Site Sections
Posts
254
Comments
120
Trackbacks
120
January 2007 Entries
In with the old, in with the new

I've had two technological experiences this morning that can be summed up thusly: I love living in the future!

The first involved the new VoIP PBX we had installed earlier this week. The installer kindly left the TAPI integration driver on my desk for me, so I loaded it up this morning. A few minutes of setting up my new dialing rules for this location and I was placing calls directly from my Address Book:

Call options within Outlook
Call options within Outlook

When you select the call, you get the following window:

The New Call window
The New Call window

Click Start Call and your PC contacts the PBX and establishes the call. Once it's dialed, the PBX activates the phone set on your desk, placing it into speakerphone automatically. How cool is that? It's not bleeding-edge technology; I've seen the same configuration with traditional PBXs for several years, but now that I have access to it, this is one piece of technology that will continue to make Outlook my most critical app.

I already live and die around my email, and my choice of mobile device was dictated by the desire to have my calendar and contact data work seamlessly with Outlook; this telephony integration just reinforces that tendency. (And wait until we get Exchange 2007 UM deployed, so I can listen to my voicemail from within Outlook...or from my mobile device, thanks to the wonders of Exchange ActiveSync.)

The second was definitely far more old-school. I wanted to play some music on my desktop system and take advantage of no one else being around to really crank it up. I was about to whip out my 1GB thumb drive and copy a few new songs over when I remembered that I'd packed my old 40GB iPod in my backpack. A minute scrounging around for a spare M-M 1/4" two-channel cable and my iPod was happily pumping my entire music selection through my desktop's Line-In port and out to my speakers, without me even needing to fire up an app. That was cool...how cool would it have been if my iPod and desktop both had Bluetooth so I could have done it without cords?

I love living in the future.

posted @ Saturday, January 27, 2007 11:56 AM | Feedback (1)
And now I make the Internet disappear

A lot of my work at 3Sharp involves working with virtual machines. (And when I say "a lot" I really mean "the majority.") When it comes to working with virtual machines, I have a choice: I can use Virtual PC or Virtual Server. Non-Microsoft virtualization environments offer some nice features, but I usually can't use them for some reason or other. Given my choices, I tend to stick with Virtual Server; it isn't quite as user-friendly in some options as Virtual PC, but it doesn't have some of the brain-dead limitations either.

Today, I found a new way in which Virtual Server helps break machines, at least if you operate it in PEBCAK[1] mode. Let me 'splain. I had to deploy a new test lab environment consisting of six virtual machines configured as a single-domain Active Directory forest with a DNS name of contoso.demo and a NetBIOS name of CONTOSO. The only spare machines that we had to run these virtual machines, which are fairly resource-intensive, were a pair of 64-bit servers hanging around after having just been used for a different project. They were still configured as part of their test domain contoso.com with a NetBIOS name of CONTOSO. Now, I might have expected there to be some problems based on the recurring NetBIOS domain name, but when I deployed the VMs everything worked out fine. Since I had the six VMs split over two machines, I threw a crossover cable onto the second network adapters on the hosts, changed the Internal network to bind to those adapters, and away I went.

Unfortunately, I needed to be able to pass data in and out of the test network, so I did was has become my standard practice: shut down one of the machines (usually the DC, since it inevtiably ends up doing the least amount of work in my labs) and configure a second network interface, bound to the external network. I made the changes and started the VM back up...and suddenly the host falls off the network. Can't talk to the VS web page, can't ping it, can't RDP to it. I walk into the server room and check the console -- no, it's still running, but I can't logon using the cached domain credentials and the local admin password isn't taking. What's going on here?

To make a long story short, I did more poking around and finally came up with a theory. As far as I can tell, what happened was that when the DC started up, about the time the Netlogon service started up and it began registering itself with NetBIOS, it would cause the host's network stack to flip out. The host, you see, was a member of a CONTOSO domain already, and to have another one get announced through its physical interface was apparently too much. My fix was to remove the external network interface; instead, I'll just use a two-step copy process to move data in and out (once from the external network to the host, the second from the host to the guest).

