Author Archives: Sathish Veerapandian

Quick Bites – Troubleshooting POP and IMAP connectivity issues in Exchange 2013

In this article, let's have a look at troubleshooting POP and IMAP connectivity issues in Exchange 2013.

First, let's go through the basic requirements: the features and settings that need to be enabled in order for these services to work.

What ports should be used by the clients for each configuration:

Port 25 for SMTP with or without TLS, anonymous authentication (Outgoing);
Port 587 for SMTP with TLS (Outgoing);
Port 143 for IMAP without TLS (Incoming);
Port 993 for IMAP with SSL/TLS (Incoming);
Port 110 for POP3 without TLS (Incoming);
Port 995 for POP3 with SSL/TLS (Incoming);

Ensure that all the required ports are open in your firewall according to the configuration you have (with or without TLS). We can do a telnet from an external network and see if we get a proper banner.

For POP – telnet domainname 110
For IMAP – telnet domainname 143

For TLS to work, do we need to install any certificates on the servers:

You should create a certificate that includes your CAS server FQDN and Mailbox server FQDN as SAN names. It should not be a self-signed certificate; you should get it from an internal CA or a public CA. Then assign the SMTP, POP3, IMAP and IIS services to this certificate; only then will it work.

Do we need to configure anything on the server for POP and IMAP authentication:

For the authentication type of the POP and IMAP services, we can choose to use plaintextlogin or securelogin. You can refer to http://technet.microsoft.com/library/aa997188(v=exchg.141).aspx. It defines how the application provides the username and password for authentication.

The below things can also be checked when troubleshooting POP and IMAP issues:
We can run Test-PopConnectivity and see the results
We can run Test-ImapConnectivity and see the results
Use the Remote Connectivity Analyzer for IMAP and POP and see the results

Run the below commands to see the POP and IMAP settings
Get-POPSettings -Server CASservername
Get-IMAPSettings -Server CASservername

Restart your POP3 service and see the results
Check if your POP3 service has a valid certificate assigned
Run Get-ExchangeCertificate and see if the certificates are assigned to the POP and IMAP services.

Check your port configuration and ensure it is correct
Port 110 for POP3 without TLS;
Port 995 for POP3 with SSL;

If you have configured POP and IMAP with either SSL or TLS, then a valid certificate should be configured so that the service can respond over SSL or TLS (depending upon which type you choose).

Check the incoming and outgoing mail server in Outlook settings

We can enable the trace log and open the log from its configured location.

Please refer to http://technet.microsoft.com/en-us/library/aa997690(v=exchg.141).aspx to set the location and enable the log.
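The telnet banner check and the certificate requirement described above can be combined into one scripted test. This is an added example, not part of the original article; the function name and the host name mail.example.com are placeholders, and it assumes implicit TLS on ports 993 and 995.

```powershell
# Added example: banner and certificate check for POP3/IMAP endpoints.
# Test-MailEndpoint is a hypothetical helper name; it uses only .NET classes.
function Test-MailEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [switch]$Tls,               # implicit TLS: 993 (IMAP) and 995 (POP3)
        [int]$TimeoutMs = 5000
    )
    $out = New-Object PSObject -Property @{
        Server = $ComputerName; Port = $Port; Banner = $null; BannerOk = $false
        Subject = $null; Issuer = $null; NotAfter = $null; SelfSigned = $null
        SubjectAltName = $null; PolicyErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a filtered port does not hang the check
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
        $client.EndConnect($pending)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs

        if ($Tls) {
            # Let the handshake complete even with a bad certificate, but keep the
            # validation verdict so it is reported instead of hidden.
            $script:policyErrors = $null
            $validate = [System.Net.Security.RemoteCertificateValidationCallback] {
                param($s, $certificate, $chain, $errors)
                $script:policyErrors = $errors
                return $true
            }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $validate)
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $out.Subject      = $cert.Subject
            $out.Issuer       = $cert.Issuer
            $out.NotAfter     = $cert.NotAfter
            # The article requires a CA-issued certificate, so flag self-signed ones
            $out.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            # 2.5.29.17 is the Subject Alternative Name extension
            $out.SubjectAltName = ($cert.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join '; '
            $out.PolicyErrors = "$script:policyErrors"   # 'None' means name and chain validated
            $stream = $ssl
        }

        # POP3 greets with '+OK', IMAP with '* OK'
        $reader = New-Object System.IO.StreamReader($stream)
        $out.Banner   = $reader.ReadLine()
        $out.BannerOk = ($out.Banner -match '^(\+OK|\* OK)')
    }
    catch   { $out.Error = $_.Exception.Message }
    finally { $client.Close() }

    $out | Select-Object Server, Port, BannerOk, Banner, PolicyErrors, SelfSigned,
        NotAfter, Subject, Issuer, SubjectAltName, Error
}

# Usage against a placeholder host name (replace with your published POP/IMAP name):
# 110, 143 | ForEach-Object { Test-MailEndpoint -ComputerName mail.example.com -Port $_ }
# 993, 995 | ForEach-Object { Test-MailEndpoint -ComputerName mail.example.com -Port $_ -Tls }

# Server-side cross-check in the Exchange Management Shell:
# Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'POP|IMAP' } |
#     Format-List Subject, Issuer, NotAfter, IsSelfSigned, CertificateDomains, Services
```

A PolicyErrors value other than None, or SelfSigned set to True, points at the certificate rather than at the firewall.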

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Convert bulk mailbox users to mail enabled users after staged Exchange Migration to Office 365 from Exchange 2007

The most important step that we need to do after an Exchange migration from on-premises Exchange servers to Office 365 is to convert all the on-premises Exchange mailboxes to mail-enabled users (MEUs).

What happens if we decommission the on-premises servers without converting the mailboxes to MEUs

All the messaging-related user information in the cloud will be lost. That is, DirSync won't be able to find an associated target address for the users, and users won't be able to connect to their cloud mailboxes, which results in an incomplete off-boarding to Office 365.
DirSync won't be able to connect to the cloud mailbox and the user account in the DC.
DirSync won't be able to identify the target proxy address if we don't have an MEU for the user, and won't be able to locate the remote routing address.
Initially these values were stamped on the on-premises mailboxes. Since we have now moved all the mailboxes, we need to disable all the on-premises mailboxes, create an associated MEU for each of them, and then decommission the on-premises servers.

There are scripts that help convert mailboxes to MEUs, which make our job very easy.

• ExportO365UserInfo.ps1 – Collects information from your cloud mailboxes and saves it to a CSV file. The Exchange2007MBtoMEU.ps1 script uses the information in the CSV file to bulk-create the MEUs.

• Exchange2007MBtoMEU.ps1 – Converts on-premises mailboxes to MEUs

Please follow the below link to download these scripts

http://community.office365.com/en-us/w/exchange/845.convert-exchange-2007-mailboxes-to-mail-enabled-users-after-a-staged-exchange-migration.aspx

 

If you want to make this change for a single user, you can use the below steps

First run the below command to get these values

$user = Get-ADUser username -Properties mail,department,ProxyAddresses

Then disable the on-premises mailbox

Get-Mailbox -Identity $user.DistinguishedName | Disable-Mailbox -Confirm:$false

Now enable the MEU for the single user

Enable-MailUser -Identity username -PrimarySmtpAddress "give the value" -ExternalEmailAddress "give the value"

Set the associated proxy address for the single user

$user.ProxyAddresses = "set the proxy address value"
# Write the changed attribute back to Active Directory
Set-ADUser -Instance $user

 

Important note: This article applies only to Exchange 2007 on-premises. If you bring any Exchange 2010/2013 server into coexistence on-premises, you don't need to follow these steps, since the users are converted to MailUser objects automatically after the remote move completes.

Thanks

Sathish Veerapandian

MVP – Exchange Server

Update – Exchange Server meetings in Russian time zones as well as names of time zones may be incorrect after October 26, 2014

After October 26, 2014, some Exchange Server users who are in Russian time zones may see incorrect meeting times, and time zone display names may be outdated in OWA.

Microsoft released an update (KB 2998527) for Windows on September 23, 2014 to address this change. It should be installed on end-user PCs and servers, since Exchange and Outlook rely on Windows for the time zone information.

How to obtain this update

The following files are available for download from the Microsoft Download Center.

Update for Windows Server 2012 R2 (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1bf7a4a0-3bc1-41cc-a374-b4ce39468c32

Update for Windows Server 2012 (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=4f9e0be3-8b1e-4a55-a901-397a4b63953b

Update for Windows 8.1 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=ab371992-26ff-41dc-9c4f-d5ada0f40f5c

Update for Windows 8.1 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=349e7859-5815-45f3-8f4a-8054a3db804d

Update for Windows 8 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3691d9fd-6a0a-47cd-b809-82ad81a71082

Update for Windows 8 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=2f8d1b1f-ec76-4a3c-9d48-a85bfc0394b4

Update for Windows Server 2008 R2 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=388ab764-8dd4-4ec9-ab03-d7005c553d9c

Update for Windows Server 2008 R2 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=de6ccda2-8ddc-4368-bf20-57e54d3b1d18

Update for Windows 7 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=c3aaf9fd-9bcb-45d6-9573-370a750ed200

Update for Windows 7 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1f09acc5-8791-4d63-ae59-8a9b8d4f0ef3

Update for Windows Embedded Standard 7 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3f1ec6b5-8d72-45e9-9c14-26afeb8a92fb

Update for Windows Embedded Standard 7 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=afe9f877-1554-465c-a89b-0be103ab5468

Update for Windows Server 2008 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=04ff80b6-4581-4f2c-8133-f344d26d5d35

Update for Windows Server 2008 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=dede4525-57c1-4cb2-b454-0b617f35e357

Update for Windows Server 2008 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=27a6e895-869b-4011-ae11-ada1c25e26e2

Update for Windows Vista for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=ef48921e-d478-46d3-9b6f-8620a53fa4e8

Update for Windows Vista for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1707623b-ae1c-4250-ad55-011ec063c279

Update for Windows Server 2003 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=8573abcf-47a0-4a24-88fc-d8adde177781

Update for Windows Server 2003 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1f44929a-fc1b-4b41-b179-c48e4a2b1975

Update for Windows Server 2003 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=de452734-bb99-4d05-873e-0f12988f61d6

 

Things that we can troubleshoot for an affected user if issues are still reported by end users after the above update is applied

1) Restart the affected user's PC and see the results.

2) Log in to OWA as the affected user and check whether the time zone is set to UTC+4.

3) If it is set to a different time zone, then correct the value to UTC+4.

Check the date and time settings on the affected user's PC; they should show UTC+3, which is the Russian time zone.

4) Also run the below command to ensure that the affected user's time zone is Russian Standard Time

Get-MailboxRegionalConfiguration "affecteduserid"

5) If you notice the user's TimeZone is set to a different region, then run the below command to change the user to Russian Standard Time

Set-MailboxRegionalConfiguration "affecteduserid" -TimeZone "Russian Standard Time"

References – https://support.microsoft.com/kb/2998527?wa=wsignin1.0

Thanks 

Sathish Veerapandian

Update – ExPerfWiz 1.4 has been released

ExPerfWiz 1.4 was released on October 25th, 2014.

Following are the recent updates in ExPerfWiz 1.4

Fixed Circular Logging bug in Windows 2008+
Added ability to convert BLG to CSV for 3rd party application analysis (does not need to be run from EMS, just Powershell 2.0+)
Updated maxsize for Exchange 2013 to default to 1024MB
Fixed filepath bug on Windows 2003
Added/Removed various counters
Fixed location of webhelp
Updated -help syntax

ExPerfWiz is a script developed by Microsoft to collect performance data on servers running Exchange 2007, 2010 and 2013.

In the earlier version we had the option of running with the -nofull switch, with which it collects only the role-based counters. The current version runs in full mode, meaning that it collects all the performance counters relevant for Exchange troubleshooting purposes.

Below is an example that runs perfmon for a duration of 4 hours

Set duration to 4 hours, change interval to collect data every 5 seconds and set Data location to d:\Logs

.\experfwiz.ps1 -duration 04:00:00 -interval 5 -filepath D:\Logs

If it finds previous ExPerfWiz log data, it prompts for an option to delete the old entries, stops the data collector sets, creates new data collector sets and then starts collecting the data.

Note: This script takes the local server name and runs locally on the server if no remote server parameter is specified.

More Examples can be found at – http://experfwiz.codeplex.com/

Source of Information  – https://social.technet.microsoft.com/Forums/exchange/en-US/f8aa3e90-d49f-479f-b00b-c8444afefa65/experfwiz-14-has-been-released?forum=exchangesvrgeneral

Thanks 
Sathish Veerapandian

MVP – Exchange Server 

Ports and protocols Requirement for Exchange and Lync Server Deployment

Very often we might get confused in a new deployment project if we are running into multiple issues and tasks. The most confusing part that we will often run into is the port requirements for internal, external as well as related services. I have consolidated and prepared a document for the port requirements for a new deployment of on-premises Lync and Exchange servers.

Let's have a look at the Lync server requirements first –

The following ports should be opened for the respective protocol and direction, for a Lync-enabled user to function hassle-free with all features.

Port            Protocol      Direction       Usage
5060/5061       TCP/UDP       Bidirectional   For SIP
1434            UDP           Bidirectional   For SQL servers
443             STUN/TCP      Outgoing        Audio, video, application sharing sessions
444             HTTPS/TCP     Bidirectional   Lync Front End server
443             PSOM/TLS      Outgoing        Data sharing sessions
3478            STUN/UDP      Outgoing        Audio, video sessions, Desktop Sharing
5223            TCP           Outgoing        Lync Mobile push notifications
50000 – 59999   RTP/UDP       Outgoing        Audio, video sessions
5067            TCP/TLS       Bidirectional   Incoming SIP requests for Mediation servers
57501-65535     TCP/UDP       Bidirectional   Video conferencing
8057,8058       TCP/TLS       Bidirectional   Front End Service

 
For remote access to work for IM and Presence, it is mandatory that SIP traffic is allowed to flow bi-directionally. Hence, ports need to be allowed as follows:

• Port 443 and 5061 from Internet to Access Edge External IP (bi-directional)
• Port 5061 from Edge Internal IP to Internal Network (bi-directional)

The Edge server should be accessible from the Internet over ports 443, 3478 and 5061.
The reverse proxy requires port 443 to be opened.
For a mobile access user who is outside the corporate network, the request hits the reverse proxy and is then sent to the Front End pool or Director. No user-level authentication is done on the reverse proxy.
It is always recommended to implement a Director server role for additional security. The Director both offloads the authentication and provides an extra layer of security against DoS attacks.
The Director must be in the same subnet where the Front End Servers reside, which will be in the private network. It should not be in the perimeter network or DMZ.

 
Below is the flow of mobile application requests for the Mobility Service:

All external user Lync login requests from mobile devices -> go through the reverse proxy server -> then go to the Edge server -> and hit the Front End pool.
The Microsoft Lync Server gets user information from the Autodiscover service and then returns all the Web Services URLs for the user's home pool, including the Mobility Service URLs.

Below is the list of additional features that require external access through a reverse proxy for users accessing them externally. We need to think of validating them once the deployment is completed.

1) Enabling external users to download meeting content for any meetings.
2) Enabling external users to expand distribution groups.
3) Enabling remote users to download files from the Address Book service.
4) Accessing the Microsoft Lync Web App client.
5) Accessing the Dial-in Conferencing Settings webpage.
6) Accessing the Location Information service.
7) Enabling external devices to connect to Device Update web service and obtain updates.

Now we will look into the port requirement for Exchange servers as well.

Port Requirements for Exchange On-premises Servers (applies to Exchange 2010 and 2013):

Port        Protocol      Direction       Usage
25          SMTP          Bidirectional   For sending and receiving emails
50636       TCP           Bidirectional   From Hub to Edge and vice versa
135         TCP/RPC       Outgoing        Hub to Mailbox via MAPI
80/443      HTTP/HTTPS    Bidirectional   Autodiscover
993         TCP           Incoming        IMAP
995/110     TCP           Incoming        POP3 (either port, depending upon the configuration)
5075-5077   TCP           Incoming        CAS to OCS communications
5061        TCP           Outgoing        CAS to OCS communications

 

For OWA and Outlook Anywhere, port 443 should be opened in the firewall.
For IMAP, port 993 should be opened in the firewall. Port 25 should be opened on the firewall for both internal and external Internet mail flow traffic.

I think most of the port requirements for Lync and Exchange deployment have been added above. Feel free to comment or correct me if anything needs to be added or corrected.

Also Refer – http://social.technet.microsoft.com/wiki/contents/articles/28141.ports-and-protocols-requirement-for-exchange-and-lync-server-deployment.aspx

References:

http://technet.microsoft.com/en-us/library/gg398833.aspx

http://technet.microsoft.com/en-us/library/bb331973.aspx

http://support.microsoft.com/kb/2409256#VerifyNetworkRequirements

http://support.microsoft.com/kb/2423848

http://technet.microsoft.com/en-us/library/gg425727

Thanks 
Sathish Veerapandian

MVP – Exchange Server

PortQueryUI – GUI tool that can be used for troubleshooting port connectivity issues

At times we might run into scenarios where users are unable to access Exchange, Lync, Mobility or any related external user access functionality. This might happen in multiple scenarios, such as a new deployment, a firewall upgrade, a switch replacement or a network change.

Microsoft has a graphical tool called PortQueryUI which can be used to troubleshoot these kinds of scenarios with port connectivity issues.

The functionality of PortQueryUI is explained below.

Download the tool from the below link –

http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe

Accept the license agreement and proceed. Now we will be directed to unzip the files and choose a location to unzip.

Now we can open the PortQueryUI application. There is no need to install this app; it opens up the GUI directly.

It's better to run this tool from the affected machine/server where we are experiencing the issues, and then specify the destination IP of the server to which we are experiencing the connectivity issues.

We can see there are 2 types of query.

1) Query Predefined Service – This has a few predefined services such as SQL, Web Service, Exchange etc. When we choose any predefined service, it queries all the required ports and provides us the result as output.

2) Manually Input Query Ports – This can be used to query any specific ports on UDP, TCP or both.

We also have an option called Predefined Services in the Help tab, which helps us see the list of ports that it queries for any specific service that we choose.

 

The predefined services include a set of ports that it queries for Exchange.

It has an option to save the query result. It also allows the end user to customize config.xml or provide a config input file with a list of queries that define their own services. The config file should follow the same format as config.xml, since it accepts only XML input.

 

This tool can be used to query open ports during any kind of troubleshooting scenario.

Also published in – http://social.technet.microsoft.com/wiki/contents/articles/27661.portqueryui-gui-tool-that-can-be-used-for-troubleshooting-port-connectivity-issues.aspx

References – http://windowsitpro.com/windows/gui-tool-displays-status-tcp-and-udp-ports

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Steps to Delete circulated Suspicious emails with Search-Mailbox

In this article we will have a look at the steps to identify spam emails circulated in an environment. When a user suspects a spam email and informs the IT team, the first and foremost thing that comes to an admin's mind is whether the email has been circulated to everyone or not.

There are multiple scenarios where spam messages can be circulated in an environment.

  • From a single spam source email address to a single recipient.
  • From a single spam email address to multiple recipients.
  • From multiple spam email addresses to multiple recipients with different subject lines.

It's always better to search the whole organization to make sure the emails are not circulated to all the users.

The easiest way to identify the spam emails is to run a search command with the subject line so that all the affected mailboxes can be identified.

Now we will have a look at the steps to perform this action with the Search-Mailbox command.

First we need to add the user who is going to perform this task to the Discovery Management role group.
This should be done in order to use the Search-Mailbox command. If we do not add this, then the user won't be able to run the search command.

Create a new role group as below. We need this in order to export/import the contents from the source mailbox and copy them to the target mailbox.
Run the below commands to create the role group if we don't have one already. If we already have the import/export role group, then just add the user who is going to perform this action to that role group.
To create – New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
To add the user – Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator

Even if a single user suspects a virus message, it is better to search the whole organization to make sure the emails are not circulated to others. Now run the below command to search for the virus email throughout the organization. In our example we are going to identify an infected email with the subject "Virus Infected"

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full

Once we run the command, the search starts. The search may take some time depending upon the environment and the number of mailboxes we have.

Upon successful completion of the search, we can see the logs and the emails in the attached zip file.

Now we need to run the below command to search for the infected emails and delete all of them in the whole organization

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full

Once it identifies the affected emails, it asks us for confirmation before deleting the suspected emails.

Apart from the above, as an additional security check we can also run message tracking with the subject in the whole organization, to see to whom the infected emails have been circulated and to ensure all the emails have been deleted.

Run the below command to perform message tracking by subject in the whole organization. In our case we are using the subject "Virus Infected".

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageSubject "Virus Infected" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp

Important note:

Please add your account to the Discovery Management role group for the Search-Mailbox command to work.

Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator

The above method can be used to identify and delete any circulated spam email in our organization.
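A staged version of the search-and-delete procedure above: estimate first, stop if the query is too broad, delete only from the mailboxes that matched, then verify. This is an added example, not part of the original article; the sender address and the item threshold are assumptions, and it must run in the Exchange Management Shell with the role groups described above.

```powershell
# Added example. The subject is the article's; the sender is a constructed placeholder.
$subject  = 'virus infected'
$sender   = 'sender@example.com'
$maxItems = 500     # assumption: refuse to delete if more items than this match in total

# Subject plus sender is narrower than subject alone, which lowers the chance
# of removing legitimate mail that happens to share the subject line.
$query = 'Subject:"{0}" AND From:"{1}"' -f $subject, $sender

# Step 1: estimate only. Nothing is copied or deleted.
$hits = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly -WarningAction SilentlyContinue |
    Where-Object { $_.ResultItemsCount -gt 0 })

$total = ($hits | Measure-Object -Property ResultItemsCount -Sum).Sum
$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

if ($hits.Count -eq 0) {
    Write-Output 'No mailbox contains a matching message.'
}
elseif ($total -gt $maxItems) {
    Write-Warning "$total items match; the query looks too broad, nothing was deleted."
}
else {
    # Step 2: copy the matches to the investigation mailbox and delete them at the
    # source. Only mailboxes with hits are touched, and Search-Mailbox still
    # prompts for confirmation because -Force is not used.
    foreach ($h in $hits) {
        Search-Mailbox -Identity "$($h.Identity)" -SearchQuery $query `
            -TargetMailbox administrator -TargetFolder filter `
            -DeleteContent -LogLevel Full
    }

    # Step 3: verify that nothing matching is left in the affected mailboxes.
    $left = @($hits | ForEach-Object {
        Search-Mailbox -Identity "$($_.Identity)" -SearchQuery $query `
            -EstimateResultOnly -WarningAction SilentlyContinue
    } | Where-Object { $_.ResultItemsCount -gt 0 })

    if ($left.Count -gt 0) {
        Write-Warning 'Matching items remain in these mailboxes:'
        $left | Format-Table Identity, ResultItemsCount -AutoSize
    }
    else {
        Write-Output "Removed $total items from $($hits.Count) mailboxes."
    }
}
```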

Thanks

Sathish Veerapandian

MVP – Exchange Server

AdminAuditlogging in Exchange 2013

With admin audit logging enabled, we are able to keep track of the organizational and user-level changes that have been made in an environment. This gives us more information in case we need to track a major change that has been made and find out which person made it.

By default, admin audit logging is enabled in a new installation of Exchange 2013. With it, we can define a list of audit-logged cmdlets, so that any administrator who performs a task included in this list is captured in the logs. This gives us close security control over the messaging environment. We can also exclude a few cmdlets from admin audit logging, in which case those cmdlets won't be captured in the logs.

There is a default set of cmdlets that are logged once logging is enabled, which includes all cmdlets except the Get, Search and Test cmdlets. This means that Get, Search and Test cmdlets won't be captured in the audit logs. This can be modified through AdminAuditLogCmdlets. Each of the cmdlets to be monitored or excluded can be specified individually.

Now let's have a look at enabling and modifying the admin audit logging properties

Run the below command to check the audit logging properties

Get-AdminAuditLogConfig

In the output, only a few parameters are the main things which we need to concentrate on.

As we can see, AdminAuditLogCmdlets has the value *, which means it will log all cmdlets except Search and Get. We can also see that the AdminAuditLogExcludedCmdlets value is null, so there are no exclusions set by default.

I can enable logging only for a few important org-level commands by setting a value in AdminAuditLogCmdlets.

Let's say I want to exclude only a few cmdlets which the admins need for daily operations; I can include them in AdminAuditLogExcludedCmdlets.

I'm giving an example for this scenario. The below example logs only changes that have been made to accepted domains, mailbox databases and send connectors.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "New-AcceptedDomain","Set-SendConnector","Dismount-Database"

Note: In order to add multiple values, you need to specify the cmdlets in quotation marks, separated by commas.

Now only these values appear in AdminAuditLogCmdlets.

The below value will exclude Set-Mailbox, Disable-Mailbox and Enable-Mailbox from logging in our example.

Set-AdminAuditLogConfig -AdminAuditLogExcludedCmdlets "Set-Mailbox","Disable-Mailbox","Enable-Mailbox"

Now only these values appear in AdminAuditLogExcludedCmdlets.

We have now configured admin audit logging. From now on, all the changes made with the cmdlets listed in AdminAuditLogCmdlets will be stored.

Where do these logs get stored?

From Exchange 2010 SP1, the audit mailbox gets created automatically when we enable audit logging. It creates an admin audit logs folder in the audit mailbox and stores these logs there. Admins do not have access to this audit mailbox, which makes it more secure. The audit mailbox account is disabled by default. Even if an admin finds a way to access this audit mailbox, the access leaves traces in the log, and there is no way to access it without a history of traces.

Below are examples of searching a few admin audit logs

The below commands help in finding admins who recently dismounted a database or made any changes to the send connector configuration

Search-AdminAuditLog -Cmdlets Dismount-Database | ft RunDate,Caller,ObjectModified

Search-AdminAuditLog -Cmdlets Set-SendConnector | ft RunDate,Caller,ObjectModified

During an outage or similar scenario, if you would like to bypass these logs, you can use the Write-AdminAuditLog command to make an entry, so that this entry is made in your name and can be excluded. Below is an example

Write-AdminAuditLog -Comment "Ran Dismount-Database and Mount-Database"

Overall, it is very useful for monitoring organizational changes.
If we run this command once a month, we will be able to monitor
the organizational and server-level changes made by admins.
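The monthly review suggested above can be scripted so that it also checks the audit configuration itself, since a narrowed AdminAuditLogCmdlets list or any excluded cmdlet is a blind spot. This is an added example, not part of the original article; the watch list uses cmdlets mentioned on this page, and the 30-day window and CSV path are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell.
$start   = (Get-Date).AddDays(-30)          # assumption: review window of 30 days
$end     = Get-Date
$csvPath = 'd:\AdminAuditReview.csv'        # hypothetical output path

# 1. Check the audit configuration for blind spots.
$cfg      = Get-AdminAuditLogConfig
$logged   = @($cfg.AdminAuditLogCmdlets         | Where-Object { $_ })
$excluded = @($cfg.AdminAuditLogExcludedCmdlets | Where-Object { $_ })

if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning 'Admin audit logging is disabled.'
}
if ($logged -notcontains '*') {
    Write-Warning "Only these cmdlets are logged: $($logged -join ', ')"
}
if ($excluded.Count -gt 0) {
    Write-Warning "These cmdlets are never logged: $($excluded -join ', ')"
}

# 2. Pull the high-impact changes made during the review window.
#    Set-AdminAuditLogConfig is included so that changes to the logging
#    configuration itself show up in the same report.
$watch = 'Set-AdminAuditLogConfig', 'Dismount-Database', 'Set-SendConnector',
         'New-AcceptedDomain', 'Set-RemoteDomain', 'New-RoleGroup', 'Add-RoleGroupMember'

$entries = @(Search-AdminAuditLog -Cmdlets $watch -StartDate $start -EndDate $end -ResultSize 5000)

# 3. One CSV row per change, with the cmdlet parameters flattened to text.
$entries | Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Export-Csv $csvPath -NoTypeInformation

# 4. Summary on screen: who ran what, and how often.
$entries | Group-Object Caller, CmdletName -NoElement |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```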

Thanks
Sathish Veerapandian
MVP - Exchange Server

Script to identify the users forwarding, redirecting and forward as attachment emails to external ids

It's always difficult to prevent sensitive emails from being leaked out of an organization. To help avoid this, there are a few things that can be blocked in the global settings on the server end.

If the auto-forwarding and auto-reply options are enabled on the default remote domain, then any user can create an external contact in their local Outlook profile and forward all their emails to their external IDs. This again opens the possibility of sensitive data being leaked out of the organization.

The default remote domain has auto-forward and auto-reply disabled. That is the recommended configuration.

We need to disable the auto-forwarding and auto-reply options in the default remote domain. If we are forwarding any emails to trusted partners or vendors through an application, we can create a custom remote domain specifically for them and enable auto-forwarding for that particular remote domain alone. By doing this, no end users will be able to redirect, forward or forward as attachment their internal emails to their external IDs.

We can check that by running the below command

Get-RemoteDomain | ft Auto*


If it is enabled run the below commands to disable them

Set-RemoteDomain -Identity default -AutoForwardEnabled $false
Set-RemoteDomain -Identity default -Autoreplyenabled $false

Recently I was looking for a solution for this kind of issue and came up with the idea of a script that can be used to pull out users who have the redirect, forward or forward as attachment options enabled in their Outlook rules.

I have created a script which can be used to pull out this kind of information. The below script runs on all mailboxes in the entire organization and pulls out users who have external rules set. It then sends an email with the CSV file to the administrator, who can see who has this option enabled.

***************************************************

Set-ADServerSettings -ViewEntireForest $true

# Collect the matching rules from every mailbox first, then write the CSV once
$rules = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) { Get-InboxRule -Mailbox $mbx.DistinguishedName | where {($_.ForwardTo -ne $null) -or ($_.RedirectTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null)} | select MailboxOwnerID,Name,ForwardTo,RedirectTo,ForwardAsAttachmentTo }
$rules | Export-Csv d:\ForwardRule.csv -NoTypeInformation

# Mail the report to the administrator
Send-MailMessage -To alias@domain.com -Cc alias@domain.com -From anyid@domain.com -Subject "Forward To" -Attachments d:\ForwardRule.csv -SmtpServer specifytransportserver

*******************************************************

Copy the above text in a notepad and then save them as ps1. Navigate to the location where you saved it and then you can execute the command

Things you need to modify in the above script

Set the drive location for the csv file in a place where you wish to save.

For sending email in the to and cc field give user for whom you need this report to be sent

From address specify the address from where it needs to be sent and give the mailbox server as smtp server if it’s 2013 or hub server if it is 2010 or 2007.

Here is the example

Just copy the code into a text file and save it in ps1 format.

Navigated to the location and ran it.

Received the email

When we open the CSV file, the output lists the users who have the ForwardTo, RedirectTo and ForwardAsAttachment options set in Outlook rules for external IDs.

Note:

This command pulls out rules from a user's mailbox only if they are enabled. If the user has created a rule and has temporarily disabled it, the command won't fetch that information.
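
The script above selects rules on whether a forwarding target is set at all, while the concern here is mail leaving for external IDs. The following added example (not the author's script) narrows the report to rule targets whose domain is not one of the organization's accepted domains; the output path, the helper names Test-InternalDomain and Get-ExternalTarget, and the assumed text rendering of rule recipients are assumptions of this example.

```powershell
Set-ADServerSettings -ViewEntireForest $true

# Domains the organization accepts mail for; any other domain is treated as external.
$accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Test-InternalDomain {
    param([string]$Domain)
    foreach ($d in $accepted) {
        if ($d.StartsWith('*.')) {   # wildcard accepted domain: match its subdomains
            if ($Domain.EndsWith($d.Substring(1))) { return $true }
        } elseif ($Domain -eq $d) { return $true }
    }
    return $false
}

function Get-ExternalTarget {
    param($Recipients)
    foreach ($r in @($Recipients)) {
        # Assumption: recipients render as '"Name" [SMTP:user@domain]' or '"Name" [EX:/o=...]'.
        # EX: entries are directory objects and are skipped, so a mail contact that
        # points outside the organization is not resolved by this example.
        if ("$r" -match 'SMTP:([^\]\s]+)') {
            $address = $Matches[1]
            $domain  = ($address -split '@')[-1].ToLower()
            if (-not (Test-InternalDomain $domain)) { $address }
        }
    }
}

$report = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.DistinguishedName)) {
        $external = @(Get-ExternalTarget $rule.ForwardTo) +
                    @(Get-ExternalTarget $rule.RedirectTo) +
                    @(Get-ExternalTarget $rule.ForwardAsAttachmentTo)
        if ($external.Count -gt 0) {
            New-Object PSObject -Property @{
                Mailbox         = "$($mbx.PrimarySmtpAddress)"
                Rule            = $rule.Name
                Enabled         = $rule.Enabled
                ExternalTargets = ($external -join ';')
            }
        }
    }
}

# Constructed output path; write the CSV only when something was found.
if ($report) {
    $report | Select-Object Mailbox,Rule,Enabled,ExternalTargets |
        Export-Csv d:\ExternalForwardRule.csv -NoTypeInformation
}
```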

 

Thanks

Sathish Veerapandian

MVP – Exchange Server

Product Review: SPAMfighter Exchange Module

Protecting the IT infrastructure from spam mails, malicious code and malware is one of the important and challenging tasks, and it needs to be monitored always. There are different types of spam attack through which a user can try to crack the perimeter network of an organization and intrude to inject malicious code or phishing emails. The most widely used method for circulating spam is email, through which unwanted emails, large volumes of spam, reverse NDR attacks, etc. are circulated, adversely affecting the productivity of an organization.

It's always better to have two-step anti-spam filtering, or even more, in any organization to ensure that spam never reaches our network, especially the messaging system.

Microsoft has built-in anti-spam features which can be enabled from Exchange 2003 onwards; they work perfectly fine and are accurate in filtering spam emails. It's always recommended to have this feature enabled as additional security, along with additional spam configurations and settings in an environment.

But we always need to ensure that we are aware of all the settings configured for spam filtering at all levels in our organization, as incorrect configuration can interrupt end users in sending and receiving emails.

I just happened to walk through one of the most recent versions of an additional spam security product, SPAMfighter, and was much impressed with all the configurations, options and user friendliness of the product.

In this article let's walk through the installation and a few functionalities of the SPAMfighter Exchange Module.

What is SPAMfighter ?

It is an add-on to Exchange Server that fully integrates with it and offers anti-spam protection. It works with Exchange versions 2000, 2003, 2007, 2010 and 2013.

How does it work?

SPAMfighter administration is managed through a web interface which is very user friendly and has more options to explore.

It works fully integrated with Microsoft Exchange Server. It creates its own security groups and user account in AD, which integrate with the Exchange servers. This makes policy management easier for us and gives separate control over SPAMfighter. We can also use this to designate an individual who takes care of these tasks and has control only over this software.

Prerequisites 

There are no prerequisites required to install this software, as I ran it from a member server (Windows Server 2008). The only thing I noticed was that it required the Microsoft Visual C++ run-time to be installed; it prompted for it, found the software on its own and installed it, which made my job simple.

Installation

The product can be downloaded from here

http://www.spamfighter.com/SPAMfighter/Product_SEM.asp

It's a 30-day trial version and should be downloaded onto a Windows Server.

The installation was pretty much standard, as with all software, and it prompted me for the latest virus definition updates, so I will not walk through the entire setup.

One interesting thing I found during the installation was that it asked for a user name and password for SPAMfighter administration and automatically created the respective AD account to integrate with the Exchange modules.

 

Once the installation is done you can open the web console through Add or Remove Programs: select SPAMfighter and it opens the web console as below.

Give the user name and password given during installation.

Was astonished to see more options

In addition to the administration part on the server end, SPAMfighter has an Outlook add-in as well, which users can install to further customize filtering on their own.

It has good policies which can be filtered at various levels as shown below.

I can see policies defined for inbound, outbound and internal emails.

Also I could notice policy filter settings at user level too, which is very good.

All the users can be modified individually as well.

Finally a statistics report can also be pulled, which shows the graphical value of filtered emails as below.

Cost Factor

Like most apps which integrate with Exchange and charge licensing cost per user, SPAMfighter also has a licensing structure with cost on a per-user basis for one year. However, the cost factor reduces very well for organizations with more than 2500 users.

You can view the pricing list here

http://www.spamfighter.com/SPAMfighter/Payment_Choose_Product_SEM.asp

Conclusion 

Overall the SPAMfighter product is very user friendly, and the latest version has effective, cool new features which can be integrated with Exchange Servers for better spam filtering.

Thanks 

Sathish Veerapandian 

MVP – Exchange Server