How to troubleshoot remote connectivity to Exchange

Written by Ed Fisher on July 13, 2011 – 2:56 pm -

A few months ago I wrote a post listing fourteen online resources for email admins that included several of my favourite troubleshooting resources. In this post, I want to take you for a closer look at the best one of the lot for testing remote connectivity to Exchange, the Microsoft Exchange Server Remote Connectivity Analyzer. You can access this test suite by clicking the link above, or directly at its URL, https://www.testexchangeconnectivity.com/. There are several great tests this tool can run through to ensure that you have properly set up remote access to your Exchange infrastructure, and you will want to bookmark this site and refer to it whenever you set up, or change, the external connectivity to Exchange.

Subscribe to my RSS feed

10 Most Common Malicious Programs Sent By Email

Written by Jeff Orloff on April 19, 2011 – 8:49 pm -

According to Securelist, malicious files were found in 3.18% of all emails sent during the month of February, a rise of 0.43% compared to January’s numbers this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day, so that equates to almost 10 billion malicious emails sent on a daily basis.

While this doesn’t represent the numbers seen in the early days of commercial email, when email messages were the primary method used to spread malware, it does show that this trend is rising again. And if there is an increase over time, then it can only mean that this method of spreading malware must be working on a significant enough level for attackers to use it in such numbers.

5 reasons to support ActiveSync from personal devices

Written by Ed Fisher on January 13, 2011 – 9:13 pm -

One of my favourite features within Microsoft Exchange’s Client Access Server role is ActiveSync. This practically foolproof method of providing email access from a variety of mobile devices makes it quick and painless to connect the various phones to your Exchange system, and doesn’t require anything beyond the CALs you already purchased.

While many a manager might argue that a Blackberry is the only serious business phone, the multitude of business apps for iPhones and iPads makes the platform my first choice. Droids can also get in on the action, and the growing number of Windows smartphones makes it inevitable that you will be asked to support ActiveSync connections.

Once your CAS server is set up and accessible over the Internet, ActiveSync is almost completely self-configuring. You may still run into those who believe that only corporate owned (and therefore corporate controlled) devices should be permitted to connect to the corporate email system, but unless company policy forbids access to web mail from personal computers, the horse may have already left the barn. Several programs can interpret Outlook Web Access’ HTML and present email to a client, and unless you parse your logs for the user agent you may never know about this. ActiveSync devices, even those that are personally owned, can be managed to a degree which should meet most organisations’ security requirements.

7 Exchange ActiveSync Resources for the Email Administrator

Written by Paul Mah on December 16, 2010 – 5:41 pm -

The increasing number of smartphones and tablets that connect to Microsoft Exchange is placing pressure on the email administrator to also diagnose and troubleshoot issues related to the Exchange ActiveSync protocol.  On this front, I’ve listed a number of tips in Troubleshooting Exchange ActiveSync that I hope will help administrators resolve problems that originate from a range of trouble vectors related to it.

It was in the course of writing my previous article on Exchange ActiveSync that I realized just how scarce resources are on this topic.  Moreover, the different versions of Exchange ActiveSync in use can only contribute to the confusion for a new administrator.  As such, I’ve decided to compile a list of reading resources to help you get quickly up to speed on this important topic.

Block ActiveSync? Inconceivable!

Written by Ed Fisher on November 30, 2010 – 12:27 pm -

The other day, my boss noticed that another VP had configured his personal iPhone to connect to Exchange. Concerned about the security of a device not controlled by IT, he asked me if we should turn off ActiveSync, or at least publish a policy forbidding employees from connecting their personal devices to the corporate Exchange system. This is a question many of you have either also encountered, or may encounter soon.

Without ActiveSync, you will probably find some users forwarding their company email to a webmail account, and configuring that account to allow them to “send as” so that they can use their device. Other devices can take advantage of Outlook Web Access, formatting the web based email to render nicely on a mobile device. Rather than fighting this, or creating a situation that might tempt users to violate policy, I recommend you embrace ActiveSync. If you would like to know more, please read on.

10 Reasons to Try Exchange Server 2010 – Part 2

Written by Mike Rede on November 19, 2010 – 3:08 pm -

In my previous post I described four features and reasons for administrators to try Exchange Server 2010. Those features and reasons included “Personal Archive” for email archiving, “Legal Hold” for retention purposes, e-Discovery for compliance requests and ActiveSync for mobility.

Here are six more of the ten reasons to try Exchange Server 2010.

5. Exchange Server 2010 includes new self-service and administrative capabilities that can help reduce the amount of time an administrator spends on management tasks. It has been estimated that an IT staff can lower their operational costs by 15 to 20 percent by leveraging these new features. Using a web-based Exchange Control Panel and a role-based security model, email administrators can now delegate their job functions to other members of their team based on skills and authorizations. Basic tasks can also be delegated to the end users. This can help to further reduce the administrator’s management burden, as users will be able to perform their own administrative actions. Some of the administrative tasks that users can perform are creating and deleting distribution groups, tracking delivery receipt information, and managing memberships and ownership. And to facilitate these actions, all work can be performed through a convenient web-based interface.

6. I’ve already spoken previously about the benefits of “ActiveSync” as it applies to mobile communications. But there are other benefits as well, which include reduced licensing costs for third-party tools. A further enhancement to the mobile communications capability is the new “Unified Messaging Card” feature. Users can now access their email while on the go using this new feature, which adds a speech-to-text preview mode. This can be important to mobile employees who require “24×7” access to all their business communications. Using this feature, users can now play back their voicemail messages or initiate return phone calls while on the run.

Smartphones that play nicely with Exchange

Written by John P Mello Jr on August 18, 2010 – 4:32 pm -

Windows-based smartphones work best with Exchange.

