Mailhelp

In order to classify the different types of email users out there, we often talk about "filers" (people who file their emails away into specially-named folders) and "pilers" (people who just leave everything in the Inbox and rely on searching to find the emails that they need). I am definitely not a piler because my Inbox seldom has more than seventy messages in it, but, compared to the number of messages that I receive, the number of messages that I file away into a folder is statistically quite small (and, thus, ignorable). Given that I am not a piler and that I am not filing away that many messages, this must mean that I delete a lot of email. This is true. OWA shows me both how many items are in my Deleted Items folder and how many of those items are unread, so I decided to do a quick calculation to determine how much of the deluge of email I am actually reading: i_t - total items in Deleted Items i_u - total unread items in Deleted Items p_r - percentage of items that have been read (i_t - i_u) / i_t * 100 = p_r My Deleted Items folder currently has almost 3000 items spanning about a three week period (I periodically empty this folder for reasons having to do with obsessive tidiness; my office, apartment, and bicycles are submitted as exhibits A, B, and C). About 2000 of these are unread. The exact percentage given the above equation shows that I read 32.91% of my email. I'm going to postpone emptying my Deleted Items folder to see where this value trends to. Are the percentages of email that you are reading significantly different from mine?

Many people use rules to automatically sort messages from various distribution lists into folders in order to keep the volume of email traffic in their inbox to a manageable level. This work for the most part - until someone decides to BCC a list. Since the distribution list isn't visible in the list of recipients, it bypasses all rules and gets dropped in their inbox. This can cause quite a distraction for everyone on that DL because something appeared in their inbox, and it's not quite apparent why they received that message. Mailman and Majordomo have had this problem solved for a while now. It's actually a very simple solution: make sure the name of the mailing list is included in the subject of the email. Then users can set up filters based on words in the subject and they never encounter the problem when someone BCC's the list. Exchange 2007 can do the same thing; it just needs a little help from a custom transport agent. I have written a very basic agent to add the name of the DL into the subject. You can use it as a starting point and add your own features. To install this agent, follow these instructions:

1. Copy ShowDLInSubjectAgent.dll to your transport server. In this example, I place it in C:\MyAgents
2. Open the Exchange Management Shell
3. Type Install-TransportAgent -Name ShowDLInSubjectAgent -TransportAgentFactory ShowDLInSubjectAgent.ShowDLInSubjectFactory -AssemblyPath C:\MyAgents\ShowDLInSubjectAgent.dll
4. Close and restart the Exchange Management Shell.
5. Type Enable-TransportAgent -Identity ShowDLInSubjectAgent
6. Restart the transport service by typing Restart-Service MSExchangeTransport

If all goes well, all emails to a distribution list will now include the name of the DL in the subject of the email. Note: This is a sample transport agent and it is not officially supported by Microsoft. Please see the readme.txt file included in the package for more information. The ZIP file with the binary and the entire source for you to play with is here: ShowDLInSubjectAgent.zip

Related articles by Zemanta

• Push email (contacts and calendar too) on iPhone for free

Recently I came across a situation where it was reported that Connection Filtering stopped working (IPs on the Blocklist and RBLs were no longer being blocked). The solution led me to write this blog to clarify some confusion about "when" connection filtering is applied and how configuration settings are applied when the agents are installed on a Hub server. Let's begin by looking at the online documentation regarding Connection Filtering:

"By default, connection filtering is enabled on the Edge Transport server for inbound messages that come from the Internet but are not authenticated. These messages are handled as external messages. You can disable the filter in individual computer configurations by using the Exchange Management Console or the Exchange Management Shell. When connection filtering is enabled on a computer, the Connection Filter agent filters all messages that come through all Receive connectors on that computer. As noted earlier in this topic, only messages that come from external sources are filtered. External sources are defined as non-authenticated sources. These are considered anonymous Internet sources."

http://technet.microsoft.com/en-us/library/bb123943(EXCHG.80).aspxv-61marf

From this explanation we see 4 things:

