
What's New in Microsoft ® Exchange Server 2010 Service Pack 2






Presentation Transcript


  1. UCC206 Principal Technical Writer, Microsoft Corporation. What's New in Microsoft® Exchange Server 2010 Service Pack 2. Scott Schnoll, scott.schnoll@microsoft.com

  2. Agenda
  • Service Pack 2 (SP2) Development
  • Major new features in SP2
  • Outlook Web App (OWA) Mini
  • Hybrid Configuration Wizard
  • Address Book Policies
  • OWA Cross-Site Silent Redirection

  3. Exchange SP2 Development
  • Scheduled for public release by end of CY 2011
  • Private Technology Adoption Program (TAP) currently running
  • Service packs contain bug fixes AND features
  • SP2 has ~500 bug fixes and 4 primary new features
  • Every bug is triaged for risk, cost and applicability
  • Each new feature gets a Functional Spec, a Development Spec, and a Test Spec, and undergoes a thorough team review

  4. Technology Adoption Program
  • Exchange has a long history in this area: JDP, RDP, TAP
  • TAP consists of customers who are prepared to deploy pre-release bits in production
  • They get support from Microsoft
  • They get access to a private distribution list, a Wiki with all the latest info, and conference calls with the Exchange team developing the features
  • They get to provide early feedback, change the product and find bugs

  5. OWA Mini

  6. OWA Mini
  • This feature was driven by demand from markets where browser phones still rule
  • Administered using PowerShell
  • This is a complete re-write; none of the 2003 code was re-used
  • It is built as a set of OWA forms, so it is not a separate application

  7. Managing OWA Mini
  • Enabled and disabled using Set-OWAMailboxPolicy:
    Set-OWAMailboxPolicy PolicyName -OWALightEnabled:$True
  • OWA Mini is effectively an alternative view of OWA, so OWA mailbox policies and segmentation are inherited
  • Any features the policy does not support are secure by default (i.e., disabled for OWA Mini)
  • Features such as calendar, contacts, etc., can be enabled or disabled on a per-policy basis
  • Will ship in all OWA languages
  • If a new language is added to OWA, OWA Mini gets it

  8. Hybrid Configuration Wizard

  9. Hybrid Configuration Wizard
  • EMC-based wizard plus cmdlets for setting up on-premises Exchange and Office 365 to work together – in Hybrid mode
  • Vastly simpler process than the current SP1 manual experience
  • What once took ~49 steps now takes 6 (your mileage may vary)
  • >80% reduction in effort for the administrator

  10. Address Book Policies

  11. GAL Segmentation
  • By default in Exchange, the Global Address List contains every mail-enabled object
  • GAL Segmentation means dividing up the GAL and Address Lists
  • Why would you want to do this?
    • Legal or compliance reasons – people are not allowed to see each other in the GAL
    • Optimization reasons – you have a huge GAL but operate in smaller logical units
    • Hosting reasons – you want to host multiple organizations on one platform and don't want them seeing each other

  12. GAL Segmentation - History
  • In the Exchange 2000 timeframe a KB article was released that outlined how to carve up your GAL, but we pulled it when HMC was created
  • For 2003, no such paper, but lots of support cases
  • For 2007, a new whitepaper was born
  • For 2010, we decided to engineer the solution fully into the product

  13. GAL Segmentation - History
  • Based on a combination of methods:
    • Using ACLs on GALs and ALs (Outlook and Exchange ActiveSync)
      • Deny at the root level
      • Allow to a specific AL
      • Requires security group membership and all ACLs to be evaluated
    • MsExchQueryBaseDN (for OWA, but not needed since SP1)
      • Specify per user the base OU the user can search from (this means the OU hierarchy is rigid)
    • Per-user OAB assignment
      • Specify per user the OAB the user can access
  • Relied upon Outlook and Exchange choosing the largest or 'best' GAL when there are a few to choose from

  14. GAL Segmentation - History
  • Using security groups, QBDNs and per-user OABs meant creating users with scripts to get the right settings – or things start to go wrong
  • As we change things in Exchange, things can (and did) start to break
  • The OU hierarchy was too restrictive for some customers – a user cannot exist in more than one OU

  15. Address Book Policies
  • Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
  • ABPs work on the principle of direct GAL and Address List assignment rather than allowing or denying access to all available lists
  • ABPs only apply to users with mailboxes on Exchange 2010, as they plug in to the Address Book Service on the 2010 SP2 CAS role
  • Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user

  16. Address Book Policies
  • ABPs work for any client that goes through CAS for directory access and:
    • Opens the address list picker
    • Tries to resolve a name or an alias
    • Adds a room resource to a meeting request
    • Searches the GAL
    • Searches the directory from Outlook Voice Access
    • Queries the directory from a mobile device
    • Views someone's DL memberships, or views the members of a DL
  • Yes – if a user in a DL is outside the scope of your ABP, you won't see them
    • This prevents GAL mining by surfing up and down the member/memberOf properties in some scenarios
    • This does mean you might be sending to more people than you think you are… and that MailTips might (apparently) not be telling the truth…

  17. ABP Deployment Considerations
  • Deploying ABPs successfully is all about PLANNING and understanding what they can, and cannot, do
  • ABPs alone do not result in 'true' separation – smart users can usually figure out ways to get around them or expose some data
    • Examples: delivery reports, DL memberships
  • Don't try and use ABPs alone to 'fake' multi-tenancy; it's more complex than that
  • ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources

  18. ABP Deployment Considerations
  • Use standard, built-in and existing Custom Attributes to represent company/division/class or whatever you want to divide upon
    • DLs don't have Company attributes you can use, so you can't filter on those
    • Custom Attributes are consistent on all mail-enabled objects
  • Build simple AL and GAL filters and group them together into ABPs
  • Build OABs based on GALs, not ALs
  • Make sure a user exists in their own GAL
  • Make sure the GAL is a superset of the ALs in an ABP
    • The GAL is the effective ABP scope – if the GAL is smaller than an AL the user has access to, users will be filtered
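The build order above (AL and GAL filters on a Custom Attribute, OAB from the GAL, then the ABP, then assignment), as an added Exchange Management Shell example that is not part of the deck. It assumes CustomAttribute1 is set to "Contoso" on every mail-enabled object in the division and that all names are placeholders; the final loop is the "user exists in their own GAL" check.

```powershell
# Added example: one ABP for a division tagged via CustomAttribute1 (placeholder value "Contoso").
$tag    = "Contoso"
$filter = "(CustomAttribute1 -eq '$tag')"

# GAL first: it is the effective scope, so it must be a superset of every AL in the policy
New-GlobalAddressList -Name "$tag GAL" -RecipientFilter $filter

# Keep the AL filters simple; each one narrows the same tag the GAL filter uses
New-AddressList -Name "$tag All Users"  -RecipientFilter "($filter -and (RecipientType -eq 'UserMailbox'))"
New-AddressList -Name "$tag All Groups" -RecipientFilter "($filter -and (RecipientType -eq 'MailUniversalDistributionGroup'))"
New-AddressList -Name "$tag All Rooms"  -RecipientFilter "($filter -and (RecipientDisplayType -eq 'ConferenceRoomMailbox'))"

# OAB built from the GAL, not from an AL
New-OfflineAddressBook -Name "$tag OAB" -AddressLists "$tag GAL"

# Group the lists into the policy
New-AddressBookPolicy -Name "$tag ABP" `
    -GlobalAddressList  "$tag GAL" `
    -OfflineAddressBook "$tag OAB" `
    -RoomList           "$tag All Rooms" `
    -AddressLists       "$tag All Users", "$tag All Groups"

# Assign the policy to the division's mailboxes
Get-Mailbox -ResultSize Unlimited -Filter $filter | Set-Mailbox -AddressBookPolicy "$tag ABP"

# Check: every mailbox that carries the ABP must be matched by its own GAL filter,
# otherwise that user cannot see themselves (or anyone) in the address book
$galFilter = (Get-GlobalAddressList "$tag GAL").RecipientFilter
$inGal = @{}
Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $galFilter |
    ForEach-Object { $inGal[$_.Guid.ToString()] = $true }

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AddressBookPolicy -ne $null -and $_.AddressBookPolicy.Name -eq "$tag ABP" } |
    ForEach-Object {
        if (-not $inGal.ContainsKey($_.Guid.ToString())) {
            Write-Warning "$($_.Alias) is assigned '$tag ABP' but is not in '$tag GAL'; fix CustomAttribute1"
        }
    }
```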

  19. Address Book Policies
  • ABPs cannot prevent anyone from connecting directly to AD and bypassing ABP logic
  • LDAP clients (for example, Outlook Mac/Entourage) will not work with ABPs
  • You can't use ABPs if Exchange is installed on a GC, as NSPI is then provided by Active Directory, not by the Address Book Service
  • If you span DLs over ABPs you need to disable Group Management in ECP, as ECP uses Get-Group, which ignores ABPs
  • Don't try and mix and match ABPs and ACLs (unless migrating), or use QBDNs

  20. Migration From ACLs
  • If you are using an ACL-based model today in 2007, you might be able to migrate without too many problems
  • First create ABPs that mirror your security groups and ACLs
  • Installing 2010 will result in some downtime, as setup must be able to read the Default GAL
  • As you migrate mailboxes, you need to assign an ABP and remove the QBDN from the user object
  • You can also remove the OAB setting, as that comes from the ABP as well
  • You will need to test against YOUR environment

  21. ABPs and Office 365
  • Making ABPs work in Office 365 is part of our long-term plan, but it's not as easy as just putting the new code there:
    • Tenant admins cannot today create or manage ALs, GALs or OABs, so they wouldn't be able to create very useful ABPs
    • We would need to allow creation and enforce throttling
    • Lync and SharePoint have their own directory access methods, and so do not respect ABPs
    • Either we try to change that, or customers have to accept that
    • We would also need to add dirsync capability to make the feature easy to manage for hybrid customers

  22. OWA Cross-Site Silent Redirection

  23. OWA Cross-Site Silent Redirection
  • Pre-Exchange 2010 SP2, if you use OWA on a Client Access server (CAS) in the 'wrong' Active Directory site, CAS has a decision to make: it can proxy or redirect the connection to the target site
    • If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access
    • If the target site has an ExternalURL, we show the user a page with a link to click
    • The user clicks the link, logs in again, and gets access
    • The user has to log in twice
  • We are removing the need to click the link, which for some scenarios will result in a Single Sign On experience

  24. OWA Cross-Site Silent Redirection
  • Disabled by default
  • Out of the box, cross-site manual redirection still occurs
  • Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication
  • Is only available for intra-org cross-site redirection events

  25. OWA Cross-Site Silent Redirection
  • Enabled on Internet-facing CAS, on a per-OWA-virtual-directory basis:
    Set-OWAVirtualDirectory -Identity "CAS1\owa (default Web site)" -CrossSiteRedirectType Silent
  • When you enable silent redirection you will be informed that the target CAS must have an ExternalURL that uses HTTPS (HTTP over SSL)
  • When you enable silent redirection, you will receive a warning that a single sign-on experience may not be possible if FBA is not enabled
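The two conditions the cmdlet warns about (HTTPS ExternalURL on the target, FBA on both ends) as a pre-flight check, an added Exchange Management Shell example that is not part of the deck. Server and virtual directory names are placeholders; the script only turns on silent redirection when both checks pass.

```powershell
# Added example: verify the target site is ready before switching the source vdir to Silent.
$sourceVdir = "CAS1\owa (default Web site)"   # Internet-facing CAS in the 'wrong' site (placeholder)
$targetVdir = "CAS2\owa (default Web site)"   # CAS in the mailbox's own site (placeholder)

$src = Get-OwaVirtualDirectory -Identity $sourceVdir
$dst = Get-OwaVirtualDirectory -Identity $targetVdir

$problems = @()

# Without an ExternalUrl CAS proxies instead of redirecting, so there is nothing to make silent
if (-not $dst.ExternalUrl) {
    $problems += "$targetVdir has no ExternalUrl; requests would be proxied, not redirected"
}
# The redirect hands the user's session to another host, so the target must be HTTPS
elseif ($dst.ExternalUrl.Scheme -ne "https") {
    $problems += "$targetVdir ExternalUrl is $($dst.ExternalUrl); it must use HTTPS"
}

# Single sign-on only works when both virtual directories use Forms-Based Authentication
if (-not ($src.FormsAuthentication -and $dst.FormsAuthentication)) {
    $problems += "FBA is not enabled on both $sourceVdir and $targetVdir; users will be prompted to log in again"
}

if ($problems.Count -eq 0) {
    Set-OwaVirtualDirectory -Identity $sourceVdir -CrossSiteRedirectType Silent
    Write-Host "Silent cross-site redirection enabled on $sourceVdir"
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "Leaving $sourceVdir at CrossSiteRedirectType $($src.CrossSiteRedirectType)"
}
```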

  26. Experience Before and After Cue Applause….

  27. Summary
  • SP2 includes many bug fixes and four major new features:
    • OWA Mini
    • Hybrid Configuration Wizard
    • Address Book Policies
    • OWA Cross-Site Silent SSO Redirection

  28. Resources
  • Exchange Team Blog: http://aka.ms/EHLO
  • Exchange 2010 Documentation Library: http://aka.ms/Ex2010Docs

  29. Feedback Your feedback is very important! Please complete an evaluation form! Thank you!

  30. Questions?
  • UCC206
  • Scott Schnoll, Principal Technical Writer
  • scott.schnoll@microsoft.com
  • http://blogs.technet.com/scottschnoll
  • Twitter: @schnoll
  • You can ask me questions at the "Ask the Expert" zone: November 10, 2011, 12:30 – 13:30
