Damian Scoles | Project Leadership Associates Microsoft Exchange Server MVP
Agenda
o Edge Transport Role
o DLP Enhancements
o MAPI over HTTP
o IP Less DAGs
o EAC Command Logging
o OWA Enhancements
o Miscellaneous
Microsoft Confidential
Edge Transport role in production:
o Deployed in the DMZ (perimeter network)
o Talks directly to the internal Exchange servers (CAS/MBX) through the firewall: mail flow is SMTP (TCP 25) in both directions, and EdgeSync pushes recipient and configuration data from the internal Mailbox servers to the Edge server over secure LDAP (TCP 50636), so only those ports need to be opened inbound from the perimeter
Reduced attack surface
o Reduced set of services
o Reduced set of PowerShell commands
o Standalone server (domain membership is not required); configuration and recipient data live in a local AD LDS instance rather than in Active Directory, so a compromised Edge server does not hold domain credentials
o Provides mail routing as well as message hygiene (anti-spam agents)
No GUI
o No interface like the EAC that the other roles have
o Configurable only via the Exchange Management Shell (PowerShell) on the Edge server itself
DLP Enhancements
o Policy Tips in OWA
o Document Fingerprinting
o Sensitive information types expanded
Policy Tips in OWA
o No longer limited to just Outlook
o Can enforce (warn, block, or allow with exceptions/override) as well as run in test mode
o Seamless user experience: OWA and Outlook behave the same way
(Screenshot: the example policy tip warns on an SSN or bank account number in the message)
Document Fingerprinting
What is fingerprinting? What can we use it for?
o Government forms
o HIPAA forms
o Employee forms (HR)
o Patent forms
o Custom forms (proprietary to your company)
Limitations
o Password-protected files will not work
o Documents that contain only images will not work (there is no text to hash)
How are the documents stored?
o As a hash of the document's text inside an XML rule package; the original document itself is not stored
Source -
Create a document fingerprint from an existing document
− EAC -> Compliance management -> Data loss prevention -> Manage document fingerprints -> Add -> select the document
Create a DLP policy that uses this document fingerprint
o Add a custom rule
o Edit the 'Sensitive information types' condition and select the fingerprint
o Finish the rules you want applied to the policy
The same process can be performed in PowerShell
o Get-Content (read the template file as bytes)
o New-Fingerprint (hash the file content)
o New-DataClassification (register the fingerprint as a sensitive information type that rules can reference)
o New-TransportRule (act on messages that contain it)
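The PowerShell route end to end, as an added example that is not part of the original slides: read a template, fingerprint it, register the fingerprint as a data classification, and reject messages that carry it outside the organization. The file path, the classification name "Patent Application Form" and the rule name are assumptions chosen here; the cmdlets are the Exchange 2013 SP1 ones named on the slide plus New-DataClassification, which is needed to turn the fingerprint into something a rule can reference.

```powershell
# Added example (not from the slides). Run in the Exchange Management Shell
# (Windows PowerShell) on an Exchange 2013 SP1 server.
# Assumptions: template at C:\Templates\PatentApplication.docx; the names
# 'Patent Application Form' and 'Block patent forms leaving org' are chosen here.

# 1. Read the template as raw bytes. -Encoding Byte / -ReadCount 0 is Windows
#    PowerShell syntax; PowerShell 7 would use -AsByteStream instead.
$bytes = Get-Content -Path 'C:\Templates\PatentApplication.docx' -Encoding Byte -ReadCount 0

# 2. Hash the document text into a fingerprint. Only the hash is kept; the
#    template is never copied into the rule package.
$fp = New-Fingerprint -FileData $bytes -Description 'Patent application template'

# 3. Wrap the fingerprint in a data classification so rules can refer to it by name.
New-DataClassification -Name 'Patent Application Form' `
    -Fingerprints $fp `
    -Description 'Documents derived from the internal patent application template'

# 4. Transport rule: reject messages containing the form when sent outside the org.
#    NotifySender RejectMessage also drives the Policy Tip in Outlook/OWA, so the
#    sender is warned before the message is rejected.
New-TransportRule -Name 'Block patent forms leaving org' `
    -MessageContainsDataClassifications @{ Name = 'Patent Application Form' } `
    -SentToScope NotInOrganization `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'Patent application forms may not be sent outside the company.'

# 5. Verify what was created.
Get-DataClassification 'Patent Application Form' | Format-List Name, Fingerprints
Get-TransportRule 'Block patent forms leaving org' |
    Format-List Name, State, MessageContainsDataClassifications, SentToScope
```

Test the rule with a filled-in copy of the template rather than the blank one: the fingerprint matches on the template's fixed text, so a completed form still triggers it, while a message that merely mentions the form's title does not.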
Sensitive information types expanded in Exchange 2013 SP1
More types have been added to DLP:
o Finland National ID
o Poland National ID (PESEL)
o Poland Identity Card
o Poland Passport
o Taiwan National ID
MAPI over HTTP
Replacement for RPC over HTTP (Outlook Anywhere)
o RPC is a legacy protocol with no real updates in a decade
o Designed for LANs, not for communication over the Internet
o RPC is sensitive to interruptions (a network change or resume from sleep forces a full reconnect)
o More information: history of RPC and the reasoning for the HTTP transition
Provides a common communication platform for Exchange communications: HTTP
o ActiveSync
o OWA
o Outlook
Uses POST commands based on HTTP 1.1
No metrics on actual performance yet; still pending from Microsoft.
How to enable this in Exchange?
o Set-MapiVirtualDirectory -Identity "Contoso\mapi (Default Web Site)" -InternalUrl <internal MAPI URL> -IISAuthenticationMethods Negotiate
o Set-OrganizationConfig -MapiHttpEnabled $true
Caveats
o May not be able to access legacy public folders over MAPI over HTTP
o All Exchange 2013 servers must be at Service Pack 1 before the organization-wide switch is turned on
o Clients need Outlook 2013 Service Pack 1; clients that do not support MAPI over HTTP keep using RPC over HTTP, so leave Outlook Anywhere configured
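The enablement steps above as one script, added here as an example and not taken from the slides: it refuses to proceed if any Exchange 2013 server is below SP1, configures every MAPI virtual directory, flips the organization switch, and runs the Managed Availability self-test probe. The namespace mail.contoso.com and server name EX01 are assumptions; the SP1 build number 15.0.847.32 is Microsoft's published build for Exchange 2013 SP1, and the probe identity is the one Microsoft's Test-OutlookConnectivity documentation uses (confirm it on your build with Get-MonitoringItemIdentity).

```powershell
# Added example (not from the slides). Run in the Exchange Management Shell.
# Assumptions: HTTPS namespace mail.contoso.com, server EX01.

# Exchange 2013 SP1 is build 15.0.847.32; every 2013 server must be at least that
# before MapiHttpEnabled is set, otherwise pre-SP1 servers cannot serve the clients
# that switch over.
$sp1 = [version]'15.0.847.32'
$behind = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -eq 15 } |
    Where-Object {
        $v = $_.AdminDisplayVersion
        [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision) -lt $sp1
    }
if ($behind) {
    $behind | ForEach-Object { Write-Warning "$($_.Name) is $($_.AdminDisplayVersion), below SP1" }
    throw 'Upgrade all Exchange 2013 servers to SP1 before enabling MAPI over HTTP.'
}

# Point every MAPI virtual directory at the load-balanced HTTPS namespace.
# Negotiate lets domain-joined clients use Kerberos; NTLM remains the fallback.
Get-MapiVirtualDirectory | Set-MapiVirtualDirectory `
    -InternalUrl 'https://mail.contoso.com/mapi' `
    -ExternalUrl 'https://mail.contoso.com/mapi' `
    -IISAuthenticationMethods Negotiate, NTLM

# Organization-wide switch. Capable Outlook clients move to MAPI over HTTP on their
# next Autodiscover cycle; older clients stay on Outlook Anywhere.
Set-OrganizationConfig -MapiHttpEnabled $true

# Confirm the setting and the per-server directory configuration.
Get-OrganizationConfig | Format-List MapiHttpEnabled
Get-MapiVirtualDirectory -Server EX01 |
    Format-List InternalUrl, ExternalUrl, IISAuthenticationMethods

# Managed Availability self-test probe for the MAPI over HTTP endpoint on one server.
Test-OutlookConnectivity -RunFromServerId EX01 -ProbeIdentity OutlookMapiHttpSelfTestProbe
```

The version check uses the individual Major/Minor/Build/Revision properties of AdminDisplayVersion rather than its string form ("Version 15.0 (Build 847.32)"), which does not cast to [version] directly.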
IP Less DAGs
What is an IP-less DAG? (a DAG whose cluster has no administrative access point)
o The Windows cluster has no IP address: no IP address resource in the cluster core group
o No cluster name: no network name resource in the cluster core group
o No DNS entry for the cluster
o No cluster name object (CNO) is created in Active Directory, so there is no computer account to pre-stage, permission, or defend
o The cluster is manageable with PowerShell, not with the Failover Cluster Manager GUI
o Reduces the attack surface of Exchange 2013: one fewer name, address, and AD object exposed
o Can convert an existing DAG
Requirements
o Windows Server 2012 R2
o Exchange 2013 SP1
** Caveat: "We do not recommend this deployment method for any scenario that requires Kerberos authentication." Without a CNO there is no cluster identity to hold an SPN, so anything that authenticates to the cluster name with Kerberos cannot.
Source -
(Screenshots: the DAG is created with its IP address set to none, and no cluster computer object appears in Active Directory.)
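Creating such a DAG and checking that no CNO exists, as an added example that is not from the slides. The DAG name DAG1, witness server FS01 with directory C:\DAG1, and members EX01 and EX02 are assumptions; the [System.Net.IPAddress]::None value is the documented way to ask New-DatabaseAvailabilityGroup for a cluster without an administrative access point.

```powershell
# Added example (not from the slides). Requires Windows Server 2012 R2 members
# and Exchange 2013 SP1. Assumptions: DAG1, witness FS01 (C:\DAG1), members EX01/EX02.

# [System.Net.IPAddress]::None requests no cluster IP address and no cluster
# network name, and therefore no computer object (CNO) in Active Directory.
# If FS01 is not an Exchange server, the Exchange Trusted Subsystem group must be
# a local administrator on it for the witness share to be created.
New-DatabaseAvailabilityGroup -Name DAG1 `
    -WitnessServer FS01 `
    -WitnessDirectory 'C:\DAG1' `
    -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None)

# Add members; the underlying Windows cluster is formed on the first add.
'EX01', 'EX02' | ForEach-Object {
    Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer $_
}

# Exchange's view: the IP address list is empty, the PAM is one of the nodes.
Get-DatabaseAvailabilityGroup DAG1 -Status |
    Format-List Name, Servers, DatabaseAvailabilityGroupIpAddresses, WitnessServer, PrimaryActiveManager

# AD's view: no computer object was created for the cluster name. Without a CNO
# there is no machine account (and no password) for an attacker to go after.
Import-Module ActiveDirectory
if (Get-ADComputer -Filter "Name -eq 'DAG1'") {
    Write-Warning 'A computer object named DAG1 exists; this is not an IP-less DAG.'
} else {
    Write-Output 'No CNO for DAG1 in Active Directory, as expected.'
}
```

Because the cluster has no name, Failover Cluster Manager cannot connect to it by name; use the Failover Clustering PowerShell module from one of the nodes when cluster-level inspection is needed.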
EAC Command Logging
o Originally in Exchange 2007 and 2010, where the Exchange Management Console exposed the PowerShell behind each wizard; Exchange 2013 SP1 brings it back for the EAC
o What is it? A window, opened from the EAC help (?) menu via "Show Command Logging", that lists the cmdlets and parameters the EAC runs for the actions you take
o Why do we care? It shows exactly what the GUI did, which is what you need to script the same change or to account for it afterwards
o How do I turn it on? From the help (?) menu in the EAC
o What does it actually do?
(Screenshot: actual output of the Command Logging window)
Caveats/Information
o Displays only current actions (the cmdlets run during the current EAC session)
o When the window is closed, previous results are lost
o Up to 500 entries at a time
o Searchable
OWA Enhancements
S/MIME
o Can be enabled on the OWA virtual directory via PowerShell: Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -SMimeEnabled $true
o Requires IE 7+, recommend IE 9+ (see the supported clients list)
Rich Text Editor
o Improvements in the user interface for easier use: copy and paste, better formatting options
Firefox - Offline Mode
o Controlled by Outlook Web App policies (on by default; Set-OwaMailboxPolicy -AllowOfflineOn takes AllComputers, PrivateComputersOnly, or NoComputers, so mail cached in the browser can be restricted to private machines or disabled)
o Offline-supported folders include: Inbox, Drafts, and any folder viewed from the browser in the last week
Miscellaneous
o Loose truncation
o ExBPA in Exchange 2013 SP1
o Windows Server 2012 R2 as a supported OS
o Windows Server 2012 R2 forest/domain functional level
o Enhancements in Managed Availability
o Enhancements in cluster stability (a hotfix that was available for Windows Server 2008 has been released for Windows Server 2012)
o Schema updates: minor changes
o SSL offloading
o Post-SP1 hotfix 'required':
Loose truncation
Prior to Exchange 2013 SP1 there were two options for transaction log truncation:
o Full backup: truncate on backup
o Circular logging: self-truncating
Loose truncation is disabled by default and is enabled per server via registry entries:
o HKLM\Software\Microsoft\ExchangeServer\v15\BackupInformation
  LooseTruncation_MinCopiesToProtect
  LooseTruncation_MinDiskFreeSpaceThresholdInMB
  LooseTruncation_MinLogsToProtect
Purpose
o Prevent disks from running out of space (e.g. while a copy is offline during a maintenance window and logs pile up on the others)
o Keeps only the logs that are still needed: logs not yet replicated to the protected number of copies stay, the rest may go once free space drops below the threshold
o Ignores the copy that is farthest out of sync when deciding what can be truncated
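Setting those registry values on a DAG member, as an added example that is not from the slides. The key path and value names are the ones listed above; the numbers used (protect 2 copies, trigger below 200 GB free, keep at least 100,000 logs) are example choices made here, and the script is written for Windows PowerShell run as an administrator on the Mailbox server.

```powershell
# Added example (not from the slides). Run elevated on each Mailbox server where
# loose truncation should apply. Values below are example choices, not defaults.

$key = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\BackupInformation'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$settings = @{
    # Number of copies whose unreplicated logs are protected. A non-zero value
    # is what switches the feature on.
    LooseTruncation_MinCopiesToProtect            = 2
    # Free space (MB) below which loose truncation starts: 200 GB here.
    LooseTruncation_MinDiskFreeSpaceThresholdInMB = 204800
    # Minimum number of logs kept even when space is low.
    LooseTruncation_MinLogsToProtect              = 100000
}

foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
}

# Show what is now configured on this server.
Get-ItemProperty -Path $key | Select-Object LooseTruncation_*

# The Microsoft Exchange Replication service reads these values, so restart it
# (this does not take databases offline, but do it one DAG member at a time).
Restart-Service MSExchangeRepl
```

Keep the threshold well above the space a single maintenance window can consume; loose truncation is a safety valve against a full log volume (which dismounts the database), not a replacement for backups or monitoring of copy queue lengths.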
ExBPA in Exchange 2013 SP1
o No longer requires an Office 365 tenant to download
o Does not run on an Edge Transport server
o Only gives results for one server at a time
o Can be run from a non-Exchange server
SOURCE:
Post-SP1 hotfix
− "After you install Microsoft Exchange Server 2013 Service Pack 1 (SP1) or you upgrade an existing Microsoft Exchange Server 2013 installation to Exchange Server 2013 SP1, third-party or custom-developed transport agents cannot be installed correctly. Additionally, the Microsoft Exchange Transport service (MSExchangeTransport.exe) cannot start automatically. Specifically, you cannot enable third-party products that rely on transport agents. For example, you cannot enable anti-malware software or custom-developed transport agents. When the installation fails, you also receive an error message that resembles the following:
The TransportAgentFactory type must be the Microsoft.NET class type of the transport agent factory."
Why does this happen?
− "This problem occurs because the global assembly cache (GAC) policy configuration files contain invalid XML code."
So what does this mean?
Q & A Damian Scoles | Project Leadership Associates Microsoft Exchange Server MVP