I don't have time to play with it and figure out exactly what happened; is it a quirk of this network driver, of 64-bit Windows Server, or a generic "don't do this" kind of bug with VMs? Does it happen under VPC too? While I wish I could track this down, the reality is that I don't have the time.

[1] Problem Exists Between Chair And Keyboard. Related to the infamous I-D-Ten-T error.

posted @ Thursday, January 18, 2007 1:37 PM | Feedback (0)
Hankering to deploy Exchange 2007?

The busy folks at HP are wasting no time in getting their Exchange 2007 consulting groove on. They've got a ton of guidance on using Exchange 2007 on HP hardware (servers and storage). It makes for interesting reading, seeing the recommendations they're making and the configurations they're using, as real-world deployment and sizing information is still hard to find at this point.

posted @ Wednesday, January 17, 2007 4:32 PM | Feedback (0)
Gaps in PowerShell cmdlet coverage

As I've been working more and more with PowerShell, I've discovered a few gaps in coverage in the cmdlets it offers. Most of my PowerShell noodling has been with Exchange 2007, so represents holes in the Exchange Management Shell extensions, but the one I just ran across is basic PowerShell.

PowerShell provides a series of cmdlets for querying and manipulating Windows Services, among them New-Service, Set-Service, and Get-Service:

  • New-Service, of course, allows me to create a new service instance, including setting dependencies and credentials.
  • With Set-Service I can change various parameters associated with a service: its display name, description, and startup type (Automatic, Manual, or Disabled). However, I can't change its credentials or dependencies.
  • Get-Service is the most disappointing. It doesn't return the startup type parameter, so even though I can return an arbitrary list of services (using built-in rich wildcard support for service names and our friend the where cmdlet to sift through other parameters) I can't tell whether my returned services are set to automatically run or not!

This makes it pretty difficult to use native PowerShell to (say) write a quick script to capture the status of a set of services for later retrival, then shut them down and set them to Disabled for a time. If I were able to capture that status, I could use a second quick script that would use the saved settings and reset the services to their prior configuration. This script would then be generic and could be used in all sorts of situations. Instead, I get to hardwire stuff in or do it by hand.

The second major hole I've found so far is in the Exchange Management Shell extensions, in particular the Set-PublicFolder cmdlet. I've finally figured out the right syntax for specifying multiple servers for the -Replicas parameter, but it would have been really be nice if the cmdlet had distinct -AddReplicaTo and -RemoveReplicaFrom parameters. As it is now, if I'm making changes, I have to capture the existing list of replica databases, add or remove the desired entries, then feed the entire list back in to Set-PublicFolder. If I try to pass in a single database, I overwrite the existing value of Replicas. This may be acceptable for large-scale public folder operations, but it makes it a pain to do quick one-off operations.

This is matched by a minor gripe with Get-PublicFolder: when it displays the replicas in a table or list format, it displays only the database names. If I've named multiple public folder databases the same name (like, say, "Public Folders"), then I can't tell by inspecting this list which servers the replicas are on. I need to indulge in further script-foo to figure it out. Again, this makes casual administration from EMS much more of a chore than it should be.

Finally, I'd like to thank both the Exchange team and the PowerShell team for all the hard work they've done, both on the code and on the docs. My only complaint about the docs is that often there are not enough examples, especially when you have parameters whose use isn't immediately obvious (such as the -Replicas parameter for the Set-PublicFolder cmdlet).

Have you found a puzzling gap in cmdlet coverage? If so, let me know, and I'll start compiling a list.

posted @ Wednesday, January 17, 2007 4:26 PM | Feedback (1)
ISA Server rules for segregating Exchange 2007 Edge and Hub Transport

As promised earlier, here's a quick look at the ISA rules to put in place to properly segregate deploy Exchange 2007 Edge Transport servers in the perimeter network. These rules depend on some fundamental assumptions:

  1. The only hsots that should be allowed to initiate SMTP into the external untrusted network are the Edge servers.
  2. The only hosts that should be allowed to initiate SMTP into the Edge server are the Hub Transport servers.
  3. The Edge servers must be able to initiate SMTP into the Hub Transport servers to relay in incoming mail.
  4. The Hub Transport servers must be able to initiate Edge Subscription connections to the Edge servers over the default custom LDAP ports (TCP 50389 and TCP 50636).
  5. We're only concerned about SMTP; if we need SSL, we'll use TLS over TCP 25.

