
Thursday, 1 May 2008

Mail enabled Contacts in a Hosted Environment and the Offline Address Book.

Contacts in a Hosted Exchange environment can be tricky to implement successfully, for two reasons: 1) the way Exchange searches object attributes to build an Offline Address Book, and 2) Active Directory (or rather the Exchange management GUI) not allowing two objects to have the same proxy address. In all fairness the second is a necessary check to have, but it is only enforced in the GUI and can be bypassed by writing the attribute directly over LDAP (ADSI Edit included). Note: two objects with an identical proxy address will break delivery to that address and is considered attribute corruption of Active Directory.

So how does the Exchange 2003 System Attendant (using OABGen.dll) decide which objects to include when generating the OAB? It checks that the object has both a proxyAddresses and a mail attribute, and further checks that the primary SMTP proxy address (the entry whose SMTP: prefix is in upper case) matches the address held in the mail attribute.

So how does an Exchange hoster get around two companies having the same contact, john@doe.com for example?

First let me explain the targetAddress and proxyAddresses attributes on a mail-enabled AD contact.

The targetAddress is the contact's actual external e-mail address, for example:
bill@microsoft.com
The proxyAddresses are the addresses the Recipient Update Service (RUS) stamps on the object's E-mail Addresses tab, if you use RUS at all (HMC disables every RUS instance except the Enterprise RUS, which is kept for System Attendant operation). RUS can be told to leave an object alone by unchecking 'Automatically update e-mail addresses based on recipient policy'. You will find the primary proxy address is the contact's own address, matching the targetAddress, and depending on RUS and Recipient Policy configuration further proxy addresses may well be stamped on it.

So, john@doe.com: how can two customers have this contact in an HMC/Hosted Exchange environment?

The short answer is that they can, but it cannot appear in the OAL. This is because Offline Address Book generation keys off the proxyAddresses attribute I mentioned earlier, without also considering the targetAddress.

99% of hosters won't hit this problem, and contacts will be created with a proxy address (which HMC supports by default). When you do run into it, however, it causes customer grief.

One way of bypassing it is to give the contact a bogus proxy address, for instance 'HostedCompanyName.joe@bloggs.com', where HostedCompanyName is the name of the Hosted Exchange customer.

This does work, but it introduces other issues when a user outside the Org performs a 'Reply All'. Take a look.

Here’s the properties of the contact from the GAL:

Here's the contact in AD; I have pulled the info from ADSI Edit:

You can see the highlighted proxyaddress and targetaddress attributes clearly:


When you send a message outside of the Org and include the contact, anyone else outside the Org who does a 'Reply All' will see only the bogus proxy address, not the contact's real SMTP address held in the targetAddress:


This of course results in an NDR.


The fix? Either remove the proxy address altogether, which takes the contact out of OAB generation, or have the primary proxy address match the targetAddress (standard Exchange 2003/2007 behaviour), which will cause mail flow issues as soon as you get a second customer with the same contact.
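The two checks above (does a contact satisfy the OABGen rule, and does anyone share a proxy address) can be scripted. The following audit script is an added example and not part of the original post or of HMC; it uses System.DirectoryServices so it runs from plain PowerShell without the Exchange tools, is read-only, and the search base OU is an assumption.

```powershell
# Added audit script, not from the original post. It reads mail-enabled contacts and
# applies the OAB inclusion rule described above, then looks for duplicate proxy
# addresses across the forest. Read-only. The search base below is an assumption.

function Get-PrimarySmtpAddress {
    param([string[]]$ProxyAddresses)
    # The primary SMTP address is the entry whose "SMTP:" prefix is upper case
    # (-cmatch is case-sensitive; secondary addresses carry "smtp:").
    foreach ($p in $ProxyAddresses) {
        if ($p -cmatch '^SMTP:(.+)$') { return $Matches[1] }
    }
    return $null
}

function Get-ContactOabStatus {
    param([string]$SearchBase = 'LDAP://OU=Hosting,DC=hoster,DC=example')   # assumed OU
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.Filter   = '(&(objectClass=contact)(targetAddress=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail', 'targetAddress', 'proxyAddresses'))
    foreach ($result in $searcher.FindAll()) {
        $props   = $result.Properties               # property names come back lower-cased
        $proxies = @($props['proxyaddresses'])
        $mail    = [string]$props['mail']
        $target  = ([string]$props['targetaddress']) -replace '^smtp:', ''
        $primary = Get-PrimarySmtpAddress $proxies
        New-Object PSObject -Property @{
            DistinguishedName = [string]$props['distinguishedname']
            Mail              = $mail
            TargetAddress     = $target
            PrimaryProxy      = $primary
            # OABGen rule from the post: proxyAddresses and mail must both exist,
            # and the primary SMTP proxy must equal mail.
            InOab             = (($proxies.Count -gt 0) -and ($mail -ne '') -and ($primary -eq $mail))
            # The 'Reply All' hazard: external recipients see the primary proxy, not targetAddress.
            ProxyDiffersFromTarget = (($primary -ne $null) -and ($primary -ne $target))
        }
    }
}

function Find-DuplicateProxyAddresses {
    # Query the Global Catalog so duplicates across every domain in the forest are caught
    # (the Exchange GUI checks this on the way in; a direct LDAP/ADSI write does not).
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.RootDomain.Name)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(proxyAddresses=smtp:*)')
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'proxyAddresses'))
    $seen = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname']
        foreach ($addr in $result.Properties['proxyaddresses']) {
            $key = ([string]$addr).ToLower()        # SMTP addresses are compared case-insensitively
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += $dn
        }
    }
    foreach ($key in $seen.Keys) {
        if ($seen[$key].Count -gt 1) {
            New-Object PSObject -Property @{ ProxyAddress = $key; Objects = $seen[$key] }
        }
    }
}

# Usage:
#   Get-ContactOabStatus | Where-Object { -not $_.InOab -or $_.ProxyDiffersFromTarget } | Format-Table -AutoSize
#   Find-DuplicateProxyAddresses | Format-List
```

Contacts that come back with InOab false are the ones that will be missing from the customer's OAL; those with ProxyDiffersFromTarget true are the ones that will generate the 'Reply All' NDR described above. Anything reported by Find-DuplicateProxyAddresses is the attribute corruption case and should be fixed before it breaks delivery.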


Oliver Moazzezi

MVP - Exchange Server

Friday, 18 April 2008

Hosted Exchange for the world

Large Hosted Exchange providers can get bitten by scheduled maintenance. It will always be in everyone's contract, but what happens when a certain percentage of your customers are outside your time zone, and worse still, substantially outside it?

To expand your hosted mailbox count you have to reach further than your own country, and a lot of Hosted Exchange providers can say they host mailboxes for companies across the Americas, Europe, the Middle East and Asia.

Intelligence has to be added to your provisioning portal; otherwise Company A's Hong Kong users could be put on the same Exchange Server (not necessarily the same mailbox store or even Storage Group) as the rest of Company A's users in Europe. Worse, the rest of the users on that Exchange Server are also based in Europe. How is scheduled maintenance justified to the Hong Kong contingent when it happens during their working day?

So how does scheduled maintenance come into effect here?

Working out of hours relative to GMT isn't going to cut it for the users in Hong Kong, whose day is still in full swing; this is where careful planning and design is required. The ideal answer is to carve the world map into set zones, so that whether a single company is in Dubai, or has offices in Dubai, Europe and the USA, you never affect its respective core working hours. This requires a lot of development work: although HMC supports provisioning a customer to multiple stores, it has no intelligence for splitting users between 'time zone Exchange Server farms' based on their location. This is where in-house or outsourced development work is required.
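What that placement intelligence looks like, as an added example rather than anything HMC or Cobweb ships: each farm carries a maintenance window in UTC, and a user is placed only on a farm whose window never touches their local core hours. The farm table, maintenance windows, mailbox counts and the 08:00 to 18:00 core-hours assumption are all made up for the illustration; a real portal would read them from its provisioning database.

```powershell
# Added example of zone-aware provisioning. Hypothetical design, not HMC or Cobweb
# code: the farm table, windows and mailbox counts are constructed for illustration.
# Hours are 24h integers and every range is [Start, End), wrapping at midnight.

$Farms = @(
    @{ Zone = 'Americas'; Server = 'EX-AMER-01'; MaintenanceUtc = @(4, 8)
       Databases = @{ 'SG1\DB1' = 1800; 'SG1\DB2' = 1650 } },
    @{ Zone = 'EMEA';     Server = 'EX-EMEA-01'; MaintenanceUtc = @(22, 2)
       Databases = @{ 'SG1\DB1' = 2100; 'SG2\DB1' = 1900 } },
    @{ Zone = 'APAC';     Server = 'EX-APAC-01'; MaintenanceUtc = @(14, 18)
       Databases = @{ 'SG1\DB1' = 900 } }
)

function ConvertTo-UtcHours {
    # Expand a local [Start, End) hour range, which may wrap midnight, into the UTC hours it covers.
    param([int]$Start, [int]$End, [int]$UtcOffsetHours)
    $hours = @()
    $h = $Start
    while ($h -ne $End) {
        $hours += ((($h - $UtcOffsetHours) % 24) + 24) % 24
        $h = ($h + 1) % 24
    }
    return $hours
}

function Test-MaintenanceClash {
    # True if the farm's UTC maintenance window touches the user's local core hours (assumed 08:00-18:00).
    param([int[]]$MaintenanceUtc, [int]$UtcOffsetHours, [int]$CoreStart = 8, [int]$CoreEnd = 18)
    $core  = ConvertTo-UtcHours $CoreStart $CoreEnd $UtcOffsetHours
    $maint = ConvertTo-UtcHours $MaintenanceUtc[0] $MaintenanceUtc[1] 0
    foreach ($h in $maint) { if ($core -contains $h) { return $true } }
    return $false
}

function Select-MailboxDatabase {
    # Pick the least-loaded database on a farm whose maintenance never hits this user's working day.
    param([int]$UtcOffsetHours, [hashtable[]]$FarmTable = $Farms)
    $best = $null
    foreach ($farm in $FarmTable) {
        if (Test-MaintenanceClash $farm.MaintenanceUtc $UtcOffsetHours) { continue }
        foreach ($db in $farm.Databases.Keys) {
            $count = $farm.Databases[$db]
            if (($null -eq $best) -or ($count -lt $best.Mailboxes)) {
                $best = New-Object PSObject -Property @{
                    Zone = $farm.Zone; Server = $farm.Server; Database = $db; Mailboxes = $count }
            }
        }
    }
    if ($null -eq $best) { throw "No farm has a maintenance window clear of UTC$UtcOffsetHours core hours" }
    return $best
}

# A Hong Kong user (UTC+8) lands on the APAC farm; the same company's London user (UTC+0)
# lands on the quietest Americas or EMEA database, so neither sees maintenance in their day.
Select-MailboxDatabase -UtcOffsetHours 8
Select-MailboxDatabase -UtcOffsetHours 0
```

The point of splitting placement per user rather than per customer is exactly the Company A case above: its Hong Kong office and its European office end up on different farms, each with a maintenance window that falls outside that office's working day.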

Suffice to say our current Exchange 2003 solution doesn't have this feature. We support provisioning to multiple databases, even across multiple Exchange Servers, but not the intelligence a Hosted Exchange supplier needs to rule all time zones and keep customers with offices in some or all of them happy.

Our Exchange 2007 platform will have this. It will be a phase II or III step, and time zone provisioning won't be available at launch, but it is coming. It is a necessary piece for successfully reaching 100,000 mailboxes and beyond.


Oliver Moazzezi

MVP - Exchange Server

Tuesday, 8 April 2008

Mutual authentication and URL Branding with an Outlook Anywhere / RPC over HTTPS connection

With Exchange 2007 not 'officially' supporting Forms Based Authentication or Outlook Anywhere on more than one web site (whether that is the Default Web Site or not), it has become harder to offer URL branding to customers that require it in a hosted environment. With Exchange 2003 you could create multiple sites and FBA was supported in all of them; Microsoft's stance with Exchange 2007 is that if you need FBA on more than one site per CAS you use ISA Server to provide it. And although ISA allows multiple sites with FBA enabled (albeit offloaded to the ISA server or servers), there is still only one site supported for Outlook Anywhere (read: RPC over HTTPS). Again, with Exchange 2003 it was simply a case of copying the RPC virtual directory to your other sites.

The advent of SAN (Subject Alternative Name) certificates has greatly helped our design of a Hosted Exchange 2007 infrastructure here at Cobweb. It has allowed us to implement a cost-effective Client Access Server design and support URL branding for the customers that require it, while minimising costs (a dedicated CAS server for every branded OWA URL we support or take on with new business). For example, an Exchange hoster that wants to stay within a Microsoft-supported solution and has, say, 10 dedicated OWA URLs would have to deploy a minimum of 10 CAS servers, and that doesn't even take HA into account. To achieve HA at the most basic level (without considering the number of users hitting each URL) you would need 20.

This is where SAN certs come into their own. All branded OWA URLs can be added to the certificate along with the names for other Exchange services and protocols (Autodiscover, POP3, IMAP4 and so on). This helps a hoster significantly and benefits normal in-house deployments too.

There is one 'gotcha', however, when using a SAN cert for multiple OWA URLs with Outlook Anywhere: if you enable mutual authentication for the session, you cannot connect on any of the Subject Alternative Names. This is because the client explicitly looks for the principal name (the msstd: value set in the Outlook profile) in the certificate, and matches it against the Subject field of the cert rather than the SAN extension:

Mutual authentication isn't necessary, as all client machines connecting to us are deemed non-domain-joined (they may well be in their own domain, however) and these client machines are unlikely to have any certificates published to them from their own Certificate Authorities.

Once this checkbox was cleared, Outlook Anywhere worked for any of the branded OWA URLs held in the Subject Alternative Name field of the certificate.
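Before rolling a SAN cert out to branded customers it is worth checking which host names will survive the mutual-authentication principal-name check and which live only in the SAN extension. The script below is an added example, not part of the original post or of Exchange; the certificate path and host names are assumptions, and the SAN parse relies on the English-locale text that X509Extension.Format emits.

```powershell
# Added check, not from the original post: for each branded host name, report whether
# it sits in the certificate's Subject CN (what the Outlook "msstd:<host>" principal
# name is matched against, per the gotcha above) or only in the Subject Alternative
# Name extension. Paths and host names are assumptions; English Windows locale assumed.

function Get-CertificateNames {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $cn = $null
    if ($cert.Subject -match '(?i)CN=([^,]+)') { $cn = $Matches[1].Trim() }
    $san = @()
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($ext) {
        # Format($true) renders one entry per line, e.g. "DNS Name=owa.customer-a.example"
        $san = @($ext.Format($true) -split "`r?`n" |
                Where-Object { $_ -match '^DNS Name=' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    New-Object PSObject -Property @{ SubjectCN = $cn; SubjectAltNames = $san }
}

function Test-OutlookAnywhereName {
    param([string]$Path, [string[]]$HostNames)
    $names = Get-CertificateNames $Path
    foreach ($h in $HostNames) {
        New-Object PSObject -Property @{
            HostName         = $h
            # Mutual auth ("Only connect to proxy servers that have this principal name in
            # their certificate: msstd:<host>") only succeeds when this is true.
            MatchesSubjectCN = ($names.SubjectCN -eq $h)
            # Sufficient for OWA, and for Outlook Anywhere with the mutual-auth box cleared.
            InSubjectAltName = ($names.SubjectAltNames -contains $h)
        }
    }
}

# Requesting the SAN cert itself is done in the Exchange Management Shell, not here:
#   New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -Path C:\certreq.txt `
#       -SubjectName 'C=GB, O=Example Hoster, CN=mail.hoster.example' `
#       -DomainName mail.hoster.example, autodiscover.hoster.example, owa.customer-a.example
# Usage once the issued certificate is exported to a file:
#   Test-OutlookAnywhereName -Path C:\certs\hoster.cer -HostNames mail.hoster.example, owa.customer-a.example
```

Only the single host name in the Subject CN will show MatchesSubjectCN true; every branded URL will show InSubjectAltName true and MatchesSubjectCN false, which is precisely why the mutual-authentication box has to be cleared for those customers.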

Here is the Subject Alternative Name field of a cert:

Interestingly, the first OS to support Subject Alternative Names was Windows 98.

For Microsoft's reference on creating Exchange certificates, including SAN certs, with the Exchange 2007 New-ExchangeCertificate PowerShell cmdlet, see:

‘Certificate Use in Exchange Server 2007’ http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

‘Exchange 2007 lessons learned - generating a certificate with a 3rd party CA ‘ http://msexchangeteam.com/archive/2007/02/19/435472.aspx

‘Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007 ‘ http://support.microsoft.com/kb/929395

Oliver Moazzezi

MVP - Exchange Server

Wednesday, 12 March 2008

Hosted versus In-House


We recently came across an article that weighs up the pros and cons of each. I specifically wanted to answer its questions from the Hosted Exchange provider's side.

The article is here:

http://theessentialexchange.com/blogs/michael/archive/2007/12/17/moving-from-in-house-exchange-to-hosted-exchange.aspx

The questions it poses are below; I've answered each one for the Hosted Exchange solution provided by Cobweb.


1. Does the hosting environment allow multiple hosting clients to have contacts with the same e-mail address? (This question can be restated as: how does the hosting software deal with SMTP address collisions?)

The answer is yes _and_ no. Active Directory cannot support two objects with an identical proxy address, and unfortunately the OAL is built from objects that have this attribute. The solution is to remove the proxy address, leaving the contact with just its targetAddress attribute. This allows the exact same contact to exist in multiple customers' OUs, but removes the contact from the OAL. We have been working with Microsoft on this issue, and a resolution is promised in the next version of Active Directory/Exchange.


2. Does the hosting environment allow you to share SMTP address space, either as a master or as a slave environment, with a hosted SMTP domain? (This question can be restated as: can you do a step-wise migration, or do you have to migrate all mailboxes at once?)

Yes, we have supported this for around two years. We can share SMTP address space and pass mail either over VPN tunnels or over the Internet using SMTP over TLS. We also provide plain SMTP over the Internet for customers that are not concerned about internal mail crossing the Internet in clear text. In all cases we suggest TLS/VPN solutions, which we set up and manage with the customer.


3. Does the hosting environment support Deleted Item Retention? For how long? Does their deployment environment set the DumpsterAlwaysOn registry key for Outlook? (This question can be restated as: what happens when someone deletes something they didn't mean to!)


We support DIR for 14 days (two weeks); we also keep deleted mailboxes for 31 days (effectively one calendar month). Of course, all mailboxes deleted beyond that are still recoverable from our backups.


4. Does the hosting environment support Deleted Mailbox Retention? For how long? (Restatement: can I easily restore the mailbox if my company administrator deletes a mailbox by mistake?)


Answered above.


5. Does the hosting company do backups? How often and how long do they retain them? Can they do single mailbox recovery? (Restatement: if the hosting company has a "disaster" can they recover my mailboxes? Also, if the timeframe for Deleted Mailbox Retention has expired, can I recover the company president's mailbox from last month?)


Again partially answered above: we keep monthly backups for 7 years (yes, 7 years). We can restore a mailbox to any given day in the past 4-week window; after that we keep one full backup per month.



6. Does the hosting environment support journaling? What are the data-retention options for the journal mailbox? Can I have an external interface to a journal solution?


Cobweb supports journaling. We can journal your mailboxes and send them to an external solution of your choosing (we have no control of this data; you must ensure that provider can do the job), or we can journal your mail ourselves. We use Zantaz EAS and support envelope journaling. We have default plans of 1, 2, 5 and 7 years and can also provide custom retention policies. The archive is searchable using a built-in Zantaz EAS plugin, which retrieves the archived mail from your own personal document store over SSL.



7. Does the hosting environment support catchall mailboxes? (This is simply a feature that some companies use. Others don't.)


We don't support this. We could, but I can honestly say I've never had any customers require it.



8. Does the hosting environment have a decent anti-spam solution? (More than the Outlook Junk Mail Filter!) Does the anti-spam solution support individual mailbox quarantines? If there is a false-positive, how can you get your file/message delivered?


We use MessageLabs as standard for all Hosted Exchange mailboxes. We also use Antigen for virus detection on the Exchange Servers themselves, with 4 AV engines.



9. Does the hosting environment allow you to truly white-label their services? (Restatement: can you have a custom OWA URL? Can you have a custom RPC/HTTP URL? When you connect to an SMTP virtual server, does it say YOUR domain name?)


Yes you sure can, although there is of course an extra cost associated with this.



10. Does the hosting environment allow you to have custom OWA themes? Does it support OWA segmentation?


We support OWA segmentation, we base this around our own custom mailbox plans. We can support custom OWA themes but so far we have not had any customers require this.



11. Does the hosting environment support SPF and/or Sender-ID incoming? Does it require it outgoing? Can you decide or are you limited to their default?


MessageLabs supports SPF; we don't use Sender ID within the Exchange Org, and we help customers set up their own SPF records.



12. Does the hosting environment support SSL for OWA? TLS for SMTP? Form-based authentication for OWA? Two-factor authentication for OWA and for Outlook?


SSL for OWA with FBA - Yes
SMTP over TLS - Yes
IMAPS - Yes
POP3S - Yes
RPC over HTTPS - Yes


We currently do not provide two factor authentication processes.



13. Does the hosting environment allow you to specify on a per-user basis who gets EAS (ActiveSync)? Blackberry services? Goodlink services?


Yes, which user gets what is entirely customisable by the customer's Portal Administrators.



14. Does the hosting environment allow you to create custom address lists?


Currently no, but this is something I want to bring into our Exchange 2007 offering. Support for 3 to 5 custom address lists is what I want to achieve.



15. Does the hosting environment allow you to force an Offline Address Book (OAB) update?


Yes. This is done simply by modifying a user in our Portal; we then automatically queue a rebuild of your OAL.



16. How is disk space aggregated? Is each mailbox billed separately? Is the company/domain aggregated together? Can different mailboxes have different default allocations? Can you manage the limits? Can you get disk space reports? Can you create/manage a "Mailbox Manager" policy for your domain?


Whilst I cannot answer any billing questions, I can state that mailbox size is highly configurable. Bought two mailboxes with the default of 200MB each for you and your secretary? Don't need that space for her? No problem: take space off her mailbox and assign it to yourself or your public folders.



17. What are the hard limits on mailboxes sizes?


We don't have any, although we do warn (due to current limitations in certain administration tools and tasks) against going over 2GB.



18. Does the hosting environment run a gateway anti-virus solution? An information store anti-virus solution? A file-based anti-virus solution? If there is a false-positive, how can you get your file/message delivered?


MessageLabs for the gateway, Antigen on the servers. Customers get their own Spam Manager Portal to login and check any spam messages that have been quarantined.



19. Does the hosting environment support "Send As" permissions and "Send On Behalf Of" permissions? Can you manage this yourself?


We do support this, yes. Our existing Portal does not expose the feature; our new Exchange 2007 Portal will.



20. Does the hosting environment support LDAP access to your address books?


No, however watch this space.



21. Do you have access to SMTP log files? Do you have access to message tracking log files?


SMTP protocol logging is turned on and off by Cobweb as and when there is a possible issue. As for access to message tracking, the answer is no; however, this is something I want to incorporate into our Portal.



22. What is the maximum incoming message size? The maximum outgoing message size? Can you adjust it?


20MB; customers cannot currently adjust this.



23. What is the maximum number of message recipients? Can you adjust it?


500; this is not configurable.



24. Does the hosting environment support public folders? How many? How big? Can you mail-enable public folders?


We support public folders, yes, and we also support mail-enabling them.



25. Does the hosting environment support an interface to SharePoint services?


We currently offer SharePoint 2.0. We are launching our new SharePoint 3.0 service sometime over the summer.



26. Does the hosting environment allow for external SMTP relays by IP address? What about by authorized users?


We support this, yes.


27. Does the hosting environment allow for POP-3 or IMAP users to access Exchange mailboxes?


This is configurable by the customer within the Portal.



28. Does the hosting company offer a network Service Level Agreement (SLA)? Does the hosting company offer an Exchange SLA? Does the SLA have any teeth?


Check http://www.cobweb.com for our SLA, I believe currently it is 99.9%, which we meet.


Oliver



Oliver Moazzezi

MVP - Exchange Server


Tuesday, 11 March 2008

64bit Domain Controllers


What's the benefit, you may ask? Well, plenty if configured correctly!

Here at Cobweb we've just finished our deployment of 64-bit DCs. The project was started when we realised that if we kept our existing 32-bit Domain Controllers we would have to double their number to support both our existing Exchange 2003 infrastructure and the Exchange 2007 service we are about to launch. Supporting 40,000 mailboxes (approximately, at this time) takes a lot of directory work, and the last thing we wanted to do was rack and deploy another farm of Active Directory servers, especially now that rack consolidation is proving so important with the power restrictions data centres are starting to enforce.

Ultimately we were left with only one option: upgrade to 64-bit.


The general rule of thumb for 32-bit GCs is one GC processor core for every four Exchange processor cores. Note that I mean cores, not physical processors. A 64-bit GC extends this to one core for every eight Exchange cores, as long as the server has enough RAM to load the entire directory (the NTDS.dit file) into memory.
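The 1:8 figure only holds if the .dit really can be cached, so the check worth running on each 64-bit GC is "how big is NTDS.dit versus physical RAM". The script below is an added example, not from the original post; it reads the database path from the NTDS service parameters, and the "under half of RAM" headroom threshold is my own assumption rather than a Microsoft figure.

```powershell
# Added check, not from the original post: does this DC's NTDS.dit fit in physical RAM
# (the condition the 64-bit 1:8 rule above depends on), and how many GC cores does a
# given Exchange core count call for? Run locally on the DC. Read-only.

function Get-NtdsCacheFit {
    $params   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath  = $params.'DSA Database file'             # e.g. C:\WINDOWS\NTDS\ntds.dit
    $ditBytes = (Get-Item $ditPath).Length
    $ramBytes = [uint64](Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
    New-Object PSObject -Property @{
        DitPath      = $ditPath
        DitGB        = [math]::Round($ditBytes / 1GB, 2)
        RamGB        = [math]::Round($ramBytes / 1GB, 2)
        # Bitness of the running PowerShell process; assumes you run the native 64-bit shell on a 64-bit OS.
        Is64BitOS    = ([IntPtr]::Size -eq 8)
        # Assumed headroom rule: leave room for the OS, LSASS working set and ESE version store,
        # so treat the .dit as cacheable only when it is under half of physical RAM.
        DitFitsInRam = ($ditBytes -lt ($ramBytes / 2))
    }
}

function Get-GcCoresRequired {
    param([int]$ExchangeCores, [bool]$Gc64Bit, [bool]$DitFitsInRam)
    # Rule of thumb from the post: 1 GC core per 4 Exchange cores on 32-bit,
    # 1 per 8 on 64-bit when the whole NTDS.dit can be held in RAM.
    $ratio = 4
    if ($Gc64Bit -and $DitFitsInRam) { $ratio = 8 }
    return [math]::Ceiling($ExchangeCores / $ratio)
}

# Usage on a DC, sizing GC cores for a 64-core Exchange estate:
#   $fit = Get-NtdsCacheFit
#   $fit | Format-List
#   Get-GcCoresRequired -ExchangeCores 64 -Gc64Bit $fit.Is64BitOS -DitFitsInRam $fit.DitFitsInRam
```

If DitFitsInRam comes back false on a 64-bit GC you are still sizing at 1:4, and adding RAM is cheaper than adding directory servers.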

Thus upgrading to 64-bit directory servers allowed us to keep the same physical number of servers, without having to worry about rack space, power or indeed cooling, and has given us support for both Exchange 2003 and Exchange 2007 in our infrastructure.


Oliver Moazzezi

MVP - Exchange Server