What's New in Microsoft ® Exchange Server 2010 Service Pack 2
UCC206
Scott Schnoll
[email protected]
Principal Technical Writer
Microsoft Corporation
Agenda
• Service Pack 2 (SP2) Development
• Major new features in SP2
  • Outlook Web App (OWA) Mini
  • Hybrid Configuration Wizard
  • Address Book Policies
  • OWA Cross-Site Silent Redirection
Exchange SP2 Development
• Scheduled for public release by end of CY 2011
• Private Technology Adoption Program (TAP) currently running
• Service packs contain bug fixes AND features
• SP2 has ~500 bug fixes and 4 primary new features
• Every bug is triaged for risk, cost and applicability
• Each new feature gets a Functional Spec, a Development Spec and a Test Spec, and undergoes a thorough team review
Technology Adoption Program
• Exchange has a long history in this area: JDP, RDP, TAP
• TAP consists of customers who are prepared to deploy pre-release bits in production
• They get support from Microsoft
• They get access to a private distribution list, a wiki with all the latest info, and conference calls with the Exchange team developing the features
• They get to provide early feedback, change the product and find bugs
OWA Mini
• This feature was driven by demand from markets where browser phones still rule
• Administered using PowerShell
• This is a complete re-write; none of the 2003 code was re-used
• It is built as a set of OWA forms, so it is not a separate application
Managing OWA Mini
• Enabled and disabled using Set-OWAMailboxPolicy:
  Set-OWAMailboxPolicy PolicyName -OWALightEnabled:$True
• OWA Mini is effectively an alternative view of OWA, so OWA mailbox policies and segmentation are inherited
• Any unsupported features in the policy are secure by default (e.g., disabled for OWA Mini)
• Features such as calendar, contacts, etc. can be enabled or disabled on a per-policy basis
• Will ship in all OWA languages
• If a new language is added to OWA, OWA Mini gets it
Hybrid Configuration Wizard
• EMC-based wizard plus cmdlets for setting up on-premises Exchange and Office 365 to work together in Hybrid mode
• Vastly simpler process than the current SP1 manual experience
• What once took ~49 steps now takes 6 (your mileage may vary)
• >80% reduction for the administrator
Address Book Policies
GAL Segmentation
• By default in Exchange, the Global Address List contains every mail-enabled object
• GAL Segmentation means dividing up the GAL and Address Lists
• Why would you want to do this?
  • Legal or compliance reasons – people are not allowed to see each other in the GAL
  • Optimization reasons – you have a huge GAL but operate in smaller logical units
  • Hosting reasons – you want to host multiple organizations on one platform and don't want them seeing each other
GAL Segmentation - History
• In the Exchange 2000 timeframe a KB was released that outlined how to carve up your GAL, but we pulled it when HMC was created
• For 2003, no such paper, but lots of support cases
• For 2007, a new whitepaper was born
• For 2010, we decided to engineer the solution fully into the product
GAL Segmentation - History
• Based on a combination of methods
• Using ACLs on GALs and ALs (Outlook and Exchange ActiveSync)
  • Deny at the root level
  • Allow to a specific AL
  • Requires security group membership and all ACLs to be evaluated
• MsExchQueryBaseDN (for OWA, but not needed since SP1)
  • Specify per user the base OU the user can search from (this means the OU hierarchy is rigid)
• Per-user OAB assignment
  • Specify per user the OAB the user can access
• Relied upon Outlook and Exchange choosing the largest or 'best' GAL when there are a few to choose from
• Using security groups, QBDNs and per-user OABs meant creating users with scripts to get the right settings – or things start to go wrong
• As we change things in Exchange, things can (and did) start to break
• The OU hierarchy was too restrictive for some customers – a user cannot exist in more than one OU
Address Book Policies
• Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
• ABPs work on the principle of direct GAL and Address List assignment rather than allowing or denying access to all available lists
• ABPs only apply to users with mailboxes on Exchange 2010, as they plug in to the Address Book Service on the 2010 SP2 CAS role
• Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user
Address Book Policies
• ABPs work for any client that goes through CAS for directory access and:
  • Opens the address list picker
  • Tries to resolve a name or an alias
  • Adds a room resource to a meeting request
  • Searches the GAL
  • Searches the directory from Outlook Voice Access
  • Queries the directory from a mobile device
  • Views someone's DL memberships, or views the members of a DL
• Yes – if a user in a DL is outside the scope of your ABP, you won't see them
  • This prevents GAL mining by surfing up and down the member/memberOf properties in some scenarios
  • This does mean you might be sending to more people than you think you are… and that MailTips might (apparently) not be telling the truth…
ABP Deployment Considerations
• Deploying ABPs successfully is all about PLANNING and understanding what they can, and cannot, do
• ABPs alone do not result in 'true' separation – smart users can usually figure out ways to get around them or expose some data
  • Examples: delivery reports, DL memberships
• Don't try and use ABPs alone to 'fake' multi-tenancy; it's more complex than that
• ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources
ABP Deployment Considerations
• Use standard, built-in and existing Custom Attributes to represent company/division/class or whatever you want to divide upon
  • DLs don't have Company attributes you can use, so you can't filter on those
  • Custom Attributes are consistent on all mail-enabled objects
• Build simple AL and GAL filters and group them together into ABPs
• Build OABs based on GALs, not ALs
• Make sure a user exists in their own GAL
• Make sure the GAL is a superset of the ALs in an ABP
  • The GAL is the effective ABP scope – if the GAL is smaller than an AL the user has access to, users will be filtered
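The deployment guidance above, as an added example that is not from the deck: one division's ALs, GAL, OAB and ABP are all keyed off the same Custom Attribute, and a check function then verifies the two scoping rules (GAL is a superset of every AL; every assigned user is in their own GAL). It assumes an Exchange 2010 SP2 Management Shell; the division name 'Fabrikam' is a constructed value.

```powershell
# Added example, not from the deck. Assumes an Exchange 2010 SP2 Management Shell
# and that CustomAttribute1 holds the division name on every mail-enabled object;
# 'Fabrikam' is a constructed value.
$Division = 'Fabrikam'
$Filter   = "CustomAttribute1 -eq '$Division'"

# ALs and the GAL key off the same attribute, so the GAL is a superset of the ALs
New-AddressList -Name "$Division Users"  -RecipientFilter "($Filter) -and (RecipientType -eq 'UserMailbox')"
New-AddressList -Name "$Division Groups" -RecipientFilter "($Filter) -and (RecipientType -eq 'MailUniversalDistributionGroup')"
New-AddressList -Name "$Division Rooms"  -RecipientFilter "($Filter) -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"
New-GlobalAddressList -Name "$Division GAL" -RecipientFilter $Filter

# The OAB is built from the GAL, not from the ALs
New-OfflineAddressBook -Name "$Division OAB" -AddressLists "$Division GAL"

New-AddressBookPolicy -Name "$Division ABP" `
    -AddressLists "$Division Users", "$Division Groups" `
    -RoomList "$Division Rooms" `
    -GlobalAddressList "$Division GAL" `
    -OfflineAddressBook "$Division OAB"

# Assign the policy to every mailbox in the division
Get-Mailbox -ResultSize Unlimited -Filter $Filter | Set-Mailbox -AddressBookPolicy "$Division ABP"

# Check the two scoping rules from the deck: every AL member is in the GAL,
# and every mailbox carrying the ABP is in its own GAL. Emits one line per violation.
function Test-AbpScope {
    param([Parameter(Mandatory)][string]$AbpName)
    $abp = Get-AddressBookPolicy -Identity $AbpName
    $gal = Get-GlobalAddressList -Identity $abp.GlobalAddressList
    $inGal = @{}
    Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $gal.RecipientFilter |
        ForEach-Object { $inGal[$_.Guid] = $true }

    foreach ($alId in (@($abp.AddressLists) + @($abp.RoomList) | Where-Object { $_ })) {
        $al = Get-AddressList -Identity $alId
        Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $al.RecipientFilter |
            Where-Object { -not $inGal.ContainsKey($_.Guid) } |
            ForEach-Object { "AL '$($al.Name)' contains $($_.Name), which is outside the GAL and will be filtered" }
    }
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.AddressBookPolicy.Name -eq $AbpName -and -not $inGal.ContainsKey($_.Guid) } |
        ForEach-Object { "Mailbox $($_.Name) is assigned '$AbpName' but is not in its own GAL" }
}

Test-AbpScope -AbpName "$Division ABP"
```

Run the check again after Update-AddressList / Update-GlobalAddressList so the membership it previews matches what the Address Book Service will actually serve.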
Address Book Policies
• ABPs cannot prevent anyone directly connecting to AD and bypassing ABP logic
  • LDAP clients (for example, Outlook Mac/Entourage) will not work with ABPs
• You can't use ABPs if Exchange is installed on a GC, as NSPI is provided by Active Directory, not the Address Book Service
• If you span DLs over ABPs you need to disable Group Management in ECP, as ECP uses Get-Group, which ignores ABPs
• Don't try and mix and match ABPs and ACLs (unless migrating), or use QBDNs
Migration From ACLs
• If you are using an ACL-based model today in 2007, you might be able to migrate without too many problems
  • First create ABPs that mirror your security groups and ACLs
  • Installing 2010 will result in some downtime, as setup must be able to read the Default GAL
  • As you migrate mailboxes, you need to assign an ABP and remove the QBDN from the user object
  • You can also remove the OAB setting, as that comes from the ABP as well
  • You will need to test against YOUR environment
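The per-mailbox migration steps above, as an added example that is not from the deck: once a mailbox has landed on Exchange 2010, pick the ABP that mirrors its legacy ACL security group, assign it, drop the per-user OAB and clear the QBDN. It assumes the Active Directory module is available in an Exchange 2010 SP2 shell; the group-to-ABP mapping and the server name are constructed placeholders.

```powershell
# Added example, not from the deck. Assumes the Active Directory module is loaded
# in an Exchange 2010 SP2 shell and that the constructed hashtable below maps each
# legacy ACL security group to the ABP created to mirror it.
Import-Module ActiveDirectory
$GroupToAbp = @{
    'GAL-ACL-Fabrikam' = 'Fabrikam ABP'
    'GAL-ACL-Contoso'  = 'Contoso ABP'
}

function Convert-MailboxToAbp {
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    # ABPs are enforced by the 2010 Address Book Service, so wait until the mailbox has moved
    if ((Get-ExchangeServer -Identity $mbx.ServerName).AdminDisplayVersion.Major -lt 14) {
        Write-Warning "$($mbx.Name) is still on a pre-2010 server; move it first"
        return
    }
    $user = Get-ADUser -Identity $mbx.SamAccountName -Properties memberOf, msExchQueryBaseDN
    $abp = $null
    foreach ($group in $GroupToAbp.Keys) {
        if ($user.memberOf -contains (Get-ADGroup -Identity $group).DistinguishedName) {
            $abp = $GroupToAbp[$group]; break
        }
    }
    if (-not $abp) { Write-Warning "$($mbx.Name) is in no known ACL group; assign an ABP by hand"; return }

    # Assign the ABP and drop the per-user OAB, which now comes from the ABP
    Set-Mailbox -Identity $mbx.Identity -AddressBookPolicy $abp -OfflineAddressBook $null
    # Clear the QBDN on the user object so the legacy OU-based scope no longer applies
    if ($user.msExchQueryBaseDN) { Set-ADUser -Identity $user -Clear msExchQueryBaseDN }
    # The ACL groups themselves stay until the migration is complete (mixing is only for migration)
    "$($mbx.Name) -> $abp"
}

# Constructed usage: convert every mailbox already on the new 2010 Mailbox server
Get-Mailbox -Server EX2010-MBX1 -ResultSize Unlimited | ForEach-Object { Convert-MailboxToAbp -Identity $_.Identity }
```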
ABPs and Office 365
• Making ABPs work in Office 365 is part of our long-term plan, but it's not as easy as just putting the new code there:
  • Tenant admins cannot today create or manage ALs, GALs or OABs, so they wouldn't be able to create very useful ABPs
  • We would need to allow creation and enforce throttling
  • Lync and SharePoint have their own directory access methods, and so do not respect ABPs
  • Either we try to change that, or customers have to accept that
  • We would also need to add dirsync capability to make the feature easy to manage for hybrid customers
OWA Cross-Site Silent Redirection
• Pre-Exchange 2010 SP2, if you use OWA on a Client Access server (CAS) in the 'wrong' Active Directory site, CAS has a decision to make: it can proxy or redirect the connection to the target site
  • If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access
  • If the target site has an ExternalURL, we show the user a page with a link to click
  • The user clicks the link, logs in again, and gets access
  • The user has to log in twice
• We are removing the need to click the link, which for some scenarios will result in a Single Sign On experience
OWA Cross-Site Silent Redirection
• Disabled by default
  • Out of the box, cross-site manual redirection still occurs
• Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication
• Is only available for intra-org cross-site redirection events
OWA Cross-Site Silent Redirection
• Enabled on Internet-facing CAS, on a per-OWA-virtual-directory basis:
  Set-OWAVirtualDirectory -Identity "CAS1\owa (default Web site)" -CrossSiteRedirectType Silent
• When you enable silent redirection, you will be informed that the target CAS must have an ExternalURL that uses HTTPS
• When you enable silent redirection, you will receive a warning that a single sign-on experience may not be possible if FBA is not enabled
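The two conditions called out above (HTTPS ExternalURL on the target, FBA on both ends for SSO), checked before the switch is flipped, as an added example that is not from the deck. It assumes an Exchange 2010 SP2 shell; the virtual directory identities are constructed placeholders.

```powershell
# Added example, not from the deck. Assumes an Exchange 2010 SP2 shell; the
# virtual directory identities used at the bottom are constructed placeholders.
function Enable-SilentOwaRedirect {
    param(
        [Parameter(Mandatory)][string]$SourceVdir,   # Internet-facing CAS in the site users hit first
        [Parameter(Mandatory)][string]$TargetVdir    # CAS in the site that owns the mailbox
    )
    $src = Get-OwaVirtualDirectory -Identity $SourceVdir
    $tgt = Get-OwaVirtualDirectory -Identity $TargetVdir

    # Hard requirement: silent redirection sends the browser to the target ExternalUrl, which must be HTTPS
    if (-not $tgt.ExternalUrl -or $tgt.ExternalUrl.Scheme -ne 'https') {
        throw "$TargetVdir has no HTTPS ExternalUrl; silent redirection cannot be used"
    }
    # Soft requirement: without FBA on both ends the user is redirected but still prompted to log in again
    if (-not ($src.FormsAuthentication -and $tgt.FormsAuthentication)) {
        Write-Warning "FBA is not enabled on both virtual directories; redirection will not be single sign-on"
    }
    Set-OwaVirtualDirectory -Identity $SourceVdir -CrossSiteRedirectType Silent
    # Return the effective setting so the caller can confirm the change took
    (Get-OwaVirtualDirectory -Identity $SourceVdir).CrossSiteRedirectType
}

Enable-SilentOwaRedirect -SourceVdir 'CAS1\owa (Default Web Site)' -TargetVdir 'CAS2\owa (Default Web Site)'
```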
Experience Before and After
Cue Applause….
Summary
• SP2 includes many bug fixes and four major new features
  • OWA Mini
  • Hybrid Configuration Wizard
  • Address Book Policies
  • OWA Cross-Site Silent SSO Redirection
Resources
• Exchange Team Blog: http://aka.ms/EHLO
• Exchange 2010 Documentation Library: http://aka.ms/Ex2010Docs
Feedback
Your feedback is very important! Please complete an evaluation form!
Thank you!
Questions?
UCC206 Scott Schnoll
Principal Technical Writer
[email protected]
http://blogs.technet.com/scottschnoll
Twitter: @schnoll
You can ask me questions at the "Ask the Expert" zone: November 10, 2011, 12:30 – 13:30