Unified Messaging

Technical Architecture of
Exchange Server 2007
Microsoft Corporation
Published: May 2007
Author: Microsoft Exchange Documentation Team
Microsoft .NET Framework Version 2.0, Microsoft Management Console (MMC) 3.0, Windows
PowerShell, Microsoft Active Directory; applies to all server roles except for Edge Transport
and Active Directory Application Mode (ADAM) SP1; applies to Edge Transport server role.
Abstract
Microsoft Exchange Server 2007 introduces several architectural changes from previous
versions of Exchange Server. This document provides descriptions and overviews of server
roles, topologies, and the transport architecture for Exchange 2007.
Important:
This document is a compilation of Exchange Server 2007 Help topics and is provided
as a convenience for customers who want to view the topics in print format. To read the
most up-to-date technical architecture topics, visit the Exchange Server 2007 Library.
Information in this document, including URL and other Internet Web site references, is subject
to change without notice. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced
into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows Media, Windows Mobile, Windows NT, Windows
PowerShell, Windows Server, Windows Vista, Active Directory, ActiveSync, Excel, Forefront,
Internet Explorer, Outlook, SharePoint, SmartScreen, and Visual Basic are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Technical Architecture of
Exchange Server 2007..........................................................................................................1
Contents...................................................................................................................................3
Technical Architecture of Exchange Server 2007.....................................................................17
Exchange Server 2007: Platforms, Editions, and Versions.......................................................17
32-Bit vs. 64-Bit Version.......................................................................................................18
Exchange 2007 and Virtualization........................................................................................19
Exchange 2007 and Longhorn Server..................................................................................19
Evaluations and Product Keys.............................................................................................20
What's Missing from the 32-bit Version.................................................................................20
Final Build - Versioning........................................................................................................20
Server Roles...........................................................................................................................21
Overview of Server Roles....................................................................................................21
Client Access..........................................................................................................................22
Outlook Web Access............................................................................................................23
Exchange ActiveSync..........................................................................................................23
POP3 and IMAP..................................................................................................................24
The Availability Service........................................................................................................24
The Autodiscover Service....................................................................................................24
Overview of Client Access Server Security..............................................................................24
Overview of SSL for Client Access Servers..........................................................................25
Overview of Using ISA Server 2006 for Client Access..........................................................25
Configuring ISA Server 2006 for Exchange Client Access........................................................26
ISA Server 2006 and Exchange 2007...................................................................................26
Benefits of Using ISA Server 2006 with Exchange 2007.......................................................26
New Exchange Publishing Rule Wizard...............................................................................28
Understanding SSL for Client Access Servers.........................................................................29
Overview of Digital Certificates............................................................................................29
Types of Certificates............................................................................................................30
Choosing a Certificate Type.................................................................................................32
Overview of Exchange ActiveSync..........................................................................................33
Overview of Exchange ActiveSync.......................................................................................33
New Features in Exchange ActiveSync................................................................................33
Managing Exchange ActiveSync..........................................................................................34
Understanding Direct Push......................................................................................................35
Overview..............................................................................................................................36
Understanding Exchange ActiveSync Mailbox Policies............................................................39
Overview..............................................................................................................................39
Exchange ActiveSync Mailbox Policy Examples...................................................................42
Understanding Remote Device Wipe.......................................................................................43
Overview..............................................................................................................................43
Understanding Exchange ActiveSync Autodiscover.................................................................44
Overview of Autodiscover with Exchange ActiveSync...........................................................45
Understanding Mobile Device Connectivity..............................................................................46
Cellular Connectivity............................................................................................................46
Wireless Connectivity...........................................................................................................47
Understanding Mobile Devices................................................................................................47
Exchange ActiveSync Enabled Devices...............................................................................47
Devices Enabled for Exchange ActiveSync..........................................................................48
Overview of POP3 and IMAP4................................................................................................50
POP3 and IMAP4 Protocols.................................................................................................51
Managing POP3/IMAP4 Features........................................................................................51
Overview of Outlook Web Access............................................................................................51
Overview of Outlook Web Access........................................................................................51
Managing Outlook Web Access............................................................................................52
Overview of Outlook Anywhere................................................................................................52
Outlook Anywhere and Exchange 2007................................................................................52
Benefits of Using Outlook Anywhere....................................................................................52
Deploying Outlook Anywhere...............................................................................................53
Managing Outlook Anywhere...............................................................................................53
Coexistence.........................................................................................................................54
Recommendations for Outlook Anywhere................................................................................54
Using Your Own Certification Authority.................................................................................55
Overview of the Autodiscover Service......................................................................................55
Outlook 2007 and Autodiscover...........................................................................................56
How the Autodiscover Service Works...................................................................................56
Deployment Options for the Autodiscover Service................................................................58
Deployment Considerations for the Autodiscover Service........................................................59
Autodiscover Service Topology Requirements......................................................................59
Connecting to the Autodiscover Service from the Internet....................................................59
Configuring the Autodiscover Service to Use Site Affinity for Internal Communication..........61
Configuring the Autodiscover Service for Multiple Forests....................................................63
Hosted Environments and the Autodiscover Service............................................................64
Autodiscover Security..........................................................................................................65
Understanding Proxying and Redirection.................................................................................66
Overview of Proxying...........................................................................................................67
Overview of Redirection.......................................................................................................71
Proxying with Network Load Balancing................................................................................74
Summary of Client Access Methods.....................................................................................77
Proxying Performance and Scalability..................................................................................78
Edge Transport........................................................................................................................79
Mail Flow.............................................................................................................................79
Anti-Spam and Antivirus Functionality..................................................................................80
Messaging Policy and Compliance.......................................................................................80
Hub Transport.........................................................................................................................81
Transport Policy and Compliance.........................................................................................82
Mailbox...................................................................................................................................83
Mailbox Server Interactions..................................................................................................83
Understanding Recipients.......................................................................................................86
Exchange 2007 Recipient Types..........................................................................................86
Understanding Recipient Restrictions......................................................................................96
Message Size Restrictions...................................................................................................96
Message Delivery Restrictions.............................................................................................98
Maximum Recipients per Message Restrictions...................................................................99
Mailbox Size Restrictions.....................................................................................................99
Understanding Recipient Scope............................................................................................101
Recommendations for Working with Recipient Scope.........................................................102
Setting the Recipient Scope...............................................................................................103
Understanding Disconnected Mailboxes................................................................................106
Working with Disconnected Mailboxes...............................................................................107
Understanding Offline Address Books...................................................................................109
Outlook Clients and OAB Version.......................................................................................110
OAB Distribution Methods..................................................................................................111
OAB Considerations...........................................................................................................117
Understanding Address Lists.................................................................................................118
Default Address Lists..........................................................................................................119
Custom Address Lists........................................................................................................120
Best Practices for Creating Address Lists...........................................................................121
Improvements in Exchange 2007.......................................................................................121
Understanding E-Mail Address Policies.................................................................................122
Improvements in Exchange 2007.......................................................................................123
Understanding Exchange Search..........................................................................................124
Improvements Over Exchange Server 2003 Content Indexing...........................................125
Exchange Search and Attachments...................................................................................125
Difference Between Exchange Search and Exchange Store Search..................................126
Differences Between Using Outlook Online Mode and Cached Exchange Mode Search....126
Exchange Search and Localization....................................................................................127
Scenarios Where Exchange Search Could Return Unexpected Results.............................127
Understanding the Availability Service...................................................................................128
Improvements Over Exchange 2003 Free and Busy..........................................................130
Out-of-Office Information....................................................................................................131
Performance......................................................................................................................132
Distribution Group Handling...............................................................................................132
Availability Service API.......................................................................................................133
Understanding Quota Messages...........................................................................................133
Storage Quotas..................................................................................................................133
