Site Sections
Posts
254
Comments
120
Trackbacks
120
November 2006 Entries
Exchange 2007 Edge and ISA 2006 on the same box???

Back at Exchange Connections, I started hearing rumblings that there was going to be a new recommended configuration for the Exchange 2007 Edge Transport role: place it on the same server as ISA 2006. At first this seems counter-intuitive; I'm used to thinking of ISA as a firewall, and as a general rule you don't want to put additional software on your firewall. However, it starts to make sense when you think about it a bit longer:

  • ISA is a fantastic product line that securely hardens the network stack on whatever server it's installed on, especially when the base OS is hardened first.
  • ISA is an application proxy as well as a firewall and is the recommended tool to use for publishing HTTP access to Exchange (OWA, Outlook Anywhere/RPC over HTTPS, Exchange ActiveSync).
  • The SMTP screener in ISA is an optional component. I personally like it for use with non-Exchange messaging systems, but I'd rather have the full power (and Exchange integration) of Edge being the first server that handles incoming messages. Best of all, I wouldn't have to change firewall porosity to implement this; I'd still be opening SMTP into my Exchange Hub Transport server(s), and the Edge Subscription is pushed from the Hub Transport to the Edge Server -- no incoming port openings required.

Here's the problem: you can't do it. The ISA 2006 server can't be installed on x64 versions of Windows (although the firewall client can), and Exchange 2007 must be used on Windows x64 for production. However, this post on the Exchange team blog originally said the ISA 2006/ configuration. If you scroll down to the comments, you'll see that a couple of readers ask for clarification (one of those names might look somewhat familiar). This morning, I noticed that we've been answered:

I was under the impression that a version of ISA 2006 that would install on x64 was in the works (perhaps I was confused by the x64 firewall client), but that appears to not be the case. So it would seem Exchange & ISA cannot be on the same OS in production.

My thanks to the Exchange team in general, and Scott Landry in particular, for being so quick to answer questions and willing to clarify statements like this. They are an insanely responsive and communicative group of people, and they're the first reason that Exchange 2007 is such a radical departure from the Exchange of yesteryear.

If anyone from the ISA team is reading this: please, please, please get an x64 version of ISA 2006 on the roadmap sooner rather than later. And when you do, specifically take steps to make ISA + Edge a tested configuration. This allows us Exchange folks to more effectively lobby for the use of ISA in our perimeter networks, pointing to the advantages of using Edge *and* ISA to provide the best level of protection for all external access to our Exchange organization.

posted @ Tuesday, November 21, 2006 9:25 AM | Feedback (1)
Getting Rid of PSTs: the session

Not only did I get to start the day with the first time slot, I got to end it with the last one. This session, though, took place in one of the largest individual rooms being used for the various sessions (and yet it was just a part of the vast ballroom that was the site of the various all-hands sessions, including the closing Q&A session). It's intimidating to walk into a room and see not just two screens, but three or four. I was even more intimidated as the attendees starting pouring in. It was a very good-sized crowd, and the people were pretty responsive; I'd been afraid that having the only session after lunch would hurt me.

I want to thank the wonderful audience for this session; they were very responsive to my initial chatter and lent a great deal of energy to me, so I felt that I was able to finish the day with a strong talk and a solid, entertaining performance. My wife has pointed out that I assume a separate persona when I do presentations, a fact that I attribute to my years of theater in high school. As nervous as I was about the large crowd, having that many people definitely helped me focus. I didn't once feel my aching feet, even though I was pacing back and forth during pretty much the entire session.

I got a lot of good questions, and I hope that everyone who didn't get an immediate answer will follow through on emailing me to remind me!

Shoutout to Tom Shinder, who not only sat in on my Sender ID session on Wednesday, but came to this session as well. Thank you for the support; it was deeply appreciated. Also thanks to the Symantec and Mimosa reps who took time to attend the session and introduce themselves to any attendees who wanted to find out more about their archival and PST managemetn solutions.

I want to specially thank Exchange MVP Ed Crowley; his oft-repeated mantra of "There are seldom good technological solutions to behavioral problems" proved to be the core inspiration for this session. Getting rid of PSTs is hard because users see them as useful tools to get their work done. If we want them to cooperate with us, we have to give them a better way to get their work done. Thus was born Devin's Theory of PST Removal:

Any successful attempt to remove PSTs will require the deployment of an email archival solution.

Here is the final version of the slide deck: Getting Rid of PSTs (Powerpoint 2003 format).

posted @ Friday, November 10, 2006 2:25 AM | Feedback (1)
Testing Your Mail Hygiene Solution: the session

It's a particular type of cruel and unusual punishment to be given the first morning slot on the last day of the conference, especially when the big party was the previous evening. Even though I have a clean conscience, I can't help but wonder, just for a moment, which gods of scheduling I've offended. Having said that, I actually had a surprisingly number of attendees; they were a good crowd with a lot of questons. Unfortunately, I feel like I didn't really deliver a great value for them, because I wasn't able to go into the kinds of detail I'd been envisioning when I turned in the proposal. This session was based on our experiences during an actual client contract, and I ended up not being able to talk about the kind of juicy details that help make these kind of presentations a success.

