What's New in Microsoft ® Exchange Server 2010 Service Pack 2


Transcript of What's New in Microsoft ® Exchange Server 2010 Service Pack 2

Page 1: What's New in  Microsoft ® Exchange  Server  2010 Service Pack 2
Page 2

UCC206

What's New in Microsoft® Exchange Server 2010 Service Pack 2

Scott Schnoll
[email protected]
Principal Technical Writer
Microsoft Corporation

Page 3

Agenda

• Service Pack 2 (SP2) Development
• Major new features in SP2
  • Outlook Web App (OWA) Mini
  • Hybrid Configuration Wizard
  • Address Book Policies
  • OWA Cross-Site Silent Redirection

Page 4

Exchange SP2 Development

• Scheduled for public release by end of CY 2011
• Private Technology Adoption Program (TAP) currently running
• Service packs contain bug fixes AND features
  • SP2 has ~500 bug fixes and 4 primary new features
  • Every bug is triaged for risk, cost and applicability
  • Each new feature gets a Functional Spec, a Development Spec, and a Test Spec, and undergoes a thorough team review

Page 5

Technology Adoption Program

• Exchange has a long history in this area: JDP, RDP, TAP
• TAP consists of customers who are prepared to deploy pre-release bits in production
  • They get support from Microsoft
  • They get access to a private distribution list, a Wiki with all the latest info, and conference calls with the Exchange team developing the features
  • They get to provide early feedback, change the product and find bugs

Page 6

OWA Mini

Page 7

OWA Mini

• This feature was driven by demand from markets where browser phones still rule
• Administered using PowerShell
• This is a complete re-write; none of the 2003 code was re-used
• It is built as a set of OWA forms, so it is not a separate application

Page 8

Managing OWA Mini

• Enabled and disabled using Set-OWAMailboxPolicy

  Set-OWAMailboxPolicy PolicyName -OWALightEnabled:$True

• OWA Mini is effectively an alternative view of OWA, so OWA mailbox policies and segmentation are inherited
  • Any features in the policy that OWA Mini does not support are secure by default (i.e., disabled for OWA Mini)
  • Features such as calendar, contacts, etc., can be enabled or disabled on a per-policy basis
• Will ship in all OWA languages
  • If a new language is added to OWA, OWA Mini gets it

Page 9

Hybrid Configuration Wizard

Page 10

Hybrid Configuration Wizard

• EMC-based wizard plus cmdlets for setting up on-premises Exchange and Office 365 to work together in Hybrid mode
• Vastly simpler process than the current SP1 manual experience
• What once took ~49 steps now takes 6 (your mileage may vary)
  • >80% reduction for the administrator

Page 11

Address Book Policies

Page 12

GAL Segmentation

• By default in Exchange, the Global Address List contains every mail-enabled object
• GAL Segmentation means dividing up the GAL and Address Lists
• Why would you want to do this?
  • Legal or compliance reasons: people are not allowed to see each other in the GAL
  • Optimization reasons: you have a huge GAL but operate in smaller logical units
  • Hosting reasons: you want to host multiple organizations on one platform and don't want them seeing each other

Page 13

GAL Segmentation - History

• In the Exchange 2000 timeframe a KB article was released that outlined how to carve up your GAL, but we pulled it when HMC was created
• For 2003, no such paper, but lots of support cases
• For 2007, a new whitepaper was born
• For 2010, we decided to engineer the solution into the product fully

Page 14

GAL Segmentation - History

• Based on a combination of methods
• Using ACLs on GALs and ALs (Outlook and Exchange ActiveSync)
  • Deny at the root level
  • Allow to a specific AL
  • Requires security group membership and all ACLs to be evaluated
• MsExchQueryBaseDN (for OWA, but not needed since SP1)
  • Specify per user the base OU the user can search from (this means the OU hierarchy is rigid)
• Per-user OAB assignment
  • Specify per user the OAB the user can access
• Relied upon Outlook and Exchange choosing the largest or 'best' GAL when there are a few to choose from

Page 15

GAL Segmentation - History

• Using security groups, QBDNs and per-user OABs meant creating users with scripts to get the right settings, or things start to go wrong
• As we change things in Exchange, things can (and did) start to break
• The OU hierarchy was too restrictive for some customers: a user cannot exist in more than one OU

Page 16

Address Book Policies

• Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
• ABPs work on the principle of direct GAL and Address List assignment rather than allowing or denying access to all available lists
• ABPs only apply to users with mailboxes on Exchange 2010, as they plug in to the Address Book Service on the 2010 SP2 CAS role
• Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user

Page 17

Address Book Policies

• ABPs work for any client that goes through CAS for directory access and:
  • Opens the address list picker
  • Tries to resolve a name or an alias
  • Adds a room resource to a meeting request
  • Searches the GAL
  • Searches the directory from Outlook Voice Access
  • Queries the directory from a mobile device
  • Views someone's DL memberships, or views the members of a DL
• Yes: if a user in a DL is outside the scope of your ABP, you won't see them
  • This prevents GAL mining by surfing up and down the member/memberOf properties in some scenarios
  • This does mean you might be sending to more people than you think you are... and that MailTips might (apparently) not be telling the truth...

Page 18

ABP Deployment Considerations

• Deploying ABPs successfully is all about PLANNING and understanding what they can, and cannot, do
• ABPs alone do not result in 'true' separation: smart users can usually figure out ways to get around them or expose some data
  • Examples: delivery reports, DL memberships
• Don't try to use ABPs alone to 'fake' multi-tenancy; it's more complex than that
• ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources

Page 19

ABP Deployment Considerations

• Use standard, built-in and existing Custom Attributes to represent company/division/class or whatever you want to divide upon
  • DLs don't have Company attributes you can use, so you can't filter on those
  • Custom Attributes are consistent on all mail-enabled objects
• Build simple AL and GAL filters and group them together into ABPs
• Build OABs based on GALs, not ALs
• Make sure a user exists in their own GAL
• Make sure the GAL is a superset of the ALs in an ABP
  • The GAL is the effective ABP scope: if the GAL is smaller than an AL the user has access to, users will be filtered
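The planning rules on this slide, worked through as an added PowerShell example that is not part of the deck: one division keyed on CustomAttribute1, with the GAL filter as the superset of every AL filter, an OAB built from the GAL, and two checks (AL members outside the GAL, users not in their own GAL). The division name "Contoso" is a constructed sample value; it assumes an Exchange 2010 SP2 Management Shell.

```powershell
# Added example, not from the deck. Assumes CustomAttribute1 holds the
# division name on every mail-enabled object; "Contoso" is a sample value.
$division = "Contoso"

# 1. Simple recipient filters. The GAL must be a superset of every AL it is
#    grouped with, so each AL filter only narrows the GAL filter.
$galFilter = "CustomAttribute1 -eq '$division'"
$usersAL   = "(CustomAttribute1 -eq '$division') -and (RecipientType -eq 'UserMailbox')"
$roomsAL   = "(CustomAttribute1 -eq '$division') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"

New-GlobalAddressList -Name "$division GAL"   -RecipientFilter $galFilter
New-AddressList       -Name "$division Users" -RecipientFilter $usersAL
New-AddressList       -Name "$division Rooms" -RecipientFilter $roomsAL

# 2. Build the OAB from the GAL, not from an AL.
New-OfflineAddressBook -Name "$division OAB" -AddressLists "$division GAL"

# 3. Group the lists into one ABP (all four list parameters are required).
New-AddressBookPolicy -Name "$division ABP" `
    -GlobalAddressList  "$division GAL" `
    -OfflineAddressBook "$division OAB" `
    -RoomList           "$division Rooms" `
    -AddressLists       "$division Users"

# 4. Superset check: -RecipientPreviewFilter evaluates a filter without
#    creating anything, so compare each AL's members against the GAL's.
$galMembers = Get-Recipient -RecipientPreviewFilter $galFilter -ResultSize Unlimited |
              Select-Object -ExpandProperty DistinguishedName
foreach ($al in @($usersAL, $roomsAL)) {
    $outside = Get-Recipient -RecipientPreviewFilter $al -ResultSize Unlimited |
               Where-Object { $galMembers -notcontains $_.DistinguishedName }
    if ($outside) {
        Write-Warning "AL filter '$al' returns recipients outside the GAL; they will be filtered:"
        $outside | Select-Object DisplayName, DistinguishedName
    }
}

# 5. Assign the ABP, then audit: anyone carrying this ABP whose attribute
#    later drifts out of the GAL filter no longer sees themselves.
Get-Mailbox -Filter $galFilter -ResultSize Unlimited |
    Set-Mailbox -AddressBookPolicy "$division ABP"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.AddressBookPolicy)" -eq "$division ABP" -and
                   $galMembers -notcontains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "$($_.DisplayName) has $division ABP but is not in $division GAL" }
```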

Page 20

Address Book Policies

• ABPs cannot prevent anyone directly connecting to AD and bypassing ABP logic
  • LDAP clients (for example, Outlook Mac/Entourage) will not work with ABPs
• You can't use ABPs if Exchange is installed on a GC, as NSPI is provided by Active Directory, not the Address Book Service
• If you span DLs over ABPs you need to disable Group Management in ECP, as ECP uses Get-Group, which ignores ABPs
• Don't try to mix and match ABPs and ACLs (unless migrating) or use QBDNs

Page 21

Migration From ACLs

• If you are using an ACL-based model today in 2007, you might be able to migrate without too many problems
  • First create ABPs that mirror your security groups and ACLs
  • Installing 2010 will result in some downtime, as setup must be able to read the Default GAL
  • As you migrate mailboxes, you need to assign an ABP and remove the QBDN from the user object
  • You can also remove the OAB setting, as that comes from the ABP as well
  • You will need to test against YOUR environment
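The per-mailbox step of this migration as an added PowerShell example (not the deck's own code): pick the ABP that mirrors the user's old security group, assign it, drop the per-user OAB, and clear the QBDN. The group-to-ABP table and the identity are constructed sample values; it assumes the mirrored ABPs already exist and the Active Directory module is available alongside the Exchange 2010 SP2 Management Shell.

```powershell
# Added example, not from the deck. Sample mapping from the old security
# groups (constructed names) to the ABPs that mirror them.
Import-Module ActiveDirectory
$groupToAbp = @{
    "GAL-Contoso-Users"  = "Contoso ABP"
    "GAL-Fabrikam-Users" = "Fabrikam ABP"
}

function Convert-MailboxToAbp {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [switch]$WhatIf
    )
    $mbx  = Get-Mailbox -Identity $Identity
    $user = Get-ADUser -Identity $mbx.DistinguishedName -Properties memberOf, msExchQueryBaseDN

    # Choose the ABP from the first mirrored security group the user is in.
    $abp = $null
    foreach ($groupDn in $user.memberOf) {
        $groupName = (Get-ADGroup -Identity $groupDn).Name
        if ($groupToAbp.ContainsKey($groupName)) { $abp = $groupToAbp[$groupName]; break }
    }
    if (-not $abp) {
        Write-Warning "$Identity is in none of the mirrored groups; leaving it unchanged"
        return $null
    }

    # Assign the ABP; the OAB now comes from the ABP, so remove the per-user OAB.
    Set-Mailbox -Identity $mbx.Identity -AddressBookPolicy $abp -OfflineAddressBook $null -WhatIf:$WhatIf

    # Remove the QBDN so OWA no longer depends on the old OU restriction.
    if ($user.msExchQueryBaseDN) {
        Set-ADUser -Identity $user -Clear msExchQueryBaseDN -WhatIf:$WhatIf
    }
    return $abp
}

# Dry run first ("user@contoso.example" is a placeholder identity).
Convert-MailboxToAbp -Identity "user@contoso.example" -WhatIf
```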

Page 22

ABPs and Office 365

• Making ABPs work in Office 365 is part of our long-term plan, but it's not as easy as just putting the new code there:
  • Tenant admins cannot today create or manage ALs, GALs or OABs, so they wouldn't be able to create very useful ABPs
    • We would need to allow creation and enforce throttling
  • Lync and SharePoint have their own directory access methods, and so do not respect ABPs
    • Either we try to change that, or customers have to accept that
  • We would also need to add dirsync capability to make the feature easy to manage for hybrid customers

Page 23

OWA Cross-Site Silent Redirection

Page 24

OWA Cross-Site Silent Redirection

• Pre-Exchange 2010 SP2, if you use OWA on a Client Access server (CAS) in the 'wrong' Active Directory site, CAS has a decision to make: it can proxy or redirect the connection to the target site
  • If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access
  • If the target site has an ExternalURL, we show the user a page with a link to click
    • The user clicks the link, logs in again, and gets access
    • The user has to log in twice
• We are removing the need to click the link, which for some scenarios will result in a Single Sign On experience

Page 25

OWA Cross-Site Silent Redirection

• Disabled by default
  • Out of the box, cross-site manual redirection still occurs
• Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication
• Is only available for intra-org cross-site redirection events

Page 26

OWA Cross-Site Silent Redirection

• Enabled on Internet-facing CAS, on a per-OWA-virtual-directory basis

  Set-OWAVirtualDirectory -Identity "CAS1\owa (default Web site)" -CrossSiteRedirectType Silent

• When you enable silent redirection you will be informed that the target CAS must have an ExternalURL that uses HTTPS (HTTP over SSL)
• When you enable silent redirection, you will receive a warning that a single sign-on experience may not be possible if FBA is not enabled
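The two conditions the cmdlet warns about, checked up front in an added PowerShell example that is not part of the deck: the target site's OWA virtual directory must have an HTTPS ExternalUrl, and single sign-on needs Forms-Based Authentication on both ends. "CAS2" and the function name are assumptions; "CAS1\owa (default Web site)" is the identity used on the slide.

```powershell
# Added example, not from the deck. Pre-flight check before enabling silent
# cross-site redirection on an Internet-facing CAS. Server names are placeholders.
function Test-SilentRedirectReady {
    param(
        [Parameter(Mandatory=$true)][string]$SourceVdir,   # Internet-facing OWA vdir
        [Parameter(Mandatory=$true)][string]$TargetVdir    # OWA vdir in the mailbox's AD site
    )
    $src = Get-OwaVirtualDirectory -Identity $SourceVdir
    $tgt = Get-OwaVirtualDirectory -Identity $TargetVdir
    $ok  = $true

    # Silent redirection requires an HTTPS ExternalUrl on the target site.
    if (-not $tgt.ExternalUrl -or $tgt.ExternalUrl.Scheme -ne "https") {
        Write-Warning "$TargetVdir has no HTTPS ExternalUrl (current: '$($tgt.ExternalUrl)'); redirection cannot be silent"
        $ok = $false
    }

    # Single sign-on only happens when both virtual directories use FBA;
    # without it the redirect still works but the user logs in again.
    if (-not ($src.FormsAuthentication -and $tgt.FormsAuthentication)) {
        Write-Warning "FBA is not enabled on both $SourceVdir and $TargetVdir; users will be prompted to log in again"
    }
    return $ok
}

$source = "CAS1\owa (default Web site)"
$target = "CAS2\owa (default Web site)"   # placeholder for the target-site CAS

if (Test-SilentRedirectReady -SourceVdir $source -TargetVdir $target) {
    Set-OwaVirtualDirectory -Identity $source -CrossSiteRedirectType Silent
    Get-OwaVirtualDirectory -Identity $source |
        Format-List Identity, ExternalUrl, FormsAuthentication, CrossSiteRedirectType
}
```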

Page 27

Experience Before and After

Cue Applause….

Page 28

Summary

• SP2 includes many bug fixes and four major new features
  • OWA Mini
  • Hybrid Configuration Wizard
  • Address Book Policies
  • OWA Cross-Site Silent SSO Redirection

Page 29

Resources

• Exchange Team Blog: http://aka.ms/EHLO
• Exchange 2010 Documentation Library: http://aka.ms/Ex2010Docs

Page 30

Feedback

Your feedback is very important! Please complete an evaluation form!

Thank you!

Page 31

Questions?

UCC206 Scott Schnoll

Principal Technical Writer
[email protected]
http://blogs.technet.com/scottschnoll
Twitter: @schnoll

You can ask me questions at the "Ask the Expert" zone: November 10, 2011 12:30 – 13:30

Page 32