Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Exchange 2007 SP1 Released

Updated to include link to SP1 release notes.  

The eagerly awaited service pack 1 for Exchange 2007 has been released.
In a change from service packs for earlier versions of Exchange, you can install Exchange 2007 fresh from this download - therefore the download files are quite big.
Available in both 64-bit and 32-bit versions, although remember that the 32-bit version is not supported for production use; it is for evaluation only.

From the download page:

Overview

Microsoft Exchange Server 2007 Service Pack 1 (SP1) has been designed specifically to help meet the challenges of any business and the needs of all the different groups with a stake in the messaging system. Exchange Server 2007 SP1 is a mission-critical communications tool that enables employees to be more productive and access their information anywhere and anytime while providing a messaging system that enables rich, efficient access to e-mail, calendar items, voice mail, and contacts. For the administrator, Exchange Server 2007 SP1 provides advanced protection options against e-mail security threats, such as spam and viruses, as well as the tools to help manage internal compliance and high availability needs.

In Exchange Server 2007 SP1, several new features and improvements will extend the Anywhere Access capabilities of Exchange Server 2007 to help make employees more productive on whatever device they’re using, provide additional Operational Efficiency tools for administrators seeking a streamlined management and deployment experience, and enable advanced Built-in Protection for more robust high availability and compliance scenarios.

Improvements in Exchange Server 2007 SP1 include:

Anywhere Access

  • Integrated Exchange Unified Messaging functionality with Microsoft Office Communicator 2007 and Microsoft Office Communications Server 2007.
  • Outlook Web Access additions, including public folder access, S/MIME support, personal distribution lists, and mailbox rules editor.
  • Webready document viewer supports Microsoft Office 2007 documents in addition to Microsoft Office 2003 documents.
  • Extended language support in Outlook Web Access with Arabic and Korean spell checking.

Operational Efficiency

  • Support for Windows Server 2008 deployments, including benefits in flexible clustering, native virtualization, advanced networking, and simplified management.
  • Additional tools in the Exchange Management Console, including public folder management and configuration options for clustering and POP/IMAP access.
  • Improvements to the Exchange Management Shell syntax and import-export PST in the move-mailbox command.
  • Wider variety of web services for application development, including public folder access, delegate management, and folder level permissions.

Built-in Protection

  • Addition of Standby Continuous Replication (SCR) for site resilient high availability deployments.
  • Extended Exchange ActiveSync policies for mobile policy enforcement.
  • Information rights management pre-licensing by the Hub Transport role.
  • Secure Real Time Protocol (SRTP) support in the Unified Messaging role.
  • Support for IPv6 when using Windows Server 2008.


This is the link to download it. However you need to register, using a Microsoft Live ID:

http://www.microsoft.com/downloads/details.aspx?FamilyId=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en

UPDATE:  

At the time of writing, the link to the release notes takes you to the RTM release notes, not the SP1 release notes. To see the SP1 release notes (gives you something to read while it downloads) go here: http://www.microsoft.com/downloads/details.aspx?FamilyId=5770BD59-376E-42EC-B940-BE6225CD97FF&displaylang=en 

Things you get asked at presentations - the custom MMC

I do quite a few presentations, both in public and to small groups in private. After each one I ask if there are any questions. I am never asked the same question twice: some want to know about OWA, others about PowerShell or the management console.

At a recent presentation, the only thing they wanted to know about was this:

Exchange 2007 Custom MMC

When I build my demonstration environments, I always create a custom MMC console with the Exchange tools included. As I was demonstrating Exchange 2007 SP1, it included the main Exchange Management Console, as well as public folder management and the queue viewer. I then finish it off with a few other settings to make it look professional, and drop the finished item on to my desktop for easy access.

This is nothing new for me, I have been doing it for years. With Exchange 2003 I would have a custom MMC that had both ESM and ADUC in the same window.

So here is a quick guide on what I do.

  1. Click Start, Run and type mmc. This starts a new blank MMC console. Choose File, Add/Remove Snap-in and select the snap-ins that you want to add. Don't worry about the Public Folders snap-in stating it is not connected to a server; that will correct itself when you start using it.

    Add/Remove Snap-in, with the Exchange 2007 snap ins included.
  2. After pressing OK, you will be returned to the main mmc interface which should include the snap-ins that you have just added.

    MMC with the Exchange 2007 snap-ins in place.
  3. Now to customise the look and feel.
    Choose File, then Options to be presented with the screen below.
    Change the name to something more appropriate - I have used Exchange Tools.
    I have also changed the console mode to "User Mode - Full Access" and enabled the option to "Do not save changes to this console". That gets rid of the annoying "Do you want to save changes" prompt that you get every time that you close a custom console. If you need to change it in the future, right click on the MSC file and choose Author.

    MMC options showing the default icon, custom name and other settings
  4. To change the icon, click the "Change Icon" button. The file containing the icon I have used is ExSetupUi.exe, which is found (in a default installation) in "C:\Program Files\Microsoft\Exchange Server\Bin\". Select the file and then you can choose the icon. Press OK.

    Select the path for the icon you wish to use.

  5. After pressing OK you will be shown the completed options screen as below.

    MMC options showing the icon, custom name and other settings

  6. Finally, after pressing OK, right click on "Console Root" and choose rename. You can then enter a more appropriate name.
  7. Don't forget to turn the Action Pane on. This is done by clicking on the button at the top of the MMC console - highlighted with the red box in the screenshot below:

    Custom Exchange 2007 Console with Action Pane enabled

  8. Choose File, Save As and save the file somewhere, with the extension of msc. I usually suggest on a network share. Then create a shortcut to the file.

The above technique also works for perfmon - so if you create a custom set of counters and wish to save it and not have the save prompt when you are finished, change the Console Mode. 

Windows Mobile Compatible Certificates

When you are deploying Windows Mobile in to your Exchange environment, you should be using an SSL certificate to secure the deployment.
However the number of SSL certificates that Windows Mobile trusts is much smaller than the number supported by Internet Explorer or Firefox on your desktop. This means one of two things.

1. You need to purchase a certificate from one of that small list.
2. You have to import the SSL certificate in to your device.

For the second option, I have instructions elsewhere: http://www.amset.info/pocketpc/certificates.asp

For the first option, which may be preferable if you are going to deploy a large number of the devices, you need to get a certificate that is issued by one of the roots supported by Windows Mobile.
The root certificates can be easily seen in the device, but the name of the certificate does not always match the name of the company who can issue the certificates. The root certificates have changed hands, companies have merged or simply changed their names.

Therefore what I have done is taken the list of root certificates from a standard emulator image, which is what Microsoft would have supplied the hardware suppliers as their base image and then found who is currently issuing the certificates.
You should check whether the root certificate list I have here is the same as what you have in your device, as there have been reports of some root certificates being removed.

Where it isn't clear who is the current owner of a root, I have put a question mark. Also note that not all providers are using the root certificates to issue NEW certificates - they may be using them for legacy support only. You should note that some issuers are using multiple roots and you may have to ask for a certificate to be issued from a specific root to get Windows Mobile support.

If you are deploying a mixture of Windows Mobile 5 and Windows Mobile 6 devices, then use the list of root certificates on Windows Mobile 5 to ensure maximum compatibility.
If you are tempted by wildcard certificates - remember that Windows Mobile 5 does not support any wildcard certificates.

Windows Mobile 6

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Starfield Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GoDaddy Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Geotrust Global CA (Geotrust)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)
Baltimore CyberTrust Root (Cybertrust?)
AddTrust External CA Root (AddTrust)
AAA Certificate Services (Comodo?)
GTE CyberTrust Root (InstantSSL.com)

Windows Mobile 5

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GTE CyberTrust Root (InstantSSL.com)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)
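As an added example (not part of the original post), the following PowerShell function checks which Windows Mobile generation can build a trust path to a server certificate, using the two root lists above and the rule that Windows Mobile 5 rejects wildcard names. It assumes PowerShell 2.0 or later on the server holding the certificate, and matches roots on the CN as the device displays it, so compare the lists against your own device first.

```powershell
# Roots trusted by the Windows Mobile 5 emulator image, as listed in the post.
$WM5Roots = @(
    'Thawte Server CA', 'Thawte Premium Server CA',
    'Secure Server Certification Authority', 'http://www.valicert.com',
    'GTE CyberTrust Global Root', 'GTE CyberTrust Root', 'GlobalSign Root CA',
    'Equifax Secure Certification Authority',
    'Entrust.net Secure Server Certification Authority',
    'Entrust.net Certification Authority (2048)',
    'Class 3 Public Primary Certification Authority',
    'Class 2 Public Primary Certification Authority'
)
# Windows Mobile 6 carries every WM5 root plus these (per the post's list).
$WM6Roots = $WM5Roots + @(
    'Starfield Class 2 Certification Authority',
    'GoDaddy Class 2 Certification Authority', 'Geotrust Global CA',
    'Baltimore CyberTrust Root', 'AddTrust External CA Root',
    'AAA Certificate Services'
)

function Test-WindowsMobileTrust {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Build the chain the server itself sees; revocation is irrelevant to
        # the question of which root the chain ends in.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($Certificate)
        $last   = $chain.ChainElements.Count - 1
        $rootCn = $chain.ChainElements[$last].Certificate.GetNameInfo('SimpleName', $false)
        $name   = $Certificate.GetNameInfo('DnsName', $false)
        $isWildcard = $name.StartsWith('*.')
        New-Object PSObject -Property @{
            Subject        = $name
            Root           = $rootCn
            WindowsMobile6 = ($WM6Roots -contains $rootCn)
            # WM5 rejects wildcard certificates outright, whatever the root.
            WindowsMobile5 = (($WM5Roots -contains $rootCn) -and -not $isWildcard)
        }
    }
}

# Usage on the Exchange server: test every certificate that has a private key.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Test-WindowsMobileTrust
```

A certificate that reports WindowsMobile6 true and WindowsMobile5 false is the case the post warns about for mixed deployments: either re-issue from a WM5 root or import the root on the WM5 devices.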

Exchange 2007 Edge - What is the Point?

Having now completed a few Exchange 2007 deployments, upgrades and consulted on a few more, not one of them has featured an Edge server.

Which made me think, what is the point of Edge services for most users?

To use Edge you need to purchase another Exchange 2007 license, which isn't cheap. What do you get for your money? Simply the ability to put a machine in a DMZ or similar network.
The Edge server handles SMTP traffic only, but the most common concern I hear is about web traffic, so people want to put OWA in the DMZ. With Exchange 2003 this would have been a frontend server, although it is a bad idea to try to put an Exchange 2003 frontend server in to a DMZ.

The anti-spam agents that are installed on Edge can be installed on to another server by simply running a PowerShell script, so the case for Edge weakens further. All that Edge does is move where the spam filtering takes place, and if your main Exchange 2007 server is exposed to the internet anyway then you haven't really lost anything, other than the warm fuzzy feeling that your Exchange server is not directly exposed to the internet.

If Edge was more like ISA, but for Exchange exclusively, so allowing you to have OWA in the DMZ with the small number of ports open similar to what Edge currently requires for SMTP traffic, then it would become something worth considering.

At the moment, if you want to protect SMTP traffic then you have more options if you do NOT use an Edge server. Instead install a standard Windows 2003 Server with IIS. That gives you options to use most third party products that offer a gateway facility.

I have built a few using a third party tool on top of IIS called Vamsoft ORF. This provides the basic option of recipient filtering via an LDAP lookup and can also do greylisting. There is an article on my other site that discusses building this type of server: http://www.amset.info/exchange/gateway.asp
With that product you can even integrate Antivirus software as an agent. Pick up a single copy of a server product different to what you are using internally and you have the multi layer protection that you should be aiming for.

Even after the purchase of Vamsoft ORF and another AV product, you are still easily within the cost of another Exchange 2007 license.

Furthermore, by using Windows 2003 Standard, i.e. 32-bit software, you could use an old server that you are removing from another role without having to purchase something new. It is a basic configuration, so if the server fails, replacing it is simple. You could even put the gateway functionality in to a virtual machine and keep a copy of it. If the physical hardware fails then simply copy the virtual machine on to the replacement hardware.

Out of Office Messages and Email Discussion Lists

As you would probably expect, I am a member of a number of email discussion lists based around Microsoft Exchange. These include the lists at Sunbelt Software, msexchange.org (via freelists), Swinc.com and some others.

However what always surprises me is the number of Out of the Office (OOTO) messages that I get from these lists when I make a post.
As Exchange admins they should be able to use distribution lists in a way that ensures OOTO messages do not get returned to list members. This can also ensure that internal information is not broadcast to a large number of strangers. I have talked about the security concerns of OOTO messages before (http://blog.sembee.co.uk/archive/2006/06/08/Out-of-Office-Messages-to-the-Internet.aspx).

At a minimum, if you are using Exchange 2003, then you should look to make the OOTO suppression registry change as outlined here: http://support.microsoft.com/default.aspx?kbid=825370

However the easiest way I have found to work with discussion lists is to use public folders.

Each list gets its own public folder. This public folder is mail enabled. The list is subscribed to using the email address of the public folder. All posts go in to the public folder.
Permissions are configured as required, with at least anonymous having contributor permissions. Everyone else can be hidden by changing the default permissions to none.
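The folder setup described above, as an added Exchange Management Shell example that is not part of the original post. The folder path, list address and the group granted read access are placeholders; the helper that replaces an existing permission entry is my own, written because Add-PublicFolderClientPermission will not add a user who already holds an entry.

```powershell
# Placeholders: one folder per list under a shared parent, and the address
# the list server will be told to deliver to.
$FolderPath  = '\Lists\MSExchange'
$ListAddress = 'msexchange-list@example.com'

# Replace whatever entry $User currently holds with exactly $AccessRights.
# The existing rights are removed first because Add-PublicFolderClientPermission
# rejects a user that already has an entry on the folder.
function Set-ListFolderPermission {
    param([string]$Identity, [string]$User, [string]$AccessRights)
    Get-PublicFolderClientPermission -Identity $Identity |
        Where-Object { $_.User.ToString() -eq $User } |
        ForEach-Object {
            Remove-PublicFolderClientPermission -Identity $Identity -User $User `
                -AccessRights $_.AccessRights -Confirm:$false
        }
    Add-PublicFolderClientPermission -Identity $Identity -User $User -AccessRights $AccessRights
}

# Create the parent once, then the per-list folder.
if (-not (Get-PublicFolder -Identity '\Lists' -ErrorAction SilentlyContinue)) {
    New-PublicFolder -Name 'Lists' -Path '\' | Out-Null
}
New-PublicFolder -Name 'MSExchange' -Path '\Lists' | Out-Null

# Mail-enable the folder and pin the address used to subscribe to the list,
# so an address policy change cannot silently break the subscription.
Enable-MailPublicFolder -Identity $FolderPath
Set-MailPublicFolder -Identity $FolderPath -EmailAddressPolicyEnabled $false `
    -EmailAddresses "SMTP:$ListAddress"

# Anonymous (the list server delivering by SMTP) must be able to post.
# Default gets None, so the folder is hidden from everyone not granted access.
Set-ListFolderPermission -Identity $FolderPath -User Anonymous -AccessRights Contributor
Set-ListFolderPermission -Identity $FolderPath -User Default   -AccessRights None

# Finally grant the staff who should read the list and its archive.
Add-PublicFolderClientPermission -Identity $FolderPath -User 'Exchange Admins' -AccessRights Reader
```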

To post replies, I subscribe my personal email address, but use the options on the list to "no mail". This could also be listed as a holiday setting or similar wording.

The additional benefit of using a public folder is that more than one person in the company can read the distribution list. New members of staff could also have access to the archives. On my home Exchange server the public folder store is actually bigger than my mailbox store.

One note of caution. If you are using Outlook in cached mode/offline folders, then I would suggest that you do not configure these public folders to be available offline. Many of the large Exchange discussion lists are very high traffic and you may find you are spending a long time waiting for the folders to sync.

Public Folders are not going away for some time, so this method will work for a few years yet. If you have started to use SharePoint 3.0 then you could do something similar with that, but public folders are very easy to work with for this particular application.