1. That Connection Filtering is installed on Edge by default (as are all the other AS agents)
2. Enabled for inbound (ExternalMail) by default
3. For connections that have not authenticated
4. Connection Filtering (and all AS agents) can be disabled/enabled on individual computers

So in the scenario (where connection filtering was no longer blocking) we checked:

1. Get-Transportagent which showed the Connection Filtering agent enabled
2. Get-IPBlocklistconfig which showed True for both Enabled and ExternalMailEnabled (False for InternalMailEnabled - default setting)
3. Get-IpBlocklistentry which contained IPs that should be blocked
4. Confirmed that ActiveDirectory correctly reflected that the agent and config were enabled
5. Agent Logs did not show activity related to the IPs that should be blocked

The missing piece was in understanding that connection filtering is a combination of how the Agents are enabled (noted above) and what rights the connecting SMTP session is granted. Examining the SMTP receive log files indicated that the session was granted all the rights possible (including ByPassAntiSpam) which only occurs with "Externally Secured" Authentication. So here's the way it works: When the AS Filter components "Enabled" and "ExternalMailEnabled" parameters are set to true, any mail that comes in from an SMTP Session anonymously or via a Partner may be scanned. If the AS Filter components "Enabled" and "InternalMailEnabled" parameters are set to true, any mail from an authenticated session may be scanned. Note: Authenticated partner sessions are not considered Internal. So to recap: The following 5 points should be considered when determining whether an AS agent executes against a particular SMTP session.

1) The agent itself must be enabled. i.e. The Connection Filtering agent. Use Get-TransportAgent to determine which agents are installed and enabled/disabled.

2) The Anti-Spam config must be enabled. i.e. Get-IPBlockListconfig | fl enabled

3) Consider whether the Anti-spam component is set for ExternalMailEnabled and/or InternalMailEnabled Default settings IPAllowListConfig: 4) Anonymous and Partner SMTP Sessions are governed by the ExternalMailEnabled parameter. Authenticated sessions (including connectors that are configured for External Authoritative) are governed by the InternalMailEnabled parameter. 5) What permissions does the submitting client have? i.e. All Exchange Servers and Externally Secured sessions get the Bypass Anti-spam privilege (this cannot be removed). Even when ExternalMailEnabled is true and the SMTP session is anonymous, if NT Authority\Anonymous Logon has the Bypass Anti-Spam associated with the receive connector, mail will not be checked.

Now to dispel some other misunderstandings with regard to Configuration controls IPAllowlistconfig or IPBlocklistconfig command default settings are below. However, if InternalMailEnabled is set to True... ...no action is taken on trusted servers in the Exchange Organization. For grins, I decided to test this in my lab sending mail from one Hub to another. The sending server passed the X-EXPS Auth command which would be the auth used for "Exchange Servers". In the debug tracing you could see that the IP was checked against the IPBlocklist, but not rejected because the Exchange Servers group is granted ByPassAntispam permissions on the connector. Configuration Misunderstandings when Anti-Spam Agents are installed on Hub servers Anti-spam Agents are installed per server by running install-antispamagents.ps1 script. After running the script you will have Organization level and Server level controls. There are two Anti-Spam Tabs added to the Exchange Management Console, one at the Org level and another at the Server\Hub level. Organization level settings in the Exchange Management Console: Server level setting in the Exchange Management Console: Get-TransportAgent cmdlet is a per Transport server configuration setting. This example has 3 of the agents disabled. So this will only affect the Hub this is configured on: The cmdlet, Set- Transport server, -AntispamAgentsEnabled, is a bit confusing at first. The default value is True when you run the script to install the agents on a Hub. When set to False, it does not disable the AS agents. It simply hides the Anti-Spam tab at the Server level for that particular Hub server in the Exchange Management Console (may require restart of the msExchangeTransport and close / reopen the console). The overlooked 'internalSmtpServers' list Imagine this scenario: Mail with valid SPF records is rejected by your SenderID Agent. The SPF shows these IP addresses: contoso.com text = "v=spf1 ip4:192.168.50.2 ip4:192.168.50.3 ip4:192.168.50.4 -all" The rejected Message headers are: Received: From senderserver.contoso.com (192.168.50.3) by hosting1.company.com (192.168.2.3) Received: From hosting1.company.com (192.168.51.3) by mail02.yourcompany.com (192.168.75.6) From: sender@contoso.com Since Exchange has to pick an IP to compare to the SPF records, which one does it pick? To determine this, Exchange starts with the last "received: From" header in the mail message and looks for a match in the internalSmtpServers list moving up the received: From headers until a match is NOT found. In the example above, "Received: From hosting1.company.com (192.168.51.3) will be the first IP match attempted. The reason the mail was rejected above was that IP was not in the internalSmtpServers list. Adding it then returns a match so the next Recevied:From header is now examined and that IP is not only the last external IP (not in the list of internalSmtpServers) but also on the Sender's SPF records (192.168.50.3) and the mail passes SenderID Agent. In some scenarios mail is filtered through a hosted service provider that provides services such as Anti-Spam, Anti-Virus. By failing to add the hosted service provider IP addresses to the internalSmtpServers list, it's possible that all inbound mail will cease. Upon investigation you find the following in your Agent Log:

Agent : Connection Filtering Agent Event : OnEndOfHeaders Action : RejectMessage SmtpResponse : 550 5.7.1 External client does not have permissions to submit to this server Reason : LocalBlockList ReasonData : machine-generated entry

Machine generated entries are those added by the Sender Reputation Agent. You can get a quick look with the following cmdlet:

PS> get-IPBlockListEntry | {where $_.IsMachineGenerated}

Remember, the internalSmtpServers determines what the 'last external IP' to be used by the AS agents. If incoming mail is filtered through an appliance or hosted service it's imperative that the ip address(s) of those servers be listed here. When the AS agents are installed but the InternalSmtpServers is not populated, Event 1022 is logged:

Anti-spam agents are enabled and the list of internal SMTP servers is empty. Please use the set-TransportConfig task to populate this list.

Troubleshooting connection filtering

1. Determine if the connecting server authenticated by examining the SMTP protocol receive logs
2. What permissions were ultimately granted to the session (get-adpermission for the receive connector Exchange Extended rights on the user)
3. Check the IPAllowlistconfig or IPBlocklistconfig for how they are enabled
4. Check the IPAllowlistentry and / or IPBlocklistentry
5. Check the individual server settings with Get-Transportagent

Related articles by Zemanta

• Turbo Mail Tray 1.5

It's been a while since I've been thinking of writing a blog post about various aspects of Outlook Anywhere that people have been asking questions about. Somehow, I keep getting myself caught up in one thing or another, and have consequently delayed writing this blog post by almost 4 months. Ugh. Better late than never I figure. Given how long this blog post is overdue, I plan to cover a lot of topics, from frequently asked questions to common misconceptions to problems with Outlook Anywhere to suggested solutions for different problems. How does Outlook Anywhere work? I won't cover details on the cmdlets that enable and change settings for Outlook Anywhere. There is already a bunch of documentation on it. Instead, let's do a slightly deeper dive than the cmdlet documentation provides. The values that you provide to Outlook Anywhere settings can be classified into 2 types of properties - client facing and server facing. Examples of client facing properties are ClientAuthenticationMethod, External Host Name. Examples of Server facing properties are IISAuthenticationMethods, SSLOffloading. Client facing properties are picked up by Autodiscover and supplied to Outlook to configure client access to the Outlook Anywhere service. Server facing properties are picked up by a servicelet called RpcHttpConfigurator which runs as part of the Microsoft Exchange Service Host service. This servicelet runs every 15 mins by default, but the interval can be adjusted by changing the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\PeriodicPollingMinutes regkey. Note that setting this value to 0 turns off the RpcHttpConfigurator. When the RpcHttpConfigurator runs, it picks up the IISAuthenticationMethods and SSLOffloading values from the AD and stamps it on the \rpc vdir settings in the IIS metabase - overwriting any previously set value. This means that if you manually change the settings on this vdir, you should expect to be run over pretty shortly by the RpcHttpConfigurator (unless you have set the reg key to 0). Ok, so that's just part of what the servicelet does. Outlook Anywhere depends on the RPC/HTTP Windows component to do the marshalling and unmarshalling of the RPC packets from the client to the CAS server. A client side RPC component is responsible for marshalling every RPC packet into an HTTP tunnel and sending it over to the \rpc vdir on the CAS server. RPCProxy is an ISAPI extension that unmarshals the RPC packet, retrieves the RPC endpoint that the client wants to talk to and forwards the packet to the endpoint. But imagine if you were able to connect to any server in the organization if you were able to auth against an IIS box running RPCProxy. By the weakest link theory, all you'd need to do would be hack into a single IIS server and you'd have free access to all servers in the org. Ouch ! To alleviate this problem, RPCProxy only allows connections to be made to servers and ports that are in a trusted list. This list is maintained through the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ValidPorts regkey and contains all the servers/ports that RPCProxy is allowed to talk to. So, the other part of what the RpcHttpConfigurator servicelet does it that is queries the AD for all mailbox servers and stamps them in the ValidPorts regkey allowing access to ports 6001, 6002, 6004 for both FQDN and Netbios access. So, you will typically see something like mbx1:6001-6002;mbx1:6004;mbx1.contoso.com:6001-6002;mbx1.contoso.com:6004 as the value for the key. As new mailbox servers are added to the org, they will be picked up when the servicelet runs and be added to the key. Again, if you manually change this regkey, you should expect to be bulldozed by the