So, with that in mind, we first need to create two new computer sets:

Computer set: Internal mail servers
  • Add entries for all your HT servers.

 

Computer set: Perimeter mail servers
  • Add entries for all your Edge servers.

Next we create a new protocol:

Protocol: Exchange Edge Subscription
  • TCP 50389 outbound
  • TCP 50636 outbound

And now, we'll create three rules:

Rule: Allow SMTP between perimeter and internal mail servers
  • Action: Allow
  • Protocol: SMTP
  • From: Internal mail servers, Perimeter mail servers
  • To: Internal mail servers, Perimeter mail servers

 

Rule: Allow outbound SMTP from perimeter mail servers
  • Action: Allow
  • Protocol: SMTP
  • From: Perimeter mail servers
  • To: External

 

Rule: Allow Edge Subscription updates
  • Action: Allow
  • Protocol: Exchange Edge Subscription
  • From: Internal mail servers
  • To: Perimeter mail servers

Note that on the "Allow SMTP between perimeter and internal mail servers" rule, we've listed both sets of servers in both the To and From fields. This allows a single rule to cover all SMTP traffic regardless of which side initiates the connection.

Combined with the SCW hardening and other security measures, we've now formed an effective isolation between Edge and the HT servers.

posted @ Thursday, January 11, 2007 7:11 AM | Feedback (3)
Hosted backup MX services considered harmful?

I'm subscribed to a slowly growing number of mailing lists and services that are aimed at keeping journalists and other such folk informed of trends and developments in the IT industry. Last night on one such list run by Ferris Research, I received an article that talks about how the practice of using a backup MX service can cause problems when used in conjunction with an improperly configured SPF/Sender ID screening implementation.

The problem they're addressing: many people who use SPF or Sender ID forget to whitelist the hosts used by their backup MX service. Thus, when messages get submitted to those hosts and passed along, they may fail the SPF/Sender ID checks and cause mail to get improperly rejected or marked as spam.

While the article is for subscribers only, I received permission to quote from the article here:

One way to avoid this situation is to ensure that SPF/SIDF checks are not performed on mail received from the backup mail services. However, this will either negate the effect of part of your spam filtering or require that the backup MX also perform backup spam filtering.

So far, so good...

We recommend, where possible, to simply not use a backup MX. If your primary MX is unavailable, mail should still queue at the sending MTA for several days. The sending MTA should continue to retry periodically until your site is available again. In many ways, backup MX configurations are an anachronism -- a holdover from the days when connectivity was unreliable and some MTAs' queuing algorithms weren't great.

Hold the phone! This is where I disagree with the authors. While most MTAs have decent queuing algorithms and connectivity is usually a lot more stable, those vcery factors have combined to convince many mail admins that it's no longer necessary to hold mail for the once-customary time of 7 days before NDRing it. (Ah, the good old days when everyone ran Sendmail. Of course, I hated Sendmail, but at least you knew what to expect.) And I'm not talking about small, insignificant hosts either. There are many major ISPs and mailing list services that will start bouncing mail in a shorter time than you might think.

And while connectivity is usually good, that's not to say it's perfect. When we moved the office, a simple misconfiguration by our data provider left a fair chunk of our public IP addresses unroutable for several days. It's not hard to conceive of circumstances that could keep your mail servers offline for 48, 72, even 96 hours, and you could very well be losing important messages in that timeframe. Backup MXs are still a very good idea.

The real problem is identified in the first quote: never use backup MX hosts that aren't doing all of the same basic filtering you are. Now, some types of filtering are hard to push out to backup MX hosts (legitimate recipient filtering) and don't really need to be done until the message is ready to enter your organization. However, position-sensitive mechanisms like SPF/Sender ID, RBLs, and other IP-based techniques should be done by the first host that accepts responsibility for them in your domain.

