Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
TOP 15 SENIOR ADMIN EXCHANGE QUESTIONS
PRESENTED BY MVP, JAAP WESSELIUS
INTRODUCTION
AGENDA
TOP 15 QUESTIONS
SUMMARY OF THE TOP 15 QUESTIONS
JAAP WESSELIUS
WHO AM I?
Office Server and Services MVP (previously Exchange server MVP)
Freelance consultant
Blogger, author, presenter
Husband, dad with three sons (uh oh)
Biker enthusiast
• KEMP (pre-sales) receives numerous Exchange related questions
• Load balancing questions (makes sense)
• Lots of other questions, like
• Veeam supportability
• Anti-malware questions
• Security questions
• Tools questions
• Etc….
For this presentation we’ve created a top 15 list
TOP 15 QUESTIONS
1. BEST PRACTICES FOR INSTALLING EXCHANGE
• Always use the requirements calculator when designing an Exchange environment
• https://exchangeloadbalancer.com/exchange-role-calculator/ (The Exchange Role Size calculator)
• https://kemptechnologies.com/loadmaster-sizing-guide/ (Load Balancer Sizing Guide)
• For large environments: better not use virtualization!
• Use Jetstress for validating your storage design
• Use proper 3rd party SSL certificates (like DigiCert for example)
• Use unattended setup
• Document your setup procedure
• Use Michel’s PowerShell script (http://bit.ly/UnAttended)
• Use Desired State Configuration for larger environments
• Make sure you have a proper patch management solution
2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016
Exchange 2010 can coexist with Exchange 2016
Exchange 2010/2016 uses the down-level proxy mechanism
Most important part and potentially high impact!
Identical to Exchange 2010/2013
Build a new Exchange 2016 farm
Change the namespace to Exchange 2016
No legacy namespace needed
Clients access Exchange 2016 servers
Requests are proxied to Exchange 2010
Requests CANNOT be proxied from Exchange 2010 to Exchange 2016, no up-level proxy!!
Down Level Proxy (in real life)
3. HOW TO MIGRATE FROM EXCHANGE 2010 TO 2016
THERE ARE TWO OPTIONS
OPTION 1: TRANSITION TO EXCHANGE 2016
• Build a coexistence environment with down level proxy
• Build a new Exchange 2016 Database Availability Group
• Use New-MoveRequest to seamlessly move mailboxes to Exchange 2016
• Decommission Exchange 2010 (uninstall, not just delete VMs!!)
OPTION 2: MIGRATE TO EXCHANGE 2016
• Move all resources to a new forest and Exchange environment
• Also known as inter-forest migration
• Use 3rd party tooling to move accounts and mailboxes to the new Active Directory forest
4. WHAT ARE THE BENEFITS OF MAPI/HTTP
MAPI/HTTP is the new Outlook client protocol
Outlook Anywhere is deprecated (already being decommissioned from Office 365)
Instead of using the RPC Proxy component (a Windows component, not an Exchange component) Outlook uses HTTP natively
No dependency on the RPC Proxy component (which is not the most stable component)
More stable with flaky (WiFi or cellular data) connections
5. WHAT ARE THE BENEFITS OF HYBRID DEPLOYMENT
Basically it is one ‘virtual’ Exchange organization, comprising Exchange on-premises and Exchange Online
Benefits:
• One autodiscover mechanism (points to on-premises)
• Secure mail flow between on-premises and online
• One address book
• Sharing free/busy information, MailTips, OOF
• Easy migration to Exchange Online (uses the regular Mailbox Replication Service)
• Interesting but not heard often: there’s an easy offboarding mechanism!
But remember, identity management (including Exchange properties) is performed on-premises. You always need at least one Exchange server on-premises!!
6. HOW TO ENABLE AN IMAP4 CONNECTION
POP3 and IMAP4 are not running by default on Exchange 2013 or Exchange 2016 (startup type set to manual)
Set the startup type to automatic
There’s a front-end service and a back-end service
Make sure the Login Type is set correctly (SecureLogin vs PlainText)
When using S/POP3 or S/IMAP4 make sure you use the right SSL certificate
Make sure you know the right Telnet commands for testing purposes :-)
Shameless plug: http://bit.ly/POP3Telnet
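The enable-and-verify steps above as one Exchange Management Shell script, added here as an example and not part of Jaap's slides. The server name and certificate subject name are assumptions, and Test-ImapConnectivity needs the test mailbox created by New-TestCasConnectivityUser.ps1.

```powershell
# Added example, not from the slides: switch on IMAP4 on an Exchange 2013/2016 Mailbox server,
# require secure logins and bind the right certificate. Run in the Exchange Management Shell
# on the server itself. Server name and certificate subject name are assumptions.
$Server   = 'EXCH01'                      # assumed server name
$CertName = 'mail.contoso.com'            # assumed subject name of the SSL certificate used for IMAP

# Two services ship with startup type Manual: the front-end (client facing) and the back-end.
foreach ($svc in 'MSExchangeIMAP4', 'MSExchangeIMAP4BE') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# SecureLogin rejects clear-text credentials unless the session is already protected
# (SSL on 993, or STARTTLS on 143). X509CertificateName must match the subject name of a
# certificate that has the IMAP service enabled, or clients will fail the TLS handshake.
Set-ImapSettings -Server $Server -LoginType SecureLogin -X509CertificateName $CertName `
    -ExternalConnectionSettings "${CertName}:993:SSL", "${CertName}:143:TLS"

# Verify: both services running and set to Auto, settings applied, and a synthetic login test.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchangeIMAP4%'" |
    Select-Object Name, State, StartMode
Get-ImapSettings -Server $Server |
    Select-Object LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
Test-ImapConnectivity -ClientAccessServer $Server
```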
7. WHAT SPAM PROTECTION IS AVAILABLE WITH EXCHANGE 2016
There is some anti-malware protection in Exchange 2016
Use Get-MalwareFilteringServer, Get-MalwareFilterPolicy and Get-MalwareFilterRule to check details
Edge Transport server is very limited for anti-spam
Can do some RBL and whitelist/blacklist and ‘some’ content filtering
Mostly used as an SMTP server in a DMZ scenario
You always need a separate anti-malware solution
Third party solutions can be on-premises or online
Exchange Online Protection
Anti-malware, DKIM signing/verify, DMARC validation
On-premises solutions
Cisco Email Security Appliance (ESA, aka IronPort)
Anti-malware, DKIM signing/verify, DMARC validation
Beware: Exchange 2016 does not support DKIM and DMARC
Think about user education
There’s no technical solution for user inability!
8. WHAT IS TARPITTING
WHAT IS TARPITTING?
WHY AM I BEING TARPITTED?
HOW TO BYPASS A TARPIT INTERVAL?
Tarpitting is deliberately slowing down SMTP responses on the Receive Connector (default 5 seconds)
This will frustrate malware-sending hosts
Helps protect against directory harvesting
Bypassing the tarpit interval might not be a good idea (whitelist maybe?)
Change it using the Set-ReceiveConnector command
9. BEST WAYS TO ACHIEVE HIGH AVAILABILITY
SPLIT HA INTO TWO PARTS:
PART 1: PROTOCOL LOAD BALANCING
• Use a load balancer for incoming requests
• Distribute requests amongst multiple Exchange servers
• Will load balance and overcome server failure
10. HOW TO ENSURE SITE RESILIENCY
Using multiple datacenters you can create site resiliency
Use the Exchange Preferred Architecture http://bit.ly/ExchangePA
• Namespace design
• Bound namespace – users connect to a particular datacenter like emea.contoso.com or us.contoso.com
• Unbound namespace – users connect to any datacenter like mail.contoso.com
This has an impact on DNS and load balancing design
Use an Active Directory site per datacenter
Transport Site Resilience via Shadow Redundancy and Safety Net can only be achieved when DAG members are in multiple sites
Take care of network latency between datacenters
Geo-distributed Unbound Namespace
11. IS VEEAM SUPPORTED FOR EXCHANGE
DEFINITELY
• Veeam creates a snapshot backup of the Virtual Machine
• Through the Integration Components a VSS snapshot is created in the Virtual Machine
• VSS stamps the database header with last/previous backup information
• VSS purges transaction log files
• And fully supported by Veeam and Microsoft :-)
12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE
That’s not too difficult, but make sure you’re not creating an internet facing open relay server (you’ll be blacklisted in minutes)
The Default Receive Connector accepts anonymous connections and relays mail to internal recipients (Accepted Domain)
Your multi-functional devices can use this for internal delivery
For anonymous delivery to external recipients you need to create a new, dedicated Receive Connector (I prefer not to fiddle around with default connectors)
And, a new Receive Connector means an additional IP address (you cannot have two Receive Connectors listening on the same IP address and port number)
Restrict access to the new Receive Connector on an IP basis
Grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the "NT AUTHORITY\ANONYMOUS LOGON" user on the new Receive Connector
Get-ReceiveConnector -Identity "Relay Connector (EXCH01)" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Another shameless plug: http://bit.ly/SMTPRelay
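Slides 8 and 12 together in one Exchange Management Shell script, added here as an example and not part of the original slides: a dedicated relay connector on its own IP address, locked to a device range and keeping the default tarpit interval, followed by a check that flags connectors granting anonymous any-recipient relay to the whole address space or with tarpitting switched off. The server name, relay IP address and device range are assumptions.

```powershell
# Added example, not from the slides: dedicated anonymous relay connector plus an
# open-relay / tarpit audit. Run in the Exchange Management Shell on an Exchange 2013/2016
# server. Server name, relay IP address and device range are assumptions.
$Server  = 'EXCH01'                       # assumed Mailbox server
$RelayIP = '192.0.2.10'                   # assumed extra IP; the default connector keeps 0.0.0.0:25
$Devices = '192.0.2.100-192.0.2.120'      # assumed printers/scanners allowed to relay
$Name    = "Relay Connector ($Server)"

# Front-end connector on its own IP so it does not clash with the default connector on port 25.
# RemoteIPRanges is the IP restriction; TarpitInterval keeps the 5 second default (slide 8).
New-ReceiveConnector -Name $Name -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings "${RelayIP}:25" -RemoteIPRanges $Devices `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls -TarpitInterval '00:00:05'

# Without this right anonymous senders may only submit to Accepted Domains; with it they
# can relay to external recipients, which is why RemoteIPRanges above must stay narrow.
Get-ReceiveConnector -Identity "$Server\$Name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Audit every connector: the anonymous any-recipient right combined with the full IPv4 or
# IPv6 range is an open relay; a 00:00:00 tarpit interval removes the directory-harvest brake.
function Get-RiskyReceiveConnector {
    foreach ($rc in Get-ReceiveConnector) {
        $anyRecipient = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
        $wideOpen = $rc.RemoteIPRanges | Where-Object {
            "$_" -in @('0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')
        }
        [pscustomobject]@{
            Connector      = "$($rc.Identity)"
            OpenRelay      = [bool]($anyRecipient -and $wideOpen)
            TarpitDisabled = ("$($rc.TarpitInterval)" -eq '00:00:00')
        }
    }
}
Get-RiskyReceiveConnector | Where-Object { $_.OpenRelay -or $_.TarpitDisabled }
```

An empty result from the last line means no connector is both anonymous-relay-capable and listening for the whole address space, and none has tarpitting disabled.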
13. USES FOR OFFCAT
OffCat = Microsoft Office Configuration Analyzer Tool
Provides a detailed report of your installed Office programs
Originally started as Outlook Configuration Analyzer Tool (OCAT)
Use OffCat for scanning PCs for known Office configuration issues and detailed reports
For Outlook, it will scan autodiscover (lots of questions about AutoD), Calendar, Outlook profile etc.
14. HOW TO AVOID/REMOVE CRYPTOLOCKER
REMOVE
• Send money to the bad guy (seen this once) and hope for an unlock key
• Restore the last known good backup. Data after this backup will be lost
AVOID
• Implement a good anti-malware solution, not only for email, but also on PCs
• Yes, this is expensive, but what about the previous bullets?
• User education is extremely important
• Don’t trust incoming email with attachments, invoice-03202017.zip might not be what you think it is
• Don’t click on any (suspicious) link in email
• Be careful with Internet browsing (again, implement an anti-malware solution)
15. THE BEST FREE TOOLS FOR EXCHANGE
Remote Connectivity Analyzer (aka.ms/exrca) (very nice SMTP header analyzer)
Mxtoolbox.com
Exchange Environment Report Tool (by Steve Goodman)
SMTP Protocol logging
Code projects (by Paul Cunningham)
CheckTLS.com
Ssl-checker.online-domain-tools.com
https://www.checktls.com/assuretls.html
Email - [email protected]
Website - https://jaapwesselius.com/
Twitter - https://twitter.com/jaapwess
SUMMARY
Well, there’s not really a summary after discussing top 15 questions
Keep your questions coming…
Email Q&A to: [email protected]
KEMP RESOURCES
Exchange Load Balancing: https://kemptechnologies.com/microsoft-load-balancing/load-balancing-microsoft-exchange/
Exchange Resources: https://exchangeloadbalancer.com/
MSExchange.org Resources: http://www.msexchange.org/loadbalancing/
Dell Load Balancer Store: http://www.dell.com/load-balancers