slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
What's New in Microsoft ® Exchange Server 2010 Service Pack 2 PowerPoint Presentation
Download Presentation
What's New in Microsoft ® Exchange Server 2010 Service Pack 2

Loading in 2 Seconds...

  share
play fullscreen
1 / 32
jaron

What's New in Microsoft ® Exchange Server 2010 Service Pack 2 - PowerPoint PPT Presentation

164 Views
Download Presentation
What's New in Microsoft ® Exchange Server 2010 Service Pack 2
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. UCC206 Principal Technical Writer Microsoft Corporation What's New in Microsoft®Exchange Server 2010Service Pack 2 Scott Schnoll scott.schnoll@microsoft.com

  2. Agenda • Service Pack 2 (SP2) Development • Major new features in SP2 • Outlook Web App (OWA) Mini • Hybrid Configuration Wizard • Address Book Policies • OWA Cross-Site Silent Redirection

  3. Exchange SP2 Development • Scheduled for public release by end of CY 2011 • Private Technology Adoption Program (TAP) currently running • Service packs contain bug fixes AND features • SP2 has ~500 bug fixes and 4 primary new features • Every bug is triaged for risk, cost and applicability • Each new feature gets a Functional Spec, a Development Spec, and a Test Spec, and undergoes a thorough team review

  4. Technology Adoption Program • Exchange has a long history in this area • JDP, RDP, TAP • TAP consists of customers who are prepared to deploy pre-release bits in production • They get support from Microsoft • They get access to a private distribution list, a Wiki with all the latest info, and conference calls with the Exchange team developing the features • They get to provide early feedback, change the product and find bugs

  5. OWA Mini

  6. OWA Mini • This feature was driven by demand from markets where browser phones still rule • Administer using PowerShell • This is a complete re-write, none of the 2003 code was re-used • It is built as a set of OWA forms so it is not a separate application

  7. Managing OWA Mini • Enabled and disabled using Set-OWAMailboxPolicy • Set-OWAMailboxPolicyPolicyName -OWALightEnabled:$True • OWA Mini is effectively an alternative view of OWA, so OWA mailbox policies and segmentation are inherited • Any unsupported features in the policy are secure by default (e.g., disabled for OWA Mini) • Features such as calendar, contacts, etc., can be enabled or disabled on a per policy basis • Will ship in all OWA languages • If a new language is added to OWA, OWA Mini gets it

  8. Hybrid Configuration Wizard

  9. Hybrid Configuration Wizard • EMC-based wizard plus cmdlets for setting up on-premises Exchange and Office 365 to work together – in Hybrid mode • Vastly simpler process than the current SP1 manual experience • What once took ~49 steps, now takes 6 (your mileage may vary) • >80% reduction for the administrator

  10. Address Book Policies

  11. GAL Segmentation • By default in Exchange, the Global Address List contains every mail enabled object • GAL Segmentation means dividing up the GAL and Address Lists • Why would you want to do this? • Legal or compliance reasons – people are not allowed to see each other in the GAL • Optimization reasons – You have a huge GAL but operate in smaller logical units • Hosting reasons – you want to host multiple organizations on one platform and don’t want them seeing each other

  12. GAL Segmentation - History • In the Exchange 2000 timeframe a KB that was released that outlined to how carve up your GAL but we pulled it when HMC was created • For 2003, no such paper, but lots of support cases • For 2007, a new whitepaper was born • For 2010, we decided to engineer the solution into the product fully

  13. GAL Segmentation - History • Based on a combination of methods • Using ACL’s on GAL’s and AL’s (Outlook and Exchange ActiveSync) • Deny at the root level • Allow to a specific AL • Requires security group membership and all ACL’s to be evaluated • MsExchQueryBaseDN (for OWA but not needed since SP1) • Specify per user the base OU the user can search from (this means the OU hierarchy is rigid) • Per-User OAB assignment • Specify per user the OAB the user can access • Relied upon Outlook and Exchange choosing the largest or ‘best’ GAL when there are a few to choose from

  14. GAL Segmentation - History • Using security groups, QBDN’s and per user OAB’s meant creating users with scripts to get the right settings – or things start to go wrong • As we change things in Exchange, things can (and did) start to break • The OU hierarchy was too restrictive for some customers – a user cannot exist in more than one OU

  15. Address Book Policies • Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010 • ABPs work on the principal of direct GAL and Address List assignment rather than allowing or denying access to all available lists • ABPs only apply to users with mailboxes on Exchange 2010 as they plug in to the Address Book Service on the 2010 SP2 CAS role • Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user

