new EXHTTP nodes are part of why you have to update Outlook 2007 and Outlook 2010 with the November 2012 (or later) CU before they work properly with Exchange 2013. In addition, Autodiscover itself doesn't require any configuration because it merely publishes the URLs and service names that are configured on other objects, such as the Exchange ActiveSync virtual directory and the endpoints for Outlook Anywhere.
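To make the EXHTTP-then-EXPR rule concrete, here is an added example (not from the book) that reads an Autodiscover response and lists the Outlook Anywhere endpoints in the order an Exchange 2013-aware client is supposed to try them. The XML is a constructed, trimmed-down response with placeholder hostnames, kept only to the elements the selection logic needs.

```powershell
# Added example, not from the book. The response below is constructed for illustration:
# one legacy EXPR node followed by the two EXHTTP nodes (internal, then external)
# that the chapter says Exchange 2013 emits. Hostnames are placeholders.
$sampleResponse = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXPR</Type>
        <Server>legacy.betabasement.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>pao-ex01.betabasement.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>mail.betabasement.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Negotiate</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-OutlookAnywhereEndpoints {
    # Returns the endpoints a client should try, in order. EXHTTP nodes win and are
    # taken in document order (internal first, then external); EXPR is used only
    # when the response carries no EXHTTP node at all (an older server, or an
    # older client that does not understand EXHTTP).
    param([Parameter(Mandatory)][string]$AutodiscoverXml)
    $doc       = [xml]$AutodiscoverXml
    $protocols = @($doc.Autodiscover.Response.Account.Protocol)
    $exhttp    = @($protocols | Where-Object { $_.Type -eq 'EXHTTP' })
    $chosen    = if ($exhttp.Count -gt 0) { $exhttp } else { @($protocols | Where-Object { $_.Type -eq 'EXPR' }) }
    $order = 0
    foreach ($p in $chosen) {
        $order++
        [pscustomobject]@{
            Order       = $order
            Type        = $p.Type
            Server      = $p.Server
            RequiresSsl = ($p.SSL -eq 'On')
            AuthPackage = $p.AuthPackage
        }
    }
}

# On a real client you would feed this the XML saved from Outlook's "Test E-mail
# AutoConfiguration" dialog; a server whose EXHTTP hostnames or SSL flags differ
# from what Get-OutlookAnywhere reports is the usual sign of a stale or mismatched configuration.
Get-OutlookAnywhereEndpoints -AutodiscoverXml $sampleResponse | Format-Table -AutoSize
```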



Using the Exchange Remote Connectivity Analyzer

One of the coolest things about the Exchange team is its habit of innovating in ways that other Microsoft product groups later copy. For example, Exchange was the first product to use what we now think of as AJAX; the team was the first to produce a best-practices analyzer to help customers ensure that their deployments were optimized; and it was the first to include support for Microsoft Windows PowerShell. Another first that deserves mention in the context of client management is the Exchange Remote Connectivity Analyzer, or ExRCA. ExRCA is a tool originally championed by the Exchange product support team, which was seeking a better way to help customers troubleshoot connectivity problems. The tool analyzes many aspects of the connection between an Outlook or mobile client and your Exchange server, including the certificates used, the CAS configuration, and how Autodiscover is configured, and it tells you when it finds problems in a clear, easy-to-read report that makes it easy to resolve problems. Figure 3-5 shows a sample ExRCA report.

Figure 3-5 An example, intentionally bad: an ExRCA report showing multiple failures

The ExRCA tool itself is available in two versions. The online version, hosted at http://www.testexchangeconnectivity.com, performs tests for Outlook Anywhere, Autodiscover, EWS, and EAS connectivity. These tests can be performed against your own on-premises Exchange installation or against an Office 365 tenant. The online ExRCA also performs Lync Autodiscover and connectivity tests. There is a second, client-based version that you can


download from the Clients tab of the ExRCA website and run on a local client. The local version, known as the Microsoft Connectivity Analyzer, is useful when you want to see why a particular client (or a client in a particular location or network) is having trouble.

Using the online version of ExRCA

The biggest thing to remember when using ExRCA online is that it requires you to provide credentials for an account in your Exchange organization. Although Microsoft is trustworthy, it is of course a bad idea to use an administrative account for this; instead, you should use an ordinary user account, ideally one that you use only for testing and that is normally disabled in Active Directory except when you're actually testing.

The first page of the ExRCA website asks you to choose a test (Figure 3-6). The Autodiscover and Outlook Anywhere tests are probably of greatest interest to most administrators, although there are other tests for various aspects of Exchange, Lync, and Office 365 connectivity.

Figure 3-6 The opening page of ExRCA, requiring you to choose a test to run


When you've chosen a test type, you see a page similar to that shown in Figure 3-7. You must supply credentials for the test account you're using, and you must select a check box that indicates that you understand and accept that the working account you specify might be compromised and that you accept responsibility for it. You also have to fill out a CAPTCHA verification field; when you've done so, you can start the test by clicking the Perform Test button.

Figure 3-7 ExRCA requires logon credentials, which you must carefully safeguard

ExRCA then performs the requested test. When it's done, you get a neatly formatted report page. The report makes clear which operations succeeded or failed; failed operations usually include a link labeled "Tell me more about this issue and how to resolve it" that takes you to a page with more information on the specific failure. This is where ExRCA really shines; it's simple to run ExRCA against a new Exchange deployment (or one for which you have newly assumed responsibility) and get clear prescriptive guidance on how to fix the


issues ExRCA finds. You can save ExRCA results as XML or HTML reports if you want to, which can be handy when tracking the progress of issues over time.

Using the Microsoft Connectivity Analyzer

The Microsoft Connectivity Analyzer (MCA) is relatively new; released in early 2013, it complements ExRCA by providing a downloadable tool you can run directly from a client machine. MCA is packaged using the Microsoft ClickOnce technology, so it can easily be installed directly from a web browser even by users who don't have local administrative privileges on their computers. To download MCA, open the Client tab on the ExRCA website and click the Microsoft Connectivity Analyzer link; the MCA installation process walks you through the actual installation. Be aware that you will need version 4.5 of the .NET Framework installed on the client PC and that (depending on your browser) you might also need to configure the browser to allow ClickOnce deployments. When you have the tool running, you see the start page shown in Figure 3-8. Note that this is providing essentially the same options as the ExRCA page, but it's formatted and worded in a much more approachable way for users who aren't Exchange administrators. Clicking any of the links on this page prompts the user for whatever other information MCA needs, including logon credentials. When you've plugged in the requested information, clicking Next starts the test. After the test completes, you see a summary page; if any problems were found, the page typically says "Administrator Assistance May Be Required." Separate buttons enable the user to save the test results (presumably to give to the administrator) or review them himself.

When you review an MCA report, you'll notice the same basic format as you see in ExRCA; each test is labeled with an icon indicating whether it passed or failed, and most tests have a disclosure triangle by which you can expand the results to see more details. MCA reports also have the Tell Me More link, which is handy when you're asked to review test results MCA has gathered but is probably less useful for end users.


Figure 3-8 The Microsoft Connectivity Analyzer main page, a simplified rendition of the options available in ExRCA

Outlook settings and group policies

Outlook has long offered a set of Group Policy–based controls to simplify administration in large environments. You can apply these customizations by using the traditional method of attaching the Office-specific administrative templates (available from http://technet.microsoft.com/en-us/library/cc178992.aspx) or by using the Office Customization Tool (OCT), a topic that deserves a book of its own due to its complexity. The mechanics of applying Group Policy object (GPO) customizations to Outlook are outside the scope of this book, but it's worth mentioning some of the most interesting settings; a full list is available from http://technet.microsoft.com/en-us/library/ff631135.aspx.

● You can prevent Outlook from using PST files in two ways. First, you can prevent it from using PST files at all. Second, you can allow it to open existing PST files but prevent it from allowing them to grow. Both of these Group Policy settings are described more fully later in the chapter in the "Controlling PST files" section.


● You can control how many months of cached email data are synchronized with the HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\hybrid!syncwindowsetting value, as described earlier in the chapter.

● By default, Outlook searches both locally cached email and email on the server; Microsoft calls this hybrid searching. If you want to restrict Outlook to performing searches on only local messages, you can set the User Configuration\Administrative Templates\Microsoft Outlook 2013\Outlook Options\Preferences\Search Options GPO option.

● You can disable Exchange Fast Access by using the HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\hybrid!localcaching value, although this value doesn't expose a user interface in either the OCT or the GPO template file.

● Normally, Outlook helpfully tries to turn URLs and Universal Naming Convention (UNC) paths into clickable hyperlinks. Some organizations try to discourage users from clicking links in email and might want to turn this feature off; to control this, use the Internet and network path into hyperlinks setting under the User Configuration\Administrative Templates\Microsoft Outlook 2013\Outlook Options GPO.

● You can disable the display of MailTips by using the User Configuration\Administrative Templates\Microsoft Outlook 2013\Outlook Options\Preferences\Email Options GPO setting or the HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\options\mail!disablemailtips value. Setting this doesn't have any effect on the display of Policy Tips for data loss prevention.

The new Office app extensibility model gets its own set of controls. All of them live in the GPO template under the User Configuration\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center node:

● If you don't want your Office users using apps for Office, you can block them using the Block Apps for Office setting; there's no way to block apps only within Outlook. You either block apps from all desktop Office programs or none.

● If you want to let users run apps for Office but not install them from the Microsoft Office Store, set the Block The Office Store setting.

● There are multiple settings for controlling the activation behavior of apps; these are intended to give you a way to throttle or block apps that use too much CPU or RAM when run from within Outlook. These controls are mentioned at http://technet.microsoft.com/en-us/library/jj219429.aspx#BKMK_Managing. However, as of this writing, Microsoft hasn't documented specific values that might make sense for these GPO settings, so I recommend leaving them alone.


Pre-staging OST files for Outlook 2013 deployment

When a user synchronizes her mailbox with Outlook for the first time using cached Exchange mode, Outlook downloads every item in every folder in her primary mailbox and stores it in a local OST file—that's the cache to which "cached Exchange mode" refers. This can be a slow process, depending on the speed of the user's network connection and the amount of email to be downloaded; for large deployments, the network burden of having many users downloading their email at the same time can be an issue, too. To simplify the process of deploying Outlook, and to reduce the amount of network traffic, Microsoft supports a process of creating an initial OST file. You can think of this much like preseeding a DAG replica; the idea is to create a copy of the OST file over a high-speed network, save it, and then provide it to the user offline. The basic process works like this:

1. Log on to a machine running Outlook 2013, using an account that has permission to log on to the user's mailbox. This can be the user's mailbox or a separate administrative account that has the Send As and Receive As permissions on the target user.

2. Delete any existing OST files or Outlook profiles. Although this step is not strictly necessary, it reduces the chances that you'll accidentally copy the wrong OST file.

3. Create a new Outlook profile for the target user, making sure that cached Exchange mode is enabled. Set the sync slider described earlier to the appropriate value for the amount of mail you want the OST to contain.

4. Launch Outlook and wait for the OST to synchronize.

5. Quit Outlook and then move the OST file from %userdata%\Local Settings\Application Data\Microsoft\Outlook to where it is reachable from the user's machine. You could also burn it to a DVD, put it on a USB stick, and so on.

Repeat this process for each of the users for whose mailboxes you want OST files. With a bit of work, you could probably automate this process if you have a large number of mailboxes to deploy.

To stage the OST file, do the following:

1. Log on to the user's computer as the user.

2. Copy the OST file back to its home; if you accept Outlook defaults when creating the profile, this will be %userdata%\Local Settings\Application Data\Microsoft\Outlook.

3. Create a new Outlook profile for the user, specifying the OST location you used in step 2.

4. Log on to Outlook.


When Outlook starts, it will download any changes that were made to the original mailbox contents on the Exchange server to bring the OST up to date. However, because you allowed the OST to synchronize initially, the volume of changes that have to be synced should be much smaller than that required for a full download.

Controlling PST files

PST files are an unwelcome part of many Exchange deployments. In the early days of Exchange, it made sense to let clients keep their own stores of email to help relieve the storage burden placed on the server; a typical email server might only support a few hundred 25 MB mailboxes, so letting users keep their own local stashes of mail made sense. However, the messaging world has changed in several important ways. Exchange efficiently supports mailboxes of 10 GB or even larger, and storage is cheap enough that having terabytes of space on a server is no longer uncommon. Compliance, retention, and records management are increasingly important for many organizations, too. Given these factors, it makes sense to examine whether PST files are still useful and relevant. There are many good reasons to banish PST files from your organization, including the fact that mail stored in local workstation PSTs is essentially invisible from any compliance, security, or backup tools you have in place for your Exchange data.

If you want more information about compliance issues, see Chapter 11, "Compliance management," in Microsoft Exchange Server 2013 Inside Out: Mailbox and High Availability by Tony Redmond (Microsoft Press, 2013).

Assuming that you want to limit or eliminate the use of PST files in your organization, you have three choices: configure Outlook to restrict them, use the Microsoft PST Capture tool to find and ingest PST files on your network, or use a third-party tool.

Restricting use of PST files in Outlook

The Outlook Group Policy settings give you control over two aspects of how Outlook uses PST files. First, you can prevent Outlook from opening PST files at all with the DisablePST value (HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\X.0\Outlook\DisablePST, where X is the version of Outlook—for instance, 15.0 for Outlook 2013). When this value is present and set to 1, Outlook will not open any PST files that might be present in the user's Outlook profile, nor will it allow users to create new PST files or add existing PST files to a profile.

Your second option is to allow users to open their existing PSTs but not to allow those PST files to grow in size. The PSTDisableGrow value (HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\X.0\Outlook\PST\PSTDisableGrow) prevents Outlook from allowing the PST file to grow in size; users can open their existing files and remove items from them, but users cannot add new items.
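The Outlook policy values named in this chapter (the sync window, Exchange Fast Access, MailTips, DisablePST and PSTDisableGrow) all live under the same HKEY_CURRENT_USER policies hive, so a single script can show what a given user's machine is actually enforcing. The following is an added example, not code from the book or from Microsoft; the registry keys and value names are the ones the chapter lists, and the Office version, the "meaning" column and the PST summary text are assumptions you should align with your own policy.

```powershell
# Added example: audit the Outlook 2013 Group Policy registry values discussed in
# this chapter for the current user. Run in a normal PowerShell session on the
# client, or adapt it into a logon script that writes the report to a share.

$OfficeVersion = '15.0'   # 15.0 = Outlook 2013, as the chapter states
$PolicyRoot = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"

# Each entry: subkey relative to $PolicyRoot, value name, and what the value means.
# The "What" text is this example's interpretation, not quoted from Microsoft.
$Checks = @(
    @{ Key = 'hybrid';       Name = 'syncwindowsetting'; What = 'Months of cached mail to synchronize' },
    @{ Key = 'hybrid';       Name = 'localcaching';      What = 'Exchange Fast Access (0 = disabled)' },
    @{ Key = 'options\mail'; Name = 'disablemailtips';   What = 'MailTips display (1 = disabled)' },
    @{ Key = '';             Name = 'DisablePST';        What = 'PST use (1 = no PST files at all)' },
    @{ Key = 'PST';          Name = 'PSTDisableGrow';    What = 'PST growth (1 = open/remove only)' }
)

function Get-OutlookPolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    if (-not (Test-Path $path)) { return $null }
    # A missing value is not an error here: it simply means no policy is set.
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-OutlookPolicyReport {
    foreach ($c in $Checks) {
        $value = Get-OutlookPolicyValue -SubKey $c.Key -Name $c.Name
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $value) { '(not set: Outlook default applies)' } else { $value }
            Meaning = $c.What
        }
    }
}

# Summarize the two PST values the chapter recommends using: "not set" on both
# means the user can create and grow PST files freely.
function Test-PstRestriction {
    $disable = Get-OutlookPolicyValue -SubKey ''    -Name 'DisablePST'
    $noGrow  = Get-OutlookPolicyValue -SubKey 'PST' -Name 'PSTDisableGrow'
    if ($disable -eq 1) { return 'PST files blocked entirely (DisablePST = 1)' }
    if ($noGrow -eq 1)  { return 'Existing PST files open but cannot grow (PSTDisableGrow = 1)' }
    return 'No PST restriction in effect'
}

Get-OutlookPolicyReport | Format-Table -AutoSize
Test-PstRestriction
```

Because these values sit under the Policies hive, they reflect what Group Policy (or the OCT) has pushed down; a value that is missing on a machine that should be in scope of your GPO is a sign the policy did not apply, which is worth checking before you assume PST use is restricted.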


Although you can deploy these settings on individual machines, it is much more productive to use Windows Group Policy objects (GPOs) to do the work for you. Microsoft provides GPO templates for each version of Office that already incorporate these settings; you add the appropriate administrative template to the GPO that targets the desired users, enforce the settings you want, and allow the GPO mechanism to replicate the settings to the target computers.

Using the Exchange PST Capture tool

After years of ceding the world of PST management to third parties, Microsoft introduced its own PST management tool, PST Capture. The function of the tool is simple: You install an agent on each of your workstations and then you install the PST Capture service itself on a server. The agents scan individual machines, looking for PST files, and then send information about the files they find to the central server. PST Capture really involves a two-step process: discovering the PST files according to search criteria you plug in and then importing the resulting files to users' mailboxes. If the target mailboxes are within your Exchange organization, the PST Capture service sends the mail through CAS servers; if you're importing PSTs to mailboxes hosted on Office 365, the capture tool sends mail data directly to the cloud.

To use the tool, first install the PST Capture service and console; Microsoft recommends installing them on a dedicated computer. The service requires a service account with permission to read and modify mailboxes on the Exchange servers you're using. To be more precise, the account under which you run the service needs the Exchange Organization Management role-based access control (RBAC) role.

Install the agent on computers you want to be able to scan. The agent is packaged as an MSI file that supports silent installation, so you can push it using Group Policy or other automated installation methods. The agent normally requires you to specify the PST Capture server to which you want it to talk, but you can do this from the command line like so:

msiexec /i PSTCaptureAgent_x86.msi /q CENTRALSERVICEHOST=deathToPSTs.contoso.com SERVICEPORT=6674

The more interesting question is really where you install the agent. Obviously, you want it on machines that are likely to have PST files. That might include desktop or laptop computers the organization owns, file servers, or network-attached storage (NAS) devices. (Although NAS devices can be scanned with the console, they can't normally run the agent.) You have to trade off the work required to install (and, later, remove) the agent on the computers versus the benefit of identifying and getting rid of PST files, bearing in mind that users in your organization with non-domain-joined machines running Outlook Anywhere might still have PST files stashed away on laptops or desktops at home.


After you install agents, you can perform a search. You can control which computers are included or excluded and specific folders you want included in the search. For example, you can exclude the Windows system directory with a single check box. You can schedule the search or perform it immediately. When you've completed a search or supplied your own manual import list containing the names and paths of the PSTs you want to import, you can start an import operation. You can import PSTs to a specific folder in the target user's mailbox, or you can dump the contents in the Inbox. For example, say the PST has a top-level folder named Old Mail with subfolders named 2011 and 2012. If you select the Inbox option, the user sees a new folder named Old Mail as a subfolder of the Inbox. If you select a specific target folder, the Old Mail folder will be created as a child of that folder. You can also specify that you want PST items imported into the user's archive mailbox, presuming that he has one. In either case, you must use the PST Capture console to link each PST file with the mailbox to which it should be imported. Because the console shows you the computer name and local path of each PST it finds, it should be simple to identify which PSTs belong to which users, but specifying them in the console can be a time-consuming operation.

For more details on the care and feeding of the PST Capture tool, see the Microsoft documentation at http://technet.microsoft.com/en-us/library/hh781033(v=exchg.141).aspx.

Exploring third-party solutions

When Microsoft delivered the initial version of the PST Capture tool, it entered a market that already contained a number of solutions for identifying and importing PST files, including PST Attender from Sherpa Software, the Migrator product from TransVault, and others. As with many other Microsoft add-ons, the PST Capture tool does much but not all of the work third-party tools do. You have to decide whether the additional features (which might include better reporting, more flexible scheduling, or a wider range of configuration options) justify the expense of buying a tool you might not need to run on an ongoing basis.

Blocking client connections to a mailbox

Exchange enables you to disable any or all client connection protocols, including MAPI, on a per-user basis. You might need to do this if you want to prevent users from running earlier versions of Outlook that don't support features you need (such as messaging records management features like managed folders) or because the users in question are required to use Outlook Web App. Whereas Exchange 2007 and Exchange 2010 required you to make this change through the Mailbox Features tab of the user's account properties, in Exchange 2013, you can do it


either through Exchange Management Shell (EMS) (by using Set-CASMailbox) or the mailbox features tab of the user's mailbox properties dialog box in Exchange Administration Center (EAC) (Figure 3-9). If you disable MAPI for a user, that user cannot use Outlook to connect to her mailbox.

Figure 3-9 Disabling MAPI access for a user


The Set-CASMailbox cmdlet supports a number of parameters to control how an individual mailbox can use MAPI to connect to a mailbox on an Exchange server:

● MAPIBlockOutlookNonCachedMode Enables you to determine whether you allow Outlook clients to connect in online mode to the server. Set this parameter to $True to force clients to connect in cached Exchange mode or to $False to allow online access. Somewhat confusingly, users blocked from online access see the same message shown in Figure 3-10, followed by another error message to tell them that Outlook is unable to open their default email folders. Pointing to the version of Outlook rather than the need to use cached Exchange mode might confuse the help desk when users report their problem.

● MAPIBlockOutlookRpcHTTP Enables you to determine whether you allow Outlook clients to connect over RPC over HTTP through Outlook Anywhere. Set the parameter to $True to block RPC over HTTP access and $False to allow access.

● MAPIBlockOutlookVersions Enables you to control which versions of Outlook can connect to Exchange. You might use this setting to force users to upgrade to a more modern version of Outlook by blocking Outlook 2007. If a user attempts to use a blocked version of Outlook, he will see the error message shown in Figure 3-10. Outlook clients configured for cached Exchange mode continue to work offline, but they cannot connect to the server until an administrator lifts the block.

Figure 3-10 A user discovers that he can't use this version of Outlook to connect to Exchange

Microsoft identifies Outlook builds using a scheme of major release, minor release, build number. The major release number is shared across all the Office applications. The Office 14 suite includes Outlook 2010, Office 15 includes Outlook 2013, and so on. (Microsoft did not produce an Office 13 suite.) The minor release indicates whether the build is the original RTM build, a service pack, or a cumulative update, and the build number is incremented daily to include code and fixes checked in by engineers. Here are the build numbers for some example Outlook versions:

● Outlook 2007: 12.4518.1014

● Outlook 2007 SP1: 12.6425.1000


● Outlook 2010: 14.0.4760.1000

● Outlook 2013 RTM: 15.0.4481.1003

To discover the client version to specify in the MAPIBlockOutlookVersions parameter, you can look at the properties of Outlook.exe itself, use the Programs control panel, or check with the list of useful client versions that Microsoft maintains at http://technet.microsoft.com/en-us/library/aa996848.aspx.

Before you start blocking any particular version of Outlook on Exchange 2013, you might want to know which users are currently using which versions to connect to your existing Exchange infrastructure. On Exchange 2007 and 2013, this command will give you a CSV file listing each user who's running Outlook along with the version of Outlook she's using. This helps simplify decisions about which versions to block on which mailboxes:

Get-MailboxServer | Get-LogonStatistics | Select UserName,ClientName,ClientVersion,LogonTime | Export-Csv -Path ExchangeClientVersions.csv

When you know which versions you want to block, the next step is to construct a version string that does the trick when passed to Set-CASMailbox. A single version by itself blocks only that version. A range of two versions blocks those versions and any in between. Specifying a single version with a dash either before or after it blocks all versions before or after that version, depending on where you put the dash. You can combine multiple version strings by separating them with semicolons. A few examples might help make this clearer:

● Set-CASMailbox –MAPIBlockOutlookVersions "12.0.6504.5000" blocks Outlook 2007 SP2 only. Any other version can connect.

● Set-CASMailbox –MAPIBlockOutlookVersions "12.0.4518.1014-14.0.6023.1000" blocks Outlook 2007 and all versions up to and including Outlook 2010 SP1. Any earlier or later version can connect.

● Set-CASMailbox –MAPIBlockOutlookVersions "-15.0.4128.1014" blocks any version earlier than the public beta of Outlook 2013, including the public beta itself. Any later version can connect.

● Set-CASMailbox –MAPIBlockOutlookVersions "15.0.4481.1003-" blocks any client version later than Outlook 2013 RTM. Any earlier version can connect.

When you're blocking, you should always include an explicit allow for version 6.0.0 to support Exchange server-side MAPI connections (server connections always use MAPI version 6.0), like this:

Set-CASMailbox –Identity 'Simpson, Katherine' –MAPIBlockOutlookVersions '-6.0.0;-15.0.4128.1014'
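The CSV produced by the Get-LogonStatistics command above is only useful if you turn it into decisions, so here is an added example (not from the book) that reads that file, finds the users whose Outlook is older than a minimum you choose, and stages the corresponding MAPIBlockOutlookVersions change as a dry run. It runs in the Exchange Management Shell. The minimum version, the block string (which keeps the 6.0.0 allowance for server-side MAPI in the form the chapter uses) and the CSV path are assumptions to adjust for your own environment.

```powershell
# Added example: derive a targeted Outlook version block from ExchangeClientVersions.csv.
# Assumptions: the CSV has the UserName, ClientName, ClientVersion and LogonTime
# columns produced by the command in the chapter; you run this in EMS.

$CsvPath        = '.\ExchangeClientVersions.csv'
$MinimumVersion = [version]'14.0.0.0'           # Outlook 2010 RTM is 14.0.4760.1000 (see the list above)
# Block Outlook major releases 10 through 12 (Outlook 2002 to 2007) while leaving
# the 6.x range alone so Exchange's own server-side MAPI connections keep working.
$BlockString    = '-6.0.0;10.0.0-12.65535.65535'

function Get-OutdatedOutlookUsers {
    param([string]$Path, [version]$Minimum)
    $rows = Import-Csv -Path $Path
    $outdated = foreach ($r in $rows) {
        $v = $null
        # Skip rows whose ClientVersion is blank or not a dotted version string.
        if (-not [version]::TryParse($r.ClientVersion, [ref]$v)) { continue }
        # 6.x logons are Exchange server-side MAPI sessions, not Outlook users.
        if ($v.Major -lt 10) { continue }
        if ($v -lt $Minimum) {
            [pscustomobject]@{ UserName = $r.UserName; ClientVersion = $v; LogonTime = $r.LogonTime }
        }
    }
    # A user may appear many times; report the oldest client each user connected with.
    $outdated | Group-Object UserName | ForEach-Object {
        $_.Group | Sort-Object ClientVersion | Select-Object -First 1
    }
}

function Set-OutdatedOutlookBlock {
    param([object[]]$Users, [string]$Block, [switch]$Apply)
    foreach ($u in $Users) {
        # Nothing changes unless -Apply is given; the default is a -WhatIf dry run
        # so the list can be reviewed with the help desk first.
        if ($Apply) {
            Set-CASMailbox -Identity $u.UserName -MAPIBlockOutlookVersions $Block
        } else {
            Set-CASMailbox -Identity $u.UserName -MAPIBlockOutlookVersions $Block -WhatIf
        }
    }
}

$targets = Get-OutdatedOutlookUsers -Path $CsvPath -Minimum $MinimumVersion
$targets | Format-Table -AutoSize
Set-OutdatedOutlookBlock -Users $targets -Block $BlockString     # add -Apply to commit
```

UserName in the CSV is a display name; if your directory contains duplicate display names, replace it with a unique identity such as the user's alias or distinguished name before passing it to Set-CASMailbox, or the cmdlet will refuse the ambiguous match.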


You have to wait up to 120 minutes for the cached information about the mailbox to expire from the Store's cache. Alternatively, you can restart the Information Store service, but apart from test situations, this is definitely not the best approach because it will affect all the mailboxes connected to the server.

You can check whether any restrictions are in place for any protocols on a server by using the Get-Mailbox cmdlet to examine the ProtocolSettings property of each mailbox. If a restriction is in place for a specific client version, you see that version listed. If an administrator has completely disabled MAPI access for the mailbox, you see "MAPI" and no version number. For example:

Get-Mailbox –Server PAO-EX01 | Where {$_.ProtocolSettings –ne $Null} | Select Name, ProtocolSettings

Name                 ProtocolSettings
----                 ----------------
Cannon, Paul         {MAPI§§§§-6.0.0;10.0.0-11.5603.0§§§§}
Kol, Ayla            {MAPI§0§§§§§§§}
Simpson, Katherine   {OWA§1, IMAP4§0§§§§§§§§, POP3§0§§§§§...

You can also use the Get-CASMailbox cmdlet to check for MAPI blocks. Get-CASMailbox is more interesting because it also allows you to return the value of the MAPIEnabled property (False if the user is completely blocked from using MAPI) and to see all the details of the protocol settings you can set on a mailbox. However, you cannot specify a server name to check against, so Get-CASMailbox is less efficient because it will scan the entire organization unless you restrict its scope by using a server-side filter to focus on one server:

Get-CASMailbox –Filter {ServerName –eq 'ExchServer1'} | Where {$_.ProtocolSettings –ne $Null} | Select Name, ProtocolSettings, MapiEnabled

Name                 ProtocolSettings                                    MAPIEnabled
----                 ----------------                                    -----------
Cannon, Paul         {MAPI§§§§-6.0.0;10.0.0-...                          True
Kol, Ayla            {MAPI§0§§§§§§§}                                     False
Simpson, Katherine   {OWA§1, IMAP4§0§§§§§§§§...                          True

In addition to imposing blocks on MAPI connections, you can use the Set-CASMailbox cmdlet to disable client access to other protocols. For example:

● To disable access to IMAP
Set-CASMailbox –Identity Bond –ImapEnabled $False

● To disable access to POP3
Set-CASMailbox –Identity Bond –PopEnabled $False


● To disable access to Outlook Web Access
Set-CASMailbox –Identity Bond –OWAEnabled $False

● To disable user access using Outlook Web App for Devices
Set-CASMailbox –Identity Bond –OWAforDevicesEnabled $False. Note that this setting might not do anything useful when run against an on-premises mailbox because Outlook Web App for Devices is only officially supported against Office 365 mailboxes.

● To disable access to ActiveSync
Set-CASMailbox –Identity Bond –ActiveSyncEnabled $False

Blocking client access to a Mailbox server

Implementing blocks on a mailbox basis is useful, but sometimes you want to block all access to a Mailbox server. For example, you might want to update the server with some software or apply an update without having users impose load on the server or potentially interfere with the upgrade. One of the many advantages to the Exchange Database Availability Group (DAG) architecture is the way it simplifies maintenance; you can put a DAG member into maintenance mode, work on it, and then bring it online again. This process, which is described fully in Chapter 9, "The Database Availability Group," in Microsoft Exchange Server 2013 Inside Out: Mailbox and High Availability, means that you'll probably never have to block client access to a DAG member server explicitly. What if you have a standalone server, though?

You could apply such a block with EMS by searching for all mailboxes hosted in active databases on the server and using the Set-CASMailbox cmdlet to disable MAPI access, but it is more convenient to be able to apply the block centrally. For all versions from Exchange 2000 to Exchange 2007, you could block MAPI clients from connecting to a Mailbox server by configuring the Disable MAPI Clients key in the registry. This key is intended to enable administrators to require the deployment of a base-level version of Outlook. Put another way, it stops users from attempting to connect with earlier versions that might not meet your company's security requirements because the earlier software doesn't include recent anti-spam and antivirus features such as beacon blocking.

This registry key doesn't work on Exchange 2010 or 2013. For those versions, if you want to block MAPI connections on a particular CAS, you must take another tack. Choose from two approaches if you need to block connections to a Mailbox server.

● Use the Set-RPCClientAccess cmdlet. This cmdlet allows you to block all MAPI connections coming from specific versions. For example, this command blocks access to any version of Outlook prior to 2007 (major release 12).

Set-RPCClientAccess -Server ExCAS01 -BlockedClientVersions "0.0.0-5.65535.65535; 7.0.0-11.99999.99999"



The problem is that all connections to all Mailbox servers supported by the CAS server will be blocked. This might be an effective method to use on small sites that have just one CAS server and one Mailbox server.

● On larger sites that support multiple CAS and Mailbox servers, you can set a per-mailbox block with the Set-CASMailbox cmdlet for every mailbox on the server that you want to maintain. For example:

Get-Mailbox –Server PAO-EX01 | Set-CASMailbox –MAPIBlockOutlookVersions '-6.0.0;10.0.0-12.4406.0'

Both mechanisms are equally effective as a block. The choice between the two therefore comes down to whether you can block all connections flowing through a CAS server no matter what Mailbox server they are destined for, or you need to block connections to just one specific Mailbox server.

Using the Office Configuration Analyzer Tool

Outlook for Windows is a complex program that's evolved over a long period of time. Despite the fact that parts of it have been completely rewritten over time, there are still occasions when a particular machine (or group of machines, depending on whether you use imaging or cloning) might not behave the way you expect. Microsoft used to provide a free tool known as the Outlook Configuration Analyzer Tool, or OCAT, to help diagnose problems with Outlook installations. For Office 2013, Microsoft replaced OCAT with OffCAT, the Office Configuration Analyzer Tool. The purpose of OffCAT is to analyze the configuration and installation of the Office applications on a given machine and report back on any problems, real or potential, that exist. OffCAT is similar in spirit to the Exchange Best Practices Analyzer (ExBPA) and other tools that look at a static configuration and check it against a set of best practices defined by one of Microsoft's product teams.

OffCAT is available from Microsoft's website at http://www.microsoft.com/en-us/download/details.aspx?id=36852. It's packaged in a number of ways, including as a ZIP file containing the application and its support files or as a file that actually installs the application for you. No matter how you get it onto the target system, once you launch it, you'll be in familiar territory because it works very similarly to ExBPA. When you launch OffCAT, it asks you if you want it to check for updates to its rule base, which is packaged as a separate downloadable XML file so that updates to the rules don't require updates to the application itself. After you've installed updates, you see a page that lists all of the Office programs from Access to Word; each program's name is a link that takes you to a page like that shown in Figure 3-11.
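Two things the preceding pages leave to the reader are how to see, in one view, every client-access switch that can be set on the mailboxes of a server (the MAPI blocks and the POP, IMAP, Outlook Web App and ActiveSync flags), and how to undo a per-mailbox maintenance block like the Get-Mailbox –Server example above without clobbering version blocks that individual mailboxes already had. This added example, which is not code from the book, does both: it audits restrictions on one Mailbox server, and it saves each mailbox's existing MAPIBlockOutlookVersions to a CSV before applying the maintenance block so the previous state can be restored afterwards. It runs in EMS; the server name, backup path and block string are assumptions.

```powershell
# Added example: audit client-access restrictions on a Mailbox server, and apply
# a reversible per-mailbox MAPI maintenance block. Assumed values below.

$Server      = 'PAO-EX01'                          # Mailbox server being maintained
$BackupPath  = "C:\Temp\MapiBlocks-$Server.csv"    # where previous blocks are saved
$BlockString = '-6.0.0;10.0.0-12.4406.0'           # the block string the chapter uses

# One row per mailbox with every switch this chapter discusses.
function Get-MailboxProtocolState {
    param([string]$MailboxServer)
    Get-Mailbox -Server $MailboxServer -ResultSize Unlimited | Get-CASMailbox |
        Select-Object Name, DistinguishedName, MAPIEnabled, MAPIBlockOutlookVersions,
                      MAPIBlockOutlookNonCachedMode, MAPIBlockOutlookRpcHttp,
                      PopEnabled, ImapEnabled, OWAEnabled, ActiveSyncEnabled
}

# Only the mailboxes on which something is disabled or blocked.
function Get-RestrictedMailboxes {
    param([string]$MailboxServer)
    Get-MailboxProtocolState -MailboxServer $MailboxServer | Where-Object {
        -not $_.MAPIEnabled -or -not $_.PopEnabled -or -not $_.ImapEnabled -or
        -not $_.OWAEnabled -or -not $_.ActiveSyncEnabled -or
        $_.MAPIBlockOutlookNonCachedMode -or $_.MAPIBlockOutlookRpcHttp -or
        -not [string]::IsNullOrEmpty($_.MAPIBlockOutlookVersions)
    }
}

# Save the current version blocks, then apply the maintenance block to every mailbox.
function Start-ServerMapiBlock {
    param([string]$MailboxServer, [string]$Backup, [string]$Block)
    Get-MailboxProtocolState -MailboxServer $MailboxServer |
        Select-Object DistinguishedName, MAPIBlockOutlookVersions |
        Export-Csv -Path $Backup -NoTypeInformation
    Get-Mailbox -Server $MailboxServer -ResultSize Unlimited |
        Set-CASMailbox -MAPIBlockOutlookVersions $Block
}

# Put each mailbox back to exactly what it had before, including "no block".
function Stop-ServerMapiBlock {
    param([string]$Backup)
    foreach ($row in Import-Csv -Path $Backup) {
        $previous = if ([string]::IsNullOrEmpty($row.MAPIBlockOutlookVersions)) { $null }
                    else { $row.MAPIBlockOutlookVersions }
        Set-CASMailbox -Identity $row.DistinguishedName -MAPIBlockOutlookVersions $previous
    }
}

Get-RestrictedMailboxes -MailboxServer $Server | Format-Table -AutoSize
# Start-ServerMapiBlock -MailboxServer $Server -Backup $BackupPath -Block $BlockString
# ... do the maintenance; as the chapter notes, the Store cache can take up to 120 minutes to expire ...
# Stop-ServerMapiBlock -Backup $BackupPath
```

The audit is worth running on its own from time to time: a mailbox with POP or IMAP left enabled that nobody uses is an access path you are not watching, and a stale version block a previous administrator set is the kind of thing the help desk only discovers when a user cannot connect.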


Figure 3-11 Starting an Outlook scan

Once you start the scan, the OffCAT display changes to reflect which specific scan tasks are being executed. In Figure 3-12, the tasks include a check of the current Outlook profile (helpfully named "Outlook") for consistency and possible corruption checks of the folders in both the primary mailbox and personal archive mailbox for the user who is currently logged on. OffCAT performs several dozen checks of various configuration and data items, including some related to the Outlook configuration on the local machine for the current user; some related to the Outlook installation and configuration; and some related to folders, items, and other structures inside the current user's mailbox. For this reason, you must have Outlook running to perform an OffCAT scan, and if you quit Outlook (or it crashes) during the scan, the results you get might be incomplete or even unusable.


Figure 3-12 An OffCAT scan of Outlook 2013 in progress

The amount of time required to run the scan varies according to the speed of the computer being scanned, the amount of data in the user's mailbox, and a number of other factors. Having said that, a typical scan of Outlook alone will normally take less than five minutes. At the end of the scan, you'll see a results report (Figure 3-13) that is reminiscent of the results shown by various other Microsoft configuration analysis tools. In this case, the scan results include a note that there were items found in the Sync Issues folder, that mysterious synchronization problem report repository that often fills with items for no apparent reason. Other errors found by the scan, but not visible in the figure, include several problems related to a corrupt calendar item from 2008. Each problem reported includes links to Microsoft documentation or Microsoft Knowledge Base articles that propose corrective action for the reported problem.

You can also run OffCAT from the command line, meaning that you can push it to client systems and run it with a logon script or a GPO. Although it might not be necessary to periodically scan all your client systems for problems related to Office configuration, it would certainly be a good idea to scan machines on which users have reported problems, and it might be worthwhile to scan your clients as part of your preparations for upgrading to a new release of Office.


Figure 3-13 The results of an OffCAT scan showing problems with data in the scanned mailbox

Managing Outlook Web App

Users don't typically think of Outlook Web App as an application on its own; they think, "Oh, it's the web page I use to get email." Exchange administrators, however, know quite well that Outlook Web App is a separate application that runs under Internet Information Server (IIS); its role is to retrieve user mail data, display it, and interact with the user. In Exchange 2013, Outlook Web App runs only on Mailbox servers, so some of the ways we interact with and manage it as administrators have changed from previous versions. The primary vehicle for changing Outlook Web App settings is the Outlook Web App virtual directory created during installation of the Mailbox role; you will become quite adept at using Set-OWAVirtualDirectory and Set-OWAMailboxPolicy to control the various options in Outlook Web App.

Outlook Web App mailbox policies

Exchange 2013 supports the ability to allocate different levels of functionality to Outlook Web App users through policies. As with the other types of policies Exchange supports, Outlook Web App policies are intended to enable you to create a group of settings and then apply those settings to mailboxes without having to modify the individual mailboxes. Microsoft added Outlook Web App policies in Exchange 2010 to give administrators a more granular way to control access to Outlook Web App features. All the features that Outlook Web App policies can control can also be controlled by changing settings on an individual Mailbox server, and many of them can be modified by changing settings on user mailboxes. Exchange includes a default Outlook Web App policy, but that default isn't applied to any mailboxes unless you manually do so. You can create as many Outlook Web App mailbox policies as you like and then apply a maximum of one Outlook Web App policy to each mailbox. If you don't apply any policy to a mailbox, the user's access to Outlook Web App features is controlled by the segmentation properties defined for the Outlook Web App virtual directory on each Mailbox server, which means the effective settings can differ from server to server. Figure 3-14 shows the EAC view for Outlook Web App policies, which you use to create and modify mailbox policies. EAC helpfully shows you a summary of the currently selected policy's settings on the right side of the window.

Figure 3-14 Viewing the list of Outlook Web App policies in EAC

What should you put in the default Outlook Web App policy? It depends. The default Outlook Web App policy included with Exchange basically duplicates the default out-of-the-box segmentation properties of the Outlook Web App virtual directory as it's installed on a Mailbox server. It permits access to all Outlook Web App features, including the premium client.

The easiest way to apply any Outlook Web App policy, including the default policy, to a set of mailboxes is with the Set-CASMailbox cmdlet. For example, this command fetches all the mailboxes that belong to the North America organizational unit (OU) and pipes them to Set-CASMailbox to apply the default Outlook Web App mailbox policy:

Get-Mailbox –OrganizationalUnit 'North America' | Set-CASMailbox -OwaMailboxPolicy 'Default'

To create a new Outlook Web App mailbox policy, open the Permissions section of EAC, select the Outlook Web App policies tab, and click the plus (+) icon. A wizard then enables you to select which features you want users to access (Figure 3-15). You can choose any or all of the available features in the policy, several of which were added in Exchange 2013 CU2.

Figure 3-15 Creating a new Outlook Web App mailbox policy


Table 3-3 lists the features shown on the Features tab of the EAC dialog box for an Outlook Web App mailbox policy. Some of these features depend on other components (text messaging, instant messaging, and public folders, for example), and others require a very good reason before you disable them. For example, it usually doesn't make much sense to disable the Change Password feature, because handling user requests to change passwords creates extra work for help desks.

TABLE 3-3 Outlook Web App features controllable through Outlook Web App policies

Instant messaging (available through Outlook Web App): If enabled, and if you've configured Lync properly, users can access IM functionality from within Outlook Web App, including the ability to view presence information. If disabled, these features are unavailable.

Text messaging (available through Outlook Web App): If enabled, users can create and send text (SMS) messages from Outlook Web App. If disabled, this feature is removed.

Unified messaging (available through ECP): If this feature is enabled and the mailbox is enabled for UM, users can access and manage their UM settings through Exchange Control Panel (ECP). If disabled, the option is removed.

Exchange ActiveSync (available through ECP): If enabled, users can access details of the mobile devices they have synchronized, including the ability to wipe devices if they are lost, and retrieve logs containing details of the synchronization operations. If disabled, the option is removed from ECP.

Contacts (available through Outlook Web App): If enabled, users can access their Contacts folder in Outlook Web App. If disabled, the icon is removed from Outlook Web App.

All Address Lists (available through Outlook Web App): If enabled, users can see all defined address lists in the directory. If disabled, they can see the Global Address List (GAL) only.

LinkedIn contact sync (available through Outlook Web App): Controls whether Office 365 users are allowed to synchronize their LinkedIn contacts with their Exchange contacts folder.

Facebook contact sync (available through Outlook Web App): Controls whether Office 365 users are allowed to synchronize their Facebook contacts with their Exchange contacts folder.

Mobile device contact sync (available through Outlook Web App for Devices): Controls whether users running Outlook Web App for Devices are allowed to sync their Exchange contacts to the device using the app.

Public Folders (available through Outlook Web App): If enabled, users can access and work with public folders from Outlook Web App. If disabled, the icon is removed.

Journaling (available through Outlook Web App): If enabled, users can see the Journal folder in their folder list. If disabled, Outlook Web App hides the folder.

Notes (available through Outlook Web App): If enabled, users can see and modify note items in Outlook Web App. If disabled, Outlook Web App hides the Notes icon.

Search Folders (available through Outlook Web App): If enabled, users can access search folders created by Outlook. If disabled, these folders are suppressed.

Inbox rules (available through ECP): If enabled, users can create and modify rules through ECP. If disabled, the option is suppressed. However, Exchange continues to respect any rules created with Outlook.

Recover Deleted Items (available through Outlook Web App): If enabled, users can recover deleted items. If disabled, users cannot recover deleted items with Outlook Web App, but Exchange will continue to preserve these items in the Recoverable Items folder.

Change password (available through ECP): If this feature is enabled, users can change their account password from Outlook Web App. If disabled, Outlook Web App will not prompt users when their password is approaching its expiry date (prompts start 14 days in advance), and they cannot see the option to change their password in ECP.

Junk email filtering (available through ECP): If enabled, users can access the options to control junk mail processing, such as blocked and safe sender lists. If disabled, the option is removed from ECP.

Themes (available through Outlook Web App and ECP): If enabled, users can select a theme other than the default and apply it to Outlook Web App and ECP. If disabled, the option is suppressed.

Premium client (available through Outlook Web App): If enabled, users can use the premium client with a browser that supports it. If disabled, users are forced to use the standard client no matter what browser they use.

Email signature (available through ECP): If enabled, users can access the option to create or modify email signatures and apply them to outgoing messages. If disabled, the option is removed from ECP.

Calendar (available through Outlook Web App): If enabled, users can access the Calendar application. If disabled, the icon is removed.

Tasks (available through Outlook Web App): If enabled, users can create and manage tasks in Outlook Web App. If disabled, the option is suppressed.

Reminders and notifications (available through Outlook Web App): If enabled, Outlook Web App provides users with notifications of new messages, meeting reminders, and so on. If disabled, these notifications are suppressed.

Managing Outlook Web App mailbox policies in EMS

A new policy can also be created with EMS. For some odd reason, this is a two-step process. First, you create the new policy with the New-OWAMailboxPolicy cmdlet, and then you use the Set-OWAMailboxPolicy cmdlet to define which features are enabled or disabled by the policy. For example, here's a policy that allows users to use the premium client while removing some of the more esoteric features:

New-OWAMailboxPolicy -Name 'Limited OWA features'
Set-OWAMailboxPolicy -Identity 'Limited OWA features' -ActiveSyncIntegrationEnabled $True -AllAddressListsEnabled $True -JournalEnabled $True -CalendarEnabled $True -ContactsEnabled $True -JunkEmailEnabled $True -RemindersAndNotificationsEnabled $True -SearchFoldersEnabled $False -NotesEnabled $True -PremiumClientEnabled $True -TasksEnabled $True -SignaturesEnabled $True -SpellCheckerEnabled $True -ThemeSelectionEnabled $False -UMIntegrationEnabled $False -PublicFoldersEnabled $False -ChangePasswordEnabled $True -RulesEnabled $True -SMimeEnabled $True -RecoverDeletedItemsEnabled $True -InstantMessagingEnabled $False -TextMessagingEnabled $False

There are a number of Outlook Web App mailbox policy settings that are only available through EMS, too:

● DefaultTheme enables you to specify the name of an Outlook Web App theme that users receive by default, for instance, Set-OWAMailboxPolicy –DefaultTheme "Orange". The only way I've found to get a list of theme names is to look at the version-specific folder under V15\ClientAccess\OWA; for example, on an RTM Exchange 2013 server, the theme folders will be in V15\ClientAccess\OWA\15.0.516.30\Owa2\resources\themes.

● DelegateAccessEnabled controls whether users who have delegate access to another mailbox can open the other mailbox in Outlook Web App. Users who are delegates can still open whatever mailboxes they have access to from Outlook. In a similar vein, ExplicitLogonEnabled controls whether a user is allowed to open another user's mailbox from within Outlook Web App without logging out and back in as the target user.

● DisplayPhotosEnabled, SetPhotoEnabled, and SetPhotoURL affect whether and how sender photos are displayed within Outlook Web App. SetPhotoEnabled governs whether users can set their own photo from within Outlook Web App; if they cannot, Outlook Web App attempts to use photos from Active Directory if they are present and DisplayPhotosEnabled is set to $True. SetPhotoURL is the URL users are sent to when they attempt to change their photo from within Outlook Web App; it is often set to a SharePoint page.

● IRMEnabled controls whether Outlook Web App allows users to read or send messages that have been protected with Active Directory Rights Management Services (AD RMS).

● PredictedActionsEnabled enables an Outlook Web App feature that is supposed to customize the commands and icons a user sees according to what they're doing. This is an intriguing idea (much like adaptive menus in Office 2003), but it's not widely used in Outlook Web App, and it's not clear yet whether users are even aware that it exists.

● OrganizationEnabled turns off some organization-level settings. For example, when this is set to $False, users don't see separate options for internal and external out of office (OOF) messages, and the Resources tab on calendar items is hidden.

Applying an Outlook Web App mailbox policy

After you have created an Outlook Web App mailbox policy, you can use either EAC or EMS to apply the new policy. EMS is simple; you use Set-CASMailbox with the –OWAMailboxPolicy switch. For example, to apply the policy defined earlier, you could do the following:

Set-CASMailbox –Identity 'Andrews, Ben (IT)' –OWAMailboxPolicy 'Limited OWA Features'

If you'd rather use EAC, you can apply the policy by selecting the user on the Recipients page of EAC, opening the properties dialog box, and clicking the View Details link beneath the Outlook Web App label. That displays the dialog box shown in Figure 3-16; use the Browse button to select the policy you want to apply. Exchange enforces the new policy the next time the user logs on to her mailbox.
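Because a mailbox with no policy silently falls back to whichever server's virtual directory settings it happens to hit, it is worth auditing for unassigned mailboxes before and after a rollout. The following is an added example, not code from the book: it reports mailboxes with no Outlook Web App mailbox policy, applies a policy per organizational unit, and re-checks. The OU names, the 'Limited OWA features' policy name, and the report path are assumptions.

```powershell
# Added example (not from the book). Assumed OU-to-policy mapping; the OUs are
# given in canonical form as Get-Mailbox -OrganizationalUnit expects them.
$ouPolicyMap = @{
    'contoso.com/North America' = 'Default'
    'contoso.com/Contractors'   = 'Limited OWA features'
}

# Mailboxes without a policy fall back to the per-server virtual directory
# segmentation, so list them first.
function Get-MailboxWithoutOwaPolicy {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { [string]::IsNullOrEmpty($_.OwaMailboxPolicy) } |
        Select-Object Name, PrimarySmtpAddress, OWAEnabled
}

function Set-OwaPolicyByOu {
    param(
        [hashtable]$Map,
        [switch]$WhatIf
    )
    foreach ($ou in $Map.Keys) {
        $policyName = $Map[$ou]
        # Fail before touching any mailbox if a policy name is misspelled,
        # rather than half-applying the mapping.
        if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
            throw "OWA mailbox policy '$policyName' does not exist"
        }
        Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
            Set-CASMailbox -OwaMailboxPolicy $policyName -WhatIf:$WhatIf
    }
}

# Keep a record of the starting state, dry-run, then apply.
Get-MailboxWithoutOwaPolicy |
    Export-Csv -Path 'C:\Temp\owa-no-policy-before.csv' -NoTypeInformation
Set-OwaPolicyByOu -Map $ouPolicyMap -WhatIf
Set-OwaPolicyByOu -Map $ouPolicyMap

# Anything still listed lives outside the mapped OUs and needs a decision.
Get-MailboxWithoutOwaPolicy
```

As with the EAC route, the assignment takes effect only at the user's next Outlook Web App logon, so a session that is already open keeps its old feature set until it ends.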


Figure 3-16 Selecting an Outlook Web App mailbox policy for a user

Controlling Outlook Web App offline use

Both EAC and EMS enable you to control whether users may use Outlook Web App in offline mode. This isn't a simple on/off toggle, though. By default, any user who has an offline-compatible browser is allowed to turn offline mode on. That's because the default value of the AllowOfflineOn setting in the default policy is AllComputers. Outlook Web App 2010 and earlier versions allowed users to specify whether the computer from which they were logging on should be treated as a public or private computer. Outlook Web App 2013 doesn't give users this choice by default. If you want to restrict offline use to private computers, you can, but it's a two-step process. First, you use Set-OWAMailboxPolicy –AllowOfflineOn PrivateComputersOnly, and then you enable the private/public computer choice on the logon page by running Set-OWAVirtualDirectory –LogonPagePublicPrivateSelectionEnabled $True. Keep in mind that "private" is the user's own claim about the computer, not something Exchange can verify. If you want to prevent offline access altogether, for example because of the risk that users will leave important or sensitive data cached on a public computer, set the value of AllowOfflineOn for the target policy to NoComputers and then apply the policy as desired. Remember, the policy won't be applied until the next time each user logs on.

Of course, there's another aspect to controlling offline use of Outlook Web App: the client browser itself has to be configured to allow offline access. In Internet Explorer, this takes the form of the Allow Website Caches And Databases setting (Figure 3-17), which must be enabled for the browser to actually cache any data. Although this setting is enabled by default in Internet Explorer 10 on Windows 8, you might find that it's disabled on other versions, or your users might accidentally turn it off, not realizing what it does. To check or change the setting, do the following:

1. Open the Internet Explorer settings dialog box with the Tools | Internet Options menu command.
2. On the General tab, click the Settings button in the Browsing history command group.
3. When the Website Data Settings dialog box appears, switch to the Caches And Databases tab and verify that the Allow Website Caches And Databases check box is selected.
4. Click OK to dismiss the Website Data Settings and Internet Options dialog boxes.

Figure 3-17 Make sure that Internet Explorer is configured to allow web apps to store data locally if you want OWA offline mode to work


Controlling attachment access and rendering

Although feature segmentation is the most obvious use of Outlook Web App policies and receives the most attention, you can also control other aspects of how users work with Outlook Web App through these policies. In particular, you have a fair amount of flexibility in specifying how users in Outlook Web App may work with attachments.

When a user receives a message with an attachment, administrators can control:

● Whether the user sees the attachment at all; if the attachment file type is blocked, the user cannot access it through Outlook Web App.
● Whether the attachment type is allowed and whether the user must use the rendering tools available within Outlook Web App to see a web-based rendering of the attachment data (a feature known as WebReady Document Viewing). In Exchange 2013, this feature displays only HTML, text, graphics, and XML-formatted files.
● Whether the user can open the attachment file directly or whether it must first be saved to disk (which allows local anti-malware scanners to scan it before opening).
● If rendering is available, whether a user must see a web rendering first before downloading or opening the file.
● Whether a rendered attachment should be displayed using the Office Web Apps component (WAC) if it's available. WAC supports Microsoft PowerPoint, Word, and Excel files.

This sounds like a fairly complex set of options, and it is. It is challenging to balance users' need to work with documents sent as attachments against the security risks that come along with allowing access to complex document formats. The broad scope of the Outlook Web App controls for attachment access gives you the tools to adjust what your users can do based on their needs and your organization's security policy.

Attachment access

Outlook Web App categorizes files into four groups:

● Blocked file types pose a significant risk to a computer when a user opens them because they can contain executable code. These include types such as Windows batch files (.bat extension) and Windows command files (.cmd extension).
● Allowed files are deemed innocuous and safe to open on the client computer. The default list includes types such as Word documents (.doc and .docx extensions) and Windows bitmaps (.bmp extension) that Microsoft considers reasonably unlikely to contain malicious code. Treat this as a starting point rather than a guarantee: Office documents that can carry macros are a well-established malware delivery vehicle, so review the default lists against your own policy before relying on them.
● Force save files are those that a user cannot open directly; instead, she must save them to disk before they can be opened. These types include Adobe Shockwave (.swf) and Director (.dcr) files.
● Unknown files are those that are not included in the other lists. The Outlook Web App mailbox policy or Outlook Web App virtual directory setting specifies what should be done with these files; the default is to require them to be saved to disk before opening.

Outlook Web App performs special processing for attachments marked as Force To Save. This means that the user has to save the attachment to his local disk before he can view its contents. As Outlook Web App downloads the attachment from the server, it checks whether it is XML or HTML. If so, Outlook Web App runs some code called Safe HTML to strip out any malicious XML or script. If the attachment is another type, Outlook Web App examines the content to see whether it actually contains XML or HTML code. The purpose of this check is to prevent an attachment from being downloaded with hidden content that could introduce a virus or another dangerous program onto the PC. If hidden XML or HTML code is detected, Outlook Web App strips the attachment and replaces it with a text file telling the user that the attachment was removed.

The lists of file types that are allowed, blocked, and Force To Save can be managed through EMS only. There are actually separate lists for the file types and MIME types you want to allow; you can add items to the allowed, blocked, or forced-save list by either file type or MIME type, using the appropriate parameter: AllowedFileTypes, AllowedMimeTypes, BlockedFileTypes, BlockedMimeTypes, ForceSaveFileTypes, and ForceSaveMimeTypes. There are separate copies of these lists for each Outlook Web App mailbox policy and each Outlook Web App virtual directory; as a best practice, you should use Outlook Web App mailbox policies to control file access so that the settings you want are consistently applied to users no matter what server they communicate with.

The role of Office Web Apps Server

In Exchange 2007 and 2010, Microsoft licensed a set of third-party libraries for WebReady Document Viewing. This was a sensible move given that the third-party supplier had already solved the problem of how to render many file types efficiently in a web browser, but it also meant that Microsoft was at the mercy of the vendor for updates to handle new file formats or fix security problems. As part of the Office 2013 release, the Office team built Office Web Apps Server, a separate, standalone server application that, among its other capabilities, Exchange 2013 can use to render PowerPoint, Excel, and Word documents. The Office Web Apps feature is also known as the Web Apps component (WAC). Setting up Office Web Apps is outside the scope of this book, but the TechNet documentation at http://technet.microsoft.com/en-us/library/jj219458(v=office.15) describes the process well.
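The attachment and offline settings above combine naturally into a single policy for users who read mail from shared or unmanaged machines. The following is an added example, not code from the book: it builds such a policy, extending the blocked and force-save lists rather than overwriting the defaults. The policy name and the extra extensions are assumptions; tune the lists to your own security policy, and confirm the list-precedence behaviour noted in the comments against the Set-OwaMailboxPolicy help for your build.

```powershell
# Added example (not from the book). Policy name and extension lists are assumptions.
$policyName = 'Restricted attachment handling'

if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Unknown types go to disk (so local anti-malware sees them), nothing opens
# directly on a public computer, WAC rendering must be viewed before any
# download on a public computer, and no offline cache is left there.
Set-OwaMailboxPolicy -Identity $policyName `
    -ActionForUnknownFileAndMIMETypes ForceSave `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -WacViewingOnPublicComputersEnabled $true `
    -ForceWacViewingFirstOnPublicComputers $true `
    -AllowOfflineOn PrivateComputersOnly

$policy = Get-OwaMailboxPolicy -Identity $policyName

# Script and HTML-application extensions commonly used as droppers. Some are
# already in the default blocked list, so filter to what is actually missing;
# @{Add=...} appends to the multi-valued property instead of replacing it.
$wantBlocked = '.hta', '.js', '.jse', '.vbe', '.vbs', '.wsf', '.wsh', '.ps1', '.psm1'
$newBlocked  = $wantBlocked | Where-Object { $policy.BlockedFileTypes -notcontains $_ }
if ($newBlocked) {
    Set-OwaMailboxPolicy -Identity $policyName -BlockedFileTypes @{Add = $newBlocked}
}

# Macro-enabled Office formats: force a save instead of an in-browser open.
# The Exchange documentation gives the Allowed list precedence over Blocked and
# ForceSave, so a type must also be removed from Allowed for ForceSave to bite.
$wantForceSave = '.docm', '.xlsm', '.pptm', '.dotm', '.xlam'
$newForceSave  = $wantForceSave | Where-Object { $policy.ForceSaveFileTypes -notcontains $_ }
$stillAllowed  = $wantForceSave | Where-Object { $policy.AllowedFileTypes -contains $_ }
if ($newForceSave) {
    Set-OwaMailboxPolicy -Identity $policyName -ForceSaveFileTypes @{Add = $newForceSave}
}
if ($stillAllowed) {
    Set-OwaMailboxPolicy -Identity $policyName -AllowedFileTypes @{Remove = $stillAllowed}
}

# Review the result before assigning the policy with Set-CASMailbox.
Get-OwaMailboxPolicy -Identity $policyName |
    Select-Object Name, ActionForUnknownFileAndMIMETypes, AllowOfflineOn,
        DirectFileAccessOnPublicComputersEnabled, ForceWacViewingFirstOnPublicComputers,
        @{n = 'Blocked';   e = { $_.BlockedFileTypes -join ' ' }},
        @{n = 'ForceSave'; e = { $_.ForceSaveFileTypes -join ' ' }}
```

The "public computer" half of these settings only does anything if the logon page offers the public/private choice (LogonPagePublicPrivateSelectionEnabled on the virtual directory); otherwise every session is treated as private, and the private-computer settings are the ones that apply.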


Assuming that you have Office Web Apps configured, integrating it with Exchange is simple because there are essentially only two tasks you need to perform. First, you must tell your Exchange servers where the Office Web Apps farm is. You do this with the Set-OrganizationConfig cmdlet and its WACDiscoveryEndPoint parameter, which accepts the URL of the WAC farm. After doing so, the second step is to configure the Outlook Web App virtual directory or (preferably) the Outlook Web App mailbox policy to enable the use of WAC for rendering content on public and/or private computers, which you do with the WacViewingOnPublicComputersEnabled and WacViewingOnPrivateComputersEnabled parameters to Set-OWAMailboxPolicy or Set-OWAVirtualDirectory (both of which are true by default). Optionally, you can force users to view documents using WAC before saving them to disk. This is annoying to end users, but it helps reduce the risk that they'll leave copies of sensitive documents lying around. If you want to enable this behavior, the ForceWacViewingFirstOnPrivateComputers and ForceWacViewingFirstOnPublicComputers parameters to Set-OWAMailboxPolicy or Set-OWAVirtualDirectory control it.

Managing Outlook Web App virtual directory settings

Many of the settings available to control Outlook Web App behavior are duplicated on the Outlook Web App mailbox policy and the Outlook Web App virtual directory objects. This gives administrators some flexibility; in small organizations with only a handful of servers, it's easy to apply settings directly to the Outlook Web App virtual directories, and larger organizations can use Outlook Web App mailbox policies to ensure that the right users get the right settings no matter what servers they use. A fair number of settings are unique to the Outlook Web App virtual directory, though. The Outlook Web App virtual directory settings that pertain to proxying, redirection, and client authentication were discussed in Chapter 1. The integration settings are described in Chapter 7, "Integrating Exchange 2013 with Lync Server." That leaves us with a fairly eclectic group of settings available for Set-OWAVirtualDirectory, some of which are nonetheless quite useful.

The Outlook Web App 2013 logon page has intentionally been designed to have a very clean, spare look. The default version includes text fields for the user's logon credentials and a big Outlook Web App logo, and that's all. This is a sharp contrast to the cluttered look and tiny print of the Exchange 2007 and Exchange 2010 Outlook Web App logon pages. However, the new design also takes away some options that were formerly right on the logon page; users can't tell Exchange whether they are on a public or private computer, nor can they voluntarily use the Light mode when they have a slow or unreliable connection. You can restore these two options by using the LogonPageLightSelectionEnabled and LogonPagePublicPrivateSelectionEnabled parameters to Set-OWAVirtualDirectory; setting them to $True enables the corresponding option on the Outlook Web App logon page. You might have to run iisreset to force the changes to appear, though. In addition to these changes, the logon page is commonly used to display an informational message, such as a warning telling users that unauthorized access is prohibited. You can add these types of messages by editing the logon page, but any such edits will be overwritten when you deploy an Exchange cumulative update or service pack, so keep a copy of the change and a note to reapply it after every update.

You can set the default language users will see when they log on. Outlook Web App uses the language set for a user's mailbox to render the user interface, but it can't do that until the user has logged on. If the user has set a preferred language in his browser, Outlook Web App renders the logon page in that language. Otherwise, Set-OWAVirtualDirectory –LogonAndErrorLanguage enables you to set the default language users see when they haven't specified one themselves; you must supply the language code (LCID) of the language you want to use. (Language selection for mailboxes is covered in more detail in Chapter 5, "Mailbox management," in Microsoft Exchange Server 2013 Inside Out: Mailbox and High Availability.)

You can also change the way Outlook Web App interprets what the user types into the user name field of the logon page. By default, Outlook Web App accepts credentials in three formats. A user named Erik Rucker could thus choose to enter his credentials as domain\username (contoso\ruckere; Microsoft refers to this format as full domain), or he could use his User Principal Name (UPN) of [email protected]. A third option is to use just the username, but for this to work Outlook Web App has to know what default domain to use: if Erik just types in ruckere, Outlook Web App has no way to know which of the available Active Directory domains it should sign in to. To solve this, set the default domain by using the DefaultDomain switch. If you want to require users to use a particular format, you can set it with the LogonFormat switch: –LogonFormat FullDomain requires domain\user format, –LogonFormat UserName accepts the bare username if (and only if) the default domain name is also set, and –LogonFormat PrincipalName enables UPN sign-in, but only for users whose UPN is the same as their email address.

Managing Outlook Web App timeouts

You're probably familiar with the timeout values that Outlook Web App 2003 and later support; the idea behind these timeouts is that, after a certain period of inactivity, Outlook Web App automatically logs the user out so that a nosy or malicious person can't piggyback on a legitimate user's session. By default, Outlook Web App sessions time out after six hours. This behavior is controlled by two parameters to the Set-OrganizationConfig cmdlet:

● ActivityBasedAuthenticationTimeoutEnabled controls whether timeouts are applied. (The default is $True.)
● ActivityBasedAuthenticationTimeoutInterval specifies the time after which a session is considered idle and thus closes.
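Both the logon-format settings and the idle timeout are easy to set once and then forget on the next server you build, which is how one Mailbox server ends up accepting a different credential format from the rest. The following is an added example, not code from the book: it applies a consistent logon format and public/private choice to every Outlook Web App virtual directory in the organization, shortens the organization-wide idle timeout, and reports any virtual directory that drifts from the expected values. The domain contoso.com and the 30-minute interval are assumptions.

```powershell
# Added example (not from the book). Default domain and interval are assumptions.
$defaultDomain = 'contoso.com'

# LogonFormat UserName only works when DefaultDomain is also set, so set both
# in the same call. Without -Server, Get-OwaVirtualDirectory returns the
# virtual directories of every Mailbox server in the organization.
Get-OwaVirtualDirectory |
    Set-OwaVirtualDirectory -LogonFormat UserName -DefaultDomain $defaultDomain `
        -LogonPagePublicPrivateSelectionEnabled $true `
        -LogonPageLightSelectionEnabled $true

# The idle timeout is organization-wide. Six hours is a long time for a session
# left open on a shared machine; 30 minutes is a common choice for an
# Internet-facing deployment. Exchange accepts values from 5 minutes to 8 hours.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
    -ActivityBasedAuthenticationTimeoutInterval '00:30:00'

# Drift check: any virtual directory that does not match was configured by
# hand (or by a newer server build) and needs attention.
function Test-OwaLogonSettings {
    param([string]$ExpectedDomain)
    Get-OwaVirtualDirectory |
        Where-Object {
            $_.LogonFormat -ne 'UserName' -or
            $_.DefaultDomain -ne $ExpectedDomain -or
            -not $_.LogonPagePublicPrivateSelectionEnabled
        } |
        Select-Object Server, Name, LogonFormat, DefaultDomain,
            LogonPagePublicPrivateSelectionEnabled
}

$drift = Test-OwaLogonSettings -ExpectedDomain $defaultDomain
if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'All Outlook Web App virtual directories match the expected logon settings'
}

# The logon page picks up the change only after IIS reloads it. iisreset drops
# every active connection on that server, so run it per server in a
# maintenance window rather than across the whole fleet at once:
#   Invoke-Command -ComputerName <server> -ScriptBlock { iisreset /noforce }
```

Because the timeout is set with Set-OrganizationConfig, it applies to all servers at once; the logon-format settings are per virtual directory, which is why the example loops over all of them and then verifies rather than trusting a single run.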


Managing Office Store apps for Outlook Web App

In the mobile device world, we have the "bring your own device" (BYOD) model, which democratizes mobility by putting the choice of which device to use, and which apps to run on it, in the hands of individual users. Microsoft is now extending a similar level of choice to end users by allowing them to install and run Office Store apps that run inside Outlook and Outlook Web App. These apps are hosted on the Mailbox server; by default, individual users can install and run apps, as can administrators. Many organizations will want to retain a degree of control over app installation, so fortunately Exchange 2013 includes some controls.

The apps themselves are bundles that can contain HTML, CSS, and JavaScript, along with a manifest file that specifies the app's capabilities (such as whether it can run in Outlook, Outlook Web App, or both) and the level of privilege required to install. An application developer can mark an application as installable by users or by administrators. The development model for Outlook-based apps (described at http://msdn.microsoft.com/en-us/library/fp161135.aspx) is quite flexible. You can write applications that work on specific types of messages, your apps can modify their appearance or behavior depending on the device where they run, and apps that run within Outlook 2013 can take extra advantage of web services by calling Exchange Web Services routines.

Exchange 2013 CU2 ships with four built-in apps:

● Bing Maps scans messages and calendar items for addresses and offers you maps and directions by adding a tab of map data to the message form.
● Suggested Meetings reviews the text of messages and suggests appointments that might be added to your calendar.
● Unsubscribe provides a simplified interface for unsubscribing from newsletters, sales email, or other possibly unwanted messages.
● Action Items analyzes the text of your email messages and suggests action items (in the form of Exchange tasks) that are related to the message content.

Because these apps are built in, you cannot remove them, although you can disable them.

Who can install and configure apps?

Thanks to the RBAC infrastructure that underlies Exchange, when Microsoft adds new features, it often provides a separate management role to control the use of those features. Outlook apps are no exception; Exchange 2013 adds four new RBAC roles. The Org Marketplace Apps role grants permission to install and configure apps that come from the Microsoft Office Store; the Org Custom Apps role grants the ability to install and manage apps that come from internal enterprise distribution points. In the same vein, the My Marketplace Apps and My Custom Apps user roles grant users the ability to install and manage their own apps.

Enabling or disabling apps at the organization level

By default, the app integration feature is enabled. You can change this with Set-OrganizationConfig –AppsForOfficeEnabled; when it is set to $false, no new apps can be activated for or by any user in the organization. However, changing this setting doesn't remove any existing apps, nor does it prevent users from accessing them. If you want to disable user access to apps completely, you must remove any apps you've added and then disable the built-in apps as described in the next section.

Installing, removing, and configuring apps

Figure 3-18 shows the Apps tab of the Organization slab in EAC. The installed apps are listed; for each app, you can see who provides the app, whether it's available to users, and which users can access the app. When you select an app, the details pane on the right side of the window changes to show the app version, what permissions it requires, and a description provided by the app vendor.

Figure 3-18 The Apps tab of the Organization slab in EAC, showing the installed apps available to users throughout the organization


INSIDE OUT  Apps outside the United States

The Office Store is not yet available in every market that Microsoft serves. In many countries, when you visit the store page, you'll see a message stating that "there are no apps available for Office or SharePoint available for your country/region at this time." This mirrors what's happened with other vendors' app stores; the Apple App Store, Amazon's app store, Google Play, and the Microsoft Xbox Music and Xbox Video stores have all rolled out to the United States first, being introduced in additional countries over time, and it appears that Microsoft is doing the same in this case. Music, video, and books are content, usually licensed separately in each region or territory; downloadable apps can be too, although the Office Store license agreement doesn't seem to place any restriction on transnational app sales. Microsoft has made no public statements about its plans to take the Office Store worldwide, though, so you might have to keep checking for its availability if you're currently in an area that can't use it.

To add or remove an app, just use the appropriate icons in the toolbar. You can add apps from the Office Store itself or from a URL you specify; the latter option enables you to add apps from a SharePoint app catalog or a local or shared folder. When you install an app, you'll see a confirmation dialog box similar to the one in Figure 3-19; in this case, the LinkedIn app is only asking for permission to read mailbox items, and the summary text reflects that.

When you install a new app, it shows up as disabled, and users have no access to it. To change the app's availability, click the pencil icon to open the settings dialog box shown in Figure 3-20. The app can be made available to users by selecting the Make This App Available To Users In Your Organization check box, but just making it available doesn't mean that users will necessarily be able to use it. The group of three option buttons in this dialog box lists the states an individual app can take on: optional and enabled by default, optional and disabled by default, or mandatory. The "by default" in the first two options is there because users can enable or disable optional apps themselves, whereas apps marked as mandatory are always enabled. Users won't see any explicit notification of new apps, and the apps themselves don't appear until the next time a user launches Outlook 2013 or opens Outlook Web App. If you're deploying a new app, you'll need to tell your users about it yourself.

You can also add or remove apps by using EMS; the New-App and Remove-App cmdlets correspond to the toolbar icons. However, using New-App means that you don't get any of the additional data shown in the Office Store.

Figure 3-19 The app installation confirmation dialog box

Figure 3-20 The app settings dialog box

Removing apps is easy; select the app, click the Delete icon (it looks like a trashcan), and answer the confirmation dialog box by clicking Yes. The app is removed immediately, and users can no longer access it.

Managing apps from EMS

There are several new cmdlets Microsoft used for managing apps for individual users. Microsoft classes these as recipient cmdlets because they enable, disable, add, remove, or configure apps for one or more specific users. Each app has a unique identity, represented as a globally unique identifier (GUID), but most of the time you'll use the app's friendly name to keep track of which apps are present.

The Get-App cmdlet returns a wealth of data about individual apps, but to get it, you'll need the application ID. To get the ID for an individual app, you can do something like this:

Get-App -OrganizationApp | ft DisplayName, AppID

DisplayName            AppId
-----------            -----
LinkedIn               333bf46d-7dad-4f2b-8cf4-c19ddc78b723
MessageHeaderAnalyzer  62916641-fc48-44ae-a2a3-163811f1c945
Bing Maps              7a774f0c-7a6f-11e0-85ad-07fb4824019b
Suggested Meetings     bc13b9d0-5ba2-446a-956b-c583bdc94d5e
Unsubscribe            d39dee0e-fdc3-4015-af8d-94d4d49294b3
Action Items           f60b8ac7-c3e3-4e42-8dad-e4e1fea59ff7

The -OrganizationApp parameter specifies that you just want to see applications that are scoped to the organization. These might be apps from the Office Store or custom enterprise apps; the distinction between organization apps and user apps is that the organization apps are stored at the organization level and are potentially available to all users in the organization. There are several other interesting properties on the individual applications, including the XML for the application manifests (stored in the ManifestXml property) and the application's scope and permissions. If you run the Get-App cmdlet by itself, you get a summary of the apps installed in your organization:

Get-App

DisplayName            Enabled  AppVersion
-----------            -------  ----------
LinkedIn               False    1.1
MessageHeaderAnalyzer  False    1.0
Bing Maps              True     1.0
Suggested Meetings     True     1.0
Unsubscribe            True     1.0
Action Items           True     1.0

Each app's display name and version are shown. The value in the Enabled column reflects whether the app is enabled or disabled by default, not whether it's available to any particular user. To see the state of applications for a particular user, you specify that user with the -Mailbox switch to Get-App, like so:

Get-App -Mailbox paul

DisplayName            Enabled  AppVersion
-----------            -------  ----------
LinkedIn               True     1.1
MessageHeaderAnalyzer  True     1.0
Bing Maps              True     1.0
Suggested Meetings     True     1.0
Unsubscribe            True     1.0
Action Items           True     1.0

Notice that this summary shows the LinkedIn and MessageHeaderAnalyzer apps as enabled for my mailbox, even though their default state in the previous output was disabled. That's because I enabled those apps directly for my mailbox.

You can change the enabled state of apps with the Enable-App and Disable-App cmdlets. These change the default state of the app for all users unless you pass the -Mailbox parameter. For example, if you install a new app and then use Disable-App on it, the app will be disabled by default for new users, but they can still enable it themselves.

If you want to change the enabled or disabled state of an app for users directly, you do that with the Set-App cmdlet. For example, to prevent users from seeing or using the MessageHeaderAnalyzer app, you could use a command like the following to turn it off:

Get-App | where {$_.DisplayName -like "MessageHeaderAnalyzer"} | Set-App -OrganizationApp -Enabled:$false

The Enabled property controls whether the app is enabled for (and thus visible to) users. You can use the -DefaultStateForUser switch to control whether an enabled app is turned on for users by giving it a value of Enabled or Disabled; if you use -DefaultStateForUser AlwaysEnabled, that forces the app on. Which users see these changes depends on two other parameters to Set-App. The -ProvidedTo switch can be set to Everyone or to SpecificUsers; in the latter case, you can either pipe in a set of mailboxes or use the -UserList switch. For example, to make the app named ScreenShotChecker available to all users in the Legal group, you could do the following:

$a = Get-DistributionGroupMember Legal
Get-App | where {$_.DisplayName -like "ScreenShotChecker"} | Set-App -OrganizationApp -ProvidedTo SpecificUsers -UserList $a -DefaultStateForUser AlwaysEnabled
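The Get-App and Set-App material above, pulled together as an added example that is not the book's own code: the first function reports each organization app with the permission level its manifest declares (the property the details pane summarizes in EAC), and the second turns off any app whose level you have not approved. It assumes an Exchange Management Shell session, that ManifestXml holds the OfficeApp manifest with a top-level Permissions element, and that the permission names are those used by Outlook mail apps (Restricted, ReadItem, ReadWriteItem, ReadWriteMailbox).

```powershell
# Added example, not the book's code. Assumes an Exchange Management Shell session and that
# ManifestXml is the OfficeApp manifest whose top-level <Permissions> element names the level
# the app asked for (Restricted, ReadItem, ReadWriteItem or ReadWriteMailbox).

function Get-OrgAppPermissionReport {
    [CmdletBinding()]
    param(
        # Levels that deserve a look before the app stays enabled; ReadWriteMailbox is the
        # broadest an Outlook app can request.
        [string[]]$FlagLevels = @('ReadWriteMailbox')
    )
    # Organization-wide switch first: when $false, no new app can be activated at all.
    $orgSwitch = (Get-OrganizationConfig).AppsForOfficeEnabled

    Get-App -OrganizationApp | ForEach-Object {
        $level = 'Unknown'
        try {
            $raw = $_.ManifestXml
            $manifest = if ($raw -is [xml]) { $raw } else { [xml]([string]$raw) }
            if ($manifest.OfficeApp.Permissions) { $level = [string]$manifest.OfficeApp.Permissions }
        } catch {
            $level = 'Unparseable'
        }
        [pscustomobject]@{
            DisplayName          = $_.DisplayName
            AppId                = $_.AppId
            Enabled              = $_.Enabled
            DefaultStateForUser  = $_.DefaultStateForUser
            ProvidedTo           = $_.ProvidedTo
            Permissions          = $level
            AppsForOfficeEnabled = $orgSwitch
            # An app whose manifest cannot be read is treated the same as an over-privileged one.
            NeedsReview          = ($FlagLevels -contains $level) -or (@('Unknown', 'Unparseable') -contains $level)
        }
    }
}

function Disable-FlaggedOrgApp {
    # Sets Enabled:$false on every organization app the report flagged; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$FlagLevels = @('ReadWriteMailbox')
    )
    Get-OrgAppPermissionReport -FlagLevels $FlagLevels |
        Where-Object { $_.NeedsReview -and $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, "Disable app (permissions: $($_.Permissions))")) {
                # The AppId GUID is the unambiguous identity; display names are not unique.
                Set-App -Identity $_.AppId -OrganizationApp -Enabled:$false
            }
        }
}

# Usage: Get-OrgAppPermissionReport | Format-Table DisplayName, Permissions, Enabled, ProvidedTo
#        Disable-FlaggedOrgApp -WhatIf
```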


Self-service app management for users

After an app is installed, either by you or a user, an individual user might be able to enable or disable optional applications from within Outlook Web App 2013 or Outlook 2013 (which actually uses the EAC options component, as shown in Figure 3-21). Their ability to do this depends on their having the appropriate RBAC roles, as described earlier in the chapter (which they will have by default). Users can manage apps from Outlook Web App by clicking the Options icon (the gear in the upper-right corner of the window) and choosing Manage Apps, or from Outlook 2013 by opening the backstage view and choosing the Manage Apps link. In either case, a view similar to that shown in Figure 3-21 will appear; one important difference between this view and the one shown in Figure 3-18 is that this view includes a user-installed app (as indicated by the value of User in the Installed By column).

Figure 3-21 The list of installed apps for an individual user mailbox

From this screen, users can add and remove their own apps. They can't disable or enable user apps; the presumption is that if you don't want access to an app, you can just remove it instead of disabling it. Individual users also cannot change the enablement state for organization apps; only administrators can do that.

Customizing Outlook Web App

Themes define the color scheme and graphic elements used for Outlook Web App. Exchange 2007 introduced support for customizable Outlook Web App themes; Exchange 2013 continues this support by including a set of 22 themes that users can apply to customize their Outlook Web App session's appearance. Administrators don't have control over user choice and cannot impose a theme on users, although they can set a default theme that users will have unless they change it.

You can also create your own theme and include corporate logos, color schemes, and so on. Creating a complete theme is very extensive customization of the Outlook Web App user interface (UI). The simplest way to do this is to copy one of the existing themes (located in \Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\Current\themes) and then edit the files you find there, being careful to preserve exact dimensions.

Many companies liked the idea of incorporating some aspect of their corporate identity in Outlook Web App without doing the work to create a theme. The complete source code of the Outlook Web App application is distributed with Exchange, and the classic solution to the problem is to customize some of the files used for the default theme. Microsoft published customization guides for Exchange 2007 and 2010, but as of this writing has not yet done so for Exchange 2013. However, the most common customizations—color scheme and logo changes on the logon page—are fairly simple to apply.

Figure 3-22 shows the logon page with callouts showing parts of the logon page. You can use this information to develop the necessary customizations to comply with corporate branding. The graphic files and style sheets used to render the logon page are stored in \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\Owa\Auth\Current\themes\Resources. You are free to edit any of these, although the items shown in Figure 3-22 are the most common ones that administrators want to customize.

Figure 3-22 Components of Outlook Web App customization

Another common request is to add text or graphics to the logon page, either instead of or in addition to changing the existing graphics. This is much more challenging now that the Outlook Web App logon page includes touch support; rather than a largely static page, as in previous versions, the Outlook Web App 2013 logon page is full of scripts that dynamically determine what kind of device the user is connecting from. However, you can make simple customization by doing the following. To customize the logon page with some new text, do the following:

1. Make a copy of the \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Logon.aspx file. This file tells IIS how to render the logon page when a user connects to Outlook Web App.

2. Create a file that contains the HTML you want displayed on the page and then save it in the same directory as Logon.aspx. Give it an easily remembered name.

3. Open the Logon.aspx file with a text editor and search for the class="signInError" string. This is where Outlook Web App displays an error message if logon fails. Right above this line, insert an #include directive to instruct Outlook Web App to read and display the text contained in the file you created in step 2; wrap the line in a tag, using class "signInExpl". The code in Logon.aspx will then look something like this:

4. Save Logon.aspx and restart an Outlook Web App session. (You don't have to restart Microsoft Internet Information Services [IIS] or any of the Exchange services.)

5. You can take the same approach to update Logoff.aspx if you want users to see a customized message when they sign out of Outlook Web App.

6. When you are happy with the customization, you can apply it on all CAS servers by copying your modified files. There is no automatic mechanism to apply this kind of customization on every CAS server in an organization.

INSIDE OUT  Customizations will be overwritten by future product updates

The other thing to remember is that any customization of one of the Outlook Web App components will almost certainly be overwritten by cumulative updates and service packs. CU1 overwrites Outlook Web App customizations, and there is no reason to doubt that future updates will be any different. That's why you should keep careful documentation about any customization you apply to Outlook Web App to make it easier to apply it after you upgrade Exchange. You should also keep a copy of both the original and customized versions of any file you change so you can review them in the future. It's also fair to say that there is no guarantee that Microsoft will not change the way Outlook Web App works in a future version and render this method of customization—or any method of customization—invalid, so be prepared to build some time to test and perhaps do a little recoding for Outlook Web App customizations into every deployment plan.

Managing Outlook for Mac

Although it shares the Outlook name with its Windows sibling, the Mac version of Outlook is a very different beast. It doesn't use MAPI, relying exclusively on EWS instead. It lacks support for some features of the Windows version (such as MailTips, Policy Tips for data leak prevention, personal archives, modern public folders, site mailboxes, and retention policies), but in exchange it adds some Mac-specific features such as the ability to easily insert pictures from an iPhoto library and full integration with Apple's Spotlight desktop search tool. As an Exchange administrator, virtually none of what you know about administering Outlook for Windows will be useful when administering and managing Mac Outlook, with some notable exceptions.

● First is Autodiscover. The Mac version of Outlook fully supports Autodiscover. If your Exchange environment passes the ExRCA Autodiscover tests, then Outlook 2011 should connect to it just fine. Keep in mind that Mac Outlook doesn't perform service connection point (SCP) lookups, as Windows Outlook does. From that standpoint, just treat Mac Outlook like a Windows Outlook client that's trying to connect from outside the corporate network. However, you might notice an issue when a roaming client (such as a Mac laptop) connects from the corporate network and then roams to outside the corporate network. If Autodiscover finds an internal-facing URL, Outlook 2011 will happily keep trying to use it even after the laptop roams back to the Internet or another network where it should be using an external-facing URL. The fix for this is to edit the account settings of the affected account and put the correct external URL back in.

● Second is that, unlike Windows Outlook, the Mac version doesn't have any way to see the current connection status or to force a reconnection, meaning there's no easy way to force a new Autodiscover request. The fastest way to do this is to quit and re-launch the client. To force a reconnection, you can also use the Work Offline menu item under the Outlook menu; use it to switch to offline mode and then switch back to online mode.

● Third is that the Mac client can import PST files from Outlook 2003, Outlook 2007, Outlook 2010, and Outlook 2013. Mac Outlook doesn't use OST files. It also cannot export email to PST.

● Fourth is that Set-CASMailbox has separate parameters that enable you to block the EWS edition of Entourage and Mac Outlook—EwsAllowEntourage and EwsAllowMacOutlook.

Mac Outlook has a useful logging feature that is in a somewhat unusual location. If you enable connection logging, it will give you details on Autodiscover requests, EWS, and Lightweight Directory Access Protocol (LDAP) item synchronization through access to domain controllers (DCs) and global catalogs (GCs). To turn on logging, you must do the following:

1. Launch Outlook 2011.

2. Choose the Error Log command in the Windows menu.

3. When the Errors window appears, click the large gear icon in the upper-right corner of the window.

4. In the resulting dialog box, make sure the Turn On Logging For Troubleshooting check box is selected and then click OK.

Outlook immediately creates a new file named Microsoft Outlook_Troubleshooting_0.log on the Mac OS X desktop. As long as Outlook is running, it will continue to append entries to this log until you repeat the preceding steps and clear the logging check box.

Managing Outlook Web App for Devices

Managing Outlook Web App for Devices is a weird combination of managing Outlook Web App and managing Exchange ActiveSync devices. If you disable EAS access to a server or a mailbox, clients using that mailbox or server won't be able to connect with Outlook Web App for Devices. You have finer-grained control, though, because there are several settings in the Outlook Web Access mailbox policy object that let you control what users of the mobile app may do. As of Exchange 2013 CU2, the only Outlook Web App for Devices–specific argument to Set-OWAMailboxPolicy is AllowCopyContactsToDeviceAddressBook, which controls whether the device is allowed to cache the user's contacts in the device's address book. If this setting is false, the user can still see her contacts in the app, but they're not visible to the built-in phone app or other apps that depend on the system address book for name or number resolution. However, a number of other parameters (such as -IRMEnabled) are of interest because they control features that are available through Outlook Web App for Devices. If you create an Outlook Web App access policy that disables one of these features (say, integration with Office apps), the feature will be disabled for any user who is subject to the policy, whether the user accesses Outlook Web App through the browser or through the mobile app.

POP3 and IMAP4

POP3 and IMAP4 are Internet email protocols that a wide variety of clients and servers support. Fans of these protocols love the lightweight nature of their connections, which is one of the reasons they have long been the protocols of choice for free email services such as Outlook.com and Gmail (Hotmail supported POP3; Gmail supports both protocols). POP3

is the older and less functional protocol. IMAP4 is more functional than POP3 but less functional than MAPI. Nevertheless, modern IMAP4 clients, including Outlook, can build a rich range of features around the rudimentary but superefficient communications that clients use to download messages from a server. Of course, unlike MAPI, POP3 and IMAP4 are both protocols that clients use to retrieve messages from a server. Both of these protocols transfer mail to the client. IMAP and POP clients must use SMTP to send outbound mail. Apart from age, the fundamental differences between the two protocols are as follows:

● POP3 downloads messages to a client and removes them from the server. IMAP4 can leave copies of downloaded messages on the server.

● POP3 supports a very limited set of folders on the server (essentially, the Inbox). IMAP4 can access any folder a server exposes and download messages from the folders to client-side replicas.

● IMAP4 allows a live-sync mode in which the client holds open a connection to the server; this provides a more Outlook-like sync experience in which messages trickle in to the Inbox as they arrive instead of arriving in batches when a POP3 connection is made.

The majority of clients that connect to Exchange 2013 through POP3 and IMAP4 belong to four categories:

● Users who access an Exchange mailbox with IMAP to avoid having to buy Outlook licenses. (Of course, now that the Windows 8 and Windows RT Mail clients support EAS, users on those platforms can get the benefits of faster and more robust synchronization using EAS, using their existing Exchange mailbox client access licenses [CALs]).

● Users who don't like Outlook. Often, these people have used a client such as Eudora or Thunderbird for many years and don't see a reason to change.

● Users who run an operating system that doesn't support the premium version of Outlook Web App or who simply prefer to use IMAP. Many Linux and UNIX users are in this category. In fact, so are users of Surface RT devices, given that no native version of Outlook is available in Windows RT currently.

● Users in an educational establishment such as a university, where the priority is on providing basic email services at the lowest possible cost.

The attraction of using free POP3 or IMAP4 clients is the avoidance of Outlook license fees. This is less of an issue in large corporations that negotiate enterprise licensing agreements with Microsoft that include the entire Office application suite. For this reason, relatively few users in large corporate deployments use POP3 or IMAP4 clients. Outlook Web App is available if they don't want to use Outlook, and it's easier for the help desk if a limited number of clients are in use. Another reason is that POP3 and IMAP4 clients are purposely designed to work across any server that supports these protocols. They therefore do not support features that are specific to Exchange, such as MailTips, unified messaging integration, and so on.

For the remainder of this discussion, I focus on setting up the Exchange 2013 IMAP4 server and configuring clients to connect to the IMAP4 server. The steps to set up and configure POP3 access are conceptually similar, but because very few Exchange sites actually use POP, it's not covered here.

Configuring the IMAP4 server

When you install Exchange 2013, the setup program creates the Microsoft Exchange POP3 and Microsoft Exchange IMAP4 services to support client connections through these protocols but does not start the services. There are actually two services for each protocol. The Microsoft Exchange IMAP service runs on the CAS, whereas the Microsoft Exchange IMAP Backend service runs on the Mailbox role, with corresponding services for POP. If you have a multirole server, you'll see both services.

The services aren't started or enabled by default as part of the Microsoft overall strategy of reducing the attack surface of computers by disabling unneeded services; its thinking is that because most sites won't use IMAP or POP, the services should remain off. Therefore, the first step to support POP3 or IMAP4 clients is to start these services. In addition, you should change the startup state for the services from Manual to Automatic so that Windows starts them every time the server is booted:

Set-Service -Name MSExchangeIMAP4 -StartupType Automatic
Set-Service -Name MSExchangeIMAP4BE -StartupType Automatic
Start-Service -Name MSExchangeIMAP4
Start-Service -Name MSExchangeIMAP4BE

After starting the IMAP services, they will listen on two ports: TCP 993 for connections using SSL and TCP 143 for connections using either Transport Layer Security (TLS) or no security at all. You usually don't have to make any configuration changes after the service is started. However, clients won't know where to connect. Outlook Web App includes the ability to show users what IMAP, POP, and SMTP settings they should plug into their clients, but this advertisement is turned off by default. To make these settings visible in Outlook Web App for users who are IMAP-enabled or POP-enabled, you need to do the following:

● To advertise IMAP or POP settings, use Set-IMAPSettings or Set-POPSettings with the -ExternalConnectionSettings parameter, which should include the FQDN of the machine and the port number and encryption scheme.

● To advertise SMTP settings, use Set-ReceiveConnector -AdvertiseClientSettings:$true -FQDN fqdn.

Therefore, to publish mail.betabasement.com as the server name for a server named pao-ex01.betabasement.com, you could do the following:

Set-IMAPSettings -ExternalConnectionSettings mail.betabasement.com:993:SSL
Set-ReceiveConnector "Client Frontend PAO-EX01" -AdvertiseClientSettings:$true -FQDN mail.betabasement.com

After this change, you must run iisreset before Outlook Web App will update. After you've done so, users will see a new link labeled Settings For POP Or IMAP Access on the Account tab of their Outlook Web App settings page. Clicking that link displays a window similar to the one shown in Figure 3-23. Keep in mind that Exchange will show whatever FQDN you specify; if it's wrong, clients will see the wrong information.

Figure 3-23 Displaying client configuration information for an IMAP user

Figure 3-24 shows the properties that are usually of most interest to administrators when they configure IMAP connectivity for Exchange 2013. The default configuration is for the IMAP service to listen on all available IPv4 and IPv6 addresses using TCP ports 143 and 993; you can change these bindings by using the two lists of IP addresses in the settings dialog box. The More Options link below the SSL bindings list expands the settings to include timeout values and connection limits. See TechNet for detailed information on these settings.

Figure 3-24 Viewing the basic properties of the Exchange IMAP4 server

The Get-IMAPSettings and Set-IMAPSettings cmdlets retrieve and set configuration settings for the IMAP4 server. The equivalent cmdlets for POP3 are Get-POPSettings and Set-POPSettings. For example, to retrieve the current configuration for a multirole server named PAO-EX01, use the following command:

Get-IMAPSettings -Server PAO-EX01

ProtocolName                      : IMAP4
Name                              : 1
MaxCommandSize                    : 10240
ShowHiddenFoldersEnabled          : False
UnencryptedOrTLSBindings          : {[::]:143, 0.0.0.0:143}
SSLBindings                       : {[::]:993, 0.0.0.0:993}
InternalConnectionSettings        : {PAO-EX01.betabasement.com:993:SSL, PAO-EX01.betabasement.com:143:TLS}
ExternalConnectionSettings        : {mail.betabasement.com:993:SSL}
X509CertificateName               : PAO-EX01
Banner                            : The Microsoft Exchange IMAP4 service is ready.
LoginType                         : SecureLogin
AuthenticatedConnectionTimeout    : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections                    : 2147483647
MaxConnectionFromSingleIP         : 2147483647
MaxConnectionsPerUser             : 16
MessageRetrievalMimeFormat        : BestBodyFormat
ProxyTargetPort                   : 9933
CalendarItemRetrievalOption       : iCalendar
OwaServerUrl                      :
EnableExactRFC822Size             : False
LiveIdBasicAuthReplacement        : False
SuppressReadReceipt               : False
ProtocolLogEnabled                : False
EnforceCertificateErrors          : False
LogFileLocation                   : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4
LogFileRollOverSettings           : Daily
LogPerFileSizeQuota               : 0 B (0 bytes)
ExtendedProtectionPolicy          : None
EnableGSSAPIAndNTLMAuth           : True
Server                            : PAO-EX01
Identity                          : PAO-EX01\1

If you change any of the configuration settings for the IMAP4 server, you have to restart the Microsoft Exchange IMAP4 service. It's common to find that you want to turn on protocol logging to help debug connections from a particular client. To enable protocol logging for IMAP4 clients, you need to enable logging and tell Exchange where it should create the log. Enabling logging in Exchange 2007 requires you to edit a configuration file, but in Exchange 2010 and 2013, you can enable logging with the Set-IMAPSettings cmdlet. For example:

Set-IMAPSettings -Server PAO-EX01 -ProtocolLogEnabled $True -LogFileLocation 'C:\Logs\'
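The service start-up, client-settings advertisement, and protocol-logging steps described above, combined as an added example that is not the book's own script: the first function brings IMAP4 up on a server with the settings a defender wants in place from the start, and the second reads back what the server actually exposes. It assumes it runs in the Exchange Management Shell on the CAS or multirole server itself, that the front-end and back-end service names are MSExchangeIMAP4 and MSExchangeIMAP4BE, and that the server name, external FQDN, connector name, and log path are placeholders you substitute.

```powershell
# Added example, not the book's code. Assumes the Exchange Management Shell on the CAS or
# multirole server itself, service names MSExchangeIMAP4 and MSExchangeIMAP4BE, and that
# $Server, $ExternalFqdn, $ReceiveConnector and $LogPath are placeholders.

function Enable-HardenedImap4 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Server,           # e.g. PAO-EX01
        [Parameter(Mandatory = $true)][string]$ExternalFqdn,     # e.g. mail.betabasement.com
        [string]$ReceiveConnector = "Client Frontend $Server",   # default client connector name pattern
        [string]$LogPath = 'C:\Logs\Imap4'
    )
    # Step 1: the services are off by default to keep the attack surface small; enable them
    # only on the server that needs them, and make start-up Automatic so a reboot keeps them.
    foreach ($svc in 'MSExchangeIMAP4', 'MSExchangeIMAP4BE') {
        if ($PSCmdlet.ShouldProcess($svc, 'Set StartupType Automatic and start')) {
            Set-Service -Name $svc -StartupType Automatic
            Start-Service -Name $svc
        }
    }
    # Step 2: advertise only the SSL endpoint, require SecureLogin so a client that picks
    # port 143 anyway cannot send its password before TLS is negotiated, and turn on
    # protocol logging so a misbehaving client leaves a trail to debug from.
    if ($PSCmdlet.ShouldProcess($Server, 'Configure IMAP4 settings')) {
        Set-IMAPSettings -Server $Server `
            -ExternalConnectionSettings "${ExternalFqdn}:993:SSL" `
            -LoginType SecureLogin `
            -ProtocolLogEnabled $true `
            -LogFileLocation $LogPath
        # Publish matching SMTP settings so Outlook Web App shows one consistent server name.
        Set-ReceiveConnector -Identity $ReceiveConnector -AdvertiseClientSettings:$true -FQDN $ExternalFqdn
        # Step 3: changed settings are not picked up until the front-end service restarts.
        Restart-Service -Name MSExchangeIMAP4
    }
}

function Test-Imap4Exposure {
    # Reads back the effective configuration and probes both listener ports from this host.
    param([Parameter(Mandatory = $true)][string]$Server)
    $cfg = Get-IMAPSettings -Server $Server
    $ports = foreach ($port in 143, 993) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($Server, $port); $open = $true }
        catch   { $open = $false }
        finally { $client.Close() }
        "$port=$open"
    }
    [pscustomobject]@{
        Server             = $Server
        LoginType          = $cfg.LoginType
        # True means Basic authentication over a cleartext session would be accepted.
        PlaintextLoginOK   = ($cfg.LoginType -eq 'PlainTextLogin')
        Advertised         = ($cfg.ExternalConnectionSettings -join ', ')
        ProtocolLogEnabled = $cfg.ProtocolLogEnabled
        LogFileLocation    = $cfg.LogFileLocation
        Listening          = ($ports -join ' ')
    }
}

# Usage: Enable-HardenedImap4 -Server PAO-EX01 -ExternalFqdn mail.betabasement.com -WhatIf
#        Test-Imap4Exposure -Server PAO-EX01
```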

Logging generates a mass of data on the server, some of which is fairly obtuse if you are not familiar with debugging IMAP connections. Clients can also generate logs, and if you need to provide data to help a support representative solve a problem, you should generate server and client logs to ensure that they have full knowledge of what the client is sending and how the server is responding.

Configuring IMAP4 client access

From a user perspective, it is easy to configure a POP3 or IMAP4 client to connect to Exchange 2013. For my example, I chose the Thunderbird free IMAP4 client that you can download from http://www.mozillamessaging.com/en-US/thunderbird/. Two connections must be configured before an IMAP4 client can download and send messages.

● An IMAP4 server hosted by an Exchange 2013 CAS or multirole server must be ready to accept client connections so that IMAP4 clients can access mailboxes and download folders and items.

● An SMTP receive connector must be available to accept client connections and allow IMAP4 clients to relay outgoing messages through SMTP.

The steps required to configure the client to connect to Exchange 2013 are as follows:

1. Set the authentication setting to Basic for the IMAP4 server on the CAS to which you want to connect the client. This is sufficient for testing purposes because it ensures that just about any IMAP4 client can connect. When you have established that connections work freely, you can increase the level of security by moving to Integrated Windows Authentication or Secure Logon, depending on which authentication mechanisms the client supports.

2. Restart the IMAP4 server to effect the change in authentication setting.

3. Configure the client with the name of the CAS server and the user name in domain name\account name format. In the case of the Mac OS X version of Thunderbird, this requires filling out the dialog box shown in Figure 3-25.

Figure 3-25 Configuring basic IMAP account settings in Thunderbird

4. Check that the Permission Groups assigned to the default client receive connector on the server that you want to use for sending outbound messages allows anonymous connections. Again, this is the easiest setting to use to test outgoing message connectivity and should ensure that all types of client can connect to send messages. When you know that messages are flowing, you can increase the security. Thunderbird (and most other IMAP clients) supports STARTTLS security with user name and password credentials, so the receive connector doesn't need to allow anonymous connections because these authenticated connections will be regarded as Exchange users.

5. Connect the client to prove that messages can be downloaded.

After messages are being downloaded and sent freely, the next step is to configure LDAP access to Active Directory so that you can use Active Directory as an address book. The details of how to configure a connection to Active Directory vary from client to client, as does the ability of the client to use the data fetched from Active Directory. Some clients can only browse Active Directory, whereas others, such as Thunderbird, can validate email addresses entered into message headers against Active Directory.

You can use the following process to configure Thunderbird or a similar client:

1. Set the name of the connection to Active Directory or whatever else you like as an illustrative name.

2. Set the directory server hostname to the FQDN of a global catalog server that is reachable from the client. Ideally, this should be a global catalog server in the same site as the CAS server.


3. The base distinguished name (DN) provides a starting point for LDAP searches in the directory. You will probably want to use the root of the directory tree for your domain.
4. The port number is set to 3268 rather than the standard port (389) LDAP uses.
5. The bind DN should be set to the user's SMTP address.

To test the connection, open the client address book and search for some mailboxes that you know exist. You should be able to see mailboxes, contacts, and distribution groups.

INSIDE OUT Only minor issues

Two small issues are the following:

● The LDAP searches executed by a client might ignore Exchange-specific filters. For example, if you select the Hide From Exchange Address Lists checkbox for an object, it stops Outlook and Outlook Web App users from seeing that object through the GAL. However, this block means nothing to other clients, and the hidden objects will probably be revealed to users.
● Along the same lines, an LDAP search against Active Directory doesn't impose any filters to eliminate objects that are not mail-enabled, so you'll probably be able to see security groups such as Enterprise Admins. However, you won't be able to send email to these objects because they don't have email addresses.

These are small hiccups along the road, and because users have read-only access to the directory, revealing some objects that other clients don't show isn't really very serious.

Client throttling

Clients can occasionally create an excessive load on an Exchange server. The reasons this happens are many and varied but usually involve some form of software bug that causes the client to communicate in an unpredictable manner and so create an out-of-the-ordinary load. The usual corrective action taken in previous versions is first to identify the errant client with the Exchange User Monitor (ExMon) utility and then terminate its connection to relieve the strain on the server and restore normal levels of responsiveness to other clients. You can then figure out what action the client was taking to cause the problem and resolve the situation. However, this can be a labor-intensive process, and it doesn't scale well.
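The server-side settings that the IMAP4, SMTP, and LDAP client steps above depend on can be verified and then tightened from EMS. The following script is an added example and is not the book's own code; it assumes a multirole Exchange 2013 server named CAS01 (a placeholder) with the default Client Frontend receive connector that setup creates.

```powershell
# Added example, not from the book: EMS checks for the server-side settings that
# the IMAP4, SMTP and LDAP client steps rely on, plus the hardening step once
# testing is done. Assumptions: a multirole Exchange 2013 server named CAS01
# (placeholder) and the default 'Client Frontend CAS01' receive connector that
# setup creates; run from the Exchange Management Shell.
$Cas = 'CAS01'

# Step 1: the login type the IMAP4 service accepts. PlainTextLogin is the
# "Basic" setting used for testing; SecureLogin refuses credentials until the
# session is protected by TLS.
Get-ImapSettings -Server $Cas |
    Select-Object LoginType, UnencryptedOrTLSBindings, SSLBindings, X509CertificateName

# Step 4: does the client connector accept anonymous submission (test setting)
# or only authenticated Exchange users (the STARTTLS-with-credentials case)?
Get-ReceiveConnector -Server $Cas |
    Where-Object { $_.Name -like 'Client Frontend*' } |
    Select-Object Name, Bindings, PermissionGroups, AuthMechanism

# Hardening once messages flow freely: require TLS before a login is accepted,
# restart the IMAP4 services (step 2) and drop anonymous submission on the
# client connector, leaving only authenticated users.
Set-ImapSettings -Server $Cas -LoginType SecureLogin
Get-Service -Name 'MSExchangeIMAP4*' | Restart-Service
Set-ReceiveConnector -Identity "$Cas\Client Frontend $Cas" -PermissionGroups ExchangeUsers

# LDAP steps 3 and 4: read the base DN for the domain from RootDSE and confirm
# that the directory server answers on the global catalog port, 3268.
$rootDse = [ADSI]'LDAP://RootDSE'
$baseDn  = "$($rootDse.defaultNamingContext)"
$gcHost  = "$($rootDse.dnsHostName)"
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($gcHost, 3268); "GC $gcHost on 3268: reachable; base DN $baseDn" }
catch   { "GC $gcHost on 3268: unreachable ($($_.Exception.Message))" }
finally { $tcp.Close() }
```

The first two commands are read-only and safe to run at any time; the three hardening commands change production settings and should only follow a successful end-to-end test of the client.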

To help protect against misbehaving clients in Office 365, Microsoft introduced a feature in Exchange 2010 known as client throttling, which enables administrators to set limits proactively on what clients can do; more precisely, it enables them to establish policies that control what resources, and how many of them, clients may consume for various kinds of connections. When a client exceeds the limit for resource usage, it's usually not blocked altogether; instead, its requests are delayed. The net effect is that clients who are using more than their fair share of any particular resource will have their access to that resource reduced, with a gradual reduction in the amount of slowdown that allows the client to recharge.

Exchange 2013 client throttling policies can be applied to several distinct applications and protocols:

● Outlook Web App
● Exchange ActiveSync (EAS)
● Exchange Web Services (EWS; this category includes unified messaging users and users running Entourage or Outlook for Mac OS X)
● Windows PowerShell
● POP3 and IMAP4
● Message sending using SMTP
● Discovery searches
● Cross-forest and Office 365 access (including hybrid access between on-premises and Office 365 tenants)

A default policy is automatically created and enforced within the organization when you install Exchange 2013. This policy, named GlobalThrottlingPolicy_GUID, is intended to be the baseline policy for any user who doesn't have a more specific policy applied. Although you can change the limits enforced by the default policy, Microsoft doesn't recommend doing so (and you may not remove or rename the default policy). That's because you can create additional policies that provide more granular control over resource usage and then assign those policies to users. Any throttling setting not explicitly specified in a policy is inherited from the global policy, so you can quickly build policies that control exactly the resources you want while allowing other resources' usage to be governed by the global policy.

The policy comes into effect when the percentage of CPU usage by Exchange exceeds the threshold defined in the CPUStartPercent property of the default policy. This setting is applied on a per-service basis. The default value for CPUStartPercent is 75, so when one of the Exchange services monitored for client throttling reaches this threshold, Exchange begins to apply any throttling restrictions that are defined in the default policy or on a per-mailbox basis to ensure that the server can continue to provide a reasonably smooth service to all clients.

In general, four common parameters are associated with each type of resource usage:

● MaxConcurrency sets the limit for how many concurrent connections or actions a single client may take.
● MaxBurst controls how far above the standard resource limit a client may go in short bursts.
● RechargeRate is the speed at which a user's resource budget recharges or refills. For example, a client that sends a large number of messages and hits the recipient rate limit will fall below the limit and regain full access as time passes.
● CutoffBalance controls the level at which Exchange starts denying access to a resource. Think of this as a hard maximum limit for using the resource; after the client hits it, it will be blocked from that resource until it recharges.

Individual protocols or applications might have additional settings, too; see the TechNet documentation for the New-ThrottlingPolicy cmdlet for a complete list.

Throttling policies can be managed only through EMS. You can view details of the default policy with this command:

Get-ThrottlingPolicy | Where {$_.IsDefault -eq $True} | Format-Table

A lot of data is output when you examine the attributes of a throttling policy. However, you can break them down into the categories listed earlier. Thus, you can retrieve the settings that govern EWS clients with:

Get-ThrottlingPolicy | Select Ews* | Format-List

EwsMaxConcurrency   : 27
EwsMaxBurst         : 300000
EwsRechargeRate     : 900000
EwsCutoffBalance    : 3000000
EwsMaxSubscriptions : 5000

The output for the EWS parameters indicates that multiple thresholds are currently in place to control user workload: the maximum concurrency for any user is set to 27 (the range is from 0 to 100), meaning that a user can have up to 20 active EWS sessions. A connection is maintained from the time a request is made to establish it until the connection is closed or otherwise disconnected by a user action (logging off). If a user attempts to establish more than the allowed maximum, that connection attempt will fail.

The EwsMaxBurst, EwsRechargeRate, and EwsCutoffBalance limits are set, too, indicating that limits for specific resource usage are in place. The max burst and recharge rate are both expressed in milliseconds; the user can have a burst of up to five minutes of heavy EWS activity before being blocked.

Similar groups of settings are available for the other client categories. For example, you can find those applying to Outlook Web App with:

Get-ThrottlingPolicy | Select OWA* | Format-List

A number of specific parameters are available to control workload generated through Windows PowerShell:

● PowerShellMaxConcurrency (default value 18) This constraint is applied in two ways. It defines the maximum number of remote Windows PowerShell sessions a user can have open on a server at one time. It also defines the maximum number of cmdlets EMS can execute concurrently.
● PowerShellMaxCmdlets (default no limit) Sets the number of cmdlets a user can execute within the time period specified by PowerShellMaxCmdletsTimePeriod. After the value is exceeded, no future cmdlets can be run until the period expires.
● PowerShellMaxCmdletsTimePeriod (default no limit) The period in seconds Exchange uses to determine whether the maximum number of cmdlets constraint has been exceeded.

TROUBLESHOOTING Exchange is throttling BlackBerry Enterprise Server activities

Introducing client throttling had an unfortunate side effect on some applications that impose heavy demands on Exchange Server. The BlackBerry Enterprise Server (BES) provided the best example because the account it uses essentially mimics a hyperactive user who accesses multiple mailboxes to fetch and send messages to mobile devices. The usual problem was that Exchange throttled BES activities because it exceeded the RCA maximum concurrency threshold. The solution was to create a new throttling policy that set the value of the RCAMaxConcurrency parameter to $Null and then assigned the new policy to the BES account. This is a step the administrator can perform after installing BES.

● ExchangeMaxCmdlets (default no limit) Specifies the number of cmdlets a user can execute within the time period set by PowerShellMaxCmdletsTimePeriod. After the constraint is exceeded, Exchange slows down execution of other cmdlets.
● PowerShellMaxCmdletQueueDepth (default no limit) Specifies the number of operations Exchange allows a user to execute. Operations are consumed by cmdlets as they run. They are also consumed by internal operations. (For example, the PowerShellMaxConcurrency operation uses two operations.) Microsoft recommends that, if set, the value of PowerShellMaxCmdletQueueDepth should be set to three times the value of PowerShellMaxConcurrency. Exchange does not apply this constraint to the code run by ECP or EWS.

Three additional settings can constrain the consumption of general resources:

● MessageRateLimit (default no limit) Governs the number of messages per minute that a user can submit to the transport system for processing. Messages over the limit are placed in the user's Outbox until the server can accept them. The exception is for clients such as POP3 and IMAP4 that submit directly to the transport system using SMTP. If these clients attempt to submit too many messages, their request is declined, and they are forced to reattempt later.
● RecipientRateLimit (default no limit) Specifies the number of recipients that can be addressed in a 24-hour period. For example, if this value is set to 1,000, the user may address messages to up to 1,000 recipients daily. Messages that exceed this limit are rejected.
● ForwardeeLimit (default no limit) Specifies a limit for the number of recipients that can be configured in Inbox Rules for the forward or redirect action.

INSIDE OUT Storing the default throttling identifier in a variable

You'll note that the default throttling policy is given a value such as DefaultThrottlingPolicy_dade6c60-e9cc-4692-bc6a-71771158a82f as its name and identifier. I suspect that this is a joke played on us by the Microsoft engineers because no sensible human being could think that such a name is understandable. If you plan to work with a policy, you might want to store the identifier in a variable so you can use it to refer to the policy with which you want to work. For example:

$TP = (Get-ThrottlingPolicy | Where {$_.IsDefault -eq $True}).Identifier
Set-ThrottlingPolicy -Identity $TP -DiscoveryMaxKeywords 15

If you create a new policy with the New-ThrottlingPolicy cmdlet, the values from the default policy are inherited. All you have to do is state values for the settings you want to change. Thus, you can do:

New-ThrottlingPolicy -Name 'Restricted CAS Access' -RCAMaxConcurrency 10

To apply the new policy, you can either make it the default:

Set-ThrottlingPolicy -Identity 'Restricted CAS Access' -IsDefault $True

or apply it selectively to users:

Set-Mailbox -Identity 'David Jones' -ThrottlingPolicy 'Restricted CAS Access'
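The interplay of MaxBurst, RechargeRate, and CutoffBalance described earlier (and the Ews* values quoted from the default policy) is easier to see in a small model than in the cmdlet output. The following is an added example and not Exchange's implementation or the book's code: it assumes that a budget starts full at MaxBurst, that each request is charged its duration in milliseconds, that the budget refills at RechargeRate milliseconds per hour of idle time, that a negative balance means requests are delayed, and that a balance at or below -CutoffBalance means requests are refused until the budget recharges.

```powershell
# Added example, not from the book: a simplified model of the throttling budget
# behind MaxBurst, RechargeRate and CutoffBalance, using the Ews* defaults shown
# earlier. Assumptions (a model, not Exchange's real code): budget starts at
# MaxBurst, requests cost their duration in ms, idle time refills RechargeRate
# ms per hour, negative balance = delayed, balance <= -CutoffBalance = blocked.
function New-ThrottleBudget {
    param(
        [long]$MaxBurst      = 300000,   # EwsMaxBurst: 5 minutes of burst (ms)
        [long]$RechargeRate  = 900000,   # EwsRechargeRate: ms refilled per hour
        [long]$CutoffBalance = 3000000   # EwsCutoffBalance: hard block point (ms)
    )
    [pscustomobject]@{
        MaxBurst = $MaxBurst; RechargeRate = $RechargeRate
        CutoffBalance = $CutoffBalance; Balance = $MaxBurst
    }
}

function Invoke-ThrottledRequest {
    param(
        [Parameter(Mandatory)][pscustomobject]$Budget,
        [Parameter(Mandatory)][long]$CostMs,   # how long the request ran (ms)
        [long]$IdleMs = 0                      # idle time since the last request
    )
    # Recharge for the idle interval, never above the full burst allowance.
    $refill = [long][math]::Floor($IdleMs * $Budget.RechargeRate / 3600000)
    $Budget.Balance = [math]::Min($Budget.MaxBurst, $Budget.Balance + $refill)

    if ($Budget.Balance -le (0 - $Budget.CutoffBalance)) {
        return 'Blocked'            # cutoff reached: refused until it recharges
    }
    $Budget.Balance -= $CostMs
    if ($Budget.Balance -lt 0) {
        return 'Delayed'            # over budget: Exchange slows the client down
    }
    return 'Allowed'
}

# Constructed workload: a runaway client issuing back-to-back 30-second EWS
# calls with no idle time, then one more call after an hour of silence.
$budget = New-ThrottleBudget
$trace  = foreach ($i in 1..120) { Invoke-ThrottledRequest $budget 30000 }
$trace | Group-Object | Select-Object Name, Count
Invoke-ThrottledRequest $budget 30000 -IdleMs 3600000
```

Because the balance falls by the cost of every call, the runaway client passes from Allowed through Delayed to Blocked; an hour of idle time adds only RechargeRate milliseconds, which lifts it back above the cutoff but does not clear the deficit it built up.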