servicelet. Note that the ValidPorts key is only used by RPCProxy as a filter to disallow communication with unlisted server ports. It is not used to determine which server to send requests to. For the same reason, the order in which servers are listed in this key does not matter. I just thought I'd clarify this since I was recently told that there was confusion on what this key accomplished. Ok, simple enough, now that all the configuration is done, how does Outlook Anywhere actually establish its connections. The following diagram may help: As you see above, the client specifies the VIP of the Load balancer (or direct CAS FQDN if the CAS is exposed to the Internet) as the HTTP endpoint and the mailbox server as the RPC endpoint. The query string is somewhat like this: http://nlb.contoso.com/rpc/rpcproxy.dll?mbx1.contoso.com:6001 This tells the RPCProxy on CAS1 that the client is trying to connect to server mbx1.contoso.com on port 6001. RPCProxy looks up the ValidPorts key and if mbx1.contoso.com:6001 is listed there, it allows the connection to go through. The blue and red arrows above represent the 2 different connections spawned by the RPC/HTTP client component to represent a single RPC connection. This is done because HTTP connections are half duplex (i.e. they either allow you to send information or receive information, not both at the same time). In the case of RPC, connections need to be long lived and full duplex, so the RPC_IN_DATA connection acts as the sending half duplex connection, while the RPC_OUT_DATA connection acts as the receiving half duplex connection. Since HTTP requires that each connection be given a max length, each of these connections are 1GB "long" and are terminated when this limit is reached. Each of these connections is tagged with a client session id. When the RPC server component receives the RPC_IN_DATA and RPC_OUT_DATA with the same client session id, it knows that for any request received on the RPC_IN_DATA connection, it must reply back on the RPC_OUT_DATA connection. That's magic. Ok, so you already know this, but I'll reiterate - the mailbox server has 3 ports that are used for RPC/HTTP: port 6001 is used for Mail connections, port 6002 is used for directory referral, port 6004 is used for proxying directory connections to AD. The Referral Service running on port 6002 and DSProxy running on port 6004 are part of the same mad.exe process, and the Referral Service just refers clients back to DSProxy to establish their Directory connections. If you Ctrl+Right Click the Outlook icon and click on Connection Status, it will tell you what connections exist (Mail vs. Directory), what server they are going to and what protocol they are using (HTTPS vs. TCP(direct Exchange RPC connection)). I have conveniently omitted any discussion around certificates, since that can take up another few blog posts. As some would say, that is beyond the scope of this article and is left as an exercise to the reader. How do I know Outlook Anywhere is working? Simple... when no one is complaining! Seriously though, it is preferable is to run diagnostics on Outlook Anywhere before subjecting it to thousands of users. The one tool that works pretty well in most cases is rpcping. Yes, it has a lot of parameters and is confusing, but it does provide pretty good diagnostic information and as long as you have the KB open, you can figure out where problems lie. Start by pinging just the RPCProxy by using the -E option. Once that works, move onto testing the mailbox server endpoints by removing the -E and adding -e 6001 instead. Similarly for 6002, 6004. A typical command line would be something like this. Refer to http://support.microsoft.com/kb/831051 for usage details rpcping -t ncacn_http -o RpcProxy=cas1.contoso.com -P "user,domain,password" -H 1 -F 3 -a connect -u 9 -v 3 -s mailbox.contoso.com -I " user,domain,password " -e 6004 How does Outlook Anywhere not work? Unfortunately, there are some cases where Outlook Anywhere does not work without requiring manual tweaks. This is the part I wish I had blogged about earlier. I'm sure there are poor folks out there that have hit these issues and wasted their time figuring out what I had already learned... DSProxy and IPv6 As of E12 SP1, Outlook Anywhere on Windows 2008 requires that IPv6 be manually turned off on the CAS server. This is because the DSProxy component that listens on port 6004 (mad.exe) for directory connections does not listen on the IPv6 stack. If you do a netstat -ano | findstr 6004, you will see only 1 LISTENING entry - the one that corresponds to the IPv4 stack. Contrast this with ports 6001 and 6002 that have 2 entries. (As most of you already know, if you are running your Mailbox role on the same machine as a DC, lsass.exe not mad.exe listens on port 6004, so this problem will not surface since lsass.exe listens on both protocol stacks.) How do you turn off IPv6 ? It depends on whether you are running CAS and Mailbox on the same server or different ones. If you're in a multi-server scenario where the RPCProxy is not on the same server as the Mailbox, then you need to do the following:

1. Unselect IPv6 from the properties of your NIC (on the RPC-over-HTTP Proxy machine); that will force the RPC-over-HTTP Proxy to use IPv4 to talk to Exchange and everything will be fine. In most cases, this step suffices. If it does not, continue with steps 2 and 3.
2. Under the regkey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a 32 bit DWORD with the name Disabled Components and value 0xFF
3. Reboot the machine

If you're in a single-server scenario where the RPCProxy and Mailbox are on the same machine, then the above does not work since the loopback interface still uses IPv6. In this case, you need to make the following changes in the system32\drivers\etc\hosts file:

1. Comment out the line ":::1 localhost"
2. Add the following two lines: <IPv4 address> <hostname of the computer> <IPv4 address> <FQDN of the computer>

Thanks to Kevin Reeuwijk and others for finding and reporting the issue and solution. A fix (make DSProxy listen on the IPv6 stack) is on the way and is expected to be available in Exchange 2007 SP1 RU4 in Q3 2008. DSProxy and Split RPC_IN_DATA, RPC_OUT_DATA connections In the diagram above, you will notice that I have used a Source IP Loadbalancing layer. This ensures that the RPC_IN_DATA and RPC_OUT_DATA connections coming from a single Outlook instance are always affinitized to the same CAS server. However, there are some legitimate scenarios where Source IP affinity is not viable for customers. A typical example is when a large number of end users are behind NAT devices causing all connections to end up with the same IP and hence the same CAS server... yay load balancing! Outlook Anywhere does not support cookies, so cookie based Load balancing cannot be used either. The only way of spreading load across the server farm is to use with no affinity or SSL-ID based affinity. However, this has the problem that the RPC_IN_DATA and RPC_OUT_DATA connections could (and most likely would) end up on different CAS servers as shown in the diagram below: If you've been reading closely, you'll remember my earlier mention that the RPC server component is well aware of client session IDs and can reply on RPC_OUT_DATA for any requests on RPC_IN_DATA. And if that's the case, we should still be fine since Outlook always specifies the mailbox server as it's RPC endpoint. Well, almost. We are fine for ports 6001 and 6002 which are real RPC end points. The issue is with port 6004 where DSProxy pretends to be an RPC endpoint, but is just a proxy as the name implies. DSProxy only proxies client connections through to the DC. In the example above, RPC_IN_DATA is proxied to DC1 while RPC_OUT_DATA is proxied to DC2. The DCs are the real RPC endpoints. However, now that the 2 connections have been split, neither of the DCs is aware of the other connection and requests sent on RPC_IN_DATA are lost in oblivion. We call this split connectivity and it is a problem surfaced by SSL-ID or no affinity load balancing. While I would recommend not using these configurations if avoidable, it is clear as described earlier that these may be the only alternatives. Think hard if this is the case since the workaround that