Quota Messages................................................................................................................134
Understanding the Exchange 2007 Store..............................................................................136
Storage Features in Exchange 2007 Enterprise and Standard Editions..............................137
Logical Components of the Exchange Store..........................................................................138
Storage groups..................................................................................................................139
Mailbox Databases............................................................................................................139
Public Folder Databases....................................................................................................140
File Structure of the Exchange Store.....................................................................................140
Storage Group Files...........................................................................................................140
Recommendations for Configuring Storage Groups and Databases......................................143
Recommended Database Sizing........................................................................................143
Recommended Databases per Storage Group...................................................................143
Recommended Disk Configuration.....................................................................................144
Understanding Transaction Logging......................................................................................145
Exchange Transaction Logging..........................................................................................145
Lost Log Resilience and Transaction Log Activity in Exchange 2007.....................................148
Lost Log Resiliency............................................................................................................149
Transaction Log Roll..........................................................................................................149
Extensible Storage Engine Architecture.................................................................................150
Transactions......................................................................................................................151
ACID Transactions.............................................................................................................151
The Version Store..............................................................................................................152
Snapshot Isolation.............................................................................................................152
ESE Database Structure....................................................................................................153
Database Pages................................................................................................................153
ECC Checksum.................................................................................................................154
Database Consistency and -1018 Errors............................................................................154
Database Tree Balancing...................................................................................................155
Split...................................................................................................................................156
Merge................................................................................................................................156
Fan-Out.............................................................................................................................157
Indexes..............................................................................................................................157
Long-Values.......................................................................................................................157
Record Format...................................................................................................................158
Column Data Types............................................................................................................158
Fixed and Variable Columns..............................................................................................159
Tagged Columns................................................................................................................159
Understanding Public Folders................................................................................................160
Creation of the Public Folder Database During Setup........................................................160
Public Folder Management................................................................................................161
Public Folder Trees............................................................................................................161
Public Folder Replication...................................................................................................162
Mail-Enabled Public Folders...............................................................................................163
Considerations with Mixed Exchange 2007 and Exchange 2003 Organizations.................163
Best Practices....................................................................................................................165
Understanding Messaging Records Management.................................................................167
Messaging Records Management Strategy........................................................................168
Unified Messaging.................................................................................................................170
Unified Messaging Architecture.............................................................................................173
Overview of Unified Messaging Services............................................................................173
Service Ports.....................................................................................................................175
Unified Messaging Services...............................................................................................176
Overview of Telephony Concepts and Components...............................................................179
Overview............................................................................................................................179
Concepts and Components................................................................................................180
Circuit-Switched Networks.................................................................................................180
Packet-Switched Networks.................................................................................................181
PBX...................................................................................................................................182
IP/PBX...............................................................................................................................183
VoIP...................................................................................................................................183
IP/VoIP Gateways..............................................................................................................183
Understanding Protocols, Ports, and Services in Unified Messaging.....................................184
UM Protocols and Services................................................................................................184
Port Assignments...............................................................................................................186
Understanding PBX and IP/PBX Configurations....................................................................187
Overview of Telephony Systems........................................................................................187
Legacy and Traditional PBX Configurations.......................................................................190
IP/PBX Configurations.......................................................................................................192
Calling or Called Party Identification...................................................................................194
Overview of Unified Messaging Components........................................................................196
Active Directory Unified Messaging Objects.......................................................................197
Auto Attendants.................................................................................................................197
Subscriber Access.............................................................................................................198
Understanding Unified Messaging Incoming Call Handling....................................................199
Overview............................................................................................................................199
Voice Calls.........................................................................................................................199
Fax Calls............................................................................................................................200
Outlook Voice Access.........................................................................................................200
The Play on Phone Feature...............................................................................................201
UM Auto Attendants...........................................................................................................201
Understanding Unified Messaging Subscriber Access...........................................................202
Subscriber Access.............................................................................................................202
Outlook Voice Access.........................................................................................................203
Understanding Unified Messaging Audio Prompts.................................................................206
Overview of Audio Prompts and Greetings.........................................................................206
System Prompts.................................................................................................................208
UM Dial Plan Greetings and Announcements.....................................................................208
UM Auto Attendant Greetings, Announcements, and Menu Prompts..................................209
Customizing Greetings, Announcements, and Menu Prompts............................................211
Understanding Unified Messaging Audio Codecs..................................................................212
UM Audio Codecs..............................................................................................................212
UM Message Sizing...........................................................................................................213
Understanding Custom Prompt Distribution...........................................................................215
Overview............................................................................................................................215
Architecture........................................................................................................................216
Changing the Prompt Publishing Point...............................................................................219
Understanding Unified Messaging Languages.......................................................................220
UM Language Packs..........................................................................................................220
UM Language Components and Features..........................................................................222
Unified Messaging Languages...........................................................................................224
Understanding Automatic Speech Recognition Directory Lookups.........................................226
Overview of Grammar Files................................................................................................227
Default Grammar Files.......................................................................................................227
Grammar Generation.........................................................................................................229
Customizing Grammar Files...............................................................................................234
Understanding the DTMF Interface........................................................................................235
DTMF Overview.................................................................................................................235
UM Dial Plans and Dial by Name.......................................................................................236
DTMF Maps.......................................................................................................................237
DTMF Maps for Users Who Are Not Enabled for UM..........................................................237
DTMF Maps for Users Who Are Enabled for UM................................................................239
Understanding Storage Quotas and Voice Mail......................................................................240
UM Dial Plans....................................................................................................................240
Storage Quotas..................................................................................................................241
Voice Mail Delivery.............................................................................................................242
Understanding Unified Messaging VoIP Security...................................................................244
Protecting Unified Messaging.............................................................................................245
Types of Certificates..........................................................................................................248
Configuring MTLS..............................................................................................................252
IPsec.................................................................................................................................253
UM Dial Plans and VoIP Security.......................................................................................254
How UM Determines Security Mode and Selects Certificates.............................................256
Understanding Faxing in Unified Messaging..........................................................................257
Overview of Faxing............................................................................................................258
Faxing with Unified Messaging...........................................................................................263
Faxing Configuration Options.............................................................................................265
Journaling UM Fax Messages............................................................................................269
Understanding Operator Transfers in Unified Messaging.......................................................270
Overview of Operators in Unified Messaging......................................................................270
Dial Plan Operators............................................................................................................272
Auto Attendant Operators...................................................................................................275
Personal Operators............................................................................................................280
Understanding Outdialing......................................................................................................281
Overview............................................................................................................................281
Outdialing Settings.............................................................................................................284
Configuring Outdialing........................................................................................................287
