I would have been able to live with the lack of interaction if I weren’t having any major problems with the product. But as such things go, I ran into one showstopping problem… It turns out that on my hardware (which is a big, tricked out server that cost a small fortune and which I am not replacing) VMWare Server 2 had major issues correctly virtualizing Windows Server 2008 x64. Just that one OS. Everything else worked fine: Windows 2003 x86 & x64, even Windows 2008 x86 ran without a hitch. It has to be said that this is not a generic problem, since most others either don’t run into the problem (on a HP nx6325 laptop I also have no issues whatsoever), or they just don’t understand why things are breaking. But I’m certainly not the only one, judging from the replies and the 300+ views on the thread I posted in the VMWare Server 2 beta 2 community.

Now, I could manage without Windows 2008 x64 servers for a good while, since Exchange 2007 also runs on Windows 2003 (or if you’re really nuts like me, you can hack the x86 version on Windows 2008 into production ). But now that I’m participating in the Exchange ‘14’ TAP, I just have to have a Windows 2008 x64 machine. Either that or just don’t bother at all.

In my experience with Microsoft Technology Adoption Programs, Microsoft usually goes above and beyond to help their customers if they run into a blocking problem with the product, even if you are the only customer experiencing the problem. The experience with VMWare was pretty much the opposite, unfortunately. I have filed not one but two Support Requests and never have gotten more interaction than the support engineer asking me to run their support-info-gathering script (vm-support.vbs) and attaching the output to the Support Request. After that, either the support engineers go deaf or they just can’t help me anymore

So now I have grown tired of waiting for information that won’t come and I have decided to uninstall VMWare Server 2 and install VMWare Workstation 6 instead. I would’ve installed Hyper-V, but alas my 1st gen AMD Opterons don’t support the CPU Virtualization extensions needed for Hyper-V…

I’m actually quite sad to see VMWare Server 2 go, because I really liked the way you could manage VMWare Server 2 via the standard VMWare Virtual Infrastructure Client, even over the internet. I liked where VMWare Server 2 was going but it seems it was just to immature for my bleeding-edge needs…

Anyway, Workstation 6 has taken over now and my first Exchange ‘14’ server is (virtually) buzzing with a large grin

That’s a dozen more mailboxes to add to the running-Exchange-‘14’-in-production-count, DavidEsp!

No, really. Security is very important in the DMZ. The DMZ is typically the area of interest for washing application functionality and washing data transfer. Most of us already do this for email and internet traffic. And of course the firewall is delivering our basic security needs. But there are still many holes!

First hole: SSL websites.
Very few proxy servers are able to ”wash” SSL secure websites. And HTTPS is moving up. I suspect it will not take long for bad websites to abuse this hole too. I came by a solution called Clearswift Cleartunnel that extends the common ISA server with a SSL proxy. Hopefully Microsoft will put this feature into there ForeFront ISA 2008 version by default.

Second hole: XML messages
Open standards are promoted. XML is the major spin-off. So we protect HTTP and a lot of web protocols too, but XML is allowed blindly. What are we doing?!?! XML meta information is very, very useful for hacking purposes. We should mask our internal resources more carefully. Read this hacking example. So watch out for Web services applications that exists in the DMZ zone. These are commonly the applications that talk the XML protocol. As a solution I propose to accept only appliations that are designed by the WS-Security protocol principles. Otherwise look out for a XML firewall solution. Examples are: ForumSystems Xwall (also available as an ISA add-on), Cisco ACE XML Gateway, Vordel and Layer7.

Third hole: encrypted email messages
Email is the equivalent for SPAM (90-95% true). No wonder that email encryption is increasing popularity. Again, scanning there email messages is not an out of the box activity. Ideally you already have a mail security gateway supporting the common standards PGP (OpenPGP too), S/MIME and webmail. Some secure email gateways even support PDF mail. If you wish to be as flexible as possible you should support all common encryption technologies, I think. Multi functional solutions to consider are Exedra IQ suite, PGP Universal Gateway or the Utimaco Safeguard Mailgateway.

