Tuesday, October 30, 2007

Batten-Down the iHatches!


Earlier I posted an article relating to the difficult relationship between enterprise and the iPhone. Now as a follow up it is necessary to look into the security related issues regarding Apple’s venture into mobility.

Lately there have been a number of articles and sites dedicated to hacking the underlying operating system of the iPhone. Initial attempts were purely for benign reasons of curiosity and (not so benign) unlocking. Both of these feats have now been accomplished and have provided some unexpected results. It seems that Apple, in their rush to get the iPhone to market, neglected to lock down security at the OS level. Worse still, the operating system on the iPhone is not some proprietary device based system, but actually a more-or-less fully functional version of Apple’s OS X!

On the surface this seems fantastic! OS X embedded on a $300 device is an incredible deal! Problems arise however when it becomes apparent just how easy it is to hack these devices. The most evident exploit available presently is related to the fact that all applications on the iPhone are run as Root processes. Essentially this allows any application full access to the entire device immediately upon being exploited.

There are any number of articles around now about the iPhone becoming a mobile hacking platform; however, this is not the real issue (any hacker worth his salt probably has at least one laptop anyway). The real problem for the consumer is the privacy of the information stored on the device. For instance, malicious code injected into a website accessed by the Safari browser could gain access to the core functionality of any iPhone. An experienced hacker could then gain access to confidential information such as phone logs and contacts.

From the point of view of a personal user this is bad enough. Thinking of it from an enterprise perspective, the lack of security becomes potentially disastrous! Imagine the CEO of a Fortune 500 company having his call logs, contacts and even private photographs on display for the entire world to see! With this exploit it may even be possible for a hacker to gain control of the camera, snapping photos at inopportune times with the CEO’s own device!

I have the honor of calling myself an Apple fan, user and even expert. I am constantly amazed by the wonders of industrial design created within their walls. That said, for the second article in a row, I have to conclude that although I love the idea of the iPhone, it does not belong in business; at least not until Apple decides to leverage the legendary UNIX security that the device already contains!

Mark


Thursday, October 25, 2007

CC Checkspam


You have seen the convenience of managing your spam quarantine by logging into the Ceryx Customer Center and by browsing your daily quarantine digests, but do you know that there is an even faster and more convenient way of managing false positives for people who are always on the go?

Say hello to CC Checkspam.

Checkspam is a feature of the Ceryx anti-spam solution that allows you to e-mail a command to Ceryx Customer Center to search for quarantined messages and have the messages released and mailed back to you in real-time. This will work from any desktop or handheld e-mail client provided the account you use to e-mail the command is the one registered in the Customer Center.

Suppose for example you are on the road and are waiting for an important e-mail from your vendor, john.doe@vendor.com. You suspect that the message was quarantined but your CC Quarantine Digest is set to be sent at 10 PM every day and you have to respond to this vendor before 5 PM. It’s already 4:45 PM and you are an hour away from your hotel where you can connect to the internet and log in to the Customer Center in order to release the message. All you have is your BlackBerry that is configured with your Ceryx account.

To quickly release the message, compose a new email on your BlackBerry, address it to checkspam@ceryx.com, enter the e-mail address john.doe@vendor.com in the subject line and then send the message. The system receives your message, queries your quarantine for all messages from john.doe@vendor.com and automatically releases all messages found to your inbox.

Checkspam can only search the From field of quarantined messages. It uses the “contains” comparison operator to compare the value in the Subject field of your submission with the From field of quarantined messages. This means the more general the value you submit, the more quarantined e-mail could potentially be released.

In the example given above, you could have put @vendor.com as the subject in your e-mail instead of john.doe@vendor.com and that would release all messages from any of your vendor’s e-mail users.

Because Checkspam uses this implicit wildcard comparison operator, great care should be taken in choosing the subject of your submission. Do not put just an @ sign or a dot as your subject unless you want everything in your quarantine released to your mailbox.

The Ceryx Customer Center, or CC for short, is a web-based application that allows Ceryx E-mail Firewall users to manage their filtering service. With CC, users can write filters to block spam or allow legitimate mail through. CC administrators in addition can create, modify and delete CC accounts as well as view email firewall statistics. For customers who are on the Ceryx Hosted Exchange service, CC version 1.6 is integrated with Exchange to allow administrators to also manage their e-mail service. When an administrator creates a CC 1.6 account, for example, a corresponding Ceryx Exchange account is also created. For more information on what else you can do with CC 1.6, please contact sales@ceryx.com.

Ian


Thursday, October 18, 2007

WebReady Document Viewing


WebReady Document Viewing is a new feature in Exchange 2007 Outlook Web Access. It allows users to view common file types without the need to have the corresponding application installed on their PC. As a result, the user will be able to view the attachments without saving them to disk or opening them in a locally-installed application.

When the user requests to view certain attachments from Outlook Web Access 2007, it gives the user the option to open the attachment as a webpage. Exchange 2007 then does the conversion so the user doesn’t need anything but a web browser to view the attachment.

Currently, WebReady Document viewing in Exchange 2007 supports the following types of files:
• .doc (Microsoft Word Documents)
• .dot (Microsoft Word Templates)
• .rtf (Rich Text Format)
• .xls (Microsoft Excel Spreadsheets)
• .ppt (Microsoft PowerPoint Presentations)
• .pps (Microsoft PowerPoint Slide Shows)
• .pdf (Adobe PDF Documents)

By the way, documents created by Microsoft Office 2007 are not supported in WebReady Document Viewing at the moment. This limitation will be addressed in Exchange 2007 Service pack 1.

Willy


Tuesday, October 16, 2007

Data Migration – Part 1: Exporting Data


Part of moving to a new mail system is the migration of user data. Arguably this is the most important part as this is what your customers (users) see and feel on the ‘new’ system (new to them; if you are at this point you have hopefully been playing with the new system for a while, due diligence and all…). If you don’t believe me in saying this is the most important part to test, plan and execute, try moving your CEO’s mailbox in the middle of the day somewhere around year-end or shortly prior to a board meeting from an old system (Exchange or otherwise) to your new Exchange 2007 system. Enough Said.

Of course there are several factors that need to be taken into consideration when moving a USER (not just the data) from one system to another like installing/configuring clients, re-pointing mobile devices etc. For the purpose of this series, I am going to focus on techniques on getting your user’s data from one spot to another.

Data migration can come in many flavors:
- In-House Exchange 2000/2003 to In-House Exchange 2007 (all part of the same Exchange Org)
- In-House Exchange 2000/2003 to In-House Exchange 2007 (new Exchange Org, or AD forest if you would like)
- In-House POP/IMAP based system to In-House Exchange 2007
- In-House GroupWise to In-House Exchange 2007
- In-House Lotus Notes/Domino to In-House Exchange 2007
- All of the above except replace the last part with ‘Hosted Exchange 2007’ (By the way, Hosted Exchange and Software as a Service (SaaS) in general are the best! End Shameless Plug.)

The above list is a subset of possibilities, but these are the most common situations.

Exporting the Data

Let’s deal with the first instance, but only because it’s the easiest to handle. Moving mailbox data between Exchange Servers in the same Exchange Org (or Forest) is as simple as using Move Mailbox from the Exchange 2007 Exchange Management Console (EMC) or, through the Exchange Management Shell, the Move-Mailbox cmdlet. The speed at which data can be moved depends on a few factors, as always, like server power/utilization, network connectivity etc. A good rule of thumb we use when quoting customers at the high level is 1GB/hour. For a great article on how to use Exchange’s built-in tools to move mailboxes between servers in the same org, see the following link:
http://www.msexchange.org/tutorials/Transitioning-Exchange-2000-2003-Exchange-Server-2007-Part3.html

The rest of the instances involve a little bit more work. The hard part is generally getting the data out of the old system in such a way that is useable/importable.

The primary goal is this: get the data to .PST format!

If you’re pulling the data from an Exchange Server (even Exchange 5.5), Exmerge is your friend. Exmerge, for those who don’t know, is a tool that runs against the Mailstore and exports all the data in the mailbox(es) of a specified user or group of users to *.PST files. This includes all mail (including the folder tree), deleted items, contacts, calendar items, notes/memos and tasks. Some 'gotchas' that don’t get exported include Mailbox Rules (most of them are client-side anyway) and archives (again, usually client-side). Another KEY gotcha for Exmerge is that the PST files it exports are in ANSI format, not Unicode. This means that they are subject to the 2GB size limit. So if you are exporting the CEO’s 5GB mailbox, you’ll need to take a few runs at it to try and get multiple files down to less than 2GB each. You can filter by date of creation on items to try and narrow down the export. PLAN THIS CAREFULLY!

Exmerge is run on a domain Windows XP/2000 or Server 2000/2003 member (there are older versions available that run on NT). Because of the way inherited permissions are set up on the Exchange Stores by default, you have to be careful which account you run Exmerge as. For Exmerge purposes, I would suggest a dual processor server with lots of storage that is dedicated to this process. Exmerge is very capable of running multi-threaded processes so it can export up to 4 accounts at the same time. For detailed instructions on how to set up Exmerge with the appropriate permissions, see this link:

http://www.exchangeinbox.com/articles/024/exmergesetup.htm

For POP/IMAP type systems, this can be really easy or really difficult. Remember that in a POP setup, generally all the user’s mail is pulled down to the client when the user ‘POPs’ her mail. IMAP does leave the mail on the server, but that’s all it leaves. If the user has contacts, calendar items, tasks, notes (no matter which client software they are using) they are generally ALL stored on the local machine. This is because the POP and IMAP protocols were designed for EMAIL, not the rest of the stuff. The bright side is that if your users are using Outlook or Outlook Express already, there is an export to PST function right at the client. Although not the most glamorous use of time, this could mean the Jr. Admin gets to sit in the server room with two or three different machines in front of her each performing an export to PST on a different user for the next week. Hey, it’s good training.

As for the ‘other’ systems (GroupWise, Lotus Notes/Domino etc.), you generally have to use some sort of third party tool to export the data. We have used Quest Software’s tools for both GroupWise and Notes with success (http://www.quest.com). As part of our Due Diligence when planning and preparing for a customer data migration using a third party tool, we do the following to ensure a smooth migration:

1) We perform test migrations of large, non-production mailboxes (during off hours if at all possible) for the sole purpose of finding out how long it takes to migrate a unit of data. We generally like to measure how much data we can move in an hour and through experience have been able to guess it is usually around 1GB/hour.

2) We perform content test migrations. What this means is to create an empty mailbox on the old system, add one or two items of each item type that is available (so a few mail items, calendar items, recurring appointments, meetings with a few attendees, contacts, tasks with reminders or any other ‘everyday use functionality’ you can think of), and following the process of the tools you are using, move the mailbox to the new system. Coming up with a detailed test plan including documenting what was in the original mailbox, and a test script of what is expected in the new mailbox will allow you to plan for exceptions. There will be exceptions. Some of them can be fixed; some of them users will need to live with. For the latter, if the users are told well in advance, it results in less of an impact on your help desk when you actually move people over.

So at this point you should have a big hard drive full of PST files with your user’s data. You are half-way there. Stay tuned for Part 2 in which I will discuss getting your newly exported PST files into Exchange 2007.

Richard


Friday, September 14, 2007

Web-based Offline Address Book


Microsoft’s Exchange Server 2007 introduces a new method of Offline Address Book (OAB) distribution that does not involve Public Folders (the required method in previous versions of Exchange). The new implementation is an HTTP mechanism that allows the OAB to be downloaded via the web.

The following are some key items regarding OAB downloads in Exchange 2007:

1) Web-based OAB downloads are only supported by Outlook 2007 email clients.

2) The Public Folder method for OAB download is still supported for backwards compatibility with earlier email clients (Outlook 2003 or earlier).

3) The Autodiscover service must be configured in order for web downloads to work correctly (you can refer to previous blog entries for more details on Autodiscover)

4) The new distribution has several advantages such as the ability to support more concurrent client connections, reduce bandwidth usage, and provide more resilient OAB downloads. The web-based OAB downloads utilize the Background Intelligent Transfer Service (BITS) technology that is also used to download updates from the Windows Update site.

For a more in-depth look at this feature and its associated components, please see the Microsoft Exchange Team Blog link below:

http://msexchangeteam.com/archive/2006/11/15/431502.aspx


Vaz


Tuesday, August 28, 2007

BlackBerry Helpful Tips


I am a BlackBerry addict. There I said it.... My friends, family and colleagues should be proud. I carry it with me everywhere, and check it hundreds of times a day. I use it all the time, and even when I am NOT looking at it, the mere sight of someone checking their wireless device makes my hand reach for the holster. While some people might say that their BlackBerry, Windows Mobile device or iPhone is an extension to their Outlook/Exchange experience... I use my wireless device so frequently that I am starting to think that Outlook is in fact the extension. We live in a mobile world and wireless messaging is a terrific fix for any workaholic.

In my business life, I run a Hosted Exchange company that services the upper SMB and Mid-Markets. Our customers come from every industry and segment. The one common characteristic across our entire customer base is that email is their most mission critical application, it is very important to their business. Many of them would be crippled by a problem with their BlackBerry. As a bona fide BlackBerry junkie, I thought I should share with you a few “little known secrets” which can help you in a pinch.

Extending BlackBerry Battery Life:
I charge my device daily, not because it needs it but because I never know how much power I will need tomorrow. I like to start the day with a fully charged battery. I also tend to replace my battery every 12-18 months; this is more of a proactive decision to keep the device operating like new. If your battery is prematurely draining, I have a tip for you that might refresh your device. It worked for me. About a month ago my battery started to die by mid afternoon after beginning the day fully charged. Nothing in my daily routine had changed but the battery wasn't lasting any more. I tried the usual methods including reboot, take out the battery, let it run down and then fully charge it, all to no avail. I bought a new battery. Surprisingly, the new battery lasted a little bit longer but still did not compare to what I used to get before the problem started. Late one night, I called our 24x7x365 Helpdesk. I was both surprised and skeptical at what they suggested. I was even more surprised to find out that it worked. They suggested that I do the following:
1) Cycle your Content Protection (Security/General Settings - set it to enabled and then disabled), next cycle the device (either with Alt + Left Shift + Del or pull the battery).
2) The next step requires your BES Administrator - have your administrator send you a new policy (if you don't have a policy have them send you a blank one). This solved my BlackBerry battery problem and I hope it helps you as well.

Fixing an Erratic Track Wheel
If your track wheel is jumpy and erratic AND you REALLY WANT a new BlackBerry, Windows Device or iPhone .... stop reading now... I am about to take away your logical justification. What I am about to tell you will fix one of the most common, annoying and debilitating problems with the BlackBerry devices. If you have ever experienced it you will know what I mean. Whenever you move the track wheel the cursor jumps around randomly and it is impossible to work. The fix that I used is simple and easy. Head to your favorite electronics store and buy some Control Cleaner (Potentiometer cleaner, contact cleaner, TV tuner cleaner, etc.), it comes in a spray bottle and is around $10 at Radio Shack. Remove your battery and spray some into the track wheel, work the solution in by rotating your track wheel and pushing the button. Wait for the solution to dry before replacing your battery. When I did this, it worked the first time and my jumpy track wheel was fixed. You might have to do it a couple of times if it doesn't work. I have done this on a couple of units and have been successful both times, but I cannot take responsibility if it doesn't work for you or if something goes wrong. The way I see it, the device is garbage as soon as the track wheel starts to jump, so what have you got to lose?

I hope that you find these tips useful.


Tuesday, August 21, 2007

Manage Misbehaving Add-Ins in Outlook 2007


When a new version of Outlook, or Office for that matter, is released, it is generally made to be backward compatible with previous versions. For various reasons, some third-party add-ins that functioned perfectly in Outlook 2003 might not work, or might even misbehave and cause problems loading Outlook 2007. Here is how you can disconnect a misbehaving add-in:

1. If an add-in causes Outlook to crash when Outlook is loading, Outlook 2007 should prompt you to disable the add-in. If it doesn’t and Outlook crashes then use the command line outlook.exe /safe to start Outlook in safe mode.
2. Select the Tools menu, and then Trust Center.
3. Click on the Add-ins tab (on left vertical tab pane), and then click the Go button at the bottom of the page.
4. Find that add-in and uncheck the box next to the add-in to disable it and click OK.

When you get a proper patch that makes your third party add-in compatible with Outlook 2007 and you want to enable it, you can follow the above procedure and just check the listed add-ins that you want to enable. While you can access this from the Trust Center via the Add-ins tab, the easiest way in Outlook is to select the Help menu, then Disabled Items. Find the add-in on the list of disabled items, select it, and click the Enable button to enable the add-in again.

If Outlook believes the add-in is misbehaving it can automatically disable it. There are some add-ins that are disabled immediately when Outlook is installed. In all cases, enable an add-in again only if you are sure that it will not cause any problems in Outlook.

Mustansir


Thursday, August 16, 2007

Resource Booking Attendant features in Exchange 2007


Anyone who has been around Exchange or been a corporate user in an Exchange environment should be somewhat familiar with the concept of Resources. Resources are still alive and well in the newest version of Exchange and are actually improved over previous versions. A Resource in Exchange 2007 is identified as either a room (like a Conference Room) or equipment (like a projector). Each of these types of Resources has special attributes that identify which type they are and how they are handled in terms of scheduling. Each type of resource is specially marked in the Address Book so they can be browsed separately and given custom permissions and properties.
Exchange 2007 introduces a new feature for managing Resources called the Resource Booking Attendant. This feature helps to manage the resources by limiting who can book resources, gives conflict information for meetings that are declined, schedules meetings during working hours only, enforces maximum meeting duration and sends an “out of policy” request to delegates for approval. The attendant can auto-accept requests if the invitee is available and also decline an invitation with details if the invitee is unavailable. Resource policies can be set by an administrator which can include scheduling permissions and available hours for the resource. The administrator can also create a resource calendar which will show what availability a resource has prior to a user booking it. Even if a resource is unavailable, a user can submit a request for manual approval. This will allow the administrator to decide whether or not to rebook a meeting to accommodate the new meeting request.
The Resource Booking Attendant is just one of many new features that help manage the Resources in Exchange 2007. It is part of the Calendar Concierge group of features that also include Calendar Attendant, Scheduling Assistant and Availability Web Service. All of these new calendaring features are designed to provide a better end-user experience regarding booking meetings and equipment in a corporate Exchange environment.

Jason


Friday, July 20, 2007

iPhone Revolution



For the past number of months, tech news sources have been overflowing with articles relating to the launch of Apple’s newest technological revolution: the iPhone.

Although the iPhone offers many new and innovative features, it is not exactly enterprise friendly. At the time of release, the iPhone leverages only the IMAP protocol to access Exchange email data. This essentially limits the device in such a way that it cannot take advantage of Exchange 2007 features such as Calendar and Contact synchronization. Furthermore, IMAP has at least two inherent negatives on a mobile device: it is not a ‘push’ email technology (unlike BlackBerry and Windows Mobile 5+ based solutions) and it is not natively secure (Ceryx utilizes an SSL encrypted IMAP solution to circumvent this issue).

The iPhone is a beautifully engineered device with little in the way of close competition in terms of gizmos and gadgets. Unfortunately it falls well short of the bar in an enterprise environment. If you must have an iPhone, you will have to do without many of the mobile features that are now standard amongst the competition – at least until 3rd party software is available or until, as speculated, Apple licenses Microsoft ActiveSync technology.

Apple iPhone:
http://www.apple.com/iphone/

MacNN – iPhone/Active Sync:
http://www.macnn.com/articles/07/06/26/iphone.exchange.support/

Microsoft Exchange Team Blog - http://msexchangeteam.com/archive/2007/07/10/446015.aspx

Mark


Tuesday, July 17, 2007

Exchange 2007 Free/Busy Feature


With Exchange Server 2007 as your messaging platform, secure access to more consistent and up-to-date free/busy information is now possible.

Unlike previous versions of Exchange, Exchange Server 2007 does not have to publish free/busy information into public folders if all attendees have Exchange 2007 mailboxes and are using Outlook 2007 or 2007 Outlook Web Access. In this “native” 2007 messaging environment Exchange Server 2007 makes free/busy information available in real-time directly from the attendee’s mailbox. This means you no longer have to deal with replication delays and access latency commonly associated with public folders.

All this is made possible by the Availability Service, which supports clients like Outlook 2007 and 2007 Outlook Web Access, via the Auto-discover service.

The Availability Service is a Web Service deployed on the Client Access Server (CAS) role of Exchange Server 2007 along with the Auto-discover service. (For more information on CAS see
http://technet.microsoft.com/en-us/library/bb125134.aspx)

So how does this all work?

First, the client will make a connection to the CAS.
- If Outlook 2007, the CAS will be determined via the Auto-Discover configuration using the Availability URL.
- If the target mailbox is in another AD site, the source CAS will make an HTTPS connection to the target CAS server. The target CAS will obtain the free/busy info by communicating over MAPI to the mailbox server and then send it back to the source CAS.
- If the target mailbox is in the same AD site then the CAS will communicate to the mailbox server via MAPI and obtain the free/busy info. The source CAS will then send the data back to the client.

For backwards compatibility, Exchange Server 2007 will still publish free/busy information to public folders in mixed messaging environments and provide other access methods. For example,
1. When the e-mail client requesting free/busy information is Outlook 2003 and the user using this client as well as the target attendee have Exchange 2007 mailboxes, free/busy information will be published in local public folders.
2. When the e-mail client requesting free/busy information is Outlook 2007, the user using this client has an Exchange 2007 mailbox, and the target attendee has an Exchange 2003 mailbox, the availability service will make HTTP connections to public virtual directory of the Exchange 2003 mailbox.

For more information about Exchange Server 2007 please visit the following link:
http://technet.microsoft.com/en-us/library/aa996018.aspx

Ian


Thursday, July 12, 2007

Exchange 2007 ActiveSync Policies


In Exchange 2007 administrators will have a more robust way of managing their remote ActiveSync users with ActiveSync Mailbox Policies. This will allow administrators to enforce settings to control how users use their ActiveSync mobile devices. This means administrators have more control and security when deploying ActiveSync devices.

Below is a list of a few of the settings you can set:

Alphanumeric password required
- Requires that the password contains both numbers and letters.

Maximum failed password attempts
- Sets the number of times a user can enter an incorrect password before the device wipes itself.

Attachments enabled
- Enables the downloading of email attachments.

Maximum inactivity time lock
- Sets the maximum time the device can be inactive before it locks.

WSS file access
- Allows access to SharePoint sites.


The main benefit over Exchange 2003 in Exchange 2007 is that an administrator has the ability to set a policy on a user by user basis, whereas in Exchange 2003 policies would be set globally. In Exchange 2007 there are two ways of creating ActiveSync policies: using the Exchange Management Shell or Exchange Management Console. The management console only has the ability to set some of the settings; the Management Shell is where all other settings can be found. Also note that you do not have to specify all policy settings when creating a new policy as any policy setting that you do not set will keep the default value.




Eren


Wednesday, July 11, 2007

Exchange Management Shell


Windows PowerShell, the scripting language introduced by Microsoft last year, is a welcome addition to the admin toolbox. Command line tools experienced a decade of neglect as GUI administrative tools took over the landscape. "In the beginning..." is an entertaining yarn by Neal Stephenson about the history of the much maligned command line.

The Exchange 2007 team adopted an approach that lets us have our cake and eat it too. We now have the GUI Exchange Management Console for convenience that always shows the equivalent Exchange Management Shell cmdlets that are being used to accomplish each operation.

Get-Mailbox is an Exchange Shell cmdlet that can locate one or more mailboxes and report on various properties.


Use the Select-Object cmdlet to display just the properties you're interested in as opposed to the default display properties. For example, showing only the warning and send limits is often desired.



You could then use the Set-Mailbox cmdlet to change the quota.



This is all fine except you may be wondering what the big deal is all about. An administrator could just as easily use the Exchange Management Console and do the same thing with less effort. The real power of Power Shell (pardon the pun) is the combination of assorted cmdlets to automate repetitive tasks.

Let's suppose we want to increase the ProhibitSendQuota by 50MB for all users that have current ProhibitSendQuota greater than or equal to 100MB. This could potentially be a large task to do manually (checking every user and upgrading them), however it's quick and easy using Exchange Shell.



Note that I used the $1st shell variable to hold the intermediate results so I could check the list of mailboxes obtained using the Where-Object cmdlet before actually running the foreach loop that bumps the send quota limits.

Saving the list in a variable also lets us check things again at the end using $1st | Get-Mailbox to make sure everything worked as expected.
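
The post's original commands are not preserved on this page. The following is an added example of the procedure it describes (collect, review, change, verify), not the author's own code. The variable $candidates plays the role of the saved list, and the skip rules for inherited or unlimited quotas and the -WhatIf dry run are additions.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2007).
$thresholdMB = 100   # from the post: current ProhibitSendQuota >= 100MB
$increaseMB  = 50    # from the post: raise the limit by 50MB

# 1. Collect the candidates in a variable so the list can be inspected before
#    anything is changed. Mailboxes that inherit the database defaults or have
#    an unlimited quota carry no explicit per-mailbox limit and are skipped.
$candidates = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not $_.UseDatabaseQuotaDefaults -and
    -not $_.ProhibitSendQuota.IsUnlimited -and
    $_.ProhibitSendQuota.Value.ToMB() -ge $thresholdMB
}

# 2. Review the list: show only the quota properties of interest.
$candidates |
    Select-Object Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota

# 3. Bump the send quota. -WhatIf makes this a dry run; remove it once the
#    reported changes look right.
foreach ($mbx in $candidates) {
    $newMB   = [int64]$mbx.ProhibitSendQuota.Value.ToMB() + $increaseMB
    $ceiling = $mbx.ProhibitSendReceiveQuota

    # Keep the send limit at or below the send/receive limit so the quota
    # tiers stay in order; report the mailbox instead of changing it.
    if (-not $ceiling.IsUnlimited -and $newMB -gt $ceiling.Value.ToMB()) {
        Write-Warning "$($mbx.Name): ${newMB}MB would exceed ProhibitSendReceiveQuota ($ceiling); skipped"
        continue
    }

    Set-Mailbox -Identity $mbx.Identity -ProhibitSendQuota "${newMB}MB" -WhatIf
}

# 4. Verify: re-read the same mailboxes and compare with the output of step 2.
$candidates | Get-Mailbox | Select-Object Name, ProhibitSendQuota
```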

Exchange Shell opens up many new possibilities for managing Exchange Server and simplifies the administration of large numbers of users.

See "Using the Exchange Management Shell" in TechNet for an introduction and The Exchange 2007 Wiki for more tips and examples.









Tuesday, June 19, 2007

ActiveSync in Exchange 2007


ActiveSync is a technology that allows your mobile device to synchronize with the Exchange server for emails, calendars, contacts and task items in your mailbox. Exchange 2003 Service Pack 2 introduced a new feature called Direct Push which enables Exchange data in your mailbox to be sent in near real time. A long standing HTTPS request is maintained between the device and the Exchange server. When new items arrive to the Exchange mailbox, those changes are synchronized to the device. This enables ActiveSync to provide a similar mobile messaging experience as BlackBerry.

Exchange 2007 takes mobile messaging a step further by providing several improvements to ActiveSync features. Some of the key improvements include:

Mailbox Search – You are now able to search items in your entire mailbox without downloading the items to the mobile device.

Self Service Device Management – Exchange 2007 allows you to wipe data on a lost or stolen mobile device using a tool in the option interface in Outlook Web Access (OWA).

Handheld Lockup – A security policy can be set up to require a password be entered on your mobile device after a period of inactivity.

Out of Office Support – You are now able to configure an Out of Office Message directly from your mobile device.

HTML/Flagged Message – HTML and flagged messages can now be displayed properly on the mobile device.

In order to take full advantage of these new features, your mobile device will need the latest Windows Mobile 6.0 operating system. Ultimately, the mobile device’s operating system will largely determine the new features it supports.
For a full list of new features and supported devices, please refer to http://msexchangeteam.com/archive/2007/04/06/437572.aspx.
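The "Handheld Lockup" and device-wipe features listed above, as they look from the administrator's side in the Exchange Management Shell. This is an added example, not configuration from the original post; the policy name, the mailbox alias `jsmith` and the numeric values are constructed placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# 'Mobile-Baseline', 'jsmith' and the numeric limits are constructed placeholders.

# Handheld lockup: require a device password and lock the device after
# 15 minutes of inactivity. Devices that cannot enforce the policy are
# refused rather than allowed to sync without it.
New-ActiveSyncMailboxPolicy -Name 'Mobile-Baseline' `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# A policy does nothing until it is assigned to a mailbox.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy 'Mobile-Baseline'

# Verify the assignment and the settings that will be pushed to the device.
Get-CASMailbox -Identity 'jsmith' |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy -Identity 'Mobile-Baseline' |
    Select-Object Name, DevicePasswordEnabled, MinDevicePasswordLength,
                  MaxInactivityTimeDeviceLock, AllowNonProvisionableDevices

# List the devices partnered with the mailbox. The wipe columns show
# whether a wipe was requested and whether the device acknowledged it.
Get-ActiveSyncDeviceStatistics -Mailbox 'jsmith' |
    Select-Object DeviceType, DeviceID, LastSuccessSync,
                  DeviceWipeRequestTime, DeviceWipeAckTime

# Administrator-side counterpart of the OWA self-service wipe for a lost
# or stolen device. -WhatIf reports the action without performing it.
Get-ActiveSyncDeviceStatistics -Mailbox 'jsmith' |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -WhatIf }
```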


Thursday, June 14, 2007

New and improved Out of Office Assistant (OOF)

21 comments

Exchange 2007 provides several improvements to the Out-of-Office (OOF) feature, which are accessible to users via Outlook 2007 or OWA. (If you are wondering why it is called OOF and not OOO, go here: http://msexchangeteam.com/archive/2004/07/12/180899.aspx)

Some of the improvements include:
1) Scheduled OOF Messages
You can now schedule when your OOF message is sent. One obvious benefit of this is that you can pre-create your OOF message(s) and set the desired schedule. When you leave the office, your messages are automatically sent, and upon your return, your OOF is automatically disabled. This is especially helpful when preparing for an extended period of absence, such as a business trip or vacation.

2) Improved Security
OOF messages will not be sent out in response to server-detected junk e-mail or internet mailing lists.

3) Improved Editing Controls
OOF messages can now be composed in HTML format and customized with all the same controls currently available for editing emails.

For more details on this feature, please see the Exchange 2007 OOF blog: http://msexchangeteam.com/archive/2006/10/06/429115.aspx.

Is OOF assistant one of your favourite features in Exchange 2007? Vote in our poll!


Thursday, June 7, 2007

Sharepoint and Exchange 2007

113 comments

Where did those Public Folders go?! The answer is they are still there; just not as visible as they used to be. Exchange 2007 has been designed in such a way that Public Folders, although still available, require command-line-like administration – a little bit clunky. But why use dated technology to store your files, emails, contacts and calendar items? The reported reason behind the slow demise of Public Folders is so that newer, more efficient and functional technologies can prevail.

Enter SharePoint, in either WSS 3.0 (Windows SharePoint Services) or MOSS (Microsoft Office SharePoint Server, formerly SharePoint Portal Server) 2007 flavor. SharePoint provides an easily extensible platform for the sharing of information (something Public Folders didn’t offer). It allows administrators and users to create themed ‘sites’ and ‘lists’ that contain the same information, but on a rich platform that allows for version control (not available on PFs), check-in/check-out document control (not available on PFs), and customizable views (not that easy to do on PFs) that can include multiple ‘webparts’ to display relevant information to viewers, like work group calendars, link lists, key contacts etc. Other functionality, like the quick creation of blog and wiki sites and configurable event-driven email alerts, further extends capabilities that were never even conceived in public folders.

Integration through Exchange 2007 comes at the client level (spare email routing requirements). SharePoint lists and objects can be added directly to Outlook 2007 for direct access via the folder tree. OWA also integrates with SharePoint through the ‘Document Access’ feature (on a read-only basis), which allows remote users to open up local documents either via SharePoint URLs or UNC File Shares. And of course, if you want to provide direct access to your SharePoint Site collections, SharePoint can be placed on public-facing systems and accessed via a standard web browser, and can even allow anonymous access to specific sections (no one has an excuse to NOT have a blog space now!)

So I say, out with the old (Public Folders) and in with the new (easily extensible rich featured SharePoint)!

For more information on SharePoint:

Microsoft Office SharePoint Official Site
http://office.microsoft.com/en-us/sharepointserver/FX100492001033.aspx

Microsoft Feature-by-Feature WSS 3.0 and MOSS 2007 Comparison http://download.microsoft.com/download/1/d/c/1dc632e8-71e1-466f-8a2f-c940f1438e0a/SharePointProductsComparison.xls

A great collaboration of SharePoint professionals and enthusiasts
http://www.sharepointblogs.com

A quick description of SharePoint from our Favorite Wiki Resource
http://en.wikipedia.org/wiki/SharePoint


Wednesday, May 30, 2007

Challenges Implementing Autodiscover

16 comments

One of our visitors recently asked whether there are any challenges with implementing Auto Discover effectively, and Owen, our resident expert, had this to say:

The simple answer: the setup can be as simple or as complex as your corresponding Exchange environment. In a simple Exchange 2007 scenario, where Exchange routes for only one domain, the setup is fairly straightforward. As part of the Exchange 2007 CAS server installation, the necessary Autodiscover components are installed by default on the CAS server, and corresponding SCP records created in Active Directory. For users connecting from remote systems, such as laptops or home computers, an external DNS record is required which directs requests to autodiscover.yourdomain.com to the external address of the Exchange 2007 CAS server.

For more complex Exchange 2007 implementations, with multiple email domains, many external users, and custom SSL certificates, there are a few issues to overcome. Microsoft recommends that a separate website be created for a heavily utilized Autodiscover service. For multiple email domains, individual DNS records for each email domain need to be directed to one common HTTP based URL, which should be configured to redirect all requests to an HTTPS enabled CAS server hosting the Autodiscover web site. This allows the use of multiple email domains, but one common Autodiscover site and corresponding SSL certificate. Otherwise, individual Autodiscover websites would need to be created on the CAS server, each with individual SSL certificates, which would become cumbersome and expensive to manage.

As Exchange 2007 has introduced a new web based delivery mechanism for Offline Address Books (OABs) for Outlook 2007 clients, replacing the Public Folder method used for Outlook 2000 through 2003 clients, a fully functioning Autodiscover service is required to maintain full functionality for Outlook 2007 clients. The same is true for Unified Messaging and Availability services, therefore a good understanding of, and a well designed, Autodiscover implementation is key to a successful Exchange 2007 deployment.

For further information, Microsoft has published a good description on their TechNet site that describes the various scenarios, and potential solutions.


Friday, May 18, 2007

Autodiscover in Exchange 2007 and Outlook 2007

20 comments

Exchange administrators and end users alike will praise the new Exchange 2007 feature known as Autodiscover. This new feature, combined with Outlook 2007, makes the setup of new Outlook profiles as simple as logging into your webmail. Simply provide Outlook your email address and password, and your Outlook profile is configured with no other information required. Gone are the days of needing to know your server name, or hunting for the settings and location to input your RPC over HTTP information.

This feature is elegantly accomplished through external DNS records, and features included on the new Exchange 2007 Client Access Servers (CAS). Administrators simply need to publish a DNS record on the internet for autodiscover.yourdomain.com, directing it to the CAS server of their Exchange email environment. The CAS server then provides the settings to Outlook 2007, including their Exchange server name, their RPC over HTTP settings (now called Outlook Anywhere), their offline address book web URL, their display name, and any other information required. This information is provided through a file called Autodiscover.xml, which is hosted by an IIS website on the CAS server, secured through NTLM authentication and SSL communications.

Similar principles are in place for Outlook 2007 with regard to personal accounts provided through users’ Internet Service Providers or free email providers. Many providers have the required information published, which allows a user to simply input their display name, email address, and password, and Outlook 2007 automatically applies the required settings. You no longer need information regarding your incoming mail server, outgoing mail server, authentication settings, etc.

Simply put, Autodiscover makes accessing your email that much easier.


Friday, May 4, 2007

The Exchange database engine

2 comments

Exchange can be considered to be a special purpose database application. The database is all the email and calendar entries in everybody's mailbox. Rather than writing a database from scratch, Microsoft used the Jet Database engine also used by Microsoft Access. What's that you say, gasping in horror, Microsoft Access is running my corporate email system??? Yup. It also runs your Active Directory, by the way.

Why doesn't Microsoft switch to a "real" database like SQL Server? There's certainly been talk about this for years, and a lot of rumors that it would happen in E2K7, but it didn’t go down that way. And here's the rub: Jet is actually way faster than SQL Server.

SQL Server is built from the ground up to be a true multi-client, multi-machine, client-server database, and that carries lots of overhead.

All the clients need to create ASCII "SELECT" statements, send them over a skinny little pipe to the server, have the server parse and execute the queries, and then send the results back over the same skinny pipe to be parsed on the client end and then served up to the application.

By contrast, the Jet data and Jet engine sit right on the same computer as the application accessing the db, and use big fat shared memory communications. Meanwhile, Exchange has customized and optimized the heck out of it to ensure the database performance is super-optimized for Exchange. Because the Exchange store.exe process manages all the communications to the database, there is no need for all the overhead of a true client-server database.

For a true client-server app, there is no substitute for a nice robust relational database like SQL server. But for an app like Exchange where all communications to a given computer are already funneled through a “front-door” process (store.exe), it’s really not necessary… honest…


Thursday, May 3, 2007

Outlook or Google mail?

1 comments

The UK's ITWeek asks whether or not Outlook should be consigned to the scrap heap and replaced with Google mail.

This writer makes some interesting points, but we'll wager he hasn't tried Exchange 2007 yet. His primary issues are all addressed in Exchange 2007: the fit between Outlook and Exchange 2007 is on our top eleven list, as are the improved Outlook Web Access and the way 2007 handles expanding mailboxes with a revised architecture. As for Google, we'd like to hear from readers who are considering or using Gmail for their businesses. Would you go with a service like Gmail for corporate mail? Why or why not?


Friday, April 27, 2007

What's caching, really?

6 comments

In the last post I told you that E2K7 (that’s short for Exchange 2007) uses lots and lots of caching to improve performance, especially on 64-bit architectures where lots and lots of memory is available.

One way to improve performance is to keep all data in zippy-fast RAM (random access memory) as opposed to on slug-like hard drives. Trouble with RAM is that when you reboot the machine, all contents are wiped away whereas hard drives can keep everything between reboots. So you can't only use RAM. The other problem with RAM is that there is never enough of it. 16GB is the practical limit of RAM you can load into a reasonably priced machine nowadays, whereas that same machine could take several Terabytes of disk.

So a compromise is needed. That compromise is caching. Caching means "fronting" the slow disk with fast RAM, and it relies on a property of most applications called "locality of access". The actual number of disk pages accessed during any small period of time is much smaller than the total amount of disk, especially with Exchange. Think about the 1GB of data in your mailbox - how much of it do you ever use at the same time? That means that the whole "working set" of disk pages can be mirrored in RAM, if you have enough of it.

On the first read operation, Exchange can bring the 8 KB disk page containing your data (and some nearby data) into RAM. All subsequent reads and writes can occur onto the mirrored page in RAM. When the user moves onto something else 10 or 12 seconds later (an eternity to a CPU running with a 3GHz clock speed) the RAM-mirrored page begins "ageing", and if it is not touched in a while, it is written back to disk so that the RAM can be used to mirror a different disk page that is in more active use.

This technique vastly reduces the number of iops to disk in favor of mops to RAM, which are much, much faster and don't require that you pay for all those expensive disk spindles to supply you with your necessary dose of iops.

One caveat with Exchange is that it is a database (albeit a cheesy one, but more on that in another post), and so there is a requirement to write data back to disk. In databases, this is handled by writing changes to the database to a "transaction log" straight to disk without any pesky caching getting in the way. That way, if the server suddenly crashes, the combination of whatever is on the disk plus the transaction log can bring the database right back up to date. So in the case of Exchange, big caches don't save on log write operations, but they sure save on store iops, which are by far the most common operation.

There are other ways of speeding up access to data other than caching, but they all require reorganizing the data radically and moving away from a more standard relational database organization to a super-customized disk organization, specifically geared towards your application. Even then, customized application-driven caching can still dramatically improve matters from there.

Taking a sub-optimal storage layout and throwing a 64-bit address space worth of caching at the problem, as was done for E2K7, may not be elegant, but it sure gets the job done.


Tuesday, April 24, 2007

E2K7 Feature Rankings - here’s what you’ve said so far!

0 comments

Here are the top 11 features of Exchange 2007 according to your rankings so far! Agree? Disagree? Vote at http://www.ceryx.com/exchange2007.asp for your favourites.

Top 3 Features:

Outlook Web Access
Improved Calendaring and Scheduling
Improved Function Management from Mobile Devices

Next 2:

Sharepoint and RSS integration
Outlook Voice Access

Bottom 5:

Better search and message management
Out of Office Privacy and Config Mgmt
X64 Architecture
Native replication
Regulatory Compliance


Check back as we post updates to the survey!


Thursday, April 19, 2007

Why x64?

1 comments

Exchange 2007 is only supported on 64-bit hardware and operating systems. This will cost a lot of people a lot of time and money to replace servers. Why did Microsoft do this? I’ll try to explain the thinking here.

Disk i/o operations per second (iops) are the single biggest constraint in Exchange 2003. A heavy user in E2K3 uses about 1 iops to the disk subsystem. A typical disk drive running at 10,000 rpm can deliver about 100 iops (your mileage may vary depending upon how much caching is in place in the disk subsystem; for example, a SAN will typically cache a lot and give you an effective iops more like 150 for the same disk).

Unfortunately, iops are SLOW, slow like molasses compared to quick in-memory access. An iop needs to wait for disks to spin, and disk heads to move, and processor interrupts, and finally transfers of data over impossibly slow busses. That means that users accessing large mailboxes are slowed way down as well.

The time-honored, brute force solution to slow iops and not enough of them is to keep recently used data mirrored in RAM (called caching). RAM is very speedy and the number of mops (memory operations per second) that can be done is vastly greater. Consider 1066 MHz RAM: that can do 1,000,000 mops. A lot faster than the 100 iops a disk can do (the comparison is a bit bogus because transfer size is not considered, but you get the idea).

Exchange 2003 used as much cache as it possibly could within the confines of the 4GB memory size imposed by 32-bit hardware and operating systems. They even put in a special /3GB switch that tells Exchange to use up to 3GB of cache on a machine configured with 4GB of RAM, on the understanding that there is nothing else running on the machine and it's ok for Exchange to hog it all like that. So, 32-bit machines are limited to addressing 4GB of memory. 64-bit machines, on the other hand, can address, well, LOTS of RAM (about 17 million Terabytes, which Bill assures us "ought to be enough for anybody", but who's counting).

Going to 64-bit hardware (which in turn needs an operating system specially compiled and optimized to use the 64-bit hardware) allows Exchange to make the database cache as large as you can afford.

The difference between a server with 4GB of RAM and one with 32GB of RAM is about $13K. The difference between one with 4GB RAM and one with 16GB is $2K. I think I'll stick to 16GB servers for now, thanks all the same. Microsoft reckons you need 2GB of RAM plus anywhere from 2MB up to 5MB extra per mailbox depending upon how heavy the user is (no fat jokes, please).

So a server with 16GB of RAM can host about 3000 heavy users. 3000 heavy users used to require 3000 iops, which can only be supplied by a whopping 30 disk drives. Definitely expensive SAN territory. And at about $1400 for a 10krpm 300GB Fiber Channel SAN disk drive, that's an extra $42K for disk drives.

Microsoft also reckons that the iops load in E2K7 drops to about 30% of what it was. That means that the same storage can be had from fewer, less expensive 500GB 7200 rpm disks, which cost about the same as the smaller, faster 300GB drives. We can make do with 18 of these disks instead (or fewer if you venture into RAID5 territory).

So we spend $2K extra for the RAM, but we save $17K on disk drives. Makes sense to me. And it will keep making better and better sense as RAM prices continue to drop, and as the size of disks continues to get larger (for the same $) but they spin no faster (hence no extra iops).

Not only is it cheaper, but much larger mailboxes, no longer constrained by the speed of iops, can be used in Exchange 2007, and the same-sized mailboxes are faster to access on loaded servers. All good news.

Couldn’t Microsoft have also put out a 32-bit version of Exchange 2007 to support up to 400 heavy users? Actually, the eval is 32-bits, so it’s clearly possible. Why not support it in production? The cynic might say “sell more hardware and OS licenses?”. As a developer, every extra platform supported costs extra money, and if the world, and especially Longhorn is going 64, well…

So while this is great news if you're going out to buy a brand new Exchange 2007 back-end server, if you have an existing Exchange server you would like to upgrade, chances are it's all wrong for you. Oh well, you needed a beefy 32-bit server for that old accounting package anyways.


Tuesday, April 17, 2007

Some thoughts from around the industry and the blogosphere on Exchange 2007

0 comments

Here's an extensive piece in Redmond Mag that reviews some of the same features on our list. (You can rate your favourites here as well.)

Here is a scorecard that contains some interesting insights.

Read any interesting insights on Exchange 2007? Leave a comment or email us at blog@ceryx.com.


Tuesday, April 10, 2007

Moving to E2K7 from Notes just got easier

0 comments

Microsoft announced today that companies moving from Notes to Exchange can now download a free migration tool - the Microsoft Transporter Suite. It's a 32MB download and available from the Microsoft site.


Thursday, April 5, 2007

Exchange 2007 - Rank the Features!

0 comments

We at Ceryx talked to our customers and end users and have put together a list of the most significant features and functionality available with Exchange 2007 - from Outlook Voice Access, to autodiscovery for user setup, to compliance and email management features.

InfoWorld issued their own thoughts on features last year. We'd like to hear what you think. You can download our list from this page (contact information required), vote on what you think are the most valuable features, and discuss both rankings by commenting on this post below.

We'll be issuing a ranking based on user votes sometime in May, so please check back.

InfoWorld's ranking of top ten features
Ceryx' ranking (your information will be required to complete download)

Rank the features according to your experience


You Had Me at EHLO - Blog Pick of the Week

1 comments

We will be making recommendations on blogs that we find useful and informative on a regular basis. Our first blog spotlight is the Microsoft Exchange 2007 team's blog, You Had Me at EHLO. It's a wealth of information from the Exchange 2007 team on everything from troubleshooting to tips to other links.

This post includes some excellent information on Active Directory design for Exchange 2007.


Welcome to the Exchange 2007 Blog!

0 comments

Thanks for visiting. We at Ceryx have recently launched this blog to facilitate discussion around Exchange 2007 - what's new, what do you need to be aware of, and how will it impact your messaging environment. This blog will cover everything from:

  • Insights from our experts on our experiences working with Exchange 2007
  • Useful websites, news and information related to Exchange 2007 implementations and/or upgrades
  • Insights from our projects and rollouts on managing Exchange 2007, particularly new features and functionality

We'll be posting a couple of times a week. If you've seen something interesting that you think should make it to our blog, send us a tip at blog@ceryx.com. We welcome your comments and questions!