Folks I've talked to are seeing a rise in the right kind of solutions for these problems: hosted MX services and hosted mail services. If you can't maintain your own backup MX servers that have consistent message hygience configurations and features as your primary MX hosts, then you should at least have a service that accepts all incoming mail to you, processes it consistently, and passes the resulting clean feed back to your mail server.

[1] Even so, it's best practice to have your backup MX hosts do your recipient filtering too. Otherwise, they're stuck having accepted responsbility for messages addressed to non-existent recipients, and they're going to generate NDRs. They could very well be contributing to backscatter.

Edit 0723 PST: The author of the article, Richi Jennings, also posted his argument on his blog, so you can go read it there.

posted @ Thursday, January 11, 2007 6:19 AM | Feedback (1)
Usul no longer needs the weirding module!

We work pretty hard at 3Sharp, but we don't work hard all the time. Our new offices have lately been plagued by an infestation of tiny remote-control helicopters. Well, all I can say to that is I need one of these remote-control ornithopters.

I can't think of ornithopters without thinking of Dune (hence the title of this post), but this would be seriously cool to have.

posted @ Thursday, January 11, 2007 5:53 AM | Feedback (0)
A neat trick to increase Outlook performance

Thanks to this nifty article on Exchange 2003 hacks by Exchange MVP Rodney Buike, I learned about the Contig tool. This tool, freely available from Microsoft as part of the SysInternals offerings, offers the ability to perform file-level defragmentation. This can be a good thing for volatile data files such as Outlook's .ost file.

Don't forget the basics, though. Keep the number of items in your Inbox down as much as you can, and try to keep the number of messages in any given folder lower than 1,000. Don't be afraid to make use of folders and a hierarchy. Just as proper use of containers helps you keep physical stuff organized, proper use of folders will keep your mail organized.

posted @ Thursday, January 11, 2007 5:01 AM | Feedback (1)
One interface or two: an Edge case

I'd managed to overlook this during the beta cycle, but yesterday I ran across the following statement in the release Exchange 2007 docs:

"An Edge Transport server that is in the perimeter network typically has two network adapters:
A network adapter that connects to the Internet, or external, network.
A network adapter that connects to the corporate, or internal, network."

Don't believe me? Check it out for yourself.
Update 12 Apr 2007: This month's content update removes this assumption from the documentation, so this is no longer the case.

Now, the way this passage is written, it implies to me that the two network interfaces are directly connected to the appropriate networks. That's not the definition of "perimeter network" I'm familiar with; interfaces that reach out of the perimeter tend to conveniently bypass the other layers of security. Your perimeter network (or networks, if you find multiple perimeter networks to your taste) is protected from direct access by firewalls and proxies. Microsoft can't really be advocating a box with one lead stuck into the external network and the other stuck into my interior network, can they?

I could suppose they mean one box with two interfaces in the perimeter network....but no, that just doesn't make sense unless I'm overlooking something. I already expect my Edge server to live in the perimeter, so I've taken the appropriate steps to harden it, including running the Security Configuration Wizard (SCW). Microsoft's recommended SCW configuration gives you instructions on setting up restrictions in the SCW policy to limit which machines can talk to the Edge server on which ports. By it's nature, an Edge server needs to talk SMTP with at a minimum all external mail servers (I'm making the assumption that you're not using a smarthost) and with the Hub Transport servers in the interior network. However, the LDAP connection for the Edge Subscription information only needs to listen to the interior Hub Transport machines. Microsoft's guidance tells you how to configure the SCW policy to achieve this based on network adapter.

I can see some pros to this approach, but the cons are really getting to me. Yeah, it's easier to define policies by adapter, but I can just as easily configure SCW on a single-interface Edge box to lock down Edge Sucscription to the internal network, allow SMTP to all hosts, and prevent everything else -- and by haivng this single interface actually within my perimeter I can enforce these restrictions in my firewall rules, giving me an extra layer of security. In fact, later today I'll describe the ISA rules I used to secure access to the Edge server after hardening it with SCW.