Here is the final version of the slide deck: Testing Your Mail Hygiene Solution (Powerpoint 2003 format).

posted @ Thursday, November 09, 2006 9:56 AM | Feedback (2)
All About Sender ID: the session

I'm now safely back in the speaker's lounge (where I have a reliable network connection). I survived the presentation of All About Sender ID, and I mean that literally; I kept trying to trip on things (like the stairs up to the podium). We didn't have a huge crowd of people, but the folks who came were all wonderful and asked a lot of good questions. My wife Stephanie sat in on the session, as did ISA guru Tom Shinder. After the presentation was over and I was answering questions, Steph went above and beyond the call of duty by pimping my blog on the few occasions I failed to do so.

Without further ado, here is the final version of the slide deck: All About Sender ID (Powerpoint 2003 format).

My next two sessions are both tomorrow, but I'll try to get in another post later today. Time for lunch -- gotta keep up my strength.

Update: fixed the URL. Sorry!

posted @ Wednesday, November 08, 2006 1:45 PM | Feedback (2)
Greetings from Exchange Connections!

Greetings from sunny Las Vegas, where there's no rain, no flooding, and 5,000 attendees of the combined Connections conferences. In just 30 minutes, I'll be starting my first session of the conference, All About Sender ID. This is a reprise of my session from Orlando, with some added content and tweaks. I'll post links to the slide deck after the session is over.

posted @ Wednesday, November 08, 2006 11:02 AM | Feedback (0)
Forefront's Worm List

I'm playing with the Microsoft Forefront Security for Exchange Server, which is in beta right now. I do note that the evaluation/beta now supports 32-bit Exchange 2007. Remember, though, that you can't run 32-bit Exchange 2007 -- and thus 32-bit Forefront -- in a production environment!

We've got some nice 64-bit Dell machines to play with, so our Exchange 2007/Forefront installation is purring along nicely. So far, I'm pretty impressed with it; it's not loading up our test hardware nearly as much as I thought it would be. 64-bit Exchange server rock on toast, that's all I have to say.

One thing that caused me a bit of consternation, though, was when I was checking the auto-update configuration options for the various engines. One of Forefront's claims to fame (coming from the Sybari Antigen lineage) is that it features multiple malware engines, allowing admins to mix and match the engines they think best fit their needs. I was expecting to see the nine engines listed in the Forefront whitepaper (AhnLab, Authentium, CA InoculateIT, CA Vet, Kaspersky, Microsoft, Norman, Sophos, and VirusBuster), but I was surprised to see a tenth engine: the Worm List.

It turns out that this isn't really a separate engine, but rather a performance measure. Instead of wasting CPU time and resources scanning messages that are known worms, Forefront uses a separate list to keep track of worms that can be immediately deleted without the risk of losing a legitimate message. This list is updated as a separate entity from any of the scan engines because it allows Forefront to delete matching messages without passing them to the active scanners.

So, that's why you see ten engines to update when Forefront only offers nine!

posted @ Friday, November 03, 2006 7:37 PM | Feedback (1)
Free greylisting for Exchange Server 2003!

Back in mid-September, I received a comment from Chris Järnåker pointing me to this nifty project he'd written:a greylist SMTP transport sink for Exchange 2003, Exchange 2000, or the IIS SMTP service. Neat idea, I say, especially when I notice that it uses the .NET 2.0 framework. I didn't actually get around to installing it on my home Exchange server until last week, though.

For the past several months, my wife and I have noticed a steady rise in the amount of spam getting past the Exchange IMF and the Outlook Junk Filter. It was pretty clear by looking at the logs that this increase had less to do with the spams getting better at slipping past the filters and more to do with a rise in the sheer volume of messages coming in. In fact, it's a phenomenon that has been pretty noticeable on the Internet level, as this graph demonstrates. We'd gotten to the point where we were having between 25-50 spam messages in the Inbox each day, and that was far too much; back after I'd switched on the IMF and some judicious blocklisting, we'd only had 4-5.

So, how does this greylist sink do?

One word: it's terrific. Yesterday, I got a single -- that's right, one solitary spam in my Inbox. On average, we're back down to 2-3 spams per day. It doesn't seem to be putting that much of a load on the Exchange server, and the default 2-minute delay hasn't resulted in any sort of noticeable slowdown in message delivery.

If you're not familiar with greylisting, it's a spam-blocking strategy that relies on the simple fact that the vast majority of spam runs are produced by software that doesn't actually implement a full SMTP sender. Early spammers tried to bounce spam through existing mail servers, but these are relatively easy to find and shut down (or block, at the router if need be). Instead, the typical spammer now uses a large number of clients (often botnets of zombies, or machines that have been infected with malware and can be remotely controlled by the miscreants) to perform a distributed run of messages. The spam literally comes from hundreds or thousands of discrete IP addresses, making it difficult to control by traditional listing methods.

