top 15 exchange questions that senior admin ask - jaap wesselius

TOP 15 SENIOR ADMIN EXCHANGE QUESTIONS PRESENTED BY MVP, JAAP WESSELIUS

Upload: kemp-load-balancers

Post on 06-Apr-2017


Category: Technology



TRANSCRIPT

Page 1: Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius

TOP 15 SENIOR ADMIN EXCHANGE QUESTIONS PRESENTED BY MVP, JAAP WESSELIUS

Page 2

INTRODUCTION

AGENDA

TOP 15 QUESTIONS

SUMMARY OF THE TOP 15 QUESTIONS

Page 3

JAAP WESSELIUS

WHO AM I?

Office Server and Services MVP (previously Exchange server MVP)

Freelance consultant

Blogger, author, presenter

Husband, dad with three sons (uh oh)

Biker enthusiast

Page 4

TOP 15 QUESTIONS

• KEMP (pre-sales) receives numerous Exchange related questions
• Load balancing questions (makes sense)
• Lots of other questions, like
  • Veeam supportability
  • Anti-malware questions
  • Security questions
  • Tools questions
  • Etc.

For this presentation we've created a top 15 list

Page 5

1. BEST PRACTICES FOR INSTALLING EXCHANGE

• Always use the requirements calculator when designing an Exchange environment
  • https://exchangeloadbalancer.com/exchange-role-calculator/ (The Exchange Role Size calculator)
  • https://kemptechnologies.com/loadmaster-sizing-guide/ (Load Balancer Sizing Guide)
• For large environments: better not use virtualization!
• Use Jetstress for validating your storage design

Page 6

1. BEST PRACTICES FOR INSTALLING EXCHANGE

• Use proper 3rd party SSL certificates (like DigiCert for example)
• Use unattended setup
• Document your setup procedure
• Use Michel's PowerShell script (http://bit.ly/UnAttended)
• Use Desired State Configuration for larger environments
• Make sure you have a proper patch management solution
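The unattended setup and certificate bullets above, as an added example. This is not Michel's script and not code from the deck: it is a minimal unattended Exchange 2016 Mailbox role install followed by a certificate request for a 3rd party CA. The setup path, organisation name, drive layout, host names and server name EXCH01 are placeholders.

```powershell
# Added example: unattended Exchange 2016 install plus 3rd-party certificate request.
# Assumptions: the CU ISO is mounted on E:, data disks are D:, the server is EXCH01.
$Setup = "E:\Setup.exe"

# One-time Active Directory preparation (schema admin / enterprise admin, once per forest)
& $Setup /IAcceptExchangeServerLicenseTerms /PrepareSchema
& $Setup /IAcceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:"Contoso"

# The install itself: the same switches on every server, so keep this line under version control
# as your documented setup procedure instead of clicking through the wizard.
& $Setup /IAcceptExchangeServerLicenseTerms /Mode:Install /Roles:Mailbox `
    /InstallWindowsComponents `
    /TargetDir:"D:\Exchange" `
    /MdbName:DB01 /DbFilePath:"D:\DB\DB01\DB01.edb" /LogFolderPath:"D:\Logs\DB01"

# --- after setup, in the Exchange Management Shell ---

# Certificate request: only the names clients actually use go into the SAN list.
# Keep the private key exportable so the same certificate can be installed on every server
# and on the load balancer.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "C=NL, O=Contoso, CN=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com `
    -FriendlyName "Contoso Exchange 2016"
Set-Content -Path "C:\Temp\contoso.req" -Value $req

# When the CA returns the signed certificate: import it and bind it to the services.
# Do this BEFORE changing DNS to the new namespace, otherwise clients see a name mismatch.
$bytes = [System.IO.File]::ReadAllBytes("C:\Temp\contoso.cer")
$cert  = Import-ExchangeCertificate -Server EXCH01 -FileData $bytes
Enable-ExchangeCertificate -Server EXCH01 -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# Sanity check: the certificate bound to IIS must carry the namespace in its SAN
Get-ExchangeCertificate -Server EXCH01 | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter
```

Enabling the certificate for SMTP prompts to overwrite the default self-signed binding; answer No on a server that still exchanges mail with other Exchange servers over the self-signed certificate, and switch SMTP only when every server has the public certificate.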

Page 7

2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016

Exchange 2010 can coexist with Exchange 2016

Exchange 2010/2016 coexistence uses the down-level proxy mechanism

Page 8

2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016

Most important part and potentially high impact!

Identical to Exchange 2010/2013

Build new Exchange 2016 farm

Change namespace to Exchange 2016

No legacy namespace needed

Clients access Exchange 2016 servers

Requests are proxied to Exchange 2010

Requests CANNOT be proxied from Exchange 2010 to Exchange 2016, there is no up-level proxy!!

Page 9

2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016

Down Level Proxy (in real life)

Page 10

3. HOW TO MIGRATE FROM EXCHANGE 2010 TO 2016

THERE ARE TWO OPTIONS

OPTION 1: TRANSITION TO EXCHANGE 2016
• Build a coexistence environment with down level proxy
• Build a new Exchange 2016 Database Availability Group
• Use New-MoveRequest to seamlessly move mailboxes to Exchange 2016
• Decommission Exchange 2010 (uninstall, not just delete VMs!!)

Page 11

3. HOW TO MIGRATE FROM EXCHANGE 2010 TO 2016

THERE ARE TWO OPTIONS

OPTION 2: MIGRATE TO EXCHANGE 2016
• Move all resources to a new forest and Exchange environment
• Also known as inter-forest migration
• Use 3rd party tooling to move accounts and mailboxes to the new Active Directory forest
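The New-MoveRequest step of option 1, as an added example that is not part of the deck: queue a batch of moves from a 2010 database to a 2016 database, watch them, cut over in a maintenance window and check for data loss before cleaning up. Database and batch names are placeholders.

```powershell
# Added example: batch mailbox moves from Exchange 2010 to Exchange 2016.
# Assumptions: DB2010-01 is a 2010 database, DB2016-01 lives in the new 2016 DAG.
$SourceDb = "DB2010-01"
$TargetDb = "DB2016-01"
$Batch    = "Wave1"

# Queue the moves. The bulk copy runs online; SuspendWhenReadyToComplete parks each
# request at 95% so the short final sync (and the Outlook reconnect) happens when you say so.
# BadItemLimit is deliberately low: every skipped item is data loss someone must sign off on.
Get-Mailbox -Database $SourceDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDb -BatchName $Batch `
        -BadItemLimit 10 -SuspendWhenReadyToComplete

# Progress per mailbox
Get-MoveRequest -BatchName $Batch | Get-MoveRequestStatistics |
    Sort-Object PercentComplete |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered, TotalMailboxSize -AutoSize

# Cutover: resume everything that auto-suspended; users reconnect through the 2016 namespace
Get-MoveRequest -BatchName $Batch -MoveStatus AutoSuspended | Resume-MoveRequest

# Review failures and skipped items before clearing the batch; a leftover completed
# request blocks any later move of the same mailbox.
Get-MoveRequest -BatchName $Batch -MoveStatus Failed |
    Get-MoveRequestStatistics -IncludeReport | Select-Object DisplayName, Message
Get-MoveRequest -BatchName $Batch -MoveStatus Completed |
    Get-MoveRequestStatistics | Where-Object { $_.BadItemsEncountered -gt 0 } |
    Select-Object DisplayName, BadItemsEncountered
Get-MoveRequest -BatchName $Batch -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
```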

Page 12

4. WHAT ARE THE BENEFITS OF MAPI/HTTP

MAPI/HTTP is the new Outlook client protocol

Outlook Anywhere is deprecated (already being decommissioned from Office 365)

Instead of using the RPC Proxy component (a Windows component, not an Exchange component) Outlook is using HTTP natively

No dependency on the RPC Proxy component (which is not the most stable component)

More stable with flaky (WiFi or cellular data) connections

Page 13

4. WHAT ARE THE BENEFITS OF MAPI/HTTP
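Added example, not from the deck: the checks that show whether MAPI/HTTP is really in use and whether the /mapi virtual directory URLs line up with the namespace on the certificate (a mismatch is the usual reason Outlook silently falls back to RPC/HTTP). EXCH01, mail.contoso.com and the user names are placeholders.

```powershell
# Added example: verify and enable MAPI/HTTP. Server and namespace are assumptions.
# Organisation-level switch: a fresh 2016 org has it on, an org upgraded from 2013 may not
Get-OrganizationConfig | Format-List MapiHttpEnabled

# The URLs Autodiscover hands out must be the namespace on the certificate,
# not the server FQDN, or the client will get a certificate name mismatch
Get-MapiVirtualDirectory -Server EXCH01 |
    Format-List Identity, InternalUrl, ExternalUrl, IISAuthenticationMethods

Set-OrganizationConfig -MapiHttpEnabled $true
Set-MapiVirtualDirectory -Identity "EXCH01\mapi (Default Web Site)" `
    -InternalUrl https://mail.contoso.com/mapi `
    -ExternalUrl https://mail.contoso.com/mapi

# Staged rollout: a pilot user can be pinned to RPC/HTTP (Outlook Anywhere) per mailbox
# until the load balancer health check for /mapi/healthcheck.htm is green on every server
Set-CASMailbox -Identity pilot.user@contoso.com -MapiHttpEnabled $false

# Server-side probe against a test mailbox
Test-OutlookConnectivity -ProbeIdentity "OutlookMapiHttp.Protocol\OutlookMapiHttpSelfTestProbe" `
    -MailboxId test.user@contoso.com
```

Whether a given client actually negotiated MAPI/HTTP is visible in Outlook's Connection Status dialog (the Protocol column shows HTTP rather than RPC/HTTP) and in the HttpProxy\Mapi logs on the server.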

Page 14

5. WHAT ARE THE BENEFITS OF HYBRID DEPLOYMENT

Basically it is one 'virtual' Exchange organization, comprising Exchange on-premises and Exchange Online

Benefits:
• One autodiscover mechanism (points to on-premises)
• Secure mail flow between on-premises and online
• One address book
• Sharing free/busy information, MailTips, OOF
• Easy migration to Exchange Online (uses the regular Mailbox Replication Service)
• Interesting but not heard often: there's an easy offboarding mechanism!

Page 15

5. WHAT ARE THE BENEFITS OF HYBRID DEPLOYMENT

But remember, identity management (including Exchange properties) is performed on-premises. You always need at least one Exchange server on-premises!!

Page 16

6. HOW TO ENABLE AN IMAP4 CONNECTION

POP3 and IMAP4 are not running by default on Exchange 2013 or Exchange 2016 (startup type set to manual)

Set the startup type to automatic

There's a front-end service and a back-end service

Make sure the Login Type is set correctly (SecureLogin vs PlainText)

When using S/POP3 or S/IMAP4 make sure you use the right SSL certificate

Make sure you know the right Telnet commands for testing purposes :-)

Shameless plug: http://bit.ly/POP3Telnet

Page 17

6. HOW TO ENABLE AN IMAP4 CONNECTION

Page 18

7. WHAT SPAM PROTECTION IS AVAILABLE WITH EXCHANGE 2016

There is some anti-malware protection in Exchange 2016

Use Get-MalwareFilteringServer, Get-MalwareFilterPolicy and Get-MalwareFilterRule to check details

Edge Transport server is very limited for anti-spam

Can do some RBL and whitelist/blacklist and 'some' content filtering

Mostly used as an SMTP server in a DMZ scenario

You always need a separate anti-malware solution

Page 19

7. WHAT SPAM PROTECTION IS AVAILABLE WITH EXCHANGE 2016

Third party solutions can be on-premises or online

Exchange Online Protection

Anti-malware, DKIM signing/verify, DMARC validation

On-premises solutions

Cisco Email Security Appliance (ESA, aka IronPort)

Anti-malware, DKIM signing/verify, DMARC validation

Beware: Exchange 2016 does not support DKIM and DMARC

Think about user education

There's no technical solution for user inability!
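Added example, not part of the deck: the three Get-Malware* cmdlets the slide names, used as an actual check, plus a DNS look at SPF, DKIM and DMARC for every authoritative accepted domain. Since Exchange 2016 neither signs DKIM nor evaluates DMARC, those records only matter if the gateway in front (EOP, Cisco ESA or similar) enforces them; the script just tells you whether they exist. The DKIM selector name is an assumption.

```powershell
# Added example: built-in malware filter state and SPF/DKIM/DMARC presence per domain.
# "selector1" is an assumed DKIM selector; use the one your signing gateway publishes.
$Selector = "selector1"

# 1. Malware filtering: BypassFiltering must be False on every server and the
#    default policy should not merely strip attachments and deliver the rest.
Get-MalwareFilteringServer |
    Format-Table Name, BypassFiltering, UpdateFrequency, PrimaryUpdatePath -AutoSize
Get-MalwareFilterPolicy |
    Format-List Name, IsDefault, Action, CustomAlertText
Get-MalwareFilterRule |
    Format-Table Name, State, Priority, RecipientDomainIs -AutoSize

# 2. DNS records the external world uses to judge your mail. Missing SPF/DMARC on a
#    domain you send from means your own name can be spoofed at anyone who does check.
function Get-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain, [string]$DkimSelector = $Selector)

    $txt = { param($name) Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue }
    $spf   = (& $txt $Domain)           | Where-Object { $_.Strings -match '^v=spf1' }
    $dmarc = (& $txt "_dmarc.$Domain")  | Where-Object { $_.Strings -match '^v=DMARC1' }
    $dkim  = (& $txt "$DkimSelector._domainkey.$Domain")

    [pscustomobject]@{
        Domain = $Domain
        SPF    = if ($spf)   { $spf.Strings -join "" }   else { "MISSING" }
        DMARC  = if ($dmarc) { $dmarc.Strings -join "" } else { "MISSING" }
        DKIM   = if ($dkim)  { "present ($DkimSelector)" } else { "MISSING ($DkimSelector)" }
    }
}

foreach ($ad in Get-AcceptedDomain | Where-Object { $_.DomainType -eq "Authoritative" }) {
    Get-MailAuthRecords -Domain $ad.DomainName.ToString()
}
```

A DMARC record of `p=none` is a monitoring mode, not protection; once the rua reports show only legitimate senders, move to `p=quarantine` or `p=reject` at the gateway that enforces it.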

Page 20

8. WHAT IS TARPITTING

WHAT IS TARPITTING?

WHY AM I BEING TARPITTED?

HOW TO BYPASS A TARPIT INTERVAL?

Tarpitting is deliberately slowing down SMTP error responses (for example after an invalid RCPT TO) on the Receive Connector (default 5 seconds)

This will frustrate malware-sending hosts

Helps protect against directory harvesting

Bypassing the tarpit interval might not be a good idea (whitelist maybe?)

Change it using the Set-ReceiveConnector command
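The "whitelist maybe?" suggestion as an added example (not from the deck): review the interval on every connector, push anything listening on port 25 back to the default, and only switch tarpitting off on a dedicated connector whose RemoteIPRanges is a short allow-list. Server and connector names are placeholders.

```powershell
# Added example: audit and adjust TarpitInterval. EXCH01 and the connector name are assumptions.
Get-ReceiveConnector | Sort-Object Server |
    Format-Table Identity, TarpitInterval, MaxProtocolErrors, MaxInboundConnectionPerSource, RemoteIPRanges -AutoSize

# Internet-facing (or simply reachable) connectors on port 25 keep the 5-second default;
# TarpitInterval is an EnhancedTimeSpan, so compare via a real TimeSpan.
Get-ReceiveConnector |
    Where-Object { ($_.Bindings -match ':25$') -and
                   ([TimeSpan]$_.TarpitInterval.ToString()).TotalSeconds -lt 5 } |
    Set-ReceiveConnector -TarpitInterval "00:00:05"

# Whitelist-style bypass: the application relay connector may be exempt, but only if it
# is scoped to a handful of known hosts and not to 0.0.0.0-255.255.255.255.
$relay     = Get-ReceiveConnector -Identity "EXCH01\Relay Connector (EXCH01)"
$openToAll = [bool]($relay.RemoteIPRanges -match '^0\.0\.0\.0')
if (-not $openToAll -and $relay.RemoteIPRanges.Count -le 20) {
    Set-ReceiveConnector -Identity $relay.Identity -TarpitInterval "00:00:00"
} else {
    Write-Warning "$($relay.Identity) is scoped too widely to bypass tarpitting"
}
```

If a legitimate application is "being tarpitted", it is almost always because it sends to recipients that do not exist (stale distribution lists, typos in config); fixing the recipient list is cheaper than removing the delay for everyone.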

Page 21

9. BEST WAYS TO ACHIEVE HIGH AVAILABILITY

SPLIT HA INTO TWO PARTS:

PART 1: PROTOCOL LOAD BALANCING
• Use a load balancer for incoming requests
• Distribute requests amongst multiple Exchange servers
• Will load balance and overcome server failure

Page 22

10. HOW TO ENSURE SITE RESILIENCY

Using multiple datacenters you can create site resiliency

Use the Exchange Preferred Architecture http://bit.ly/ExchangePA

• Namespace design
  • Bound namespace: users connect to a particular datacenter like emea.contoso.com or us.contoso.com
  • Unbound namespace: users connect to any datacenter like mail.contoso.com

Page 23

10. HOW TO ENSURE SITE RESILIENCY

This has impact on DNS and load balancing design

Use an Active Directory site per datacenter

Transport site resilience via Shadow Redundancy and Safety Net can only be achieved when DAG members are in multiple sites

Take care with network latency between datacenters

Page 24

10. HOW TO ENSURE SITE RESILIENCY

Geo-distributed Unbound Namespace

Page 25

11. IS VEEAM SUPPORTED FOR EXCHANGE

DEFINITELY

• Veeam creates a snapshot backup of the Virtual Machine
• Through the Integration Components a VSS snapshot is created in the Virtual Machine
• The Exchange VSS writer stamps the database header with last/previous backup information
• After the backup completes the Exchange VSS writer purges (truncates) the transaction log files
• And fully supported by Veeam and Microsoft :-)

Page 26

12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE

That's not too difficult, but make sure you're not creating an internet facing open relay server (you'll be blacklisted in minutes)

The Default Receive Connector accepts anonymous connections and relays mail to internal recipients (Accepted Domains)

Your multi-functional devices can use this for internal delivery

Page 27

12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE

For anonymous delivery to external recipients you need to create a new, dedicated Receive Connector (I prefer not to fiddle around with default connectors)

And, a new Receive Connector means an additional IP address (Exchange only lets two Receive Connectors share an IP address and port when their RemoteIPRanges differ, and then picks the most specific match; a dedicated IP avoids that ambiguity)

Page 28

12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE

Restrict access to the new Receive Connector on an IP basis

Grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the "NT AUTHORITY\ANONYMOUS LOGON" user on the new Receive Connector

Get-ReceiveConnector -Identity "Relay Connector (EXCH01)" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Another shameless plug: http://bit.ly/SMTPRelay
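The whole relay procedure from the three pages above as one added example, not the deck's code nor the script behind the bit.ly link: create the dedicated connector on its own IP, scope it to the devices that need it, grant the relay right, and then audit every connector in the organisation for the mistake the first page warns about (anonymous Accept-Any-Recipient on a connector open to the world). Server name, IP addresses and device ranges are placeholders.

```powershell
# Added example: dedicated anonymous relay connector plus an open-relay audit.
# Assumptions: EXCH01 has a second IP 10.0.0.11; only the listed MFDs/app subnet may relay.
$Server   = "EXCH01"
$Name     = "Relay Connector ($Server)"
$ListenIP = "10.0.0.11"
$Devices  = "10.0.5.20", "10.0.5.21", "10.0.6.0/24"

# Front-end connector on its own IP; the Default Frontend connector keeps 0.0.0.0:25.
# AuthMechanism Tls advertises STARTTLS so devices that can encrypt will.
New-ReceiveConnector -Server $Server -Name $Name -TransportRole FrontendTransport -Usage Custom `
    -Bindings "${ListenIP}:25" -RemoteIPRanges $Devices `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose

# AnonymousUsers lets them connect and submit; this extended right is what allows
# recipients outside the accepted domains, i.e. real relaying. Never grant it on a
# connector whose RemoteIPRanges is the whole internet.
Get-ReceiveConnector -Identity "$Server\$Name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: every connector that grants anonymous relay, with its network scope
function Get-AnonymousRelayConnectors {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $grant = $rc | Get-ADPermission | Where-Object {
            $_.User -like "*ANONYMOUS LOGON" -and
            $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and
            -not $_.Deny
        }
        if ($grant) {
            [pscustomobject]@{
                Connector      = $rc.Identity.ToString()
                Bindings       = ($rc.Bindings -join ", ")
                RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
                OpenRelayRisk  = [bool]($rc.RemoteIPRanges -match '^0\.0\.0\.0-255')
            }
        }
    }
}
Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

Run the audit after every change to connectors and keep the relay connector's protocol log on Verbose: the log is where you will first see a device that was compromised and is now "relaying" spam through the allowance you gave it.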

Page 29

13. USES FOR OFFCAT

OffCAT = Microsoft Office Configuration Analyzer Tool

Provides a detailed report of your installed Office programs

Originally started as the Outlook Configuration Analyzer Tool (OCAT)

Use OffCAT for scanning PCs for known Office configuration issues and detailed reports

For Outlook, it will scan autodiscover (lots of questions about AutoD), Calendar, Outlook profile etc.

Pages 30-32

13. USES FOR OFFCAT

Page 33

14. HOW TO AVOID/REMOVE CRYPTOLOCKER

REMOVE

• Send money to the bad guy (seen this once) and hope for an unlock key
• Restore the last known good backup. Data after this backup will be lost

Page 34

14. HOW TO AVOID/REMOVE CRYPTOLOCKER

AVOID

• Implement a good anti-malware solution, not only for email, but also on PCs
• Yes, this is expensive, but what about the previous bullets?
• User education is extremely important
• Don't trust incoming email with attachments, invoice-03202017.zip might not be what you think it is
• Don't click on any (suspicious) link in email
• Be careful with Internet browsing (again, implement an anti-malware solution)
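One control Exchange 2016 itself can add to the AVOID list, as an added example that is not in the deck: transport rules that stop executable content and the classic script-in-a-zip lures from outside the organisation before anyone can double-click them. Rule names and the quarantine address are placeholders.

```powershell
# Added example: mail-flow rules against CryptoLocker-style attachments.
# Assumptions: quarantine@contoso.com is a mailbox the helpdesk reviews.
# Rule 1: true-type detection of executables, which also looks inside compressed
# attachments, so invoice-03202017.zip containing invoice.exe is rejected at the gateway.
New-TransportRule -Name "Reject executable attachments from outside" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Executable content is not accepted by contoso.com. Contact the helpdesk." `
    -Mode Audit -Priority 0

# Rule 2: script and installer extensions that are not executables in the PE sense
# but run with a double-click; redirect rather than reject so false positives can be released.
New-TransportRule -Name "Quarantine risky attachment extensions from outside" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "scr", "cmd", "bat", "ps1", "jar", "lnk" `
    -RedirectMessageTo "quarantine@contoso.com" `
    -Mode Audit -Priority 1

# Run in Audit for a week, check the hits in message tracking, then enforce.
Get-MessageTrackingLog -EventId AGENTINFO -Start (Get-Date).AddDays(-7) -ResultSize 5000 |
    Where-Object { $_.Source -eq "AGENT" } |
    Select-Object Timestamp, Sender, Recipients, MessageSubject |
    Format-Table -AutoSize

Get-TransportRule | Where-Object { $_.Name -like "*from outside" } |
    Set-TransportRule -Mode Enforce

Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize
```

Neither rule replaces the anti-malware engine the slide asks for: macro-laden Office documents and links to a download site pass both. They do remove the cheapest lure, and the reject text tells the legitimate sender what happened instead of silently dropping their mail.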

Page 35

15. THE BEST FREE TOOLS FOR EXCHANGE

Remote Connectivity Analyzer (aka.ms/exrca) (very nice SMTP header analyzer)

Mxtoolbox.com

Exchange Environment Report Tool (by Steve Goodman)

SMTP Protocol logging

Code projects (by Paul Cunningham)

CheckTLS.com

Ssl-checker.online-domain-tools.com

https://www.checktls.com/assuretls.html
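SMTP protocol logging from the list above, as an added example that is not part of the deck: a small parser for the Receive protocol log that summarises, per remote host, relay attempts that were refused and unknown-recipient probes (directory harvesting). The log lines are constructed samples in the real log layout (a `#Fields:` header followed by CSV rows); the host, connector and session values in them are invented.

```powershell
# Added example: summarise relay and directory-harvest attempts from an Exchange
# Receive protocol log. Sample data below is constructed, not a real capture.
function Get-SmtpAbuseSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # "#Fields:" names the CSV columns; the other '#' lines are metadata
    $header = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header ($header -split ',')

    $rows | Group-Object 'remote-endpoint' | ForEach-Object {
        $fromClient = @($_.Group | Where-Object { $_.event -eq '<' })   # commands the remote host sent
        $toClient   = @($_.Group | Where-Object { $_.event -eq '>' })   # our responses
        [pscustomobject]@{
            RemoteIP     = ($_.Name -split ':')[0]
            Connector    = ($_.Group | Select-Object -First 1).'connector-id'
            Sessions     = @($_.Group.'session-id' | Sort-Object -Unique).Count
            RcptAttempts = @($fromClient | Where-Object { $_.data -like 'RCPT TO:*' }).Count
            # 2010 answers "550 5.7.1 Unable to relay"; 2013/2016 "550 5.7.54 ... Unable to relay recipient in non-accepted domain"
            RelayDenied  = @($toClient | Where-Object { $_.data -like '*Unable to relay*' }).Count
            # Only appears at RCPT time when recipient filtering is enabled; many per IP = directory harvesting
            UnknownUsers = @($toClient | Where-Object { $_.data -like '550 5.1.1*' }).Count
        }
    } | Sort-Object RelayDenied, UnknownUsers -Descending
}

# Constructed sample: one external host probing for relay and valid users (note the
# 5-second gaps before each 550, that is the tarpit), one internal device relaying legitimately.
$sample = @'
#Software: Microsoft Exchange Server
#Version: 15.01.0845.034
#Log-type: SMTP Receive Protocol Log
#Date: 2017-04-06T10:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-04-06T10:15:22.456Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,0,10.0.0.10:25,203.0.113.7:52311,+,,
2017-04-06T10:15:22.470Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,1,10.0.0.10:25,203.0.113.7:52311,<,EHLO spammer.example,
2017-04-06T10:15:22.480Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,2,10.0.0.10:25,203.0.113.7:52311,<,MAIL FROM:<x@spammer.example>,
2017-04-06T10:15:22.490Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,3,10.0.0.10:25,203.0.113.7:52311,<,RCPT TO:<victim@example.net>,
2017-04-06T10:15:27.500Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,4,10.0.0.10:25,203.0.113.7:52311,>,550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain,
2017-04-06T10:15:27.510Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,5,10.0.0.10:25,203.0.113.7:52311,<,RCPT TO:<aaron@contoso.com>,
2017-04-06T10:15:32.520Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,6,10.0.0.10:25,203.0.113.7:52311,>,550 5.1.1 User unknown,
2017-04-06T10:15:32.530Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,7,10.0.0.10:25,203.0.113.7:52311,<,RCPT TO:<abby@contoso.com>,
2017-04-06T10:15:37.540Z,EXCH01\Default Frontend EXCH01,08D47C2A3E1B9F00,8,10.0.0.10:25,203.0.113.7:52311,>,550 5.1.1 User unknown,
2017-04-06T10:16:01.100Z,EXCH01\Relay Connector (EXCH01),08D47C2A3E1B9F01,0,10.0.0.11:25,10.0.5.20:40001,+,,
2017-04-06T10:16:01.120Z,EXCH01\Relay Connector (EXCH01),08D47C2A3E1B9F01,1,10.0.0.11:25,10.0.5.20:40001,<,RCPT TO:<partner@example.org>,
2017-04-06T10:16:01.130Z,EXCH01\Relay Connector (EXCH01),08D47C2A3E1B9F01,2,10.0.0.11:25,10.0.5.20:40001,>,250 2.1.5 Recipient OK,
'@
Get-SmtpAbuseSummary -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# Real logs: front-end connectors write to (Get-FrontendTransportService EXCH01).ReceiveProtocolLogPath,
# back-end connectors to (Get-TransportService EXCH01).ReceiveProtocolLogPath, e.g.
#   Get-SmtpAbuseSummary -Lines (Get-Content "$logPath\RECV*.log")
```

On the sample, 203.0.113.7 shows 3 RCPT attempts, 1 relay refusal and 2 unknown users in one session, while 10.0.5.20 shows a single accepted external recipient on the relay connector; the same table over a day of real logs is what you hand to the firewall team, or feed into the RemoteIPRanges review of the relay connector.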

Pages 36-44

15. THE BEST FREE TOOLS FOR EXCHANGE

Page 45

Email - [email protected]

Website – https://jaapwesselius.com/

Twitter - https://twitter.com/jaapwess

SUMMARY

Well, there’s not really a summary after discussing top 15 questions

Keep your questions coming…

Email Q&A to: [email protected]

Page 46

KEMP RESOURCES

Exchange Load Balancing: https://kemptechnologies.com/microsoft-load-balancing/load-balancing-microsoft-exchange/

Exchange Resources: https://exchangeloadbalancer.com/

MSExchange.org Resources: http://www.msexchange.org/loadbalancing/

Dell Load Balancer Store: http://www.dell.com/load-balancers