3Sharp blogs

3Sharp Web Site

David Gerhardt — Tue, 31 Aug 2010 08:41:33 GMT

The new and vastly improved 3Sharp Web site went live yesterday. Built on SharePoint 2010, the updated site offers a more accurate company description than was previously published. Our focus is now entirely SharePoint and Office solutions, and the site nicely lists the specific services we provide, our project portfolio, our client list, and much more. For more information about our company, please check out the new Web site.

Public Sector Demos

David Gerhardt — Mon, 02 Aug 2010 10:55:59 GMT

Over the past few months, my team has been busy working on some Office 2010 demos for the public sector. Microsoft just published a few of them:

These demos showcase our expertise in creating scenarios where SharePoint/Office can be used in a practical manner. They also highlight our ability to produce high-quality videos (using real voiceover, not my monotonous ramblings) and downloads for a click-through experience. At least two more demos related to education should get published in the next few weeks...

Comparing Dates in the Data View Web Part

David Gerhardt — Fri, 02 Apr 2010 07:15:22 GMT

Recently, a colleague and I were trying to filter a SharePoint Data View Web Part to display only list items with a start date of today or some date in the future. Using SharePoint Designer 2010, we could not find a way to use built-in functions in the GUI to compare two date values. So, we did the next best thing: we converted both date values to numbers and then compared those values.

SharePoint uses ISO values for columns that are of the Date data type. The format for these values is "yyyy-MM-ddTHH:mm:ssZ". With XSLT, you can first use the substring-before function to grab everything in the date string before the "T". Then, you can use the translate function to remove the "-" characters. Finally, you can use the number function to convert the string to a number and then do your date comparison. The following screen shot shows how the XSLT expression appears in the SharePoint Designer GUI.

I poked around on the Web for alternative ways of doing a date comparison. I found this thread, where it was suggested that the 'yyyyMMdd' modifier could be used for the string function. I bet that approach and maybe some others are cleaner than what we came up with...I am just glad we found something that worked.

Multi-Server PKS Install (Part 2)

Jeremy Campbell — Wed, 16 Dec 2009 02:50:43 GMT

There is no Part 2!

Most of the issues that happened with farm installs have been fixed in the most recent versions.

In fact, I would suggest using August PKS (the newest version as of my writing this) if you are creating a new PKS site.

I'll warn you though, the install is longer than it has ever been. Follow the document and double check every step... seriously.

Office 2010 Videos: Part 7

David Gerhardt — Thu, 29 Oct 2009 11:05:05 GMT

Another set of Office 2010 feature videos that we produced has been posted to YouTube. These same videos are now also up on GetSharp...

The latter video highlights one of my favorite PowerPoint 2010 features: the ability to trigger effects (e.g., animations) from a video bookmark. It shows another way to create visually impactful presentations with PowerPoint 2010.

Office 2010 Videos: Part 6

David Gerhardt — Tue, 20 Oct 2009 07:58:43 GMT

Four more of our Office 2010 feature videos were posted to YouTube yesterday. I published the same videos to GetSharp a short while ago...

Two of the videos showcase Office Mobile capabilities, part of Microsoft's effort to make the Office clients available on mobile devices. There are two more Office Mobile videos and a few other Office 2010 videos still to come...

Office 2010 Videos: Part 5

David Gerhardt — Fri, 16 Oct 2009 11:08:33 GMT

Microsoft posted another of our Office 2010 feature videos—about Excel 2010 slicers—on YouTube yesterday. I subsequently published it here on GetSharp. If you are interested in seeing improved filtering functionality for PivotTables or cube functions in Excel 2010, check out this video.

As I have been saying for the past few months, there are still more of these feature videos to come...

2009 SharePoint Conference

John Peltonen — Thu, 15 Oct 2009 19:14:18 GMT

I'm getting ready to pack my bags, 3 laptops, 2 external hard drives, etc... and head out to the SharePoint Conference. I'm looking forward to meeting up with some old friends and make some new ones.

Leaving 3Sharp

Devin L. Ganger — Thu, 15 Oct 2009 12:19:25 GMT

3Sharp has been a fantastic place to work; for the last six and half years, my co-workers and I have walked the road together. One of the realities of growth, though, is that you often reach the fork in the road where you have to move down different paths. Working with Paul, Tim, Missy, Kevin, and the rest of the folks who have been part of the Platform Services Group here at 3Sharp over the years has been a wild journey, but we were only one of three groups at 3Sharp; the other two groups are also chock-full of smart people doing wonderful things with SharePoint and Office. 3Sharp will be moving forward to focus on those opportunities, and the Platform Services Group (which focused on Exchange, OCS, Windows Server, Windows Mobile, and DPM) is closing its doors. My last day here will be tomorrow, Friday, October 16.

I think that the Ecclesiastes 3:1 says it best; in the King James Version, the poet says, “To every thing there is a season, and a time to every purpose under the heaven.” It has been my privilege to use this blog to talk about Exchange, data protection, and all the other topics I’ve talked about since my first post here five years ago (holy crap, has it really been five years???) With 3Sharp’s gracious permission and blessing, I’ll be duplicating all of the content I’ve posted here over on my personal blog, Devin on Earth. If you have a link or bookmark for this blog or are following me via RSS, please take a moment to update it now (Devin on Earth RSS feed). I’ve got a few new posts cooking, but this will be my last post here.

Thank you to 3Sharp and the best damn co-workers I could ever hope to work with over the years. Thank you, my readers. You all have helped me grow and solidify my skills, and I hope I returned the favor. I look forward to continuing the journey with many of you, even if I’m not sure yet where it will take me.

OneNote 2010 Keeps Your Brains In Your Head

Devin L. Ganger — Tue, 13 Oct 2009 11:03:07 GMT

Some months back, those of you who follow me on Twitter (@devinganger) may have a noticed a series of teaser Tweets about a project I was working on that involved zombies.

Yes, that’s right, zombies. The RAHR-BRAINS-RAHR shambling undead kind, not the “mystery objects in Active Directory” kind.

Well, now you can see what I was up to.

I was working with long-time fellow 3Sharpie David Gerhardt on creating a series of 60-second vignettes for the upcoming Office 2010 application suite. Each vignette focuses on a single new area of functionality in one of the Office products. I got to work with OneNote 2010.

Here’s where the story gets good.

I got brought into the project somewhat late, after a bunch of initial planning and prep work had been done. The people who had been working on the project had decided that they didn’t want to do the same boring business-related content in their OneNote 2010 vignettes; oh, no! Instead, they hit upon the wonderful idea of using a Zombie Plan as the base document. Now, I don’t really like zombies, but this seemed like a great way to spice up a project!

The rest, as they say, is history. Check out the results (posted both at GetSharp and somewhere out on YouTube) for yourself:

One of the best parts of this project, other than getting a chance to learn about some of the wildly cool stuff the OneNote team is doing to enhance an already wonderful product, was the music selection. We worked a deal with local artist Dave Pezzner to use some of his short music clips for these videos. Dave is immensely talented and provided a wide selection of material, so I enjoyed being able to pick and choose just the right music for each video. It did occur to me how cool it would be if I could use Jonathan Coulton’s fantastic song Re: Your Brains, but somehow I think his people lost my query email. Such is life – and I think Mr. Pezzner’s music provided just the right accompaniment to the Zombie Plan content.

Enjoy!

Office 2010 Videos: Part 4

David Gerhardt — Fri, 09 Oct 2009 14:56:20 GMT

Microsoft posted four more of our Office 2010 feature videos on YouTube yesterday, with each one showcasing a different application. I published the videos to GetSharp earlier today...

You might notice that the SharePoint Workspace video is a little longer than most of the other videos we have posted thus far. With SharePoint Workspace being new (well, a newer version of Groove), it was felt that more context was needed for the user to understand what was happening in the video.

There are still more of these feature videos to come...

Office 2010 Videos: Part 3

David Gerhardt — Thu, 24 Sep 2009 12:39:27 GMT

Microsoft posted six more of our Office 2010 feature videos on YouTube yesterday. Devin, who produced the OneNote 2010 videos, and I published them to GetSharp earlier today...

There are still more of these feature videos to come...

Why Aren’t My Exchange Certificates Validating?

Devin L. Ganger — Fri, 21 Aug 2009 14:42:58 GMT

Updated 10/13: Updated the link to the blog article on configuring Squid for Exchange per the request of the author Owen Campbell. Thank you, Owen, for letting me know the location had changed!

