Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius

1. TOP 15 SENIOR ADMIN EXCHANGE QUESTIONS PRESENTED BY MVP, JAAP WESSELIUS

2. INTRODUCTION AGENDA TOP 15 QUESTIONS SUMMARY OF THE  TOP 15 QUESTIONS

3. JAAP WESSELIUS WHO AM I? Office Server and Services MVP  (previously Exchange server MVP) Freelance consultant Blogger, author, presenter Husband, dad with three sons (uh oh) Biker enthusiast

4. ? •KEMP (pre-sales) receive numerous Exchange related question •Load balancing questions (makes sense) •Lots of other questions, like • Veeam supportability • Anti-malware questions • Security questions • Tools questions • Etc…. For this presentation we’ve created a top 15 list TOP 15 QUESTIONS

5. 1 Always use the requirements calculator when designing an Exchange environment • https://exchangeloadbalancer.com/exchange-role- calculator/ (The Exchange Role Size calculator) • https://kemptechnologies.com/loadmaster-sizing- guide/ (Load Balancer Sizing Guide) • For large environments: better not use virtualization! • Use Jetstress for validating your storage design 1. BEST PRACTICES FOR INSTALLING EXCHANGE

6. 1 Use proper 3rd party SSL certificates (like DigiCert for example) Use unattended setup Document your setup procedure Use Michel’s PowerShell script (http://bit.ly/ UnAttended) Use Desired State Configuration for larger environments Make sure you have a proper patch management solution 1. BEST PRACTICES FOR INSTALLING EXCHANGE

7. 2 2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016 Exchange 2010 can coexist with Exchange 2016 Exchange 2010/2016 is using down level proxy mechanism

8. 2 2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016 Most important part and potentially  high impact! Identical to Exchange 2010/2013 Build new Exchange 2016 farm Change namespace to Exchange 2016 No legacy namespace needed Clients access Exchange 2016 servers Requests are proxied to Exchange 2010 Requests CANNOT be proxies from Exchange 2010 to Exchange 2016, no uplevel proxy!!

9. 2 2. HOW CAN EXCHANGE 2010 COEXIST WITH 2016 Down Level Proxy  (in real life)

10. 3 3. HOW TO MIGRATE FROM EXCHANGE 2010 TO 2016 THERE ARE TWO OPTIONS OPTION 1: TRANSITION TO EXCHANGE 2016 • Build a coexistence environment with down level proxy • Build a new Exchange 2016 Database Availability Group • Use New-MoveRequest to seamlessly move mailboxes to Exchange 2016 • Decommission Exchange 2010  (uninstall, not just delete VMs!!)

11. 3 3. HOW TO MIGRATE FROM EXCHANGE 2010 TO 2016 THERE ARE TWO OPTIONS OPTION 2: MIGRATE TO EXCHANGE 2016 • Move all resources to a new forest and Exchange environment • Also known as inter-forest migration • Use 3rd party tooling to move accounts and mailboxes to new Active Directory forest

12. 4 4. WHAT ARE THE  BENEFITS OF MAPI/HTTP Mapi/Http is the new Outlook client protocol Outlook Anywhere is deprecated  (already being decommissioned from Office 365) Instead of using the RPC Proxy component  (Windows component, not an Exchange component) Outlook is using HTTP natively No dependency of RPC Proxy component  (which is not the most stable component) More stable with flaky  (WiFi or Cellular data) connections

13. 4. WHAT ARE THE  BENEFITS OF MAPI/HTTP

14. 5 5. WHAT ARE THE BENEFITS OF HYBRID DEPLOYMENT Basically it is one ‘virtual’ Exchange organization, comprising of Exchange on-premises and Exchange Online Benefits: • One autodiscover mechanism (points to on-premises) • Secure mail flow between on-premises and online • One address book • Sharing free/busy information, mailtips, OOF • Easy migration to Exchange Online (uses regular Mailbox Replication Service) • Interesting but not heard often: there’s an easy offboarding mechanism!

15. 5 5. WHAT ARE THE BENEFITS OF HYBRID DEPLOYMENT But remember, identity management (including Exchange properties) is performed on-premises. You always need at least one Exchange server on-premises!!

16. 6 6. HOW TO ENABLE AN  IMAP4 CONNECTION POP3 and IMAP4 are not running by default on Exchange 2013 or Exchange 2016 (startup type set to manual) Set the startup type to automatic There’s a front-end service and a back-end service Make sure the Login Type is set correctly (SecureLogin vs PlainText) When using S/POP3 or S/IMAP4 make sure you use the right SSL certificate Make sure you know the right Telnet commands for testing purposes :-) Shameless plug: http://bit.ly/POP3Telnet

17. 6 6. HOW TO ENABLE AN  IMAP4 CONNECTION

18. 7 7. WHAT SPAM PROTECTION IS AVAILABLE WITH EXCHANGE 2016 There is some anti-malware protection in Exchange 2016 Use Get-MalwareFilteringServer, Get-MalwareFilterPolicy and Get-MailwareFilterRule to check details Edge Transport server is very limited for anti-spam Can do some RBL and whitelist/blacklist and ‘some’ content filtering Mostly used as an SMTP server in DMZ scenario You always need separate anti-malware solution

19. 7 7. WHAT SPAM PROTECTION IS AVAILABLE WITH EXCHANGE 2016 Third party solution can be on-premises or online Exchange Online Protection Anti-malware, DKIM signing/verify, DMARC validation On-premise solutions Cisco Email Security Appliance (ESA, aka IronPort) Anti-malware, DKIM signing/verify, DMARC validation Beware: Exchange 2016 does not support DKIM and DMARC Think about user education There’s no technical solution for user inability!