I've tried to think of compelling reasons why I'd hypothetically want dual interfaces on a perimeter machine. I can think of lots of reasons why I wouldn't:

  • It increases the level of complexity but doesn't really give me an increase in the security it offers. Not only that, I'm more likely to have to replace an interface when hardware goes bad, than I am going to have to change which subnets everything lives on. In our recent office move, I had a server lose its interface and I had to replace it. Had it been my Edge server, would I have remembered to re-configure the SCW policy to tie it into the new interface? (Would I have needed to? I don't know...and I'd be willing to bet there are very few people out there who can answer that off the top of their head, discounting the guys at Microsoft who worked on the SCW). If my policy is based on network addresses and subnets, as long as I configure the new interface with the same address as the old, my policy is still valid.
  • Say I have an attacker go after my Edge server. If this attacker gets into the box, they can shut off the SCW policy and turn on IP forwarding. Boom! Instant egress into my network, bypassing my other controls and layers of security.
  • Speaking of layers of security, I being the conscientious admin[1][2] have of course have deployed IPSec filters on my internal network to make sure that my important machines (like my domain controllers and Exchange servers) won't respond to queries initiated from anywhere other than the trusted hosts on my internal network. These filters just got more complicated; now I have an internal IP address I can't trust incoming traffic from....unless I'm an Exchange server and it's SMTP traffic on TCP25.

So, can anyone help me figure out what I am missing, or is this really the bad guidance that it appears to be?

[1] In the hypothetical situation we're describing here.

[2] Ryan and Doug, I can hear you snickering.

posted @ Thursday, January 11, 2007 4:21 AM | Feedback (3)
My take on the iPhone

iPod. Mac mini. MacBook Pro. OS X. These are Apple products that I have acquired in the last several years and that cause me much love, because for the most part, they just work. So what do I think about the iPhone?

Simple. I think it's going to be a boutique phone/media player for folks with money to burn and who want convergence between their phone, media players, and PDA. It's sleek and has a great-looking UI -- an Apple standard -- but the price tag keeps it from being a casual purchase.

I don't forsee it making inroads into the lucrative corporate messaging environment, though, because it doesn't offer any sort of synchronization support for the full Exchange experience. POP3 and IMAP don't cut it here. There's a reason RIM offers the BES option for BlackBerry devices, because individual cradle synch doesn't cut it. Businesses are demanding and using over-the-air sync with full support for all features of the messaging environment -- contacts, calendars, messaging, documents.

Now, I'm pretty certain the iPhone is going to hurt Windows Mobile in the consumer market...but its lack of support for Exchange or even Notes and Groupwise will keep it out of most enterprises.

BTW, note to Apple: I'd love to be proven wrong about this. You're more than welcome to send me a review unit, once they're available (FCC licensing is still pending according to the note at the bottom of Apple's website today), and I'll happily take it through its paces.

posted @ Wednesday, January 10, 2007 2:48 PM | Feedback (0)
Don't overlook this feature of Exchange 2007

There's one nice feature in Exchange 2007 that I suspect will get overlooked far more than it deserves, and that's the built in support for the Windows Server 2003 SP1 Security Configuration Wizard. Out of the box, the SCW provided support for an impressive number of current-generation Microsoft applications, but the big question was always what would happen when newer versions of software were released.

Exchange 2007 comes with SCW support. While it doesn't register the SCW extensions during installation (or even give you the option of doing so, which would have been a nice touch), the Post-Install steps in the Exchange Management Console (and the Exchange documentation) give you the complete process for using the SCW to harden your Exchange 2007 servers. While the documentation is impressively complete, I found a couple of typos that might put some small bumps in the road.