By now you should be aware that Microsoft strongly recommends that you publish Exchange 2010/2007 client access servers (and Exchange 2003/2000 front-end servers) to the Internet through a reverse proxy like Microsoft’s Internet Security and Acceleration Server 2006 SP1 (ISA) or the still-in-beta Microsoft Forefront Threat Management Gateway (TMG). There are other reverse proxy products out there, such as the open source Squid (with some helpful guides on how to configure it for EAS, OWA, and Outlook Anywhere), but many of them can only be used to proxy the HTTP-based protocols (for example, the reverse proxy module for the Apache web server) and won’t handle the RPC component of Outlook Anywhere.

When you’re following this recommendation, you keep your Exchange CAS/HT/front-end servers in your private network and place the ISA Server (or other reverse proxy solution) in your perimeter (DMZ) network. In addition to ensuring that your reverse proxy is scrubbing incoming traffic for you, you can also gain another benefit: SSL bridging. SSL bridging is where there are two SSL connections – one between the client machine and the reverse proxy, and a separate connection (often using a different SSL certificate) between the reverse proxy and the Exchange CAS/front-end server. SSL bridging is awesome because it allows you radically reduce the number of commercial SSL certificates you need to buy. You can use Windows Certificate Services to generate and issue certificates to all of your internal Exchange servers, creating them with all of the Subject Alternate Names that you need and desire, and still have a commercial certificate deployed on your Internet-facing system (nice to avoid certificate issues when you’re dealing with home systems, public kiosks, and mobile devices, no?) that has just the public common namespaces like autodiscover.yourdomain.tld and mail.yourdomain.tld (or whatever you actually use).

In the rest of this article, I’ll be focusing on ISA because, well, I don’t know Squid that well and haven’t actually seen it in use to publish Exchange in a customer environment. Write what you know, right?

One of the most irritating experiences I’ve consistently had when using ISA to publish Exchange securely is getting the certificate configuration on ISA correct. If you all want, I can cover certificate namespaces in another post, because that’s not what I’m talking about – I actually find that relatively easy to deal with these days. No, what I find annoying about ISA and certificates is getting all of the proper root CA certificates and intermediate CA certificates in place. The process you have to go through varies on who you buy your certificates from. There are a couple, like GoDaddy, that offer inexpensive certificates that do exactly what Exchange needs for a decent price – but they require an extra bit of configuration to get everything working.

The problem you’ll see is two-fold:

External clients will not be able to connect to Exchange services. This will be inconsistent; some browsers and some Outlook installations (especially those on new Windows installs or well-updated Windows installs) will work fine, while others won’t. You may have big headaches getting mobile devices to work, and the error messages will be cryptic and unhelpful.
While validating your Exchange publishing rules with the Exchange Remote Connectivity Analyzer (ExRCA), you get a validation error on your certificate as shown in Figure 1.

Figure 1: Missing intermediate CA certificate validation error in ExRCA

The problem is that some devices don’t have the proper certificate chain in place. Commercial certificates typically have two or three certificates in their signing chain: the root CA certificate, an intermediate CA certificate, and (optionally) an additional intermediate CA certificate. The secondary intermediate CA certificate is typically the source of the problem; it’s configured as a cross-signing certificate, which is intended to help CAs transition old certificates from one CA to another without invalidating the issued certificates. If your certificate was issued by a CA that has these in place, you have to have both intermediate CA certificates in place on your ISA server in the correct certificate stores.

By default, CAs will issue the entire certificate chain to you in a single bundle when they issue your cert. You have to import this bundle on the machine you issued the request from or else you don’t get the private key associated with the certificate. Once you’ve done that, you need to re-export the certificate, with the private key and its entire certificate chain, so that you can import it in ISA. This is important because ISA needs the private key so it can decrypt the SSL session (required for bridging), and ISA needs all the certificate signing chain so that it can hand out missing intermediate certificates to devices that don’t have them (such as Windows Mobile devices that have the root CA certificates). If the device doesn’t have the right intermediates, can’t download it itself (like Internet Explorer can), and can’t get it from ISA, you’ll get the certificate validation errors.

Here’s what you need to do to fix it:

Ensure that your server certificate has been exported with the private key and *all* necessary intermediate and root CA certificates.
Import this certificate bundle into your ISA servers. Before you do this, check the computer account’s personal certificate store and make sure any root or intermediate certificates that got accidentally imported there are deleted.
Using the Certificate MMC snap-in, validate that the certificate now shows as valid when browsing the certificate on your ISA server, as shown in Figure 2.

Figure 2: A validated server certificate signing chain on ISA Server

IMPORTANT STEP: restart the ISA Firewall Service on your ISA server (if you’re using an array, you have to do this on each member; you’ll want to drain the connections before restarting, so it can take a while to complete). Even though the Certificate MMC snap-in validates the certificate, the ISA Firewall only picks up the changes to the certificate chain on startup. This is annoying and stupid and has caused me pain in the past – most recently, with 3Sharp’s own Exchange 2010 deployment (thanks to co-worker and all around swell guy Tim Robichaux for telling me how to get ISA to behave).

Also note that many of the commercial CAs specifically provide downloadable packages of their root CA and intermediate CA certificates. Some of them get really confusing – they have different CAs for different tiers or product lines, so you have to match the server certificate you have with the right CA certificates. GoDaddy’s CA certificate page can be found here.

Some Thoughts on FBA (part 2)

Devin L. Ganger — Fri, 21 Aug 2009 09:20:32 GMT

As promised, here’s part 2 of my FBA discussion, in which we'll talk about the interaction of ISA’s forms-based authentication (FBA) feature with Exchange 2010. (See part 1 here.)

Offloading FBA to ISA

As I discussed in part 1, ISA Server includes the option of performing FBA pre-authentication as part of the web listener. You aren’t stuck with FBA – you can use other pre-auth methods too. The thinking behind this is that ISA is the security server sitting in the DMZ, while the Exchange CAS is in the protected network. Why proxy an incoming connection from the Internet into the real world (even with ISA’s impressive HTTP reverse proxy and screening functionality) if it doesn’t present valid credentials? In this configuration, ISA is configured for FBA while the Exchange 2010/2007 CAS or Exchange 2003 front-end server are configured for Windows Integrated or Basic as shown in Figure 1 (a figure so nice I’ll re-use it):

Figure 1: Publishing Exchange using FBA on ISA

Moving FBA off of ISA

Having ISA (and Threat Management Gateway, the 64-bit successor to ISA 2006) perform pre-auth in this fashion is nice and works cleanly. However, in our Exchange 2010 deployment, we found a couple of problems with it:

The early beta releases of Entourage for EWS wouldn’t work with this configuration; Entourage could never connect. If our users connected to the 3Sharp VPN, bypassing the ISA publishing rules, Entourage would immediately see the Exchange 2010 servers and do its thing. I don’t know if the problem was solved for the final release.

We couldn’t get federated calendar sharing, a new Exchange 2010 feature, to work. Other Exchange 20120 organizations would get errors when trying to connect to our organization. This new calendar sharing feature uses a Windows Live-based central brokering service to avoid the need to provision and manage credentials.

Through some detailed troubleshooting with Microsoft and other Exchange 2010 organizations, we finally figured out that our ISA FBA configuration was causing the problem. The solution was to disable ISA pre-authentication and re-enable FBA on the appropriate virtual directories (OWA and ECP) on our CAS server. Once we did that, not only did federated calendar sharing start working flawlessly, but our Entourage users found their problems had gone away too. For more details of what we did, read on.

How Calendar Sharing Works in Exchange 2010

If you haven’t seen other descriptions of the federated calendar sharing, here’s a quick primer on how it works. This will help you understand why, if you’re using ISA pre-auth for your Exchange servers, you’ll want to rethink it.

In Exchange 2007, you could share calendar data with other Exchange 2007 organizations. Doing so meant that your CAS servers had to talk to their calendar servers, and the controls around it were not that granular. In order to do it, you either needed to establish a forest trust and grant permissions to the other forest’s CAS servers (to get detailed per-user free/busy information) or set up a separate user in your forest for the foreign forests to use (to get default per-org free/busy data). You also have to fiddle around with the Autodiscover service connection points and ensure that you’ve got pointers for the foreign Autodiscover SCPs in your own AD (and the foreign systems have yours). You also have to publish Autodiscover and EWS externally (which you have to do for Outlook Anywhere) and coordinate all your certificate CAs. While this doesn’t sound that bad, you have to do these steps for every single foreign organization you’re sharing with. That adds up, and it’s a poorly documented process – you’ll start at this TechNet topic about the Availability service and have to do a lot of chasing around to figure out how certificates fit in, how to troubleshoot it, and the SCP export and import process.