20. 8 8. WHAT IS TARPITTING WHAT IS TARPITTING? WHY AM I BEING TARPITTED? HOW TO BYPASS A TARPIT INTERVAL? Tarpitting is deliberately slowing down SMTP responses on the Receive Connector  (default 5 seconds) This will frustrate malware  sending hosts Helps protecting against directory harvesting Bypassing Tarpit interval might not be a good idea (whitelist maybe?) Change using the Set- ReceiveConnector command

21. 9 9. BEST WAYS TO ACHIEVE  HIGH AVAILABILITY PART 1: PROTOCOL LOAD BALANCING •Use load balancer for incoming request •Distribute request amongst multiple Exchange servers •Will load balance and overcome server failure SPLIT HA INTO TWO PARTS:

22. 10 10. HOW TO ENSURE  SITE RESILIENCY Using multiple datacenters you can create site resiliency Use the Exchange Preferred Architecture  http://bit.ly/ExchangePA • Namespace design • Bound namespace – users connect to a particular datacenter like emea.contoso.com or us.contoso.com • Unbound namespace – users connect to any datacenter like mail.contoso.com

23. 10 10. HOW TO ENSURE  SITE RESILIENCY This has impact on DNS and load balancing design Use an Active Directory site per datacenter Transport Site Resilience via Shadow Redundancy and Safety Net can only be achieved when DAG members are in multiple sites Take care about network latency between datacenters

24. 10 10. HOW TO ENSURE  SITE RESILIENCY Geo-distributed Unbound Namespace

25. 11 11. IS VEEAM SUPPORTED  FOR EXCHANGE DEFINITELY •Veeam creates snapshot backup of the Virtual Machine •Through the Integration Components a VSS snapshot is created in the Virtual Machine •VSS stamps database header with last/previous backup information •VSS purges transaction log files •And fully supported by Veeam and Microsoft :-)

26. 12 12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE That’s not too difficult, but make sure you’re not creating an internet facing open relay server (you’ll be blacklisted in minutes) The Default Receive Connector accepts anonymous connections and relays mail to internal recipients (Accepted Domain) Your multi-functional devices can use this for internal delivery

27. 12 12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE For anonymous delivery to external recipients you need to create a new, dedicated Receive Connector  (I prefer not to fiddle around with default connectors) And, new Receive Connector means additional IP address  (Cannot have two Receive Connectors listening to same IP address and Port Number)

28. 12 12. HOW TO CONFIGURE SMTP RELAY IN EXCHANGE Restrict access to new Receive Connector on IP basis Grant the ms-Ech-SMTP-Accept-Any-Recipient permission to "NT AUTHORITYANONYMOUS LOGON" user on new Receive Connector Get-ReceiveConnector –Identity "Relay Connector (EXCH01)" | Add-ADPermission -User "NT AUTHORITY ANONYMOUS LOGON" -ExtendedRights “ms-Exch-SMTP-Accept- Any-Recipient" Another shameless plug: http://bit.ly/SMTPRelay

29. 13 13. USES FOR OFFCAT OffCat = Microsoft Office Configuration Analyzer Tool Provides a detailed report of your installed Office programs Originally started as Outlook Configuration Analyzer Tool (OCAT) Use OffCat for scanning PC’s for known Office configuration issues and detailed reports For Outlook, it will scan autodiscover (lots of questions about AutoD), Calendar, Outlook profile etc.

30. 13 13. USES FOR OFFCAT

31. 13. USES FOR OFFCAT

32. 13. USES FOR OFFCAT

33. 14 14. HOW TO AVOID/REMOVE CRYPTOLOCKER •Send money to the bad guy (seen this once) and hope for an unlock key •Restore the last know good backup. Data after this back will be lost REMOVE

34. 14 • Implement a good anti-malware solution, not only for email, but also on PC’s • Yes, this is expensive, but what about the previous bullets? • User education is extremely important • Don’t trust incoming email with attachment, invoice-03202017.zip might not be what you think it is • Don’t click on any (suspicious) link in email • Be careful with Internet browsing (again, implement anti-malware solution) AVOID 14. HOW TO AVOID/REMOVE CRYPTOLOCKER

35. 15 15. THE BEST FREE TOOLS  FOR EXCHANGE Remote Connectivity Analyzer (aka.ms/exrca)  (Very nice SMTP header analyzer) Mxtoolbox.com Exchange Environment Report Tool (by Steve Goodman) SMTP Protocol logging Code projects (by Paul Cunningham) CheckTLS.com Ssl-checker.online-domain-tools.com https://www.checktls.com/assuretls.html

36. 15. THE BEST FREE TOOLS  FOR EXCHANGE

45. Email - jaap@Wesselius.info Website – https://jaapwesselius.com/ Twitter - https://twitter.com/jaapwess SUMMARY Well, there’s not really a summary after discussing top 15 questions Keep your questions coming… Email Q&A to: QandA@kemptechnologies.com

46. KEMP RESOURCES Exchange Load Balancing:  https://kemptechnologies.com/microsoft-loadbalancing/load-balancing-microsoft-exchange/ Exchange Resources:  https://exchangeloadbalancer.com/ MSExchange.org Resources:  http://www.msexchange.org/loadbalancing/ Dell Load Balancer Store:   http://www.dell.com/load-balancers