In the How to Register Exchange Server Role SCW Extensions topic, they give you a couple of command lines to register the extensions used to tell SCW how to secure Exchange 2007. Here's the command lines I ended up using:

Registering the SCW extensions for one or more of the MB, CAS, HT, or UM roles:

scwcmd register /kbname:"Ex2007KB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"

Registering the SCW extensions for the ET role:

scwcmd register /kbname:"Ex2007EdgeKB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"

Let me know how it works for you.

posted @ Wednesday, January 10, 2007 1:09 AM | Feedback (3)
Managing public folders in Exchange 2007

In general, I love Exchange 2007. I love Exchange 2007 with a love that is brighter than the aggregate IQ of a science fiction convention and stronger than the body odor of the RPG section of that same convention[1].

However, one area of Exchange 2007 that I don't love is public folder management. It is a downright shame that the best interface for managing public folders in Exchange 2007 remains the Exchange 2003 System Manager. Creating a simple public folder in the Exchange Management Shell isn't a problem, but the docs are very weak on practical, usable examples of everyday tasks like adding and removing replicas to existing public folders, or working with the system public folders.

There is a great need for an "Exchange 2007 Administrator's Guide to Public Folders." Unfortunately, I don't see it happening any time soon.

[1]I used to be a freelancer in the RPG industry and I've spent my share of time at conventions. I've even run games at conventions, so I get to make this joke.

posted @ Tuesday, January 09, 2007 7:51 PM | Feedback (4)
Using PowerShell to sort mailboxes by size

This weekend I was playing with the Exchange Management Shell while performing some troubleshooting on our Exchange 2007 system and discovered some fun combinations of cmdlets I thought I'd share.

First, let's start with a command that lists all of the mailboxes in a given server, sorted by size. There are two variants for ascending and descending, differing only in the inclusion of the -Descending paramter in the Sort-Object cmdlet in the latter:

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize | `
  Format-Table DisplayName,TotalItemSize

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize -Descending | `
  Format-Table DisplayName,TotalItemSize

Pretty simple stuff, really; your basic pipeline exercise. You can also use Get-Mailbox -Server SERVER | Get-MailboxStatistics like I originally was, but since the Get-MailboxStatistics cmdlet already supports the -Server parameter it would be redundant. If you have some other way you need to define your collection of mailboxes, once you figure out how to define it, pipe the collection into Get-MailboxStatistics and away you go.

Next up, a variant of the same, only this time I want to only show those mailboxes larger than, say 1GB:

Get-MailboxStatistics -Server RED-MSG01 | Where {$_.TotalItemSize -gt 1GB} | `
  Sort-Object -Property TotalItemSize -Descending | Format-Table DisplayName,TotalItemSize

The Where cmdlet gives me access to comparisons against any propertDispy on the collection of objects passed into it, so be careful where you use it in the pipeline. The collection of objects given by Get-Mailbox is not the same collection of objects given by Get-MailboxStatistics, and they will have different sets of properties. And yes, you put multiple Where cmdlets into different places in your pipeline to fine-tune your selections, as the following search for the Kelly brothers illustrates:

Get-Mailbox -Server RED-MSG01 | Where {$_.DisplayName -imatch "kelly"} | `
  Get-MailboxStatistics | Where {$_.TotalItemSize -gt 1GB} | `
  Sort-Object -Property TotalItemSize -Descending | Format-Table DisplayName,TotalItemSize

This would show me all mailboxes whose display name contains the string "kelly" (without considering the case of the characters) and that was larger than 1GB in size. The -imatch comparison is a case-insensitive regular expression match, so I could have gotten fairly fancy in my comparison.

Last one: let's take the list of mailboxes, in ascending order, and feed it to the Move-Mailbox cmdlet. This way, we'll be moving the smaller mailboxes first, allowing us to get through more moves in the beginning and saving the real packrats for last:

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize | `
  Move-Mailbox -TargetDatabase "RED-MSG02\Mailbox Database"

Let me know if you have questions or comments!

posted @ Monday, January 08, 2007 4:33 PM | Feedback (3)
Dr. MacBook (or how I learned to stop right-clicking and love the touchpad)

Score another UI/usability win for Apple. They've done something I never thought anybody could ever do: not only get me to use a trackpad on a laptop, but to like it -- to the point that I don't miss the "eraser mouse" (sometimes called a trackpoint) that I've loved on my IBM Thinkpads. While we're at it, Apple has also managed to convince me that life with one mouse button not only doesn't suck, but can be fun and productive.