In Exchange 2010, this gets a lot easier; individual users can send sharing invitations to users in other Exchange 2010 organizations, and you can set up organization relationships with other Exchange 2010 organizations. Microsoft has broken up the process into three pieces:

Establish your organization’s trust relationship with Windows Live. This is a one-time process that must take place before any sharing can take place – and you don’t have to create or manage any service or role accounts. You just have to make sure that you’re using a CA to publish Autodiscover/EWS that Windows Live will trust. (Sorry, there’s no list out there yet, but keep watching the docs on TechNet.) From your Exchange 2010 organization (typically through EMC, although you can do it from EMS) you’ll swap public keys (which are built into your certificates) with Windows Live and identify one or more accepted domains that you will allow to be federated. Needless to say, Autodiscover and EWS must be properly published to the Internet. You also have to add a single DNS record to your public DNS zone, showing that you do have authority over the domain namespace. If you have multiple domains and only specify some of them, beware: users that don’t have provisioned addresses in those specified domains won’t be able to share or receive federated calendar info!
Establish one or more sharing policies. These policies control how much information your users will be able to share with external users through sharing invitations. The setting you pick here defines the maximum level of information that your users can share from their calendars: none, free/busy only, some details, or all details. You can create a single policy for all your users or use multiple policies to provision your users on a more granular basis. You can assign these policies on a per-user basis.
Establish one or more sharing relationships with other organizations. When you want to view availability data of users in other Exchange 2010 organizations, you create an organization relationship with them. Again, you can do this via EMC or EMS. This tells your CAS servers to lookup information from the defined namespaces on behalf of your users – contingent, of course, that the foreign organization has established the appropriate permissions in their organization relationships. If the foreign namespace isn’t federated with Windows Live, then you won’t be allowed to establish the relationship.

You can read more about these steps in the TechNet documentation and at this TechNet topic (although since TechNet is still in beta, it’s not all in place yet). You should also know that these policies and settings combine with the ACLs on users calendar folders, and as is the typical case in Exchange when there are multiple levels of permission, the most restrictive level wins.

What’s magic about all of this is that, at no point along the way other than the initial first step, do you have to worry consciously about the certificates you’re using. You never have to provide or provision credentials. As you create your policies and sharing relationships with other organizations – and other organizations create them with yours – Windows Live is hovering silently in the background, acting as a trusted broker for the initial connections. When your Exchange 2010 organization interacts with another, your CAS servers receive a SAML token from Windows Live. This token is then passed to the foreign Exchange 2010 organization, which can validate it because of its own trust relationship with Windows Live. All this token does is validate that your servers are really coming from the claimed namespace – Windows Live plays no part in authorization, retrieving the data, or managing the sharing policies.

However, here’s the problem: when my CAS talks to your CAS, they’re using SAML tokens – not user accounts – to authenticate against IIS for EWS calls. ISA Server (and, IIRC, TMG) don’t know how to validate these tokens, so the incoming requests can’t authenticate and pass on to the CAS. The end result is that you can’t get a proper sharing relationship set up and you can’t federate calendar data.

What We Did To Fix It

Once we knew what the problem was, fixing it was easy:

Modify the OWA and ECP virtual directors on all of our Exchange 2010 CAS servers to perform FBA. These are the only virtual directories that permit FBA, so they’re the only two you need to change:
Set-OWAVirtualDirectory -Identity "CAS-SERVER\owa (Default Web Site)" -BasicAuthentication $TRUE -WindowsAuthentication $FALSE -FormsAuthentication $TRUE
Set-ECPVirtualDirectory -Identity "CAS-SERVER\ecp (Default Web Site)" -BasicAuthentication $TRUE -WindowsAuthentication $FALSE -FormsAuthentication $TRUE
Modify the Web listener on our ISA server to disable pre-authentication. In our case, we were using a single Web listener for Exchange (and only for Exchange), so it was a simple matter of changing the authentication setting to a value of No Authentication.
Modify each of the ISA publishing rules (ActiveSync, Outlook Anywhere, and OWA):
On the Authentication tab, select the value No delegation, but client may authenticate directly.
On the Users tab, remove the value All Authenticated Users and replace it with the value All Users. This is important! If you don’t do this, ISA won’t pass any connections on!

You may also need to take a look at the rest of your Exchange virtual directories and ensure that the authentication settings are valid; many places will allow Basic authentication between ISA and their CAS servers and require NTLM or Windows Integrated from external clients to ISA.

Calendar sharing and ISA FBA pre-authentication are both wonderful features, and I’m a bit sad that they don’t play well together. I hope that future updates to TMG will resolve this issue and allow TMG to successfully pre-authenticate incoming federated calendar requests.

Office 2010 Videos: Part 2

David Gerhardt — Mon, 17 Aug 2009 07:21:28 GMT

While I was out on vacation, Microsoft posted two more of our Office 2010 feature videos on YouTube. I just published both of them to GetSharp...

We will continue to post these vignettes to GetSharp in the coming weeks...

Stolen Thunder: Outlook for the Mac

Devin L. Ganger — Thu, 13 Aug 2009 12:01:51 GMT

I was going to write up a quick post about the release of Entourage for EWS (allowing it to work in native Exchange 2007, and, more importantly, Exchange 2010 environments) and the announcement that Office 2010 for the Mac would have Outlook, not Entourage, but Paul beat me to it, including my whole take on the thing. So go read his.

For those keeping track at home, yes, I still owe you a second post on the Exchange 2010 calendar sharing. I’m working on it! Soon!

InfoPath 2010 Filtering

David Gerhardt — Mon, 27 Jul 2009 13:12:46 GMT

Control filtering is one of the out-of-the-box features not supported in InfoPath 2007 browser scenarios. The InfoPath team posted a Web service workaround for this, and I described a managed-code fix as well.

With InfoPath 2010, it appears that these workarounds are no longer necessary. In the video I posted earlier this month about richer browser forms, see the filtering functionality at work in an InfoPath 2010 browser scenario. At least that's one big improvement to the browser form experience...

Office 2010 Videos: Part 1

David Gerhardt — Fri, 17 Jul 2009 07:38:39 GMT

Microsoft demonstrated many of the new Office 2010 features this week at the Worldwide Partner Conference. Some of these feature demos were converted to 30-to-60-second vignettes and posted to YouTube. 3Sharp produced many of these vignettes, and I published a few of them to GetSharp as well...

For a sneak preview of Office 2010 functionality, check out these videos. We will be posting more to GetSharp in the coming weeks...

EAS: King of Sync?

Devin L. Ganger — Fri, 10 Jul 2009 19:06:09 GMT

Seven months or so ago, IBM surprised a bunch of people by announcing that they were licensing Microsoft’s Exchange ActiveSync protocol (EAS) for use with a future version of Lotus Notes. I’m sure there were a few folks who saw it coming, but I cheerfully admit that I was not one of them. After about 30 seconds of thought, though, I realized that it made all kinds of sense. EAS is a well-designed protocol, I am told by my developer friends, and I can certainly attest to the relative lightweight load it puts on Exchange servers as compared to some of the popular alternatives – enough so that BlackBerry add-ons that speak EAS have become a not-unheard of alternative for many organizations.

So, imagine my surprise when my Linux geek friend Nick told me smugly that he now had a new Palm Pre and was synching it to his Linux-based email system using the Pre’s EAS support. “Oh?” said I, trying to stay casual as I was mentally envisioning the screwed-up mail forwarding schemes he’d put in place to route his email to an Exchange server somewhere. “Did you finally break down and migrate your email to an Exchange system? If not, how’d you do that?”

Nick then proceeded to point me in the direction of Z-Push, which is an elegant little open source PHP-based implementation of EAS. A few minutes of poking around and I became convinced that this was a wicked cool project. I really like how Z-Push is designed:

The core PHP module answers incoming requests for the http://server/Microsoft-Server-ActiveSync virtual directory and handles all the protocol-level interactions. I haven’t dug into this deeply, but although it appears it was developed against Apache, folks have managed to get it working on a variety of web servers, including IIS! I’m not clear on whether authentication is handled by the package itself or by the web server. Now that I think about it, I suspect it just proxies your provided credentials on to the appropriate back-end system so that you don’t have to worry about integrating Z-Push with your authentication sources.
One or more back-end modules (also written in PHP), which read and write data from various data sources such as your IMAP server, a Maildir file system, or some other source of mail, calendar, or contact information. These back-end modules are run through a differential engine to help cut down on the amount of synching the back-end modules must perform. It looks like the API for these modules is very well thought-out; they obviously want developers to be able to easily write backends to tie in to a wide variety of data sources. You can mix and match multiple backends; for example, get your contact data from one system, your calendar from another, and your email from yet a third system.
If you’re running the Zarafa mail server, there’s a separate component that handles all types of data directly from Zarafa, easing your configuration. (Hey – Zarafa and Z-Push…I wonder if Zarafa provides developer resources; if so, way to go, guys!)