Applying Configured Dialing Rule Groups..........................................................................289
Understanding Dial Codes, Number Prefixes and Formats....................................................291
Overview............................................................................................................................291
Outside Line Access Code.................................................................................................295
National Number Prefix......................................................................................................295
In-Country/Region Access Code........................................................................................295
International Access Code..................................................................................................296
In-Country/Region and International Number Formats........................................................296
Overview of Unified Messaging Active Directory Objects.......................................................297
UM Active Directory Objects...............................................................................................297
Understanding Unified Messaging Hunt Groups....................................................................299
What is a Hunt Group?.......................................................................................................299
Pilot Number......................................................................................................................300
UM Hunt Groups................................................................................................................300
Understanding Unified Messaging Auto Attendants................................................................301
Auto Attendants.................................................................................................................301
UM Auto Attendants...........................................................................................................302
Auto Attendant with Multiple Languages.............................................................................303
Auto Attendant Examples...................................................................................................304
Understanding Unified Messaging Dial Plans........................................................................306
Overview of UM Dial Plans.................................................................................................307
How Dial Plans Work.........................................................................................................309
Outlook Voice Access.........................................................................................................309
Understanding Unified Messaging IP Gateways....................................................................310
Overview of IP/VoIP Gateways...........................................................................................310
IP Gateway Objects............................................................................................................311
Enabling and Disabling UM IP Gateways...........................................................................312
Understanding Unified Messaging Mailbox Policies...............................................................312
UM Mailbox Policies...........................................................................................................312
Unified Messaging Policy Examples...................................................................................313
Understanding Unified Messaging Servers............................................................................314
Computer Objects..............................................................................................................314
Server Operation................................................................................................................315
Understanding Unified Messaging Users...............................................................................316
User UM Properties...........................................................................................................317
The Relationship of the UM User to Other Active Directory Objects....................................317
Overview of the Unified Messaging Call Processing..............................................................318
Incoming Calls Overview....................................................................................................318
Message Flow....................................................................................................................319
Unified Messaging Voice and Fax Call Processing................................................................320
Voice and Fax Incoming Messages....................................................................................320
Unified Messaging Outlook Voice Access Call Processing.....................................................322
Outlook Voice Access.........................................................................................................322
Outlook Voice Access Message Flow.................................................................................322
Unified Messaging Auto Attendant Call Processing................................................................324
UM Auto Attendants...........................................................................................................324
Auto Attendant Message Flow............................................................................................324
Unified Messaging Play on Phone Call Processing................................................................326
Play on Phone...................................................................................................................326
Overview of Unified Messaging Server Topologies................................................................328
Unified Messaging Topology That Has a Single PBX..........................................................328
Unified Messaging Topology That Has Multiple PBXs.........................................................329
Services Installed by Exchange Setup...................................................................................331
Topologies.............................................................................................................................342
Exchange Delivery Locations.............................................................................................342
Exchange Topology Layers................................................................................................343
Logical Topologies.................................................................................................................344
Core Logical Topologies.....................................................................................................345
Physical Topologies...............................................................................................................346
Centralized vs. Distributed Messaging Systems.................................................................346
Characteristics of a Centralized Messaging System...........................................................347
Important Considerations...................................................................................................347
Characteristics of a Distributed Messaging System............................................................348
Important Considerations...................................................................................................349
Active Directory Forest Topologies........................................................................................350
Active Directory Forests.....................................................................................................350
Active Directory Domains...................................................................................................355
Active Directory Sites.........................................................................................................355
Active Directory Deployment Scenarios.............................................................................356
Organization Topologies........................................................................................................358
Network Layer of an Exchange Topology...........................................................................358
Active Directory Layer of an Exchange Topology................................................................360
Exchange Layer of an Exchange Topology.........................................................................363
Exchange Organization Topology Definitions......................................................................364
Transport Architecture...........................................................................................................365
Understanding Active Directory Site-Based Routing..............................................................369
Overview of Message Routing in Exchange 2007...............................................................369
Intra-organizational Routing Components..........................................................................372
Active Directory Sites.........................................................................................................374
IP Site Links.......................................................................................................................376
Exchange 2007 Routing Tables..........................................................................................380
Determining the Ultimate Destination.................................................................................382
Determining the Least Cost Routing Path...........................................................................384
Next Hop Selection............................................................................................................386
Rerouting and the Unreachable Queue..............................................................................396
Message Routing in a Coexistence Environment...................................................................397
Routing Changes...............................................................................................................397
Introducing the First Exchange 2007 Server.......................................................................398
Creating Additional Routing Group Connectors..................................................................399
Coexistence and Link State................................................................................................400
SMTP Connectors..............................................................................................................401
Anti-Spam and Antivirus Functionality....................................................................................403
Anti-Spam and Antivirus Filters..........................................................................................404
Anti-Spam Stamps.............................................................................................................406
Microsoft Update for Anti-Spam Services...........................................................................406
Using Exchange Hosted Services......................................................................................407
Anti-Spam Stamps................................................................................................................408
Viewing the Anti-Spam Stamps..........................................................................................408
Anti-Spam Report..............................................................................................................408
Phishing Confidence Level Stamp......................................................................................413
Spam Confidence Level Stamp..........................................................................................413
Sender ID Stamp...............................................................................................................414
Attachment Filtering..............................................................................................................415
Types of Attachment Filtering in Exchange 2007................................................................415
File Filtering by Using Forefront Security for Exchange Server...........................................416
Connection Filtering..............................................................................................................417
IP Allow Lists and IP Block Lists.........................................................................................418
Content Filtering....................................................................................................................421
Using the Content Filter Agent...........................................................................................422
Recipient Filtering..................................................................................................................424
Recipient Data Sources.....................................................................................................426
Tarpitting Functionality.......................................................................................................426
Multiple Namespaces.........................................................................................................427
Sender Filtering.....................................................................................................................428
Sender ID..............................................................................................................................429
Using Sender ID to Combat Spoofing.................................................................................429
Sender Reputation................................................................................................................431
Calculation of the Sender Reputation Level........................................................................431
Use of the SRL..................................................................................................................434
Safelist Aggregation..............................................................................................................435
Information Stored in the Outlook User's Safelist Collection...............................................435
How Exchange Uses the Safelist Collection.......................................................................436
Hashing of Safelist Collection Entries.................................................................................436
Enabling Safelist Aggregation............................................................................................437
Adjusting the Spam Confidence Level Threshold...................................................................438
SCL Threshold Actions in Exchange 2007..........................................................................439
Best Practice for Setting Up and Adjusting SCL Thresholds...............................................440
Spam Quarantine..................................................................................................................441
Spam Confidence Level.....................................................................................................441
Using Spam Quarantine.....................................................................................................442
Using Exchange Hosted Services......................................................................................443
Understanding Anti-Spam and Antivirus Mail Flow.................................................................443
Connection Filtering...........................................................................................................447
Sender Filtering.................................................................................................................449
Recipient Filtering..............................................................................................................449
Sender ID Filtering.............................................................................................................450