Fourth hole: FTP
Ancient technology. That is what FTP is. The HTTP protocol is much better to scale, load balance and secure. So my advice is to move to HTTP as fast as you can. Windows SharePoint Services is free to use on a Windows Server. So why not use it? 

Want more answers? Do you know of more holes to explore? Please post a reaction.

- Paul

It turns out an actual leap year bug has found its way into the Exchange 2007 product, causing problems all around the world. Changing the date has been confirmed both by Microsoft PSS and from people in the field to fix the problem. For everyone who can’t or won’t temporarily change the date of their entire system, you will have to wait until after midnight before you get everything back to normal (I sure don’t blame you, I have to wait as well). I do recommend rebooting your Exchange servers after midnight because I don’t think the Address List Service will come back online on its own.

A leap year bug….sheesh!

Read more about it here: http://forums.microsoft.com/TechNet/ShowPost.aspx?PageIndex=1&SiteID=17&PageID=1&PostID=2928121

Meanwhile, I had already accepted the fact that I had to run the RPC-over-HTTP Proxy on a Windows 2003 machine for now, so that was how my environment was set up. However, when troubleshooting a different problem with Exchange, I stumbled upon the rootcause of the Outlook Anywhere problem! It turns out that the problem is in IPv6 and the way that Windows 2008 (and Vista btw) handles IPv6 as a preferred protocol over IPv4: When I did a “netstat -a -n” on my Windows 2008 machine, I noticed that Exchange was listening on the usual ports 6001, 6002 and 6004 on its IPv4 address, but only on ports 6001 and 6002 on its IPv6 address. The DSProxy service (port 6004) is NOT listening on the IPv6 stack!!! This now explains the behaviour that I was experiencing:

Below is a screenshot of the tool.

You can search for anything that you want but you have to know what kind of file you are looking for. If you select a lot of workspaces to search in you will see that it takes some time to complete. So knowing what you are looking for is key.

I know you all want this and the best thing about it is that it is free!!! And because I’m Dutch this is the best thing . There is even no registration page WHOEPIE!!!!! And because you guys need to search a lot these days I will spare you a Google moment and just point you to the link. Click on this LINK to go to the download page.

See ya

Jeroen

As you all have read in Jeroen’s post SP1 is RTM today and downloadable from the Microsoft Exchange Website
In the SP1 overvieuw some of the new features are discribed, but how do they look like in the interface ?

Watch & Learn:

A Default Active Sync profile is created for Mobile use.
Now it’s possible to change the refresh interval.

Public Folder Management Console (need I say more ??

This is all for now, I realy like what I see in SP1 and for sure I’m gonna like what I did’nt see.

Have a nice 1,

Erik Luppes

P.S. The management console now works in Vista

Yesterday Microsoft signed off build 240.6 the RTM build. With this build we can now update our beloved Exchange 2007 servers. I know that my trusty Exchange Edge 2007 RTM build was dreaming of the new bits. And now its there. I know for sure that my CAS would perform ever better. And what about my Mailbox server, he will have even more muscle power now and it is already such a show off. The Hub Server will hub even better and if I’m not mistaken I have the feeling that the speech from our UM Server sounds a bit more happier, or is this just the beer talking.

Yesterday I started to upgrade our demosite servers and they just loved the new bits as you can read above.So my baby’s are spinning like a charme.

With this SP1 build we now will be able to connect our OCS to Exchange and use SCR with DPM. I know there are allot of abbreviations here but Jim sure you readers (geek’s.) know what I’m talking about.

For download see here: http://www.microsoft.com/downloads/details.aspx?FamilyID=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en&mdc_uxref=sl

If you want to know more about the Service Pack you will find the resource here:
http://technet.microsoft.com/en-us/library/06cce2d7-e2f4-4468-97c6-b83c7a300efc.aspx

Have fun and I will see you again soon.