You do need to be careful about the back-end modules; because they’re PHP code running on your web server, poor design or bugs can slam your web server. For example, there’s currently a bug in how the IMAP back-end re-scans messages, and the resulting load can create a noticeable impact on an otherwise healthy Apache server with just a handful of users. It’s a good thing that there seems to be a lively and knowledgeable community on the Z-Push forums; they haven’t wasted any time in diagnosing the bug and providing suggested fixes.

Very deeply cool – folks are using Z-Push to provide, for example, an EAS connection point on their Windows Home Server, synching to their Gmail account. I wonder how long it will take for Linux-based “Exchange killers” (other than Zarafa) to wrap this product into their overall packages.

It’s products like this that help reinforce the awareness that EAS – and indirectly, Exchange – are a dominant enough force in the email market to make the viability of this kind of project not only potentially useful, but viable as an open source project.

Comparing PowerShell Switch Parameters with Boolean Parameters

Devin L. Ganger — Thu, 02 Jul 2009 11:33:07 GMT

If you’ve ever take a look at the help output (or TechNet documentation) for PowerShell cmdlets, you see that they list several pieces of information about each of the various parameters the cmdlet can use:

The parameter name
Whether it is a required or optional parameter
The .NET variable type the parameter expects
A description of the behavior the parameter controls

Let’s focus on two particular types of parameters, the Switch (System.Management.Automation.SwitchParameter) and the Boolean (System.Boolean). While I never really thought about it much before reading a discussion on an email list earlier, these two parameter types seem to be two ways of doing the same thing. Let me give you a practical example from the Exchange 2007 Management Shell: the New-ExchangeCertificate cmdlet. Table 1 lists an excerpt of its parameter list from the current TechNet article:

Table 1: Selected parameters of the New-ExchangeCertificate cmdlet

Parameter Description

GenerateRequest
SwitchParameter)

Use this parameter to specify the type of certificate object to create.

By default, this parameter will create a self-signed certificate in the local computer certificate store.

To create a certificate request for a PKI certificate (PKCS #10) in the local request store, set this parameter to $True.

PrivateKeyExportable
(Boolean)

Use this parameter to specify whether the resulting certificate will have an exportable private key.

By default, all certificate requests and certificates created by this cmdlet will not allow the private key to be exported.

You must understand that if you cannot export the private key, the certificate itself cannot be exported and imported.

Set this parameter to $true to allow private key exporting from the resulting certificate.

On quick examination, both parameters control either/or behavior. So why the two different types? The mailing list discussion I referenced earlier pointed out the difference:

Boolean parameters control properties on the objects manipulated by the cmdlets. Switch parameters control behavior of the cmdlets themselves.

So in our example, a digital certificate has a property as part of the certificate that marks whether the associated private key can be exported in the future. That property goes along with the certificate, independent of the management interface or tool used. For that property, then, PowerShell uses the Boolean type for the -PrivateKeyExportable property.

On the other hand, the –GenerateRequest parameter controls the behavior of the cmdlet. With this property specified, the cmdlet creates a certificate request with all of the specified properties. If this parameter isn’t present, the cmdlet creates a self-signed certificate with all of the specified properties. The resulting object (CSR or certificate) has no corresponding sign of what option was chosen – you could just as easily submit that CSR to another tool on the same machine to create a self-signed certificate.

I hope this helps draw the distinction. Granted, it’s one I hadn’t thought much about before today, but now that I have, it’s nice to know that there’s yet another sign of intelligence and forethought in the PowerShell architecture.

Some Thoughts on FBA (part 1)

Devin L. Ganger — Wed, 01 Jul 2009 20:27:09 GMT

It’s funny how topics tend to come in clumps. Take the current example: forms-based authentication (FBA) in Exchange.

An FBA Overview

FBA was introduced in Exchange Server 2003 as a new authentication method for Outlook Web Access. It requires OWA to be published using SSL – which was not yet common practice at that point in time – and in turn allowed credentials to be sent a single time using plain-text form fields. It’s taken a while for people to get used to, but FBA has definitely become an accepted practice for Exchange deployments, and it’s a popular way to publish OWA for Exchange 2003, Exchange 2007, and the forthcoming Exchange 2010.

In fact, FBA is so successful, that the ISA Server group got into the mix by including FBA pre-authentication for ISA Server. With this model, instead of configuring Exchange for FBA you instead configure your ISA server to present the FBA screen. Once the user logs in, ISA takes the credentials and submits them to the Exchange 2003 front-end server or Exchange 2007 (or 2010) Client Access Server using the appropriately configured authentication method (Windows Integrated or Basic). In Exchange 2007 and 2010, this allows each separate virtual directory (OWA, Exchange ActiveSync, RPC proxy, Exchange Web Services, Autodiscover, Unified Messaging, and the new Exchange 2010 Exchange Control Panel) to have its own authentication settings, while ISA server transparently mediates them for remote users. Plus, ISA pre-authenticates those connections – only connections with valid credentials ever get passed on to your squishy Exchange servers – as shown in Figure 1:

Figure 1: Publishing Exchange using FBA on ISA

Now that you know more about how FBA, Exchange, and ISA can interact, let me show you one mondo cool thing today. In a later post, we’ll have an architectural discussion for your future Exchange 2010 deployments.

The Cool Thing: Kay Sellenrode’s FBA Editor

On Exchange servers, it is possible to modify both the OWA themes and the FBA page (although you should check about the supportability of doing so). Likewise, it is also possible to modify the FBA page on ISA Server 2006. This is a nice feature as it helps companies integrate the OWA experience into the overall look and feel of the rest of their Web presence. Making these changes on Exchange servers is a somewhat well-documented process. Doing them on ISA is a bit more arcane.

Fellow Exchange 2007 MCM Kay Sellenrode has produced a free tool to simplify the process of modifying the ISA 2006 FBA – named, aptly enough, the FBA Editor. You can find the tool, as well as a YouTube video demo of how to use it, from his blog. While I’ve not had the opportunity to modify the ISA FBA form myself, I’ve heard plenty of horror stories about doing so – and Kay’s tool is a very cool, useful community contribution.

In the next day or two (edit: or more), we’ll move on to part 2 of our FBA discussion – deciding when and where you might want to use ISA’s FBA instead of Exchange’s.

ISA 2006 and the fun of a corrupt rule

Tim Robichaux — Tue, 16 Jun 2009 13:07:43 GMT

It always seems like every time one thing if fixed, something else breaks. This morning I was working on Project A and I needed to look something up on our ISA 2006 firewall. While I was there I decided that I would look into, and fix, something odd that was happening with Project B's rule. Well, after fixing the rule into a corrupt state, I now had a Project C to work on as well. Corrupt rules are never fun, but I was able to figure out how to fix it, but I'm sure it's NOT a supported or recommended procedure.

When I was trying to find out exactly what machine we are routing FTP traffic, I wanted to take a look at why my IMAP connections seemed to be getting mail that was MONTHS out of date. Looking up and down the list of rules, I found a duplicate IMAP(S) rule that was pointing to an old IP address of our Exchange 2007 server. I figured that somehow, that might be a reason why I'm not getting the correct e-mail. I clocked into the rule, and changed the internal endpoint to our current Exchange 2010 server, clicked Apply and then OK.

On closing out of the ISA Management Console and looking at my e-mail, I noticed that my Inbox was starting to fill up with alerts from System Center: Operations Manager telling me that there was a problem with the configuration on one of our ISA machines, specifically the one that I was logged into. Side Note: I know I should have been looking at the configuration on the Configuration server, not one of the nodes of the array, but the Configuration server is having problems of its own!!!

Logging into the Configuration server, I opened up the Management Console and noticed that the rule I had edited was missing a bunch of information. Clicking on it (right or left) brought up an error dialog stating that "there is not enough memory to perform the action." After much fumbling and scrolling up and down, I realized that the name of the corrupt rule was the same as one farther down on the list, and when I changed the IP, the rules ended up being exactly the same. This led to the node pushing the change up to the configuration server before it was really sure that it SHOULD, and so, I am stuck with this dumb ghost rule. Since I know that I couldn't affect the corrupt rule, I decided to change the name of the good rule, so they wouldn't match! Brilliant!!! (:

Things weren't quite that simple, however, and when I made any changes to anything else on the server, I wasn't able to commit the changes! I kept getting an error that the corrupt rule needed more information before the changes could be saved. Oops! I even tried Exporting the rule set, removing the offending rule from the XML file, and then Importing it back in, but I ran into the same error.