Content Filtering.................................................................................................................452
Attachment Filtering...........................................................................................................453
Antivirus Scanning.............................................................................................................454
Outlook Junk E-mail Filtering.............................................................................................455
Configuring Anti-Spam Features to Reduce the Volume of Spam..........................................456
Strategy.............................................................................................................................456
Anti-Spam Updates...............................................................................................................458
Manual Updates.................................................................................................................459
Automatic Updates.............................................................................................................459
Planning Antivirus Deployment..............................................................................................459
Running Antivirus Software on Edge Transport and Hub Transport Servers.......................460
Running Antivirus Software on Other Computers in the Organization.................................460
Using Exchange Hosted Services......................................................................................462
Transport Policy and Compliance Agents..............................................................................462
Using Exchange Hosted Services......................................................................................463
Understanding How Transport Rules Are Applied in an Exchange 2007 Organization............463
Transport Rule Scope........................................................................................................464
Transport Rule Replication.................................................................................................464
Predicates..........................................................................................................................465
Actions...............................................................................................................................467
Understanding Ethical Walls..................................................................................................467
Understanding Attorney-Client Privileged Communication.....................................................467
Understanding Journal Reports.............................................................................................468
What is a Journal Report?..................................................................................................468
Journal Report Fields.........................................................................................................468
Examples of Journal Reports.............................................................................................473
Protecting Journal Reports....................................................................................................475
Protecting Journal Reports Sent Inside an Exchange 2007 Organization...........................476
Protecting Journal Reports Sent to Third-Party Solution Providers.....................................476
Understanding How to Manage Journal Reports....................................................................477
Journaling Mailbox Size.....................................................................................................478
Alternate Journaling Mailbox..............................................................................................478
Understanding Journaling in a Mixed Exchange Server 2003 and Exchange Server 2007
Environment.......................................................................................................................480
Journaling in Exchange 2003.............................................................................................480
Journaling in Exchange 2007.............................................................................................480
How Exchange 2003 and Exchange 2007 Identify Journal Reports and Journaled Messages
.......................................................................................................................................481
Exchange 2003 and Exchange 2007 Journaling Interoperability.........................................482
Distribution Group Expansion.............................................................................................484
Understanding Edge Subscriptions........................................................................................486
Edge Subscription Process................................................................................................486
Resubscribing an Edge Transport Server...........................................................................491
Removing an Edge Subscription........................................................................................492
Adding an Edge Transport Server......................................................................................493
Adding or Removing a Hub Transport Server.....................................................................494
Verifying EdgeSync Results...............................................................................................494
EdgeSync Replication Data...................................................................................................495
Types of Data Replicated to ADAM....................................................................................496
Understanding the EdgeSync Synchronization Process........................................................501
Microsoft Exchange EdgeSync Service..............................................................................501
EdgeSync Synchronization Process...................................................................................502
Synchronization Schedule..................................................................................................504
EdgeSync and Send Connectors...........................................................................................505
Automatically Created Send Connectors............................................................................506
Manually Configuring Send Connectors.............................................................................510
Understanding Edge Subscription Credentials.......................................................................512
Edge Subscription Process................................................................................................513
EdgeSync Replication Accounts.........................................................................................514
Authenticating Initial Replication.........................................................................................516
Authenticating Scheduled Synchronization Sessions.........................................................517
Renewing EdgeSync Replication Accounts........................................................................518
Understanding Back Pressure...............................................................................................518
Options for Configuring Back Pressure..............................................................................519
How Back Pressure is Applied............................................................................................526
Back Pressure Logging Information....................................................................................529
Understanding Header Firewall.............................................................................................531
Custom Organization X-Headers and Forest X-Headers that Are Used in Exchange 2007. 531
Header Firewall for Organization X-Headers and Forest X-Headers...................................533
Header Firewall for Routing Headers.................................................................................539
Header Firewall and Earlier Versions of Exchange Server..................................................543
Understanding Content Conversion.......................................................................................546
Understanding the Structure of E-mail Messages...............................................................546
Exchange 2007 and Outlook Message Formats.................................................................550
Elements of Content Conversion........................................................................................553
Content Conversion Performed by the Store Driver............................................................555
TNEF Conversion Options.....................................................................................................555
TNEF Conversion Options for Messages That are Sent to Remote Domains.....................555
TNEF Conversion Options for Messages That are Sent to Mail Users and Mail Contacts...557
TNEF Conversion Options for Messages That are Available in Outlook..............................559
Order of Precedence for TNEF Conversion Options...........................................................561
Message Encoding Options...................................................................................................562
Message Encoding Options for Messages That are Sent to Remote Domains...................563
Message Encoding Options for Mail Users and Mail Contacts............................................566
Message Encoding Options That are Available in Outlook..................................................571
Order of Precedence for Message Encoding Options.........................................................574
Managing Content Conversion Tracing..................................................................................577
Configuring Content Conversion Tracing............................................................................577
How Content Conversion Tracing Works............................................................................578
Considerations for Content Conversion Tracing.................................................................579
Understanding Recipient Resolution......................................................................................580
17
Technical Architecture of Exchange Server
2007
Microsoft Exchange Server 2007 introduces several architectural changes from previous
versions of Exchange Server. Many features and components have been redesigned, some
features have been removed, and several new features have been added.
The following sections discuss Exchange 2007 architecture from an information technology (IT)
professional perspective:
•
Server Roles
•
Topologies
•
Transport Architecture
Architectural information for developers can be found in the Exchange 2007 Software
Development Kit (SDK).
Exchange Server 2007: Platforms, Editions,
and Versions
Microsoft Exchange Server 2007 is available in two server editions: the Standard Edition and
the Enterprise Edition. For more information about these editions including descriptions and
comparisons, see Exchange Server 2007 Editions and Client Access Licenses. As you can see
from the Exchange 2007 Edition Offerings table on that page, the primary differences are:
• Only the Enterprise edition can scale to 50 databases per server; the Standard edition
is limited to 5 databases per server.
• In a production environment, only the Enterprise edition is supported in a
Microsoft Windows failover cluster; the Standard edition is not supported in a
Windows failover cluster in production. Therefore, single copy clusters and cluster
continuous replication are only supported on the Enterprise Edition.
Even though Exchange 2007 comes in two edition offerings, these are licensing editions that
are defined by a product key. There is a single set of binary files for each platform (one for x64
systems and one for x86 systems), and the same binaries are used for both editions. When you
enter a valid, licensed product key, the supported edition for the server is established.
Product keys can be used for same edition key swaps and upgrades only, and they cannot be
used for downgrades. You can use a valid product key to go from the evaluation version (Trial
Edition) to either the Standard Edition or the Enterprise Edition; you can also use a valid
18
product key to go from the Standard Edition to the Enterprise Edition. You can also re-license
the server using the same edition product key. For example, if you had two Standard Edition
servers with two keys, but you accidentally used the same key on both servers, you can
change the key for one of them to be the other key that you were issued. You can take these
actions without having to reinstall or reconfigure anything. After you enter the product key and
restart the Microsoft Exchange Information Store service, the edition corresponding to that
product key will be reflected. However, you cannot use product keys to downgrade from the
Enterprise Edition to the Standard Edition, nor can you use them to revert to the Trial Edition.
These types of downgrades can only be done by uninstalling Exchange 2007, reinstalling
Exchange 2007, and entering in the correct product key.
Exchange 2007 also comes in two client access license (CAL) editions, which are also called
the Standard Edition and the Enterprise Edition. You can mix and match the server editions
with the CAL editions. For example, you can use Enterprise CALs against the Standard server
edition. Similarly, you can use Standard CALs against the Enterprise server edition. The
Enterprise CAL is an additive CAL, which means that you buy the Standard CAL, and then add
on an Enterprise CAL on top of it. An Enterprise CAL provides you with the features listed in the
last column of the Exchange 2007 CAL Offerings table. Note that, as that page says, some of
the listed features can only be purchased through a volume license program, and they are not
available as retail purchases. When you're ready to buy Exchange 2007, see How to Buy
Exchange Server 2007.
32-Bit vs. 64-Bit Version
Exchange 2007 is available in two platform versions: one platform version (the 64-bit version) is
for live production environments and the other platform version (the 32-bit version) is for nonproduction environments (such as labs, training facilities, demo, and evaluation environments).
Only the 64-bit version can be purchased because you cannot run 32-bit Exchange 2007
servers in production.
There are two exceptions with respect to production and non-production use of the 32-bit
platform because Microsoft does allow minimal supported use of the 32-bit version in
production environments. Specifically:
• You can use the 32-bit version in production to administer Exchange 2007 servers from
Windows Server 2003 or Windows XP. At this time, you cannot use either the 32-bit version
or the 64-bit version on Windows Vista, or on Microsoft Windows Server Code Name
"Longhorn". Support for Windows Vista and Windows Server Code Name "Longhorn" is
expected to be delivered in Service Pack 1 for Exchange 2007.
• You can use the 32-bit version in production to extend your Active Directory directory
service schema. For detailed steps to prepare Active Directory for Exchange 2007, see
How to Prepare Active Directory and Domains.
All other uses of the 32-bit version of Exchange 2007 in production environments are
unsupported.
19
Although the 64-bit version can be the Standard Edition or the Enterprise Edition, the 32-bit
version is always and only the Standard Edition. Single copy clusters (SCC) and cluster
continuous replication (CCR) are only supported in production on the Enterprise Edition of
Exchange 2007. However, Microsoft has made an exception in the 32-bit version code to allow
SCC and CCR to be used for non-production use on the 32-bit version, even though the 32-bit
version is the Standard Edition. This means that you can set up a 32-bit test lab for evaluating
or testing SCC and CCR. Because it's 32-bit, you can create the non-production environments
in a Microsoft Virtual Server environment for your lab or demos. See Video series - Exchange
2007 Cluster Continuous Replication (CCR) for a video demonstration of CCR that uses a
virtual environment.