As I mentioned in a previous post, I'm now the proud owner of a new Apple MacBook Pro. It's a very sweet laptop -- all sleek burnished aluminum and lush styling -- but when I first unpacked it, I was concerned because the only built-in mousing surface is one of those damnable trackpads. Bleh! I've been a confirmed member of the Church of Apocalypse of Trackpads for years, so I spent a few minutes of anticipation mourning the loss of my little red nubbin, nestled comfortingly between the G, H, and B keys.

Much to my surprise, I immediately found that I was able to live with the MacBook Pro trackpad for a multitude of reasons:

  • The first thing I noticed was that unlike PC trackpads, Apple doesn't have the default configuration set to react to heavy pushes as if it were a mouse button. Years of typing on a Focus keyboard have given me a heavy typing action, and on PC laptops I often find that I've put my finger down on the trackpad just a little too forcefully, causing the computer to interpret it as a left-click. My typical reaction is to disable the trackpad entirely (usually in Device Manager). On the MacBook Pro, you can turn this feature on if you want to....but it's off by default, and you don't really need to because...
  • ...there's only one mouse button. This is a typical Apple-ism (at least until they finally capitulated by creating an optional multi-button mouse for those who just can't live without that sweet sweet right-clicking action), but in the case of the MacBook Pro, it's not a wimpy little button. Heck, no -- this sucker is a good inch deep and five inches wide. It's bigger than the space bar. This means you can easily depress it no matter where your finger is on the trackpad, which oddly enough makes it far superior to the typical split buttons on PC laptops. Only having to lift one hand off the keyboard to use the trackpad means that the other hand can hit the necessary keys to produce the shifted click combos necessary to duplicate the functionality of right-clicking. I've already caught myself trying to do it in Windows.
  • The shape of the Apple touchpad also makes it easier to use, because it replicates the screen in miniature. It's a big long rectangle, just like my screen, in roughly the same proportions. This means that with the right sensitivity settings, I can easily move the mouse across my entire screen without having to re-track my finger.
  • Did I mention that Apple's mouse sensitivity settings actually allowed me to find a setting that worked for me within one or two adjustments? On most PCs, I have to crank it to the maximum and even then, that pointer isn't moving fast enough.

However nice all these reasons are, they're nothing compared to the Big Kahuna: the scrolling feature. This, quite frankly, kicks serious a**. When I use a single finger, OS X moves the cursor over the screen as normal. When I use two fingers in tandem, OS X immediately detects that, figures out which screen region my mouse is in, and scrolls that region if it can be scrolled.

Yes, that's right. Use one finger to move into my web browser, then put down a second finger and immediately scroll through the current page, without having to click to change focus. If I need to zip over and scroll the document in the window next door, I lift a finger, move the cursor, put the finger back down. And it works for both horizontal and vertical scrolling. This, my friends and readers, is Pure Mousing Heaven. It's so easy to use that I have spent more time telling you how it works than you'd need to master it if you were in front of my MacBook Pro (and I were to let you touch it).

Genius, Apple. Genius.

posted @ Saturday, January 06, 2007 6:38 AM | Feedback (1)
Exchange Connections Spring 2007 is coming!

It's already that time of year, when presenters start putting together PowerPoint slide decks. This year, the spring session of Windows/Exchange Connections is April 1-4 and we'll be back in Orlando, FL (although not, sadly, at the Disney Swan and Dolphin hotels as we were last year). I'm used to Paul being there, but this year we'll have two other 3Sharp presenters infiltrating the Windows Connections side of things: David Gerhardt and Doug VanBenthuysen.