See you at Exchange 14 in Redmond

Jeroen

There is, unfortunately, a catch. It will only work with receiving and sending Outlook 2007 clients. I don’t believe Microsoft will open this feature for use in other mail clients, except for their own Hotmail / Live mail.

Nevertheless I like the – little naive – way they think: slow down email behaviour so a spammer will have to expand computer power. Like they won’t use botnets or hack some else’s computer to send on be-halve…?!

The better part is that it is all “under the hood” functionality. Great! As a consumer I do not wish to be burdened with this stuff. My ISP (or IT dept.) should take counter measures.

I will put my money on the mail server initiatives like DKIM, SMTP authentication, EmailXT instead of client/point solutions.

- Paul 

<update may 2007>
As of May 2007 a new RFC has been introduced by companies involving Yahoo, Sendmail, Cisco and PGP corporation. This new solution against spam is called DKIM (DomainKeys Indentified Mail). It involves a common approach; using a PKI infrastructure. I wonder what this is going to cost to implement? PKI is not innovative technology and encryption / decryption technology is expensive in regards to the volume of email. It is true: SPAM is usually not encrypted. So the more email you encrypt, the less SPAM you receive/send?
</update>

But why this? What are the threads? Well, it is all about abuse of e-mail adresses or domains, because of:

1. Spammers want to prevent non-deliveries on their own e-mail addresses
2. Fraudsters want to stay anonymous and delete tracks
3. Computer worms want to cause confusion or do not really care what e-mail address it abuses
4. Phishers want to fake trusted or known senders to get hold of secred information like passwords of credit card numbers

SPF stands for “Sender Policy Framework” which is an open source standard. The development is initiated to secure and check the so called “sender envelope address”, better known as the mail-from address. The underlying technique is a SPF record in DNS. In short: when senders name and ip address deliver a match according to DNS the e-mail is considered authentic. This way, an IP address builts up a reputation. The receiver of the e-mail owns a crucial step in this process. It is the receiver that has to perform the check according to the SPF specs. Implementation is always part of the MTA agent.

More background information and software suppliers via: www.openspf.org or http://new.openspf.org/Implementations

Sender ID (SID) is a Microsoft development. To make use of it you must sign a licence but without fee costs. It is therfore not a GPL/GNU type of license and that of course is the main criticism towards this standard. It is actually a proposal for SPF v2. It still uses the same SPF record in DNS. Microsoft adds a PRA (purported responsible address) definition to it. Also Microsoft defined a SIDF (F for framework) on top of the technology to deliver the intelligence needed, e.g. historical information, logging, traffic analyses. Important to know is that Sendmail has adapted this standard too. Together with Exchange I think this is a strong bases for success. It is still a draft proposal. As is PRA.

More info: http://www.microsoft.com/senderid

MARID is the acronym for “MTA authentication records in DNS”. It is actually the name for an IETF workgroup. This workgroup wishes to create an open standard for SMTP authentication. It is also this workgroup that does not accept the way Microsoft delivers her SID technology to the public. At the same time they advise not to ignore this technology.

More information found on: www.ietf.org or the well known IT news sites like: www.windowsitpro.com.

Meanwhile over tens of thousands SPF registrations has been taken place. Of course it is not the holy grale of anti-spam, but it is one important counter measure that any organisation should implement. You should always prevent that your organisation appears on a black list.

Please share your experiences / ideas with SPF v1 / v2.  I look forward to your comments

- Paul

And this too:
I found it interesting to read that Microsoft in a press announcement has published that mr. Meng Weng Wong is the inventor of the SPF standard. The supporting SPF website openSPF strongly denies this fact!

Move Mailbox
This vital administrator tool has been beefed up to include import and export to a .pst

Even though Microsoft somehow now calls ‘Move Mailbox’ a ‘vital administrator tool’ (though it should be ‘move-mailbox’ since only the powershell cmdlet is actually quite powerful), it still means that import/export to .pst functionality will be back before the end of the year! I think that when SP1 is released, the Exchange community will make it a new worldwide holiday!