Communications seminar 8 November 2012 / Exchange
The new Exchange. Work Smarter, Anywhere.
Exchange, Office & Office 365 Preview Workshop
October 2012
Hi, who is speaking?
Jarmo Ekholm, Senior Trainer/Consultant, MCT, MCSE, MCITP. Areas of expertise: Exchange, all versions; certificate services; server infrastructure.
Copyright© Microsoft Corporation
Introducing | Your Modern Office
Devices, Social, Cloud, Control
Exchange. Work Smarter, Anywhere.
Exchange enables you to tailor your solution based on your unique needs and ensures your communications are always available while you remain in control; on your own terms—online, on-premises, or a hybrid of the two.
Exchange helps your users be more productive by helping them manage increasing volumes of communications across multiple devices and work together more effectively as teams.
Exchange keeps your organization safe by enabling you to protect business communications and sensitive information and to meet internal and regulatory compliance requirements.
Do more, on any device
Keep the organization safe
Remain in control, online, and on-premises
Increase your insight
Smart monitoring, telemetry, and analytics to improve your users' experience
Plan your upgrades
Scheduled, fast, seamless upgrades to ease onboarding
Role-based access control
Who
Where
What
Cloud ready
Enterprise-grade reliability and standards: ISO 27001, SSAE16, FERPA, HIPAA, FISMA & EU Model Clauses
Replicated in geo-redundant datacenters to protect against datacenter-wide failures
Risk mitigation with a multi-dimensional approach to help safeguard services and the privacy of data
Backed by a 99.9% financially backed service level agreement
Block Spam before it reaches your network
Block email based on language
Block email based on geography
Transparent & granular retention
Policy details transparently displayed to end user
Right click to assign policy to an item, folder or to all your
Comprehensive view of DLP policy performance
Unified eDiscovery
• Get instant statistics
• Use proximity searches to understand context
• Query results across Exchange, Lync & SharePoint
• Laser-focused refiners to help find the data you need
• Fine-tune complex queries
Previous Server Role Architecture
5 server roles, tightly coupled in terms of versioning, functionality, user partitioning and geo-affinity.
Diagram: on the internal network, Outlook (local user), a line-of-business application, Active Directory and the phone system (PBX or VoIP) connect to the Mailbox role (stores mailbox and public folder items), Unified Messaging (voice mail and voice access), Client Access (client connectivity, web services) and Hub Transport (routing and policy); a web browser, Outlook (remote user) and mobile phones reach Client Access through a Layer 7 load balancer; external SMTP servers reach Hub Transport through Edge Transport (routing and AV/AS) or Forefront Online Protection for Exchange.
Challenges with existing model
Exchange deployments can be complicated
Load balancing is difficult and can require expensive solutions
When dedicated server roles are deployed, hardware can go unutilized or under-utilized
Too many namespaces required
Exchange high availability
Evolved architecture with Exchange building block model
Help simplify deployments
Integrate availability throughout the system
Exchange 2013 Architecture Benefits
Hardware efficiency; deployment simplicity; cross-version interop; failure isolation.
Architecture overview
Exchange building blocks:
• Client Access Server comprises the client protocols and SMTP
• Mailbox Server hosts all components to process, render and store data
Diagram: local clients, remote clients & devices and the PBX reach the CAS through a Layer 4 load balancer; the CAS proxies to the MBX; the Edge role sits between the Internet and the enterprise network.
Functional Layering
Exchange 2010 (hardware load balancer: L7 LB)
• Client Access: AuthN, Proxy, Re-direct
• Hub Transport, Unified Messaging: Protocols, API, Biz-logic
• Mailbox: Assistants, Store, CI
Exchange 2013 (hardware load balancer: L4 LB)
• Client Access: AuthN, Proxy, Re-direct
• Mailbox: Protocols, Assistants, API, Biz-logic, Store, CI
Exchange Deployment and Coexistence
Fundamentals of Deployment
Exchange 2013 Prerequisites
• Supported coexistence scenarios: Exchange Server 2010 SP3*; Exchange Server 2007 SP3 (+ coexistence RU*)
• Supported client access methods: Outlook 2013, Outlook 2010, Outlook 2007 (RPC over HTTP is the only connectivity method for Outlook clients); Entourage 2008 for Mac, Web Services Edition; Outlook for Mac 2011
* http://blogs.technet.com/b/exchange/archive/2012/09/25/announcing-exchange-2010-service-pack-3.aspx
• Active Directory: Windows Server 2003 forest functional level or higher; at least one Windows Server 2003 SP2 or later GC/DC in each site; no support for RODC or ROGC
• Supported namespaces: contiguous; dis-contiguous (also known as non-contiguous); disjoint; single label domain. Definitions: http://technet.microsoft.com/en-us/library/cc731125(v=WS.10).aspx
• Operating system (64-bit): Windows Server 2008 R2 SP1 Standard or Enterprise (Standard for Exchange 2013 Client Access servers; Enterprise for Exchange 2013 Mailbox servers in a DAG); Windows Server 2012 Standard or Datacenter
• Other: IIS and OS components; .NET Framework 4.5; Windows Management Framework 3.0; Unified Communications Managed API (UCMA) 4.0
Upgrade and Coexistence
Upgrading to Exchange Preview from an existing Exchange 2010 environment
Diagram: an Internet-facing site (upgrade first; namespaces autodiscover.contoso.com and mail.contoso.com) and an intranet site, each with Exchange 2010 SP3 CAS, HUB and MBX servers; Exchange 2013 CAS and MBX servers are added alongside them.
1. Prepare: install Exchange 2010 SP3 across the organization; prepare AD with the Exchange Preview schema; validate existing client access using the Remote Connectivity Analyzer and the test connectivity cmdlets.
2. Deploy Exchange Preview servers: install both Exchange Preview MBX and CAS servers.
3. Obtain and deploy certificates on the Exchange Preview Client Access servers.
4. Switch the primary namespace to the Exchange Preview CAS: Exchange Preview fields all traffic, including traffic from Exchange 2010 users; validate using the Remote Connectivity Analyzer.
5. Move mailboxes: build out the DAG; move Exchange 2010 users to Exchange Preview MBX.
6. Repeat for additional sites.
Upgrading to Exchange Preview from an existing Exchange 2007 environment
Diagram: an Internet-facing site (upgrade first; namespaces autodiscover.contoso.com, mail.contoso.com and the legacy namespace legacy.contoso.com) and an intranet site, each with Exchange 2007 SP3 (+ RU) CAS, HUB and MBX servers; Exchange 2013 CAS and MBX servers are added alongside them.
1. Prepare: install Exchange 2007 SP3 + RU across the organization; prepare AD with the Exchange Preview schema and validate.
2. Deploy Exchange Preview servers: install both Exchange Preview MBX and CAS servers.
3. Create the legacy namespace: create a DNS record that points to the legacy Exchange 2007 CAS.
4. Obtain and deploy certificates: on the Exchange Preview CAS servers, configured with the legacy namespace, the Exchange Preview namespace and the autodiscover namespace; deploy certificates on the Exchange 2007 CAS.
5. Switch the primary namespace to the Exchange Preview CAS; validate using the Remote Connectivity Analyzer.
6. Move mailboxes: build out the DAG; move Exchange 2007 users to Exchange Preview MBX.
7. Repeat for additional sites.
Preparing for Exchange Preview: Prepare
Install the coexistence update on all servers in the organization: install Exchange 2010 SP3 using the same steps as previous Exchange 2010 service packs; install Exchange 2007 SP3 + coexistence RU using the same steps as previous Exchange 2007 roll-ups.
Prepare Active Directory with the Exchange Preview schema.
Validate existing client access using the Remote Connectivity Analyzer (http://www.exrca.com) and the test connectivity cmdlets.
Exchange Preview Setup
Install both MBX and CAS servers: MBX performs the PowerShell commands; CAS is a proxy only.
Setup: GUI or command line; in-place upgrades are not supported; updated to reflect the Exchange Preview roles.
Parameters: a new required parameter for license terms acceptance, /IAcceptExchangeServerLicenseTerms, must accompany every install:
− Setup.exe /mode:install /roles:clientaccess /IAcceptExchangeServerLicenseTerms
− Setup.exe /mode:install /roles:mailbox /IAcceptExchangeServerLicenseTerms
− Setup.exe /mode:install /roles:ManagementTools /IAcceptExchangeServerLicenseTerms
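As an added example (not code from the slides or from Microsoft's setup documentation), the following PowerShell 3.0 script checks the prerequisites listed above before running the unattended setup steps, so that Setup.exe is not started in a forest it will fail in. The media path D:\Exchange2013 and the uninstall display name used to detect UCMA 4.0 are assumptions; the Setup.exe switches /PrepareSchema, /PrepareAD, /PrepareAllDomains and /mode:Install are the product's own.

```powershell
# Added example: prerequisite check followed by unattended Exchange 2013 setup.
# Run in an elevated PowerShell 3.0 session on the future Exchange server as a
# Schema Admin / Enterprise Admin. D:\Exchange2013 is a hypothetical media path.
Import-Module ActiveDirectory

$setup    = 'D:\Exchange2013\Setup.exe'
$problems = @()

# Forest functional level must be Windows Server 2003 or higher.
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    $problems += "Forest functional level is $($forest.ForestMode); Windows2003Forest or higher is required."
}

# Exchange cannot use read-only DCs/GCs, so every AD site that has a DC needs a
# writable global catalog.
$dcs = Get-ADDomainController -Filter *
foreach ($site in ($dcs | Select-Object -ExpandProperty Site -Unique)) {
    $writableGc = $dcs | Where-Object { $_.Site -eq $site -and $_.IsGlobalCatalog -and -not $_.IsReadOnly }
    if (-not $writableGc) { $problems += "Site '$site' has no writable global catalog (RODC/ROGC are not supported)." }
}

# Operating system: Windows Server 2008 R2 SP1 (6.1 with SP1) or Windows Server 2012 (6.2).
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [Version]$os.Version
if ($ver -lt [Version]'6.1' -or ($ver -lt [Version]'6.2' -and $os.ServicePackMajorVersion -lt 1)) {
    $problems += "Unsupported OS '$($os.Caption)' $($os.Version) SP$($os.ServicePackMajorVersion)."
}

# .NET Framework 4.5 (Release value 378389 is the 4.5 RTM build).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 378389) { $problems += '.NET Framework 4.5 is not installed.' }

# Windows Management Framework 3.0 ships PowerShell 3.0.
if ($PSVersionTable.PSVersion.Major -lt 3) { $problems += 'Windows Management Framework 3.0 is required.' }

# UCMA 4.0 Runtime, detected by its uninstall entry (the display-name prefix is an assumption).
$ucma = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Unified Communications Managed API 4.0*' }
if (-not $ucma) { $problems += 'Unified Communications Managed API 4.0 Runtime is not installed.' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; fix the items above before running Setup.exe.'
}

# Every Setup.exe invocation needs /IAcceptExchangeServerLicenseTerms; stop on the
# first failure so a half-prepared forest is noticed immediately.
function Invoke-ExchangeSetup([string[]]$Arguments) {
    & $setup @Arguments /IAcceptExchangeServerLicenseTerms
    if ($LASTEXITCODE -ne 0) { throw "Setup.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE." }
}

# Order matters: schema first, then the organization, then every domain, then the roles.
# /PrepareAD needs no /OrganizationName here because the 2007/2010 organization already exists.
Invoke-ExchangeSetup '/PrepareSchema'
Invoke-ExchangeSetup '/PrepareAD'
Invoke-ExchangeSetup '/PrepareAllDomains'
Invoke-ExchangeSetup '/mode:Install', '/roles:Mailbox,ClientAccess'
```

The schema and AD preparation steps change the whole forest and are run once, typically from the first site; the final install line is what gets repeated on each new Exchange Preview server.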
Create Legacy Namespace
Required for Exchange 2007 coexistence only; used to access Exchange 2007 during coexistence.
Create a DNS record in internal and external DNS for the legacy namespace, e.g. legacy.contoso.com.
Validate the legacy namespace creation via the Remote Connectivity Analyzer (http://www.exrca.com).
2007/2013 coexistence diagram: DNS resolves legacy.domain.com to the 2007 CAS (whose ExternalURL is legacy.domain.com) and mail.domain.com to the 2013 CAS; users open mail.domain.com/owa on the 2013 CAS.
Certificates
End-to-end certificate wizard in the Exchange Administration Center (EAC).
The EAC provides a notification when an Exchange Preview Client Access server's certificate is about to expire: the first notification is shown 30 days prior to expiration, subsequent notifications daily.
Certificates - Best Practices
• Minimize the number of certificates
• Minimize the number of host names: use split DNS for Exchange host names; mail.contoso.com for Exchange connectivity on intranet and Internet, with different IP addresses in intranet and Internet DNS
• Don't list machine host names in the certificate host name list; use load-balanced (LB) arrays for intranet and Internet access to servers
• Use a "Subject Alternative Name" (SAN) certificate
Client Access Server Upgrade
• Validate legacy namespace creation
• Configure load balancing: Layer 7 load balancers are no longer required for the primary Exchange 2013 namespace; Layer 4 is supported and recommended; the legacy namespace is a separate VIP configured with Layer 7 load balancing
• Configure the AutoDiscoverServiceInternalUri on Exchange 2013 CAS servers to a load-balanced value
• Configure AutoDiscoverSiteScope
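The certificate best practices and the CAS upgrade steps above, carried out together, as an added example that is not code from the slides or from Microsoft: the cmdlets are the Exchange 2013 Management Shell's own, while the names under contoso.com, the organization details in the subject, the \\fileserver\certs share and the AD site name Helsinki are assumptions. It runs on an Exchange 2013 CAS in two passes (request, then install once the CA has issued the certificate).

```powershell
# Added example: one SAN certificate for the load-balanced names, then one
# namespace for every client protocol so split DNS alone decides the path.
$cas      = $env:COMPUTERNAME
$primary  = 'mail.contoso.com'
# legacy.contoso.com is only needed while Exchange 2007 is still in the organization.
$sanNames = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com'

# Pass 1: certificate request. Only load-balanced names, never machine FQDNs.
function Request-ExchangeSanCertificate {
    $req = New-ExchangeCertificate -Server $cas -GenerateRequest -PrivateKeyExportable $true `
        -FriendlyName 'Contoso Exchange 2013' -SubjectName "CN=$primary, O=Contoso, C=FI" -DomainName $sanNames
    Set-Content -Path '\\fileserver\certs\exchange.req' -Value $req     # hypothetical share
}

# Pass 2: import the issued certificate and bind it to IIS (all HTTP protocols) and SMTP.
function Install-ExchangeSanCertificate {
    $bytes = [Byte[]](Get-Content -Path '\\fileserver\certs\exchange.cer' -Encoding Byte -ReadCount 0)
    $cert  = Import-ExchangeCertificate -Server $cas -FileData $bytes
    Enable-ExchangeCertificate -Server $cas -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
}

# Best-practice audit: no machine host names in any certificate that is in use,
# and the same 30-day expiry warning the EAC gives, scripted for every CAS.
function Test-ExchangeCertificateHygiene {
    $serverFqdns = Get-ExchangeServer | ForEach-Object { $_.Fqdn.ToLower() }
    foreach ($server in (Get-ClientAccessServer)) {
        Get-ExchangeCertificate -Server $server.Name | Where-Object { $_.Services.ToString() -ne 'None' } | ForEach-Object {
            $leak = $_.CertificateDomains | Where-Object { $serverFqdns -contains $_.ToString().ToLower() }
            if ($leak) { Write-Warning "$($server.Name) $($_.Thumbprint): machine names in SAN list: $($leak -join ', ')" }
            if ($_.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($server.Name) $($_.Thumbprint) expires $($_.NotAfter)" }
        }
    }
}

# Namespace: internal URL == external URL == mail.contoso.com on every virtual
# directory, Autodiscover pointed at the load-balanced name, and Outlook Anywhere
# on a single host name (Outlook supports one RPC proxy endpoint).
function Set-ExchangeNamespace {
    $url = "https://$primary"
    Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "$url/Autodiscover/Autodiscover.xml" `
        -AutoDiscoverSiteScope 'Helsinki'
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -InternalHostname $primary -ExternalHostname $primary `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
    Set-OwaVirtualDirectory         -Identity "$cas\owa (Default Web Site)" -InternalUrl "$url/owa" -ExternalUrl "$url/owa"
    Set-EcpVirtualDirectory         -Identity "$cas\ecp (Default Web Site)" -InternalUrl "$url/ecp" -ExternalUrl "$url/ecp"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"
    Set-ActiveSyncVirtualDirectory  -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "$url/Microsoft-Server-ActiveSync" -ExternalUrl "$url/Microsoft-Server-ActiveSync"
    Set-OabVirtualDirectory         -Identity "$cas\OAB (Default Web Site)" -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"
}

# Pass 1 on day one; pass 2 once the CA has issued the certificate:
# Request-ExchangeSanCertificate
# Install-ExchangeSanCertificate; Set-ExchangeNamespace; Test-ExchangeCertificateHygiene
```

Because the intranet and Internet load-balancer VIPs both answer to mail.contoso.com, the certificate never needs a per-server name, and the audit function flags the common mistake of adding one "just to make the self-signed warning go away".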
Exchange Architecture – CAS
Agenda
• Discuss the "new" server architecture in Exchange Preview
• Discuss the Client Access Server (CAS) role architecture
What's wrong with the existing model?
• Exchange deployments are overly complicated
• Doing Exchange load balancing "right" is hard and often requires expensive solutions; over the last year we saw multiple issues in MSIT/Office 365 and with services like BES and MRS Proxy that all came down to the load balancer; many hardware load balancing (HLB) solutions are expensive and thus a luxury many of our customers can't afford or don't have the expertise to deploy
• Customers deploy based on dedicated server roles, so in many cases hardware is deployed that is unutilized (e.g., DIMM slots and disk slots) or underutilized
• Too many namespaces are required (especially in site-resilient designs)
Exchange: The Evolution
• 2000/2003: role differentiation through manual configuration; hardware solutions for "reliability" ($$$$); Exchange servers attached to a SAN
• 2007: separate roles for ease of deployment and management segmentation; support for cheaper storage
• 2010: separate HA solutions for each role; introduced the DAG; rich management experience using RBAC; leaves resources on the ground in each role (L7 LB in front of CAS, HT and MBX)
• 2013: simplify for scale, balanced utilization and isolation; integrate HA for all roles; simplify the network architecture (L4 LB)
The "New" Server Architecture
Exchange Preview Architecture Theme
Use building blocks to facilitate deployments at all scales, from self-hosted small organizations to Office 365: server role evolution; network layer improvements; versioning and interoperability principles.
Benefits: hardware efficiency; deployment simplicity; low-friction, cross-version interoperability; failure isolation.
Exchange Preview Server Role Architecture
Two building blocks:
1. Client Access Array: evolution of the Exchange 2010 CAS Array; SMTP front end
2. Database Availability Group: evolution of the Exchange 2010 DAG; includes the core server protocols
Loosely coupled in terms of functionality, versioning, user partitioning and geo-affinity.
Diagram: on the enterprise network, a Layer 4 load balancer fronts the CAS array (CAS servers); behind it the DAG (MBX servers) holds the data; Outlook (local user), the line-of-business application, Active Directory and the phone system (PBX or VoIP) are inside the network; a web browser, Outlook (remote user) and mobile phones connect from outside; external SMTP servers arrive through Edge Transport (routing and AV/AS) or Forefront Online Protection for Exchange.
CAS 2013 Client Protocol Architecture
Diagram: OWA, Outlook, EAS, EAC, PowerShell and SBC/AP clients reach a Layer 4 load balancer in front of CAS 2013. CAS 2013 runs IIS with an HTTP proxy (OWA, EAS, EWS, ECP, OAB, RPS, RpcProxy), POP and IMAP listeners, SMTP (front-end transport) and UM SIP redirect. It forwards HTTP, POP/IMAP, SMTP and SIP + RTP to MBX 2013, which runs IIS (RPC CA, OWA, EAS, EWS, ECP, OAB, RPS), POP/IMAP, Transport (with the mail queue), UM and the mailbox database (MDB).
Outlook Connectivity: RPC/HTTP and the death of RPC/TCP
RPC/HTTP removes the need for a complicated namespace for the DAG (RPC Client Access service) and simplifies the protocol stack.
How does it work?
1. CAS 2013 receives the outer HTTP request, directed to mail.contoso.com
2. CAS 2013 extracts the RPC Server Name from the request URL, which is in the form <mailbox GUID>@contoso.com
3. CAS 2013 performs an Active Directory lookup of the mailbox GUID, followed by an Active Manager lookup, and determines which MBX 2013 server hosts the active database copy
4. CAS 2013 proxies the HTTP request to that MBX 2013
What are the benefits?
• No longer require an "RPC CAS array namespace" for the DAG
• No longer have to worry about "The Exchange administrator has made a change that requires you to quit and restart Outlook" during mailbox moves or *over events
• Extremely reliable and stable connectivity model: the RPC session is always on the MBX 2013 server hosting the active database copy
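To make the lookup concrete, the following added example (not from the slides) reproduces steps 2 and 3 from the Exchange 2013 Management Shell for one mailbox and shows why nothing in the RPC server name has to change when the active copy moves. The user name jarmo is hypothetical; the cmdlets and properties are Exchange's own.

```powershell
# Added example: what CAS 2013 resolves for an Outlook Anywhere session.
function Resolve-RpcHttpTarget {
    param([Parameter(Mandatory = $true)][string]$Mailbox)

    $mbx = Get-Mailbox -Identity $Mailbox

    # Step 2: the RPC Server Name inside the outer HTTP request is
    # <ExchangeGuid>@<primary SMTP domain>. It is not a DNS name, is never
    # resolved by the client, and therefore needs no certificate entry or VIP.
    $rpcServerName = "$($mbx.ExchangeGuid)@$($mbx.PrimarySmtpAddress.Domain)"

    # Step 3: GUID -> mailbox database (Active Directory), then database ->
    # server holding the active (mounted) copy (Active Manager).
    $db     = Get-MailboxDatabase -Identity $mbx.Database
    $active = Get-MailboxDatabaseCopyStatus -Identity $db.Name |
              Where-Object { $_.Status -eq 'Mounted' } | Select-Object -First 1

    # What the client actually connects to is the single Outlook Anywhere name.
    $proxyHost = (Get-OutlookAnywhere | Select-Object -First 1).ExternalHostname

    [PSCustomObject]@{
        Mailbox       = $mbx.PrimarySmtpAddress.ToString()
        RpcServerName = $rpcServerName          # stable for the life of the mailbox
        ProxyEndpoint = "$proxyHost"            # the only name Outlook resolves
        Database      = $db.Name
        ActiveCopyOn  = $active.MailboxServer   # step 4: CAS proxies the HTTP request here
    }
}

# Around a *over only ActiveCopyOn changes; RpcServerName and ProxyEndpoint stay
# identical, which is why Outlook never sees the "quit and restart" prompt.
$before = Resolve-RpcHttpTarget -Mailbox 'jarmo'
# Move-ActiveMailboxDatabase -Identity $before.Database   # switchover; run in a lab only
$after  = Resolve-RpcHttpTarget -Mailbox 'jarmo'
$before, $after | Format-Table Mailbox, RpcServerName, ProxyEndpoint, ActiveCopyOn -AutoSize
```

Uncomment the switchover line in a lab to watch ActiveCopyOn move while the two names the client depends on stay the same; in the 2010 model the equivalent change was what forced the Outlook restart.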
Third-Party MAPI Products
Third-party MAPI products will need to use RPC/HTTP to connect to CAS 2013.
Exchange Preview will be the last release to support a MAPI/CDO download; third parties must move to Exchange Web Services in the future.
The MAPI/CDO download will be updated to include support for RPC/HTTP connectivity. This will require third-party application configuration, either by programmatically editing a dynamic MAPI profile or by setting registry keys. Legacy environments can continue to use RPC/TCP.
Split DNS: what you need to control connectivity flow
Outlook only supports a single RPC proxy endpoint. If Outlook Anywhere is allowed on the Internet, internal Outlook clients may therefore connect to the external firewall for connectivity.
To ensure that internal Outlook clients follow the internal pathway, use split DNS: it forces internal clients to use the internal IP and external clients to use the external IP.
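An added check (not from the slides) for the situation described above: it confirms that every CAS advertises the same Outlook Anywhere host name and that the name resolves to the intranet VIP on the internal resolver but to the Internet VIP on a public one. It uses Resolve-DnsName, which needs Windows Server 2012 or Windows 8; the resolver addresses and VIPs are hypothetical.

```powershell
# Added example: verify split DNS for the single Outlook Anywhere endpoint.
$internalDns = '10.0.0.10'      # AD-integrated DNS server (hypothetical)
$externalDns = '8.8.8.8'        # any public resolver, to see the Internet view
$internalVip = '10.0.1.50'      # intranet load-balancer VIP (hypothetical)
$externalVip = '203.0.113.25'   # Internet VIP (RFC 5737 documentation address)

function Test-SplitDnsEndpoint {
    # 1. Every CAS must advertise the same host name inside and outside,
    #    because Outlook keeps exactly one RPC proxy endpoint per profile.
    $names = Get-OutlookAnywhere | ForEach-Object {
        $_.InternalHostname.ToString(); $_.ExternalHostname.ToString()
    } | Where-Object { $_ } | Sort-Object -Unique
    if (@($names).Count -ne 1) {
        Write-Warning "Expected one Outlook Anywhere host name, found: $($names -join ', ')"
    }

    # 2. The same name must answer differently depending on which resolver is asked.
    foreach ($name in $names) {
        $inside  = @(Resolve-DnsName -Name $name -Type A -Server $internalDns -DnsOnly |
                     Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
        $outside = @(Resolve-DnsName -Name $name -Type A -Server $externalDns -DnsOnly |
                     Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
        [PSCustomObject]@{
            Name           = $name
            InternalAnswer = $inside -join ', '
            ExternalAnswer = $outside -join ', '
            InternalOk     = ($inside -contains $internalVip)
            ExternalOk     = ($outside -contains $externalVip)
            # If the internal resolver hands out the Internet VIP, internal Outlook
            # hairpins through the external firewall, the exact problem split DNS avoids.
            Hairpin        = ($inside -contains $externalVip)
        }
    }
}

Test-SplitDnsEndpoint | Format-Table -AutoSize
```

A Hairpin of True with InternalOk False is the symptom to look for after a DNS change: clients still work, but all internal Outlook traffic is now crossing the perimeter.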
CAS 2013 Client Protocol Connectivity Flow: Legacy Coexistence
Columns: (a) E2007 user accessing the E2010 namespace, which requires a legacy namespace; (b) E2007 user accessing the E2013 namespace, which uses the legacy namespace; (c) E2010 user accessing the E2013 namespace, which needs no additional namespaces.
OWA
(a) same AD site: silent or SSO FBA redirect; externally facing AD site: manual or silent/SSO cross-site redirect; internally facing AD site: proxy
(b) silent redirect (not SSO) to the CAS 2007 externally facing URL
(c) proxy to CAS 2010; cross-site silent redirect (not SSO), which may redirect to CAS 2010 or CAS 2013
Exchange ActiveSync
(a) EAS v12.1+: Autodiscover & redirect; older EAS devices: proxy
(b) proxy to MBX 2013
(c) proxy to CAS 2010
Outlook Anywhere
(a) direct CAS 2010 support
(b) proxy to CAS 2007
(c) proxy to CAS 2010
Autodiscover
(a) direct CAS 2010 support
(b) redirect to the CAS 2007 externally facing URL
(c) proxy to CAS 2010
EWS
(a) Autodiscover
(b) Autodiscover
(c) proxy to CAS 2010
POP/IMAP
(a) proxy
(b) proxy to CAS 2007
(c) proxy to CAS 2010
OAB
(a) direct CAS 2010 support
(b) proxy to CAS 2007
(c) proxy to CAS 2010
RPS
(a) n/a
(b) n/a
(c) proxy to CAS 2010
ECP
(a) n/a
(b) n/a
(c) proxy to CAS 2010; cross-site redirect, which may redirect to CAS 2010 or CAS 2013
CAS 2013 Client Protocol Benefits
• Simplifies the network layer: L4 load balancing is simpler and less expensive than L7 LB; just get the traffic to CAS 2013 and let it handle the affinity; CAS 2013 can be "farther away" from MBX 2013 and still offer good client performance (because it is a 1:1 proxy); removes the need for RPC Client Access arrays
• Deployment flexibility: CAS 2013 provides more deployment flexibility, for example consolidating to fewer sites; a single worldwide namespace can be deployed
• Simplifies upgrade and interoperability: designed to proxy to multiple Mailbox Server versions, up- and down-level; DAGs can be replaced with Exchange Preview at any desired pace
Front-End Transport Service
Front-End Transport Service Architecture
Diagram: the Front-End Transport pipeline on CAS 2013 consists of SMTP Receive (with protocol agents), a Hub Selector and SMTP Send; it accepts SMTP from external SMTP servers and from MBX 2013, and sends SMTP to external SMTP servers and to MBX 2013.
Benefits of SMTP Front-End Service
The SMTP Front-End Service provides:
• Protocol-level filtering: performs connection, recipient, sender and protocol filtering
• Network protection: a centralized, load-balanced egress/ingress point for the organization
• Mailbox locator: avoids unnecessary hops by determining the best MBX 2013 to deliver the message to
• A load-balanced solution for client/application SMTP submissions
• Scales based on the number of connections: just add more servers
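Since the front-end service is now the one SMTP ingress point for clients, applications and the Internet, its receive connectors are where relay policy is enforced. The following added example (not from the slides; cmdlets are Exchange 2013's own, the application address 10.0.5.20 and connector name are hypothetical) lists the front-end connectors, creates a relay connector scoped to one source address, and audits for the classic mistake of anonymous relay open to the whole address space.

```powershell
# Added example: scoped application relay on the Front-End Transport service,
# plus an open-relay audit across all receive connectors.
$cas = $env:COMPUTERNAME

# Every client/app/Internet SMTP session lands on the Front-End Transport
# service (ports 25/587), never directly on the Transport service (2525).
Get-ReceiveConnector -Server $cas |
    Select-Object Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups | Format-Table -AutoSize

# Scoped relay: anonymous, but only from one source address, on the front end,
# with verbose protocol logging so the connection/sender/recipient filtering
# decisions are auditable afterwards.
$relay = New-ReceiveConnector -Name 'App relay from 10.0.5.20' -Server $cas `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '10.0.5.20' -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose

# Relaying to external recipients needs this extended right; grant it on the
# scoped connector only, never on the default front-end connector.
$relay | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Audit: a connector that pairs Accept-Any-Recipient for anonymous senders with an
# unrestricted remote range is an open relay, regardless of its name.
function Find-OpenRelayConnector {
    foreach ($rc in Get-ReceiveConnector) {
        $anonRelay = $rc | Get-ADPermission | Where-Object {
            $_.User -like '*ANONYMOUS LOGON' -and ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*')
        }
        $worldwide = $rc.RemoteIPRanges | Where-Object { $_.ToString() -eq '0.0.0.0-255.255.255.255' }
        if ($anonRelay -and $worldwide) {
            [PSCustomObject]@{ Connector = $rc.Identity.ToString(); Bindings = ($rc.Bindings -join ', ') }
        }
    }
}

Find-OpenRelayConnector | Format-Table -AutoSize
```

The default front-end connector keeps its unrestricted remote range so the Internet can deliver inbound mail; what must never be added to it is the Accept-Any-Recipient right, and the audit function reports exactly that combination.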
Key Takeaways
• New building blocks: facilitate deployments at all scales, from self-hosted small organizations to Office 365; provide more flexibility in namespace management
• Simplified upgrade and interoperability: all components in a given server are upgraded together; no need to juggle CAS <-> MBX <-> HT versions separately
• Client Access Server role: simplifies the network layer (layer 7 solutions are no longer needed!); proxies and authenticates all client protocols; provides a load-balanced SMTP proxy solution for clients and external applications
Public Folders: Dawn of a New Age
Architectural bet: public folders are based on the mailbox architecture.
Details: the hierarchy is stored in public folder mailboxes (one writeable); content can be broken up and placed in multiple mailboxes; the hierarchy folder points to the target content mailbox; uses the same HA mechanism as mailboxes; no separate replication mechanism; single-master model.
Similar administrative features to current PFs (setting quota, expiry, etc.); no end-user changes (looks just like today's PFs).
Not all public folder usage scenarios are best served by public folders.
Diagram: a client's public logon goes via CAS 2013 to the hierarchy mailbox on one MBX 2013 server; its private logon goes to the user's own mailbox; content mailboxes on other MBX 2013 servers are reached with further public logons.
Exchange Preview Public Folders in Action
1. The user connects to their home Public Folder mailbox first, which should be located near their primary mailbox; all Public Folder mailboxes have a complete copy of the folder hierarchy.
2. Folder contents live in a specific mailbox for that folder; all content operations are redirected to the mailbox for that folder.
3. Folder hierarchy changes are intercepted and written to the writeable copy of the Public Folder hierarchy.
4. All Public Folder mailboxes listen for hierarchy changes and update, similar to Outlook clients.
5. When a Public Folder mailbox gets full, move some folders to a new mailbox.
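The layout described in the five steps above, built from the Exchange 2013 Management Shell as an added example that is not from the slides: one writable hierarchy mailbox, content spread over further mailboxes, and a content-only move when a mailbox fills up. Mailbox and folder names are hypothetical; the cmdlets and properties are Exchange's own.

```powershell
# Added example: modern public folder layout and a content move.

# 1. The first public folder mailbox created holds the only writable hierarchy.
New-Mailbox -PublicFolder -Name 'PF-Hierarchy'

# Further mailboxes hold content plus a read-only hierarchy copy. Keep a new
# mailbox out of hierarchy serving until it has synced, otherwise users whose
# home PF mailbox it becomes see an empty tree.
New-Mailbox -PublicFolder -Name 'PF-Content-Sales'
Set-Mailbox -PublicFolder 'PF-Content-Sales' -IsExcludedFromServingHierarchy $true

# 2. Folders exist in the hierarchy; -Mailbox picks where their content lives.
New-PublicFolder -Name 'Sales'       -Path '\' -Mailbox 'PF-Content-Sales'
New-PublicFolder -Name 'Engineering' -Path '\'   # content stays in the hierarchy mailbox

# Which mailbox owns which content, and which one is the writable master.
Get-PublicFolder -Recurse | Select-Object Identity, ContentMailboxName | Format-Table -AutoSize
(Get-OrganizationConfig).RootPublicFolderMailbox

# 3./4. Once the read-only copy has synced, let the mailbox serve the hierarchy.
Set-Mailbox -PublicFolder 'PF-Content-Sales' -IsExcludedFromServingHierarchy $false

# 5. When a content mailbox gets full, move folders to a new mailbox. Only
#    content moves; the hierarchy entry is unchanged, so clients see nothing.
New-Mailbox -PublicFolder -Name 'PF-Content-Sales2'
New-PublicFolderMoveRequest -Folders '\Sales' -TargetMailbox 'PF-Content-Sales2'
Get-PublicFolderMoveRequest | Get-PublicFolderMoveRequestStatistics |
    Format-Table Name, Status, PercentComplete -AutoSize
```

Because the hierarchy is single-master, the mailbox named by RootPublicFolderMailbox is the one whose availability matters for folder creation; placing it in a DAG gives public folders the same HA story as any other mailbox.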
Transport-Related Changes
Mailbox Transport Component Architecture
Diagram: the Mailbox Transport pipeline on MBX 2013 has two halves. Mailbox Transport Delivery receives SMTP from the Transport service, runs the MBX Deliver agents and writes to the mailbox store through the Store Driver Deliver (MAPI). Mailbox Transport Submission picks up messages from the store through the Store Driver Submit (MAPI), runs the MBX Submit agents and MBX Assistants, selects a hub (router) and sends SMTP to the Transport service.
Routing Optimizations
Next hop selection is broken down into distinct delivery groups: routable DAG; mailbox delivery group; connector source servers; Active Directory site (hub sites; Edge subscriptions); server list (delivery group expansion servers).
Queuing is per delivery group, connector or mailbox.
Once a message is received at its final destination, Transport delivers it via SMTP to Mailbox Transport on the server hosting the active database copy.
Send/Delivery-Agent connectors can have source servers from multiple DAGs or Active Directory sites, and can be proxied through CAS.
Guaranteed Redundancy
New transport configuration: RejectOnShadowFailure ensures that no message is acknowledged and accepted unless a shadow copy was first created.
Messages are made redundant on other servers within a DAG, stamp group or site.
Messages are tried for a configurable amount of time before giving up and rejecting the message.
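The default configuration beside the "guaranteed redundancy" setting, as an added example that is not from the slides, with the check a practitioner wants before turning rejection on: a server that has no peer to shadow to would start rejecting every submission. The cmdlets are Exchange 2013's own; the Set-TransportConfig parameter is named RejectMessageOnShadowFailure there (the slide abbreviates it).

```powershell
# Added example: shadow redundancy policy, weak default beside the hardened setting.

# Current policy. Default: ShadowRedundancyEnabled = $true but
# RejectMessageOnShadowFailure = $false, i.e. a message is still acknowledged
# to the sender when no shadow copy could be created.
Get-TransportConfig | Format-List ShadowRedundancyEnabled, RejectMessageOnShadowFailure, `
    ShadowMessagePreferenceSetting, MaxRetriesForLocalSiteShadow, MaxRetriesForRemoteSiteShadow

# A server with no other Mailbox server in its DAG (or, outside a DAG, in its AD
# site) has nowhere to shadow to; with rejection on it would answer every
# submission with a transient error. Count the candidate peers first.
function Get-ShadowPeer {
    param([string]$Server = $env:COMPUTERNAME)
    $me  = Get-ExchangeServer -Identity $Server
    $dag = Get-DatabaseAvailabilityGroup | Where-Object { ($_.Servers | ForEach-Object Name) -contains $me.Name }
    if ($dag) {
        $boundary  = "DAG $($dag.Name)"
        $peerNames = $dag.Servers | ForEach-Object Name | Where-Object { $_ -ne $me.Name }
    } else {
        $boundary  = "site $($me.Site.Name)"
        $peerNames = Get-ExchangeServer | Where-Object {
            $_.IsMailboxServer -and $_.Name -ne $me.Name -and $_.Site.Name -eq $me.Site.Name
        } | ForEach-Object Name
    }
    [PSCustomObject]@{ Server = $me.Name; Boundary = $boundary; Peers = @($peerNames) }
}

$peers = Get-ShadowPeer
if ($peers.Peers.Count -eq 0) {
    Write-Warning "$($peers.Server) has no shadow peer in $($peers.Boundary); leaving RejectMessageOnShadowFailure at `$false."
} else {
    # Guaranteed redundancy: accept nothing that is not already shadowed, prefer a
    # peer in another site, and bound the attempts before the message is rejected.
    Set-TransportConfig -RejectMessageOnShadowFailure $true -ShadowMessagePreferenceSetting PreferRemote `
        -MaxRetriesForLocalSiteShadow 2 -MaxRetriesForRemoteSiteShadow 4
    Get-TransportConfig | Format-List RejectMessageOnShadowFailure, ShadowMessagePreferenceSetting
}
```

The trade-off is explicit: with the setting on, a sending system sees a temporary rejection whenever redundancy cannot be achieved and is expected to retry, which is the behaviour you want from an MTA but not something to switch on in a single-server lab.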
Seminar offer!
– Microsoft Exchange Server
– 533: Exchange 2013 / Office 365 Ignite, 20.-22.11.2012
– 10135: Exchange 2010, deployment and administration, 11.-14.12.2012
– 520: MCITP: Enterprise Messaging Administrator 2010 training programme, starting 11.12.2012
Work Smarter, Anywhere.