Enter greylisting. What greylisting does is keep track of the properties of incoming connections, typically some combination of the source IP address, the envelope sender address, and the envelope recipient address. This combination is known as a triplet and is treated as a single data item, even though it's really a composite of three fields. The first time a greylist engine sees a connection from a given triplet, it records that fact in its database and instructs the SMTP server to issue a temporary error. By design, when SMTP-compliant machines get a temporary error, they queue the message up and try to send it again in a short time.

However, queuing and retry is bad news for spamware, because it means messages have to be written to and read from disk. It's easy to open up a few outbound SMTP connections without the user noticing when you're doing it all from memory, but if you start thrashing their disk, sooner or later they're going to catch on that something isn't right with their computer. A lot of spam-sending malware treats temporary errors as equivalent to permanent errors -- more accurately, it treats all errors the same way: drop the message and move on to the next.

Forcing a single resend the first time you see a message with a particular triplet value is, therefore, an excellent way of distinguishing ham from spam. Spammers know it's being used, but many of them don't bother to change their software to accommodate it, because it slows down the resulting spew of crap. It's literally far cheaper for them to instead concentrate on pumping up the volume of spam, hoping to make up the lost revenue from blocked spam in volume.

Chris's greylist uses a local Access-format database file to store the message triplets it's seen. Not only can you adjust which fields you want it to use, you can also specify how many days it remembers them for. I've configured mine for 90 days retention to start and will tune it as necessary. I'm using the full triplet to block on, but this is another value I'll have to keep an eye on, thanks to message lists. Some message software (for good reasons too long to go into in detail right now) generates a unique envelope sender and/or recipient address for each copy of each message it sends out (it's common to see this on mailing lists); these message-specific addresses mean that each incoming message from that host will always generate a unique triplet.

The only issue I've possibly noticed; a couple of days ago, my Exchange server went nuts. Various services were stopping and starting every few minutes, and the result was that the box stopped accepting inbound SMTP for several hours until we noticed it. A simple reboot solved the problem, and I'm not sure whether the greylist was the cause of the problem or merely one of the first victims. If it happens again, I'll have to drop Chris a note and see if he can't help me figure out what's going on.

Updated 11/10: Fixed a dropped quote mark in the URL. You should now be able to follow the link to the greylist homepage.

Updated 11 Sep 2007: The author has just let me know that the product is now called JEP(S) and is available from a new website. Link updated accordingly.

posted @ Friday, November 03, 2006 7:00 PM | Feedback (5)
KC's Insanely Useful Outlook headers macro

Every now and then you run across a tip that makes your whole day better. Thanks to Microsoft's KC Lemson, I've had that experience.

I just installed her most-excellent macro for quickly viewing the Internet headers of a selected message in Outlook into Outlook 2007. Took me three minutes to do and it's already saved me at least that much time. Install it as a button on one of your toolbars, and you can highlight a message, click a button, and immediately have a Notepad session with the headers all displayed (as well as have them in the Clipboard, ready to be pasted into, oh, say, the PowerPoint slide decks you're working on for a presentation you have to give next week...)

Thanks, KC! This is great stuff!

posted @ Friday, November 03, 2006 6:17 PM | Feedback (1)
Bulk creating Exchange mailboxes from a CSV file

The current project I'm working on required me to create a large number of mailbox-enabled user accounts in an Exchange 2007 organization. When you're using Exchange 2007, you need to provision your accounts with Exchange 2007's tools, and the Exchange Management Shell (EMS) makes creating mailboxes quick and easy. Here's the script I used:

$pw = Read-Host "Enter password:" -AsSecureString

get-content mailboxes.txt | foreach {
	$umb=@{}
	$umb.acc, $umb.fn, $umb.ln = $_.split()
	$upn = $umb.acc + '@contoso.com'
	$wn = $umb.fn + ' ' + $umb.ln
	New-Mailbox `
            -Alias $umb.acc `
            -SamAccountName $umb.acc `
            -UserPrincipalName $upn `
            -Name $wn -FirstName $umb.fn `
            -LastName $umb.ln `
            -OrganizationalUnit 'contoso.com/Users' `
            -Password $pw `
            -ResetPasswordOnNextLogon $false `
            -Database 'MBX01\First Storage Group\Mailbox Database'
}

This approach uses the Get-Content cmdlet and a foreach loop to break out each field into a separate variable using the split operator.

It turns out, though, there's an easier way to do it: use the Import-CSV cmdlet. Bharat Suneja shows you how to use it over on his blog. Man, I wish I'd known about that.

Powershell (despite abandoning the cool name of Monad) rocks.

posted @ Friday, November 03, 2006 5:41 PM | Feedback (0)
News

Devin has moved on
to new adventures.
This blog is preserved
for historical purposes.

Please follow his
personal blog at:
Devin on Earth

Virtual Devin
Article Categories
Archives
Post Categories
Data Protection
DCAR
Exchange
Other
Security
Unified Communications
Windows