It was time to bite the bullet and following the somewhat sparse directions from this forum post, I fired up ADAM ADSI Edit to remove the offending rule, once and for all.

Even though the directions weren't the best, it was enough for me to get there, so I'll post a little bit more coherent account:

Log into the machine that's hosting the ADAM database.
Open the ADAM ADSI Edit application by clicking "Start -> All Programs -> ADAM -> ADAM ADSI Edit"
Right-click the ADAM ADSI Edit node in the tree pane, and select "Connect to…"
Leave the Server name the default value of "localhost" and change the Port to "2171"
Select the Distinguished name (DN) or naming context: radio button and enter "CN=FPC2" into the box
Click OK.
In the tree pane, expand the My Connection [localhost:2171] node, and then the following nodes:
- CN=FPC2
- CN=Array-Root
- CN=Arrays
- CN={GUID of affected Array}
- CN=ArrayPolicy
- CN=PolicyRules
Once in the right set of Policy Rules, find the GUID of the offending rule and delete it
Restart the Microsoft ISA Server Storage service to re-populate the cache
Profit!

NOTE: I am pretty sure this is NOT supported. Any time you mess with ANY of the raw editing tools, you stand a big chance of messing things up beyond recovery. DO NOT USE these steps if you are not willing to accept total failure as a possible case.

Office 2007 Marketing Videos

David Gerhardt — Wed, 06 May 2009 07:56:37 GMT

I just uploaded three marketing videos to GetSharp showing features in the 2007 Microsoft Office system:

At first glance these might seem unspectacular, given how late we are in the 2007 release cycle. These videos, however, are essentially a tease for feature videos related to Office 2010, which we will be uploading in the near future.

Setting up a Domino Web Access redirect page

Tim Robichaux — Wed, 29 Apr 2009 09:43:52 GMT

I've been working with Domino and Lotus for a fairly short amount of time, but every time I have to touch it, I find myself gritting my teeth. I've been a Microsoft Exchange admin for a while, but I have a bunch of experience with several different e-mail platforms. While I am not as familiar with many of them as I am with Exchange, I can set up systems, start e-mail flow, provision users and just generally get by. One of the things that helps me do this is the rich environment of help and documentation that exists out on the Internet. Sometimes the gems of wisdom lurk in forums, sometimes they are on a product's support site, but more often than not, someone else has run into the same problem that I am having. This makes me feel a lot more comfortable and at home with a product, when I know that other people are actually using it and willing to SHARE their experiences.

Well, IBM, you have earned my ire in a bad way!

The situation is that one of Domino 8.0.1 systems I'm managing needed to have Domino Web Access set up so that the end user didn't have to know the whole long URL to his or her mail database file. In Microsoft Exchange 2003, 2007, and now 2010, this is a built in feature that, for the most part, works out of the box. So long as the user is configured for Outlook Web Access, they just have to navigate to a website that was installed on the server by default, enter in valid credentials, and off we go.

This is not the case, however for Domino Web Access. By default, once the user is configured to use DWA, they have to type in an exact URL pointing to his or her specific mail database file. I had known this and just ignored it, since Domino didn't install with any web sites enabled as default, but the client wants people to be able to test the DWA experience without having to know that information. So began the journey (my Google searches):

"how to create a lotus notes login page"
"how to create a login page for DWA"
"how to create a login page for Domino web access"

Now, these searches didn't really net me anything useful, so I headed over to IBM's web site and went to the Documentation section to do some digging. After drilling down, I found this page with some helpful steps:

Setting up Domino Web Access Redirect

The Domino Web Access Redirect template (IWAREDIR.NTF) is in the Domino data directory. To set up Domino Web Access Redirect:

Create an application using the IWAREDIR.NTF template.

In the IBM^® Lotus^® Notes^® client, open the application that you created.

Click Setup and follow the prompts to set up Domino Web Access Redirect.

Note If you select MailServer as the Redirection Type under Server Settings, the common name of the Domino mail server must be the same as its fully-qualified TCP/IP domain name. For example, if the mail server field in the Person document is set to serverA/domainA, the server's TCP/IP fully-qualified domain name must be serverA.lotus.com.

Now, I have to say, this was a WTF moment. Once more, I know that I'm not an expert, but I like to think that I can figure things out. This set of instructions, however, left something to be desired. After poking around on the server, I found the template, and with a right-click, I found that "New..." wasn't an option. How am I supposed to create an application?!?!? More Googleing:

"lotus domino create new application from template"
"lotus domino create new application template"

Which led me to this page with some more detailed instructions on completing the FIRST step in the previous set of instructions:

1. Open the Notes client.

2. Choose File-Application-New. The New Application box appears.

3. In the New Application box, select the Blank Composite Application template from the Template list.

4. Enter a title in the Title field. The File name is also created for you from your title. You may change the file name if you wish.

5. Click OK. A blank composite application container appears with a message that the application does not have any content

6. Choose Action-Edit Application to open the Composite Application Editor and begin working on your composite application. You can use the Composite Application Editor to edit the pages, components, and basic properties of a composite application

This set of instructions is not perfect, but I can steal at least the first two, verbatim, and then monkey around with the settings until I manage to create the new application! Woo! Now I'm getting somewhere...

Introduction to Database Availability Groups - Full of WIN! (UPDATED)

Tim Robichaux — Thu, 16 Apr 2009 14:36:10 GMT

Basic Overview

Now that Exchange 2010 has been released to beta, it's now time to talk about all the fun things that we've been working on and working with. To start off with, I want to point everyone over to the actual Exchange 2010 Official site.

Now that I've pointed you at the bits, let's get into some details about Database Availability Groups or "The DAG" as it's called! To start off with, it's a pretty simple concept. The DAG uses Windows Failover Clustering Services and a NEW component in Microsoft Exchange, called Active Manager, to allow automatic failover and uses continuous replication to keep copies of a Mailbox database floating on servers other than the one actually hosting the "active" copy. This is VERY simplistic, but I want to gloss over the details for a moment to build up to the details later. What this means is that now, we can host a bunch of copies of a Mailbox database on several servers (up to 16 servers can be in one DAG) and thanks to the magic of continuous replication, the log files are shipped and we can have multiple, concurrent copies of the database. In the event of a failure, Exchange 2010 "promotes" one of the copies of the database to "active" status and the Mailbox role then takes up the task of serving up the mailboxes on that database. Each database maintains separate status, so one server can host copies of multiple databases and only have some of those copies active at one time. This can be confusing, so let's draw a diagram (ooo, pictures!):

In this diagram, we have three servers, and three copies of each database, one on each server. The "active" database copy is the one with the star. The flow of data from the "active" copy to the "passive" copies is concurrent.

Hopefully, it's clear that a copy of each Mailbox database is hosted on two other servers in this scenario. There are actually several reasons for this, and let's start talking about some cases. In the first one, let's say that we lose MBDB01. In this case, it's just a simple failover and the next preferred server will elevate and start hosting the mailboxes (and for those of you wondering, YES you can set the preferred failover scheme, for example, if you want it to go 1, 3, 2 instead of 1, 2, 3, you can set that). That is a pretty simple case, why else would you want so many copies? In this case, we could use this type of architecture to fail a server, apply patches, and avoid nasty maintenance downtime, but will still be protected if one of the other servers fails during that time. Good 'ole double redundancy. The third case for maintaining at least three copies is that ensures that there are always enough servers in the DAG, up and running, to allow a quorum for the underlying cluster.

All of the mailboxes are hosted on one server, BUT, you are still able to have users access their e-mail, without long, expensive restores or complicated reconfiguration of your DNS or network!

How it actually works

Earlier on, I mentioned that the DAG uses Windows Failover Clustering and continuous replication to build the copies of the database. What is actually happening is (to me at least) much more interesting. The Windows Failover Clustering service is installed just for the purposes of the automatic failover. The way the databases are treated and how they are handled it much like the Exchange 2007 features of CCR with a few of the SCR features thrown in for good measure. One of the big differences between the DAG and CCR is that you can configure the number of database copies which allows you to make full use of the Clustering components. One of the reasons why I used the three server example, above, is because this is what Microsoft has recommended for the cluster to properly determine quorum decisions. You can get by with only two copies, but at least three is the recommended minimum.

One of the great features of using a DAG is that it is completely managed from Exchange. What this means is that when you are configuring the clustering you don't have to be a clustering wizard or HA guru to set it up correctly. Exchange 2010 takes care of all the configuration for you, and as my co-worker Devin says, this is a HUGE win.

What people are saying and doing

All this talk about clustering and data redundancy brings up an interesting conversation that is currently floating around, and that is, with a sufficiently robust DAG structure, do you still have a need for on-site backups? This has opened up a whole can of worms, and I can say that I feel confident that using a properly designed DAG scheme can easily replace many of the functions of standard backups. There are still areas that I would feel more comfortable with a reliable set of backups (database corruption or total site failure), but the DAG can mitigate some of the risks.