I am describing below will be tedious to maintain. The goal of these steps is to eliminate the possibility of split connectivity by (1) having clients bypass DSProxy wherever possible and (2) constrain DSProxy to talking to a single DC for any requests to DSProxy. First off, you need to avoid using DSProxy wherever possible. Normally, the Referral Service running on port 6002 refers clients to DSProxy on port 6004. By setting the following regkey, you instruct Referral Service to not send clients to DSProxy, but instead give them a referral to a DC for directory connections. So, instead of client connections going from Client to RPCProxy to DSProxy to DC, the path would be from Client to RPCProxy to DC. Note that the client is not directly connecting to the DC, so it is not required to publish the DCs to the internet or open any new firewall ports. See KB http://support.microsoft.com/kb/872897 for details:

On the Mailbox servers: a DWORD entry needs to be created on each Mailbox server named "Do Not Refer HTTP to DSProxy" at HKLM\System\CCS\Services\MSExchangeSA\Parameters\ and the value set to 1

Next, as indicated earlier, the RPCProxy will block access to the DC servers unless there servers are included in the ValidPorts regkey. So, set the following on the Client Access Servers

1. The ValidPorts setting at HKLM\Software\Microsoft\RPC\RPCProxy needs setting so that the entries referring to 6004 point to DC servers in addition to the mailbox server.
2. The PeriodicPollingMinutes key at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\ needs setting to zero to prevent RpcHttpConfigurator from updating the Valid Ports key automatically.

Finally, you need to make sure that the DCs are listening on port 6004:

On the Global Catalog servers: a REG_MULTI_SZ entry needs to be created on each GC named NSPI interface protocol sequences at HKLM\System\CCS\Services\NTDS\Parameters\ and the value set to ncacn_http:6004

These fixes will make sure that all directory connections bypass DSProxy and terminate at the DCs, thereby allowing the DC RPC server side component to receive both the RPC_IN_DATA and RPC_OUT_DATA connections. There is 1 last thing to deal with in this SSL-ID load balanced configuration. Outlook profile creation hard codes a call to DSProxy on 6004. Which means that we can get split connectivity during profile creation. To deal with this minimal volume of traffic, there is 1 final regkey that should be set on the mailbox servers:

On the Mailbox Servers - set the HKLM\System\CCS\Services\MSExchangeSA \Parameters key "NSPI Target Server" to the FQDN of the DC that profile creation should use.

By using only 1 DC for profile creation, all DSProxy calls will be proxied into that single DC, once again avoiding split connectivity. That's it folks! Of course, subsequent releases will provide cleaner solutions for such topologies, but for now, rest assured that having gone through the above steps multiple times, I feel your pain. That's pretty much it. I hope that adds some clarity to how Outlook Anywhere works and hasn't succeeded in confusing everyone even more. Until the next post - Hasta Luego!

