exchange management

All posts tagged exchange management

Changing the log path of an ordinary storage group is not hard, but when the storage group is CCR enabled (Cluster Continuous Replication) you need to do a few more things.

In this tutorial I will explain how to move the logs of a CCR-enabled storage group.

The first step is to open the Exchange Management Console and temporarily suspend log replication. Go to Server Configuration, Mailbox, select the mailbox server, then select the storage group and right-click on it; the menu below will be displayed.

 Suspend Storage Group Copy

In this menu select Suspend Storage Group Copy. A new screen lets you enter the reason for suspending the copy; you do not have to fill it in.

Administrative suspend

The status of the CCR copy changes from Healthy to Suspended.

Now that the CCR copy is temporarily suspended, open the Exchange Management Shell to reconfigure the log path. A configuration-only move can only be done from the Exchange Management Shell.

Move storage group logs via Powershell

Execute the command Move-StorageGroupPath -Identity 'First Storage Group' -LogFolderPath 'E:\Mailbox\SG1' -ConfigurationOnly. With -ConfigurationOnly we only change the configured log path; the files are not moved, you must do that yourself. Two confirmations are asked: one for the reconfiguration of the log path, the other warns that all databases in the storage group will be dismounted. Be aware that the storage group is not available to users at that moment.

When the command has completed successfully, move the log files (*.log) and the reserve log files (*.jrs) manually to their new location. When this is done, mount the databases again via the Exchange Management Console by right-clicking the database and choosing Mount Database.

Mount database

When the databases are mounted again you can resume CCR. Right-click the storage group and select Resume Storage Group Copy. After several seconds the status changes back to Healthy. When you look at the properties of the storage group you will see that the log path now points to the new location.

Log path changed
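The same procedure from the Exchange Management Shell, with a copy-status check before replication is resumed. This is an added example and not code from the original post; the storage group name, the new path and the passive node name are assumptions, and it is meant to be run on the active CCR node.

```powershell
# Added example (not from the original post): log-path move of a CCR storage
# group done entirely from the Exchange Management Shell. $sg, $newLogs and
# $passive are assumptions.
$sg      = "First Storage Group"
$newLogs = "E:\Mailbox\SG1"
$passive = "MBX-NODE2"

# 1. Suspend replication to the passive node (same as the EMC action above).
Suspend-StorageGroupCopy -Identity $sg -SuspendComment "Moving log path to $newLogs" -Confirm:$false

# 2. Remember the old path, then change only the configuration. The databases
#    of the storage group are dismounted by this step and stay offline until 4.
$oldLogs = (Get-StorageGroup -Identity $sg).LogFolderPath.PathName
Move-StorageGroupPath -Identity $sg -LogFolderPath $newLogs -ConfigurationOnly -Confirm:$false

# 3. Move the log set (*.log) and the reserve logs (*.jrs) by hand, on the
#    active node and on the passive node: the passive node must hold the same
#    files at the same path before the copy is resumed, otherwise it needs a reseed.
$passiveNew = "\\$passive\" + $newLogs.Replace(":", '$')
$passiveOld = "\\$passive\" + $oldLogs.Replace(":", '$')
foreach ($pair in @(@($oldLogs, $newLogs), @($passiveOld, $passiveNew))) {
    $from = $pair[0]; $to = $pair[1]
    if (-not (Test-Path $to)) { New-Item -ItemType Directory -Path $to | Out-Null }
    Get-ChildItem -Path $from | Where-Object { @(".log", ".jrs") -contains $_.Extension } |
        Move-Item -Destination $to
}

# 4. Mount every database in the storage group again.
Get-MailboxDatabase -StorageGroup $sg | Mount-Database

# 5. Resume the copy and confirm that it returns to Healthy.
Resume-StorageGroupCopy -Identity $sg
Start-Sleep -Seconds 10
$status = Get-StorageGroupCopyStatus -Identity $sg
if ($status.SummaryCopyStatus -ne "Healthy") {
    throw "Copy status is $($status.SummaryCopyStatus): $($status.ErrorMessage)"
}
Get-StorageGroup -Identity $sg | Format-List Name, LogFolderPath, SystemFolderPath
```

Step 5 is the check the console walk-through leaves to the eye: if the passive node did not receive the files, the status stays Failed and Update-StorageGroupCopy (a reseed) is needed before the copy is healthy again.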

Strange issue, easy solution

Today I had a nice issue. After implementing 2 new domain controllers and deconfiguring the 2 old ones there were some strange issues with the Exchange Management Console. For example, setting mail quotas was not possible; this caused the following error:

The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

First I checked whether the Exchange server wasn't still looking at one of the old domain controllers. After fixing this the issue still wasn't resolved.

So I started searching the internet and found an issue which looked pretty much the same as mine. It was solved by restarting the Exchange System Attendant; after I did this, my issue was solved as well.

When you have worked with Exchange 2007 and Outlook Web Access before, you may have noticed a lot of differences between Outlook Web Access 2007 and 2003. Nice features have been added to the new version of OWA: you can access a file server or SharePoint server, and you can restrict which files can be opened via OWA and how they are opened.

Users can only use these functions if their mailbox is hosted on an Exchange 2007 mailbox server. Users who still have their mailbox on an Exchange 2003 server get the old version of OWA.

The OWA functionality is delivered by the Client Access Server (CAS); in an Exchange 2003 environment this was provided by the Front-End server. When we zoom in on the Exchange Management Console and have a close look at the server configuration of the CAS server, we discover that it hosts multiple virtual directories:

The three that are important for Outlook Web Access are:

  • owa, this is the 2007 version of OWA
  • exchange, this is the 2003 version of OWA
  • exchweb, this site contains most functionalities of OWA

Now you may ask yourself, what are those other directories used for:

  • exadmin, this directory is used when you manage Public Folders from the Management Console
  • public, this directory is used when opening a Public Folder via OWA

We will restrict this tutorial to OWA 2007 only, so we open the properties of the virtual directory named owa.

The first tab is General:

You cannot change much on this tab, but it contains some information you may find interesting:

  • which server hosts this OWA virtual directory
  • under which website it is placed
  • which Exchange version this OWA virtual directory serves
  • when it was last modified

There are two fields which you can fill in:

  • internal URL, the URL users on the internal network use to access OWA
  • external URL, the URL users on the internet use to access OWA

Pay attention to these URLs when you buy certificates: the certificate must be issued for exactly the host names used in these URLs, otherwise browsers show a name mismatch warning.

The next tab is Authentication; here we set up how the user has to log on to OWA. The default setting is Use forms-based authentication. Below this option you can choose between three formats for the user name:

  • Domain\user name, the user logs on as test.local\johan
  • User principal name (UPN), the user logs on as johan@test.local
  • User name only, the user enters only his user name; in this case the field Logon domain contains the domain the user logs on to.

The next tab is Segmentation; here we control which features end users get when they use OWA. You can for example disable the ActiveSync integration or prevent password changes from OWA.

 

On the tab Public Computer File Access you decide how OWA reacts when a user tries to open an attachment while logged on to OWA from a public computer:

  • OWA converts the file with WebReady Document Viewing
  • OWA prevents the file from being opened or downloaded
  • OWA allows the file to be opened or downloaded

 

As you can see, a lot has changed compared to OWA 2003. The first option, Enable direct file access, lets you configure which files the end user may open without using WebReady Document Viewing. When you click the Customize button you can change which files are allowed or blocked:

  • allow, files with these extensions/MIME types may be opened
  • block, files with these extensions/MIME types may not be opened
  • force save, files with these extensions/MIME types must be saved to disk before they can be opened
  • unknown files, what OWA should do with files that are in none of the three lists

There are a lot of possibilities and you can fine-tune which files are allowed or blocked. The default settings are quite good; if you do not want mp3 files opened via OWA, remove the extension from the Allow list. The option Unknown files is used when an extension/MIME type is not defined in the other three lists. The default for unknown files is Force Save, which tells OWA to make the user save the file to disk before opening it.

Another new feature in OWA is WebReady Document Viewing. This function converts a file to a web page with built-in converters. By default a file is not forced through the converter, because the option Force WebReady Document Viewing when a converter is available is disabled. OWA contains converters for the following file types:

  • Excel files
  • Word files
  • Powerpoint files
  • PDF files

I think these are the most used file types which you want to open with this new function. You do not need to have the application installed on your PC or laptop.

The last two options on this tab make it possible to open files on remote file servers. With remote file servers you are able to open files on:

  • Windows File Shares
  • Windows SharePoint Services

The remote file servers need to be defined on another tab, called Remote File Servers; this comes later in this tutorial.

The next tab is Private Computer File Access. On this tab you configure the same things as on Public Computer File Access, but for trusted computers/laptops. By default a few settings differ from the public tab; for example, access to Windows File Shares and Windows SharePoint Services is enabled here. Remember that the public/private distinction is based solely on the option the user ticks on the logon page, so do not grant private computers anything you would not want an unmanaged machine to have.

On the last tab, Remote File Servers, you set up which servers are accessible via OWA. You do this by adding a server to one of the two lists. It would be a lot of work to add every file server you want to block and allow only one; for this case you use the option Unknown servers: the action defined there is applied to every server that is not on the Allow or Block list. The default action is Block.

 

As you can see there is one button left that we have not talked about: the Configure button at the bottom of the tab. With this button we specify which domain suffixes are to be treated as internal. When a server is requested from a domain that is not listed, OWA will not regard it as an internal server and blocks access to it.
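The settings from the tabs above, applied from the Exchange Management Shell on the Client Access server. This is an added example, not code from the original post; the server name CAS01, the URLs and the allowed server names are assumptions. Note that Set-OwaVirtualDirectory replaces list properties such as AllowedFileTypes rather than merging them, so each change starts from the current value.

```powershell
# Added example (not from the original post): OWA virtual directory settings
# from the shell. $owa, the URLs and the server names are assumptions.
$owa = "CAS01\owa (Default Web Site)"

# General tab: the host names clients use; the certificate must cover both.
Set-OwaVirtualDirectory -Identity $owa `
    -InternalUrl "https://owa.test.local/owa" -ExternalUrl "https://owa.test.nl/owa"

# Authentication tab: forms-based logon only, user name entered as UPN.
Set-OwaVirtualDirectory -Identity $owa `
    -FormsAuthentication $true -BasicAuthentication $false -WindowsAuthentication $false `
    -LogonFormat PrincipalName

# Public Computer File Access tab: keep direct file access but take .mp3 off
# the allow list, add .jar to the block list and force-save anything unknown.
$current = Get-OwaVirtualDirectory -Identity $owa
$allowed = @($current.AllowedFileTypes | Where-Object { $_ -ne ".mp3" })
$blocked = @($current.BlockedFileTypes)
if ($blocked -notcontains ".jar") { $blocked += ".jar" }
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $true `
    -AllowedFileTypes $allowed -BlockedFileTypes $blocked `
    -ActionForUnknownFileAndMIMETypes ForceSave `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true

# Remote File Servers tab: no UNC/SharePoint access from public computers,
# only named servers from private computers, every other server blocked.
Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled $false -WSSAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPrivateComputersEnabled $true -WSSAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsAllowedServers "files.test.local", "sharepoint.test.local" `
    -RemoteDocumentsInternalDomainSuffixList "test.local"

# Check the result in one view.
Get-OwaVirtualDirectory -Identity $owa | Format-List InternalUrl, ExternalUrl, LogonFormat, `
    FormsAuthentication, ActionForUnknownFileAndMIMETypes, *OnPublicComputers*, RemoteDocuments*
```

Reading the current value before writing a list back is what keeps an earlier change (say, an extension someone else blocked) from silently disappearing.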

We have now covered all the tabs of OWA. The remaining items, such as certificates, are handled via PowerShell and the IIS Manager MMC.

When OWA is published on the internet it may be necessary to use a third-party certificate for OWA; you can buy one from, for example, VeriSign. OWA 2007 uses HTTPS and forms-based authentication by default. Out of the box a self-signed certificate is used, which results in warnings from web browsers.

To prevent this warning on a client you have to add a copy of the self-signed certificate to the Trusted Root Certification Authorities store. You can get a copy of this certificate in two ways:

  • via the website itself, and then import it into the right store
  • by exporting it via PowerShell and importing it into the right store

First via the website itself:

  • go to the website
  • click on Continue when the warning is displayed
  • click on the Certificate Error button in the address bar
  • click on View certificates
  • click on Install Certificate
  • choose the option Place all certificates in the following store
  • select Trusted Root Certification Authorities via Browse
  • click on Next and Finish
  • a warning is displayed that you are about to install a root certificate; accept it
  • a message is displayed that the import was successful

All the steps above are done on a client. The steps below are executed on the CAS server:

  • execute the following command: Get-ExchangeCertificate -DomainName mail.test.local
  • an overview is displayed of all certificates that can be used for mail.test.local
  • then we export the certificate: Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password
  • when this command is executed it prompts for a user name and password; only the password is used, to protect the exported file
  • the last step is importing the certificate into Trusted Root Certification Authorities on the client, optionally via a Group Policy. Note that the .pfx exported this way contains the private key: distribute only the public certificate (.cer) to clients and keep the .pfx on the server.

Both methods stop the browser from showing the warning. When a third-party certificate is installed the steps above are not needed; the only thing you have to arrange is that the clients trust the root certificate of that third party.

When you choose to get a certificate from a third party we first need to create a CSR (certificate signing request) and, after receiving the certificate file from the third party, install it:

  • start the Exchange Management Shell
  • run the following command: New-ExchangeCertificate -DomainName owa.test.local -Force -FriendlyName OWA -GenerateRequest:$True -Keysize 2048 -Path c:\owa.req -PrivateKeyExportable:$true -SubjectName "C=NL, O=Test, L=Utrecht, S=Utrecht, CN=owa.test.local"
  • this command generates the CSR that you send to the third party
  • when we receive the certificate from the third party we need to install it
  • importing is done with the following command: Import-ExchangeCertificate -Path c:\certificaat.crt | Enable-ExchangeCertificate -Services "IIS"
  • with the parameter -Services we tell Exchange that this certificate is only used for IIS in this case. Other options are SMTP, POP, IMAP and UM.
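The request, import and enable steps above, followed by the checks you want before telling users the new certificate is live. This is an added example and not code from the original post; the host names, file paths and the export location are assumptions.

```powershell
# Added example (not from the original post): request, install and verify the
# OWA certificate from the Exchange Management Shell on the CAS server.
# $fqdn, the second host name and the paths are assumptions.
$fqdn = "owa.test.local"

# 1. CSR: -DomainName becomes the Subject Alternative Names, so list every
#    name clients use (the hosts of the internal and external URL).
New-ExchangeCertificate -GenerateRequest:$true -Keysize 2048 -PrivateKeyExportable:$true `
    -FriendlyName "OWA" -DomainName $fqdn, "owa.test.nl" `
    -SubjectName "C=NL, O=Test, L=Utrecht, S=Utrecht, CN=$fqdn" -Path c:\owa.req

# 2. Install the signed certificate and bind it to IIS only; do not enable it
#    for SMTP/POP/IMAP unless those services are meant to present this key.
$cert = Import-ExchangeCertificate -Path c:\certificaat.crt
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Verify: exactly one certificate bound to IIS must cover the OWA host name
#    and must not be close to expiry.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" -and $_.CertificateDomains -contains $fqdn } |
    Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate covering $fqdn is enabled for IIS" }
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate for $fqdn expires on $($iisCert.NotAfter)"
}
$iisCert | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 4. For a self-signed certificate, hand clients only the public part (.cer).
#    The .pfx produced by Export-ExchangeCertificate carries the private key
#    and must stay on the server.
[System.IO.File]::WriteAllBytes("c:\certificates\owa.cer", $iisCert.Export("Cert"))
```

The .cer written in step 4 is what goes into Trusted Root Certification Authorities on the clients (by hand or via Group Policy); anyone holding the .pfx could impersonate the OWA server, which is why it never leaves the CAS.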

If everything is configured we can check if OWA is working OK, this can be done in two ways:

I have been using OWA 2007 for a few months now and I must say it works really well. I hope you have learned something from this tutorial.

When you use the UM (Unified Messaging) functionality of Exchange 2007, only the English language pack is installed by default.

But there are many more UM language packs for example Dutch.

In this tutorial I will describe how you can add and configure the Dutch language pack.

The first thing to do is download the language pack; a complete overview can be found on the following site.

When the language pack is downloaded we can install it. This is done by executing the following command:

setup.com /AddUmLanguagePack:nl-NL /sourcedir:d:\Downloads\UmLanguagePacks

  • setup.com can be found in the Exchange install directory; when you have installed SP1 you must use the setup.com of SP1.
  • the next parameter, /AddUmLanguagePack:nl-NL, tells setup that we want to install the Dutch language pack. To install German, for example, use de-DE. How do you find this code? The file name of the download has the syntax umlang-en-AU; the last part of the file name is the value you need for this parameter.
  • the last parameter, /sourcedir, gives the directory where the MSI is located, in this case d:\Downloads\UmLanguagePacks.

When the command is executed you will get the following result:

 

It can take a few minutes before the language pack is installed. When the installation is completed you can start the Exchange Management Console.

Open Organization Configuration -> Unified Messaging

The first thing to modify is the dial plan; with this setting we change the default language for Subscriber Access. Users can change their own language via OWA if they want another one.

Select the UM Dial Plans tab and open the properties of the dial plan. A new window opens with a few tabs; choose the tab Settings.

As you can see in the screenshot above the default language is English (United States) . When you click on the arrow you will get a complete overview of all installed languages.

When you do not have this option, check whether the dial plan is assigned to the Exchange UM server. You can check this in the Associated UM Servers column. When this is not configured correctly you cannot see the installed languages.

Select Dutch (Netherlands) from the list to set Dutch as the default language for the Subscriber Access and click OK.

Subscriber Access is now modified; when you use auto attendants you need to modify them as well, via the following steps.

Click on the tab UM Auto Attendants and open the properties of the auto attendant you want to modify.

 

A new window opens; click on the tab Features and select the language you want to use.

Earlier we mentioned that users can change their default language. This is done via OWA.

Let the user log on to OWA and select Options in the left menu. Next select Regional Settings and let the user choose his default language. The list displayed to the user is longer than the list of installed language packs, so a user can select a language that is not installed, in which case he will not hear the language he expects.
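The whole procedure from the Exchange Management Shell, including the checks the console walk-through does by eye and a list of users whose chosen language has no installed pack. This is an added example, not code from the original post; the server name UM01, the dial plan and auto attendant names and the download folder are assumptions, and $exbin is the Exchange Management Shell variable for the Bin folder.

```powershell
# Added example (not from the original post): install a UM language pack and
# switch the dial plan and auto attendant to it, with a check at each step.
# $umServer, $dialPlan, $autoAtt and $source are assumptions. Use the
# setup.com of the service pack you have installed.
$umServer = "UM01"
$language = "nl-NL"
$source   = "d:\Downloads\UmLanguagePacks"
$dialPlan = "Test Dial Plan"
$autoAtt  = "Main Auto Attendant"

# 1. Install the language pack; setup.com returns a non-zero exit code on failure.
& "$exbin\setup.com" "/AddUmLanguagePack:$language" "/sourcedir:$source"
if ($LASTEXITCODE -ne 0) { throw "setup.com failed with exit code $LASTEXITCODE" }

# 2. Confirm the server now lists the language.
$server = Get-UMServer -Identity $umServer
if (($server.Languages | Out-String) -notmatch [regex]::Escape($language)) {
    throw "$language is not installed on $umServer"
}

# 3. The dial plan must be associated with the UM server, or the language
#    does not appear on its Settings tab.
if (($server.DialPlans | Out-String) -notmatch [regex]::Escape($dialPlan)) {
    throw "Dial plan '$dialPlan' is not associated with $umServer"
}

# 4. Default language for Subscriber Access, then the auto attendant.
Set-UMDialPlan -Identity $dialPlan -DefaultLanguage $language
Set-UMAutoAttendant -Identity $autoAtt -Language $language
Get-UMDialPlan -Identity $dialPlan | Format-List Name, DefaultLanguage
Get-UMAutoAttendant -Identity $autoAtt | Format-List Name, Language

# 5. Users pick their own language in OWA; list UM-enabled mailboxes whose
#    first chosen language has no installed pack, since they will not hear it.
$installed = @($server.Languages | ForEach-Object { "$_" })
Get-Mailbox -ResultSize Unlimited | Where-Object {
    $_.UMEnabled -and $_.Languages.Count -gt 0 -and ($installed -notcontains "$($_.Languages[0])")
} | Format-Table Name, Languages
```

Step 5 turns the remark about the OWA list being longer than the installed packs into something you can act on: either install the missing pack or tell the user which languages actually work.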

In previous versions of Exchange you needed a few tricks to create a resource mailbox. In Exchange 2007 it is a standard option, both in the GUI and in the shell.

First we add a mailbox via the Exchange Management Console. This goes almost the same as creating a user: select one other option and you have a resource mailbox.

In the first screen we choose a Room or Equipment mailbox; in this example we choose a Room mailbox and click Next to continue.

In the next screen you have the ability to create a new user or assign the box to an existing user. We will create a new user.

The next step is providing the user details; in this case we create a user called boardroom. The password is a pure formality and you will not need it in most cases, especially when you create a mailbox that auto-accepts meeting requests; the Active Directory account behind a resource mailbox is created disabled.

Click on next when ready

In the Mailbox Settings screen we decide on which mailbox server, storage group and mailbox database the mailbox is created. The two policy options are mostly not used when creating a resource mailbox.

A few times clicking on next and the resource mailbox is created.

All the previous steps can be done faster with PowerShell, and PowerShell actually offers more options than the GUI. For a room mailbox you add the -Room switch to New-Mailbox; for an equipment mailbox you use -Equipment. Custom resource properties (the "accessories", such as a projector) are defined and assigned afterwards.

New-Mailbox -UserPrincipalName boardroom2@test.local -Database "First Storage Group\Mailbox Database" -Name "Boardroom 2" -OrganizationalUnit Users -DisplayName "Boardroom 2" -ResetPasswordOnNextLogon $false -Room

The command above creates a room mailbox named Boardroom 2.

Let's add some custom resource properties to it. For this we need to do two things:

  • define the property
  • assign the property to the resource mailbox

Defining new resource properties can only be done via PowerShell:

Set-ResourceConfig -DomainController fqdn.dc  -ResourcePropertySchema Room/Networkprojector

In the example above we added a network projector (beamer) to the list of resource properties. You can also add several at once:

Set-ResourceConfig -DomainController fqdn.dc -ResourcePropertySchema ("Room/16Seats","Equipment/Projector","Room/8Seats","Equipment/Whiteboard")

The next step is assigning the properties to the resource mailbox. This can be done in the Exchange Management Console: open the properties of the resource mailbox and click on the tab Resource Information.

In the screen that opens, click Add to add properties to the object:

A new window opens where we select the projector we just defined and assign it to the resource mailbox.

It would be easier if the boardroom could auto-accept meeting requests and check the availability of the room itself. In Exchange 2003 this was possible with a few clicks; in Exchange 2007 it is easily done via PowerShell:

Set-MailboxCalendarSettings boardroom -AutomateProcessing:AutoAccept

If you would rather not use the auto-accept functionality, you assign delegates to the resource mailbox who accept or decline the requests:

Set-MailboxCalendarSettings -Identity "boardroom" -ResourceDelegates "Pietje Puk"

In the example above we assign Pietje Puk as a delegate of the boardroom.
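The complete room-mailbox setup from the shell, including the one thing the commands above do not show: Set-ResourceConfig replaces the whole ResourcePropertySchema list, so a second call with a new property wipes the earlier ones unless you append to the current value. This is an added example and not code from the original post; the names, database and domain controller are assumptions.

```powershell
# Added example (not from the original post): create a room mailbox, extend
# the resource property schema without overwriting it, tag the room, switch
# on AutoAccept and verify. $dc, $room and the database are assumptions.
# Every command targets the same DC so each change is visible to the next.
$dc   = "dc01.test.local"
$room = "boardroom2"
$pw   = Read-Host "Initial password (the account is created disabled)" -AsSecureString

New-Mailbox -Room -Name "Boardroom 2" -Alias $room -UserPrincipalName "$room@test.local" `
    -OrganizationalUnit Users -Database "First Storage Group\Mailbox Database" `
    -Password $pw -ResetPasswordOnNextLogon $false -DomainController $dc

# ResourcePropertySchema is one multivalued list; assigning it replaces the
# whole list, so append to the current value instead of overwriting it.
$schema = @((Get-ResourceConfig -DomainController $dc).ResourcePropertySchema)
foreach ($prop in "Room/NetworkProjector", "Room/16Seats", "Equipment/Whiteboard") {
    if ($schema -notcontains $prop) { $schema += $prop }
}
Set-ResourceConfig -ResourcePropertySchema $schema -DomainController $dc

# Tag the room; only properties defined for its type (Room/...) may be used.
Set-Mailbox -Identity $room -ResourceCustom "NetworkProjector", "16Seats" -DomainController $dc

# AutoAccept: requests are accepted or declined on free/busy without a person
# reading the mailbox. Use -ResourceDelegates instead when someone must approve.
Set-MailboxCalendarSettings -Identity $room -AutomateProcessing AutoAccept -DomainController $dc

# Verify: type, tags, processing mode, and that the AD account is disabled.
Get-Mailbox -Identity $room -DomainController $dc | Format-List RecipientTypeDetails, ResourceType, ResourceCustom
Get-MailboxCalendarSettings -Identity $room -DomainController $dc | Format-List AutomateProcessing, ResourceDelegates
Get-User -Identity $room -DomainController $dc | Format-List UserAccountControl
```

The last line is the least-privilege check: a room that auto-accepts never needs an interactive logon, so its account should show AccountDisabled in UserAccountControl.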

Probably everyone has to deal with spam today; sometimes you receive more spam than normal mail. There are a few anti-spam solutions which try to keep spam out of the users' inbox, for example Fortimail from Fortinet or IMSS from Trend Micro.

Exchange 2007 includes a few anti-spam agents. These agents are active by default on the Edge Transport server, but they can also be enabled on the Hub Transport server by executing the following script in the Exchange Management Shell:

./install-AntispamAgents.ps1

The script must be run from the Scripts directory, which you find in the Exchange install directory.

When the command is executed you need to restart the Transport Services, this can be done by executing the following command:

Restart-Service MSExchangeTransport

After restarting the transport service, open the Exchange Management Console, click on Organization Configuration and then Hub Transport. You will see an extra tab named Anti-spam; click on it.

You will see the anti-spam agents that are installed:

  • content filtering
  • IP Allow list
  • IP Allow list providers
  • IP Block list
  • IP Block list providers
  • Recipient filtering
  • Sender filtering
  • Sender ID
  • Sender reputation

Below the agents are described one by one:

Content Filtering

With this agent you can filter on keywords. For example you can filter on the phrase Make Money Fast, as shown below. But when your company sells hovercrafts you do not want mail containing that word to end up in the junk mail folder. Such a word is added at the top of the screen, in the section Messages with these words or phrases will not be blocked.

Besides that, there is a possibility to exclude recipient addresses from filtering, on the tab Exceptions.

The final step is deciding which action to take: delete, reject or quarantine. For each action you define from which level it is executed. Which action is taken depends on the SCL (Spam Confidence Level) assigned by the content filter (the successor of the IMF, Intelligent Message Filter), in combination with the words we set up earlier. When you start experimenting with the filter, for example by lowering the SCL values, first choose quarantine as the action before moving to delete/reject. This saves you a lot of angry end users whose normal mail no longer arrives.

PowerShell commands:

Set-ContentFilterConfig -SclQuarantineEnabled:$true -SclRejectEnabled:$true -SclDeleteEnabled:$true -SclQuarantineThreshold 5 -SclRejectThreshold 6 -SclDeleteThreshold 8 -QuarantineMailbox spamQ@contoso.com -RejectionResponse "Message rejected due to content restrictions" -AuthenticatedMessageBypassEnabled:$true -PuzzleValidationEnabled:$true -BypassedRecipients user1@contoso.com,user2@contoso.com

The content filter is activated with the following options:

  • Quarantine is enabled for all mail with an SCL of 5 or higher; the quarantine mailbox is spamQ@contoso.com
  • Reject is enabled for all mail with an SCL of 6 or higher; these mails are bounced and the sender gets a message back containing the text "Message rejected due to content restrictions"
  • Delete is enabled for all mail with an SCL of 8 or higher; these mails are deleted silently
  • Mail sent to user1@contoso.com or user2@contoso.com is not filtered
  • Authenticated Message Bypass is turned on (mail from authenticated senders is not filtered)
  • Puzzle Validation (Outlook E-mail Postmark validation) is turned on

Get-ContentFilterConfig returns the current settings of the Content Filter agent

Add-ContentFilterPhrase -Phrase "This is an e-mail that you don't want to receive" -Influence BadWord

This command adds "This is an e-mail that you don't want to receive" to the list of forbidden words or sentences.

Get-ContentFilterPhrase returns the phrases currently configured for the Content Filter agent

Remove-ContentFilterPhrase -Identity "This is an e-mail that you don't want to receive"

This command deletes "This is an e-mail that you don't want to receive" from the list of forbidden words or sentences.

IP Allow List

As the name tells you, this agent lets you create IP address whitelists. It can be used for business relations that are on a blacklist but from whom you still want to receive mail. By clicking Add you can add an IP address or IP range.

PowerShell commands:

Set-IPAllowListConfig -InternalMailEnabled:$true -DomainController ad-server.test.nl

With this command you enable the agent for internal (authenticated) connections as well and set the DC on which the IP Allow List configuration is saved.

Get-IPAllowListConfig returns the current settings of the IP Allow List agent

Add-IPAllowListEntry -IPRange 192.168.0.0/24

Adds the IP range 192.168.0.0/24 to the IP Allow List

Get-IPAllowListEntry returns the current IP Allow List entries

Remove-IPAllowListEntry -Identity <Integer> removes the IP address/IP range from the IP Allow List, where the integer is the id of the specific entry.

IP Allow List Providers

Besides RBL providers there are whitelist providers: organizations that publish lists of safe IP addresses. On the following site you will find an overview of whitelist providers: SpamLinks.

PowerShell commands:

Add-IPAllowListProvider -Name Example -LookupDomain example.com

The command above adds an Allow List Provider with the name Example and lookup domain example.com

Get-IPAllowListProvider returns the current settings of the IP Allow List Providers

Set-IPAllowListProvider -Identity Example -AnyMatch:$true

This command tells Exchange to treat any response code returned by the Allow List Provider example.com as a match; otherwise you specify the exact result codes with -IPAddressesMatch or a bitmask with -BitmaskMatch.

Remove-IPAllowListProvider -Identity Example

Removes the provider example.com from the Allow List Providers.

Test-IPAllowListProvider -IPAddress 192.168.0.1 -Provider ExampleProviderName

With this command you do a lookup of the IP address 192.168.0.1 at the whitelist provider ExampleProviderName

IP Block List

This agent contains IP addresses that are blocked by Exchange. It can happen that you do not want to accept mail from specific IP addresses or IP ranges because you receive a lot of viruses or spam from them. In most cases it is easier to use an RBL provider than to maintain a list with manual entries.

PowerShell commands:

Set-IPBlockListConfig -InternalMailEnabled:$true -DomainController ad-server.test.nl

With this command you enable the agent for internal (authenticated) connections as well and set the DC on which the configuration is saved.

Get-IPBlockListConfig returns the current settings of the IP Block List agent.

Add-IPBlockListEntry -IPRange 192.168.0.0/24

Adds the IP range 192.168.0.0/24 to the IP Block List

Get-IPBlockListEntry returns the current IP Block List entries

Remove-IPBlockListEntry -Identity <Integer> deletes the IP address/IP range from the IP Block List, where the integer is the id of the entry.

IP Block List providers

In this agent we add RBL providers: organizations that publish lists of IP addresses that send a lot of spam or of servers that are configured as open relay. On this page you can find an overview of them.

Within this agent there is an extra tab, Exceptions, where you can list recipient addresses for which this agent is bypassed.

PowerShell commands:

Add-IPBlockListProvider -Name Example -LookupDomain example.com -RejectionResponse "Originating IP address matched to Example.com's IP Block List provider service"

This command adds a Block List Provider with the name Example and lookup domain example.com. When an IP is found on the list, the sender receives the following message: "Originating IP address matched to Example.com's IP Block List provider service"

Get-IPBlockListProvider returns the current settings of the IP Block List Providers

Set-IPBlockListProvider -Identity Example -AnyMatch:$true

This command tells Exchange to treat any response code returned by the Block List Provider example.com as a match, regardless of which code it is.

Remove-IPBlockListProvider -Identity Example

Deletes the Block List Provider example.com.

Test-IPBlockListProvider -IPAddress 192.168.0.1 -Provider ExampleProviderName

This command does a lookup of the IP address 192.168.0.1 at the provider ExampleProviderName

Recipient Filtering

With recipient filtering you can reject messages addressed to non-existent recipients on the Hub Transport server, before they reach a mailbox server. This prevents mail to non-existent recipients such as administratornn@domain.com from taking up resources.

This agent can validate recipients against Active Directory (the source of the GAL), which is updated automatically when a user is added to Exchange. Besides that you can manually add addresses you want to block; when you use recipient validation this is usually not necessary.

PowerShell commands:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Enables recipient validation against Active Directory.

Set-RecipientFilterConfig -BlockListEnabled:$true -BlockedRecipients klaas@domein.com,pietje@domein.com

Rejects mail addressed to klaas@domein.com or pietje@domein.com.

Get-RecipientFilterConfig returns the current settings of the Recipient Filtering agent

Sender Filtering

You may wish to block e-mail from specific senders because you receive a lot of spam from those addresses. For this you use the Sender Filtering agent: here you specify addresses from which you do not want to receive mail. Besides that you can enable the option to block e-mail without a sender address. Depending on the action set on the Action tab, mail is rejected or stamped and treated as spam.

PowerShell commands:

Set-SenderFilterConfig -BlankSenderBlockingEnabled:$true -BlockedDomainsAndSubdomains example.com -BlockedSenders klaas@domein.com,pietje@domein.com

When mail is sent from the domain example.com or one of its subdomains it is blocked. Mail sent from klaas@domein.com or pietje@domein.com is blocked as well.

Get-SenderFilterConfig returns the current settings of the Sender Filtering agent

Sender ID

With Sender ID you can prevent spoofed mail from being delivered. When a mail arrives at the Hub Transport server, the purported responsible domain is determined from the SMTP headers and a DNS query is done for that domain. The agent looks for an SPF record; this record lists the IP addresses the domain uses to send mail.

When the IP address that delivered the mail is not listed in the SPF record of that domain, the mail is rejected, deleted or stamped as spoofed (which raises its SCL). For this to work the agent must see the real sending IP address; when mail is relayed through an internal gateway, register that gateway with Set-TransportConfig -InternalSMTPServers, otherwise every message appears to come from the gateway.

PowerShell commands:

Set-SenderIdConfig -SpoofedDomainAction Delete -BypassedRecipients klaas@domein.com,pietje@domein.com

When mail is sent from a spoofed address it is deleted, except when it is sent to klaas@domein.com or pietje@domein.com

Get-SenderIdConfig returns the current settings of the Sender ID agent

Test-SenderId -IPAddress 213.144.234.221 -PurportedResponsibleDomain example.com

This command lets you manually check whether the IP address may send mail for a specific domain.

Sender Reputation

This agent checks the reputation of the sender. The sender reputation is determined by the following parameters:

  • HELO/EHLO analysis
  • reverse DNS lookup
  • analysis by the content filter to determine the SCL
  • open proxy test

On the tab Action you specify when the agent blocks a sender and for how long. Senders blocked by this agent are blocked for 24 hours by default.

PowerShell commands:

Set-SenderReputationConfig -SrlBlockThreshold 8 -SenderBlockingEnabled:$true -SenderBlockingPeriod 24

This command blocks senders whose SRL (Sender Reputation Level) is 8 or higher; the open proxy test is one of the inputs for the SRL. The sender is blocked for 24 hours.

Get-SenderReputationConfig returns the current settings of the Sender Reputation agent
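The agents above combined into one staged configuration for a Hub Transport server, with the checks you run afterwards. This is an added example and not code from the original post; the gateway address, quarantine mailbox, provider name and test IP are assumptions, and $exscripts is the Exchange Management Shell variable for the Scripts folder.

```powershell
# Added example (not from the original post): enable the anti-spam agents on a
# Hub Transport server and apply a configuration that quarantines before it
# rejects or deletes. The gateway IP, mailbox names, provider and test IP are
# assumptions.
& "$exscripts\install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport

# 1. When mail enters through an upstream gateway (for example the appliances
#    named at the top of this post), the agents must know its address;
#    otherwise Sender ID and the IP block lists judge the gateway instead of
#    the real sending host.
Set-TransportConfig -InternalSMTPServers 192.168.10.5

# 2. Content filter: quarantine from SCL 5, reject from 7, delete from 9.
#    Watch the quarantine mailbox for false positives before lowering these.
Set-ContentFilterConfig -Enabled $true `
    -SclQuarantineEnabled $true -SclQuarantineThreshold 5 `
    -SclRejectEnabled $true -SclRejectThreshold 7 `
    -SclDeleteEnabled $true -SclDeleteThreshold 9 `
    -QuarantineMailbox spamQ@test.local -BypassedRecipients postmaster@test.local

# 3. Sender ID stamps rather than deletes until partner SPF records are known
#    to be correct; sender reputation blocks for 24 hours from SRL 7;
#    recipient validation drops mail to addresses that do not exist.
Set-SenderIdConfig -SpoofedDomainAction StampStatus -TempErrorAction StampStatus
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 4. Checks: agent order and state, what the agents did in the last hour,
#    and a manual Sender ID / block list lookup for one address.
Get-TransportAgent | Format-Table Identity, Enabled, Priority
Get-AgentLog -StartDate (Get-Date).AddHours(-1) | Group-Object Agent, Action | Format-Table Count, Name
Test-SenderId -IPAddress 192.0.2.10 -PurportedResponsibleDomain example.com
Test-IPBlockListProvider -IPAddress 192.0.2.10 -Provider Example
```

Get-AgentLog is the quickest way to see whether a tightened threshold is doing what you expect: a sudden rise in RejectMessage or DeleteMessage actions for the Content Filter Agent is the signal to look in the quarantine mailbox before users start calling.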

This is a very long tutorial but I think we covered all the points. If you would like more commands: all PowerShell commands are linked to pages on TechNet which contain more info.

A new feature in Exchange 2007 is Transport Rules. These rules can be added in two ways: via the Exchange Management Console or via the Exchange Management Shell.

Transport rules are created on the Hub Transport server and are processed as follows:

When you create the rules via the Exchange Management Shell you will see that you pass through the same steps.

Besides the conditions, actions and exceptions you can assign a priority to each transport rule. Priorities start at 0, which is the highest priority. When a mail matches multiple rules, all of them are applied; the priority decides the order in which they are applied. Once a rule is created you can adjust it easily.

First we are going to create a Transport Rule via the Exchange Management Console. Start the Exchange Management Console, click on Organization Configuration, then Hub Transport, and select the Transport Rules tab.

Now click somewhere in the white space in the center of the screen and choose the option New Transport Rule; you can also do this from the menu on the right side of the screen. You will get the following screen:

Fill in the fields that are displayed: Name is the name you want to give the Transport Rule, Description is a short description of the rule. The checkbox Enable Rule is checked by default; if you don't want to use the rule immediately, uncheck it. Click Next.

First we select the Conditions; these are the properties a message must have. This can be, for example: all mail to external users.

The next step will be the Rules that are applied to the mail. In this case we will add a disclaimer to the e-mail.

You can see in the flowchart that we only need to define the Exceptions. In this case we don't want to add exceptions, so click Next.

Before the rule is created you will get a small summary of the parameters we defined. Click on New to create the Transport Rule.

When you get the same screen as above, the rule was created successfully and a disclaimer is added to all messages sent to external users.

Now that we have created a Transport Rule via the Exchange Management Console, it's time to create one via PowerShell.

We will create a rule which blocks e-mails with the word Finance in the body or subject, except when the mail is sent from Klaas Vaak.

Normally you can give the PowerShell command directly, but with a Transport Rule this is not the case. First we define the values for the conditions, rules and exceptions, and then use them in the PowerShell command.

Below is the script that creates the Transport Rule:

# Condition: the word "Finance" in the subject or the body
$Condition = Get-TransportRulePredicate SubjectOrBodyContains
$Condition.Words = @("Finance")

# Exception: mail sent from the mailbox of Klaas Vaak
$Exception = Get-TransportRulePredicate From
$Exception.Addresses = @((Get-Mailbox "Klaas.Vaak"))

# Action: reject the message and return this text to the sender
$Action = Get-TransportRuleAction RejectMessage
$Action.RejectReason = "E-mail messages sent from departments except the Finance department are prohibited."

# Create the rule; the three parameters take arrays, hence the @( ) around each object
New-TransportRule -Name "Block e-mail messages with the word Finance" -Conditions @($Condition) -Exceptions @($Exception) -Actions @($Action)

As with the wizard, the script is split into logical steps.

With $Condition we define the conditions a mail should meet. You do this with the command Get-TransportRulePredicate followed by the name of the predicate, in this case SubjectOrBodyContains.

The next step is to assign a value to the condition; we do this with the property $Condition.Words. The value is given after the = sign.

The next step is to define the exception; this is done with the variables $Exception and $Exception.Addresses. With this we tell Exchange to use the command Get-TransportRulePredicate From to get the value of the From field and assign the value to $Exception.Addresses.

The last thing we define is the action that must be executed when a mail matches all requirements. This is done with $Action and $Action.RejectReason; in this case we send a message back to the sender with the following text: E-mail messages sent from departments except the Finance department are prohibited.

Now that we have defined all parameters we can use New-TransportRule to create the rule. The only extra parameter we need is Name, which defines the name of the rule. If we don't want the rule to be active after creation, we add the parameter Enabled $false. A new rule is assigned the lowest priority; you can change this by giving the Priority parameter a numeric value.

I saved the script myself and executed it, the screen below shows the result:

The links below will direct you to the pages on TechNet about the two commands:

New-TransportRule

Get-TransportRulePredicate
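The Enabled and Priority parameters mentioned above, in an added example that is mine and not part of the post. It builds the same kind of predicate and action objects as the script, creates the rule switched off, moves it to the front of the list and only then enables it; the rule name and reject text are constructed samples, and the State column is the property name I assume Get-TransportRule shows for the enabled/disabled flag.

```powershell
# Added example, not from the original post: a staged rollout of a transport
# rule using the Enabled and Priority parameters. Rule name and reject text are
# constructed samples.

# Same predicate/action objects as in the post's script.
$Condition = Get-TransportRulePredicate SubjectOrBodyContains
$Condition.Words = @("Finance")
$Action = Get-TransportRuleAction RejectMessage
$Action.RejectReason = "Messages mentioning Finance are not accepted from this sender."

# Create the rule disabled, so it can be reviewed before it touches mail flow.
$rule = New-TransportRule -Name "Block Finance (staged)" -Conditions @($Condition) -Actions @($Action) -Enabled $false

# A new rule gets the lowest priority (the highest number); move it to the front.
Set-TransportRule -Identity $rule.Identity -Priority 0

# Show the resulting order: priority 0 is evaluated first. (State: assumed property name.)
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize

# Dry run (-WhatIf only reports what would happen), then switch the rule on.
Enable-TransportRule -Identity $rule.Identity -WhatIf
Enable-TransportRule -Identity $rule.Identity
```

Creating the rule disabled and enabling it as a separate step means a typo in the condition cannot reject live mail, and the Get-TransportRule listing confirms the new rule really sits at priority 0 before it is active.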

This tutorial will explain how you can activate the UM options for a user.

There are two ways to activate the UM options for a user:

  • via the Exchange Management Console
  • via the Exchange Management Shell

In this tutorial we will do it the easy way, via the Exchange Management Console.

First we start the Exchange Management Console, open Recipient Configuration and choose Mailbox. The middle part of the screen displays the users who currently have a mailbox in Exchange.

 Mailbox

When you select the user for whom you want to enable UM, the menu on the right shows an option called Enable Unified Messaging; clicking it opens a wizard.

Wizard

Click the Browse button to select the policy you want to assign to the user. Then, in the PIN section, choose whether to enter a PIN manually or let Exchange generate one. You can also select the option Require user to reset PIN at first telephone logon; the user then has to change the PIN after the first logon.

Click on the next button to proceed, you will get the following screen:

Extension configuration

Choose the extension/phone number which you want to assign to the user and click the next button.

We have reached the final step: Exchange gives a short summary of what we configured. When you click Enable, all changes are applied and the user can use the UM options.

Enable Unified Messaging
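The same steps from the Exchange Management Shell, the second method mentioned at the start of this tutorial, as an added example that is mine and not part of the post. The user, policy name and extension are constructed sample values, and the parameter names are those of Enable-UMMailbox as I know them, so confirm them with Get-Help Enable-UMMailbox -Detailed on your own server first.

```powershell
# Added example, not from the original post: enabling UM for a user from the
# Exchange Management Shell. User, policy name and extension are constructed
# sample values; check the parameter names with Get-Help Enable-UMMailbox.

$User   = 'Klaas.Vaak'
$Policy = 'Utrecht Default Policy'   # the policy that was created with the dial plan
$Ext    = '301'                      # extension assigned to this user

# Dry run first: -WhatIf reports what would change without changing it.
Enable-UMMailbox -Identity $User -UMMailboxPolicy $Policy -Extensions $Ext -PinExpired $true -WhatIf

# No -Pin is given, so Exchange generates the PIN (the wizard's "generate" option)
# and mails it to the user; -PinExpired $true is the "Require user to reset PIN
# at first telephone logon" checkbox, so the generated PIN is used only once.
Enable-UMMailbox -Identity $User -UMMailboxPolicy $Policy -Extensions $Ext -PinExpired $true

# Check the result.
Get-UMMailbox -Identity $User | Format-List UMEnabled, UMMailboxPolicy, Extensions
```

Letting Exchange generate the PIN and forcing a reset at first logon means no administrator ever knows the PIN the user ends up with, which is the combination to prefer over typing one in the wizard.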

In this tutorial I will explain how you can configure the UM option in Exchange. In this tutorial I assume that you already have installed the UM functionality.

Configuring the UM functionality can be done in two ways:

  • via the Exchange Management Console
  • via the Exchange Management Shell

In this tutorial we will use the Exchange Management Console to configure the UM options

First we start the Exchange Management Console and open the option Organization Configuration.

Organization Configuration

Below this you will find four sub-menus:

  • mailbox
  • client access
  • hub transport
  • unified messaging

We need the last of the four, because we want to configure the UM functionality. When you click on it, the middle pane of the MMC changes and shows four tabs.

Unified Messaging

The first tab is named UM Dial Plans; configuring starts here. In the right side of the screen a menu is displayed, click on New UM Dial Plan, the following window will be opened:

UM Dial Plan

As you can see above, the window contains four fields. All of them need to be filled in:

  • Name: the name of the dial plan
  • Number of digits in extension numbers: the number of digits you want to use for extensions
  • URI type: in this case we select Telephone Extension
  • VoIP Security: in this case Unsecured; when you want to use TLS you have to choose Secured

When all fields are filled in, click New to create the dial plan. Once created, it is shown when you select the UM Dial Plans tab:

UM Dial Plan

When you select the UM Mailbox Policies tab you can see that a policy has been created, named <name of the dial plan>-default. When you create a dial plan, a default policy is created along with it. This policy specifies several things: the minimum PIN length, how long a voicemail message may be, and a lot of other options. Policies can be used to give different users different settings; for example, you can give user A a shorter voicemail text than user B.

UM Mailbox Policy 

The next step is to define the IP gateway; this is the device through which all incoming calls arrive at the Exchange server and all outgoing calls leave it. By pressing New UM IP Gateway in the right menu you get the following window:

UM IP Gateway

In this window we need to specify the following:

  • Name: name of the IP Gateway
  • IP Address/FQDN: IP address or fully qualified domain name of the IP Gateway

When these two fields are filled in you can assign the created dial plan to the IP Gateway. When you do, a hunt group is created for this gateway. When you do not select a dial plan, you need to create the hunt group manually. When the wizard is finished you will have the following structure:

UM IP Gateway

You can see that it consists of two levels:

  • IP gateway
  • default hunt group

The hunt group links the IP Gateway and the dial plan so they can communicate with each other. When you create the hunt group manually you have to assign a pilot number to it yourself. The following example explains why this is needed:

Suppose you create a hunt group with the numbers 301, 302, 303 and 304, where 301 is the number of the hunt group itself. When 301 is called, the hunt group transfers the call to the first number that is free.

The final step is to create an auto attendant. With this feature, callers hear a standard text or get a menu from which they have to choose, for example to reach a specific department.

Go to the tab auto attendant and press New UM Auto Attendant in the right menu, you will get the following window:

Auto Attendant

We need to fill in the following fields:

  • Name: name of the auto attendant
  • Associated dial plan: select the dial plan you want to assign the auto attendant to
  • Extension numbers: add the extensions you want to use for the auto attendant
  • Create auto attendant as enabled: enables the auto attendant immediately after it is created
  • Create auto attendant as voice enabled: enables the auto attendant for voice support (with this option you can give commands by speaking to the auto attendant)

The last step is assigning the dial plan to the server. Follow these steps to complete the configuration:

  • open server configuration
  • choose Unified Messaging
  • open the properties of the server
  • click the UM Settings tab
  • click the Add button
  • add the dial plan.

When you have done all the steps you will have a working Exchange UM environment, provided the PBX and the rest of the telephony side are configured correctly. If you don't have a PBX, you can also try the UM options with the Exchange UMTestPhone; you will find a tutorial about it on this website.
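The whole configuration above, done from the Exchange Management Shell instead of the console, as an added example that is mine and not part of the post. All names, the gateway address, the extensions and the server name are constructed sample values; the cmdlet and parameter names are those of the Exchange 2007 UM cmdlets as I know them, so check Get-Help <cmdlet> -Detailed on your own server before running this.

```powershell
# Added example, not from the original post: the UM configuration from the
# shell. Names, addresses, extensions and the server name are constructed
# samples; verify cmdlet parameters with Get-Help before use.

# 1. Dial plan: 3-digit extensions, telephone-extension URIs, no TLS on the SIP leg.
#    Use -VoIPSecurity Secured when the gateway supports TLS, as the post notes.
New-UMDialPlan -Name 'Utrecht' -NumberOfDigitsInExtension 3 -URIType TelExtn -VoIPSecurity Unsecured

# The default mailbox policy is created together with the dial plan; show its PIN rules.
Get-UMMailboxPolicy -UMDialPlan 'Utrecht' | Format-List Name, MinPINLength, PINLifetime, MaxGreetingDuration

# 2. IP gateway tied to the dial plan: this also creates the default hunt group.
New-UMIPGateway -Name 'PBX-Gateway' -Address '192.0.2.10' -UMDialPlan 'Utrecht'

# A hunt group created by hand needs its pilot number (the 301 of the post's example).
New-UMHuntGroup -Name 'Sales hunt group' -UMDialPlan 'Utrecht' -UMIPGateway 'PBX-Gateway' -PilotIdentifier '301'

# 3. Auto attendant on extension 300, enabled and voice-enabled.
New-UMAutoAttendant -Name 'Main menu' -UMDialPlan 'Utrecht' -PilotIdentifierList '300' -Status Enabled -SpeechEnabled $true

# 4. Assign the dial plan to the UM server, then verify.
Set-UMServer -Identity 'UM01' -DialPlans 'Utrecht'
Get-UMServer -Identity 'UM01' | Format-List Name, DialPlans
```

Scripting the steps makes the order explicit: the dial plan must exist before the gateway, hunt group, auto attendant and server assignment can reference it, which is the same dependency the console wizards enforce by greying out options.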

This tutorial will explain how you can create users via Powershell.

The first thing we need to do is start the Exchange Management Shell; you will find it in the Start menu under Microsoft Exchange Server 2007.

Powershell

As you can see above, a few commands are displayed, for example the command that shows the help. There is also a nice joke built into the Exchange 2007 PowerShell: when you type get-exblog it opens Internet Explorer with the Exchange 2007 community site.

The next step is the command we will need to create the user, it will look something like the following:

New-Mailbox -Alias <alias> -Name <name> -Database <database name> -OrganizationalUnit Users -UserPrincipalName <UPN value, example: johan@test.local>

When you execute this command there are a few parameters which are needed:

  • alias
  • name
  • database
  • organizationalunit
  • userprincipalname

Below is an example; this command creates a user johan with the UPN johan@test.local in the OU utrecht, in the database mailbox store.

Creating the user

When you execute the command one thing is missing, the password; PowerShell will ask you for it.

Entering the password

Once you have typed a password the user is created and the result looks like the screen below:

The user has been created

Of course there are more possibilities; the user we just created has not been assigned managed folders. By adding the parameter -ManagedFolderMailboxPolicy <policy name> the user is assigned this policy and gets managed folders. There are a few other parameters:

  • ActiveSyncMailboxPolicy
  • ResetPasswordOnNextLogon
  • WhatIf

Especially the last parameter is interesting if you are not sure what you are doing: it goes through the command without actually executing it. The result is displayed after the test run; if it looks OK you can remove WhatIf and run the command for real.
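The command from this tutorial with the WhatIf and ResetPasswordOnNextLogon parameters put to use, as an added example that is mine and not part of the post. The name, OU and database are constructed sample values.

```powershell
# Added example, not from the original post. It creates the user from the post
# with a dry run first, a password that is read as a SecureString instead of
# being typed on the command line (where it would stay in the shell history),
# and a forced password change at first logon. Name, OU and database are
# constructed sample values.

# -Password expects a SecureString; Read-Host -AsSecureString gives one without echoing.
$Password = Read-Host -Prompt 'Initial password for johan' -AsSecureString

# -WhatIf shows what would be created without creating it.
New-Mailbox -Name 'Johan' -Alias 'johan' -UserPrincipalName 'johan@test.local' -OrganizationalUnit 'utrecht' -Database 'Mailbox Database' -Password $Password -ResetPasswordOnNextLogon $true -WhatIf

# Same command for real; Exchange returns the new mailbox object.
$mbx = New-Mailbox -Name 'Johan' -Alias 'johan' -UserPrincipalName 'johan@test.local' -OrganizationalUnit 'utrecht' -Database 'Mailbox Database' -Password $Password -ResetPasswordOnNextLogon $true

# Verify where it landed and that the first logon will demand a new password.
Get-Mailbox -Identity $mbx.Identity | Format-List Name, UserPrincipalName, Database, OrganizationalUnit
Get-User -Identity $mbx.Identity | Format-List ResetPasswordOnNextLogon
```

Reading the password as a SecureString and forcing a reset at first logon together mean the initial password is never written to a script or a history file and stops working the moment the user has chosen a password of their own.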