Ports and protocols Requirement for Exchange and Lync Server Deployment

Very often we get confused in a new deployment project when we are running into multiple issues and tasks. The most confusing part is the port requirements for internal, external and related services. I have consolidated a document of the port requirements for a new on-premises deployment of Lync and Exchange servers.

Lets have a look at the Lync server requirements first –

The following ports, for the respective protocol and direction, should be opened for a fully featured Lync-enabled user to work without problems.

| Port          | Protocol  | Direction     | Usage                                       |
|---------------|-----------|---------------|---------------------------------------------|
| 5060/5061     | TCP/UDP   | Bidirectional | SIP                                         |
| 1434          | UDP       | Bidirectional | SQL servers                                 |
| 443           | STUN/TCP  | Outgoing      | Audio, video, application sharing sessions  |
| 444           | HTTPS/TCP | Bidirectional | Lync Front End server                       |
| 443           | PSOM/TLS  | Outgoing      | Data sharing sessions                       |
| 3478          | STUN/UDP  | Outgoing      | Audio, video sessions, desktop sharing      |
| 5223          | TCP       | Outgoing      | Lync Mobile push notifications              |
| 50000 - 59999 | RTP/UDP   | Outgoing      | Audio, video sessions                       |
| 5067          | TCP/TLS   | Bidirectional | Incoming SIP requests for Mediation servers |
| 57501 - 65535 | TCP/UDP   | Bidirectional | Video conferencing                          |
| 8057, 8058    | TCP/TLS   | Bidirectional | Front End service                           |

 
For remote access to work for IM and presence, SIP traffic must be allowed to flow bidirectionally. Hence the ports need to be allowed as follows:

• Port 443 and 5061 from Internet to Access Edge External IP (bi-directional)
• Port 5061 from Edge Internal IP to Internal Network (bi-directional)

The Edge server should be accessible from the Internet over ports 443, 3478 and 5061.
The reverse proxy requires port 443 to be opened.
For a mobile access user outside the corporate network, the request hits the reverse proxy and is then sent to the Front End pool or Director. No user-level authentication is done on the reverse proxy.
It is always recommended to implement the Director server role for additional security: the Director offloads authentication and provides an extra layer of protection against DoS attacks.
The Director must be in the same subnet as the Front End servers, which is in the private network. It should not be in the perimeter network or DMZ.

 
Below is the flow of mobile application requests for the Mobility Service:

All external user Lync login requests from mobile devices –> go through the reverse proxy server –> then to the Edge server –> and hit the Front End pool.
Lync Server gets the user information from the Autodiscover service, which then returns all the web services URLs for the user's home pool, including the Mobility Service URLs.

Below is a list of additional features that require external access through a reverse proxy for users accessing them externally. We need to validate them once the deployment is completed.

1) Enabling external users to download meeting content for any meetings.
2) Enabling external users to expand distribution groups.
3) Enabling remote users to download files from the Address Book service.
4) Accessing the Microsoft Lync Web App client.
5) Accessing the Dial-in Conferencing Settings webpage.
6) Accessing the Location Information service.
7) Enabling external devices to connect to Device Update web service and obtain updates.

Now we will look at the port requirements for Exchange servers as well.

Port requirements for Exchange on-premises servers (applies to Exchange 2010 and 2013):

| Port      | Protocol   | Direction     | Usage                                            |
|-----------|------------|---------------|--------------------------------------------------|
| 25        | SMTP       | Bidirectional | Sending and receiving email                      |
| 50636     | TCP        | Bidirectional | From Hub to Edge and vice versa                  |
| 135       | TCP/RPC    | Outgoing      | Hub to Mailbox via MAPI                          |
| 80/443    | HTTP/HTTPS | Bidirectional | Autodiscover                                     |
| 993       | TCP        | Incoming      | IMAP                                             |
| 995/110   | TCP        | Incoming      | POP3 (one of the two, depending on configuration)|
| 5075-5077 | TCP        | Incoming      | CAS to OCS communications                        |
| 5061      | TCP        | Outgoing      | CAS to OCS communications                        |

 

For OWA and Outlook Anywhere, port 443 should be opened on the firewall.
For IMAP, port 993 should be opened on the firewall. Port 25 should be opened on the firewall for both internal and external Internet mail flow.

I think most of the port requirements for Lync and Exchange deployments have been covered above. Feel free to comment or correct me if anything needs to be added or corrected.

Also Refer – http://social.technet.microsoft.com/wiki/contents/articles/28141.ports-and-protocols-requirement-for-exchange-and-lync-server-deployment.aspx

References:

http://technet.microsoft.com/en-us/library/gg398833.aspx

http://technet.microsoft.com/en-us/library/bb331973.aspx

http://support.microsoft.com/kb/2409256#VerifyNetworkRequirements

http://support.microsoft.com/kb/2423848

http://technet.microsoft.com/en-us/library/gg425727

Thanks 
Sathish Veerapandian

MVP – Exchange Server

PortQueryUI – GUI tool that can be used for troubleshooting port connectivity issues

At times we run into scenarios where a user is unable to access any Exchange, Lync, Mobility or related external user access functionality. This can happen in multiple scenarios, such as a new deployment, a firewall upgrade, a switch replacement or a network change.

Microsoft has a graphical tool called PortQueryUI which can be used to troubleshoot these kinds of port connectivity issues.

The functionality of PortQueryUI is explained below.

Download the tool from the link below –

http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe

Accept the license agreement and proceed. You will then be asked to choose a location to unzip the files.

 

PortQuery

Now we can open the PortQueryUI application. There is no need to install it; it opens the GUI as shown below.

It is better to run this tool from the affected machine/server where the issue is experienced, and then specify the destination IP of the server we cannot reach.

We can see there are two types of query.

1) Query predefined service – this has a few predefined services such as SQL, Web Service, Exchange etc. When we choose a predefined service it queries all the required ports and provides the result.

portquery3

2) Manually input query ports – this can be used to query any specific ports on UDP, TCP or both, as shown below.

portquery2

There is also an option called predefined services in the Help tab which shows the list of ports queried for any specific service we choose.

portquery4

 

Below is an example of the set of predefined services it queries for Exchange.

portquery6

 

It has an option to save the query result, as shown below. It also allows the end user to customize config.xml or provide a config input file with their own list of services to query. The config file should follow the same format as config.xml, since only XML input is accepted.

PortQuery5

 

This tool can be used to query open ports in any kind of troubleshooting scenario.
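When the GUI is not at hand (a server core box, or a check you want to repeat from several clients), the same "predefined service" idea can be scripted. The block below is an added example, not a tool from the original posts: it takes its port lists from the Lync and Exchange tables in the first article and reports, per TCP port, whether the target answers, refuses, or stays silent (the silent case is what a firewall drop looks like). The server names in the usage line are placeholders. UDP ports such as 3478 and 1434 cannot be verified with a TCP connect, so they are only listed as reminders; use PortQueryUI or an application-level test for those.

```powershell
# Added example (not from the original posts): scripted port reachability check
# in the spirit of PortQueryUI's predefined services. Port lists are taken from
# the tables in the first article; server names are placeholders.

$PredefinedServices = @{
    'Exchange'         = @{ Tcp = @(25, 80, 443, 110, 993, 995, 135); Udp = @() }
    'LyncFrontEnd'     = @{ Tcp = @(443, 444, 5060, 5061, 5067, 8057, 8058); Udp = @(3478) }
    'LyncEdgeExternal' = @{ Tcp = @(443, 5061); Udp = @(3478) }
}

function Test-TcpPort {
    # LISTENING     : TCP handshake completed
    # NOT LISTENING : the host answered with a refusal (reachable, nothing bound)
    # FILTERED      : no answer before the timeout, the usual sign of a firewall drop
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    try { [void][System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { return 'NAME NOT RESOLVED' }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED'
        }
        $client.EndConnect($async)
        return 'LISTENING'
    }
    catch [System.Net.Sockets.SocketException] {
        return 'NOT LISTENING'
    }
    catch {
        return "ERROR: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}

function Test-PredefinedService {
    # One row per port of the chosen service, like the PortQueryUI result pane
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Exchange', 'LyncFrontEnd', 'LyncEdgeExternal')] [string] $Service
    )
    $svc = $PredefinedServices[$Service]
    foreach ($p in $svc.Tcp) {
        [pscustomobject]@{
            Target = $ComputerName; Service = $Service; Protocol = 'TCP'; Port = $p
            Result = Test-TcpPort -ComputerName $ComputerName -Port $p
        }
    }
    foreach ($p in $svc.Udp) {
        [pscustomobject]@{
            Target = $ComputerName; Service = $Service; Protocol = 'UDP'; Port = $p
            Result = 'NOT TESTED (UDP: use PortQueryUI or an application-level test)'
        }
    }
}

# Usage (placeholder host names): run from the affected client, against the server it cannot reach
Test-PredefinedService -ComputerName 'lyncfe01.contoso.local' -Service LyncFrontEnd | Format-Table -AutoSize
Test-PredefinedService -ComputerName 'mail.contoso.local'    -Service Exchange     | Format-Table -AutoSize
```

Run it from the client side of the path you are diagnosing, the same way the post recommends for PortQueryUI: a port that shows LISTENING from the server itself but FILTERED from the client points at the firewall or switch in between rather than at the service.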

Also published in – http://social.technet.microsoft.com/wiki/contents/articles/27661.portqueryui-gui-tool-that-can-be-used-for-troubleshooting-port-connectivity-issues.aspx

References – http://windowsitpro.com/windows/gui-tool-displays-status-tcp-and-udp-ports

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Steps to Delete Circulated Suspicious Emails with Search-Mailbox

In this article we will have a look at the steps to identify spam emails circulated in an environment. When a user suspects a spam email and informs the IT team, the first thing that comes to an admin's mind is whether the email has been circulated to everyone or not.

There are multiple scenarios in which spam messages can be circulated in an environment:

  • From a single spam source email address to a single recipient.
  • From a single spam email address to multiple recipients.
  • From multiple spam email addresses to multiple recipients with different subject lines.

It is always better to search the whole organization to make sure the emails have not been circulated to all users.

The easiest way to identify the spam emails is to run a search with the subject line so that all the affected mailboxes can be identified.

Now we will have a look at the steps to perform this with the Search-Mailbox command.

First we need to add the user who is going to perform this task to the Discovery Management role group. This is required to use the Search-Mailbox command; without it the user won't be able to run the search.

Next, create a new role group as below. We need this in order to export/import the contents from the source mailbox and copy them to the target mailbox. Run the commands below to create the role group if it does not exist already. If the import/export role group already exists, just add the user who is going to perform this action to that role group.

To create: New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
To add a user: Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator

newsearch5

Even if a single user suspects a virus message, it is better to search the whole organization to make sure the email has not been circulated to others. Now run the command below to search for the virus email throughout the organization. In our example we are going to identify an infected email with the subject "Virus Infected".

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full

NewSearch1

Once we run the command we can see the search start, as shown in the screenshot above. The search may take some time depending on the environment and the number of mailboxes we have.

Upon successful completion of the search we can see the logs and the emails in the zip file attached, as shown in the screenshot.

newsearch2

Now run the command below to search for the infected emails and delete all of them across the whole organization:

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full

newsearch4

Once it identifies the affected emails it asks for confirmation, as shown in the screenshot above, before deleting the suspected emails.

Apart from the above, as an additional security check we can also run message tracking with the subject across the whole organization to see to whom the infected emails were delivered and ensure all of them have been deleted.

Run the command below to perform message tracking by subject in the whole organization. In our case we are using the subject "Virus Infected".

Get-ExchangeServer | Where-Object {$_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true} | Get-MessageTrackingLog -MessageSubject "Virus Infected" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp

newsearch6

Important note:

Please add your account to the Discovery Management role group for the Search-Mailbox command to work.

Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator

The above method can be used to identify and delete any circulated spam email in our organization.
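The message-tracking check above tells you who received the message; the search tells you where it was found. The two are easiest to compare when joined per mailbox. The block below is an added example, not part of the original post: it collects the DELIVER events for the subject, then runs a count-only Search-Mailbox against each delivered-to mailbox so that a copy the first pass missed (moved, delivered after the search ran, or in a mailbox the search skipped) shows up as a non-zero Remaining count. It assumes the Exchange Management Shell and the Discovery Management and Mailbox Import Export memberships described above; the subject and lookback window are the only inputs.

```powershell
# Added example (not the post's own commands): reconcile message-tracking
# recipients against what is still present in each mailbox.
function Get-SuspiciousMailResidue {
    param(
        [Parameter(Mandatory = $true)] [string] $Subject,
        [int] $LookbackHours = 72
    )
    $start = (Get-Date).AddHours(-$LookbackHours)

    # 1. Every DELIVER event for the subject, from the servers that keep tracking logs
    #    (Mailbox servers on 2013, Hub Transport servers on 2010)
    $deliveries = Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
        Get-MessageTrackingLog -Start $start -MessageSubject $Subject -EventId DELIVER -ResultSize Unlimited
    $recipients = @($deliveries | ForEach-Object { $_.Recipients } | Sort-Object -Unique)

    # 2. For each delivered-to mailbox, count matching items still present.
    #    -EstimateResultOnly only counts; it copies nothing and deletes nothing.
    foreach ($addr in $recipients) {
        $mbx = Get-Mailbox -Identity $addr -ErrorAction SilentlyContinue
        if (-not $mbx) { continue }   # contact, distribution list or external address
        $est = Search-Mailbox -Identity $mbx.Identity -SearchQuery "Subject:`"$Subject`"" -EstimateResultOnly
        [pscustomobject]@{
            Mailbox   = "$($mbx.PrimarySmtpAddress)"
            Delivered = @($deliveries | Where-Object { $_.Recipients -contains $addr }).Count
            Remaining = [int]$est.ResultItemsCount
        }
    }
}

# Usage: anything with Remaining > 0 still holds a copy and needs a second pass with
# the -DeleteContent search from the post, scoped to just those mailboxes.
$residue = @(Get-SuspiciousMailResidue -Subject 'Virus Infected')
$residue | Sort-Object Remaining -Descending | Format-Table -AutoSize
$residue | Where-Object { $_.Remaining -gt 0 } | Select-Object -ExpandProperty Mailbox
```

The Delivered column is also worth a glance on its own: a recipient with several deliveries of the same subject has usually been sent the message more than once, which is exactly the "multiple spam addresses to multiple recipients" scenario listed at the top of the article.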

Thanks

Sathish Veerapandian

MVP – Exchange Server

Admin Audit Logging in Exchange 2013

With admin audit logging enabled we can keep track of the organizational and user-level changes made in an environment. This gives us more information if we need to track a major change and find out who made it.

By default admin audit logging is enabled in a new installation of Exchange 2013. We can maintain a list of audited cmdlets so that any administrator who runs a cmdlet in that list is captured in the logs. This gives us closer security control over the messaging environment. We can also exclude a few cmdlets from admin audit logging so that they are not captured in the logs.

By default all cmdlets are logged once logging is enabled, except the Get, Search and Test cmdlets, which means Get, Search and Test cmdlets are not captured in the audit logs. This can be modified with the AdminAuditLogCmdlets parameter. Each cmdlet to be monitored or excluded can be specified individually.

Now let's have a look at enabling and modifying the admin audit logging properties.

Run the command below to check the audit logging properties:

Get-AdminAuditLogConfig

Aud

 

The parameters I have highlighted in the red box are the main things we need to concentrate on.

As we can see, AdminAuditLogCmdlets has the value *, which means it logs all cmdlets except Search and Get. We can also see that AdminAuditLogExcludedCmdlets is null, so there are no exclusions set by default.

I can enable logging only for a few important org-level commands by setting a value in AdminAuditLogCmdlets.

Let's say I want to exclude only a few cmdlets which admins need for daily operations; I can add them to AdminAuditLogExcludedCmdlets.

Here is an example. The command below creates and tracks logs only for changes made to accepted domains, send connectors and mailbox database mounts:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "New-AcceptedDomain,Set-SendConnector,Dismount-Database"

Note: to add multiple values, specify the cmdlets in quotation marks separated by commas, as shown in the screenshot.

actual

Now we can see only the values below in the logged cmdlets:

actual1

The value below excludes logging for Set-Mailbox, Disable-Mailbox and Enable-Mailbox in our example:

Set-AdminAuditLogConfig -AdminAuditLogExcludedCmdlets "Set-Mailbox,Disable-Mailbox,Enable-Mailbox"

AUD3

Now we can see only the values below in the excluded cmdlets:

AUD4

We have configured admin audit logging now. All changes made with the cmdlets listed in AdminAuditLogCmdlets will be stored.

Where do these logs get stored?

From Exchange 2010 SP1 the audit mailbox is created automatically when we enable audit logging, which is more secure. It creates an admin audit logs folder in the audit mailbox and stores the logs there. Even admins do not have access to this audit mailbox. The audit mailbox account is disabled by default. Even if an admin finds a way to access this audit mailbox, traces of that access are logged; there is no way to access it without leaving a history.

Below are examples of searching the admin audit log.

The commands below help find admins who recently dismounted a database or made changes to the send connector configuration:

Search-AdminAuditLog -Cmdlets Dismount-Database | ft RunDate,Caller,ObjectModified

Search-AdminAuditLog -Cmdlets Set-SendConnector | ft RunDate,Caller,ObjectModified

If during an outage you need to record what you did in these logs, you can use the Write-AdminAuditLog command to make an entry, so that the entry is made in your name and can be found later. Below is an example:

Write-AdminAuditLog -Comment "Ran Dismount-Database and Mount-Database"

Overall it is very useful for monitoring organizational changes.
If we run these searches once a month, we can monitor the organizational and server-level changes done by admins.
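The once-a-month review suggested above is easier to keep up when it is a script rather than a handful of ad-hoc searches. The block below is an added example, not part of the original post: it summarises the last 30 days of the admin audit log by caller and cmdlet (with failed attempts counted separately), pulls out the org-level cmdlets the post chose to watch, and adds Set-AdminAuditLogConfig to that watch list, since a change to the audit configuration itself is the one entry you never want to miss. It assumes the Exchange 2010 SP1 or 2013 Management Shell; the recipient address in the last line is a placeholder.

```powershell
# Added example (not from the post): monthly review of the admin audit log.
function Get-AdminChangeSummary {
    # Who ran which cmdlet, how often, how many attempts failed, and what was touched
    param([int] $Days = 30)
    $entries = Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ResultSize 250000
    $entries | Group-Object Caller, CmdletName | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            Caller  = $g[0].Caller
            Cmdlet  = $g[0].CmdletName
            Runs    = $g.Count
            Failed  = @($g | Where-Object { -not $_.Succeeded }).Count
            Objects = (@($g | ForEach-Object { $_.ObjectModified } | Sort-Object -Unique) -join '; ')
        }
    } | Sort-Object Runs -Descending
}

function Get-OrgLevelChange {
    # The cmdlets the post watches, plus the one that would switch the watching off
    param([int] $Days = 30)
    $watch = 'New-AcceptedDomain', 'Set-AcceptedDomain', 'Remove-AcceptedDomain',
             'New-SendConnector', 'Set-SendConnector', 'Remove-SendConnector',
             'Dismount-Database', 'Mount-Database',
             'Set-AdminAuditLogConfig'
    Search-AdminAuditLog -Cmdlets $watch -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ResultSize 250000 |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, OriginatingServer |
        Sort-Object RunDate
}

Get-AdminChangeSummary -Days 30 | Format-Table -AutoSize
Get-OrgLevelChange     -Days 30 | Format-Table -AutoSize

# The same window as an asynchronous search whose XML result is mailed to the
# reviewers (placeholder address), so the review does not depend on someone
# remembering to run it.
New-AdminAuditLogSearch -Name 'Monthly admin changes' -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -StatusMailRecipients 'security-team@contoso.com'
```

Search-AdminAuditLog returns at most 1000 entries unless -ResultSize is raised (250000 is the ceiling), which is why both functions set it explicitly; on a busy organization the default silently truncates the month.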

Thanks
Sathish Veerapandian
MVP - Exchange Server

Script to identify the users forwarding, redirecting and forward as attachment emails to external ids

It is always difficult to protect sensitive emails from being leaked out of an organization. To avoid this there are a few things that can be blocked in the global settings on the server side.

If the auto-forward and auto-reply options are enabled on the default remote domain, any user can create an external contact in his local Outlook profile and forward all his emails to his external IDs. This is another way sensitive data can be leaked out of the organization.

The default remote domain should have auto-forward and auto-reply disabled. That is the recommended configuration.

We need to disable the auto-forward and auto-reply options in the default remote domain. If we are forwarding emails to trusted partners or vendors through an application, we can create a custom remote domain for them and enable auto-forwarding for that particular remote domain alone. By doing this no end user will be able to redirect, forward or forward-as-attachment their internal emails to their external IDs.

We can check this by running the command below:

Get-RemoteDomain | ft Auto*

Autoreply

If it is enabled, run the commands below to disable it:

Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-RemoteDomain -Identity Default -AutoReplyEnabled $false

Recently I was looking for a solution to this kind of issue and came up with the idea of a script that pulls out users who have redirect, forward or forward-as-attachment options enabled in their Outlook rules.

I have created a script for this. The script below runs on all mailboxes in the entire organization, pulls out users who have external forwarding rules set, and then emails the result to the administrator as a CSV, so he can see who has this option enabled.

***************************************************

Set-ADServerSettings -ViewEntireForest $true

# Rules that forward, redirect or forward as attachment, across every mailbox
$rules = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    Get-InboxRule -Mailbox $mbx.DistinguishedName |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.RedirectTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) } |
        Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}

# One CSV for the whole organization, written after the loop
$rules | Export-Csv d:\ForwardRule.csv -NoTypeInformation

Send-MailMessage -To alias@domain.com -Cc alias@domain.com -From anyid@domain.com -Subject "Forward To" -Attachments d:\ForwardRule.csv -SmtpServer specifytransportserver

*******************************************************

Copy the above text into Notepad and save it as a .ps1 file. Navigate to the location where you saved it and execute it.

Things you need to modify in the above script:

Set the drive location for the CSV file to the place where you wish to save it.

In the To and Cc fields, give the users to whom the report should be sent.

For the From address, specify the address it should be sent from, and give a Mailbox server as the SMTP server if it is Exchange 2013, or a Hub Transport server if it is 2010 or 2007.

Here is the example:

Copy the code into a text file and save it in .ps1 format.

Navigate to the location and run it.

Rules5

 

Received the email

rules4

 

 

When we open the CSV file, the output shows the users who have ForwardTo, RedirectTo or ForwardAsAttachmentTo set in Outlook rules for external IDs.

Rules3

 

Note:

This script pulls out rules from a user's mailbox only if they are enabled. If the user has created a rule and temporarily disabled it, it won't fetch that information.
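The script above lists every forwarding rule; deciding which of them actually leave the organization is left to whoever reads the CSV. The block below is an added example, not the post's script, and goes a little beyond it: it compares each rule target against the organization's accepted domains so that only external targets are reported, includes the rule's Enabled flag in the output, and also checks mailbox-level forwarding (the ForwardingSmtpAddress a user can set in OWA options or an admin with Set-Mailbox), which never appears as an inbox rule. It assumes the Exchange 2010 or 2013 Management Shell; the output path is a placeholder.

```powershell
# Added example (not the post's script): external-only forwarding report
# covering inbox rules and mailbox-level forwarding.
Set-ADServerSettings -ViewEntireForest $true

# Accepted domains, lower-cased and without a leading "*." for subdomain entries
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".TrimStart('*.').ToLower() })

function Get-ExternalTarget {
    # Rule targets are strings such as  "Jane Doe" [SMTP:jane@example.net]  for
    # SMTP recipients or  "Jane Doe" [EX:/o=Contoso/...]  for internal ones.
    # Returns only the SMTP addresses whose domain is not an accepted domain.
    param([string[]] $Targets)
    foreach ($t in $Targets) {
        if ($t -and ($t -match '\[SMTP:([^\]]+)\]')) {
            $addr   = $Matches[1]
            $domain = $addr.Split('@')[-1].ToLower()
            if ($internalDomains -notcontains $domain) { $addr }
        }
    }
}

function Get-ExternalForwarding {
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress, or the user in OWA)
        if ($mbx.ForwardingSmtpAddress) {
            $fwd = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
            if ($internalDomains -notcontains $fwd.Split('@')[-1].ToLower()) {
                [pscustomobject]@{
                    Mailbox = "$($mbx.PrimarySmtpAddress)"; Source = 'ForwardingSmtpAddress'; Rule = ''
                    Enabled = $true; KeepsCopy = $mbx.DeliverToMailboxAndForward; ExternalTargets = $fwd
                }
            }
        }
        # Inbox rules, enabled or disabled; forward keeps a copy, redirect does not
        foreach ($rule in @(Get-InboxRule -Mailbox $mbx.DistinguishedName)) {
            $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
            $ext = @(Get-ExternalTarget -Targets $targets)
            if ($ext.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = "$($mbx.PrimarySmtpAddress)"; Source = 'InboxRule'; Rule = $rule.Name
                    Enabled = $rule.Enabled; KeepsCopy = (@($rule.ForwardTo).Count -gt 0)
                    ExternalTargets = ($ext -join '; ')
                }
            }
        }
    }
}

$findings = @(Get-ExternalForwarding)
$findings | Export-Csv -Path 'D:\ExternalForwarding.csv' -NoTypeInformation   # placeholder path
$findings | Format-Table -AutoSize
```

The accepted-domain comparison is what turns the list into something actionable: a rule that forwards to a colleague is noise, a rule that redirects to a webmail address is the case the remote-domain setting above is meant to stop, and a ForwardingSmtpAddress pointing outside the organization is worth a conversation with the mailbox owner whether or not any rule exists.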

 

Thanks

Sathish Veerapandian

MVP – Exchange Server

Product Review: SPAMfighter Exchange Module

Protecting the IT infrastructure from spam mail, malicious code and malware is one of the most important and challenging tasks and needs constant monitoring. There are different types of spam attack through which a user can try to crack the perimeter network of an organization and intrude to inject malicious code or phishing emails. The most widely used method for circulating spam is email, through which unwanted emails, large volumes of spam, reverse NDR attacks etc. are circulated, adversely affecting the productivity of an organization.

It is always better to have two or more stages of anti-spam filtering in any organization to ensure spam never reaches our network, especially the messaging system.

Microsoft has built-in anti-spam features, available from Exchange 2003 onwards, which work well and are accurate in filtering spam. It is always recommended to have them enabled as additional security along with the other spam configurations and settings in an environment.

But we always need to be aware of all the spam filtering settings configured at every level in our organization, as an incorrect configuration can interrupt end users sending and receiving email.

I recently walked through one of the most recent versions of the additional spam security product SPAMfighter and was impressed with the configuration, options and user-friendliness of the product.

In this article let's walk through the installation and a few functionalities of the SPAMfighter Exchange Module.

What is SPAMfighter ?

It is an add-on to Exchange Server that fully integrates with it and offers anti-spam protection. It works with Exchange 2000, 2003, 2007, 2010 and 2013.

How does it work?

SPAMfighter administration is managed through a web interface which is user-friendly and has many options to explore.

It integrates fully with Microsoft Exchange Server. It creates its own security groups and user account in AD which integrate with the Exchange servers. This makes policy management easier and gives separate control over SPAMfighter. We can also designate an individual to take care of these tasks who has control only over this software.

Prerequisites

There are no prerequisites for installing this software; I ran it from a member server (Windows Server 2008). The only thing I noticed was that it required the Microsoft Visual C++ runtime, which it prompted for, found on its own and installed, which made my job simple.

Installation

The product can be downloaded from here:

http://www.spamfighter.com/SPAMfighter/Product_SEM.asp

It is a 30-day trial version and should be downloaded onto a Windows Server.

The installation was pretty standard, like any other software, and it prompted me for the latest virus definition updates, so I will not walk through the entire setup.

One interesting thing I found during the installation was that it asked for a user name and password for SPAMfighter administration and automatically created the respective AD account to integrate with the Exchange modules.

 

s1

 

Once the installation is done you can open the web console through Add or Remove Programs; select SPAMfighter and the web console opens as below.

Give the user name and password provided during installation.

S2

 

I was astonished to see so many options.

S3

 

In addition to administration from the server side, SPAMfighter has an Outlook add-in as well, which users can install to further customize filtering on their own.

s4

 

 

It has good policies which can filter at various levels, as shown below.

I can see policies defined for inbound, outbound and internal emails.

I could also see policy filter settings at the user level, which is very good.

s5

 

All users can be modified individually as well.

s6

 

 

Finally, a statistics report can also be pulled which shows a graphical view of filtered emails, as below.

s7

 

Cost Factor

Like most apps that integrate with Exchange and license per user, SPAMfighter also has a per-user licensing cost for one year. However, the cost per user reduces considerably for organizations with more than 2500 users.

You can view the pricing list here:

http://www.spamfighter.com/SPAMfighter/Payment_Choose_Product_SEM.asp

Conclusion 

Overall the SPAMfighter product is very user-friendly, and the latest version has effective new features which integrate with Exchange servers for better spam filtering.

Thanks 

Sathish Veerapandian 

MVP – Exchange Server

OWA,EWS configuration in Exchange 2013/2007 coexistence

We need to consider a few factors while planning coexistence between Exchange 2013 and legacy Exchange servers, especially Exchange 2007, and we might run into some confusion. In this article I will mention a few key points which need to be considered while planning Exchange 2007 and 2013 coexistence for the OWA and EWS setup.

In coexistence between Exchange 2013 and a legacy version, requests are handled in two ways:
For Exchange 2010 – Exchange 2013 proxies OWA and EWS requests for users on Exchange 2010.
For Exchange 2007 – Exchange 2013 redirects OWA and EWS requests for users on Exchange 2007.

When a user with an Exchange 2007 mailbox logs in externally through OWA, the request goes to Exchange 2013. Exchange 2013 then needs to redirect this connection to the Exchange 2007 server.

To do this, Exchange 2013 requires a dedicated external host name configured on the Exchange 2007 servers for the services accessed externally. So the external and internal host names of the Exchange 2007 server need to be different from the host names of the Exchange 2013 server and need to point to the Exchange 2007 server.

It is better to use the Exchange Server Deployment Assistant, which gives much clearer information. If you are still confused, remember the following key points.

First, all the service URLs need to be pointed from Exchange 2007 to the Exchange 2013 CAS server. The Exchange 2013 CAS server will redirect the connections to the Exchange 2007 server.

Legacy names:
Configure the following legacy host names for the services below in Exchange 2007:

OwaVirtualDirectory – Create https://ExternalLegacyHostName/owa
WebServicesVirtualDirectory – Create https://ExternalLegacyHostName/EWS/Exchange.asmx
UMVirtualDirectory – Create https://ExternalLegacyHostName/UnifiedMessaging/Service.asmx
OABVirtualDirectory – Create https://ExternalLegacyHostName/OAB
ActiveSyncVirtualDirectory – Create https://InternalLegacyHostName/Microsoft-Server-ActiveSync

 

Planning internal and external OWA URLs

For the Exchange 2013 OWA URL: use the same old URL for OWA access to Exchange 2013 and change the IP address internally from Exchange 2007 to E15.
Change the external OWA URL and redirect the connections to the Exchange 2013 CAS.

For the Exchange 2007 OWA URL:

Create legacy.domain.com for external OWA users.
Create legacy.domain.com for internal OWA users.

Below is an example of modifying the OWA URL:

On Exchange 2013 point the ExternalUrl 'mail.contoso.com' to the Exchange internet-facing CAS server.
On Exchange 2007 create the ExternalUrl as 'legacy.contoso.com'.

 

Certificates:

All the required SAN entries for UM, web services and ActiveSync should be created.
Add the external OWA legacy URL to the public certificate and install it on both Exchange 2007 and Exchange 2013; only then will OWA redirection work.
You need to include the internal legacy.domain.com name on the Exchange 2007 certificate for OWA coexistence.

The following changes need to be made on the firewall:

The external OWA URL should be directed to the Exchange 2013 internet-facing CAS.

The external EWS URL should be directed to the Exchange 2013 internet-facing CAS.

The external Autodiscover URL should be directed to the Exchange 2013 CAS.
The external ActiveSync virtual directory should be directed to the Exchange 2013 CAS.

The external UM virtual directory should be directed to the Exchange 2013 CAS.

Create a new NAT rule on the firewall for legacy.domain.com to the Exchange 2007 CAS. By doing this, users with a mailbox on Exchange 2007 will be able to log on directly using the URL https://legacy.domain.com/owa.

 

External and internal DNS settings

Public DNS – map all your external public DNS records (EWS, OWA, ActiveSync etc.) to your Exchange 2013 public IP, if you have a dedicated one for 2013, or to the FQDN of your internet-facing CAS server.
Example:
Current external OWA URL (contoso.domain.com) – point it to the dedicated Exchange 2013 public IP or the internet-facing Exchange 2013 CAS FQDN.
Current external Autodiscover – point it to the dedicated Exchange 2013 public IP or the internet-facing Exchange 2013 CAS FQDN.

Internal DNS – configure Exchange 2007 to point the SCP AutoDiscoverServiceInternalUri to the Exchange 2013 Client Access FQDN, by changing the DNS entry for autodiscover.domain.com to the Exchange 2013 CAS server IP address.

The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server.
Make sure that legacy.contoso.com resolves to CAS2007 in both internal and external DNS.

Authentication settings:

This part is a little bit tricky. You need to plan according to your organization. If you have FBA configured on a TMG or ISA server then you need to configure accordingly.
Set the OWA virtual directory authentication only to Basic on Exchange 2007.
On Exchange 2013 set the OWA virtual directory to only Windows authentication, only forms-based authentication, or only Basic (no redirection, SSL enabled), depending on your setup.

Things to check:

If you have redirection configured in IIS on the Exchange 2007 server, make sure that the above virtual directories do not have it configured.

If you have FBA enabled on ISA or TMG then disable FBA on the Exchange 2013 CAS, else users will be prompted twice for authentication.
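The settings above are spread over the virtual directories of two Exchange versions, the SCP, the certificate and DNS, which is where coexistence projects usually lose a step. The block below is an added example, not the post's own commands: it applies the legacy host names to the Exchange 2007 virtual directories and the primary name to Exchange 2013 as the article describes, points the 2007 SCP at the 2013 Autodiscover endpoint, sets 2007 OWA to Basic for the TMG/ISA forms-based case, and finishes with a check that every name resolves and is present on the certificate bound to IIS. The server names CAS2007 and CAS2013 are placeholders; the host names mail.contoso.com, legacy.contoso.com and autodiscover.contoso.com follow the article. Run the 2007 part from the Exchange 2007 Management Shell and the 2013 part from the 2013 shell.

```powershell
# Added example (not the post's own commands): the coexistence settings as one script.
$Cas2007         = 'CAS2007'     # placeholder Exchange 2007 CAS
$Cas2013         = 'CAS2013'     # placeholder Exchange 2013 CAS
$LegacyHost      = 'legacy.contoso.com'
$PrimaryHost     = 'mail.contoso.com'
$AutodiscoverUri = 'https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml'
$site            = 'Default Web Site'

# --- Exchange 2007: legacy host names on the virtual directories ---
Set-OwaVirtualDirectory         -Identity "$Cas2007\owa ($site)"              -ExternalUrl "https://$LegacyHost/owa" -InternalUrl "https://$LegacyHost/owa"
Set-WebServicesVirtualDirectory -Identity "$Cas2007\EWS ($site)"              -ExternalUrl "https://$LegacyHost/EWS/Exchange.asmx" -InternalUrl "https://$LegacyHost/EWS/Exchange.asmx"
Set-UMVirtualDirectory          -Identity "$Cas2007\UnifiedMessaging ($site)" -ExternalUrl "https://$LegacyHost/UnifiedMessaging/Service.asmx"
Set-OabVirtualDirectory         -Identity "$Cas2007\OAB ($site)"              -ExternalUrl "https://$LegacyHost/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Cas2007\Microsoft-Server-ActiveSync ($site)" -InternalUrl "https://$LegacyHost/Microsoft-Server-ActiveSync"

# SCP: 2007 Outlook clients are sent to the 2013 Autodiscover endpoint
Set-ClientAccessServer -Identity $Cas2007 -AutoDiscoverServiceInternalUri $AutodiscoverUri

# 2007 OWA authentication when TMG/ISA performs the forms-based logon (Basic only, as the post says)
Set-OwaVirtualDirectory -Identity "$Cas2007\owa ($site)" -BasicAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false

# --- Exchange 2013: primary host name on the internet-facing CAS ---
Set-OwaVirtualDirectory         -Identity "$Cas2013\owa ($site)" -ExternalUrl "https://$PrimaryHost/owa"
Set-WebServicesVirtualDirectory -Identity "$Cas2013\EWS ($site)" -ExternalUrl "https://$PrimaryHost/EWS/Exchange.asmx"
Set-ClientAccessServer          -Identity $Cas2013 -AutoDiscoverServiceInternalUri $AutodiscoverUri

# --- Checks: does every name resolve, and is it on the certificate bound to IIS? ---
function Test-CoexistenceName {
    param(
        [Parameter(Mandatory = $true)] [string[]] $HostName,
        [Parameter(Mandatory = $true)] [string]   $Server     # 2010/2013 server to read the certificate from
    )
    $iisCert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    foreach ($h in $HostName) {
        $ips = @()
        try { $ips = @([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) } catch { }
        [pscustomobject]@{
            Host        = $h
            ResolvesTo  = ($ips -join ', ')
            OnIISCert   = [bool]($iisCert -and ($iisCert.CertificateDomains -contains $h))
            CertExpires = if ($iisCert) { $iisCert.NotAfter } else { $null }
        }
    }
}

Test-CoexistenceName -HostName $PrimaryHost, $LegacyHost, 'autodiscover.contoso.com' -Server $Cas2013 | Format-Table -AutoSize
```

Run the check from inside the network and again from a host that uses public DNS: the article's requirement is that the legacy name resolves to the 2007 CAS in both places, and a name that resolves internally but is missing from the public certificate is the usual cause of an OWA redirection that works for admins and fails for everyone else.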

References:

http://technet.microsoft.com/en-us/library/jj898581(v=exchg.150).aspx

Checklist: Upgrade from Exchange 2007
http://technet.microsoft.com/en-us/library/ff805032(v=exchg.150).aspx

Install Exchange 2013 in an Existing Exchange 2007 Organization
http://technet.microsoft.com/en-us/library/jj898582(v=exchg.150).aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-2-step-by-step-exchange-2007-to-2013-migration.aspx

Thanks

Sathish Veerapandian

Configure new UM Dial Plan and UM IP Gateway in Exchange 2013

UM server is the one  that provides Voice Mail, Outlook Voice Access and other Exchange voice features. Integrating the UM functionality along with the existing telephony system or lync is one of the challenging role that admin would face. Planning should be done properly according to the enterprise voice plan which is used in the organization.

As we know from Exchange 2013 there is no separate role for UM. Their services are running in CAS server and Mailbox server and below are the list of services that are handling  UM processes.

Microsoft Exchange Unified Messaging Call Router service

Routes the incoming SIP traffic from Lync server or any other IP-PBX or SBC which sends only SIP traffic. This traffic can come from a VoIP gateway, Session Border Controller (SBC), PBX or IP PBX. . Any media traffic sent to the Client Access servers would be redirected to a Mailbox server since the Client access servers are not capable of handling RTP and SRTP media traffics.

Microsoft Exchange Unified Messaging service

This service handles the initial Session Initiation Protocol (SIP) traffic from the Lync server when voicemails are left with the Unified Messaging service. It accepts the connection on port 5061 or 5060 (depending on whether your configuration is secured or unsecured) and then redirects it to the worker process on port 5065 or 5066. This service does not do any media conversion.

Microsoft Exchange Unified Messaging Worker Process

The worker process receives SIP requests only on port 5065 or 5066, which means the actual media conversion takes place there. It does the following:

1) Registers the process with Unified Communications Managed API 4.0 and converts all the required information for media processing for the SRTP and RTP protocols.

2) Initializes Simple Mail Transfer Protocol (SMTP) message submission and submits the voice message to the mailbox of the UM-enabled user.

In this article we will look at the steps to configure UM and to integrate it with Lync or an existing telephone system in Exchange 2013.

Open EAC, click Unified Messaging and select UM dial plans as shown below.

Give it a name and provide the extension length that users need, along with the subscriber access number to be used by Enterprise Voice users.

Select the dial plan type according to the Lync, IP-PBX or SBC settings you have.

Select the VoIP security mode according to your enterprise voice plan settings.

Select the appropriate country/region and click Save.

Once finished, click Save and select Configure the dial codes.

Specify the codes according to your requirements.

Configure Outlook Voice Access as required.

Select Settings and configure the options for searching names when users are directed to the voice mailbox.

Configure the transfer and search options.

Configure the transfer and search options according to your requirements and click Save. We are done with the dial plan.

Now we need to create a new UM IP gateway.

Things to consider before we create a new UM IP gateway:

Run ExchUcUtil.ps1 and OcsUmUtil.exe only if you do not have any IP-PBX or SBC and you are going to integrate your UM functionality with a Lync or OCS pool. If you have multiple dial plans associated with different enterprise voice plans, plan accordingly.

If you plan to integrate with a Lync pool, run ExchUcUtil.ps1 on all Exchange Mailbox servers.

Note: The ExchUcUtil.ps1 script creates one or more UM IP gateways for Lync integration. You must disable outgoing calls on all UM IP gateways except one gateway that the script created. This includes disabling outgoing calls on UM IP gateways that were created before you ran the script.

Run OcsUmUtil.exe on the Lync server.

OcsUmUtil.exe creates contact objects for each auto attendant and subscriber access number to be used by Enterprise Voice users.

It also verifies that the name of each Enterprise Voice dial plan matches its corresponding unified messaging (UM) dial plan phone context. This matching is necessary only if the UM dial plan is running on a version of Exchange earlier than Exchange 2010 Service Pack 1 (SP1).

If you are going to integrate UM with an IP-PBX or SBC directly, you can skip the above step.

Now we need to create a new UM IP gateway.

Open EAC, click Unified Messaging and select New UM IP gateway.

Give the IP gateway a name.

In the Address field, give the FQDN or the IP address of the SBC or IP-PBX that you have.

Note: When you specify the FQDN of the IP-PBX or SBC, you need to create a host A record for it in DNS and map it to its IP address.

Now select the associated dial plan that you need.

Now enable the options Allow outgoing calls and Allow message waiting indicator. Also set a forwarding address if you need one.

Click Save, and we are done configuring the UM dial plan and UM IP gateway in Exchange 2013.
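As an added example that is not part of the original post, the same dial plan and gateway created from the Exchange Management Shell, followed by the rule from the ExchUcUtil.ps1 note above (outgoing calls allowed on one gateway only, including gateways that already existed); the names, digit length, country code and SBC address are assumed placeholders.

```powershell
# Added example, not from the original post. All values below are assumed.
$dialPlanName = 'HQ-SIP-DialPlan'
$gatewayName  = 'HQ-SBC01'
$gatewayFqdn  = 'sbc01.corp.example.com'   # assumed; needs a host A record in DNS

# Dial plan: SIP URI type for Lync, 4-digit extensions, TLS + SRTP (Secured).
# For a plain IP-PBX use -URIType TelExtn and the VoIP security your PBX supports.
New-UMDialPlan -Name $dialPlanName `
    -URIType SipName `
    -NumberOfDigitsInExtension 4 `
    -VoIPSecurity Secured `
    -CountryOrRegionCode 1 | Out-Null

# Gateway pointing at the SBC / IP-PBX, associated with the plan.
New-UMIPGateway -Name $gatewayName -Address $gatewayFqdn -UMDialPlan $dialPlanName | Out-Null

# Outgoing calls and MWI on this gateway; no forwarding address in this example.
Set-UMIPGateway -Identity $gatewayName `
    -OutcallsAllowed $true `
    -MessageWaitingIndicatorAllowed $true

# Enforce "exactly one gateway may place outgoing calls": switch outcalls off on
# every other gateway, including any that ExchUcUtil.ps1 created earlier.
Get-UMIPGateway |
    Where-Object { $_.Name -ne $gatewayName -and $_.OutcallsAllowed } |
    ForEach-Object {
        Write-Host "Disabling outgoing calls on UM IP gateway $($_.Name)"
        Set-UMIPGateway -Identity $_.Identity -OutcallsAllowed $false
    }

# Verify: every gateway with its call-control settings on one screen.
Get-UMIPGateway |
    Format-Table Name, Address, Status, OutcallsAllowed, MessageWaitingIndicatorAllowed -AutoSize
```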

Note: Unified Messaging requires enterprise CAL licensing.

There is no mandatory requirement for a public UM certificate. The UM certificate can be internal, as you do not need to publish this service to the outside world: clients connect to it via Lync, so the communications are all internal in that respect.


Cheers

Sathish Veerapandian

Configure Text Messaging Delivery in Exchange 2013

Using the text messaging delivery option, we can route text messages to users' mobile phones and notify them whenever a new email or meeting request reaches the user's mailbox.

In this article we will look at the steps to configure text messaging in Exchange 2013.

First, let's look at the functionality and the components involved in the text messaging delivery option.

Exchange first stamps the text message with the local email address phonenumber@domain.com in the categorizer, for each user who has this option enabled.

Text messaging delivery works on two transport agents that act during message categorization:

  • Text Messaging Routing Agent
  • Text Messaging Delivery Agent

These two agents work with the help of a dedicated connector, DeliveryAgentConnector, which exists for this functionality and is enabled by default from Exchange 2010 onwards.

We can see this connector by running the command below:

Get-DeliveryAgentConnector | fl

Once the two transport agents have processed an email for a user whose messages need to reach their mobile device, they hand the job over to EWS. EWS checks the TextMessagingEnabled parameter on the OWA virtual directory. If it is enabled, the text message is transferred via EWS to the public IP address of the user's telephone service provider, which delivers it to the user as a message notification.

Below are the steps to configure the text messaging delivery option.

The first step is to check whether the text messaging option is enabled on the CAS server OWA virtual directory.

Run the command below to check whether it is enabled:

Get-OwaVirtualDirectory | Ft Server,TextMessagingEnabled

To enable text messaging on all CAS servers, run the command below:

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -TextMessagingEnabled $True

To disable text messaging on the CAS servers, run the command below:

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -TextMessagingEnabled $False

Now we need to ensure the transport agents are enabled; only then will the text messaging option work.

Run the command below to check whether both agents are enabled:

Get-TransportAgent

If you find them disabled, run the commands below to enable them:

Enable-TransportAgent -Identity "Text Messaging Routing Agent"

Enable-TransportAgent -Identity "Text Messaging Delivery Agent"

Now run the command below to check that the delivery agent connector is enabled, and ensure that the MOBILE delivery protocol is enabled.

Get-DeliveryAgentConnector | fl

We are done with the configuration on the server side. Now we need to enable this option for the end user through OWA. Follow the steps below.
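As an added example (not from the original post), the three server-side checks above combined into one readiness script that reports each problem and, when run with -Fix, corrects it using the same cmdlets:

```powershell
# Added example, not from the original post: server-side readiness check for
# text messaging delivery. Run without -Fix to audit, with -Fix to remediate.
param([switch]$Fix)

$problems = 0

# 1. Every OWA virtual directory must have TextMessagingEnabled.
foreach ($vdir in Get-OwaVirtualDirectory) {
    if (-not $vdir.TextMessagingEnabled) {
        $problems++
        Write-Warning "$($vdir.Server): TextMessagingEnabled is False"
        if ($Fix) { Set-OwaVirtualDirectory -Identity $vdir.Identity -TextMessagingEnabled $true }
    }
}

# 2. Both categorizer agents must be present and enabled.
foreach ($name in 'Text Messaging Routing Agent', 'Text Messaging Delivery Agent') {
    $agent = Get-TransportAgent -Identity $name -ErrorAction SilentlyContinue
    if (-not $agent) { $problems++; Write-Warning "$name is not installed"; continue }
    if (-not $agent.Enabled) {
        $problems++
        Write-Warning "$name is disabled"
        if ($Fix) { Enable-TransportAgent -Identity $name }
    }
}

# 3. A delivery agent connector using the MOBILE protocol must exist and be enabled.
$conn = Get-DeliveryAgentConnector | Where-Object { $_.DeliveryProtocol -eq 'MOBILE' }
if (-not $conn) {
    $problems++
    Write-Warning 'No delivery agent connector with DeliveryProtocol MOBILE found'
} elseif (-not $conn.Enabled) {
    $problems++
    Write-Warning "$($conn.Name) is disabled"
    if ($Fix) { Set-DeliveryAgentConnector -Identity $conn.Identity -Enabled $true }
}

if ($problems -eq 0) { Write-Host 'Text messaging delivery: server side OK' }
else { Write-Host "$problems problem(s) found$(if ($Fix) { ' (fixed where possible)' })" }
```

Re-run without -Fix afterwards; a clean run is the state the end-user OWA steps below depend on.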


Log on to Outlook Web App as the user for whom we need to enable this functionality and click Options.

Now click Phone and then Text messaging.

Select the Turn on notifications option.

Choose the mobile operator locale.

Choose the mobile operator.

Enter the phone number.

Enter the passcode sent to your mobile.

Click Finish, and we are done configuring text messaging notifications for the user.

Note:

The end user will be charged by their mobile operator for each and every notification received on the mobile device.

Thanks
Sathish Veerapandian

Migrate from Lotus notes to Office 365 with Quest Co-Existence Manager

With Microsoft Office 365 becoming a hugely successful product, most organizations prefer to move their messaging systems to Office 365, or to run a hybrid coexistence setup with their on-premises environment.

In this article we will look at the readiness work needed to prepare the Lotus Notes environment for a successful migration from Lotus Notes to Microsoft Office 365.

First we need to prepare the readiness before we move all users to the Office 365 cloud, since the two messaging systems are entirely different (for example, Notes uses mail-in databases and routing mailboxes, while Exchange has mailboxes and connectors), and we need a way for these two systems to interact until the migration is complete.

We need a mediator that can interact with both messaging systems. There are multiple third-party solutions that can do this.

There is a Microsoft tool called Microsoft Notes Online Inspector. An article written about it can be found below:

http://www.v-and-m.com/vmhomepage.nsf/Content/Microsoft’s+%22Secret%22+Mail+Migration+Tool+?OpenDocument

You can also use the Microsoft-recommended third-party migration partners below:

1) Quest Coexistence Manager

2) Full Armor

3) Binary Tree Co-Existence

4) CASAHL Technology

In this article we will look at the components, functionality and readiness needed to migrate with Quest Coexistence Manager.

Overview of Quest Coexistence Manager

Quest Coexistence Manager is a product of Quest Software used for migrating from Lotus Notes to Microsoft messaging platforms and Office 365.

What does this software do?

It integrates Notes and the Microsoft Exchange platform and creates a pipeline between them.

By doing this:

  • We get effective coexistence between the Lotus Notes and Exchange platforms.
  • We can transfer the messaging system smoothly from Lotus Notes to the Microsoft messaging platform without any hassle.

Basically this software consists of 3 roles, which we can also call components:

  • Directory Co-Existence
  • Mail Co-Existence
  • Free/Busy Co-Existence

These are the same 3 components we had in the Microsoft Exchange Transport Suite, the legacy Microsoft tool used to migrate from Notes to Exchange 2007.

Below is the functionality of these 3 roles.

Directory Coexistence Role:

Updates the directory data between the Domino directory and Microsoft Active Directory, or Microsoft Azure directory if it is Office 365.

This role keeps the user and group data in the two different directories (the Domino directory, and Microsoft Active Directory on premises or Microsoft Azure for Office 365) consistent. In an organization new people join and people resign, so this information should be reflected in the Office 365 Azure directory. The Directory Coexistence role provides bidirectional updates and keeps the directory information consistent.

Mail Co-Existence Role:

This role lets users communicate between the two different messaging platforms. It routes emails between non-migrated users' mail-in databases residing in Notes and the mailboxes present in the Microsoft Exchange server or Office 365 environment.

Free/Busy Co-Existence Role:

This role shares free/busy information between Notes and the Exchange on-premises/Office 365 environment.

QcalCON

QcalCON is a separate component of free/busy coexistence that needs to be installed on one of the Notes servers. Using this component, the Notes server routes calendar requests that need to go to the Exchange server, and vice versa.

Prerequisites:

We need to install these roles on separate hardware according to the number of users and the size of the environment.

If the organization has a small number of users, we can install all 3 roles together on a single server.

If the organization has a large number of users and Domino servers, we need to install the roles on separate servers for better synchronization.

These servers (Domino, Mail and Free/Busy) can be installed on Windows Server 2003 at minimum, up to Windows Server 2008 R2 SP1.

Hardware can be planned according to the size of the environment.

PowerShell version 2.0 at minimum is required on the F/B connector.

Source servers should be the following:

Supported Domino server versions

Versions: minimum 6.5.1 to maximum 8.5.3

Supported Notes server versions

Versions: minimum 6.5.1 to maximum 8.5.3

Target servers should be the following:

Exchange Server versions: minimum Exchange 2007 RTM, up to Microsoft Office 365

SQL Server required

We need a SQL Server, as Coexistence Manager uses SQL Server to store its configuration information.

Licensing Quest Software:

Quest Software sells licenses based on the number of users present in the environment. They provide a single license that can be applied to all of these roles.

Coexistence between Notes and Office 365

Direct coexistence between Notes and Office 365 is practically not possible. In this scenario we need a 2-step coexistence, for both migration and hybrid scenarios.

To achieve this, perform the following:

  • Create a local AD server to sync data between the Domino directory and Microsoft AD locally.
  • Install at least one local Exchange 2010 server with the 3 roles, which then synchronizes the data to Office 365 through ADFS.
  • Create ADFS and directory synchronization between the local AD server and Microsoft Azure Directory.
  • Configure the Hybrid Deployment Wizard on the on-premises Exchange server.
  • Choose IMAP as the migration type in the Hybrid Configuration Wizard, as migrations from non-Microsoft messaging platforms should be done only via IMAP migration.

Note: Migration from Notes to Office 365 takes longer than migration from on-premises Exchange to Office 365, because multiple components are involved and MAPI throttling might take place.

Once we have met the above prerequisites, we can migrate all users from Notes to Office 365 with the Quest software without any issues.

Thanks

Sathish Veerapandian