There has been a lot of discussions in the Exchange ecosystem (see comments on this post and other posts on our blog for example) about the fact that Windows Server 2008 built-in backup application (Windows Server Backup) is not Exchange-aware. Even though we have also clarified that the limitation does not apply to Windows Small Business Server 2008, we still kept getting a lot of open and honest feedback on the subject, which we greatly appreciate. Background About 2 years ago, when the Exchange team started testing Exchange 2007 on Windows 2008, we found that the built-in backup application had changed dramatically. Decisions that drove that change by the Windows team are not the subject of this post, but it is fair to say that the Windows team did not make the decision lightly. When we evaluated the features of Windows Server Backup, it was clear that the backup and restore experience on Windows 2008 would not be the experience that existing Exchange customers have been used to for so long. Because we had feedback from several customers who told us they would rather get a more full-featured backup solution for their Exchange servers, a decision was made not to provide an Exchange-aware backup solution for Windows 2008 in Exchange 2007 Service Pack 1. Exchange 2007 Service Pack 1 Ships... Right after we shipped Service Pack 1, we started hearing from customers who were upset with the fact that they cannot take Exchange-aware online backups with Windows Server Backup. These customers had enjoyed the integration of Exchange and Windows Backup (NTBackup) for many years, and for many versions of Exchange and Windows. We also saw quite a but of discussion activity on this issue in various Exchange communities (this blog, internal discussion groups, MVP and MCT communities, etc.). We then published a blog post on this issue, which prompted more comments from customers who told us that they were unhappy about this and why. Now - the next question you have must be: What are we doing about this? Although we can't share all of the details now, we thought that this issue was important enough to announce a decision we recently made. We have decided to develop and release a VSS-based plug-in for Windows Server Backup that will enable you to properly backup and restore Exchange 2007 with a built-in Windows 2008 backup application. While you will be able to backup and restore Exchange 2007 on Windows 2008, you should not expect feature parity with the Windows 2003 NTBackup experience. There will not be the same level granularity and control that NTBackup provides and backups will be limited to the local server only. However, you will be able to perform a VSS backup of Exchange to a separate disc or a network share. If the backup completes successfully, it will (depending on options chosen) truncate Exchange transaction log files, and you'll be able to restore Exchange data when needed. We will cover all of the details in updated documentation when the time comes. We realize that this may not be an ideal solution for all organizations, but we are quite confident that this is a good solution for many, especially our smaller customer segment. When can you expect this? We do not have a release date to announce yet. Our Customer Experience team is working out the details, and because we are still relatively early in this process, we cannot commit to a specific date yet. Rest assured - we'll announce it when it becomes available! Finally, I think it is in order to thank all of you for all the feedback that you have provided us. As we mentioned before, we want your feedback. We are lucky to have people passionate enough to let us know and explain why what we did was not ideal.

This post is the first in a multi-part series dedicated to Information Rights Management (IRM) in Outlook 2007. While IRM has been a part of Microsoft Office and Outlook since the 2003 release, we often receive questions regarding the deployment of the system and its practical uses. To address these questions we will be writing an IRM specific blog series that will cover the following topics:

• What is IRM in Outlook?
• What IRM infrastructure do I need?
• What are IRM Templates and how do I use them?
• How does Microsoft use IRM?
• How can I use IRM at my company?
• The IRM Resource index

A substantial amount of documentation for IRM is available on the Internet. It is, however, often difficult for people to get a good end-to-end overview of how to configure and use IRM in the Office 2007 system. As part of this series, we will be providing a list of resources that we think will help you in further understanding IRM. Now let’s get to the fun stuff. ;-)

Firstly, what is IRM?

The official IRM ‘mantra’ is:

“IRM helps individuals enforce their preferences concerning the transmission of personal or private information. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.” (Office Online)

IRM provides customers using Outlook with a method to specify “restrictions” on messages that they send so that they may control how their content is used. For example a sender can use IRM to ensure recipients cannot forward, copy, or edit the message. For larger organizations, one of the coolest additions to the IRM “arsenal” in Microsoft Office 2007 is the ability to create custom permission templates by using a Rights Management Service (RMS) server. This enables customers to create custom permission templates specific to their organization. Due to the amount of detail we need to go into to cover this adequately we will explain RMS in more detail in a future post.

What is IRM good for? Are there any limitations?