I'll be speaking on the following topics:

  • DCAR with Exchange -- Discovery, Compliance, Archival, and Retention: they're challenges every Exchange administrator faces. Whether you're using Exchange 2000, 2003, or 2007, join me to find out how to solve these challenges using Exchange.
  • 10 Tips to Make Your Exchange Server a Good Net Neighbor -- Many Internet mail administrators consider Exchange to be a poorly behaved SMTP MTA. All too often, these perceptions are rooted in configuration errors surrounding Exchange, rather than in any flaw in the product. Learn these common (and in many cases) simple configuration changes you can make that will keep your external mail running smoothly.
  • Iron Chef: Using Powershell with Exchange 2003 -- While the new Exchange Management Shell is only designed to manage Exchange 2007 servers, the underlying Powershell technology can make managing and scripting your Exchange 2000 and 2003 servers a lot easier. Join one of the authors of the Exchange Server Cookbook and learn how to take advantage of Powershell to make scripting Exchange easier than ever.

Drop me a note if you're planning on being there -- I'd love to meet you! And as always, if you've got some practical experience that relates to one or more of the above topics and you think I'd benefit from hearing about, let me know.

posted @ Saturday, January 06, 2007 6:09 AM | Feedback (0)
Maybe now the PIX SMTP screener won't suck

Read this press release on Friday:

SAN JOSE, Calif., January 4, 2007 - Cisco (NASDAQ: CSCO) - Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection.

For many years now, the Cisco PIX firewalls have been a big part of the security landscape. From most reports, they're good boxes and do their jobs well. However, I inevitably watch mail admins come to loathe them with a deep and unending hatred, because they include one of the lamest, most brain-dead SMTP proxy modules in existence. In both the Postfix and Exchange communities, the advice is inevitably, "Oh, you're running a PIX? Shut off the SMTP screener. It's breaking your email."

Now, of course, they're going to have access to the tasty goodness of the IronPort appliances. I've not used one myself, but everyone I know who has raves about them and thinks they're the best thing on earth. It will be very interesting to see whether they continue to be a separate product offering in the next couple of years, or whether they get broken apart for the crunchy technological bits and integrated into existing Cisco offerings.

Of course, I've never been big on the appliance route myself anyway. I want control over my border mail router, and the typical appliance doesn't tend to give you that deep level of access you occasionally need to really understand why things aren't working (and to get them fixed quickly). I have a special dark place in my heart for appliances and appliance makers that reserve backdoor channels into the appliance (which you've bought) to perform specific administrative functions and won't give you that access in return, even when you assure them that yes, you understand that if you break it you'll need to jump through extra hoops/sacrifice extra goats/pay extra money to get it all set right again. It's bad enough to have to pay an ongoing subscription fee for updates to the anti-spam filters; to lock me out of administrative access of the box I bought and paid for is beyond the pale and bespeaks a certain arrogance for one's customers that I don't like to see rewarded with financial success. I'm all for targeting your product to a less-knowledgeable crowd, but when the customer says, "Yes, I understand that this course of action I want to pursue could really break things and that I'll have to pay above and beyond to get it fixed," you give the customer access to their hardware.

Thank goodness for the Exchange 2007 Edge role. I can run it on my hardware of choice, it integrates fully with Active Directory and my Exchange organization without lots of silly generic LDAP configuration, and it will even recognize and use my users' Blocked Senders and Safe Senders lists. I've got decent spam and virus filtering capabilities, I've got lots of other crunchy message hygiene options, and there's a good API for developing additional plugins and functionality. In my opinion, Exchange admins are beter off with Exchange 2007 Edge than any appliance....and then they'll never have to admit to have a PIX mangling their SMTP.

posted @ Saturday, January 06, 2007 5:53 AM | Feedback (0)
Happy new year!

Greetings, everyone. I hope you had a great holiday season. Mine was pretty decent; I received a Macbook Pro and survived the office move. I also got some good news today.

Back to Exchange blogging!

posted @ Wednesday, January 03, 2007 11:52 AM | Feedback (3)
News

Devin has moved on
to new adventures.
This blog is preserved
for historical purposes.

Please follow his
personal blog at:
Devin on Earth

Virtual Devin
Article Categories
Archives
Post Categories
Data Protection
DCAR
Exchange
Other
Security
Unified Communications
Windows