Module 4 Planning and Deploying Client Access Services in Microsoft® Exchange Server 2010

Upload: martin-york

Post on 16-Jan-2016


Page 1: Module 4 Planning and Deploying Client Access Services in Microsoft® Exchange Server 2010

Module 4

Planning and Deploying Client Access Services in Microsoft® Exchange Server 2010

Page 2

Module Overview

• Overview of the Client Access Server Role

• Designing Client Access Server Deployment

• Designing Client Access

• Designing Client Access Policies

Page 3

Lesson 1: Overview of the Client Access Server Role

• Client Access Business Requirements

• Client Access Server Services

• How RPC Client Access Service Works

• How Client Access Service Works with Multiple Sites

• Requirements for Accessing the Client Access Server from the Internet

Page 4

Client Access Business Requirements

• Number and types of clients

• Client usage profiles

• Client locations

• Security requirements

• Availability requirements

• Performance requirements

Page 5

Client Access Server Services

Client Access server options:

• Outlook (MAPI)

• Outlook Anywhere (HTTPS)

• Outlook Web App

• Exchange ActiveSync

• POP3

• IMAP4

• Entourage 2008, Web Services Edition

Client Access server services:

• RPC Client Access Service

• Autodiscover

• Availability

• Address Book

• Exchange Web Services

• MailTips

• Exchange Control Panel

Page 6

How RPC Client Access Service Works

RPC Client Access Service is a new service in Exchange Server 2010 that resides on the Client Access server

With RPC Client Access Service:

• Outlook data connections go to the Client Access server instead of connecting directly to Mailbox servers

• The DSProxy interface is replaced by an Address Book service on the Client Access server

• Public folder connections still connect directly to the Mailbox server

[Diagram: Outlook client connecting to the Client Access server, which in turn connects to the Mailbox server and the domain controller]

Page 7

How Client Access Service Works with Multiple Sites

[Diagram: two topologies. Multiple Internet access points: the client request arrives at a Client Access server in one site and is redirected to the Client Access server in the site that holds the mailbox. Single Internet access point: the Internet-facing Client Access server proxies the request to the Client Access server in the mailbox site. Clients reach Client Access servers over HTTPS, IMAP4 and POP3; Client Access servers reach Mailbox servers over MAPI/RPC and query domain controllers.]

• Proxying is used for Outlook Web App, Exchange ActiveSync, Exchange Web Services, POP3 and IMAP4

• Redirection is used for Outlook Web App (and, for devices that support it, Exchange ActiveSync through an HTTP 451 response when the target site's virtual directory has an external URL); Outlook Anywhere is never redirected

• Redirection requires that the external URL of the target virtual directory is set; if it is not, the request is proxied instead

Page 8

Requirements for Accessing the Client Access Server from the Internet

• Client Access server must be accessible using the client access protocols

• Client Access virtual directories must be configured with an external URL

• External names must be available in DNS

• Split DNS may be required

• SSL certificate with multiple subject alternative names is recommended

• Autodiscover should be available for Outlook Anywhere and Exchange ActiveSync clients

Page 9

Lesson 2: Designing Client Access Server Deployment

• Designing Client Access Server Hardware Requirements

• Client Access Server Security

• Designing Client Access Server Certificates

• Designing Autodiscover

• Designing the Availability Service

• Designing MailTips

• Designing Client Throttling

• Designing Client Access Services with Multiple Namespaces

Page 10

Designing Client Access Server Hardware Requirements

Component          Recommendation
Processor cores    2 cores minimum, 12 cores maximum
RAM                2 GB of RAM per processor core (8 GB minimum)
Hard disk          Not hard disk intensive
Network            Teamed 1 Gbps network cards; fast network connections to Mailbox servers and global catalog servers

Sizing ratio: in each Active Directory site, deploy three Client Access server processor cores for every four Mailbox server processor cores

Page 11

Client Access Server Security

To secure a Client Access server:

Install server certificates and require SSL on every client-facing virtual directory

Configure authentication settings per virtual directory (Basic authentication sends the password in a reversible encoding and is acceptable only inside SSL):

• Integrated Windows authentication

• Digest authentication

• Basic authentication

• Forms-based authentication (Outlook Web App and Exchange Control Panel)

Protect the server with an application layer firewall or reverse proxy that pre-authenticates Internet connections
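The following Exchange Management Shell script shows what "require SSL" and "review the authentication settings" look like in practice. It is an added example, not material from the module: it assumes Windows Server 2008 R2 (for the WebAdministration module), the server name VAN-EX1 from the lab scenario, and the default virtual directory names that Exchange 2010 setup creates.

```powershell
# Added example: audit SSL enforcement and authentication methods on the
# client-facing virtual directories of an Exchange 2010 Client Access server.
# Assumed: Windows Server 2008 R2 (WebAdministration module), server VAN-EX1,
# default virtual directory names under "Default Web Site".
Import-Module WebAdministration
$server = 'VAN-EX1'
$site   = 'IIS:\Sites\Default Web Site'

function Get-VdirSslStatus {
    # One object per virtual directory with its IIS sslFlags value.
    # "Ssl" in the flags means HTTPS is required; "None" means plain HTTP is accepted.
    param([string[]]$Names = @('owa','ecp','EWS','Microsoft-Server-ActiveSync','Autodiscover','OAB','Rpc'))
    foreach ($name in $Names) {
        $access = Get-WebConfiguration -PSPath "$site\$name" -Filter 'system.webServer/security/access'
        $flags  = [string]$access.sslFlags
        New-Object PSObject -Property @{
            VirtualDirectory = $name
            SslFlags         = $flags
            RequiresSsl      = ($flags -match 'Ssl')
        }
    }
}

function Set-VdirRequireSsl {
    # Force "Require SSL" on one virtual directory; Ssl128 also demands 128-bit ciphers.
    param([string]$Name)
    Set-WebConfigurationProperty -PSPath "$site\$Name" -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl,Ssl128'
}

# 1. Report anything that still answers over plain HTTP.
Get-VdirSslStatus | Where-Object { -not $_.RequiresSsl } | Format-Table VirtualDirectory, SslFlags -AutoSize

# 2. Enforce SSL wherever a client authenticates. Rpc is left alone here: Outlook
#    Anywhere already requires SSL and Enable-OutlookAnywhere manages its settings.
Get-VdirSslStatus | Where-Object { -not $_.RequiresSsl -and $_.VirtualDirectory -ne 'Rpc' } |
    ForEach-Object { Set-VdirRequireSsl -Name $_.VirtualDirectory }

# 3. Review which authentication methods each directory accepts. Basic sends the
#    password Base64-encoded, so it is only acceptable inside SSL; forms-based (OWA/ECP)
#    and Integrated Windows authentication avoid that exposure on the wire.
Get-OwaVirtualDirectory          -Server $server | Format-List Identity, FormsAuthentication, BasicAuthentication, DigestAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory          -Server $server | Format-List Identity, FormsAuthentication, BasicAuthentication, DigestAuthentication, WindowsAuthentication
Get-WebServicesVirtualDirectory  -Server $server | Format-List Identity, BasicAuthentication, DigestAuthentication, WindowsAuthentication
Get-ActiveSyncVirtualDirectory   -Server $server | Format-List Identity, BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth
Get-AutodiscoverVirtualDirectory -Server $server | Format-List Identity, BasicAuthentication, DigestAuthentication, WindowsAuthentication
```

Run step 1 before and after step 2; a virtual directory that reports "None" on an Internet-facing server is the finding to chase, because Basic credentials sent to it cross the network unprotected. The authentication listing in step 3 is read-only; the per-protocol changes belong with the Outlook Anywhere, OWA/ECP and ActiveSync design decisions later in the module.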

Page 12

Designing Client Access Server Certificates

• Use certificates to encrypt all client traffic

• Use multiple subject alternative names in the certificate to simplify deployment

• Use as few server names as possible

• Avoid using wildcard certificates

• Use public CAs to simplify the user experience

• Use the same certificates for Client Access servers and reverse proxies
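The certificate guidance above, carried through as an added Exchange Management Shell example (not the module's own code): the server VAN-EX1 and the names mail.adatum.com and autodiscover.adatum.com come from the lab scenario; legacy.adatum.com (for Exchange 2003 coexistence), the organization name, the key size and the paths under C:\certs are assumptions.

```powershell
# Added example: request, install and bind a subject-alternative-name certificate on an
# Exchange 2010 Client Access server, then export it for the reverse proxy.
# Assumed: server VAN-EX1; names mail.adatum.com, autodiscover.adatum.com,
# legacy.adatum.com; files under C:\certs.
$server = 'VAN-EX1'

# 1. Generate the request. The CN is the primary name; every other name clients will
#    connect to goes in -DomainName (the SAN extension). Keep the list short: each name
#    is one more entry in DNS, on the proxy and on every renewal.
$request = New-ExchangeCertificate -Server $server -GenerateRequest -PrivateKeyExportable $true `
    -KeySize 2048 `
    -SubjectName 'CN=mail.adatum.com, O=A. Datum Corporation, C=CA' `
    -DomainName 'mail.adatum.com','autodiscover.adatum.com','legacy.adatum.com'
Set-Content -Path 'C:\certs\adatum-cas.req' -Value $request
# Submit C:\certs\adatum-cas.req to the public CA and save the issued certificate as
# C:\certs\adatum-cas.cer before continuing.

# 2. Import the issued certificate; it pairs with the private key created in step 1.
$bytes = [byte[]](Get-Content -Path 'C:\certs\adatum-cas.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes

# 3. Bind it to the services that present it. IIS covers OWA, ECP, EWS, ActiveSync,
#    OAB, Autodiscover and Outlook Anywhere; POP and IMAP use it for TLS.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP'

# 4. Check the result: names, expiry, and that no self-signed certificate is still
#    bound to IIS (the one setup creates is not trusted by any client).
Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 5. Export with the private key so the reverse proxy presents the same certificate.
#    The .pfx now holds the private key: protect it like a key file and delete it from
#    disk once it is imported on the proxy.
$pfx = Export-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password (Read-Host -AsSecureString -Prompt 'PFX password')
Set-Content -Path 'C:\certs\adatum-cas.pfx' -Value $pfx.FileData -Encoding Byte
```

Two of the slide's points translate directly into the script: the SAN list is where "use as few server names as possible" is enforced, and step 5 is how the same certificate ends up on the reverse proxy. On wildcards, the practical reason to avoid them is that some mobile devices and older Outlook Anywhere clients reject a wildcard name, and a single private key then covers every host in the domain, so one compromise exposes all of them.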

Page 13

Designing Autodiscover

• Consider modifying the Internal URL to use a single host name for multiple Client Access servers

• Consider using site affinity for multiple locations

• Configure DNS records to enable Autodiscover access from the Internet

• Configure external host names for all required virtual directories

• Ensure that the Autodiscover virtual directory is accessible for Internet clients
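The Internet access requirements (Page 8) and the Autodiscover design points above come together in the following Exchange Management Shell script. It is an added example, not part of the module: the server VAN-EX1 and the names mail.adatum.com and autodiscover.adatum.com are taken from the lab scenario; the Active Directory site name Vancouver and the test mailbox jane@adatum.com are assumptions.

```powershell
# Added example: publish one external namespace on an Exchange 2010 Client Access
# server and point Autodiscover at a single shared internal name.
# Assumed: server VAN-EX1, names mail.adatum.com and autodiscover.adatum.com,
# Active Directory site "Vancouver", test mailbox jane@adatum.com.
$server   = 'VAN-EX1'
$external = 'https://mail.adatum.com'

# 1. One external host name on every client-facing virtual directory. Outlook Anywhere,
#    ActiveSync and OWA clients learn these URLs through Autodiscover, so the name must
#    resolve in external DNS (and in internal DNS as well when split DNS is used).
#    The Outlook Anywhere (Rpc) host name is set with Enable-OutlookAnywhere, not here.
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -ExternalUrl "$external/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -ExternalUrl "$external/ecp"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalUrl "$external/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -ExternalUrl "$external/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -ExternalUrl "$external/OAB"

# 2. Autodiscover for domain-joined Outlook: the service connection point (SCP) in
#    Active Directory advertises AutoDiscoverServiceInternalUri. Using one shared host
#    name instead of each server's FQDN keeps the value, and the certificate name, the
#    same on every Client Access server. AutoDiscoverSiteScope gives clients in the
#    listed sites affinity to this server's SCP (site affinity for multiple locations).
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.adatum.com/Autodiscover/Autodiscover.xml' `
    -AutoDiscoverSiteScope 'Vancouver'

# 3. Internet clients have no SCP. They try https://adatum.com/Autodiscover/Autodiscover.xml
#    and then https://autodiscover.adatum.com/Autodiscover/Autodiscover.xml, so
#    autodiscover.adatum.com needs a public A record and must be a SAN on the certificate.
#    (DNS records are created outside Exchange; nothing to run here.)

# 4. Verification: the resulting URLs, then an end-to-end Autodiscover test.
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope
Get-OwaVirtualDirectory         -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory  -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity 'jane@adatum.com'   # assumed test mailbox
```

Test-OutlookWebServices reports a result per service (Autodiscover, EWS, OAB, UM) for the given address; a failure on a URL whose host name is not on the certificate is the usual sign of a missing SAN or a DNS name that still points at the server FQDN.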

Page 14

Designing the Availability Service

• Consider legacy client support for Availability data

• Consider cross-forest availability lookups

• Synchronize GAL

• Configure Autodiscover

• Validate certificates
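Cross-forest availability, as an added example rather than the module's own material. It assumes a forest trust between adatum.com (the local forest, from the lab scenario) and a partner forest contoso.com, a GAL synchronization that already creates contacts for the other forest's users, a domain controller dc1.adatum.com, and the mailbox jane@adatum.com; the commands are the Exchange 2010 cmdlets for this scenario.

```powershell
# Added example: let adatum.com users see free/busy for contoso.com mailboxes.
# Assumed: forest trust adatum.com <-> contoso.com, GAL sync already in place,
# dc1.adatum.com is a domain controller in the local forest, mailbox jane@adatum.com.

# --- Run in the remote forest (contoso.com) on an Exchange 2010 server ---
# 1. Allow adatum.com's Exchange servers to request free/busy on behalf of their users
#    (per-user detail rather than organization-wide free/busy).
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight `
    -ExtendedRights 'ms-Exch-EPI-Token-Serialization' -User 'ADATUM\Exchange Servers'

# 2. Publish contoso.com's Autodiscover service connection point into the adatum.com
#    forest so adatum.com Client Access servers can locate contoso.com's Availability
#    service. MultipleExchangeDeployments is for forests that also run Exchange 2003.
Export-AutoDiscoverConfig -TargetForestDomainController 'dc1.adatum.com' `
    -TargetForestCredential (Get-Credential 'ADATUM\Administrator') `
    -MultipleExchangeDeployments $true

# --- Run in the local forest (adatum.com) ---
# 3. Tell the Availability service which SMTP domain lives in which forest and how to
#    authenticate: PerUserFB with the service account rides on the trust from step 1.
Add-AvailabilityAddressSpace -ForestName 'contoso.com' -AccessMethod PerUserFB -UseServiceAccount $true

# Untrusted forests instead: organization-wide free/busy only, with an explicit account
# that contoso.com has configured with Set-AvailabilityConfig -OrgWideAccount.
# Add-AvailabilityAddressSpace -ForestName 'contoso.com' -AccessMethod OrgWideFB -Credentials (Get-Credential)

# 4. Validate the address space, and that adatum.com servers trust the certificate
#    contoso.com presents on its Autodiscover and EWS URLs (public CA or an imported
#    root); an untrusted certificate makes the lookup fail silently for users.
Get-AvailabilityAddressSpace | Format-List ForestName, AccessMethod, UseServiceAccount
Test-OutlookWebServices -Identity 'jane@adatum.com'   # assumed; exercises Autodiscover/EWS on the local side
```

The order matters: the permission (step 1) and the SCP export (step 2) are done in the forest that owns the free/busy data, and the address space (step 3) in the forest whose users ask for it. The GAL synchronization the slide lists is what makes the contoso.com users resolvable in the first place; without it there is nothing to look up.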

Page 15

Designing MailTips

The Client Access server

• Compiles and sends MailTips to the client

• Uses Active Directory information, recipient mailbox information, and local group metrics to compile MailTips

The process for compiling MailTips is optimized to avoid performance degradation

To optimize MailTips:

• Verify that the group metrics calculation is running on the Mailbox servers

• Ensure that Client Access servers have fast connections to global catalog servers and Mailbox servers

• Be aware of limitations for accessing MailTips between sites

Page 16

Designing Client Throttling

Throttling policies define the Client Access server capacity that a user can use

To design client throttling:

• Monitor the Client Access servers to identify bottlenecks

• Review the default throttling policy settings

• Plan for client throttling based on client access protocols

To implement client throttling:

• Configure custom throttling policies

• Assign the policies to user accounts

• Implement policies incrementally, and monitor results
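The design and implementation steps above, as an added Exchange Management Shell example (not the module's own code). The policy name SalesMobile, the distribution group "Sales Mobile Pilot", the mailbox jane and the limit values are assumptions chosen to illustrate the cmdlets.

```powershell
# Added example: review the default Exchange 2010 throttling policy, create a custom
# one, and roll it out to a pilot group before widening it.
# Assumed names: policy SalesMobile, group "Sales Mobile Pilot", mailbox jane.

# 1. What the built-in default policy allows per user ($null means unlimited).
Get-ThrottlingPolicy | Where-Object { $_.IsDefault } |
    Format-List Name, RCAMaxConcurrency, OWAMaxConcurrency, EASMaxConcurrency, EASMaxDevices,
                EWSMaxConcurrency, POPMaxConcurrency, IMAPMaxConcurrency,
                MessageRateLimit, RecipientRateLimit

# 2. A custom policy for a population that legitimately holds more connections open
#    (several mobile devices plus an EWS-based add-in), with an explicit ceiling on SMTP
#    submissions so that a compromised account cannot be turned into a spam relay.
New-ThrottlingPolicy -Name 'SalesMobile' `
    -EASMaxConcurrency 20 -EASMaxDevices 20 `
    -EWSMaxConcurrency 20 `
    -RCAMaxConcurrency 40 `
    -MessageRateLimit 60 -RecipientRateLimit 500

# 3. Assign incrementally: the pilot group first. The change is per mailbox and is
#    reversed by clearing the policy (the default then applies again).
Get-DistributionGroupMember -Identity 'Sales Mobile Pilot' |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -ThrottlingPolicy 'SalesMobile' }

# 4. Confirm the assignment for one pilot user, then monitor the Client Access servers
#    (CPU, RPC latency, per-protocol connection counts) before extending the rollout.
Get-Mailbox -Identity 'jane' | Format-List Name, ThrottlingPolicy

# Roll back a single user:
# Set-Mailbox -Identity 'jane' -ThrottlingPolicy $null
```

Raising concurrency limits should always be paired with the bottleneck monitoring the slide calls for; a policy that lets a few users hold 40 RPC connections each is safe only if the server's measured headroom says so. The message and recipient rate limits work the other way round, and are the one knob worth tightening rather than loosening for accounts that are exposed to the Internet.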

Page 17

Designing Client Access Services with Multiple Namespaces

Multiple namespace support may be required when:

• An organization uses multiple SMTP domains

• An organization includes multiple Active Directory trees or forests

To support multiple namespaces:

• Configure SCP records in all forests for Autodiscover

• Configure host name and Autodiscover DNS records for each domain name

• Include all domain names in the certificate subject alternative names

• Consider configuring separate Web sites for each domain

Page 18

Lesson 3: Designing Client Access

• Designing MAPI Client Access

• Designing Outlook Anywhere Access

• Designing Outlook Web App and Exchange Control Panel

• Designing Exchange ActiveSync Access

• Designing POP3 and IMAP4 Access

• Designing Firewalls and Reverse Proxies for Client Access

Page 19

Designing MAPI Client Access

Options for configuring MAPI client access

• Disable all MAPI client connections

• Enable MAPI connections based on client versions

• Disable MAPI connections by user

Page 20

Designing Outlook Anywhere Access

To configure Outlook Anywhere access:

• Configure Autodiscover to provide necessary URLs

• Remember that Redirection is not supported

• Enable Outlook Anywhere on at least one Client Access server per site

• Plan certificate settings carefully

• Configure firewall settings
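The MAPI access options (Page 19) and the Outlook Anywhere steps above, as one added Exchange Management Shell example that is not part of the module. The server VAN-EX1 and the external name mail.adatum.com come from the lab scenario; the mailboxes contractor1, kiosk1 and jane are assumptions.

```powershell
# Added example: restrict direct MAPI (RPC over TCP) access on an Exchange 2010 Client
# Access server and publish Outlook Anywhere (RPC over HTTPS).
# Assumed: server VAN-EX1, external name mail.adatum.com, mailboxes contractor1,
# kiosk1 and jane.
$server = 'VAN-EX1'

# 1. Server-wide MAPI policy. EncryptionRequired rejects Outlook profiles that have RPC
#    encryption switched off. BlockedClientVersions takes semicolon-separated version
#    ranges; this one blocks everything up to Outlook 2003 (major version 11). The 6.x
#    range is deliberately left open: Exchange's own MAPI components identify
#    themselves as 6.x, and blocking them breaks server-side functionality.
Set-RpcClientAccess -Server $server -EncryptionRequired $true `
    -BlockedClientVersions '-5.9.9;7.0.0-11.9.9'

# 2. Per-user MAPI controls, one per case the slide lists.
Set-CASMailbox -Identity 'contractor1' -MAPIEnabled $false               # no Outlook at all
Set-CASMailbox -Identity 'kiosk1'      -MAPIBlockOutlookRpcHttp $true    # Outlook on the LAN only, never over HTTPS
Set-CASMailbox -Identity 'jane' -MAPIBlockOutlookVersions '-5.9.9;7.0.0-11.9.9' `
                                -MAPIBlockOutlookNonCachedMode $true     # current Outlook, cached mode only

# 3. Publish Outlook Anywhere. Basic client authentication works through any reverse
#    proxy and is protected by SSL; NTLM keeps the password off the wire but the proxy
#    must pass it through unchanged. SSLOffloading stays $false unless the proxy really
#    terminates SSL, which then leaves the proxy-to-server leg in clear text.
Enable-OutlookAnywhere -Server $server -ExternalHostname 'mail.adatum.com' `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 4. Verify.
Get-RpcClientAccess -Server $server | Format-List Server, EncryptionRequired, BlockedClientVersions
Get-OutlookAnywhere -Server $server | Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading
Get-CASMailbox -Identity 'jane' | Format-List MAPIEnabled, MAPIBlockOutlookVersions, MAPIBlockOutlookNonCachedMode, MAPIBlockOutlookRpcHttp
```

Outlook Anywhere needs the external host name on the certificate and port 443 open from the reverse proxy to the Client Access server; since it is never redirected, every site that hosts mailboxes for external users needs at least one server with it enabled, as the slide says. The end-to-end check is Test-OutlookConnectivity with -Protocol HTTP, which needs the test mailbox created by the New-TestCasConnectivityUser.ps1 script in the Exchange Scripts folder.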

Page 21

Designing Outlook Web App and Exchange Control Panel

When designing Outlook Web App and Exchange Control Panel, plan the following:

Authentication

Virtual directory segmentation settings

Advanced security options

Consider modifying the Outlook Web App virtual directories:

• Simplify the URL

• Redirect requests

• Create a new virtual directory

Ensure that the Exchange Control Panel virtual directory settings match the Outlook Web App virtual directory settings
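An added Exchange Management Shell example (not the module's own code) of the authentication, segmentation and "keep ECP matching OWA" points above. The names VAN-EX1, van-ex1.adatum.com and mail.adatum.com come from the lab; the default domain adatum.com and the specific settings chosen are assumptions.

```powershell
# Added example: configure the OWA and ECP virtual directories on an Exchange 2010
# Client Access server and check that their authentication settings agree.
# Assumed: server VAN-EX1, internal name van-ex1.adatum.com, external name
# mail.adatum.com, default logon domain adatum.com.
$server = 'VAN-EX1'

# 1. OWA: forms-based authentication for browsers (Basic underneath it, so SSL is
#    mandatory), no Integrated Windows authentication on an Internet-facing directory,
#    and a user-name-only logon form so users do not have to know the domain.
#    Segmentation for public computers: no direct attachment download; WebReady
#    viewing renders documents as HTML instead, and is tried first.
Get-OwaVirtualDirectory -Server $server | Set-OwaVirtualDirectory `
    -InternalUrl 'https://van-ex1.adatum.com/owa' -ExternalUrl 'https://mail.adatum.com/owa' `
    -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false `
    -LogonFormat UserName -DefaultDomain 'adatum.com' `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true

# 2. ECP shares the OWA logon session. If its authentication settings differ, users get
#    a second logon prompt or an error when they open Options.
Get-EcpVirtualDirectory -Server $server | Set-EcpVirtualDirectory `
    -InternalUrl 'https://van-ex1.adatum.com/ecp' -ExternalUrl 'https://mail.adatum.com/ecp' `
    -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false

function Test-OwaEcpParity {
    # $true when the authentication settings of /owa and /ecp on one server agree;
    # otherwise warns with the names of the properties that differ.
    param([string]$ServerName)
    $owa = Get-OwaVirtualDirectory -Server $ServerName
    $ecp = Get-EcpVirtualDirectory -Server $ServerName
    $props = 'FormsAuthentication','BasicAuthentication','WindowsAuthentication','DigestAuthentication'
    $mismatch = $props | Where-Object { $owa.$_ -ne $ecp.$_ }
    if ($mismatch) { Write-Warning ('OWA/ECP mismatch on: ' + ($mismatch -join ', ')) }
    return (-not $mismatch)
}
Test-OwaEcpParity -ServerName $server

# 3. Authentication changes take effect after the application pools restart.
Import-Module WebAdministration
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool
```

Test-OwaEcpParity is the check to keep in a build script, because the mismatch is easy to introduce later: an administrator who changes OWA to Integrated Windows authentication for an internal-only server and forgets ECP gets exactly the Options failure described in the comment.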

Page 22

Designing Exchange ActiveSync Access

To configure Exchange ActiveSync access:

• Configure Autodiscover to enable automatic client configuration

• Require SSL on the Microsoft-Server-ActiveSync virtual directory

• Consider requiring certificates on mobile devices

• Implement Exchange ActiveSync policies

• Configure firewall settings to support Direct Push

• Consider data plans when configuring client settings

Page 23

Designing POP3 and IMAP4 Access

Identify the business requirements for POP3 and IMAP4

Plan an SMTP delivery option for POP3 and IMAP4 clients to send e-mail

Plan for secure authentication

Consider implementing TLS

Plan client connection and retrieval settings
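The POP3/IMAP4 planning points above, as an added Exchange Management Shell example that is not part of the module. It assumes VAN-EX1 (from the lab) holds both the Client Access and the Hub Transport roles, that a certificate with the subject name mail.adatum.com is already enabled for POP and IMAP, and the mailbox jane.

```powershell
# Added example: secure POP3/IMAP4 on an Exchange 2010 Client Access server and check
# the SMTP submission connector those clients send through.
# Assumed: VAN-EX1 is Client Access + Hub Transport; certificate subject
# mail.adatum.com already enabled for POP and IMAP; mailbox jane.
$server = 'VAN-EX1'

# 1. Only allow logons over TLS. SecureLogin refuses AUTH on a plain connection, so a
#    client cannot leak its password by misconfiguration. 995/993 are implicit TLS;
#    110/143 accept STARTTLS, and with SecureLogin no credentials before it.
#    Protocol logging records who connected from where, which is what you want when
#    a password is later found in a credential dump.
Set-PopSettings  -Server $server -LoginType SecureLogin -X509CertificateName 'mail.adatum.com' `
    -SSLBindings '0.0.0.0:995' -UnencryptedOrTLSBindings '0.0.0.0:110' -ProtocolLogEnabled $true
Set-ImapSettings -Server $server -LoginType SecureLogin -X509CertificateName 'mail.adatum.com' `
    -SSLBindings '0.0.0.0:993' -UnencryptedOrTLSBindings '0.0.0.0:143' -ProtocolLogEnabled $true

# 2. The services are disabled by default. Make them automatic, and restart after any
#    settings change, because the settings are read at service start.
foreach ($svc in 'MSExchangePOP3','MSExchangeIMAP4') {
    Set-Service -Name $svc -StartupType Automatic
    Restart-Service -Name $svc
}

# 3. Outbound mail: POP/IMAP clients submit over SMTP. The default "Client <server>"
#    receive connector on the Hub Transport server listens on 587 and requires TLS
#    before Basic authentication. Confirm that, and that no anonymous relay is granted.
Get-ReceiveConnector -Server $server | Where-Object { $_.Bindings -match ':587$' } |
    Format-List Name, Bindings, AuthMechanism, PermissionGroups

# 4. Expose the protocols only to mailboxes that need them (both are on by default).
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, PopEnabled, ImapEnabled
Set-CASMailbox -Identity 'jane' -PopEnabled $false -ImapEnabled $true

# 5. Verify the listener settings.
Get-PopSettings  -Server $server | Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
Get-ImapSettings -Server $server | Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
```

Step 4 is the part most often skipped: POP and IMAP are enabled on every mailbox by default, so once the services run, every user's password works against them from the Internet. Disabling the protocols for everyone who does not need them shrinks the password-guessing surface more than any listener setting does.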

Page 24

Designing Firewalls and Reverse Proxies for Client Access

• Enable access on only required client access ports

• Deploying Client Access servers in a perimeter network is not supported

• Consider using a reverse proxy to secure connections to the Client Access server

• Verify that reverse proxy supports certificates with multiple subject alternative names

Forefront Threat Management Gateway or Forefront Unified Access Gateway are the recommended reverse proxy solutions for Exchange 2010 Client Access servers

Page 25

Lesson 4: Designing Client Access Policies

• Designing Outlook Web App Mailbox Policies

• Options for Managing Mobile Devices

• Designing Exchange ActiveSync Policies

• Designing Mobile Device Remote Wipe Policies

Page 26

Designing Outlook Web App Mailbox Policies

Identify the business requirements for Outlook Web App mailbox policies

Modify the virtual directory settings to address the requirements for most users

Modify the default Outlook Web App mailbox policy, and apply to users

If required, create new Outlook Web App mailbox policies, and apply to users
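The four steps above as an added Exchange Management Shell example (not the module's own code). The policy name "Sales Policy" and the Sales OU are taken from the lab review question; the server VAN-EX1 is from the lab scenario; the OU path adatum.com/Sales, the mailbox jane and the specific restrictions are assumptions.

```powershell
# Added example: an Outlook Web App mailbox policy for the Sales OU on top of the
# virtual-directory defaults. Assumed: server VAN-EX1, policy "Sales Policy",
# OU adatum.com/Sales, mailbox jane.

# 1. The virtual-directory settings apply to everyone without a mailbox policy, so
#    review them first; a mailbox policy overrides them for the users it is assigned to.
Get-OwaVirtualDirectory -Server 'VAN-EX1' |
    Format-List Identity, DirectFileAccessOnPublicComputersEnabled, WebReadyDocumentViewingOnPublicComputersEnabled, ChangePasswordEnabled
Get-OwaMailboxPolicy | Format-Table Name -AutoSize

# 2. A stricter policy for a population that handles customer data: no attachment
#    download on public computers (WebReady HTML rendering only), no instant messaging
#    or text messaging from OWA, and no Recover Deleted Items from the browser.
New-OwaMailboxPolicy -Name 'Sales Policy'
Set-OwaMailboxPolicy -Identity 'Sales Policy' `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -InstantMessagingEnabled $false `
    -TextMessagingEnabled $false `
    -RecoverDeletedItemsEnabled $false

# 3. Assign it to every mailbox in the Sales OU (the shape of the lab review question).
Get-User -OrganizationalUnit 'adatum.com/Sales' -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy 'Sales Policy'

# 4. Verify one user. OwaMailboxPolicy empty means the virtual-directory settings apply.
Get-CASMailbox -Identity 'jane' | Format-List Name, OWAEnabled, OwaMailboxPolicy
```

Because assignment is per mailbox, new accounts created in the Sales OU later do not pick the policy up automatically; the step-3 command belongs in the provisioning script, or in a scheduled task that reconciles OU membership against OwaMailboxPolicy.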

Page 27

Options for Managing Mobile Devices

Options for managing mobile devices include:

• Setting security restrictions on a mobile device by applying an Exchange ActiveSync policy to a user mailbox

• Using the Exchange Server management tools to:

  • View a list of all mobile devices in use

  • Send a remote wipe command to a mobile device

  • Delete an unused partnership between devices and mailboxes

• Securing the connection from mobile devices to the Client Access server

• Managing which types of devices are allowed to connect to the Client Access server

• Managing Exchange ActiveSync access for individual mailboxes

Consider implementing System Center Mobile Device Manager 2008 to manage mobile devices using Active Directory policies

Page 28

Designing Exchange ActiveSync Policies

Exchange ActiveSync policy options include:

• Password complexity requirements, password length, password expiration, and time-out value before users must re-enter their passwords

• Restrictions on downloading attachments to mobile devices

• Requirements for data encryption on mobile devices

• The number of times users can enter the wrong passwords before their devices are locked or wiped

• Storage of the device's recovery password on an Exchange server

Use multiple Exchange ActiveSync policies to configure different security settings for different users
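The ActiveSync access steps (Page 22) and the policy options above, as one added Exchange Management Shell example that is not part of the module. The server VAN-EX1, the external name mail.adatum.com, the policy name "Sales Policy" and the Sales OU come from the lab; the OU path adatum.com/Sales, the mailbox jane and the specific values are assumptions.

```powershell
# Added example: Exchange ActiveSync on an Exchange 2010 Client Access server: secure
# the virtual directory, then build and assign a mailbox policy.
# Assumed: server VAN-EX1, external name mail.adatum.com, policy "Sales Policy",
# OU adatum.com/Sales, mailbox jane.
$server = 'VAN-EX1'

# 1. The virtual directory: external URL for Autodiscover, Basic authentication (inside
#    SSL only; also set "Require SSL" in IIS), and client certificates accepted for
#    devices that have been issued one. "Required" would cut off every device without
#    a certificate, so move to it only once enrollment covers the whole fleet.
Get-ActiveSyncVirtualDirectory -Server $server | Set-ActiveSyncVirtualDirectory `
    -ExternalUrl 'https://mail.adatum.com/Microsoft-Server-ActiveSync' `
    -BasicAuthEnabled $true -WindowsAuthEnabled $false -ClientCertAuth Accepted

# 2. A policy that maps onto the bullet list: password rules and inactivity lock,
#    lockout/wipe threshold, device and storage-card encryption, attachment download,
#    recovery password stored on the server.
New-ActiveSyncMailboxPolicy -Name 'Sales Policy' `
    -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 -MinDevicePasswordComplexCharacters 2 `
    -DevicePasswordExpiration '90.00:00:00' -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock '00:10:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true -RequireStorageCardEncryption $true `
    -AttachmentsEnabled $false `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false

# 3. Assign it to every mailbox in the Sales OU. With AllowNonProvisionableDevices
#    $false, a device that cannot enforce all of these settings is refused rather than
#    partially managed; relax that per policy only if the business accepts the gap.
Get-User -OrganizationalUnit 'adatum.com/Sales' -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy 'Sales Policy'

# 4. Verify the policy and one assignment; the default policy still covers everyone else.
Get-ActiveSyncMailboxPolicy -Identity 'Sales Policy' |
    Format-List Name, DevicePasswordEnabled, MaxDevicePasswordFailedAttempts, RequireDeviceEncryption, AttachmentsEnabled, IsDefaultPolicy
Get-CASMailbox -Identity 'jane' | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

On the firewall point from Page 22: Direct Push keeps an HTTPS request open for up to the device's heartbeat interval, so the idle-connection timeout on the firewall and reverse proxy in front of the Client Access server needs to be long enough (Microsoft's guidance for Exchange 2010 is 30 minutes); a short timeout makes devices fall back to frequent short heartbeats, which is the battery and data-plan cost the last bullet warns about.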

Page 29

Designing Mobile Device Remote Wipe Policies

When defining policies for performing a remote wipe:

• Define a policy for when Exchange administrators will wipe a device remotely

• Develop policies and procedures for rebuilding wiped devices or rebuilding new devices

• Develop policies for allowing users to wipe their own devices

Both the Exchange administrator and the device user can initiate a remote wipe of the mobile device
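The device-management operations from Page 27 and the remote wipe above, as one added Exchange Management Shell example that is not part of the module. The mailbox jane is taken from the earlier examples; the operations mailbox ops@adatum.com, the device ID, the 90-day staleness threshold and the mailbox contractor1 are assumptions. The organization-level access rules in step 4 need Exchange 2010 SP1.

```powershell
# Added example: inventory, wipe and prune Exchange ActiveSync device partnerships.
# Assumed: mailbox jane, ops mailbox ops@adatum.com, device ID ABCDEF0123456789,
# 90-day staleness threshold, mailbox contractor1. Step 4 requires Exchange 2010 SP1.

# 1. Inventory: devices partnered with one mailbox and when they last synced.
Get-ActiveSyncDeviceStatistics -Mailbox 'jane' |
    Format-Table DeviceType, DeviceModel, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeSentTime -AutoSize

# Every mailbox with at least one partnership, for an organization-wide inventory.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    Select-Object Name, ActiveSyncMailboxPolicy

# 2. Administrator-initiated remote wipe of one device. The command is queued and runs
#    the next time the device connects; NotificationEmailAddresses receives the
#    acknowledgement. Users can wipe their own devices from OWA > Options > Phone.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox 'jane' | Where-Object { $_.DeviceID -eq 'ABCDEF0123456789' }
Clear-ActiveSyncDevice -Identity ([string]$lost.Guid) -NotificationEmailAddresses 'ops@adatum.com' -Confirm:$false

# 3. Prune stale partnerships. A partnership record that is never removed lets a device
#    that resurfaces months later resume syncing with whatever policy it last had; it
#    also bloats the inventory and counts against EASMaxDevices in the throttling policy.
Get-ActiveSyncDeviceStatistics -Mailbox 'jane' |
    Where-Object { $_.LastSuccessSync -lt (Get-Date).AddDays(-90) } |
    ForEach-Object { Remove-ActiveSyncDevice -Identity ([string]$_.Guid) -Confirm:$false }

# 4. Control which device types may connect (SP1 and later): quarantine anything not
#    explicitly allowed, notify operations, and block one device type outright.
#    Quarantined devices appear in the ECP for approval.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients 'ops@adatum.com'
New-ActiveSyncDeviceAccessRule -QueryString 'PocketPC' -Characteristic DeviceType -AccessLevel Block

# 5. Turn ActiveSync off for a mailbox that should not use it at all.
Set-CASMailbox -Identity 'contractor1' -ActiveSyncEnabled $false
```

A wipe policy written against this script needs one more step than the cmdlets show: after Clear-ActiveSyncDevice has been acknowledged (DeviceWipeAckTime is populated in the statistics), remove the partnership with Remove-ActiveSyncDevice, otherwise the wipe request stays pending and a rebuilt device re-using the same ID will be wiped again on first sync.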

Page 30

Lab: Planning and Deploying Client Access Services in Exchange Server 2010

• Exercise 1: Designing the Client Access Server Deployment

• Exercise 2: Designing Client Access

• Exercise 3: Implementing Client Access

Logon information

Estimated time: 90 minutes

Page 31

Lab Scenario

• You are a messaging engineer for A. Datum Corporation, an enterprise-level organization with multiple locations. A. Datum Corporation is an international corporation involved in technology research and investment, and is planning to upgrade from Exchange Server 2003 to Exchange Server 2010.

• You have been tasked with reviewing the current messaging infrastructure and network topology and planning the deployment and configuration of Client Access servers. You are required to make proposals about how best to address the needs of the various stakeholders in the organization.

• Finally, you are required to implement part of your proposed client access design.

Page 32

Lab Review

• In exercise 3, you used https://van-ex1.adatum.com/owa to connect to Outlook Web App. If you wanted to use https://mail.adatum.com/owa instead, what would you need to consider?

• In exercise 3, you assigned an Exchange ActiveSync mailbox policy to a collection of users. If you had an Outlook Web App mailbox policy called “Sales Policy” to assign to members of the Sales OU, what would be the Exchange Management Shell syntax?

Page 33

Module Review and Takeaways

• Review Questions

• Best Practices