It is important to understand that IRM is not a silver bullet. IRM protected messages can be used to help with the following scenarios

• Preventing the recipient from forwarding, copying, modifying, printing, or otherwise using your content without your permission.
• Preventing restricted content from being copied in Windows by using the Print Screen feature.
• Restricting your content with your chosen restrictions regardless of where it is sent.
• Providing a consistent level of restrictions to e-mail attachments created using the Microsoft Office 2007 suite of programs.
• Defining an expiration date so that content in documents and e-mail messages can no longer be viewed after a certain date.
• Enforcing your organizations policies that govern the use and dissemination of content in the company.

It is important to note that IRM can't prevent the following:

• Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spy-ware.
• Content from being lost or corrupted because of the actions of computer viruses.
• Analog attacks such as hand-copying or taking a digital photograph of restricted content from the recipient's screen.
• Restricted content from being copied by using third-party screen-capture programs.

How do I set IRM permissions on a message I will be sending?

The example below shows two popular methods to compose an e-mail and send it using the IRM “Do Not Forward” restriction. This restriction allows recipients to read, copy, modify and print the message but not to forward it to other people.

1. Open Outlook 2007 and compose a new mail message by clicking on the “New Mail Message” button.
2. Select the “Do Not Forward” IRM restriction for the message. This can be done by clicking on the Microsoft Office Button and then choosing Permission, “Do Not Forward”.
Alternatively this can be accessed by clicking on the Permission button in the ribbon and then selecting the “Do Not Forward” restriction.

If the Microsoft IRM add-on has not been installed on your machine, Outlook 2007 will prompt you to download the latest version of the Rights Management Service (RMS) client software. Once you have set the permissions, an InfoBar will show in the message explaining the restrictions that have been placed on the message. (The InfoBar is the banner near the top of a mail message.) Once you have sent the message, your copy of the message in Sent Items will have a special icon next to it so that you can easily tell that it has an IRM restriction:

What does it look like when your recipient receives your IRM protected message?

Firstly, when your recipient attempts to open your IRM protected message, Outlook 2007 checks to see if a valid certificate (which is necessary to open IRM'd mail) is accessible. The certificate is a digital finger print that is used to verify a user’s identity. In the event that there is no certificate for this mail, Outlook 2007 will give the option to connect to Microsoft’s service to obtain one. (More on this in a future post.) Once the certificate has been installed the message can be opened and viewed. The InfoBar will indicate that the message is restricted (and what the restrictions are) as well as disabling the appropriate commands. In this case, your recipient will see that forward is disabled but that Reply and Reply to All are still active. And finally here is what the message looks like when your recipient opens it: The following Microsoft articles were referenced in this post.

1. The purpose of IRM and its limitations (http://office.microsoft.com/en-us/help/HA101003661033.aspx#1) 2. Protect confidential e-mail information using IRM in Outlook 2007 (http://office.microsoft.com/en-us/outlook/HA102325901033.aspx)

Next blog post: “What I need to get IRM working.”

Related articles by Zemanta

• Living without Microsoft Office
• Add Public Holidays to Your Outlook 2003 Calendar [Calendars]

Recently we have published the updated Exchange Developer Roadmap over on Exchangedev blog. This covers Exchange Server beyond Exchange Server 2007. You can read about multiple things there, including:

• APIs that Will Be Removed
• APIs Moving To Extended Support

If you are developing for Exchange Server, please make sure to check it out. - The Exchange Team

Related articles by Zemanta

• Linux-based Exchange replacement helps 3 health care systems cut costs

Please go to our Mailbox Server Role Storage Requirements Calculator updates tracking page to see what is in this new version! There are a lot of usability improvements as well as a whole new section on Storage Design. A blog post explaining the calculator (updated for this new version) is here and the calculator can be downloaded from here. Comments welcome!

The How-To Geek blog recently published a post on how to prevent duplicate tasks in the To-Do Bar when using a Gmail IMAP e-mail account in Outlook 2007. Thanks for the great tip, How-To Geek!

(more...)