Disable RC4 and SSLV3 encryption for applications

Once a web application is deployed, it is always recommended to perform thorough security testing to identify any security risks.

In this article I'm sharing my experience of disabling RC4 and SSLv3 for applications hosted on Windows Servers.

You can use the site below to test your server's configuration for the HTTPS protocol:
https://www.ssllabs.com/

Why does RC4 need to be disabled?

RC4 should not be used, because of cryptanalytic attacks against it.
It has been more than 25 years since Ron Rivest invented his RC4 stream cipher, but it is still used by legacy clients and browsers.

How RC4 encryption works:

A cipher suite consists of a key exchange algorithm, an encryption method and an integrity protection method.
RC4 is a stream cipher: it encrypts plaintext by mixing it with a keystream, a series of bytes that should be indistinguishable from random. But the keystream bytes are not as random as they should be, at least at the beginning of the stream.

That makes it possible for an attacker who can observe enough TLS requests carrying the same plaintext to recover that plaintext. The problem is that there are biases in the keystream, which makes life easier for the attacker.

Why is it not disabled by default on Windows Server 2008 R2 and 2012 R2?

Unfortunately, the servers' default configuration tends to favour backward compatibility over security.
RC4 and SSLv3 are enabled by default only to support older versions of browsers and operating systems.
So we need to disable them for applications running on Windows Server 2008 R2 and 2012 R2 with IIS.

Preventive measures for the RC4 attack:

From a security standpoint it is always recommended to use TLS 1.2 or above, so it is better to disable the weak ciphers and support only the current types of encryption.

Disable the RC4 ciphers by adding the registry entries below on the server hosting the application.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Disable SSLv3:

A short history of SSL

SSLv1 was never publicly released.
SSLv2 was quickly found to be insecure.
SSLv3 was then created, and together with the newer TLSv1/1.1/1.2 it is still used to secure the transport layer of the Internet.

Weakness of SSLv3:

Last year Google engineers found a major loophole in SSLv3, with an exploitation technique known as the POODLE attack.
This is a plaintext recovery attack that focuses on HTTP headers and exploits a weakness in the SSLv3 protocol when used with block ciphers.
It is a vulnerability in the protocol itself, not in any one implementation.
So it is now recommended to disable SSLv3 on the server side.

Preventive measures for the SSLv3 attack:

Disable SSLv3 by adding the registry entries below on the server hosting the application.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

It is always advisable to use TLS 1.2 or later.
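The same registry changes, applied and read back from one script, as an added example that is not part of the original post. It uses the .NET registry classes rather than the PowerShell registry provider because the cipher key names contain a forward slash ("RC4 128/128"), which the provider can mistake for a path separator. It assumes it is run in an elevated PowerShell on the server itself; the reboot that Schannel needs is left to you.

```powershell
# Added example (not code from the original post): apply the Schannel
# registry entries described above and verify them, so the change can be
# repeated on every server hosting the application and checked afterwards.
# Assumption: run elevated on the server; settings take effect after a reboot.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired state, taken from the registry entries listed in the post.
$desired = @(
    @{ SubKey = "$base\Ciphers\RC4 128/128";      Name = 'Enabled';           Value = 0 },
    @{ SubKey = "$base\Ciphers\RC4 40/128";       Name = 'Enabled';           Value = 0 },
    @{ SubKey = "$base\Ciphers\RC4 56/128";       Name = 'Enabled';           Value = 0 },
    @{ SubKey = "$base\Protocols\SSL 3.0\Client"; Name = 'DisabledByDefault'; Value = 1 },
    @{ SubKey = "$base\Protocols\SSL 3.0\Server"; Name = 'Enabled';           Value = 0 }
)

# The .NET registry API treats only the backslash as a separator, so the
# "RC4 128/128" key names are created as single keys, not nested ones.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Set-SchannelSetting {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = $hklm.CreateSubKey($SubKey)   # opens the key, creating it if missing
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelSetting {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $false }   # key absent: the Schannel default (enabled) applies
    try {
        return ($key.GetValue($Name) -eq $Value)
    } finally {
        $key.Close()
    }
}

# Report the state before the change, apply it, then read it back.
foreach ($s in $desired) {
    $before = Test-SchannelSetting @s
    Set-SchannelSetting @s
    $after = Test-SchannelSetting @s
    [pscustomobject]@{
        Key    = $s.SubKey
        Value  = "$($s.Name)=$($s.Value)"
        Before = $before
        After  = $after
    }
}

Write-Host 'Reboot the server for the Schannel changes to take effect, then re-test with SSL Labs.'
```

Run it once before the reboot and keep the Before/After table as the change record; the Before column also tells you which servers were still accepting RC4 or SSLv3 before the change.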

Note:
1) If you have these restrictions enabled on the reverse proxy through which your services are published, then TLS for those connections is already terminated there.
Still, it is better to have RC4 and SSLv3 disabled on all the applications that serve clients directly.
2) It is very important to note that before disabling these types of connection we need to make sure that the application is not serving any clients that depend on them. If any are found, we need to make that application work on TLS 1.2 or later first.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers and Services

Configure SCOM 2012 to receive Exchange 2016 Alerts in Email and SMS

It is better if we receive alerts about Exchange service-level unavailability during any outage.

Though the Managed Availability self-healing component is very capable of monitoring the Exchange services itself, a few companies still request a dashboard showing the current state of the Exchange services, and want to be notified via SMS and email when there is any outage.

Below are the main prerequisites:

1) System Center Operations Manager 2012 R2 is present in the environment.
2) The Exchange Server 2013 Management Pack is installed. Currently only the Exchange 2013 management pack exists, and it supports Exchange 2016.

Below are the high level steps that we need to perform in the SCOM 2012:

1) Create Channels – basically the path through which the alert is delivered to its destination (the admins).
2) Create Subscribers – the people who are to be notified when SCOM identifies an alert for Exchange.
3) Create Subscriptions – selecting the alerts to be sent when any Exchange services are unavailable.

This is the general pattern for any application whose owners need to be notified when there is an issue with their system.
To receive SCOM alerts on a mobile phone as SMS, we need an SMS routing agent configured.

The workflow below is the normal way to configure alerts to be received by SMS:

SCOM – Mailbox Server Relay – Reaches Mail Contact local SMTP address domain.com – Finds the SMTP target address – Finds the appropriate send connector – Routes to the SMS routing Agent – Exchange Admin receives the SMS

To receive SCOM alerts by email:

The workflow below is the normal way to configure alerts to be received by email:

SCOM subscribers – Mailbox server relay – Finds mail group – Alerts delivered to the admin's mailbox.

So we need to give the SCOM 2012 server relay permission on Exchange so it can send the alerts when any issue occurs.
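The relay permission mentioned above, as an added example that is not part of the original post: a dedicated receive connector on the Exchange mailbox server that accepts anonymous relay only from the SCOM server's address, so the relay right is not opened to the whole network. The server name MBX01, the SCOM address 10.10.20.15 and the connector name are placeholders assumed for this example.

```powershell
# Added example (not from the original post): a dedicated relay receive
# connector for the SCOM management server. Relay is granted only on this
# connector, and the connector only accepts the SCOM address.
# Assumed placeholders: MBX01 (Exchange mailbox server), 10.10.20.15 (SCOM server).
$connectorName = 'SCOM Alert Relay'
$server        = 'MBX01'
$scomAddress   = '10.10.20.15'

# Exchange 2013/2016: client-facing SMTP is handled by the Frontend transport role.
# RemoteIPRanges is the control: only this one source can use the connector.
New-ReceiveConnector -Name $connectorName -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $scomAddress `
    -PermissionGroups AnonymousUsers

# Anonymous relay right, scoped to this connector only.
Get-ReceiveConnector "$server\$connectorName" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Verify: the connector should list only the SCOM address ...
Get-ReceiveConnector "$server\$connectorName" |
    Select-Object Name, RemoteIPRanges, PermissionGroups

# ... and only the anonymous relay right that was just added.
Get-ReceiveConnector "$server\$connectorName" |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Select-Object Identity, User, ExtendedRights
```

If several mailbox servers sit behind the DNS A record used by the SMTP channel, create the same connector on each of them; the RemoteIPRanges value is what keeps the relay limited to the SCOM server.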

First we need to create a channel. To do so, perform the below:

Navigate to Operations manager console – Click on Administration – Click on notifications- Select Channels

SCOm1.png

Right-click on Channels – New Channel – select the appropriate channel type for the route we want.

SCOm2.png
The best approach is to create only SMTP channels, route them to Exchange, and deliver from there to the appropriate destinations.
This keeps the setup less complicated.

We can also create a DNS A record that points to all the mailbox servers and use that record as the SMTP server for the channel.

To create subscribers, perform the below:

Navigate to Operations manager console – Click on Administration – Click on notifications- Select Channels

Right-click on Subscribers – New Subscriber

SCOm3.png

Create a new Subscriber

SCOm4.png

Select always send notifications

SCOm5.png

Add the delivery address: the admin's email address if it needs to be delivered by email, or the mail contact if it needs to be routed to their mobile device.

SCOm6.png

Select the channel type as Email (SMTP). It is better to route all the messages via Exchange and from there to the appropriate destinations; I feel this makes creating the channels less complicated.

SCOm7.png

Now we need to create the subscriptions.

To create a subscription, perform the below:

Navigate to Operations Manager console – Click on Administration – Click on Notifications – Select Channels
Right-click on Subscriptions – New Subscription

SCOm8.png

 

Now this part is very important. We need to fine-tune it based on the setup and the issues we care about. Here we specify and subscribe to the alerts we want to be notified about when an application is unavailable.

So you need to choose the alerts based on your requirements. For Exchange, for example, if there are issues such as unhealthy database copies or a dismounted database, we can specify them by name and description in this criteria section and get notified via SMS.

For the Exchange services EWS, ActiveSync and MAPI we don't need to configure anything here, since we have health probes configured on the load balancers and will be notified by them.

SCOm9.png

 

In this part we specify the subscribers:

Usually the subscribers are the distribution groups that we created.

SCOm10.png

Now select the channel that was configured to route the alerts to the Exchange servers.

SCOm11.png

After this is done we will receive the Exchange 2016 alerts through email and SMS.

Thanks & Regards
Sathish Veerapandian
MVP – Office Server and Services

Resolve Frequent Account lockout of Notes ID

One Notes user, when trying to log in, was getting the message below, even though a recovered and reset Notes ID had been given to him from the server.

“Server error: Your password was expired and your account are locked; contact the system administrator to unlock it”
That message sounds more like a Windows lockout, but it actually comes from Lotus Notes.
I was unaware that Notes would give a message like that and I'm seeing it for the first time. I haven't worked much on Domino other than creating Notes IDs, recovering IDs, creating routing mailboxes, creating new DBs, copying/moving DBs and monitoring the services.

Posting this solution so it may help others who face this issue.

Solution:

Open Domino Administrator – go to the user's person document in names.nsf – go into edit mode – and then the administrator tab.

Go to the Password Management section in edit mode
Make sure Check password is set to "Don't check password"
Set "Required Change Interval" to 0
Change the "Grace Period" to 0.
Clear the contents of the Password Digest field in the person document in the Domino Directory.

notes

Once the above is done, replicate names.nsf across the Notes topology through the Notes network.
After making the above change the user is able to log in to Notes.
Always make sure the Password Digest field is cleared for any new ID creation as well as for recovered ID files; this lets the user log in on the first attempt with the provided recovered Notes ID file.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers and Services

Offline Address Book Configuration in Exchange 2010 & 2016 Coexistence

In this article we will look at the OAB configuration in Exchange 2016 in coexistence with Exchange 2010.

Outlook triggers an OAB download every 24 hours, counted from the time it received the last fully updated OAB files.

A short background on how the OAB works in Exchange 2016:
1) Outlook queries for the OAB through the Autodiscover URL.
2) The request reaches the Exchange 2016 Mailbox server's OAB virtual directory.
3) The Exchange 2016 Mailbox server's Client Access service queries Active Manager and finds the database hosting the organization arbitration mailbox.
4) The OABGen assistant in the arbitration mailbox then provides the required information.
5) As with Exchange Web Services, Autodiscover provides the Offline Address Book URL. The request is then proxied to the OABGen mailbox that holds the OAB information, and this information is served back to the client.
The OAB files are stored in the same place as on an Exchange 2013 CAS server, but now on the Exchange 2016 Mailbox server itself, since there is no separate CAS role.

In Exchange 2016, the OAB files are generated and stored first in the organization arbitration mailbox that carries the persisted OABGen capability, and later copied to %ExchangeInstallPath%\ClientAccess\OAB\ on the Mailbox server.

Below are the important things to perform:

1) When we introduce Exchange 2016 we need to create a new Offline Address Book:
New-OfflineAddressBook -Name "OAB NEW" -AddressLists "\Default Global Address List" -VirtualDirectories $null
2) Make sure the Exchange 2016 OAB virtual directory URLs point to the Exchange 2016 servers.
Run the command below to check the settings:
Get-OabVirtualDirectory | ft Identity,InternalUrl,ExternalUrl -AutoSize

3) Change the default OAB on the Exchange 2016 databases (only those; the Exchange 2010 databases keep their own OAB until the migration is complete). To do so, open the Exchange 2016 Management Shell and run the following command:

Get-MailboxDatabase -Server <Ex2016Server> | Set-MailboxDatabase -OfflineAddressBook "\Default Offline Address Book (Ex2016)"

Enable GlobalWebDistribution
The recommendation is to enable global web distribution for all OABs hosted on Exchange 2016.

What is the benefit of doing this?
The main benefit is that all Exchange 2016 Mailbox servers can take part in web distribution (distribution only, not generation).
OAB generation still remains with the Mailbox server that hosts the active copy of the DB containing the arbitration mailbox with the persisted capability.

How to check whether GlobalWebDistributionEnabled is set to true:
Run the command below.
Get-OfflineAddressBook | Select-Object Identity,Name,Global* | Format-List

If it is set to false, set it to true by running the command below.
Set-OfflineAddressBook <E16OAB> -GlobalWebDistributionEnabled $true

What is the GlobalWebDistributionEnabled parameter?
This parameter is used by Autodiscover to determine which Mailbox servers' OAB virtual directories are eligible candidates for distributing the OAB to clients.
By setting it we make all Mailbox servers distribute the address book automatically.

Enable shadow distribution:

By enabling this we can have a shadow copy of an OAB instance generated by one arbitration mailbox placed in another arbitration mailbox.
Prior to enabling shadow distribution, we should deploy an OAB generation mailbox in each AD site where Exchange 2016 infrastructure is deployed.

Benefits of shadow distribution:
1) Prevents the OAB download from crossing the WAN when the user connects from a different site.
2) Without shadow distribution, a full OAB download is triggered if the user logs in from another site.

We can enable shadow distribution by running the command below.
Set-OfflineAddressBook "Redmond OAB" -ShadowMailboxDistributionEnabled $true

Again, enable this option if the end users travel and connect from multiple sites.
Point the new Exchange 2016 on-premises DBs to the new default Offline Address Book that was created,
and make sure the current Exchange 2010 DBs keep pointing to the Exchange 2010 OAB until the migration is completed.
After installing the first Exchange 2016 server, new Exchange 2016 DBs should point to the new default OAB.

Do we need to move the Exchange 2010 OABs?
No, we don't have to move them. They have already been created and stored in the OABGen mailbox and are updated 12 times a day.
From Exchange 2013 onward, all OABs have gone into <Default Offline Address Book>.

After the configuration, try to browse the OAB endpoint and see whether you are able to log in:
https://mail.domain.com/oab/07a8-6g35-7d30-36sh-84b5-15g4h/oab.xml

Below is an example of how it looks after successful authentication.

OAB
The OAB URL can be taken from the Test E-mail AutoConfiguration results in Outlook.
Download the OAB and check the results.
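A read-back of the coexistence settings from the steps above, as an added example that is not part of the original post: it flags Exchange 2016 databases still pointing at an old OAB, OAB virtual directories that are not HTTPS or not on the expected namespace, and the GlobalWebDistributionEnabled flag. The OAB name "OAB NEW" is the one created above; the namespace mail.domain.com is taken from the example URL; servers are treated as Exchange 2016 when their major version is 15 or later, which assumes no Exchange 2013 in the organization.

```powershell
# Added example (not from the original post): audit the OAB coexistence
# configuration described above. Assumed names: 'OAB NEW' (the new OAB),
# 'mail.domain.com' (the client namespace), no Exchange 2013 servers present.
$newOabName   = 'OAB NEW'
$expectedHost = 'mail.domain.com'

# Exchange 2016 reports major version 15; Exchange 2010 reports 14.
$ex16Servers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -ge 15 }

# 1) Every database on an Exchange 2016 server should use the new OAB;
#    Exchange 2010 databases are expected to keep their 2010 OAB for now.
$dbReport = Get-MailboxDatabase | ForEach-Object {
    $is16 = $ex16Servers.Name -contains $_.Server.Name
    [pscustomobject]@{
        Database   = $_.Name
        Server     = $_.Server.Name
        Exchange16 = $is16
        OAB        = $_.OfflineAddressBook.Name
        Ok         = (-not $is16) -or ($_.OfflineAddressBook.Name -eq $newOabName)
    }
}

# 2) OAB virtual directory URLs should be HTTPS and on the client namespace,
#    so that Autodiscover hands clients an endpoint that actually resolves
#    to the Exchange 2016 servers.
$vdirReport = Get-OabVirtualDirectory | ForEach-Object {
    $ext = $_.ExternalUrl
    $int = $_.InternalUrl
    [pscustomobject]@{
        Identity = $_.Identity
        External = $ext
        Internal = $int
        Ok       = ($null -ne $ext) -and ($ext.Scheme -eq 'https') -and ($ext.Host -eq $expectedHost) -and
                   ($null -ne $int) -and ($int.Scheme -eq 'https')
    }
}

# 3) Global web distribution must be on for the new OAB.
$oab   = Get-OfflineAddressBook $newOabName
$oabOk = [bool]$oab.GlobalWebDistributionEnabled

$dbReport   | Format-Table -AutoSize
$vdirReport | Format-Table -AutoSize
"GlobalWebDistributionEnabled on '$newOabName': $oabOk"
if (($dbReport | Where-Object { -not $_.Ok }) -or ($vdirReport | Where-Object { -not $_.Ok }) -or -not $oabOk) {
    Write-Warning 'One or more OAB coexistence settings differ from the expected state; see the tables above.'
}
```

Run it from the Exchange 2016 Management Shell after step 3 and again after the virtual directory URLs are changed; anything with Ok = False is what still needs attention before mailboxes are moved.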

By default, a new OAB is generated every 8 hours in Exchange Server 2016, but we can change the interval from the Exchange Management Shell with a new setting override.

New-SettingOverride -Name "OAB Generation Override" -Component MailboxAssistants -Section OABGeneratorAssistant -Parameters @("WorkCycle=02:00:00") -Reason "Generate OAB every 2 hours"

Note: it is better to leave the default work-cycle schedule and not modify it.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services

Configure Enterprise Vault Office Mail App in Exchange 2016 Environment

The Enterprise Vault Office Mail App provides Enterprise Vault features in end users' Outlook and OWA. It works through the Microsoft Office Mail Apps feature.
Users will want to access archived items via OWA as well once their older items are being archived by an archiving system.
The Enterprise Vault Office Mail App does not appear in Outlook or OWA by default.
It has to be deployed to users or at the organizational level, and only then does it appear.

In this article I will explain the quick steps to perform this in an environment where archiving is enabled for Exchange 2016 users through Enterprise Vault.

There are 3 possible ways to deploy it:

1) To individual users.
2) To a group of users.
3) To the whole organization, at the Mailbox server organization level.

The main points are as follows:

1) We need to deploy the Office Mail App at the organization level on the newly introduced Exchange 2016 server, pointing at the EV server.
2) Set up the Enterprise Vault Office Mail App.
3) One important note: if we enable this feature at the organizational level then the option appears on all mailboxes, including those that are not EV-enabled.
4) The same Enterprise Vault server is used for Office Mail App requests from all users.

The high-level steps are as follows:
1) We run the PowerShell cmdlet New-App in the Exchange Management Shell on the Exchange 2016 server.
The command requires the following:
2) An Exchange 2016 mailbox that is enabled for archiving and that you want to enable for the Office Mail App.
3) The URL of the OfficeMailAppManifest.aspx page on the EV server.
The server specified in the URL can be any Enterprise Vault server in your site, over http or https according to the IIS configuration on your EV server.
Office Mail Apps must only be served using Secure Sockets Layer (SSL), so we need to obtain a certificate from a certification authority.
4) The Exchange server sends a request to the Enterprise Vault server (EV1) to configure a manifest file.

 

We need to run the command below to enable this feature at the organizational level:

Add-Type -AssemblyName System.Web
$Mbx = Get-Mailbox "mailbox"
New-App -OrganizationApp -DefaultStateForUser:Enabled -Url `
    ("https://EV_server/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" +
    [System.Web.HttpUtility]::UrlEncode($Mbx.LegacyExchangeDN))

Where:
■ mailbox is the name of a mailbox that is enabled for archiving.
■ EV_server is the name of the Enterprise Vault server in your organization that serves this manifest file.

 

When a user accesses the EV Office Mail App from OWA or Outlook, the following happens:

EV
a) The OfficeMailAppManifest.aspx page on the EV server generates a manifest file for Exchange and sends it to the Exchange 2016 server.
b) The manifest file contains the Office Mail App settings for Exchange.
c) The settings include the URL from which the Office Mail App is loaded.
d) The end user is then able to perform archive actions from the Office Mail App.

Below are the steps to enable the EV web app for individual users:

$mbx = Get-Mailbox mailbox@domain.com | Select-Object LegacyExchangeDN
$url = "https://EVurl.com/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" + [System.Web.HttpUtility]::UrlEncode($mbx.LegacyExchangeDN)
New-App -Mailbox mailbox@domain.com -Url $url

Later we can verify the end user's web app readiness by accessing the manifest URL from their PC:

https://evurl.com/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=/o=MSG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=mailbox

On accessing it the end user should see an XML file; an example is below.

EV2

If the XML file is not displayed, the end user will not be able to use this feature.

After it is enabled, this is how it is displayed for end users in OWA and Outlook when they open any email.

EV1
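The per-user deployment and the manifest check from above combined into one script, as an added example that is neither from the original post nor from Symantec. It builds the manifest URL the way the organization-level command does (URL-encoding the LegacyExchangeDN), refuses a non-HTTPS URL, fetches the manifest and checks that it parses as XML before New-App is run, then lists the app for the mailbox. The mailbox user@domain.com and the EV host evurl.com are placeholders.

```powershell
# Added example (not from the original post or Symantec): deploy the EV
# Office Mail App to one mailbox only after the manifest has been verified.
# Assumed placeholders: 'user@domain.com' (archive-enabled mailbox), 'evurl.com' (EV server).
Add-Type -AssemblyName System.Web

$mailbox  = 'user@domain.com'
$evServer = 'evurl.com'

$mbx       = Get-Mailbox $mailbox
$encodedDn = [System.Web.HttpUtility]::UrlEncode($mbx.LegacyExchangeDN)
$url       = "https://$evServer/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=$encodedDn"

# Office Mail Apps must be served over SSL; refuse anything else outright.
if (-not $url.StartsWith('https://')) { throw "Manifest URL must use https: $url" }

# Fetch the manifest as the end user's check above would, and make sure it
# is well-formed XML. A failure here is the same condition as the blank page
# described above, caught before New-App is attempted.
$response = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials
try {
    $manifest = [xml]$response.Content
} catch {
    throw "Manifest at $url is not valid XML: $($_.Exception.Message)"
}
"Manifest fetched: root element <$($manifest.DocumentElement.Name)>, $($response.Content.Length) bytes"

# Deploy for this one mailbox only (the organization-wide form uses -OrganizationApp).
New-App -Mailbox $mailbox -Url $url | Out-Null

# Verify: the app should now be listed for the mailbox.
Get-App -Mailbox $mailbox | Select-Object DisplayName, Enabled, AppVersion
```

Because the manifest is fetched with the current user's credentials, run this from an Exchange Management Shell under an account that EV's IIS will accept; a certificate error on the fetch means the EV server's certificate is not trusted by the Exchange server, which would also make New-App fail.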

Note:

1) This Office Mail App is not a mandatory feature to enable for all users. All users can see their archived items from the archive URL and the EV thick client on their desktops. This mail app gives end users more convenient access to their archive, and operations on it, from OWA, and lets them view archived email in Outlook itself.
2) Support for the Enterprise Vault Office Mail App on Exchange 2016 CU1 is pending and not in Symantec's compatibility lists. At this moment the Office Mail App works only in OWA on Exchange 2016 CU2. Symantec has confirmed that they will soon release a patch that supports this feature in Outlook as well.
3) With Exchange 2016 CU2, archiving works fine from the Outlook EV client and the EV web URL.
4) For Enterprise Vault to be compatible with Exchange 2016 CU2, Enterprise Vault 11.0.1 Cumulative Hotfix 4 or later is required.

The following commands are available for managing Office Mail Apps in Exchange 2016:

Get-App                  – Returns information about the installed Office Mail Apps.
New-App                  – Deploys an Office Mail App.
Remove-App               – Removes the specified Office Mail App.
Disable-App              – Disables a specific Office Mail App for a specific user.
Enable-App               – Enables an Office Mail App for a specific user.
Set-App                  – Sets configuration properties on an Office Mail App.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers and Services

Extending the existing storage on Linux applications

We may reach a point where the storage on a Linux server is insufficient or has reached its maximum.
In that case we need to add a new physical disk, create a physical volume, and extend the existing logical volumes assigned to the Linux-based application.

There are many ways of doing this job.
In this article we will look at one way to accomplish it.
Before assigning the new physical disk to the application we need to check the values below.

Open a PuTTY SSH session to the Linux server and run the commands below in order.
a. fdisk -l

The fdisk command-line utility is very useful for creating space for new partitions, organising space for new drives, reorganising old drives, and copying or moving data to new disks. It allows us to create a maximum of four primary partitions and a number of logical (extended) partitions, based on the size of the hard disk in the system.

In our case we use the command above to view all disk partitions, their sizes and their names on the Linux system.

Linux

b. pvs

pvs reports information about physical volumes in formatted output.
In our case we use it to check the current physical volume sizes.

Linux1

c. vgs
The vgs command provides volume group information in a configurable form, displaying one line per volume group. It provides a great deal of format control and is useful for scripting.
We use it to display the properties of the LVM volume groups.

Linux1

d. df

To get the VG name and LV name.

df displays the amount of disk space available on the file system containing each file name argument. If no file name is given, the space available on all currently mounted file systems is shown.
In our case we use it to check the current free space on the disks currently assigned.

Linux2
We also get the current VG and LV names, so that we can extend the right LV after assigning the new disk in the next steps.

Now we need to follow the steps below after assigning the new disk.

a. fdisk -l
After assigning the new disk, compare the output with the fdisk output from the previous step to find the new disk's name.

After identifying the new disk name we need to create the physical volume.

b. pvcreate /dev/sd<New Disk>

Once we have the new disk name from the previous output, we run the command above with that name.
Here we are initialising the newly assigned disk as a physical volume that LVM can use.
Physical volumes are created on a Linux system with the pvcreate command.

c. lvextend -L +200G /dev/VGNAME/LVNAME

lvresize can be used for both operations (shrinking and/or extending), while lvextend only grows; both resize the logical volume only, not the file system on it.
In our case we use this command to add the newly added space to the existing LV.

There are a few other options to extend a logical volume. With the syntax above we are adding 200 GB to this logical volume.
Free space in the volume group can be added at any time, online, to any LV without a reboot or bringing down the application if we run out of space on a file system in future.

So it is always important to include the plus (+) sign while resizing a logical volume.
If we don't, we are setting a fixed size for the LV instead of growing it by that amount.

d. Add the new physical volume to the volume group, then run pvs again.
Compare the output with the earlier pvs output to confirm that the new physical volume now belongs to the volume group:

vgextend VGNAME /dev/sd<New Disk>

The lvextend in step c can only succeed once the volume group contains the new physical volume. After the logical volume has been extended, grow the file system on it so the space becomes usable (resize2fs applies to ext file systems; an XFS file system is grown with xfs_growfs instead):

resize2fs /dev/VGNAME/LVNAME

Note:
It is very important to understand how the LVs, PVs and VGs are created and assigned on the Linux application before doing this.
Also do this only if you have worked on and have knowledge of Linux systems.
If you are not sure, it is always better to perform this action together with a Linux admin.

Thanks & Regards
Sathish Veerapandian
MVP – Office Services & Servers

Technique for Monitoring Mailbox Audit Logging in Exchange Server 2010

Nowadays many business professionals want to track who is accessing their mailbox in the organization and who is performing certain actions on their mailbox items. For such monitoring, Exchange Server 2010 (SP1 or later) offers a feature known as Mailbox Audit Logging. However, this functionality is not turned on by default: the Exchange administrator enables it for mailboxes that are considered sensitive or that can be accessed from anywhere. In the following section, we will discuss the way of enabling Mailbox Audit.

Set up the Active Directory thumbnail photo for Outlook and Skype for Business clients

To maintain their identity information, users of web-based or desktop applications want to set an image in their account profile.

A similar question surfaces while working with Microsoft Exchange: how to set up a user account image in Exchange 2016? To answer it, the following segment discusses the procedure.

Prerequisites for the image to be set up

The following constraints apply to images uploaded to user accounts:

  • The size of the image should not be more than 10KB
  • The file format of the image should be JPG (JPEG)

Ways to set up the account image on Exchange Server

Step 1: Configuration of the Global Catalog

This step comprises the following procedure, which configures the image attribute to be replicated to the Global Catalog:

  • Log in to your machine
  • Press Windows key + R to open the Run window. In that window, type regsvr32 schmmgmt.dll and press Enter

RUn

  • A 'DllRegisterServer in schmmgmt.dll succeeded' message box appears, as below; click OK

PIC2

 

  • Again, press Windows key + R, type mmc and press Enter
  • From the menu bar, click File >> Add/Remove Snap-in >> Active Directory Schema >> Add >> OK

PIC3

  • Now expand Active Directory Schema [<Your Server Name>] and click Attributes
  • In the attributes list, find the thumbnailPhoto attribute and double-click it

PIC4

  • In the options displayed, check Replicate this attribute to the Global Catalog >> OK

 PIC5

Step 2: Import pictures to Active Directory users

To import the picture that you want to set on your Exchange profile, you need the cmdlet Import-RecipientDataProperty. This cmdlet is used to import the image in Exchange 2016.

Open an Exchange Management Shell (the cmdlet is not available in a plain command prompt) and type the following:

Import-RecipientDataProperty -Identity <Mailbox> -Picture -FileData ([Byte[]]$(Get-Content -Path <Image Path> -Encoding Byte -ReadCount 0))

 

Step 3: Validating the procedure

To check whether the image has been set on your account, go to the Outlook home page and check whether the image appears. If not, the procedure was performed incorrectly; in that case repeat Steps 1 and 2 until the image is uploaded.
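Steps 2 and 3 as one script, added here as an example that is not part of the original post: it enforces the two prerequisites above (JPEG, at most 10KB) by inspecting the file bytes rather than the extension, runs the import, and then validates by reading the thumbnailPhoto attribute back from Active Directory instead of waiting for Outlook to refresh. The mailbox user@domain.com and the path C:\photos\user.jpg are placeholders; it assumes the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example (not from the original post): validate, import and verify a
# user photo. Assumed placeholders: 'user@domain.com', 'C:\photos\user.jpg'.
$mailbox   = 'user@domain.com'
$imagePath = 'C:\photos\user.jpg'
$maxBytes  = 10KB   # the limit stated in the prerequisites

$bytes = [byte[]](Get-Content -Path $imagePath -Encoding Byte -ReadCount 0)

# JPEG files start with the SOI marker FF D8 FF. Checking the bytes rejects a
# PNG or BMP that has merely been renamed to .jpg, which the import itself
# would accept and Outlook would then fail to render.
$isJpeg = ($bytes.Length -ge 3) -and
          ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xD8) -and ($bytes[2] -eq 0xFF)
if (-not $isJpeg) { throw "$imagePath is not a JPEG file (missing FF D8 FF header)" }
if ($bytes.Length -gt $maxBytes) {
    throw "$imagePath is $($bytes.Length) bytes; the limit is $maxBytes bytes"
}

# Step 2: the import from the post, with the pre-validated bytes.
Import-RecipientDataProperty -Identity $mailbox -Picture -FileData $bytes

# Step 3: read the attribute back from AD and compare it with the file.
Import-Module ActiveDirectory
$sam    = (Get-Mailbox $mailbox).SamAccountName
$stored = (Get-ADUser -Identity $sam -Properties thumbnailPhoto).thumbnailPhoto
if ($null -eq $stored) { throw 'thumbnailPhoto is still empty after the import' }

$matches = [Convert]::ToBase64String($bytes) -eq [Convert]::ToBase64String([byte[]]$stored)
"thumbnailPhoto set for ${mailbox}: $($stored.Length) bytes, identical to file: $matches"
```

If the attribute is populated but Outlook still shows no picture, the remaining cause is usually Step 1: the attribute is present on the domain controller but not yet replicated to the Global Catalog that Outlook queries.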

Conclusion

The key takeaway is that configuring the Global Catalog on the domain controller is essential. If that configuration is wrong, the Active Directory schema change does not take effect, and it becomes impossible to set the image in Exchange 2016. If everything is correct, the user is able to set up an account image in Exchange 2016.

Thanks & Regards
Tej Pratap

Configure Enterprise vault Archive for Exchange 2016 Server

In this article we will look at creating the EV mailbox archiving task for an Exchange 2016 server.

To learn how to configure the storage, refer to my previous post:

Configure New Store, storage , provisioning groups in Enterprise Vault in Exchange Environment

For an overview of the services, refer to my previous post:

All about enterprise vault services and its tasks

Additional configuration is needed for a newly introduced Exchange 2016 server before Enterprise Vault can archive the mailboxes on it. We need to provision and target those servers for archiving to happen on their mailboxes.

First we need to create a system mailbox for each new Exchange 2016 server. The system mailbox is simply a dedicated mailbox that EV uses to archive on that server.
This mailbox should not be used for any other job and should not be hidden from the address list.

Once we create these dedicated system mailboxes on the new Exchange 2016 servers, we need to grant permission to the Vault service account that is responsible for starting the EV task on the Exchange servers: grant Send As permission to the Vault service account on the newly created Enterprise Vault system mailboxes.
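The system mailbox creation and the Send As grant from the two paragraphs above, as an added example that is neither from the original post nor from Symantec: it creates one system mailbox for one new Exchange 2016 server, makes sure it stays visible in the address list, grants only Send As to the vault service account, and reads the permission back so the grant can be checked. EX16MBX01, MBXDB01, DOMAIN\svc-vault and domain.com are placeholders.

```powershell
# Added example (not from the original post or Symantec): one EV system
# mailbox per new Exchange 2016 server, with Send As for the vault service
# account and nothing more. Assumed placeholders: 'EX16MBX01' (new Exchange
# 2016 server), 'MBXDB01' (a database on it), 'DOMAIN\svc-vault' (vault
# service account), 'domain.com' (UPN suffix).
$server        = 'EX16MBX01'
$database      = 'MBXDB01'
$vaultAccount  = 'DOMAIN\svc-vault'
$systemMailbox = "EVSystemMailbox-$server"

# Dedicated mailbox, homed on a database of the server it will serve.
New-Mailbox -Name $systemMailbox -UserPrincipalName "$systemMailbox@domain.com" `
    -Database $database -Password (Read-Host -AsSecureString 'System mailbox password')

# Do not hide it: the Vault Admin Console picks it from the address list.
Set-Mailbox -Identity $systemMailbox -HiddenFromAddressListsEnabled $false

# Send As is the only right asked for here; the broader permissions for the
# service account are set separately by SetEVExchangePermissions.ps1.
Add-ADPermission -Identity $systemMailbox -User $vaultAccount -ExtendedRights 'Send-As'

# Verify: exactly this one explicit extended right for this one account.
Get-ADPermission -Identity $systemMailbox -User $vaultAccount |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like 'Send-As' } |
    Select-Object Identity, User, ExtendedRights, Deny
```

Repeat it once per new Exchange 2016 server; the verification query is also what to run later when auditing which accounts hold Send As on the EV system mailboxes.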

It is better to move the Vault service account's mailbox to the Exchange 2016 server from the legacy server. This will not impact the EV archive process on the previous Exchange servers until the migration is complete.

Once this is done we need to run two PowerShell scripts on the new Exchange servers to set the throttling policy and permissions for the Enterprise Vault service account.

These scripts are present by default on the Enterprise Vault server, in the directory below.

E16ev8

All we need to do is copy these scripts to the Exchange 2016 server and run them as below.

To set the EV throttling policy, run the command below:
.\SetEVThrottlingPolicy.ps1 -User domain\username -Server mbxserver -Version 2013 -DomainController DCname

domain is the AD domain that the vault service account belongs to.
username is the vault service account.
mbxserver is the Exchange 2016 server name.

Version is 2013 currently, for the 2016 server as well.

To assign Exchange Server permissions to the vault service account, run the command below:
.\SetEVExchangePermissions.ps1 -User domain\username
domain is the AD domain that the vault service account belongs to
username is the vault service account
server name is the Exchange 2016 server name

Once the above procedure is completed, we need to create the target on the Enterprise Vault server for the new Exchange 2016 servers.

To do that:

Log in to the Enterprise Vault server with the Enterprise Vault service account.

Open the Vault Admin Console.

Navigate to Targets – Domain – Exchange Server – New – Exchange Server

E16EV

Proceed with the next option

E16EV1

Select the Exchange Mailbox Task

E16Ev2

Select the system mailbox to use. Here we need to choose the designated EV system mailbox that we created.

Once this is done, the targets for the new server are successfully created.

Now we need to create a task for each new Exchange 2016 server for the archiving to happen.

In order to do that, open the Vault Administration Console and navigate to Tasks – New – Exchange Mailbox Task.

Proceed with the next option.

Choose the newly provisioned Exchange 2016 server.

Once the new task for Exchange 2016 has been created we can schedule the archiving period, and the databases of those servers will be visible under the targets.

Do not make any changes to the concurrent connections and the logon accounts on the task service; it is better to leave them at their defaults.

After this is done we can move the mailboxes to Exchange 2016 from the previous version of Exchange Server. The provisioning group, targets and retention policies will remain the same for the mailboxes moved to the Exchange 2016 server.

Note: These steps are applicable only in an environment where Enterprise Vault is already configured on the legacy Exchange servers. They are useful when we need to enable archiving on newly introduced Exchange servers. For a new configuration of the environment, the Symantec configuration guide needs to be followed.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services

Exchange 2016 policy tips explained

Policy Tips are used to notify senders who are violating the company's security policies.
For example, if you have DLP configured on your Exchange to prevent users from sending credit card numbers, a Policy Tip can notify end users about the risk of sending the email, since it violates the company's compliance policy.

There is also an option to provide a business justification via the Policy Tip for the message you are sending. These Policy Tips are managed by the Exchange administrator.

What is the difference between MailTips and Policy Tips?

The Policy Tip configuration is applicable only to the DLP rules configured in your environment.

MailTips settings are specific to each Exchange account that you have configured Outlook to connect to. There is an option to set MailTips preferences for each account by selecting that account under "Apply to this account".

An example of a MailTip is shown below.

MailTips are an organization-level configuration which can be viewed by running the below command:

Get-OrganizationConfig | fl Mail*

How do Policy Tips and MailTips work?

EWS is the main component for both Policy Tips and MailTips.
The GetServiceConfiguration operation in EWS is responsible for retrieving the configuration information for Policy Tips and MailTips. The service configuration operation is defined in the EWS WSDL (Web Services Description Language).

The GetServiceConfiguration operation for Policy Tips returns the below:

PolicyNudges – policy nudges for display in your client.
PolicyNudgeRulesServiceConfiguration – contains the Policy Tip configuration data.
PolicyNudgeRulesConfigurationType – specifies the set of DLP rules and classification definitions that are sent to a client.
PolicyNudgeRulesType – specifies a collection of DLP rules.
PolicyNudgeRuleType – specifies a single DLP rule.

How Policy Tips function in the background:

a) The sender composes a new message and addresses it to a recipient.
b) During message composition the client submits a GetServiceConfiguration (PolicyNudges) request through Exchange Web Services. The request is submitted as a SOAP message over HTTPS.
c) Exchange Web Services receives this SOAP request, uses the information in it to authenticate the request, and then queries:
Active Directory – for the recipient. The Active Directory request is executed as an LDAP query.
Mailbox servers – to retrieve the DLP configuration and check the Policy Tip notification message configured for this DLP.
The Active Directory and mailbox servers then return the results to Exchange Web Services.
Exchange Web Services – returns the result to the client.
Client – will be able to see the Policy Tip information for the user account that is trying to compose an email which does not meet the company compliance policy according to the configured DLP.
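The request from step b), reproduced from an admin workstation as an added example (my own, not from the original post or Microsoft documentation): one GetServiceConfiguration call asks for both the MailTips and the PolicyNudges configuration, and the reply shows what the client would receive. The EWS URL and mailbox address are placeholders.

```powershell
# Added example (not from the original post or Microsoft documentation).
# Assumptions: the EWS URL and mailbox address are placeholders; the Windows account
# running this can open that mailbox, so it authenticates with -UseDefaultCredentials.
$ewsUrl  = 'https://mail.contoso.com/EWS/Exchange.asmx'   # placeholder
$mailbox = 'user1@contoso.com'                            # placeholder

# The SOAP request the client submits while composing. One GetServiceConfiguration
# call can request the MailTips and PolicyNudges configuration together.
$soap = @"
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header><t:RequestServerVersion Version="Exchange2013" /></soap:Header>
  <soap:Body>
    <m:GetServiceConfiguration>
      <m:ActingAs>
        <t:EmailAddress>$mailbox</t:EmailAddress>
        <t:RoutingType>SMTP</t:RoutingType>
      </m:ActingAs>
      <m:RequestedConfiguration>
        <m:ConfigurationName>MailTips</m:ConfigurationName>
        <m:ConfigurationName>PolicyNudges</m:ConfigurationName>
      </m:RequestedConfiguration>
    </m:GetServiceConfiguration>
  </soap:Body>
</soap:Envelope>
"@

$resp = Invoke-WebRequest -Uri $ewsUrl -Method Post -Body $soap `
    -ContentType 'text/xml; charset=utf-8' -UseDefaultCredentials -UseBasicParsing
[xml]$xml = $resp.Content

# Namespace-agnostic XPath, because the reply mixes the EWS types and messages namespaces.
$code = $xml.SelectSingleNode("//*[local-name()='ResponseCode']").InnerText
Write-Output "ResponseCode: $code"   # NoError when the request succeeded

$mailTips = $xml.SelectSingleNode("//*[local-name()='MailTipsEnabled']")
if ($mailTips) { Write-Output "MailTipsEnabled: $($mailTips.InnerText)" }

# Element names follow the type names listed above (PolicyNudgeRulesConfigurationType,
# PolicyNudgeRuleType); verify them against your server's reply if the count stays at 0.
$cfg = $xml.SelectSingleNode("//*[local-name()='PolicyNudgeRulesConfiguration']")
if ($cfg) {
    $rules = $cfg.SelectNodes(".//*[local-name()='PolicyNudgeRule']")
    Write-Output "DLP rules sent to the client: $($rules.Count)"
} else {
    Write-Output 'No PolicyNudgeRulesConfiguration element: no DLP Policy Tips apply to this mailbox.'
}
```

A ResponseCode other than NoError, or a rule count of 0 for a mailbox that should be covered, points at the DLP policy mode or the client-side Policy Tip setting described next.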

In order for Policy Tips to work in Outlook, the Policy Tip notification option shown below must be enabled on the client side.

To enable the Policy Tip for a DLP policy we need to select either Enforce or Test with Policy Tips on the DLP policy we created, as in the example below.

We can further customize the Policy Tip from the below options:

Notify only – shows an informative Policy Tip notification message about a policy violation, but the sender can still send the message.
Allow the sender to override – used with the "Block the message unless it's a false positive" and "Block the message, but allow the sender to override and send" actions.
Block the message – this text only appears when a "Block the message" action is initiated.
Link to compliance URL – this link is displayed in the Policy Tip when a user clicks the More details link.

Further, the Policy Tip configuration can be viewed by running the below command:

Get-PolicyTipConfig | fl
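The same setup done from the Exchange Management Shell, as an added example (mine, not from the original post): a DLP policy in Test with Policy Tips mode, a transport rule whose -NotifySender value selects one of the options listed above, and custom tip text that Get-PolicyTipConfig then shows. Policy, rule, locale and URL values are placeholders.

```powershell
# Added example (not from the original post). Placeholders: policy and rule names,
# the en locale and the compliance URL. Run in the Exchange Management Shell.
$dlpPolicy = 'Contoso PCI'
$ruleName  = 'PCI - credit card numbers outbound'

# 1. DLP policy in "Test with Policy Tips" mode (AuditAndNotify): users see the tip
#    while the rule is only audited. Switch to Enforce once the rule is tuned.
if (-not (Get-DlpPolicy -Identity $dlpPolicy -ErrorAction SilentlyContinue)) {
    New-DlpPolicy -Name $dlpPolicy -Mode AuditAndNotify | Out-Null
}

# 2. Transport rule bound to the policy. -NotifySender maps to the options above:
#    NotifyOnly, RejectUnlessFalsePositiveOverride, RejectUnlessExplicitOverride
#    (allow the sender to override with a justification) or RejectMessage.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName -DlpPolicy $dlpPolicy -Mode AuditAndNotify `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassifications @{Name = 'Credit Card Number'; MinCount = '1'} `
        -NotifySender RejectUnlessExplicitOverride | Out-Null
}

# 3. Custom Policy Tip text per locale\action, plus the compliance URL shown behind
#    "More details". Update if the entry exists, create it otherwise, so re-runs are safe.
$tips = @{
    'en\NotifyOnly'     = 'This message appears to contain a credit card number.'
    'en\RejectOverride' = 'Sending card numbers externally is blocked; an override needs a business justification.'
    'en\Reject'         = 'This message was blocked because it contains credit card numbers.'
    'Url'               = 'https://intranet.contoso.example/compliance'   # placeholder
}
foreach ($name in $tips.Keys) {
    if (Get-PolicyTipConfig -Identity $name -ErrorAction SilentlyContinue) {
        Set-PolicyTipConfig -Identity $name -Value $tips[$name]
    } else {
        New-PolicyTipConfig -Name $name -Value $tips[$name] | Out-Null
    }
}

# 4. Review the result, as in the command above.
Get-PolicyTipConfig | Format-List
```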

Note:

1. Policy Tips are available to people sending mail from Outlook 2013, Outlook Web App, or OWA for Devices.

2. Policy Tips aren't supported in Office 2010 or earlier versions of Office.

Thanks & Regards

Sathish Veerapandian
MVP – Office Server and Services