Note:
You can also install Unified Messaging (UM) with the 32-bit version in a non-production
environment so that you can evaluate the UM-related features. For details about using
a software-based UM test phone to test or demo UM features, see Testing Unified
Messaging Server Functionality.
Exchange 2007 and Virtualization
Exchange 2007 is not supported in production in a virtual environment; however, as stated
above, Microsoft Virtual Server makes a great environment for training, labs, and demos.
Exchange 2007 is supported in production environments using only the 64-bit version of
Exchange 2007, and currently neither Microsoft Virtual Server nor Microsoft Virtual PC support
64-bit guest systems. Exchange 2007 is also not supported in production in a virtual
environment using non-Microsoft virtualization software. For details about the Microsoft support
policy for third-party virtualization software, see Microsoft Knowledge Base article 897615,
Support policy for Microsoft software running in non-Microsoft hardware virtualization software.
The first 64-bit guest support is expected to be included with Hypervisor, which is an add-on for
Windows Server Code Name "Longhorn" from Microsoft that is scheduled to ship within 180
days of Longhorn. Note that this is within 180 days, meaning it could ship the same day
as Longhorn, or it could ship 180 days after Longhorn ships. For more information about
Microsoft's virtualization plans, see the Microsoft Machine Virtualization Roadmap ChatTranscript.
Exchange 2007 and Longhorn Server
Exchange 2007 does not support Longhorn server, and Exchange 2007 cannot be installed on
Longhorn server. In addition, Exchange 2007 does not support Longhorn directory servers.
Active Directory sites with Longhorn directory servers must be isolated from
Active Directory sites that include Exchange 2007 servers. Support for Longhorn will arrive in a
future service pack for Exchange 2007.
20
Evaluations and Product Keys
When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed
(Trial Edition) servers appear as the Standard Edition, and they are not eligible for support from
Microsoft Product Support Services. The Trial Edition expires 120 days after the date of
installation. When you start the Exchange Management Console, if you have any unlicensed
Exchange 2007 servers in your organization, Exchange displays a list of all unlicensed
Exchange 2007 servers and the number of days that are remaining until the trial edition
expires. If you have expired unlicensed Exchange 2007 servers, you will also see a separate
warning for each expired server.
You can upgrade from the Trial Edition to the retail version by purchasing the appropriate
license(s) and by entering the product key that you get when you make the purchase. You can
find the product key on the Exchange 2007 DVD case. It's a 25-character alphanumeric string,
grouped in sets of five characters separated by hyphens. Step-by-step instructions for entering
your product key can be found in How to Enter the Product Key. These steps include
instructions for entering the key using either the Exchange Management Console or the
Exchange Management Shell. However, in the 32-bit version, there is no Exchange
Management Console interface for this because you can't purchase 32-bit licenses.
By using either the Exchange Management Console or the Exchange Management Shell, you
can see what edition you're running. By using the Exchange Management Shell, you can also
see how many days, hours, minutes, seconds, and yes, milliseconds, are left on the 120-day
trial period. Use the Get-ExchangeServer cmdlet, and look for the Edition and
RemainingTrialPeriod values.
What's Missing from the 32-bit Version
There are some things that are not available in the 32-bit version:
• Automatic anti-spam updates from Windows Update. Only a licensed 64-bit version
can get automatic anti-spam updates from Microsoft Update.
• Large numbers of storage groups and databases. You can have a maximum of 5
databases per server in as many as 5 storage groups on the 32-bit version.
Final Build - Versioning
The final RTM build of Exchange 2007 is build 685.25, but in some places it is listed as 685.24.
Both are correct, actually. When you view the version information in the Exchange
Management Console or examine the value of the AdminDisplayVersion property for
Exchange servers in the Exchange Management Shell, it shows the version as 685.24. When
you view the Exchange version information in the Windows registry, it shows 685.25. If you use
Microsoft Operations Manager, it also shows version 685.25, but if you view version information
in Microsoft Office Outlook, it shows 685.24.
21
An exception to this version mismatch problem is present on the Edge Transport server. That
will always and only display 685.25 for the version. This makes things interesting when looking
at several Exchange servers in the Exchange Management Console that include one or more
synchronized Edge Transport servers because the Version column will show both 685.24 (for
non-Edge Transport servers) and 685.25 (for Edge Transport servers).
Also, when you click Help | About Exchange Server 2007, you'll see a different version number
altogether: 685.018. This happens on all Exchange 2007 servers. These versioning
discrepancies are expected to be resolved in Service Pack 1 for Exchange 2007.
Finally, if you use the Get-ExchangeServer cmdlet and examine the ExchangeVersion
property, you'll notice yet another different version number: 0.1 (8.0.535.0). However, this
number does not refer to the version of an installed product, but rather it refers to the minimum
version of the product that can read the object. In this case, any Exchange server that is
version 8.0.535.0 or later can read this object because the last changes to this object's schema
were made in build 8.0.535.0.
Server Roles
In previous versions of Microsoft Exchange Server, administrators were offered limited choices
on what features could or could not be installed. For example, in Exchange Server 2003 and
Exchange 2000 Server, the setup process installed all features regardless of which features the
administrator planned to use. This behavior required the administrator to turn off or disable the
undesired features.
Because organizations tend to group their management tasks around a core set of server roles,
Exchange Server 2007 maps Exchange Server management to this more natural way of doing
things. System management in Exchange 2007 fundamentally shifts the administrative
experience for deploying and managing servers to focus on server roles.
Overview of Server Roles
A server role is a unit that logically groups the required features and components needed to
perform a specific function in the messaging environment. The requirement of a server role is
that it is a server that could be run as an atomic unit of scalability. A server role is composed of
a group of features.
Server roles, the primary unit of deployment, enable administrators to easily choose which
features are installed on an Exchange server. Logically grouping features in server roles offers
the following advantages:
•
Reduces attack surface on an Exchange server.
•
Allows you to install and configure an Exchange server the way you intend to use it.
22
• Offers a simple installation, and the ability to fully customize a server to support your
business goals and needs.
Exchange Server 2007 Server Roles
Exchange Server 2007 includes the following server roles:
• Mailbox Server This is a back-end server that can host mailboxes and public folders.
For more information about the Exchange 2007 Mailbox Server role, see Mailbox.
• Client Access Server This is the middle-tier server that hosts the client protocols,
such as Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4),
Secure Hypertext Transfer Protocol (HTTPS), Outlook Anywhere, Availability service, and
Autodiscover service. The Client Access Server also hosts Web services. For more
information about the Exchange 2007 Client Access Server role, see Client Access.
• Unified Messaging Server This is the middle-tier server that connects a Private
Branch eXchange (PBX) system to Exchange 2007. For more information about the
Exchange 2007 Unified Messaging Server role, see Unified Messaging.
• Hub Transport Server This is the mail routing server that routes mail within the
Exchange organization. For more information about the Exchange 2007 Hub Transport
Server role, see Hub Transport.
• Edge Transport Server This is the mail routing server that typically sits at the
perimeter of the topology and routes mail in to and out of the Exchange organization. For
more information about the Exchange 2007 Edge Transport Server role, see Edge
Transport.
Client Access
In Microsoft Exchange Server 2007, there are five server roles that you can install and then
configure on a computer that is running Microsoft Windows Server 2003. This topic provides an
overview of the Client Access server role. The Client Access server role supports the
Microsoft Office Outlook Web Access and Microsoft Exchange ActiveSync client applications,
and the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version
4rev1 (IMAP4) protocols. The Client Access server role also provides access to free/busy data
by using the Availability service and enables clients that are running Microsoft Outlook 2007
and certain mobile operating systems to download automatic configuration settings from the
Autodiscover service.