That being said, the way that we currently are using our DAG is a little bit different than the scenario I laid out above. To get even more complicated, I have plans to modify our structure to take advantage of Network Load Balancing and turning our current structure into one that it aimed at a high amount of availability! Here's the planned structure:

In this particular case, the plan is to basically mirror the servers using NLB to serve up one logical endpoint for the CAS, HT and UM roles (with the Hub Transport have to be careful to exclude the HT to HT traffic from the NLB, but that's a topic for another post). With that in place, and using the DAG to take care of two copies of a single database, we expand our ability to perform maintenance with minimal downtime to our internal clients while also providing a high amount of uptime in the case of a failure.

EDIT: It looks like, according to Microsoft, the combination of Windows Failover Clustering and Network Load Balancing is NOT SUPPORTED. They also say that it won't work, but I want to give it a try, anyway. This is a big pain since for a small to medium size business, you want to reduce the number of servers you have. This is what the documentation actually has to say:

Unlike Exchange 2007, where clustered mailbox servers required dedicated hardware, Mailbox servers in a DAG can host other Exchange roles (Client Access, Hub Transport, Unified Messaging), providing full redundancy of Exchange services and data with just two servers.

So, now I've talked about the DAG and what it can do, but there is quite a bit more. I'll follow this up shortly with some more advanced features like lag copies, off-site replication and other fun things!

You, too, can Master Exchange

Devin L. Ganger — Thu, 09 Apr 2009 14:08:27 GMT

One of the biggest criticisms I’ve seen of the MCM program, even when it first was announced, was the cost – at a list price of $18,500 for the actual MCM program, discounting the travel, lodging, food, and opportunity cost of lost revenue, a lot of people are firmly convinced that the program is way too expensive for anybody but the bigger shops.

This discussion has of course gone back and forth within the Exchange community. I think part of the pushback comes from the fact that MCM is the next evolution of the Exchange Ranger program, which felt very elitist and exclusive (and by many accounts was originally designed to be, back when it was only a Microsoft-only evolution designed to provide a higher degree of training for Microsoft consultants and engineers to better resolve their own customer issues). Starting off with that kind of background leaves a lot of lingering impressions, and the Exchange community has long memories. Paul has a great discussion of his point of view as a new MCM instructor and shares his take on the “is it worth it?” question.

Another reason for pushback is the economy. The typical argument is, “I can’t afford to take this time right now.” Let’s take a ballpark figure here, aimed at the coming May 4 rotation, just to have some idea of the kinds of numbers folks are thinking about:

Imagine a consultant working a 40-hour week. Her bosses would like her to meet 90% (36 hours) billable. Given two weeks of vacation a year, that 50 weeks at 36 hours a week.
We’ll also imagine that she’s able to bill out at $100/hour. This brings her minimum annual revenue to $180,000. They set her opportunity cost (lost revenue) at $3,600/week.
We’ll assume she have the pre-requisites nailed (MCITP Enterprise Messaging, the additional AD exam for either Windows 2003 or Windows 2008, and the field experience). No extra cost there (otherwise it’s $150/test, or $600 total).
Let’s say her plane tickets are $700 for round-trip to Redmond and back.
And we’ll say that she needs to stay at a hotel, checking in Sunday May 3rd, checking out Sunday May 24th, at a daily rate of $200.
Let’s also assume she’ll need $75 a day for meals.

That works out to $18,500 (class fee) + $700 (plane) + 21 x $275 (hotel + meals) + 3 x $3,600 (opportunity cost of work she won’t be doing) -- $18,500 + $700 + $5,775 + $10,800 = a whopping total of $35,775. That, many people argue, is far too much for what they get out of the course – it represents just over 10 weeks of her regular revenue, or approximately 1/5th of her year’s revenue.

If those numbers were the final answer, they’d be right.

However, Paul has some great talking points in his post; although he focuses on the non-economic piece, I’d like to tie some of those back in to hard numbers.

The level of training. I don’t care how well you know Exchange. You will walk out of this class knowing a lot more and you will be immediately able to take advantage of that knowledge to the betterment of your customers. Plus, you will have ongoing access to some of the best Exchange people in the world. I don’t know a single consultant out there who can work on a problem that is stumping them for hours or days and be able to consistently bill every single hour they spend showing no results. Most of us end up eating time, which shows up in the bottom line. For the sake of argument, let’s say that our consultant ends up spending 30% instead of 10% of her time working on issues that she can’t directly bill for because of things like this. That drops her opportunity cost from $3,600/week to $2,520, or $7,560 for the three weeks (and it means she’s only got an annual revenue of $126,000). If she can reduce that non-billable time, she can increase my efficiency and get more real billable work done in the same calendar period. We’ll say she can gain back 10% of that lost time and get up to only 20% lost time, or 32 hours a week.
The demonstration of competence. This is a huge competitive advantage for two reasons. First, it helps you land work you may not have been able to land before. This is great for keeping your pipeline full – always a major challenge in a rough economy. Second, it allows you to raise your billing rates. Okay, true, maybe you can’t raise your billing rates for all the work that you do for all of your customers, but even some work at a higher rate directly translates to your pocket book. Let’s say she can bill 25% of those 32 hours at $150/hour. That turns her week’s take into (8 x $150) + (24 x $100) = $1,200 + $2,400 = $3,600. That modest gain in billing rates right there compensates for the extra 10% loss of billing hours and pays for itself every 3-4 weeks.

Let’s take another look at those overall numbers again. This time, let’s change our ballpark with numbers more closely matching the reality of the students at the classes:

There’s a 30% discount on the class, so she pays only $12,950 (not $18,500).
We’ll keep the $700 for plane tickets.
From above, we know that her real lost opportunity cost is more like $7,560 (3 x $2,520 and not the $10,800 worst case).
She can get shared apartment housing with other students right close to campus for more like $67 a night (three bedrooms).
Food expenses are more typically averaged out to $40 per day. You can, of course, break the bank on this during the weekends, but during the days you don’t really have time.

This puts the cost of her rotation at $12,950 + $700 + (21 x $107) + $7,560, or $23,457. That’s only 66% – two-thirds – of the worst-case cost we came up with above. With her adjusted annual revenue of $126,000, this is only 19%, or just less than 1/5th of her annual revenue.

And it doesn’t stop there. Armed with the data points I gave above, let’s see how this works out for the future and when the benefits from the rotation pay back.

Over the year, our hypothetical consultant, working only a 40-hour work week (I know, you can stop laughing at me now) brings in 50 x $2,520 = $126,000. The MCM rotation represents 19% of her revenue for the year before costs.

However, let’s figure out earning potential in that same year: (47 x $3,600) - ($13,650 + $700 + $2247) = $152,603. That’s a 20% increase.

Will these numbers make sense for everyone? No, and I’m not trying to argue that they do. What I am trying to point out, though, is that the business justification for going to the rotation may actually make sense once you sit down and work out the numbers. Think about your current projects and how changes to hours and billing rates may improve your bottom line. Think about work you haven’t gotten or been unwilling to pursue because you or the customer felt it was out of your league. Take some time to play with the numbers and see if this makes sense for you.

If it does, or if you have any further questions, let me know.

Fixing interoperability problems between OCS 2007 R2 Public Internet Connectivity and AOL IM

Devin L. Ganger — Tue, 07 Apr 2009 13:19:34 GMT

One of the cool things you can do with OCS is connect your internal organization to various public IM clouds (MSN/Windows Live, Yahoo!, and AOL) using the Public Internet Connectivity, or PIC, feature. As you might imagine, though, PIC involves lots of fiddly bits that all have to work just right in order for there to be a seamless user experience. Recently, lots of people deploying OCS 2007 R2 have been reporting problems with PIC – specifically, in getting connectivity to the AOL IM cloud working properly.

Background

It turns out that the problem has to do with with changes that were made to the default SSL algorithm negotiations made in Windows Server 2008. If you deployed OCS 2007 R2 Edge roles on Windows Server 2003, you’d be fine; if you used Windows 2008, you’d see problems.

