Category Archives: Exchange2013

POP3 Error Msg=UserConnectionLimitReached

Recently, in one Exchange 2013 environment, POP3 clients started having problems downloading emails from the server.

The strange part was that users were unable to download emails only intermittently; the problem was not permanent for the POP3 accounts.
When the issue occurs, the POP3 accounts stall for a while and then, after some time, start collecting emails from the server again without any issues.

This really looked strange, so in order to troubleshoot further, POP3 protocol logging was enabled with the command below:

Set-POPSettings -Server "CAS01" -ProtocolLogEnabled $true

After a while, the POP3 protocol log showed the message Msg=UserConnectionLimitReached, which was strange to see.

This issue happens because the POP3 clients are sending more connection requests to the server than the per-user limit allows.

This is the main reason the application intermittently drops the connection.

When the number of connections per user exceeds the default allowed limit, the connection is forcibly closed by the mail server. The connection reset then happens 4 minutes later, after which the client can re-establish the connection and download emails until it again reaches the per-user threshold.

The default value for a single user is 16.

It can be seen in the EAC under Servers – Edit – POP3.

It can also be seen by running Get-POPSettings | fl

So the POP3 throttling policy allows the counter to reset after 24000 milliseconds. When a user's connection count exceeds the default value, that user will not be able to connect until the next counter reset happens.

Solution:

The POP connection limit can be increased by running the command below (replace <connectionvalue> with the new per-user limit):

Set-POPSettings -MaxConnectionsPerUser <connectionvalue>

It is important to note that both POP3 services (the front-end POP3 service and the POP3 backend service) need to be restarted for this change to take effect, so run the command below to restart them:

Get-Service *POP* | Restart-Service
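Before raising the limit it helps to know which users are actually hitting it and from how many clients. The script below is an added example, not code from the original post: it summarises UserConnectionLimitReached hits per user from the POP3 protocol log that ProtocolLogEnabled writes, and on an Exchange server shows the current MaxConnectionsPerUser alongside. The column names (user, cIp, context, dateTime) are read from the log's own "#Fields:" header and are assumed to be named that way in your build; the sample log lines are constructed.

```powershell
# Added example, not from the original post: summarise UserConnectionLimitReached
# hits per user from Exchange 2013 POP3 protocol logs, then (on an Exchange server)
# show the current MaxConnectionsPerUser so the two can be compared.
# Assumptions: the logs are the CSV files written once ProtocolLogEnabled is $true,
# with a "#Fields:" header naming the columns (the column names used below, such as
# user, cIp and context, come from that header and are assumed); the sample lines
# further down are constructed, not copied from a real server.

function Get-PopLimitHits {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $Pattern = 'UserConnectionLimitReached'
    )
    # "#Fields:" gives the column names; other '#' lines are metadata and are skipped.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found in the log input' }
    $header  = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $records = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $header

    $records |
        Where-Object { $_.context -match $Pattern } |
        Group-Object -Property user |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object dateTime)
            [pscustomobject]@{
                User      = $_.Name
                Hits      = $_.Count
                FirstSeen = $sorted[0].dateTime
                LastSeen  = $sorted[-1].dateTime
                # Several client IPs for one user usually means several devices or
                # mail apps polling the same mailbox, which is how the limit gets hit.
                ClientIPs = ($sorted.cIp | ForEach-Object { ($_ -split ':')[0] } | Sort-Object -Unique) -join ';'
            }
        } | Sort-Object Hits -Descending
}

# Constructed sample: user1 hits the limit from two different clients, user2 is fine.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: POP3 Log
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameter,context
2014-05-12T08:01:02.123Z,00000000000000A1,0,10.1.1.5:995,192.168.10.20:51234,user1@contoso.com,1,0,0,OpenSession,,
2014-05-12T08:01:02.456Z,00000000000000A1,1,10.1.1.5:995,192.168.10.20:51234,user1@contoso.com,3,0,0,pass,*****,"R=""-ERR Command is not valid in this state."";Msg=UserConnectionLimitReached"
2014-05-12T08:01:05.000Z,00000000000000A2,1,10.1.1.5:995,192.168.10.21:51300,user1@contoso.com,3,0,0,pass,*****,"R=""-ERR Command is not valid in this state."";Msg=UserConnectionLimitReached"
2014-05-12T08:01:09.000Z,00000000000000A3,1,10.1.1.5:995,192.168.10.40:50011,user2@contoso.com,2,0,0,pass,*****,R=+OK Logged in.
'@ -split "`r?`n"

# On a real server read the log files from the configured location instead, e.g.:
# $sample = Get-ChildItem (Join-Path (Get-POPSettings -Server $env:COMPUTERNAME).LogFileLocation '*.log') | Get-Content

Get-PopLimitHits -LogLines $sample | Format-Table -AutoSize

# Only available in the Exchange Management Shell; skipped elsewhere.
if (Get-Command Get-POPSettings -ErrorAction SilentlyContinue) {
    Get-POPSettings | Format-Table Server, MaxConnectionsPerUser, MaxConnections, ProtocolLogEnabled -AutoSize
}
```

With the constructed sample the table shows user1 with 2 hits from two client addresses and nothing for user2. A user who appears with many client IPs is usually running several mail apps against one mailbox; that is worth raising with the user before simply increasing MaxConnectionsPerUser for everyone.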

Additional Info:

The POP3 throttling policy values can be seen by running the command below:

Get-ThrottlingPolicy -Identity Default* | fl POP*

PopMaxConcurrency – specifies how many concurrent connections a POP user can have against an Exchange server at one time. A connection is held from the moment a request is received until a response is sent in its entirety to the requestor.
PopMaxBurst – specifies the amount of time that a user can consume an elevated amount of resources before being throttled.
PopRechargeRate – specifies the rate at which the user budget is charged back.
PopCutoffBalance – specifies the resource consumption limits for a user before that user is completely blocked from performing operations on a specific component.

There were Get-WorkloadPolicy cmdlets for IMAP and POP before Exchange 2013 CU6, but these cmdlets were removed in CU6 and replaced with Set-SettingsOverride; strictly, Set-SettingsOverride should be used only under the supervision of a Microsoft Support professional.

These values can also be modified based on requirements, for example if we have applications that need these values changed.

Thanks & Regards
Sathish Veerapandian

Frequent Popups in Outlook – The Microsoft Exchange Administrator has made a change that requires you quit and restart Outlook

This error message can frequently appear for users after a mailbox migration from Exchange 2010 to 2013 or 2016.

The actual catch is that this error comes up only for a few users, while everything appears perfectly fine for the rest. Outlook appears to be working fine and users are able to send and receive emails, except that this annoying message keeps prompting them very often.

On further analysis it was identified that this occurs only for users who have multiple delegated accounts mapped in Outlook: the user's mailbox resides on one database and the mapped delegated accounts reside on different databases.

For some reason the delegated account did not fully establish its connection to the new mailbox databases after the migration, and the user's delegate mailbox table did not receive the delegate permission account information. We could look deeper into the mailbox tables of the affected user with MFCMAPI by examining the ACL tables, but that would consume a lot of time.

Mostly the two solutions below will fix this issue:

1) Recreate the Outlook profile, which re-establishes connectivity to the new databases for the delegated accounts and updates the mailbox table for this user.
2) Move the mailbox to a different database, which resets the mailbox table receive folder values, updates the ACL tables for the delegate accounts and solves the issue.

But it is still not clear what causes this issue.
There is also one more possibility that might cause it:
the msExchHomePublicMDB attribute on Exchange 2016 databases should not reference the legacy public folder object (Exchange 2010).

If we find this value on Exchange 2016 databases we can go ahead and remove it, since there are no more OAB endpoints that depend on public folders and no more Outlook clients that require public folders in an Exchange 2013/2016 environment.

In order to remove them, perform the following:

Open ADSIEDIT.MSC – connect to the Configuration container – expand Services – Microsoft Exchange – Domain – Administrative Group – Exchange Administrative Group – Databases – right-click each database shown in the right pane and choose Properties – look for msExchHomePublicMDB and, if it has a value, clear it. Make sure to clear this value on all the other databases as well.
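Clicking through every database in ADSIEDIT is error-prone in a large organisation. The script below is an added example, not from the original post: it performs the same audit with the ActiveDirectory module, lists only the mailbox databases that still carry an msExchHomePublicMDB value, and clears the attribute only after a -WhatIf dry run. It assumes the ActiveDirectory module is installed, that the account can write to the Exchange configuration objects, and that mailbox databases are the objects of class msExchPrivateMDB; as the post says, this only applies once no Exchange 2010 public folder database is needed any more.

```powershell
# Added example, not from the original post: audit every mailbox database object in the
# Exchange configuration partition for a leftover msExchHomePublicMDB value and, once the
# list has been reviewed, clear it. It does with the ActiveDirectory module what the
# ADSIEDIT steps above do by hand. Assumptions: the ActiveDirectory module is installed,
# the account can write to the Exchange configuration objects, and mailbox databases are
# the objects of class msExchPrivateMDB.
Import-Module ActiveDirectory

function Get-DatabaseHomePublicMdb {
    # Presence filter: only databases that still carry a value in msExchHomePublicMDB
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC `
        -LDAPFilter '(&(objectClass=msExchPrivateMDB)(msExchHomePublicMDB=*))' `
        -Properties msExchHomePublicMDB |
        Select-Object Name, DistinguishedName, msExchHomePublicMDB
}

function Clear-DatabaseHomePublicMdb {
    # SupportsShouldProcess gives -WhatIf / -Confirm for free
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($db in Get-DatabaseHomePublicMdb) {
        $target = "$($db.Name) (msExchHomePublicMDB = $($db.msExchHomePublicMDB))"
        if ($PSCmdlet.ShouldProcess($target, 'Clear msExchHomePublicMDB')) {
            Set-ADObject -Identity $db.DistinguishedName -Clear msExchHomePublicMDB
        }
    }
}

# 1. Report which databases still point at a public folder database
Get-DatabaseHomePublicMdb | Format-Table -AutoSize

# 2. Dry run first, then the real change with a prompt per database
Clear-DatabaseHomePublicMdb -WhatIf
# Clear-DatabaseHomePublicMdb -Confirm
```

Run the report on its own first; if it returns nothing, the attribute is not the cause and the two solutions above (profile recreation or mailbox move) are the remaining options.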

Very important note:

The troubleshooting above is applicable only for users migrated from Exchange 2007/2010 to 2013/2016 and not, in any case, for the scenarios below.

1) The issue occurs after the mailbox was moved to a new Exchange site or forest with the same Exchange version (Exchange 2010).
2) The issue occurs after changes were made to the public folder databases in Exchange 2010.
3) The issue occurs after changes were made to the Exchange server endpoint.
4) Lync wasn't restarted after the mailbox was moved or after the Exchange server endpoint was changed.
5) You're running an older version of the Outlook client.
6) The service re-balances mailboxes on databases at various sites.

Thanks & Regards
Sathish Veerapandian
MVP  – Office Servers & Services

Configure New Store, storage , provisioning groups in Enterprise Vault in Exchange Environment

In this article we will have a look at the steps to provision Enterprise Vault at the storage, policy and group level.

Enterprise Vault is a big topic in itself considering all the functionality, configuration, features, HA, etc.

So here we will focus only on how to provision archiving for end users in a new deployment.

We need to look at the steps involved in creating storage, configuring backup, and creating a policy based on the retention that end users expect.

The following things need to be planned properly before the configuration:

a) Archive policy based on mailbox quota and number of months, e.g. if the quota exceeds 80 percent, emails older than 5 months should be archived.

b) Archive retention period for end users: how long the archived emails will stay, e.g. 5 years, 7 years, etc.

c) Retention of the shortcuts to archived items in the mailbox after the archive.

Once the planning above is done we need to configure a provisioning group and an archive policy, and create a store group and a store for the archive process to happen.

The following things need to be created:

a) A provisioning group to target the users who require the archive feature to be enabled.

b) A dedicated policy for this group based on the requirement.

c) A dedicated store group and store to hold all the archives.

d) Backup for these stores.

We will look at the steps to create the provisioning group first.

Log in to the Vault Administration Console, navigate to Provisioning Groups and select New Provisioning Group. Then:

1) Give it a name.

2) Associate the targets for this group. Targets can be OUs, the whole domain, or a distribution group. The best practice is to always target a distribution group and add the users who require EV to it, since OUs will contain service accounts and vendor mailboxes that would unnecessarily consume licenses.

3) Select the policy that you need to apply to this group of users based on your requirement.

4) Set the retention category.

5) Select the associated store and enable the option to automatically provision the mailboxes of people who come under this group.

Now we will look at creating the policy.

It is better to have multiple policies, since it is always better to segregate users based on their quota, the nature of their job and the amount of email they receive on a daily basis.

To create a new policy, open the Vault Admin Console, navigate to Policies and create a new mailbox policy.

These are the default values once it is created. Based on your requirement you can modify these values.

There is not much complexity involved in creating the policy, but if the users' retention requirement is not understood properly then later you would be in trouble. So it is better to set clear expectations with the end users before setting the policy.

Now we should look at creating a store for the archived mailboxes.

It is better to create a store group first.

Then create a store under the store group.

In the window that opens, give the partition a name and select whether it is open or closed. If you keep this partition open then partition rollover to it can happen if any of the other partitions are full. If you keep it closed then rollover to this partition will not happen.

Select the storage type; by default it is NTFS.

Then you need to specify the drives and drive path, and finally you have to run the test, which will indicate the success or failure of your configuration.

This is the partition rollover I was talking about in the earlier screenshots, which is an amazing feature.

You have the option to set the volume and time.

Here you set up the backup for this partition. The beauty of the archive is that when you create the store by specifying the SQL instance location, the DBs are created automatically.

These values now need to be chosen according to the type of backup you are using.

If you have a snapshot backup that is EV-unaware, then you need to select the option to check for a trigger file.

If you have an EV-aware backup, most likely Backup Exec from Symantec, then you can use the first option.

Note: It is very important to keep in mind that these backups will never help you with brick-level restores for end users. They are meant only for system recovery scenarios.

So when a user permanently deletes an archive from EV it is gone forever.

Then you need to use the file collection software if you are using the second option,

and enter the time at which you need to run this file collection software.

After this, once you click Finish, the archive is configured. Based on your Archiving Mailbox Server task schedule, the archiving job will start running.

There are a few more backup configurations that need to be done if you choose the second option. We will look at that separately in another write-up, since adding that information would definitely confuse and increase the length of this blog.

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Best practices to be followed to configure Backup in Exchange 2010/2013

Backing up the Exchange server is very important to protect against data loss. If you aren't running Exchange Server backups then your transaction logs will eventually fill up their storage volume.

In this article we will look at a few steps that we need to consider when configuring backup in Exchange 2010/2013.

Backups are very much necessary in case of a whole disaster, for retention of data for a period of time, and for performing granular restores for end users as well.

Choosing the Backup Media

Disk or Tape ?

Over the years, tape backup has been doing a great job. Cost-wise they are also a little cheaper compared to SATA storage and disk arrays, which need to be extended as users and applications increase.
So tape still has an advantage, particularly for larger backup volumes.
But when comparing performance, disk backups win.
Disk-based solutions will also usually be better for faster recovery.

More realistically, a disk-based solution will involve copying data between two storage systems over a WAN from one site to another. If you are ready to pay for these expensive WAN links and replication then disk backup should be fine.

It is always better to keep the daily and weekly backups on disk (virtual tape library), which helps in disaster and daily restore scenarios, and the larger monthly, quarterly and annual backups on tape, because there is no point keeping all this large data on expensive data-center storage for the purpose of retention when tapes will do the same job.

Plan for the Retention period

Planning the retention of the data is very important. It plays a vital role in restoring data as well as in providing any old data that is required for legal cases.

It is mandatory that retention is defined for the following backups.

Daily Backups

These decide the single point of restoration for end users on a specific day. It is better to keep the daily backup retention to a period of at least 3 months so that a granular restore for a specific date can be done.

Weekly Backups

These decide the single point of restoration for end users on a specific week. It is better to keep these backups to a retention of at least 6 months, which helps to recover emails if the first case fails.

Monthly Backups

These decide the single point of restoration for end users on a specific month. It is better to keep this retention for at least 1 year.

Quarterly Backups

Quarterly backups are very important for restoring data when dealing with legal cases or restoring emails of resigned staff. So it is better to keep this retention for 3 years.

Annual Backups

Annual backups do the same job of retaining data for dealing with any cases. It is better to keep the annual backups for a period of 5 years.

Quarterly and annual backups can be taken on a tape drive and kept aside, since they will mostly not be used and will not be involved in disaster cases.

Setting end user Recovery Standards

Setting the scope of possible restores from backup for end users is very important, since they need to be aware of what can be restored.

So you need to carefully go through your backup retention periods and inform users about the possible monthly restores. At any point in time, if users are missing data from within the last month, it is always advisable for the help desk to restore it from the dumpster.

So it is better to prepare an end-user Recovery Standard scope document and hand it over to the help desk team so that they are aware of the possible restores.

Check  Mailbox server performance during the backup

This point is very important: we need to check the performance of the mailbox servers during the backup window. Though the backup will be running in off-production hours, there are cases where your CEO might be accessing an important email after working hours.

ESEUTIL runs during the backup process to verify the integrity of the databases, which makes the backup disk I/O intensive. If the storage configuration is not proper, the normal disk read/write times will increase. If the storage has a bottleneck, the normal RPC read/write operations will be delayed, and all end users will severely experience connectivity issues.

When the backup is triggered, go to the event viewer on the mailbox servers and look for any RPC, ESE, VSS writer, storage errors, etc.

Create a test account on any of the databases being backed up, log in through Outlook, OWA and ActiveSync and measure the performance.

If you have a DAG configured in your setup with an active/passive distributed layout, check your active copies as well. Check whether I/O operations increase on the active copies during the backup. Also check the event logs to see if anything related to them appears.

If you don't see anything on them then the backup should be fine.

Note: The above steps are applicable only when you configure the backup solution for the first time on your mailbox servers.

Later you can prepare a daily checklist of the backup status on all the mailbox servers to ensure the backups are completed. Daily checking of the backups is very important, since a successful backup truncates your old logs and keeps space free on your storage. There are many scripts written by experts on the TechNet Gallery which you can schedule and run through Task Scheduler.
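A minimal version of that daily checklist, as an added example that is not from the original post: it lists every mailbox database with its most recent backup time and flags any database that has not been backed up inside the allowed window, which is exactly the condition that lets transaction logs pile up. It assumes it runs in the Exchange Management Shell, where Get-MailboxDatabase -Status populates LastFullBackup, LastIncrementalBackup and BackupInProgress; the 26-hour window and the sample objects used when those cmdlets are absent are constructed for illustration.

```powershell
# Added example, not from the original post: a daily backup check that lists every
# mailbox database with its most recent backup time and flags databases that have
# not been backed up inside the allowed window. Assumptions: run from the Exchange
# Management Shell, where Get-MailboxDatabase -Status populates LastFullBackup,
# LastIncrementalBackup and BackupInProgress; the 26-hour window and the sample
# objects used when those cmdlets are absent are constructed for illustration.

function Test-DatabaseBackupAge {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Database,
        [int] $MaxAgeHours = 26,              # daily backup plus slack for overruns (assumed)
        [datetime] $Now = (Get-Date)
    )
    process {
        # Either a full or an incremental backup truncates logs, so take the newer of the two.
        $last = @($Database.LastFullBackup, $Database.LastIncrementalBackup) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        $ageHours = if ($last) { [math]::Round(($Now - $last).TotalHours, 1) } else { $null }
        $status   = if (-not $last)                     { 'NEVER BACKED UP' }
                    elseif ($ageHours -gt $MaxAgeHours) { 'STALE' }
                    else                                { 'OK' }
        [pscustomobject]@{
            Database         = $Database.Name
            Server           = "$($Database.Server)"
            LastBackup       = $last
            AgeHours         = $ageHours
            BackupInProgress = [bool]$Database.BackupInProgress
            Status           = $status
        }
    }
}

if (Get-Command Get-MailboxDatabase -ErrorAction SilentlyContinue) {
    $databases = Get-MailboxDatabase -Status
} else {
    # Constructed sample so the check can be tried outside Exchange
    $now = Get-Date
    $databases = @(
        [pscustomobject]@{ Name = 'DB01'; Server = 'MBX01'; LastFullBackup = $now.AddHours(-5); LastIncrementalBackup = $null;           BackupInProgress = $false }
        [pscustomobject]@{ Name = 'DB02'; Server = 'MBX01'; LastFullBackup = $now.AddDays(-3);  LastIncrementalBackup = $now.AddDays(-2); BackupInProgress = $false }
        [pscustomobject]@{ Name = 'DB03'; Server = 'MBX02'; LastFullBackup = $null;             LastIncrementalBackup = $null;           BackupInProgress = $true  }
    )
}

$report = $databases | Test-DatabaseBackupAge
$report | Sort-Object Status, Database | Format-Table -AutoSize

# Hook for a scheduled task or monitoring job: warn when anything needs attention
$problems = @($report | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} database(s) need attention: {1}" -f $problems.Count, ($problems.Database -join ', '))
}
```

With the constructed sample, DB01 reports OK, DB02 STALE (its newest backup is two days old) and DB03 NEVER BACKED UP. When scheduling it, have the task treat the warning (or a non-zero exit code you add at the end) as the alert condition, so a silently failing backup job is noticed before the log volume fills.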

Test the Backup

Testing the backup is mandatory. Just because backups have been configured does not mean we are on the safe side; testing the backup is very much necessary.

There are several scenarios we can test, and I have listed a few of them:

Check whether the backup supports restores in other languages. For example, if I have an end user with a French mailbox, with all emails in French, and a backup has been taken for them, a restore of this mailbox should succeed with all the emails visible in French, both body and subject.

Take 2 users with the same UPN but different SAM account names and see whether the backup restores their contents.

Restore the weekly backup and check the results.

Restore the monthly backup as well and check the results.

Thanks

Sathish Veerapandian

MVP – Exchange Server

Migrating Exchange 2010\2013 services from TMG to F5 Big IP

As we all know, TMG was a great, fantastic and fabulous product which served well for most externally published web services. I know most of us are really worried about the reason for discontinuing this awesome product. So now people are moving towards alternatives to replace TMG.

Among the few good alternatives, the F5 load balancer is one of the great products. Recently I had a chance to be involved in and work on such a project, which was led by a messaging expert and a network specialist.

I would like to share a few experiences that I gained and things that we need to consider during this migration.

In TMG we had the option to publish any site, set up and control authentication delegation and application settings, and provide a secure way to access these URLs through the reverse proxy.

I still feel bad about ISA and TMG being abandoned by Microsoft, as deploying Exchange and Lync in an environment worked equally well with ISA/TMG for most deployments.

On F5 BIG-IP you need to use the iApp template for the version of Exchange that you are currently running, from the F5 support website.

You can download the latest iApp template for Exchange from the link

https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13497.html

I'm not going to explain more about importing these iApp templates on the LTM and configuring the settings, since in this blog I'm going to explain the best practices that we can follow for Exchange 2010 and 2013.

People who would like to explore more can always try the virtual LTM trial version from the link below and publish Exchange services through it:

https://www.f5.com/trial/big-ip-ltm-virtual-edition.php

Just download it and install it on any VM to test the functionality.

Below are the things that we need to consider in this migration:

1) Choose your type of SSL method

Decide what type of SSL handling you are going to use.

SSL offload

If you use SSL offload then all the SSL decryption happens on the F5 itself. Connections from the F5 to the CAS then go unencrypted.

Benefits of doing this:

Your CAS will not have the load of performing the SSL decryption.

Disadvantages:

There are possibilities of application-layer attacks with this method, since the connection from the network layer to the application layer goes unencrypted.

SSL bridging:

If you use this method then SSL decryption happens on the F5, which in turn re-encrypts and sends the connections encrypted to the CAS servers.

Benefits of doing this:

A double layer of SSL connection checks is done, on the network layer by the F5 and on the CAS servers.

Disadvantages: If you are using a small number of CAS servers then the load on them might increase, which happens in few scenarios.
I cannot recommend one over the other, because ultimately it is you who needs to evaluate your network structure, performance and the extra layer of security wrapped around your environment.

But my best recommendation is always to stick with SSL bridging.

2) Prepare your SSL certificates for Exchange services

For any of the above options you need an SSL certificate on the BIG-IP to perform the decryption and encryption. So get an SSL certificate and install it on the BIG-IP system.

To configure your Client Access servers to support SSL offloading, you must first follow the Microsoft documentation. See

http://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-ssl-offloading-in-exchange-2010.aspx

3) If you are using the new MAPI over HTTP transport protocol in Exchange 2013 there is a little challenge. This new service is not yet included in the iApp template, so you must manually configure the BIG-IP system to support it.

4) As part of testing your migration, never direct the external Exchange traffic from TMG to F5 and then to the CAS, removing TMG later.

 

Below are the reasons:
a) TMG uses ARP requests to prevent switch port flooding in unicast NLB.

b) F5 extracts only the MAC address from the Ethernet adapter instead of using ARP requests. Since TMG masks the MAC address of the hosts, F5 will not get the information it requires.

5) Certificates that you obtain with multiple names must be in SAN (Subject Alternative Name) format only, not SNI (Server Name Indication) format.

6) Enable TCP request queuing in the iApp template

TCP request queuing provides the ability to queue connection requests that exceed the capacity of the connection pool. You can choose this option if it is a small deployment with one CAS server.

Basically, if the TCP connections exceed the capacity of the pool, it holds the connections instead of dropping them.

7) Secure EAC access for Exchange 2013 only

Configure settings in the iApp to restrict EAC access by group membership. Select this option if you want to restrict EAC access to the Organization Management group.

The BIG-IP APM module queries Active Directory group membership for the user making the request to EAC. If the user is not a member of the Organization Management group, the BIG-IP APM policy denies access.

8) Choose your authentication for OWA

Use the BIG-IP APM module to provide secure access and proxied authentication (pre-authentication) for the HTTP-based Client Access services: Outlook Web App, Outlook Anywhere, ActiveSync and Autodiscover. The BIG-IP APM presents a login page to end users that takes the place of the forms-based login page normally presented by Outlook Web App.

If you have configured FBA on the CAS virtual directory then you do not need to configure this authentication on the F5, because users would be prompted for double authentication, once on the F5 and again on the CAS virtual directory, which is painful. I always prefer to do this part on the CAS virtual directory and leave the reverse proxy setting as it is.

9) You can configure health checks for OWA, Outlook Anywhere and the other services in the F5. You need to specify how often the system checks the health of the CAS servers; the default recommended value is 30 seconds. You can configure this to monitor all these services.
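To see what the load balancer's monitor will see before you cut over, you can probe the same per-protocol health page yourself. The script below is an added example, not from the original post or the F5 iApp: it requests the healthcheck.htm page that each Exchange 2013 Client Access virtual directory serves and reports UP/DOWN per server and service. The server names are constructed, the list of virtual directories is an assumption about which ones expose the page in your build, and the request uses whatever certificate trust your client has, so probe by the name the monitor will use.

```powershell
# Added example, not from the original post: probe the health-check page that each
# Exchange 2013 Client Access virtual directory serves, which is the kind of request a
# load balancer monitor sends before it keeps a CAS in the pool. Assumptions: the
# server names are constructed; the virtual directory list is an assumption about
# which ones expose /healthcheck.htm in your build; a trusted certificate for the
# probed name is required or the request fails (and is reported as DOWN).

function Test-CasHealthCheck {
    param(
        [Parameter(Mandatory)] [string[]] $Server,
        [string[]] $VirtualDirectory = @('owa', 'ecp', 'ews', 'mapi', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'rpc', 'oab'),
        [int] $TimeoutSec = 10
    )
    foreach ($s in $Server) {
        foreach ($vd in $VirtualDirectory) {
            $url = "https://$s/$vd/healthcheck.htm"
            $status = 'DOWN'; $detail = $null
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                # Exchange answers HTTP 200 when the protocol on that server is healthy
                if ($r.StatusCode -eq 200) { $status = 'UP' }
                $detail = "HTTP $($r.StatusCode)"
            } catch {
                # Certificate errors, timeouts and 5xx responses all land here
                $detail = $_.Exception.Message
            }
            [pscustomobject]@{ Server = $s; Service = $vd; Status = $status; Detail = $detail }
        }
    }
}

function Get-UnhealthyCas {
    param([Parameter(Mandatory)] [string[]] $Server)
    # Only the failures, grouped so a whole server being down is obvious
    Test-CasHealthCheck -Server $Server |
        Where-Object { $_.Status -ne 'UP' } |
        Group-Object Server |
        ForEach-Object {
            [pscustomobject]@{ Server = $_.Name; FailedServices = ($_.Group.Service -join ', '); Count = $_.Count }
        }
}

# Constructed server names; replace with your CAS FQDNs
$cas = @('cas01.contoso.local', 'cas02.contoso.local')

Test-CasHealthCheck -Server $cas | Format-Table -AutoSize
Get-UnhealthyCas -Server $cas | Format-Table -AutoSize
```

Run it from the same network segment as the F5 and with the same host names the monitor is configured with; a service that shows DOWN here will be pulled from the pool by a 30-second monitor too, so fix it before shifting the production IPs.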

10) Decide and perform the migration

After deciding on and performing all the above, you need to plan the migration of the services from TMG to F5. Perform the following steps:

a) Arrange test PAT IPs for Autodiscover, Outlook Anywhere and webmail from your network team.
Configure the rules in the iApp template to listen on these IPs.

b) Choose a few users and add host entries for Autodiscover, Outlook Anywhere and webmail on their PCs.
c) Monitor and test the connectivity for a couple of weeks.
d) If the connectivity tests are successful, on a chosen day shift the original IPs of all the Exchange services and stop all the TMG services.

The above are a few guidelines which might help in migrating the Exchange services from TMG to F5.

Hope this helps

Sathish Veerapandian

MVP – Exchange Server

Custom address list for Unified Messaging and update speech grammar file in Exchange 2013

In this article let's have a look at a few important things that we need to consider before enabling the Unified Messaging feature for end users.

When the Unified Messaging feature is enabled it requires a grammar file to provide the voice user interface (VUI) that uses Automatic Speech Recognition (ASR). It updates the grammar for UM-enabled users from the global address list, based on the speech grammar filters and languages that are configured.

It is better to create a custom address list for the UM auto attendant and allow callers to send voice messages only to this custom address list.

There are a few benefits of doing this.

1) You add only the users who require UM to this custom address list.

2) You create the custom address list only with mailbox users, so that the contacts present in the global address list are excluded.

Now let's have a look at how to accomplish this task.

Run the command below to create a custom address list for Unified Messaging.

New-Addresslist -Name UMVoice -IncludedRecipients MailboxUsers

IMPORTANT: For a grammar file to be generated for a distribution list, the distribution list must not be hidden.

Later, scope the UM auto attendant only to this custom address list, as below.

Open the EAC and navigate to Unified Messaging.

Select the Transfer & Search option and choose only the address list that was created for UM. You can add only the users for whom you have the UM feature enabled.

You can also run the command below to accomplish this task:

Set-UMAutoAttendant -Identity MyUMAutoAttendant -ContactScope UMVoice

This way you can exclude the contacts.

The Exchange Unified Messaging role takes speech input from callers to perform directory look-ups. It looks up the display name of the UM-enabled user in the GAL and then inserts it into the speech grammar.

When display names contain periods, the speech input might at times not be recognized properly on Exchange 2010 UM servers.

You can run the command below to rectify this issue for Exchange 2010:

Set-Csuser -Identity sathish@exchangequery.com -PhoneticDisplayName 'Sathish Ravi'

After performing the above you need to run Galgrammargenerator.exe (GGG.exe).

For Exchange 2010 run this command – Galgrammargenerator.exe -d MyUMDialPlan

For Exchange 2013 there is no command to perform this action.

In Exchange 2013 the GAL speech grammar file is stored in the arbitration mailbox and then later downloaded to all Mailbox servers in the Exchange organization.

By default, the Mailbox Assistant runs every 24 hours. You can adjust the frequency by using the Set-MailboxServer -ManagedFolderWorkCycle cmdlet.

But the better way to address this is to simply restart the Microsoft Exchange Mailbox Assistants service after you create a new dial plan and leave the generation cycle as it is at 24 hours. When we restart it, all the GAL speech grammar files will be updated.

Thanks 
Sathish Veerapandian

MVP – Exchange Server

 

Restrict end users from using third party active sync enabled applications

Nowadays there are so many ActiveSync-enabled applications which end users can download, install on their mobile devices and use to access email.

If we have an MDM solution in place to control end users' mobile devices then we don't need to worry about this part.

In most MDM solutions the implementation separates the device's own policy, the corporate device policy and the applications that can be downloaded and used on the device.

The challenge comes when we do not have an MDM solution in place and users access email from their mobile devices without any ActiveSync policies configured.

In this article let's have a look at some troubleshooting guidelines that we can follow to block users who try to access email from their mobile devices through a third-party ActiveSync-enabled application.

 

How to find the ActiveSync connections coming from different mobile applications

You can filter and see the ActiveSync requests in the reverse proxy/firewall. This is the best way and you can find them easily.
To find the users who are using an app to access email via ActiveSync, perform the following:

1) Filter the ActiveSync requests in your firewall or reverse proxy accordingly and start the query.

2) Usually most firewalls and reverse proxies will show you the source, destination and the request after the filter.

You need to concentrate on the request alone.

Below is an example of a normal ActiveSync request:

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm

If the user's device is connected through an application, e.g. CloudMagic, you can see the word "CloudMagic" in the request URL. This way you can identify the users; it should be easy.

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm=CloudMagic

 

You can also use the Exchange cmdlet's QueryString parameter and filter the device access rules. This will help you identify what type of devices are connecting. Use the command below to see the type of connections through ActiveSync:

Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

Note:

You will get output from the above only if you have created a device access rule for the same.

In the QueryString parameter you can see the type of software that ActiveSync is using to connect.

There is one more method to identify the type of devices that connect through ActiveSync: the IIS logs.

Below is an example of how the log entry looks for an Android device type.

POST http://domain.com/Microsoft-Server-ActiveSync?default.eascmd=sync&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Andriod
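Reading request lines by eye works for a handful of users; for a whole proxy or IIS log it is easier to parse the query string. The script below is an added example, not from the original post: it pulls User, DeviceType, DeviceId and the client-app value out of ActiveSync request lines like the ones above, flags anything that is not a native mail client, and lists the distinct values you would review before creating a device access rule. The sample lines are constructed from the post's examples; treating the "Cm" parameter as the app name and the list of device types considered native are assumptions, not Exchange documentation.

```powershell
# Added example, not from the original post: pull the User, DeviceType, DeviceId and
# client-app (Cm) values out of ActiveSync request lines such as the ones above and
# flag anything that is not a native mail client, so the output can feed a device
# access rule. Assumptions: the request lines are constructed from the examples in
# the post; the "Cm" query parameter naming the app and the list of device types
# treated as native are assumptions, not Exchange documentation.

function Get-EasClientSummary {
    param(
        [Parameter(Mandatory)] [string[]] $RequestLine,
        # Device types that ship with the OS mail client (assumed list, extend as needed)
        [string[]] $NativeDeviceType = @('iPhone', 'iPad', 'Android', 'WindowsPhone', 'WP8', 'WP')
    )
    foreach ($line in $RequestLine) {
        # Keep only ActiveSync requests and grab the query string after '?'
        if ($line -notmatch 'Microsoft-Server-ActiveSync\?(?<qs>\S*)') { continue }
        $qs = $matches.qs

        # Keys vary in case between clients (DeviceId vs deviceID above), so normalise them
        $p = @{}
        foreach ($kv in ($qs -split '&')) {
            $k, $v = $kv -split '=', 2
            if ($k) { $p[$k.ToLower()] = [uri]::UnescapeDataString("$v") }
        }

        $app  = $p['cm']
        $type = $p['devicetype']
        $reason = if ($app) { "client app '$app' in query string" }
                  elseif ($type -and $NativeDeviceType -notcontains $type) { "unrecognised DeviceType '$type'" }
                  else { $null }
        # Value you would pass to New-ActiveSyncDeviceAccessRule -QueryString after review
        $blockValue = if ($app) { $app } elseif ($reason) { $type } else { $null }

        [pscustomobject]@{
            User       = $p['user']
            DeviceType = $type
            DeviceId   = $p['deviceid']
            ClientApp  = $app
            ThirdParty = [bool]$reason
            Reason     = $reason
            BlockValue = $blockValue
        }
    }
}

# Constructed sample request lines, modelled on the examples in the post
$requests = @(
    'POST /Microsoft-Server-ActiveSync?User=alice&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cmd=Sync'
    'POST /Microsoft-Server-ActiveSync?User=bob&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cmd=Sync&Cm=CloudMagic'
    'POST /Microsoft-Server-ActiveSync?default.eascmd=sync&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Android&User=carol'
    'POST /Microsoft-Server-ActiveSync?User=dave&DeviceId=7f7f7f7f7f7f&DeviceType=SomeMailApp&Cmd=Sync'
    'GET /owa/auth/logon.aspx?url=https://mail.contoso.com/owa/'
)

$summary = Get-EasClientSummary -RequestLine $requests
$summary | Format-Table User, DeviceType, ClientApp, ThirdParty, Reason -AutoSize

# Distinct values worth turning into Block rules (review before creating them)
$summary | Where-Object ThirdParty | Select-Object -ExpandProperty BlockValue -Unique
```

With the constructed sample, alice and carol are native clients, bob is flagged because of Cm=CloudMagic, and dave is flagged because SomeMailApp is not in the native list; the OWA line is ignored. On a real log, feed it the request column of your proxy export or `Get-Content` of the IIS log, and review the distinct BlockValue list with the user population before turning any of it into a rule.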

 

Now how do we block all these types of connections and allow only Native client ?

I have mentioned few points which will definitely help in address these kind of issues

1) Create a new device access rule and block the applications through which end users should not connect through

In my example i have created a new device access rule to stop the connections coming from cloudmagic application.

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString “CloudMagic”

2) Add a Request Filtering rule to the web.config file to stop connections from specific applications.

Edit the web.config file under the front-end HttpProxy folder on each Client Access server (or multi-role server) and add a rule that denies any request containing the application's string; in my case that is CloudMagic.

Location of the EWS web.config:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews

A rule in the ews web.config only affects clients that use Exchange Web Services; Microsoft-Server-ActiveSync requests are served by the sync virtual directory mentioned below, which is the one that matters for ActiveSync. The <denyStrings> element belongs inside a <filteringRule> under <system.webServer><security><requestFiltering><filteringRules>:

<filteringRule name="BlockCloudMagic" scanUrl="true" scanQueryString="true">
    <denyStrings>
        <add string="CloudMagic" />
    </denyStrings>
</filteringRule>

Add the same rule on the ActiveSync virtual directory of the Client Access server as well, which is where the Microsoft-Server-ActiveSync requests actually arrive:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync

Run iisreset after this.

Note: Take a backup of the web.config file before making this change. Exchange cumulative updates replace these web.config files, so the rule has to be reapplied after every update.

Additionally, create a rule on the firewall or reverse proxy that drops any ActiveSync request whose URL contains the CloudMagic string, so the traffic is stopped before it reaches Exchange.

After performing the above, log in to your reverse proxy, filter on that query string and confirm that requests containing CloudMagic are being blocked (they should be).
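An added example, not part of the original post, that carries out step 1 from the Exchange Management Shell and then confirms both layers of the block. It assumes the DeviceType string to block is exactly "CloudMagic" as in the rule above (verify the real value your clients send first) and that mail.domain.com is a placeholder for your external ActiveSync hostname. The unauthenticated probe at the end relies on IIS Request Filtering rejecting a request before authentication, so a denied string comes back as 404 while a normal client string reaches the authentication stage and gets 401.

```powershell
# Added example, not from the original post. Creates the device access rule from
# step 1 and confirms both layers of the block. Assumptions: "CloudMagic" is the
# exact DeviceType string the clients send, and mail.domain.com stands in for the
# external ActiveSync hostname.
$BlockedType = 'CloudMagic'
$EasHost     = 'mail.domain.com'

# 1) List the DeviceType strings Exchange has actually recorded. Access rules match the
#    QueryString literally, so a rule for "Cloud Magic" would never hit "CloudMagic".
Get-MobileDevice -ResultSize Unlimited | Group-Object DeviceType |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# 2) Create the block rule once; a second rule with the same characteristic and
#    QueryString is rejected.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $BlockedType }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString $BlockedType
}

# 3) Devices of that type show DeviceAccessState = Blocked after their next sync attempt.
Get-MobileDevice -ResultSize Unlimited | Where-Object { $_.DeviceType -eq $BlockedType } |
    Format-Table UserDisplayName, DeviceType, DeviceAccessState, DeviceAccessStateReason -AutoSize

# 4) Probe the web.config / Request Filtering layer. Request Filtering runs before
#    authentication, so an unauthenticated request carrying the denied string is
#    answered with 404 (IIS sub-status 404.19), while a normal DeviceType reaches
#    authentication and is answered with 401.
function Test-EasProbe {
    param([string]$DeviceType)
    $url = "https://$EasHost/Microsoft-Server-ActiveSync?Cmd=Sync&User=probe&DeviceId=probe01&DeviceType=$DeviceType"
    try {
        return (Invoke-WebRequest -Uri $url -Method Post -UseBasicParsing).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
"DeviceType=$BlockedType -> HTTP $(Test-EasProbe $BlockedType)  (404 = denied by the filtering rule)"
"DeviceType=iPhone -> HTTP $(Test-EasProbe 'iPhone')  (401 = passed filtering, reached authentication)"
```

Run the probe from outside the network as well; if the reverse proxy rule from the last step is working, the CloudMagic probe never reaches Exchange at all and the proxy's own block response is what comes back.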

Hope this helps

Thanks

Sathish Veerapandian

MVP – Exchange Server

Troubleshoot Outlook Connectivity issues in Exchange 2013

In versions prior to Exchange 2013, troubleshooting Outlook connectivity issues had to be approached differently depending on the Exchange version and on the type of connection configured in the environment.

A short summary of Outlook connections from Exchange 2007 onwards:

1) In Exchange 2007 the other client protocols were handled by the Client Access server, but MAPI connections were still established directly to the Mailbox server.

2) In Exchange 2010 all client connections, including RPC, went through the Client Access server, because the new RPC Client Access service was introduced.

3) From Exchange 2013 there are no direct RPC over TCP connections at all; all Outlook connections come in as RPC over HTTPS (Outlook Anywhere) or, with Exchange 2013 SP1, Outlook 2013 SP1 and MAPI over HTTP enabled, as MAPI over HTTP.

I have collected a few steps that are useful when we come across this kind of scenario in our environment.

Below are the things that can be checked when troubleshooting Outlook connectivity issues in Exchange 2013:

1) Check whether MAPI over HTTP or RPC over HTTP is enabled in your organization.

If MAPI over HTTP is in use, run Get-MapiVirtualDirectory and check the MAPI internal and external URLs:

Get-MapiVirtualDirectory | fl Server, InternalUrl, ExternalUrl

Then check whether MAPI over HTTP is enabled at the organization level. It is disabled by default and has to be enabled explicitly:

Get-OrganizationConfig | fl MapiHttpEnabled

Set-OrganizationConfig -MapiHttpEnabled $true

Now let's look at troubleshooting Outlook connectivity issues in both scenarios.

Telnet from the affected workstation to your Outlook Anywhere external URL and ensure that it is reachable on port 443, for example:

telnet mail.domain.com 443

A blank screen means the TCP connection was accepted; "Could not open connection" means something between the workstation and the server (DNS, firewall, proxy) is blocking it, and none of the Exchange-side checks below will help until that is fixed.

Check the Outlook Anywhere authentication settings. By default Exchange 2013 uses NTLM for internal clients; for external clients it is commonly NTLM, Negotiate or Basic depending on what the edge devices support. Whatever it is, it has to match what the Outlook profiles expect.

Get-OutlookAnywhere | fl ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod

If Outlook Anywhere is not accessible from one particular network or site, the issue is most likely on that network's side.
Check whether the Outlook Anywhere URL resolves and is reachable from there: resolve it with nslookup and test port 443 from an affected workstation. A ping alone is not conclusive, because ICMP is often blocked while HTTPS still works.
Also check for any recent changes on their network or on their proxy servers.
If the affected site routes its internet connections through a proxy, test by excluding your Outlook Anywhere URL from the proxy settings in Internet Options (Connections, LAN settings, Advanced, Exceptions); Outlook uses the same proxy settings as Internet Explorer.

Doing this gives the client a direct connection to your site. These kinds of issues are most often caused by proxy connections.

If it happens only for a single user or a few users, check the MAPIBlockOutlookRpcHttp setting on the affected mailbox:

Get-CASMailbox mailboxname | fl MAPIBlockOutlookRpcHttp

This value must be False for Outlook Anywhere to work. If it is set to True, set it back to False:

Set-CASMailbox mailboxname -MAPIBlockOutlookRpcHttp $false

Ensure that the Outlook Anywhere hostnames are correct and that they are present in your public certificate (as the subject name or as a subject alternative name). You can use the command below to check the hostnames and compare them with the CertificateDomains of the certificate assigned to IIS:

Get-OutlookAnywhere | fl *hostname

If it affects all users, run the Outlook RPC self-test probe on the affected Mailbox server:

Test-OutlookConnectivity -ProbeIdentity "OutlookRpcSelfTestProbe"

Check that RPC can connect to the Store's port with the RPC Ping utility:

RpcPing -t ncacn_http -s ExchangeMBXServer -o RpcProxy=RpcProxyServer -P "user,domain,password" -I "user,domain,password" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001

If it returns something like "Completed 1 calls in 60 ms 16 T/S or 60.000 ms/T", the RPC Ping test succeeded. Here -e 6001 is the Store endpoint, -u 10 selects NTLM, -a connect is the authentication level and -H 1 is Basic authentication to the RPC proxy; replace the server names and credentials with your own.

You can also use EXRCA and see the results

https://testconnectivity.microsoft.com/

Steps to perform the EXRCA tests :

  1. On the ExRCA website, under Microsoft Office Outlook Connectivity Tests, select Outlook connectivity, and then select Next at the bottom of the page.
  2. Enter the required information on the next screen, including email address, domain and user name, and password.
  3. Choose whether to use Autodiscover to detect server settings or to manually specify server settings.
  4. Accept the disclaimer, enter the verification code, and then select Verify.
  5. Select Perform Test.

Though there are more factors that can block Outlook Anywhere connections in Exchange 2013, the troubleshooting steps above will help in many cases.
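As an added example (not code from the original post), the PowerShell script below runs the client-side checks from the list above in one go for a single Outlook Anywhere hostname: the port 443 test, a look at the certificate the server actually presents and whether it covers the hostname, and, when started in the Exchange Management Shell, the authentication methods and any mailboxes with MAPIBlockOutlookRpcHttp set. mail.domain.com is a placeholder; certificate validation is deliberately switched off so a wrong certificate can still be inspected.

```powershell
# Added example, not from the original post. Runs the port, certificate and
# server-side checks described above for one Outlook Anywhere hostname.
# Assumptions: mail.domain.com is a placeholder; the Exchange cmdlets at the
# end only run when the script is started in the Exchange Management Shell.
$OutlookAnywhereHost = 'mail.domain.com'
$Port = 443

function Test-TcpPort {
    # The same thing as the telnet test, with a timeout so it cannot hang.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-ServerCertificate {
    # Complete a TLS handshake and return the certificate the server presented.
    # Validation is disabled on purpose so a wrong certificate can still be inspected.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Close() }
}

function Test-CertificateCoversHost {
    # True if the hostname is the subject name or one of the DNS SANs (wildcards match one label).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the SAN as "DNS Name=mail.domain.com, DNS Name=autodiscover.domain.com"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    foreach ($n in $names) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -ieq $n.Substring(1)) { return $true }
    }
    return $false
}

if (-not (Test-TcpPort -HostName $OutlookAnywhereHost -Port $Port)) {
    Write-Warning "$OutlookAnywhereHost port $Port is not reachable: fix DNS, firewall or proxy before looking at Exchange."
    return
}
$cert = Get-ServerCertificate -HostName $OutlookAnywhereHost -Port $Port
"Certificate subject : $($cert.Subject)"
"Certificate expires : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'The certificate has expired.' }
if (-not (Test-CertificateCoversHost -Cert $cert -HostName $OutlookAnywhereHost)) {
    Write-Warning "The certificate does not contain $OutlookAnywhereHost; Outlook will reject the connection."
}

# Server-side settings from the list above, only when run in the Exchange Management Shell
if (Get-Command Get-OutlookAnywhere -ErrorAction SilentlyContinue) {
    Get-OutlookAnywhere | Format-Table Server, ExternalHostname, InternalHostname,
        ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod -AutoSize
    # Mailboxes explicitly blocked from Outlook Anywhere
    Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.MAPIBlockOutlookRpcHttp } |
        Format-Table Name, MAPIBlockOutlookRpcHttp -AutoSize
}
```

Run it from an affected workstation first; if the port test fails there but succeeds from a machine outside the site, the problem is on that site's network or proxy, exactly the case described above.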

Hope this article is helpful.

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Modifying the log file size for safety net on Exchange 2013

In this article we will see how to change the Safety Net values in Exchange 2013.

Safety Net replaces the transport dumpster of earlier versions. It prevents data loss by keeping a queue of copies of successfully delivered messages, and unlike the transport dumpster it also holds messages for mailboxes that are not in a DAG and for public folder mailboxes.

Safety Net in Exchange 2013 does not require a DAG, and it is no longer a single point of failure because there are two copies: the Primary Safety Net on the server that delivered the message and the Shadow Safety Net on the server that held the shadow copy of it.

Because of this the transport queue database grows noticeably larger in Exchange 2013 than it did in Exchange 2010: it holds the Primary and Shadow Safety Net messages in addition to the active queues.

So where does the Safety Net queue reside?

There is no dedicated Safety Net location in Exchange 2013; the messages are stored in the same transport queue database as everything else on the Mailbox server.

All the different queues live in a single ESE database. By default this queue database is located on the transport server at %ExchangeInstallPath%TransportRoles\data\Queue, as mail.que with its trn*.log transaction logs alongside it.

At times the Safety Net queue can grow abnormally. Below are the steps that can be followed when we run into this kind of scenario.

First, we can recreate the transport queue database.

On each server with a large mail.que file:
a. Check with Get-Queue that no mail is waiting in the active queues, because whatever is still queued for delivery is lost together with the database.
b. Stop the MSExchangeTransport service.
c. Move the contents of the Queue folder (mail.que, tmp.edb, trn.chk and the trn*.log files) to a backup location rather than deleting them outright.
d. Start the MSExchangeTransport service; transport creates a fresh, empty queue database.

Recreating the database also empties Safety Net on that server, so until it fills up again there is nothing to resubmit from it after a database failover.

We can also keep Safety Net in check by changing the Safety Net hold time.

By default the hold period for Safety Net is 2 days. If you wish to change it, follow the procedure below.

To check the Safety Net hold time, run:

Get-TransportConfig | ft Name, Safety*

To change the value, run (the format is days.hours:minutes:seconds):

Set-TransportConfig -SafetyNetHoldTime 1.00:00:00

When you run this command you get a warning that SafetyNetHoldTime needs to exceed ReplayLagTime. Plan the value according to your lagged database copies: Safety Net has to keep messages at least as long as the longest ReplayLagTime, otherwise a lag copy that is activated cannot be filled in from Safety Net. You need not worry about this if you do not have any lag copies.
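As an added example that is not part of the original post, this script checks the condition in the warning above for you: it compares SafetyNetHoldTime with the ReplayLagTime of every lagged database copy, reports the size of the local mail.que, and lists what is still queued for delivery before anyone considers recreating the database. It assumes the Exchange Management Shell on a Mailbox server; the 20 GB warning threshold is an arbitrary example value.

```powershell
# Added example, not from the original post: compares SafetyNetHoldTime with the
# ReplayLagTime of every lagged database copy and reports the local queue database
# size. Assumes the Exchange Management Shell on a Mailbox server; the 20 GB
# warning threshold is an arbitrary example value.
$holdTime = [TimeSpan](Get-TransportConfig).SafetyNetHoldTime
"SafetyNetHoldTime : $holdTime"

# Safety Net must retain messages at least as long as the longest lag, otherwise an
# activated lag copy cannot be filled in from Safety Net.
$problems = foreach ($db in Get-MailboxDatabase) {
    foreach ($lag in $db.ReplayLagTimes) {
        $lagTime = [TimeSpan]$lag.Value
        if ($lagTime -gt [TimeSpan]::Zero -and $holdTime -lt $lagTime) {
            [pscustomobject]@{
                Database          = $db.Name
                Server            = "$($lag.Key)"
                ReplayLagTime     = $lagTime
                SafetyNetHoldTime = $holdTime
            }
        }
    }
}
if ($problems) {
    Write-Warning 'SafetyNetHoldTime is shorter than ReplayLagTime on these copies:'
    $problems | Format-Table -AutoSize
} else {
    'SafetyNetHoldTime covers every lagged copy.'
}

# Safety Net shares mail.que with the active queues, so check the file size here.
$queueDb = Join-Path $env:ExchangeInstallPath 'TransportRoles\data\Queue\mail.que'
if (Test-Path $queueDb) {
    $sizeGB = [math]::Round((Get-Item $queueDb).Length / 1GB, 2)
    "mail.que          : $sizeGB GB"
    if ($sizeGB -gt 20) { Write-Warning 'Queue database is unusually large.' }
}

# Anything still queued for delivery is lost if mail.que is recreated, so look before doing that.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, Status, MessageCount -AutoSize
```

Note that an ESE database does not shrink on its own: lowering SafetyNetHoldTime stops the growth, but mail.que only gets smaller after the file is recreated as described above.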

There is also a value called MessageExpirationTimeout. It is set per transport server and is the maximum time a message can remain in a queue before it is returned to the sender as undeliverable; it is not a Safety Net setting, but it has the same 2-day default.

To see this value, run:

Get-TransportService | ft Name, MessageExpiration*

To change it, run:

Set-TransportService <servername> -MessageExpirationTimeout 1.00:00:00

The Safety Net hold time can be changed from the EAC as well.

To change the value through the EAC, perform the following steps:

Open the EAC, click the mail flow tab, then click receive connectors.

Click the more options (...) button and click organization transport settings.

On the safety net tab you have the option to change the Safety Net hold time (in days).

Hope this article will help to change the safety net value in Exchange 2013.

Cheers

Sathish Veerapandian

Technology Evangelist

Steps to create/identify the list of public IPs used by Exchange services

In this article we will look at the steps to send all outgoing SMTP traffic from one public IP address and at how to identify the public IP addresses the Exchange server is using.

First, check the source IP address configured on your Send connectors from the EMS:

Get-SendConnector | fl Name, SourceIPAddress

Note:

By default this value is 0.0.0.0, meaning the transport server uses its own assigned IP to send to the smart host (firewall, spam filter or cloud filtering service). In Exchange 2013 the SourceIPAddress setting is only honored on Edge Transport servers; on Mailbox servers it is ignored, so the source address seen on the internet is decided by the NAT rule on your firewall. It is still worth checking that nothing unexpected is set here.

Now, how does mail flow leave your Exchange server?

From Exchange, to your firewall, where it is NAT'ed from the local IP to a public IP, and then to the internet.

We need to NAT our local IP to one public IP.

To do that, follow the steps below on a router or firewall that supports policy-based routing:

1) Create a firewall/NAT rule that NATs outbound traffic from the Exchange IP address to your preferred public IP address.

2) With policy-based routing you can then make a rule like: when traffic comes from my mail server AND the destination port is 25, send it out through the ISP from that one public IP.

To be precise, this is a many-to-one NAT on your firewall, for example (the addresses are illustrative):

Server    Private IP (server)    Public IP on firewall    Port
Server1   192.168.0.1            65.55.33.118             25
Server2   192.168.0.2            65.55.33.118             25

With the servers configured as above, the source public IP is 65.55.33.118 for both servers.

You must also have a PTR record for that external IP. It should resolve back to a name that in turn resolves to the same IP (forward-confirmed reverse DNS), and that address should be the one listed in your SPF record. If the PTR is missing, ask your ISP to create it for your external IPs.

How to identify which public IP your Exchange services are using

There are multiple ways to identify the public IP addresses used by the Exchange server.

For inbound mail the easiest way is an MX lookup: the MX records of your domain point to the hosts, and therefore the public IPs, that receive your mail. For outbound mail DNS cannot tell you; send a message to an external mailbox and read the first external Received: header, which shows the address your firewall presented.

You can query all the Exchange URLs through nslookup to see the results. Things you need to query:

1) The external Autodiscover URL

2) The external webmail (OWA) URL

3) The external Outlook Anywhere URL

Below is an example of an MX lookup for the Microsoft records (screenshot omitted).

These steps are useful during migration scenarios for Exchange servers as well as firewalls.
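An added example, not code from the original post, that does the three nslookup queries above plus the MX lookup in one pass and checks each resulting address for a PTR record that resolves forward to the same IP, which is the check the ISP-created PTR has to pass. domain.com and the three hostnames are placeholders for your own names; the script needs Resolve-DnsName from the DnsClient module (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example, not from the original post: resolves the public names Exchange
# publishes plus the MX hosts, and checks that every address has a PTR record that
# resolves forward to the same IP. domain.com and the three hostnames are
# placeholders. Needs Resolve-DnsName (DnsClient module, Windows 8 / 2012 or later).
$MailDomain = 'domain.com'
$Names = @(
    "autodiscover.$MailDomain",   # external Autodiscover URL
    "webmail.$MailDomain",        # external OWA URL
    "mail.$MailDomain"            # external Outlook Anywhere hostname
)

# Inbound path: the MX hosts. The outbound address is whatever the NAT rule presents,
# which DNS cannot show; read the first external Received: header of a test message for that.
$mx = Resolve-DnsName -Name $MailDomain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
$Names += $mx | ForEach-Object { $_.NameExchange }

function Test-PublicName {
    param([string]$Name)
    $addresses = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    if (-not $addresses) {
        return [pscustomobject]@{ Name = $Name; IP = $null; PTR = $null; Ok = $false; Note = 'no A record' }
    }
    foreach ($ip in $addresses) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1 | ForEach-Object { $_.NameHost }
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the same address.
        $confirmed = $false
        if ($ptr) {
            $back = Resolve-DnsName -Name $ptr -Type A -ErrorAction SilentlyContinue | ForEach-Object { $_.IPAddress }
            $confirmed = @($back) -contains $ip
        }
        [pscustomobject]@{
            Name = $Name
            IP   = $ip
            PTR  = $ptr
            Ok   = $confirmed
            Note = $(if (-not $ptr) { 'missing PTR: ask the ISP to create it' }
                     elseif (-not $confirmed) { 'PTR does not resolve back to this IP' }
                     else { '' })
        }
    }
}

$Names | Sort-Object -Unique | ForEach-Object { Test-PublicName -Name $_ } | Format-Table -AutoSize
```

Run it before and after a firewall or Exchange migration and compare the two tables; any name whose IP changed, or any address whose Ok column turned False, is a record that still needs updating.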

Thanks
Sathish Veerapandian