The Client Access server role accepts connections to your Exchange 2007 server from a
variety of different clients. Software clients such as Microsoft Outlook Express and Eudora use
POP3 or IMAP4 connections to communicate with the Exchange server. Hardware clients, such
23
as mobile devices, use ActiveSync, POP3, or IMAP4 to communicate with the Exchange
server. You must install the Client Access server role in every Exchange organization.
For more information about the new client features in Exchange Server 2007, see New Client
Functionality.
Outlook Web Access
Outlook Web Access in Exchange Server 2007 lets you access your e-mail from any Web
browser. Outlook Web Access has been redesigned in Exchange 2007 to enhance the user
experience and productivity in many ways. New features, such as smart meeting booking,
Microsoft Windows SharePoint Services and Windows file share integration, and improvements
in reminders and the address book give you a rich user experience from any computer that has
a Web browser. There are two versions of Outlook Web Access included in
Exchange Server 2007: the full-featured Outlook Web Access Premium client and the new
Outlook Web Access Light client. Outlook Web Access Light is designed to optimize your
Outlook Web Access experience for mobile devices, slower connections, and browsers other
than Internet Explorer.
For more information about Outlook Web Access, see the following topics:
•
Managing Outlook Web Access
•
Overview of Outlook Web Access
Exchange ActiveSync
Exchange ActiveSync lets you synchronize data between your mobile device and
Exchange 2007. You can synchronize e-mail, contacts, calendar information, and tasks.
Devices that run Microsoft Windows Mobile software, including Windows Mobile powered
Pocket PC 2002, Windows Mobile powered Pocket PC 2003, and Windows Mobile 5.0, are all
supported.
If you use a device that has Windows Mobile 5.0 and the Messaging Security and Feature Pack
(MSFP) installed, your mobile device will support Direct Push. Direct Push is a technology that
is built into Exchange ActiveSync that keeps a mobile device continuously synchronized with
an Exchange mailbox.
For more information about Exchange ActiveSync, see the following topics:
•
Overview of Exchange ActiveSync
•
Deploying Exchange ActiveSync
•
Managing Exchange ActiveSync
24
POP3 and IMAP
In addition to supporting MAPI and HTTP clients, Exchange Server 2007 also supports POP3
and IMAP4 clients. By default, POP3 and IMAP4 are installed but the services are disabled
when you install the Client Access server role.
For more information about POP3 and IMAP4, see the following topics:
•
How to Start and Stop POP3 Service
•
How to Start and Stop IMAP4 Service
The Availability Service
The Exchange 2007 Availability service improves free/busy data access for information workers
by providing secure, consistent, and up-to-date free/busy data to computers that are running
Microsoft Office Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL
of the Availability service. The Autodiscover service resembles the Domain Name System
(DNS) Web service for Outlook 2007. Essentially, the Autodiscover service helps Outlook 2007
locate various Web services, such as the Microsoft Exchange Unified Messaging, Offline
Address Book, and Availability services.
For more information about the Availability service, see the following topics:
•
Managing the Availability Service
The Autodiscover Service
The Autodiscover service enables Outlook clients and some mobile devices to receive their
necessary profile settings directly from the Exchange server by using the client's domain
credentials. These settings automatically update the client with the information that is needed
to create the user's profile.
For more information about the Autodiscover service, see the following topics.
•
Overview of the Autodiscover Service
•
Understanding Exchange ActiveSync Autodiscover
•
Managing Autodiscover
Overview of Client Access Server Security
Microsoft Exchange Server 2007 incorporates several features to enhance the security of your
Exchange 2007 organization. By default, communication between Exchange 2007 computers is
25
encrypted. Also by default, Secure Sockets Layer (SSL) is required on all virtual directories,
and a self-signed certificate is installed.
Overview of SSL for Client Access Servers
When you install Exchange 2007, a self-signed SSL certificate is installed. You can use this
self-signed SSL certificate to encrypt communication between clients and the Client Access
server, or you can replace the self-signed certificate with another certificate. There are two
sources for SSL certificates: a Microsoft Windows public key infrastructure (PKI) and a
commercial third party. For more information about SSL certificates, see Understanding SSL for
Client Access Servers.
Overview of Using ISA Server 2006 for Client
Access
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange Server 2007 are
designed to work together to provide a more secure messaging environment. ISA Server acts
as an advanced firewall that controls Internet-based traffic between multiple networks that are
connected to it through its multi-networking feature. When you deploy ISA Server 2006 for
Exchange 2007, ISA Server handles all client requests for Exchange information. This includes
incoming and outgoing Internet communication. For more information about ISA Server 2006,
see the following topics.
•
Configuring ISA Server 2006 for Exchange Client Access
•
Using ISA Server 2006 with Exchange 2007
For More Information
For more information about Client Access Server security, see the following topics.
•
Managing Client Access Security
•
Managing SSL For a Client Access Server
•
Using ISA Server 2006 with Exchange 2007
26
Configuring ISA Server 2006 for Exchange
Client Access
Microsoft Internet Security and Acceleration (ISA) Server 2006 and
Microsoft Exchange Server 2007 are designed to work together to provide a more secure
messaging environment.
ISA Server 2006 and Exchange 2007
ISA Server acts as an advanced firewall that controls Internet-based traffic between multiple
networks that are connected to it through its multi-networking feature. When you deploy ISA
Server 2006 for Exchange 2007, ISA Server handles all client requests for
Exchange information. This includes incoming and outgoing Internet communication.
Benefits of Using ISA Server 2006 with Exchange
2007
New features for ISA Server 2006 are designed specifically to enhance functionality for
Exchange 2007. Table 1 describes these features.
Table 1 New features for ISA Server 2006 and Exchange 2007
27
Feature
Description
How To
Web Publishing Load
Balancing
ISA Server 2006 balances the
request from the client to an
array of published servers.
This eliminates the need to
deploy Network Load
Balancing (NLB) on the
published array.
Web load balancing features
are automatically implemented
when you publish
Outlook Web Access and
Outlook Anywhere.
Outlook Web Access automati
cally selects a rule by using
cookie-based load
balancing. With cookie-based
load balancing, all requests
related to the same session
(the same unique cookie
provided by the server in each
response) are forwarded to
the same server. Outlook
Anywhere uses sourceIP based load balancing. With
source-IP based load
balancing, all requests from
the same client (source) IP
address are forwarded to the
same server.
Link Translation
Some published Web sites
may include references to
internal names of computers.
Because only the ISA
Server 2006 firewall and
external namespaces are
available to external clients,
these references appear as
broken links. ISA Server 2006
includes a link translation
feature that you can use to
create a dictionary of
definitions for internal
computer names that map to
publicly known names.
ISA Server 2006 implements
link translation automatically
when you configure Web
publishing for
Outlook Web Access.
28
Feature
Description
How To
Secure Sockets Layer (SSL)
Bridging Support
For authenticated and
encrypted client access, ISA
Server 2006 provides end-toend security and application
layer filtering by using SSL-toSSL bridging. This means that
encrypted data is inspected
before it reaches the
Exchange server. The ISA
Server 2006 firewall decrypts
the SSL stream, performs
stateful inspection, and then
re-encrypts the data and
forwards it to the published
Web server. Stateful
inspection is a firewall
architecture that works at the
network layer. Unlike static
packet filtering, which
examines a packet based on
the information in its header,
stateful inspection tracks each
connection traversing all
interfaces of the firewall and
makes sure they are valid.
ISA Server 2006 implements
SSL Bridging Support
automatically when you
configure Web publishing for
Outlook Web Access.
In addition to the features listed in Table 1, ISA Server 2006 is designed to work specifically
with the client access methods that you can use with Exchange 2007.