When an HTTP client and server connect (and most IM protocols use HTTPS or HTTP + TLS as a firewall-friendly transport[1]), one of the first things they do is negotiate the specific suite of cryptographic algorithms that will be used for that session. The cipher suite includes three components:

Key exchange method – this is the algorithm that defines the way that the two endpoints will agree upon a shared symmetric key for the session. This session key will later be used to encrypt the contents of the session, so it’s important for it to be secure. This key should never be passed in cleartext – and since the session isn’t encrypted yet, there has to be some mechanism to do it. Some of the potential methods allow digital signatures, providing an extra level of confidence against a man-in-the-middle attack. There are two main choices: RSA public-private certificates and Diffie-Hellman keyless exchanges (useful when there’s no prior communication or shared set of trusted certificates between the endpoints).
Session cipher – this is the cipher that will be used to encrypt all of the session data. A symmetric cipher is faster to process for both ends and reduces CPU overhead, but is more vulnerable in principal to discovery and attack (as both sides have to have the same key and therefore have to exchange it over the wire). The next choice is streaming cipher or cipher block chaining (CBC) cipher? For streaming, you have RC4 (40 and 128-bit variants). For CBC, you can choose RC2 (40-bit), DES (40-bit or 56-bit), 3DES (168-bit), Idea (128-bit), or Fortezza (96-bit). You can also choose none, but that’s not terribly secure.
Message digest algorithm – the message digest is a hash cipher used to create the Hashed Message Authentication Code (HMAC), which is used to help verify the integrity of the cipher. It’s also used to guard against an attacker trying to replay this stream in the future and fool the server into giving up information it shouldn’t. In SSL 3.0, this is just a MAC. There are three choices: null (none), MD5 (128-bit), and SHA-1 (160-bit).

Problem

Windows Server 2003 uses the following suites for TLS 1.0/SSL 3.0 connections by default:

TLS_RSA_WITH_RC4_128_MD5 (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 128-bit MD5 HMAC; a safe, legacy choice of protocols, although definitely aging in today’s environment)
TLS_RSA_WITH_RC4_128_SHA (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 160-bit SHA-1 HMAC; a bit stronger than the above, thanks to SHA-1 being not quite as brittle as MD5 yet)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (you can work out the rest)
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA

Let’s contrast that with Windows Server 2008, which cleans out some cruft but adds support for quite a few new algorithms (new suites bolded):

TLS_RSA_WITH_AES_128_CBC_SHA (Using AES 128-bit as a CBC session cipher)
TLS_RSA_WITH_AES_256_CBC_SHA (Using AES 256-bit as a CBC session cipher)
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 (AES 128-bit, SHA 256-bit)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384(AES 128-bit, SHA 384-bit)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521(AES 128-bit, SHA 521-bit)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256(AES 256-bit, SHA 256-bit)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384(AES 256-bit, SHA 384-bit)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521(AES 256-bit, SHA 521-bit)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 (you can work out the rest)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5 (not sure)
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (not sure)
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA

Okay, so take a look at line 20 in the second list – see how TLS_RSA_WITH_RC4_128_MD5 got moved from first to darned near worst? Yeah, well, that’s because AES and SHA-1 are the strongest protocols of their type likely to be commonly supported, so Windows 2008 moves those to the default offered. Unfortunately, this causes problems with PIC to AOL.

Solution

Now that we know what the problem is, what can we do about it? For the fix, check out Scott Oseychik’s post here.

[1] HTTPS is really Hop Through Tightened Perimeters Simply – aka the Universal Firewall Traversal Protocol.

ExMon released (no joke!)

Devin L. Ganger — Wed, 01 Apr 2009 07:28:18 GMT

If you’re tempted to think this is an April Fool’s Day joke, no worries – this is the real deal. Yesterday, Microsoft published the Exchange 2007-aware version of Exchange Server User Monitor (ExMon) for download.

“ExMon?” you ask. “What’s that?” I’m happy to explain!

ExMon is a tool that gives you a real-time look inside your Exchange servers to help find out what kind of impact your MAPI clients are having on the system. That’s right – it’s a way to monitor MAPI connections. (Sorry; it doesn’t monitor WebDAV, POP3, IMAP, SMTP, OWA, EAS, or EWS.) With this release, you can now monitor the following versions of Exchange:

Exchange Server 2007 SP1+
Exchange Server 2003 SP1+
Exchange 2000 Server SP2+

You can find out more about it from TechNet.

Even though the release date isn’t a celebration of April 1st, there is currently a bit of an unintentional joke, as shown by the current screenshot:

Note that while the Date Published is March 31, the Version is only 06.05.7543 – which is the Exchange 2003 version published in 2005, as shown below:

So, for now, hold off trying to download and use it. I’ll update this post when the error is fixed.

Two CCR White Papers from Missy

Devin L. Ganger — Tue, 17 Mar 2009 18:23:37 GMT

This actually happened last week, but I’ve been remiss in getting it posted (sorry, Missy!) Missy recently completed two Exchange 2007 whitepapers, both centered around the CCR story.

The first one, High Availability Choices for Exchange Server 2007: Continuous Cluster Replication or Single Copy Clustering, provides a thorough overview of the questions and issues to be considered by companies who are looking for Exchange 2007 availability:

Large mailbox support. In my experience, this is a major driver for Exchange 2007 migrations and for looking at CCR. Exchange 2007’s I/O performance increases have shifted the balance for the Exchange store being always I/O bound to now sometimes being capacity bound, depending on the configuration, and providing that capacity can be extremely expensive in SCC configurations (that typically rely on SANs). CCR offers some other benefits that Missy outlines.
Points of failure. With SCC, you still only have a single copy of the data – making that data (and that SAN frame) a SPOF. There are mitigation steps you can take, but those are all expensive. When it comes to losing your Exchange databases, storage issues are the #1 cause.
Database replication. Missy takes a good look at what replication means, how it affects your environment, and why CCR offers a best-of-breed solution for Exchange database replication. She also tackles the religious issue of why SAN-based availability solutions aren’t necessarily the best solution – and why people need to re-examine the question of whether Exchange-based availability features are the right way to go.
RTO and RPO. These scary TLAs are popping up all over the place lately, but you really need to understand them in order to have a good handle on what your organization’s exact needs are – and which solution is going to be the best fit for you.
Hardware and storage considerations. Years of cluster-based availability solutions have given many Exchange administrators and consultants a blind spot when it comes to how Exchange should be provisioned and designed. These solutions have limited some of the flexibility that you may need to consider in the current economic environment.
Cost. Talk about money and you always get people’s attention. Missy details several areas of hidden cost in Exchange availability and shows how CCR helps address many of these issues.
Management. It’s not enough to design and deploy your highly available Exchange solution – if you don’t manage and monitor it, and have good operational policies and procedures, your investment will be wasted. Missy talks about several realms of management.

I really recommend this paper for anyone who is interested in Exchange availability. It’s a cogent walkthrough of the major discussion points centering around the availability debate.

Missy’s second paper, Continuous Cluster Replication and Direct Attached Storage: High Availability without Breaking the Bank, directly addresses one of the key assumptions underneath CCR – that DAS can be a sufficient solution. Years of Exchange experience have slowly moved organizations away from DAS to SAN, especially when high availability is a requirement – and many people now write off DAS solutions out of habit, without realizing that Exchange 2007 has in fact enabled a major switch in the art of Exchange storage design.

In order to address this topic, Missy takes a great look at the history of Exchange storage and the technological factors that led to the initial storage design decisions and the slow move to SAN solutions. These legacy decisions continue to box today’s Exchange organizations into a corner with unfortunate consequences – unless something breaks demand for SAN storage.

Missy then moves into how Exchange 2007 and CCR make it possible to use DAS, outlining the multiple benefits of doing so (not just cost – but there’s a good discussion of the money factor, too).

Both papers are outstanding; I highly recommend them.

Haz Firewall, Want Cheezburger

Devin L. Ganger — Tue, 17 Mar 2009 08:57:33 GMT

Although Window Server 2008 offers an impressive built-in firewall, in some cases we Exchange administrators don’t want to have to deal with it. Maybe you are building a demo to show a customer, or a lab environment to reproduce an issue. Maybe you just want to get Exchange installed now and will loop back to deal with fine-tuning firewall issues later. Maybe you have some other firewall product you’d rather use. Maybe, even, you don’t believe in defense in depth – or don’t think server-level firewall is useful.

Whatever the reason, you’ve decided to disable the Windows 2008 firewall for an Exchange 2007 server. It turns out that there is a right way to do it and a wrong way to do it.

The wrong way

This seems pretty intuitive to long-term Exchange administrators who are used to Windows Server 2003. The problem is, the Windows firewall service in Windows 2008 has been re-engineered and works a bit differently. It now includes the concept of profiles, a feature that built into the networking stack at a low level, enabling Windows to identify the network you’re on and apply the appropriate sets of configuration (such as enabling or disabling firewall rules and services).

Because this functionality is now tied into the network stack, disabling the Windows Firewall service and shutting it off can actually lead to all sorts of interesting and hard-to-fix errors.

