
Page 1: Damian Scoles | Project Leadership Associates Microsoft Exchange Server MVP dscoles@projectleadership.net

Exchange 2013: What’s New in Service Pack 1?

Damian Scoles | Project Leadership Associates
Microsoft Exchange Server MVP
dscoles@projectleadership.net
http://justaucguy.wordpress.com/


What’s New In Service Pack 1

• Edge Transport Role
• DLP Enhancements
• MAPI over HTTP
• IP Less DAGs
• EAC Command Logging
• OWA Enhancements
• Miscellaneous


Microsoft Confidential

Edge Transport Role

• Edge role in production:
• Deployed in DMZ
  o Talks directly to CAS/MBX through the firewall


Edge Transport Role

• Reduce attack surface
  o Reduced set of services
  o Reduced set of PowerShell commands
  o Member server with AD LDS installed
• Provides mail routing as well as message hygiene
• No GUI
  o No interface like the EAC for other roles
  o Configurable via PowerShell only


DLP Enhancements

• Policy Tips in OWA
• Document Fingerprinting
• Sensitive information types expanded
  http://technet.microsoft.com/en-us/library/jj150541%28v=exchg.150%29.aspx


Policy Tips in OWA

• No longer limited to just Outlook.
• Can Enforce – warn, block or allow exceptions – as well as test
• Seamless user experience – OWA/Outlook operate the same
• Above example (screenshot) warns on SSN or Bank Numbers


DLP Fingerprinting
• What is fingerprinting?
• What can we use it for?
  o Government forms
  o HIPAA
  o Employee forms (HR)
  o Patent forms
  o Custom forms (proprietary to your company)
• Limitations
  o Password-protected files will not work
  o Documents containing only images will not work
• How are the documents stored?
  o XML hash file


DLP Fingerprinting (con’t)

Source - http://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx


How DLP Fingerprinting Works
• Create a document fingerprint from an existing document.
  − EAC –> DLP –> Manage document fingerprints –> Add document
• Create a DLP Policy that uses this document fingerprint
  o Add a custom rule
  o Edit the ‘Sensitive Information types’, select the fingerprint
  o Finish the rules you want applied to the policy.
• The same process can be performed in PowerShell
  o Get-Content
  o New-Fingerprint
  o New-TransportRule
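The PowerShell path the slide lists (Get-Content, New-Fingerprint, New-TransportRule), worked through end to end as an added example that is not part of the deck: it fingerprints a template, publishes the fingerprint as a custom sensitive information type with New-DataClassification (a cmdlet the slide does not name), binds it to a transport rule that starts in audit mode, and reads the result back. The template path, the classification and rule names and the reject text are placeholders. This is Windows PowerShell in the Exchange 2013 SP1 management shell, where Get-Content -Encoding Byte is available.

```powershell
# Added example (not from the slide deck). Placeholders: the template path, the
# classification name, the rule name and the reject text.

# 1. Read the template as raw bytes and fingerprint it. Password-protected and
#    image-only documents yield no text to hash, so they cannot be fingerprinted.
$templatePath = 'C:\DLP\Templates\Patent-Application-Template.docx'   # placeholder
$fileBytes    = [Byte[]](Get-Content -Path $templatePath -Encoding Byte -ReadCount 0)
$fingerprint  = New-Fingerprint -FileData $fileBytes -Description 'Patent application template v1'

# 2. Publish the fingerprint as a custom sensitive information type. Exchange stores
#    the hash-based fingerprint (the "XML hash file"), not the template itself.
New-DataClassification -Name 'Contoso Patent Form' `
    -Fingerprints $fingerprint `
    -Description 'Documents derived from the patent application template' | Out-Null

# 3. Bind the type to a transport rule. Audit mode records matches without rejecting
#    anything, so false positives can be reviewed before the rule is enforced.
New-TransportRule -Name 'DLP - Patent form leaving the organization' `
    -MessageContainsDataClassifications @{ Name = 'Contoso Patent Form' } `
    -SentToScope NotInOrganization `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'This message appears to contain a patent application form and cannot be sent externally.' `
    -Mode Audit | Out-Null

# 4. Read back what was created.
Get-DataClassification -Identity 'Contoso Patent Form' | Format-List Name, Fingerprints, Description
Get-TransportRule -Identity 'DLP - Patent form leaving the organization' |
    Format-List Name, Mode, SentToScope, MessageContainsDataClassifications

# 5. Once the audit results look right, switch the rule to enforcement.
# Set-TransportRule -Identity 'DLP - Patent form leaving the organization' -Mode Enforce
```

Starting in audit mode matters because a fingerprint built from a widely reused template (a company letterhead, for instance) matches far more mail than intended; reviewing the audited matches before enforcing avoids blocking legitimate traffic.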


DLP Interface Change
(Screenshots: the DLP page in Exchange 2013 CU3 compared with Exchange 2013 SP1)


DLP Sensitive Information
• More types have been added to DLP:
  o Finland National ID
  o Poland National ID (PESEL)
  o Poland Identity Card
  o Poland Passport
  o Taiwan National ID


MAPI over HTTP

• Replacement for RPC over HTTP
  o RPC is a legacy protocol with no real updates in a decade
  o Designed for LANs and not communication over the Internet
  o RPC is sensitive to interruptions
  o More information (history of RPC and reasoning for the HTTP transition):
    http://windowsitpro.com/exchange-server-2013/exchange-server-2013-transition-rpc-http
• Provides a common communication platform for Exchange communications – HTTP
  o ActiveSync
  o OWA
  o Outlook
• Uses POST commands based on HTTP 1.1
• No metrics on actual performance yet. Still pending from Microsoft.


MAPI over HTTP

• How to enable this in Exchange?
  o Set-MapiVirtualDirectory -Identity "Contoso\mapi (Default Web Site)" -InternalUrl https://Contoso.com/mapi -IISAuthenticationMethods Negotiate
  o Set-OrganizationConfig -MapiHttpEnabled $true
• Caveats
  o May not be able to access legacy Public Folders.
  o All Exchange servers at 2013 Service Pack 1
  o All clients at Outlook 2013 Service Pack 1
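The two commands above, assembled into a script with the pre-flight check that the "all Exchange servers at 2013 SP1" caveat calls for and a verification step at the end. This is an added example, not the deck's own material. The server name, host name and URLs are placeholders; the build comparison assumes that Exchange 2013 SP1 is build 15.0.847, and the probe name passed to Test-OutlookConnectivity is the MAPI over HTTP self-test probe from the Exchange 2013 SP1 documentation.

```powershell
# Added example (not from the slide deck). Placeholders: server name, host name, URL.
$server  = 'EX01'
$mapiUrl = 'https://mail.contoso.com/mapi'

# 1. Pre-flight for the caveat "all Exchange servers at 2013 SP1": SP1 is build
#    15.0.847 (assumption stated in the lead-in). Anything older is listed and the
#    script stops, because pre-SP1 servers cannot serve the mapi virtual directory.
$older = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -lt 15 -or
    ($_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Build -lt 847)
}
if ($older) {
    $older | Format-Table Name, AdminDisplayVersion -AutoSize
    throw 'Not all Exchange servers are at 2013 SP1; MAPI over HTTP cannot be enabled yet.'
}

# 2. Configure the mapi virtual directory on the Client Access server. Negotiate lets
#    domain-joined clients use Kerberos where it is available and fall back to NTLM.
Set-MapiVirtualDirectory -Identity "$server\mapi (Default Web Site)" `
    -InternalUrl $mapiUrl `
    -ExternalUrl $mapiUrl `
    -IISAuthenticationMethods Negotiate

# 3. Enable the protocol for the organization. Outlook 2013 SP1 clients move to it
#    after their next Autodiscover refresh; older clients keep using RPC over HTTP.
Set-OrganizationConfig -MapiHttpEnabled $true

# 4. Verify the configuration and run the server-side self-test probe.
Get-OrganizationConfig | Format-List MapiHttpEnabled
Get-MapiVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl, IISAuthenticationMethods
Test-OutlookConnectivity -RunFromServerId $server -ProbeIdentity OutlookMapiHttpSelfTestProbe
```

Because the switch is organization-wide, roll it back the same way (Set-OrganizationConfig -MapiHttpEnabled $false) if the legacy Public Folder caveat bites; the virtual directory settings can stay in place.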


IP Less DAGs

• What is an IP Less DAG?
  o Windows cluster has no IP address – no resource in cluster core group
  o No cluster name – no resource in cluster core group
  o No DNS entry for cluster
  o No computer objects (CNO) are created in Active Directory
  o Cluster manageable with PowerShell and not Failover Clustering
  o Reduces attack surface of Exchange 2013
  o Can convert an existing DAG
• Requirements
  o Windows Server 2012 R2
  o Exchange 2013 SP1

** Caveat - "We do not recommend this deployment method for any scenario that requires Kerberos authentication."

Source - http://technet.microsoft.com/en-us/library/dn265972.aspx#BKMK_ADAg


IP Less DAGs (con’t)
• IP Address is entered as 255.255.255.255
• No object in Active Directory
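Creating a DAG without an administrative access point, the "IP less" DAG the two slides above describe, as an added example that is not from the deck. The IP address list is set to [System.Net.IPAddress]::None, which Exchange displays as the 255.255.255.255 shown on the slide, and the closing checks confirm that no cluster IP or name resource and no computer object were created. DAG, witness and server names are placeholders; the cluster check assumes the FailoverClusters module is present and the AD check assumes the ActiveDirectory module is installed where the script runs.

```powershell
# Added example (not from the slide deck). Placeholders: DAG name, witness server and
# directory, mailbox server names.
$dagName = 'DAG01'

# 1. Create the DAG with no administrative access point. IPAddress.None is the value
#    Exchange shows as 255.255.255.255; everything else is a normal DAG definition.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer 'FS01.contoso.local' `
    -WitnessDirectory 'C:\DAGWitness\DAG01' `
    -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None) | Out-Null

# 2. Add the members; the underlying Windows cluster is created when the first one joins.
'EX01', 'EX02' | ForEach-Object {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $_
}

# 3. Verify from the Exchange side.
Get-DatabaseAvailabilityGroup -Identity $dagName -Status |
    Format-List Name, Servers, DatabaseAvailabilityGroupIpAddresses, WitnessServer

# 4. Verify the cluster side. There is no cluster name to connect to, so the cluster
#    cmdlets are pointed at a node. The core group should list neither an "IP Address"
#    nor a "Network Name" resource.
Get-Cluster -Name 'EX01' | Get-ClusterResource |
    Format-Table Name, ResourceType, OwnerGroup, State -AutoSize

# 5. Confirm that no cluster name object (CNO) exists in Active Directory.
if (Get-ADComputer -Filter "Name -eq '$dagName'") {
    Write-Warning "A computer object named $dagName exists; this is not an IP less DAG."
} else {
    Write-Output "No computer object for $dagName in Active Directory, as expected."
}
```

The smaller footprint is the point of the slide: no CNO to pre-stage or protect, no cluster name to resolve, and one less listening address. The trade-off is the quoted Kerberos caveat, since there is no cluster identity for anything that wants to authenticate to the cluster itself.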


EAC Command Logging
• Originally in Exchange 2007 and 2010
• What is it? Why do we care?
• How do I turn on logging?
• What does it actually do?
• Actual output: (screenshot)


EAC Command Logging

• Caveats/Information

o Displays only current actions

o When closed, previous results are lost

o Up to 500 entries at a time

o Searchable


DEMO


OWA Enhancements
• S/MIME
  o Can be enabled in the Outlook Web App Policy via PowerShell:
    Set-OWAVirtualDirectory -identity "owa (Default Web Site)" -SMimeEnabled $true
  o Requires IE 7+, recommend IE 9+ (supported clients)
  o Uses
• Rich Text Editor
  o Improvements in the user interface for easier use
     Copy and paste
     Better format options
• Firefox - Offline Mode
  o Controlled by Outlook Web App Policies (on by default)
  o Offline-supported folders include:
     Inbox
     Drafts
     Any folder viewed from the browser in the last week
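The S/MIME enablement above, carried through to a working configuration as an added example that is not from the deck: the slide's Set-OWAVirtualDirectory command applied to every OWA virtual directory, the matching switch in the OWA mailbox policy, and the issuing CA chain that OWA needs in order to validate certificates from an internal PKI. Set-OwaMailboxPolicy -SMimeEnabled, Set-SmimeConfig and Get-SmimeConfig are Exchange 2013 SP1 cmdlets documented alongside the slide's command; the .sst path and the policy name are placeholders.

```powershell
# Added example (not from the slide deck). Placeholders: the .sst path and the
# OWA mailbox policy name.

# 1. Enable S/MIME on every OWA virtual directory (the slide's command, org-wide).
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -SMimeEnabled $true

# 2. Enable it in the OWA mailbox policy that applies to the users in scope.
Set-OwaMailboxPolicy -Identity 'Default' -SMimeEnabled $true

# 3. Publish the issuing CA chain that OWA trusts when validating signing and
#    encryption certificates. The input is a serialized certificate store (.sst)
#    exported from certmgr, read as raw bytes.
$sstBytes = [Byte[]](Get-Content -Path 'C:\Certs\IssuingCAs.sst' -Encoding Byte -ReadCount 0)
Set-SmimeConfig -SMIMECertificateIssuingCA $sstBytes

# 4. Verify both the per-server switch and the organization-wide S/MIME settings.
Get-OwaVirtualDirectory | Format-Table Server, SMimeEnabled -AutoSize
Get-SmimeConfig | Format-List
```

Without step 3, users can still install the S/MIME control, but OWA has no basis for trusting the certificates it is asked to verify, so signed mail from the internal CA shows as untrusted.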


Miscellaneous
• Loose truncation
• ExBPA in Exchange 2013 SP1
• 2012 Server R2
  • Supported OS
  • Forest/Domain - 2012 R2
• Enhancements in Managed Availability
• Enhancements in Cluster stability
  o Hotfix that was available for Windows 2008 OS released for 2012
• Schema Updates – minor changes
• SSL Offloading
• Post Hot Fix ‘required’:
  • http://support.microsoft.com/kb/2938053


Loose Truncation
• Prior to Exchange 2013 SP1 – two options for database logging
  o Full: truncate on backup
  o Circular: self truncating
• Disabled by default
• Enabled via registry entries
  o HKLM\Software\Microsoft\ExchangeServer\v15\BackupInformation
     LooseTruncation_MinCopiesToProtect
     LooseTruncation_MinDiskFreeSpaceThresholdInMB
     LooseTruncation_MinLogsToProtect
• Purpose
  o Prevent disks from running out of space (i.e. during maintenance windows)
  o Keeps only the logs that are needed – unverified logs not replicated to other servers
  o Ignores the farthest copy out of sync
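Setting the three registry values the slide lists on every member of a DAG, as an added example that is not from the deck. The feature is off by default, as the slide says, and the values are per server rather than per DAG, so the script pushes the same settings to each member with Invoke-Command and reads them back. The DAG name is a placeholder and the three numbers are illustrative values, not recommendations; the meaning attached to each value in the comments follows the TechNet description of the keys.

```powershell
# Added example (not from the slide deck). Placeholders: the DAG name; the three
# threshold values are illustrative and must be tuned to the environment.
$dagName  = 'DAG01'
$regKey   = 'HKLM:\Software\Microsoft\ExchangeServer\v15\BackupInformation'
$settings = @{
    LooseTruncation_MinCopiesToProtect            = 2       # copies whose logs are protected; 0 leaves the feature off
    LooseTruncation_MinDiskFreeSpaceThresholdInMB = 204800  # free-space threshold (MB) below which loose truncation runs
    LooseTruncation_MinLogsToProtect              = 100000  # minimum number of logs kept on the protected copies
}

# Resolve the member servers from the DAG object.
$members = (Get-DatabaseAvailabilityGroup -Identity $dagName).Servers | ForEach-Object { $_.Name }

# Create the key if needed, write the three DWORD values, and return what is now stored.
# Invoke-Command tags each result with PSComputerName, so the table shows one row per node.
Invoke-Command -ComputerName $members -ScriptBlock {
    param($key, $values)
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $key | Select-Object LooseTruncation_*
} -ArgumentList $regKey, $settings | Format-Table PSComputerName, LooseTruncation_* -AutoSize
```

Reading the values back from every node is the useful part: a member that was rebuilt or added later and never received the keys behaves differently from the rest of the DAG, and that difference only shows up when a disk fills during a maintenance window.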


ExBPA – Exchange 2013 SP1
• No longer requires Office 365 tenant to download
• Does not run on Edge server
• Only gives results for one server at a time
• Can be run on a non-Exchange server


ExBPA – Exchange 2013 SP1 (screenshot)


Windows 2012 R2 Support

SOURCE: http://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx


Hot Fix required - kb2938053
• http://support.microsoft.com/kb/2938053
  − After you install Microsoft Exchange Server 2013 Service Pack 1 (SP1) or you upgrade an existing Microsoft Exchange Server 2013 installation to Exchange Server 2013 SP1, third-party or custom-developed transport agents cannot be installed correctly. Additionally, the Microsoft Exchange Transport service (MSExchangeTransport.exe) cannot start automatically. Specifically, you cannot enable third-party products that rely on transport agents. For example, you cannot enable anti-malware software or custom-developed transport agents.

    When the installation fails, you also receive an error message that resembles the following:

    The TransportAgentFactory type must be the Microsoft .NET class type of the transport agent factory.

• Why does this happen?
  − This problem occurs because the global assembly cache (GAC) policy configuration files contain invalid XML code.
• So what does this mean?


Q & A

Damian Scoles | Project Leadership Associates
Microsoft Exchange Server MVP
dscoles@projectleadership.net
http://justaucguy.wordpress.com