New Exchange Publishing Rule Wizard
When you deploy ISA Server 2006, you use the New Publishing Rule Wizard on the firewall
policy tasks to help you with the settings that must be configured to allow access for the
following features:
• Outlook Web Access When you deploy ISA Server 2006 for Outlook Web Access,
you use the New Exchange Publishing Rule Wizard that is on the Firewall Policy tasks.
This new wizard shows the specific settings that must be configured to allow for client
access by using Outlook Web Access. For more information about how to configure ISA
Server 2006 to use Outlook Web Access, see Using ISA Server 2006 with Outlook Web
Access.
29
• Exchange ActiveSync When you deploy ISA Server 2006 for Exchange ActiveSync,
you use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new
wizard shows you the specific settings that must be configured to allow for
Exchange ActiveSync access. Follow the instructions in the New Exchange Publishing
Rule Wizard for ISA Server 2006 to configure your Exchange deployment to use
Exchange ActiveSync.
• Outlook Anywhere When you deploy ISA Server 2006 for Outlook Anywhere, you
use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new
wizard shows you the specific settings that must be configured to allow for Outlook
Anywhere access. Follow the instructions in the New Exchange Publishing Rule Wizard for
ISA Server 2006 to configure your Exchange deployment to use Outlook Anywhere.
• POP3 and IMAP4 Access When you deploy ISA Server 2006 for POP3 and IMAP4
access to Exchange 2007, you use the New Exchange Publishing Rule Wizard on the
Firewall Policy tasks. This new wizard shows you the specific settings that must be
configured to allow for POP3 and IMAP4 access. Follow the instructions in the New
Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange
deployment to use POP3 and IMAP4.
Understanding SSL for Client Access
Servers
Secure Sockets Layer (SSL) is a method for securing communications between a client and a
server. For a computer that is running Microsoft Exchange Server 2007 that has the Client
Access server role installed, SSL is used to help secure communications between the server
and the clients. Clients include mobile devices, computers inside an organization's network,
and computers outside an organization's network. These include clients with and without virtual
private network (VPN) connections.
By default, when you install Exchange 2007, client communications are encrypted by using
SSL when you use Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere. By
default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version 4
rev1 (IMAP4) are not configured to communicate over SSL.
SSL requires that you use digital certificates. This topic provides an overview of the various
types of digital certificates and information about how to configure the Client Access server to
use these types of digital certificates.
Overview of Digital Certificates
Digital certificates are electronic files that work like an online password to verify the identity of a
user or a computer. They are used to create the SSL encrypted channel that is used for client
30
communications. A certificate is a digital statement that is issued by a certification authority
(CA) that vouches for the identity of the certificate holder and enables the parties to
communicate in a secure manner by using encryption.
Digital certificates do the following:
• They authenticate that their holders—people, Web sites, and even network resources
such as routers—are truly who or what they claim to be.
•
They protect data that is exchanged online from theft or tampering.
Digital certificates can be issued by a trusted third-party CA or a Microsoft Windows public key
infrastructure (PKI) by using Certificate Services, or they can be self-signed. Each type of
certificate has advantages and disadvantages. Each type of digital certificate is tamper-proof
and cannot be forged.
Certificates can be issued for several uses. These uses include Web user authentication, Web
server authentication, Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet
Protocol security (IPsec), Transport Layer Security (TLS), and code signing.
A certificate contains a public key and attaches that public key to the identity of a person,
computer, or service that holds the corresponding private key. The public and private keys are
used by the client and the server to encrypt the data before it is transmitted. For
Microsoft Windows-based users, computers, and services, trust in a CA is established when
there is a copy of the root certificate in the trusted root certificate store and the certificate
contains a valid certification path. For the certificate to be valid, the certificate must not have
been revoked and the validity period must not have expired.
Types of Certificates
There are three primary types of digital certificates: self-signed certificates, Windows PKIgenerated certificates, and third-party certificates.
Self-Signed Certificates
When you install Exchange 2007, a self-signed certificate is automatically configured. A selfsigned certificate is signed by the application that created it. The subject and the name of the
certificate match. The issuer and the subject are defined on the certificate. A self-signed
certificate will allow some client protocols to use SSL for their communications.
Microsoft Exchange ActiveSync and Office Outlook Web Access can establish an SSL
connection by using a self-signed certificate. Outlook Anywhere will not work with a self-signed
certificate. Self-signed certificates must be manually copied to the trusted root certificate store
on the client computer or mobile device. When a client connects to a server over SSL and the
server presents a self-signed certificate, the client will be prompted to verify that the certificate
was issued by a trusted authority. The client must explicitly trust the issuing authority. If the
client continues, SSL communications can continue.
31
Frequently, small organizations decide not to use a third-party certificate or not to install their
own PKI to issue their own certificates because of the expense, because their administrators
lack the experience and knowledge to create their own certificate hierarchy, or for both reasons.
The cost is minimal and the setup is simple when you use self-signed certificates. However, it is
much more difficult to establish an infrastructure for certificate life-cycle management, renewal,
trust management, and revocation when you use self-signed certificates.
Windows Public Key Infrastructure Certificates
The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of
digital certificates, certification authorities, and registration authorities (RAs) that verify and
authenticate the validity of each party that is involved in an electronic transaction by using
public key cryptography. When you implement a CA in an organization that uses
Active Directory, you provide an infrastructure for certificate life-cycle management, renewal,
trust management, and revocation. However, there is some additional cost involved in
deploying servers and infrastructure to create and manage Windows PKI-generated
certificates.
Certificate Services are required to deploy a Windows PKI and can be installed through Add Or
Remove Programs in Control Panel. You can install Certificate Services on any server in the
domain.
If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or
sign certificates to issue to your own servers or computers on your network. This enables you
to use a PKI that resembles a third-party certificate vendor, but is less expensive. Although
these PKI certificates cannot be deployed publicly, as other types of certificates can be, when a
PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The
public key of this CA is part of the certificate. A server that has this certificate in the trusted root
certificate store can use that public key to decrypt the requestor's certificate and authenticate
the requestor.
The steps for deploying a PKI-generated certificate resemble those required for deploying a
self-signed certificate. You must still install a copy of the trusted root certificate from the PKI to
the trusted root certificate store of the computers or mobile devices that you want to be able to
establish an SSL connection to Microsoft Exchange.
A Windows PKI enables organizations to publish their own certificates. Clients can request and
receive certificates from a Windows PKI on the internal network. The Windows PKI can renew
or revoke certificates.
For more information, see the following topics:
• For more information about certificates, see Public Key Infrastructure for Windows
Server 2003.
• For more information about best practices for implementing a Windows PKI, see Best
Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.
32
• For more information about how to deploy a Windows-based PKI, see the Windows
Server 2003 PKI Operations Guide.
Trusted Third-Party Certificates
Third-party or commercial certificates are certificates that are generated by a third-party or
commercial CA and then purchased for you to use on your network servers. One problem with
self-signed and PKI-based certificates is that, because the certificate is not automatically
trusted by the client computer or mobile device, you must make sure that you import the
certificate into the trusted root certificate store on client computers and devices. Third-party or
commercial certificates do not have this problem. Most commercial CA certificates are already
trusted because the certificate already resides in the trusted root certificate store. Because the
issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies
deployment.
For larger organizations or organizations that must publicly deploy certificates, the best solution
is to use a third-party or commercial certificate, even though there is a cost associated with the
certificate. Commercial certificates may not be the best solution for small and medium-size
organizations, and you might decide to use one of the other certificate options that are
available.
