All posts by jaapwesselius

Control Panel in hosted Exchange 2010 SP2

In the past I’ve blogged about building a hosted Exchange 2010 SP2 environment. Basically you have to prepare Active Directory, create a hosting container in which all customer containers (also referred to as organizations, not to be confused with an Exchange organization) are located, secure the OUs, etc. You also have to create Address Lists, Address Book Policies and Offline Address Books (do not forget to secure these to prevent unwanted downloads), and all of this in a reliable and consistent manner.

It is certainly doable with a lot of scripting and HTML knowledge (been there, done that) but the overall recommendation is to use a Control Panel vendor. You can find an overview on the Microsoft website:

Using a Control Panel

There are a number of vendors, each with their own pros and cons, but all work according to the same principle: a provisioning engine. This provisioning engine talks to all services in your environment, like Active Directory, Exchange, Lync or SharePoint. It is also possible to add even more services like CRM, Hyper-V, online backup or Azure.

Continue reading Control Panel in hosted Exchange 2010 SP2

Empty a mailbox using Exchange Web Services

Currently I’m working on an environment where 6,000 test mailboxes are created. During test migrations all kinds of information are stored in these mailboxes. You can use Exchange Web Services to empty these mailboxes.

To empty the (test) mailboxes you need the following:

  • Exchange Web Services Managed API;
  • An account with enough permissions to empty the mailboxes;
  • A script that does the actual plumbing.

The Managed API can be downloaded from the Microsoft website: and it runs on Windows 7 clients or Windows 2008 (R2) servers.

The script logs on to the mailboxes with an account that needs sufficient permissions. You can set the permissions on the Exchange CAS Server using the following commands:

Continue reading Empty a mailbox using Exchange Web Services

Publish Lync Services in TMG

In an earlier blog post I explained how to set up a Lync Server 2010 in your Lync organization. Using a Lync Server you can give access to external users and implement federation services. You might also want to implement publishing rules on your Threat Management Gateway (TMG) 2010 server to provide the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.

Continue reading Publish Lync Services in TMG

Autodiscoverredirect and TMG

In my blog post Autodiscover Redirect and SRV option I explained how to use the AutodiscoverRedirect or the SRV records method to make Autodiscover work when using multiple primary SMTP addresses in an Exchange 2010 environment.

This works fine as long as your Exchange server is connected directly to the Internet (behind a firewall of course) and you can add public IP addresses to your Exchange Server. When using a reverse proxy solution like Threat Management Gateway (TMG) 2010 in front of the Exchange 2010 Client Access Server, all Exchange services are published to the Internet, and this requires a different approach for the AutodiscoverRedirect method.

First, the Client Access Server no longer needs the autodiscoverredirect website, since this is now handled by the TMG Server. So the Client Access Server can be used in a default configuration. In this environment a certificate with two FQDNs is used: and but now this environment is published using TMG 2010 SP1.

The TMG Server now intercepts all autodiscoverredirect traffic, so a new rule with a new listener (on a separate IP address) needs to be created. Please note that this traffic is unencrypted, so HTTP (port 80) needs to be used for this listener. For the Client Authentication Method when creating the Web Listener, select No Authentication.


The next step is to create a web publishing rule that uses this listener. This rule should deny all traffic and redirect it to the ‘normal’ autodiscover URL on the TMG Server, i.e.


One thing to notice though: after creating the web publishing rule you can select whether this rule listens to all requests or only to specific websites (select the Public Name tab). Also, don’t forget to change the redirection (select the Bridging tab) to port 80. Like in the previous blog post, you have to enter the in the public DNS, and for every other domain create a CNAME autodiscover record (again in public DNS) and point it to the FQDN.

Now when you go to the Remote Connectivity Analyzer ( and test using another domain, you’ll see that it works again, but now via the TMG Server.


The warnings in this screenshot are about the root certificate not being verifiable. Also note that in this example the RCA doesn’t even try the SRV method, since the redirect method is successful.

SRV Records

The autodiscover SRV records option I explained in my previous article works immediately through the TMG Server. This makes sense, since the information is taken directly from public DNS and the autodiscover service is accessed directly without any redirection.


One thing I would like to mention: quite a lot of people think that autodiscover fails because of the three failing attempts (in the above screenshot). While those three attempts do fail, autodiscover successfully finishes with the fourth option, so autodiscover as a whole is considered successful.
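To make the lookup order behind the RCA screenshots (and the redirect and SRV methods published through TMG) concrete, here is an added example that is not part of the original post. It walks the external Autodiscover order an Outlook client or the RCA uses (HTTPS on the domain itself, HTTPS on autodiscover.domain, an unauthenticated HTTP GET on autodiscover.domain that is only honoured if it redirects to an https:// URL, and finally the _autodiscover._tcp SRV record), with DNS and HTTP replaced by constructed lookup tables so it runs offline. All hostnames (hoster.example, mail.hoster.example, autodiscoverredirect.hoster.example, the customer domains alpha/beta/gamma/delta.example) are made-up sample values, not the author's environment. It goes slightly beyond the post by also showing why a customer CNAME pointed straight at the HTTPS name fails (certificate name mismatch), which is the reason the port-80 redirect listener exists in the first place.

```python
"""Offline walk through the external Autodiscover lookup order. DNS and HTTP
are constructed lookup tables (sample values only), so nothing touches the
network. Added example; not the blog's own script."""

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

PATH = "/autodiscover/autodiscover.xml"


@dataclass
class Attempt:
    method: str
    url: str
    ok: bool
    detail: str


@dataclass
class Result:
    attempts: list = field(default_factory=list)
    url: Optional[str] = None

    @property
    def method(self):
        return next((a.method for a in self.attempts if a.ok), None)


def canonical(host, dns):
    """Follow CNAMEs (the post points autodiscover.<customer> at the hoster's
    redirect FQDN this way); return None if the name does not resolve."""
    seen = set()
    while host not in seen:
        seen.add(host)
        if ("A", host) in dns:
            return host
        if ("CNAME", host) not in dns:
            return None
        host = dns[("CNAME", host)]
    return None  # CNAME loop


def fetch(scheme, host, dns, http):
    """Virtual server reply (status, headers, cert_names) for scheme://host,
    or None when the name does not resolve or nothing listens on that port."""
    target = canonical(host, dns)
    return http.get((scheme, target)) if target else None


def https_attempt(host, dns, http):
    reply = fetch("https", host, dns, http)
    if reply is None:
        return False, "no HTTPS listener"
    status, _, cert_names = reply
    if host not in cert_names:  # the cert must match the name the client asked for
        return False, f"certificate not valid for {host}"
    return status in (200, 401), f"HTTP {status}"  # 401: service present, wants auth


def discover(domain, dns, http):
    res = Result()

    def record(method, url, ok, detail):
        res.attempts.append(Attempt(method, url, ok, detail))
        if ok and res.url is None:
            res.url = url
        return ok

    # 1 and 2: direct HTTPS on the domain itself, then on autodiscover.<domain>.
    for method, host in (("https-root", domain), ("https-autodiscover", f"autodiscover.{domain}")):
        ok, why = https_attempt(host, dns, http)
        if record(method, f"https://{host}{PATH}", ok, why):
            return res

    # 3: unauthenticated GET on port 80. Only a redirect to an https:// URL is
    #    followed; the client never sends credentials to the HTTP listener.
    url = f"http://autodiscover.{domain}{PATH}"
    reply = fetch("http", f"autodiscover.{domain}", dns, http)
    if reply and reply[0] in (301, 302):
        loc = reply[1].get("Location", "")
        if urlparse(loc).scheme == "https":
            ok, why = https_attempt(urlparse(loc).hostname, dns, http)
            if record("http-redirect", loc, ok, f"redirected from {url}: {why}"):
                return res
        else:
            record("http-redirect", url, False, f"redirect to non-HTTPS {loc!r} rejected")
    else:
        record("http-redirect", url, False, "no redirect answer")

    # 4: SRV _autodiscover._tcp.<domain>; the target is contacted over HTTPS and
    #    must present a certificate valid for its own name (no redirect involved).
    srv = dns.get(("SRV", f"_autodiscover._tcp.{domain}"))
    if srv:
        _prio, _weight, port, host = sorted(srv)[0]
        ok, why = https_attempt(host, dns, http)
        record("srv", f"https://{host}{'' if port == 443 else f':{port}'}{PATH}", ok, why)
    else:
        record("srv", f"_autodiscover._tcp.{domain}", False, "no SRV record")
    return res


# Constructed sample environment: a hoster publishes Exchange via a reverse proxy
# as mail.hoster.example and runs the port-80 redirect listener (no auth) on
# autodiscoverredirect.hoster.example. Customer domains are attached four ways.
SAMPLE_DNS = {
    ("A", "hoster.example"): "203.0.113.10",
    ("A", "mail.hoster.example"): "203.0.113.10",
    ("A", "autodiscover.hoster.example"): "203.0.113.10",
    ("A", "autodiscoverredirect.hoster.example"): "203.0.113.11",
    ("A", "badredirect.hoster.example"): "203.0.113.12",
    ("CNAME", "autodiscover.alpha.example"): "autodiscoverredirect.hoster.example",  # redirect method
    ("SRV", "_autodiscover._tcp.beta.example"): [(0, 0, 443, "mail.hoster.example")],  # SRV method
    ("CNAME", "autodiscover.gamma.example"): "badredirect.hoster.example",  # redirects to plain http
    ("CNAME", "autodiscover.delta.example"): "mail.hoster.example",  # CNAME straight at the HTTPS name
}
CERT_NAMES = {"mail.hoster.example", "autodiscover.hoster.example"}  # the two-FQDN certificate
SAMPLE_HTTP = {
    ("https", "mail.hoster.example"): (401, {}, CERT_NAMES),
    ("https", "autodiscover.hoster.example"): (401, {}, CERT_NAMES),
    ("http", "autodiscoverredirect.hoster.example"): (302, {"Location": f"https://mail.hoster.example{PATH}"}, set()),
    ("http", "badredirect.hoster.example"): (302, {"Location": f"http://mail.hoster.example{PATH}"}, set()),
}

if __name__ == "__main__":
    for d in ("hoster.example", "alpha.example", "beta.example", "gamma.example", "delta.example"):
        r = discover(d, SAMPLE_DNS, SAMPLE_HTTP)
        print(f"{d}: {r.method or 'FAILED'}")
        for a in r.attempts:
            print(f"   {'ok  ' if a.ok else 'fail'} {a.method:<18} {a.detail}")
```

Running it shows beta.example reaching the SRV record only after three failed attempts, which is exactly the RCA output the post describes: the failures are expected, and the fourth step is what makes the overall lookup succeed. gamma.example shows the check a redirect listener must pass: a 302 to a non-HTTPS URL is rejected, so the port-80 listener should do nothing except redirect to the published https:// Autodiscover URL.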

Now combine the autodiscover redirect and the SRV method with the Address Book Policies that will be available in Exchange 2010 Service Pack 2 and you’re one step closer to your own Exchange 2010 hosting solution.

To be continued, stay tuned…