Let’s face it, your users are going to want to connect to your organization’s Exchange services with their mobile phones. Rather than allow that activity to grow willy-nilly, you may want to impose some controls on the process. So it might make sense to know what smartphones play nicely with Exchange.

Smartphone makers have been steadily improving their handsets’ Exchange capabilities. What’s more, Microsoft has also moved, with the release of Exchange 2010, to better accommodate phone warriors. For example, with Exchange 2010 and ActiveSync, members of your organization get real-time access to their communications on literally hundreds of devices. Email, contacts and calendar items can be automatically synchronized over the air quickly.

What’s more, a user’s inbox becomes truly universal. Barriers to all forms of communication–email, voicemail, rights-protected messages, calendar requests, RSS feeds and saved instant messages–have been removed allowing one-stop access for members of your organization.

In addition, the versatility and productivity of mobile email have been boosted with features like previewing messages with speech-to-text voicemail and creating a context for messages with a conversation view.

Microsoft didn’t leave administrators out of the equation either. They have greater control over device access. They can create lists of devices to block, quarantine or permit access to their network. And budget-strapped IT departments will be glad to hear that the additional mobile support is included at no additional cost in Exchange 2010. Some of that cost, no doubt, is unloaded on smartphone makers, who have to pay a licensing fee to use ActiveSync.

4 Ways to Access Exchange Server Mailboxes through Firewalls

Written by Paul Cunningham on April 8, 2010 – 4:07 pm -

We are conducting our lives and our businesses in an increasingly mobile world.  We need access to our critical business information from multiple locations and using multiple devices.

These needs often clash with the requirement to keep our data secure.  Exchange Servers are kept behind corporate firewalls which restrict who can access them and how they can connect to their mailboxes.

Secure mobile access to mailboxes on Exchange Servers is typically achieved through one or more of these methods:

  • Virtual Private Network (VPN)
  • Outlook Anywhere
  • Outlook Web App (OWA)
  • ActiveSync

Virtual Private Networks

A VPN is a secure communications tunnel established between two endpoints.  These endpoints can be two devices such as routers or firewalls, or can be between a client device such as a laptop and a firewall.

Mobile workers use VPNs to establish LAN-like network access to their corporate network.  This usually means that once connected to the VPN they have access to the same network resources they would be able to access when connected to the LAN from within the business premises.  In more security conscious environments this access is sometimes limited to just the few resources they need, but in a practical sense operates just as if they were on the LAN.

Using VPNs for access to Exchange Server makes sense when there are other needs for VPN access as well, such as access to application servers, file servers, or intranet sites.  Rather than each resource having its own independent access method, the VPN provides an “all in one” access solution.

However, sometimes VPNs are not practical.  It is not uncommon for a mobile worker to find they are unable to establish a VPN tunnel because of restrictions on the foreign network they are currently working on.  This is mostly the case for IPsec and PPTP VPN tunnels.  SSL VPN tunnels usually have no such problems because the SSL/HTTPS port is usually permitted out through firewalls.

Outlook Anywhere

Outlook Anywhere was formerly known as RPC-over-HTTPS, which accurately describes how it works.

The Outlook connection to a mailbox server over RPC is tunnelled through an SSL/HTTPS connection so that it can traverse firewalls, as well as to secure the communications over untrusted networks.

The Importance of SSL for Exchange Servers

Written by Paul Cunningham on February 18, 2010 – 5:47 pm -

There have been many times in the past when I have started a project for a new customer and discovered that they are not using SSL for their email servers.  Usually after a brief discussion they agree to implement SSL in the new system we are installing for them.

Occasionally they agree but insist on doing it in a less than ideal manner.  And sometimes, although rarely, they decline our advice and continue without SSL.

What is SSL?

SSL stands for Secure Sockets Layer and is an encryption protocol that secures communications between two parties over insecure networks such as the internet.  Although still commonly referred to as SSL, its new name is actually TLS (Transport Layer Security), which more accurately describes its role of securing communications at the Transport layer of the OSI model (e.g. the TCP protocol).

In an SSL/TLS secured communication the two parties (e.g. a web server and a web browser) agree on how to secure the connection they are establishing.

Overview of Exchange Server Virtual Directories

Written by Paul Cunningham on February 4, 2010 – 5:34 pm -

Some Exchange Server 2007 and Exchange Server 2010 roles require Internet Information Services (IIS) to function.  On these servers Exchange will install a series of IIS virtual directories.  In this post I will describe the Exchange Server virtual directories and their purpose.

/owa – This is the directory for OWA (Outlook Web Access on Exchange 2007, and now called Outlook Web App on Exchange 2010), which is the web browser version of Outlook that is usually accessed by remote workers.  The /owa directory is for access to Exchange 2007 or 2010 mailboxes.

/Public – This is the directory used by OWA users when accessing any Public Folders in the organization.

/Exchweb – This directory is used for OWA access for Exchange 2003 or 2000 users but is not usually accessed directly by the end user.  The OWA session will automatically refer the connection to this virtual directory when necessary.

/Exchange – This directory is again used for OWA access.  When an Exchange 2003 or 2000 mailbox user accesses the /Exchange virtual directory they are proxied to their mailbox.  Exchange 2007 or 2010 mailbox users are redirected to the /owa directory for their mailbox access.

This is useful during the transition from legacy Exchange versions to 2007 or 2010, because users can continue to connect to the /Exchange directory and the result will always be that they connect to their mailbox, as long as the server does not run the Mailbox Server role.  In other words, the /Exchange directory only works for legacy mailbox users if the server is a dedicated Client Access Server (though it can also contain the Hub Transport Server role without a problem).