The right way

Doing it the right way involves taking advantage of those network profiles.

Method 1 (GUI):

Open the Windows Firewall with Advanced Security console (Start, Administrative Tools, Windows Firewall with Advanced Security).
In the Overview pane, click Windows Firewall Properties.
For each network profile (Domain network, Public network, Private network) that the server or image will be operating in, select Firewall state to Off. Typically, setting the Domain network profile is sufficient for an Exchange server, unless it’s an Edge Transport box.
Once you’ve set all the desired profiles, click OK.
Close the Windows Firewall with Advanced Security console.

Method 2 (CLI):

Open your favorite CLI interface: CMD.EXE or PowerShell.
Type the following command:

netsh advfirewall set profiles state off

Fill in profiles with one of the following values:
- DomainProfile -- the Domain network profile. Typically the profile needed for all Exchange servers except Edge Transport.
- PrivateProfile -- the Private network profile. Typicall the profile you'll need for Edge Transport servers if the perimeter network has been identified as a private network.
- PublicProfile -- the Public network profile. Typicall the profile you'll need for Edge Transport servers if the perimeter network has been identified as a public network (which is what I'd recommend).
- CurrentProfile -- the currently selected network profile
- AllProfiles -- all network profiles
Close the command prompt.

And there you have it – the right way to disable the Windows 2008 firewall for Exchange Server 2007, complete with FAIL/LOLcats.

White Paper Announcement - CCR and DAS

Missy Koslosky — Tue, 10 Mar 2009 12:28:48 GMT

My new white paper on CCR and DAS is now available!!

Continuous Cluster Replication and Direct Attached Storage: High Availability Without Breaking the Bank can be found on 3Sharp's Notable Accomplishments page, or downloaded directly from the link I've provided. Here's a quick synopsis of the paper:

The days of 2GB drives, tiny user mailbox sizes, and limiting Exchange Server to run on a single database have long since passed; storage options now abound, and disk space is cheap. Over the past ten years, storage area networks (SANs) have become ubiquitous, and IT management has often been persuaded that all data should reside on the SAN. However, the idea that the SAN is the best option for Exchange Server storage needs to be revisited; there are other options available today that provide the necessary reliability at greatly reduced cost.

The choice of building Exchange Server 2007 as a 64-bit architecture, and the availability of massive, cheap RAM, leads to greatly-reduced input/output operations per second (IOPS) for disk access. The synchronicity between this fact, and the availability of cheap disk space allows organizations to rethink their approach to storage. In this whitepaper, we explain the benefits of using Direct Attached Storage (DAS) as opposed to a SAN for Exchange Server Cluster Continuous Replication (CCR). We argue the use of DAS for CCR clusters, and provide a counterpoint to the idea that a SAN is the best storage option for CCR deployments.

White Paper Announcement - CCR or SCC?

Missy Koslosky — Tue, 10 Mar 2009 12:23:32 GMT

My new white paper on CCR vs. SCC is now available!!

High Availability Choices for Exchange Server 2007: Continuous Cluster Replication or Single Copy Clustering can be found on 3Sharp's Notable Accomplishments page, or downloaded directly from the link I've provided. Here's a quick synopsis of the paper:

With today's reliance on e-mail services, the need for highly available systems where messaging services must be accessible at all times has become more apparent, and organizations are making significant investments in their messaging systems. Many organizations have come to the conclusion that redundancy is the only reliable way to keep e-mail services continuously available to their users. Exchange Server 2007 includes numerous high availability options that provide continuity of service and redundancy to help ensure messaging services are always up and operational. This whitepaper describes the benefits of Cluster Continuous Replication (CCR) for Exchange Server 2007, in contrast with Single Copy Clustering (SCC), and details the advantages and disadvantages of each.

Off-topic: trying to refurbish a Mac mini

Devin L. Ganger — Tue, 10 Mar 2009 11:30:50 GMT

Full details on my home blog.

Migrating OCS 2007 to OCS 2007 R2 (Part 1 of Many)

Tim Robichaux — Tue, 03 Mar 2009 21:41:04 GMT

With all the nifty features and functions that are available in the new version of OCS, I can't really see a reason to hold back and NOT migrate. Being the type of company that we are, it's important to keep up with the latest products and show that we can make them work. That being said, sometimes it's hard to hit the ground running when you don't have a large customer base for that type of work.

One of the struggles with any small company is that with the limited resources available, sometimes you can't set up a whole new lab environment just to test the new software. In my case, my work on other paying projects put a lot of internal IT projects on hold. This is not to say that the projects were being ignored, just that they took a much lower priority than I would have liked to assigned them.

My current project of love and devotion is our migration as a company to Office Communications Server 2007 R2, which was recently released. This is a big deal to me, being a Unified Communications consultant, so I've taken the time at work and at home to learn about what needs to be done.

I don't want to sit here and outline all the dinky step-by-step screen shots, since I'm sure that there are other sites out there that have those. What I'd rather do is outline the thought process and planning steps that are required for the migration.

Okay, on to the fun stuff... Let's talk about migration paths!

Supported Migration Paths

Microsoft has put a bunch of OCS 2007 R2 documentation on Technet, but none of it is available for download, so I'll just sum up some of the recommendations and provide the link so that you can get more detail about them on the site. Oh, wait... There isn't any more detail!

To start off with, there are two supported upgrade or migration paths:

Side-by-side migration
Uninstall/reinstall

Side-by-side Migration

This is the one that sounded like a really good idea for us, due to my limited time to ensure that everything was set up correctly. In this scenario, you stand up a second pool in the same Forest and then migrate users at your leisure.

Pros:

You have the ability to deploy the environment and validate/test it before you deploy it
It could be done with minimal downtime for users, theoretically no loss of service
Pool co-existence allows for cross communication and migration

Uninstall/reinstall

For this install, the process is dead simple. You remove all the old stuff, and you install the new stuff. Of course, there are more steps to it than that, but the idea is pretty simple. I didn't think that this would be a good fit for us because of the downtime that would be incurred. Okay, who am I kidding? I didn't want to take the time to listen to people complain about downtime. I think we, as a company, could handle it

Pros:

It minimizes the use of extra hardware (rebuild on the same platform)
The installation is simplified when dealing with back ends (more on this in the details)
This is a good chance to completely rebuild and redesign your OCS infrastructure

The Devil is in the Details

When the dust settles, it's all comes down to what actually the details of the situation are. In the case of migrating any production system from one version to another, there are going to be a host of issues and minor settings that can either slip through the cracks, or come back to bite you, later. The details always start out as a high level overview and then drill down to individual check boxes and radio buttons.

In Part 2, I'll cover the details of the Side-by-side Migration and in Part 3 I'll cover the Uninstall/reinstall details. More to follow!

3Sharp blogs

3Sharp Web Site

Public Sector Demos

Comparing Dates in the Data View Web Part

More Office 2010 Videos

Multi-Server PKS Install (Part 2)

Office 2010 Videos: Part 7

Office 2010 Videos: Part 6

Office 2010 Videos: Part 5

2009 SharePoint Conference

Leaving 3Sharp

OneNote 2010 Keeps Your Brains In Your Head

Office 2010 Videos: Part 4

Office 2010 Videos: Part 3

Why Aren’t My Exchange Certificates Validating?

Some Thoughts on FBA (part 2)

Offloading FBA to ISA

Moving FBA off of ISA

How Calendar Sharing Works in Exchange 2010

What We Did To Fix It

Office 2010 Videos: Part 2

Stolen Thunder: Outlook for the Mac

InfoPath 2010 Filtering

Office 2010 Videos: Part 1

EAS: King of Sync?

Comparing PowerShell Switch Parameters with Boolean Parameters

Some Thoughts on FBA (part 1)

An FBA Overview

The Cool Thing: Kay Sellenrode’s FBA Editor

ISA 2006 and the fun of a corrupt rule

Office 2007 Marketing Videos

Setting up a Domino Web Access redirect page

Introduction to Database Availability Groups - Full of WIN! (UPDATED)

Basic Overview

How it actually works

What people are saying and doing

You, too, can Master Exchange

Fixing interoperability problems between OCS 2007 R2 Public Internet Connectivity and AOL IM

Background

Problem

Solution

ExMon released (no joke!)

Two CCR White Papers from Missy

Haz Firewall, Want Cheezburger

The wrong way

The right way

White Paper Announcement - CCR and DAS

White Paper Announcement - CCR or SCC?

Off-topic: trying to refurbish a Mac mini

Migrating OCS 2007 to OCS 2007 R2 (Part 1 of Many)

Supported Migration Paths

Side-by-side Migration

Pros:

Uninstall/reinstall

Pros:

The Devil is in the Details