  16. Address Book Policies • ABPs work for any client that goes through CAS for directory and; • Opens the address list picker • Tries to resolve a name or an alias • Adds a room resource to a meeting request • Searches the GAL • Searches the directory from Outlook Voice Access • Queries the directory from a mobile device • Views someone’s DL memberships, or views the members of a DL • Yes – if a user in a DL is outside the scope of your ABP, you won’t see them • This prevents GAL mining by surfing up and down the member/memberof properties in some scenarios • This does mean you might be sending to more people than you think you are… and that MailTips might (apparently) not be telling the truth…

  17. ABP Deployment Considerations • Deploying ABPs successfully is all about PLANNING and understanding what they can, and cannot do • ABPs alone do not result in ‘true’ separation – smart users can usually figure out ways to get around them or expose some data • Examples: delivery reports, DL memberships • Don’t try and use ABPs alone to ‘fake’ multi-tenancy, it’s more complex than that • ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources

  18. ABP Deployment Considerations • Use standard, built-in and existing Custom Attributes to represent company/division/class or whatever you want to divide upon • DLs don’t have Company attributes you can use so you can’t filter on those • Custom Attributes are consistent on all mail enabled objects • Build simple AL and GAL filters and group them together into ABP’s • Build OABs based on GALs, not ALs • Make sure a user exists in their own GAL • Make sure the GAL is a superset of the AL’s in an ABP • The GAL is the effective ABP scope – if the GAL is smaller than an AL the user has access to, users will be filtered

  19. Address Book Policies • ABPs cannot prevent anyone directly connecting to AD and bypassing ABP logic • LDAP clients (for example, Outlook Mac/Entourage) will not work with ABPs • You can’t use ABPs if Exchange is installed on a GC as NSPI is provided by Active Directory, not Address Book Service • If you span DLs over ABPs you need to disable Group Management in ECP as ECP uses Get-Group which ignores ABPs • Don’t try and mix and match ABPs and ACLs (unless migrating) or use QBDNs

  20. Migration From ACLs • If you are using an ACL based model today in 2007 you might be able to migrate without too many problems • First create ABPs that mirror your security groups and ACLs • Installing 2010 will result in some downtime as setup must be able to read the Default GAL • As you migrate mailboxes, you need to assign an ABP and remove the QBDN from the user object • You can also remove the OAB setting as that comes from the ABP as well • You will need to test against YOUR environment

  21. ABPs and Office 365 • Making ABPs work in Office 365 is part of our long term plan but it’s not as easy as just putting the new code there; • Tenant admins cannot today create or manage ALs, GALs or OABs so they wouldn’t be able to create very useful ABPs • We would need to allow creation and enforce throttling • Lync and SharePoint have their own directory access methods, and so do not respect ABPs • Either we try to change that, or customers have to accept that • We would also need to add dirsync capability to make the feature easy to manage for hybrid customers

  22. OWA Cross-Site Silent Redirection

  23. OWA Cross-Site Silent Redirection • Pre-Exchange 2010 SP2, if you use OWA on a Client Access server (CAS) in the ‘wrong’ Active Directory site, CAS has a decision to make: it can proxy or redirect the connection to the target site • If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access • If the target site has an ExternalURL we show the user a page with a link to click • The user clicks the link, and logs in again, and gets access • The user has to log in twice • We are removing the need to click the link, which for some scenarios will result in a Single Sign On experience

  24. OWA Cross-Site Silent Redirection • Disabled by default • Out of the box, cross-site manual redirection still occurs • Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication • Is only available for intra-org cross-site redirection events

  25. OWA Cross-Site Silent Redirection • Enabled on Internet-facing CAS, on a per OWA virtual directory basis • Set-OWAVirtualDirectory –Identity “CAS1\owa(default Web site)” –CrossSiteRedirectType Silent • When you enable silent redirection you will be informed that the target CAS must have an ExternalURL that leverages HTTP SSL protocol • When you enable silent redirection, you will receive a warning that single sign-on experience may not be possible if FBA is not enabled

  26. Experience Before and After Cue Applause….

  27. Summary • SP2 includes many bug fixes and four major new features • OWA Mini • Hybrid Configuration Wizard • Address Book Policies • OWA Cross-Site Silent SSO Redirection

  28. Resources • Exchange Team Blog • http://aka.ms/EHLO • Exchange 2010 Documentation Library • http://aka.ms/Ex2010Docs

  29. Feedback Your feedback is very important! Please complete an evaluation form! Thank you!

  30. Questions? • UCC206 • Scott Schnoll • Principal Technical Writer • scott.schnoll@microsoft.com • http://blogs.technet.com/scottschnoll • Twitter: @schnoll • You can ask me questions at the “Ask the Expert” zone: • November 10, 2011 12:30 – 13:30