
Exchange 2010 and TLS 1.2

In a previous blog post I discussed an issue I had with Outlook 2010 and TLS 1.2. This reminded me that Microsoft will remove support for TLS 1.0 and TLS 1.1 in Office 365 on October 31, 2018, as communicated in https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365. This means that if you have communication issues with Office 365 because of an older, weaker protocol, you won’t get any support. Time to do some research….

Existing Exchange 2010 environment

As you may have seen on this site, I am still a big fan of Exchange 2010 and also have a pure Exchange 2010 hybrid environment up and running. It looks like this:

[Image: Inframan hybrid environment]

The MX record points to my Exchange 2010 Edge Transport server (running on Windows 2008 R2), webmail and Autodiscover are routed via an F5 LTM load balancer to an Exchange 2010 CAS/HUB/Mailbox server (also running on Windows 2008 R2), and hybrid is configured directly on Exchange 2010 (for hybrid mail flow I’m using a separate FQDN, o365mail.inframan.nl) without any Exchange 2013 or Exchange 2016 server.

So, how do you test which TLS version is used by your Exchange 2010 server? In Exchange 2010 this should be done using the protocol log files; message headers in Exchange 2010 do not contain enough information to show the TLS version. So you must enable protocol logging on the appropriate Receive Connectors and Send Connectors. In my environment this means the Default Receive Connector on the Exchange 2010 Edge Transport server (for Office 365 traffic from other tenants), the Default-First-Site-Name to Internet Send Connector, and both connectors between the Exchange 2010 server and Office 365 for hybrid. Analyzing the protocol log files is best done in Excel (import them as CSV files). When analyzing, look for a string like TLS protocol SP_PROT_TLS1_0_SERVER (when receiving) or TLS protocol SP_PROT_TLS1_0_CLIENT (when sending). When TLS 1.2 is used, you will see TLS protocol SP_PROT_TLS1_2_SERVER or TLS protocol SP_PROT_TLS1_2_CLIENT instead.
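If you would rather not go through the CSV files by hand in Excel, the following added example (mine, not code from the original post) enables verbose protocol logging and then counts, per remote host, which TLS version was negotiated. The connector names and the log path are assumptions based on Exchange 2010 defaults; adjust them to your environment.

```powershell
# Added example, not from the original post. Connector names and the log path are
# assumptions based on Exchange 2010 defaults; adjust them to your environment.

# 1. Enable verbose protocol logging on the connectors that carry Office 365 traffic
#    (run in the Exchange Management Shell on the server hosting each connector).
Set-ReceiveConnector -Identity 'Default internal receive connector EDGE01' -ProtocolLoggingLevel Verbose
Set-SendConnector    -Identity 'Default-First-Site-Name to Internet'       -ProtocolLoggingLevel Verbose

# 2. Summarise the negotiated TLS version per remote host from the protocol log files.
#    Each log starts with '#' header lines; the '#Fields:' line names the CSV columns.
function Get-TlsVersionSummary {
    param([Parameter(Mandatory)][string]$LogPath)

    $counts = @{}
    foreach ($file in Get-ChildItem -Path $LogPath -Filter '*.log') {
        $lines  = Get-Content -Path $file.FullName
        $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        if (-not $header) { continue }
        $columns     = ($header -replace '^#Fields:\s*', '') -split ','
        $remoteIndex = [array]::IndexOf($columns, 'remote-endpoint')
        if ($remoteIndex -lt 0) { continue }

        foreach ($line in $lines) {
            # The TLS version is logged as SP_PROT_TLS1_x_SERVER (receive) or _CLIENT (send).
            if ($line -match 'TLS protocol (SP_PROT_TLS1_\d_(SERVER|CLIENT))') {
                $protocol = $Matches[1]
                # remote-endpoint sits before the free-text data/context columns, so a plain
                # comma split is safe for it; the value is ip:port, and we drop the port.
                $fields = $line -split ','
                $remote = ($fields[$remoteIndex] -split ':')[0]
                $key    = "$remote|$protocol"
                $counts[$key] = 1 + [int]$counts[$key]
            }
        }
    }

    foreach ($entry in ($counts.GetEnumerator() | Sort-Object Name)) {
        $remote, $protocol = $entry.Name -split '\|'
        [pscustomobject]@{
            RemoteHost  = $remote
            TlsProtocol = $protocol
            Sessions    = $entry.Value
            # Anything below TLS 1.2 will stop working against Office 365 after the cutoff.
            NeedsAttention = ($protocol -notmatch 'TLS1_2')
        }
    }
}

# Receive-side logs on an Exchange 2010 (V14) server; use ...\ProtocolLog\SmtpSend for Send Connectors.
Get-TlsVersionSummary -LogPath 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive' |
    Format-Table -AutoSize
```

Rows with NeedsAttention set to True are the remote hosts (or, for the Send Connector logs, the destinations) that still negotiate TLS 1.0 or 1.1 and need a closer look before the Office 365 cutoff.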


Hybrid Configuration Wizard diagnostics

Life can be so simple sometimes… I learned this nice feature at Microsoft Ignite last week: when running the Hybrid Configuration Wizard (HCW), press F12 and the diagnostics tools become available:

[Image: HCW hybrid diagnostics]

You can open the individual directories, open the log file itself, or create a support package for when you have to contact Microsoft support in case of issues. Very nice and useful!

[Image: HCW support package]

Ignite 2018 – Azure AD and security sessions

A little later than originally planned because of an unexpected visit to the Massachusetts General Hospital in Boston on my way…. In my previous posts I blogged about the start of the conference and some of the Exchange sessions I attended in the first two days. Now, however much I love Exchange, most of my clients are moving towards Office 365 and Exchange Online, so what else is important here?

Yes, authentication! Azure Active Directory, Identity and Access Management and security around these solutions. And this happens to be important for Exchange and Exchange Online as well, so….

Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows Server 2019 and Azure AD Password Protection

Session “BRK3226 – Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows Server 2019 and Azure AD Password Protection” is all about authentication in Azure AD. It explains the traditional password hash sync as well as the ADFS options (more than 71 million users are actively using ADFS). But there were also 1.29 billion authentications blocked in August 2018, and 81% of all security breaches are caused by weak, default or stolen passwords.

[Image: Securing resources]

Common passwords used in (Azure) AD are Password, Spring, Summer, Autumn, Winter, 2018, 1234, your favorite football team, etc. And these in turn are used in password spray attacks! Also vulnerable are passwords where numbers and letters are swapped, for example “I” becomes “!”, “O” becomes “0”, etc. And now you wonder: how many of my users are doing this? Password protection in Azure AD also includes normalization of the password, so these substitutions are automatically blocked. The good thing is, Azure AD password protection is coming to on-premises AD as well!
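To make the normalization idea concrete, here is an added example (mine, a simplified illustration and not Microsoft’s implementation) that undoes the common substitutions, strips a trailing year or counter, and then checks the result against a banned-term list like the one from the session. The banned terms and sample passwords are constructed for the example.

```powershell
# Added example, not from the original post and not Microsoft's algorithm: a simplified
# illustration of password normalisation followed by a banned-term check.
# The banned list below is constructed; a real list would also hold organisation-specific terms.
$BannedTerms = @('password', 'spring', 'summer', 'autumn', 'winter', 'welcome', 'inframan')

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Reverse the substitutions the session mentions ("I" -> "!", "O" -> "0") plus a few
    # other common ones, so "P@$$w0rd" and "Password" normalise to the same string.
    $map = @{ '!'='i'; '1'='i'; '|'='i'; '0'='o'; '@'='a'; '4'='a'; '$'='s'; '5'='s'; '3'='e'; '7'='t'; '+'='t' }
    # Lower-case first and drop a trailing year/counter, so "Summer2018" becomes "summer".
    $base  = $Password.ToLowerInvariant() -replace '\d+$', ''
    $chars = foreach ($c in $base.ToCharArray()) {
        $s = [string]$c
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    return (-join $chars)
}

function Test-BannedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $normalized = ConvertTo-NormalizedPassword -Password $Password
    $hit = $BannedTerms | Where-Object { $normalized.Contains($_) } | Select-Object -First 1
    [pscustomobject]@{
        Password    = $Password
        Normalized  = $normalized
        Banned      = [bool]$hit
        MatchedTerm = $hit
    }
}

# Constructed sample candidates: three that only look complex, one that is genuinely random.
'Summer2018', 'P@$$w0rd!', 'Spr!ng18', 'Xk9#vL2qRm' | ForEach-Object { Test-BannedPassword -Password $_ } |
    Format-Table -AutoSize
```

The first three candidates normalize to summer, passwordi and spring and are rejected; only the random one passes, which is exactly the behaviour that makes the substitution trick useless against a normalizing check.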

You can find the session on YouTube at https://youtu.be/DC4cyF_JEgw and the slides here: https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3226.pptx

Azure Active Directory best practices from around the world

The title of the session was renamed to “Azure AD: Do’s and Don’ts”, but this is more of a ‘notes from the field’ session with a lot of practical information around Azure AD, legacy authentication, modern authentication, Hybrid Azure AD Join (HAADJ, I hate 3 letter acronyms, let alone 5 letter versions 😊) and what to do to get a better and safer authentication experience.

[Image: Legacy authentication]

Interesting in this presentation is that it also discusses which steps you need to take to move from legacy authentication to modern authentication, and the pitfalls you might encounter, including links to more information (found in the presentation).

[Image: Associating devices]

You can see the session on YouTube at https://youtu.be/wGk0J4z90GI and you can find the slides here: https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3408.pptx

Scott Schnoll’s Exchange and Office 365 tips and tricks

I don’t know how many times Scott Schnoll has delivered this session, but it still is an awesome session and contains so much practical information around Exchange and nowadays Exchange Online.

[Image: Scott Schnoll presenting]

I tried to take some pictures with Office Lens, but I think the colors of the slides and text are not identified correctly, so they are horrible. The slides aren’t available (yet), so you have to check the presentation on YouTube: https://youtu.be/0WNMX8EKYZk

Topics include anti-virus exclusions, DMARC enhancements, decommissioning on-premises Exchange in (or after) hybrid, changes to EOP IP ranges, migrating DLs to Office 365 (including a script to do so), a license administrator role in Office 365 (preview), DLP and credit card numbers, and Mail Flow Insights, a new tool/dashboard that is currently being developed. Scott does a demo of this at the end of his presentation. Very cool, very promising, very useful!

Summary

So, after 5 days (well, four and a half days) we can say it was a very successful event. It is huge: approx. 30,000 attendees from 5,000 organizations. So many sessions, break-out, theatre, workshop, hands-on, almost too much. And the sheer size of the location: I guess one walks between 6 and 7 miles every day between the various venues. Would I go again? Sure, next year, again in Orlando, November 4-8. Hope to see you there!

More information/sessions

And some more interesting sessions to view online….

BRK2407 – Windows 10 and Office 365 ProPlus lifecycle and servicing update (CONDENSED)

https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK2407.pptx  https://youtu.be/t9Bs55czc1E

BRK3234 – An IT pros guide to Open ID Connect, OAuth 2.0 with the V1 and V2 Azure Active Directory endpoints (very informative, but not available online yet I’m afraid)

BRK3397 – Protect and control your sensitive emails with Office 365 Message Encryption

https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3397.pptx

https://youtu.be/Ld4b4pFua0g

BRK3408 – Azure Active Directory best practices from around the world

https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3408.pptx

https://youtu.be/wGk0J4z90GI

BRK3146 – What’s amazing and new in calendaring in Outlook!

https://youtu.be/-ZrNTylawOA

THR3024 – How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less

https://youtu.be/7hoEmEwV8Rk

BRK3081 – Implementing a modern network architecture to get the most out of Office 365

https://youtu.be/FGMzS_MjuPY

BRK3145 – Deploying Outlook mobile securely in the enterprise

https://youtu.be/4mHlxdJMh1Q

THR3036 – Azure Active Directory hybrid identity and banned password detection

https://youtu.be/kuVkfIiapI4


Ignite 2018 – Exchange sessions, the good and a bit ugly

My first blog about Ignite 2018 was more about the keynotes on the first day, Microsoft’s strategy around the cloud and how various applications integrate with each other and take advantage of the cloud. But I’m a technical consultant and more interested in the technical stuff. And as an MVP in ‘Office Apps and Services’ (used to be ‘Office Servers and Services’, and before that just ‘Exchange MVP’) my heart is still with Exchange. Although I also attended lots of other sessions, there are better blogs available for those technologies than mine 😊

Welcome to Exchange 2019

The first break-out session I attended was BRK “Welcome to Exchange 2019” by Greg Taylor and Brent Alinger. Lots of information was already available since Microsoft released the preview version of Exchange 2019, but some other interesting points were mentioned as well:

  • Exchange 2019 runs on Windows 2019 only. There are so many security features in Windows 2019 that Exchange uses, features that are not available in Windows 2016. The preview version was running on Windows 2016, but the final version won’t.
  • Windows 2019 Server Core is the recommended platform because of the lower footprint and attack surface.
  • The required Forest Functional Level is Windows 2012 R2, which may cause issues for some customers, I guess.
  • Minimum recommended RAM is 128 GB. Be aware, this is the recommended amount of RAM, not the required amount of RAM. This amount comes from .NET usage in Windows 2019, which performs much better with large amounts of memory. If an Exchange 2019 server does not have 100 GB or more, it won’t take advantage of many of these improvements. There’s also a correlation with the number of processors in the Exchange 2019 server; this 128 GB relates to 48 processors. If you use fewer processors, the memory requirement decreases as well.
  • Exchange 2019 will (at least for now) only be available via Volume Licensing. Discussions are going on about whether this will lead to piracy via download sites. Microsoft is aware of this, but at this moment it’s only Volume Licensing.
  • A very cool new feature is the MCDB, or metacache database. This is a cache stored on SSD drives where metadata from the mailbox databases is stored, like search information, folder structure, etc. This will improve performance for Outlook clients running in Online Mode: not only search, but also logon to the mailbox is dramatically improved (I’m starting to sound like a marketing guy 😊).
  • Related to the previous bullet, Search is improved (or rewritten, actually) using Bing technology. The index information is no longer stored in a separate directory on disk, but in the mailbox, and thus inside the database. This means that passive copies have the same information and the same search indexes. A failover will no longer fail because search is not healthy on the replica, speeding up failover times.
  • And Microsoft also released the documentation for Exchange 2019, which can be found at https://docs.microsoft.com/en-us/Exchange/exchange-server?view=exchserver-2019.

Unfortunately this session is not available online yet. It was recorded, but somehow it is not yet available.

As a side note, Microsoft organized a side meeting with the Exchange and Outlook Product Groups and a couple of (Exchange) MVPs. In this 2-hour session we could have a decent discussion with all Program Managers in the room, and we were able to express our deepest concerns regarding the announcements and presentations at Ignite. Some people prefer to do this on Twitter, but we think it’s better to discuss this with the Program Managers directly. They gave us additional background information, but at the same time were impressed by the feedback we gave them, and will take it back to HQ. They won’t change the product of course, but the marketing message and documentation (background information) around Exchange 2019 will certainly change.

Securing Exchange Online from modern threats

Another interesting session was BRK3148 “Securing Exchange Online from modern threats”. It is all about security, and what steps the bad guys usually take to attack a platform like Exchange Online. And it’s incredibly easy. Ever heard of ‘password spray’? This is a brute force attack, but the other way around. The bad guy has a list of usernames (UPN = email address, to make their life easy) and standard passwords like Summer2018 or Spring2018. With a spray attack they take one password and try it against all users. If not successful, they try the next password against all users in the list. Incredibly simple, and unlike a regular brute force attack this does not result in locked-out accounts. And we all know it, it’s only a matter of time before a simple password is compromised. In the demo the presenter shows how easy it is, and once logged on, how to continue with elevated privileges.

The good news is, this presentation is available on YouTube: https://youtu.be/jnUUioUU_eY

Hybrid Exchange: making it easier and faster to move to the cloud

Exchange hybrid is also a hot topic. Last year Jeff Kizner did a session on hybrid, and announced that Microsoft was working on removing the last Exchange server when all mailboxes have been moved to the cloud. Expectations were high when attending this year’s session BRK3143 “Hybrid Exchange: making it easier and faster to move to the cloud”.

The first part of this presentation is about the work done on the Organization Configuration Transfer in the Hybrid Configuration Wizard. It is still not finished, but a lot of the configuration information cannot be copied over to Exchange Online. Note that it is a copy to Exchange Online; there is no synchronization. So when you make changes in Exchange on-premises, they are not transferred automatically to Exchange Online. You have to either make the changes in Exchange Online as well, or run the Hybrid Configuration Wizard again.

Completely new (and not available yet) is the Hybrid Agent that runs on-premises. The Hybrid Agent works with an endpoint in Microsoft Azure, and uses outbound HTTPS traffic only. Exchange Online is configured by the HCW to use the same endpoint in Microsoft Azure. This way only outbound connections are used, and it is no longer necessary to make all kinds of firewall changes when configuring Exchange hybrid. Even better, this still works when Autodiscover and Exchange on-premises are not published, since only outbound connections are used, and the configuration information is stored safely in the endpoint in Microsoft Azure.

[Image: Exchange Hybrid Agent]

[Image: TargetSharingEpr]

At this moment it is only going to work for Free/Busy and mailbox moves using the MRS, but it’s a good start. Next versions can include more features, and using this technique everything is possible; imagine Microsoft Search searching your on-premises Mailbox servers…. I’m not sure if that’s a good idea, and I have an idea how the average security officer will react to a solution like this. Some people will refer to this as a man in the middle that has full access to your Exchange environment (something with Exchange Trusted Subsystem). Also, the Hybrid Agent only supports auto-update, and I’m not sure if I want that to happen on my Exchange servers. The good news: you can run the Agent on dedicated servers instead of the Exchange servers, as long as these servers have a decent Internet connection.

The Exchange Product Group released a blog post on both topics, which can be found at https://blogs.technet.microsoft.com/exchange/2018/09/26/announced-improvements-to-hybrid-publishing-and-organization-configuration-transfer/.

Also, the presentation itself is available on YouTube: https://youtu.be/QhOh5RCcLu8

Unfortunately not a single word about that last Exchange server on-premises, so at this point it will need to stay around for some time, I’m afraid.

Email search in a flash! Accelerating Exchange 2019 with SSDs

As already mentioned in the first section of this blog, Microsoft introduced the Metacache Database (MCDB) in Exchange 2019. Exchange 2019 will still work with regular JBOD solutions, but now SSD disks are added to the servers. These SSD disks are used as an additional cache (specific data from the mailbox database is stored additionally on the SSD disks) to speed up performance. Think of the message table, mailbox information, message metadata, all kinds of information that is regularly needed by Outlook clients and can now be retrieved by Exchange 2019 at a much faster pace.

Personally I think this is a very impressive technology, but I don’t see it appearing at customers anytime soon. It is built on top of a DAG (should be no issue), but it also uses AutoReseed as outlined in the Preferred Architecture. The SSD versus spinning disk ratio is 1:3, so for a 12-disk Exchange server, three SSD disks are needed. Now, I don’t see a lot of customers deploying Exchange 2019 this way, at least not the smaller organizations, but maybe these customers are better off with Exchange Online. That’s a different discussion, though.

[Image: Metacache database]

[Image: Metacache guidance]

The technology is impressive, and I’m looking forward to testing this in a lab. Unfortunately this feature is not yet available in the preview version of Exchange, so you have to wait until the official release of Exchange 2019 later this year.

The presentation is available on YouTube: https://youtu.be/VHrScskhCQk

Stay tuned for more information…


Ignite 2018 – The conference starts

I’ve been at the Microsoft Ignite conference in Orlando from Sunday September 23 until Friday September 28. It’s been some time since I visited a Microsoft conference; I think the last one was the Microsoft Exchange Conference in Austin, TX in early 2013. I also did some TechEd events, both as a speaker and as an attendee, but that’s also a long time ago. And what’s the best way to get up to speed with Microsoft’s vision, strategy and new products? Yes, Ignite…. So off to Orlando 😊

Ignite is an annual event held in the US, and it’s big. This year approx. 30,000 attendees from 5,000 organizations worldwide. That’s a reasonably sized city walking around a conference center, and it’s pretty impressive to see all this.

[Image: Ignite 2018]

Ignite starts with keynote sessions. The opening keynote is also a vision keynote, delivered by Satya Nadella, CEO of Microsoft. It should not be a surprise, but it’s all about the cloud at such a keynote, “intelligent cloud” and “intelligent edge”, and how the various applications and services can use this for the benefit of the user. Data in the cloud, software in the cloud, Artificial Intelligence (AI), Machine Learning (ML): all services, organizations and users benefit from this.

AI and ML sound scary, especially if you are a fan of science fiction movies where computers take over, but there are better uses. For example, in Exchange Online Protection Microsoft receives billions and billions of messages. All these servers send out all kinds of monitoring information, and this is analyzed using AI and ML. Based on this, it is possible to predict certain actions and take pro-active measures. The same happens in Azure Active Directory. It is now possible to check where logins are coming from, what kind of attacks are happening, or if an attack is about to happen. You can use this yourself, and by doing so create a safer environment for your Azure and Office usage.

That’s what you see in a lot of sessions here at Ignite: security, security and security. Oh, did I already mention security? And let’s be honest, Microsoft has to, don’t they? If Office 365 or Azure were massively compromised, it would destroy customers’ trust and potentially lose business….

Another area where you can see the influence of the cloud is in desktop applications. Microsoft Search has been completely rewritten, and will now deliver a consistent search and consistent search results throughout all applications: whether you are working in Outlook on the Web, PowerPoint, Windows 10 or Outlook, it will all give consistent results. Related to this in Microsoft Office is ‘ideas’. When working on a presentation in PowerPoint, you can use ‘ideas’ to enhance your presentation. A demo was given in PowerPoint with a list of bullets naming several countries. Using ‘ideas’ it is possible to add information regarding these countries, and this information is retrieved from Microsoft Search. The same goes for information regarding people in Outlook, where additional information can be retrieved from LinkedIn. Very useful usage of cloud technology in day-to-day applications.

Technical keynotes are more about what the various applications and services are doing and how these can take advantage of the cloud. I’m more in the Workplace and Microsoft 365 arena, so I attended two keynotes: transforming your workplace with Microsoft 365, and transforming collaboration and communications with Microsoft 365. Amazing to see how Microsoft Teams is taking a big role these days. In the Microsoft cloud, Microsoft Teams will take over from Skype for Business Online. Starting October 1st, new smaller tenants will not get Skype for Business Online, but only Microsoft Teams. Skype for Business Online will continue to be available for existing tenants, but customers are encouraged to move from Skype for Business Online to Microsoft Teams.

You might have seen the following PowerPoint slide before. It’s about the Microsoft teamwork vision: the Inner Loop with people you work with often, and the Outer Loop with people you work with across organizations.

[Image: Microsoft teamwork vision]

For the Outer Loop Yammer is still being used, and I’m a bit surprised by that. Personally I expected Yammer to go away now that Microsoft Teams is around. But there’s still development going on: there’s a Yammer tab in Teams, and also integration of various Office 365 services like Planner or Stream into Yammer.

The new Virtual Desktop was also shown, where a Windows 10 desktop is hosted in Microsoft Azure, available anytime and on any device, and deployed in a couple of minutes. Oh, and Autopilot, where a desktop is automatically installed with Windows 10 from Microsoft 365, Office Click-to-Run and your (personal) data in OneDrive for Business. Very impressive, and you’ll see more of this popping up in (larger) organizations in the upcoming years.

More information regarding the technical sessions will follow soon. After all, I’m a technical consultant and hope to get a lot of technical information here at Ignite. Stay tuned….