Choosing a Certificate Type
When you choose the type of certificate to install, there are several factors to consider. A
certificate must be signed to be valid. It can be self-signed or signed by a CA. A self-signed
certificate has limitations. For example, not all mobile devices let a user install a digital
certificate in the trusted root certificate store. The ability to install certificates on a mobile device
depends on the mobile device manufacturer and the mobile operator. Some manufacturers and
mobile operators disable access to the trusted root certificate store. In this case, neither a selfsigned certificate nor a certificate from a Windows PKI CA can be installed on the mobile
device.
Most mobile devices have several trusted third-party commercial certificates preinstalled. For
the optimal user experience, implement certificate-based authentication for
Exchange ActiveSync by using devices that are running Windows Mobile 6.0 and a digital
certificate from a trusted third-party CA.
For More Information
For more information, see the following topics:
•
Managing SSL For a Client Access Server
•
How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
•
How to Install Certificates on a Windows Mobile Powered Device
33
Overview of Exchange ActiveSync
By default, when you install the Client Access server role on a computer that is running
Microsoft Exchange Server 2007, you enable Microsoft Exchange ActiveSync.
Exchange ActiveSync lets you synchronize a mobile device with your Exchange 2007 mailbox.
Overview of Exchange ActiveSync
Exchange ActiveSync is an Microsoft Exchange synchronization protocol that is optimized to
work together with high-latency and low-bandwidth networks. The protocol, based on HTTP
and XML, lets devices such as browser-enabled cellular telephones or Microsoft Windows
Mobile® powered devices access an organization's information on a server that is running
Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail,
calendar, contacts, and tasks and to continue to be able to access this information while they
are working offline.
Note:
Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts,
and tasks. You cannot use Exchange ActiveSync to synchronize notes in
Microsoft Outlook.
New Features in Exchange ActiveSync
Exchange ActiveSync has been enhanced in Exchange Server 2007. The following are some of
the new and enhanced features:
•
Support for HTML messages
•
Support for follow-up flags
•
Support for fast message retrieval
•
Meeting attendee information
•
Enhanced Exchange Search
• Windows SharePoint Services and Universal Naming Convention (UNC) document
access
•
PIN reset
•
Enhanced device security through password policies
•
Autodiscover for over the air provisioning
•
Support for Out of Office configuration
•
Support for tasks synchronization
34
•
Direct Push
Note:
The ability to use Autodiscover depends on the mobile device operating system that
you are using. Not all mobile device operating systems that support synchronization
with Exchange Server 2007 also support Autodiscover. For more information about
which operating systems support Autodiscover, contact the manufacturer of your
mobile device.
Note:
Many of these features require the use of the latest version of Windows Mobile that is
currently in development.
For more information about the new features in Exchange ActiveSync, see Client Features In
Exchange ActiveSync.
Managing Exchange ActiveSync
By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can
synchronize their mobile device with the Microsoft Exchange server.
You can perform the following Exchange ActiveSync tasks:
•
Enable and disable Exchange ActiveSync for users
• Set policies such as minimum password length, device locking, and maximum failed
password attempts
•
Initiate a remote wipe to clear all data off a lost or stolen device
•
Run a variety of reports for viewing or exporting into a reporting solution
Security in Exchange ActiveSync
You can configure Exchange ActiveSync to use Secure Sockets Layer (SSL) encryption for
communications between the Exchange server and the mobile device client. Certificate-based
authentication works with a self-signed certificate, a certificate from an existing public key
infrastructure, or a third-party commercial certificate. You can use certificate-based
authentication together with other security features, such as local device wipe and a device
password, to turn the mobile device into a smartcard. The private key and certificate for client
authentication are stored in memory on the device. If an unauthorized user tries to bypass the
device password, all user data is purged. This includes the certificate and private key. For more
security, you can deploy RSA SecurID two-factor authentication on the Exchange server.
35
Device Security Features in Exchange ActiveSync
In addition to the ability to configure security options for communications between the
Exchange server and your mobile devices, Exchange ActiveSync offers the following features
to enhance the security of mobile devices:
• Remote wipe If your device is lost, stolen, or otherwise compromised, you can issue
a remote wipe command from the Exchange Server computer or from any Web browser by
using Microsoft Office Outlook Web Access. This command erases all data from the mobile
device.
• Device password policies Exchange ActiveSync lets you configure several options
for your device password. These options include the following:
• Minimum password length (characters) This option specifies the length of the
password for the device. The default length is four characters, but can include as many
as 18.
• Require alphanumeric password This option determines password strength.
You can enforce the usage of a character or symbol in the password in addition to
numbers.
• Inactivity time (seconds) This option determines how long the device must be
inactive before the user is prompted for a password to unlock the device.
• Wipe device after failed (attempts) This option lets you specify whether you
want the device memory wiped after multiple failed password attempts.
For More Information
For more information about Exchange ActiveSync, see the following topics:
•
How to Enable Exchange ActiveSync
•
How to Disable Exchange ActiveSync
•
How to Enable a User for Exchange ActiveSync
•
How to Disable a User for Exchange ActiveSync
•
Understanding Exchange ActiveSync Mailbox Policies
Understanding Direct Push
Direct Push is a feature that is built into Exchange Server 2007. Direct Push is designed to
keep a mobile device up-to-date over a cellular network connection. Introduced in
Exchange Server 2003 Service Pack 2, Direct Push provides notification to the mobile device
when new content is ready to be synchronized to the device.
36
Overview
For Direct Push to work, you must have a device that is Direct Push capable. These devices
include the following:
• Cellular telephones that have Windows Mobile® 5.0 and the Messaging & Security
Feature Pack (MSFP) and later versions of Windows Mobile software.
• Cellular telephones or mobile devices that are produced by Exchange ActiveSync
licensees and are designed specifically to be Direct Push compatible.
By default, Direct Push is enabled in Exchange 2007. Mobile devices that support Direct Push
issue a long-lived HTTPS request to the Exchange server. The Exchange server monitors
activity on the users’ mailbox and sends a response to the device if there are any changes,
such as new or changed e-mail messages or calendar or contact items. If changes occur within
the lifespan of the HTTPS request, the Exchange server issues a response to the device that
states that changes have occurred and the device should initiate synchronization with the
Exchange server. The device then issues a synchronization request to the server. When
synchronization is complete, a new long-lived HTTPS request is generated to start the process
over again. This guarantees that e-mail, calendar, contact, and task items are delivered quickly
to the mobile device and the device is always synchronized with the Exchange server.
Direct Push Topology
Figure 1 illustrates a typical Exchange Server 2007 topology that is configured for Direct Push.
This figure assumes that you have the Client Access server role and the Mailbox server role
installed on two separate Exchange Server computers. You can also install both server roles on
the same physical Exchange 2007 computer.
37
Figure 1 Direct Push Network Design
Direct Push operates in the following way:
1. A mobile device that is configured to synchronize with an Exchange 2007 server issues
an HTTPS request to the server. This request is known as a ping. The request tells the
server to notify the device if any items change in any folder that is configured to
synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK
message. The mobile device will then stand by. The 15-minute time span is known as a
heartbeat interval.
2. If no items change in 15 minutes, the server returns a response of HTTP 200 OK. The
mobile device receives this response, resumes activity (called waking up), and issues its
request again. This restarts the process.
3. If any items change or new items are received within the 15 minute heartbeat interval,
the server sends a response that informs the mobile device that there is a new or changed
item and the name of the folder in which the new or changed item resides. After the mobile
device receives this response, it issues a synchronization request for the folder that has the
new or changed items. When synchronization is complete, the mobile device issues a new
ping request and the whole process starts over.
Direct Push depends on network conditions that support a long-standing HTTPS request. If the
carrier network for the mobile device or the firewall does not support long-standing HTTPS
38
requests, the HTTPS request is stopped. The following steps describe how Direct Push
operates when a mobile device's carrier network has a time-out value of 13 minutes.
1. A mobile device issues an HTTPS request to the server. The request tells the server to
notify the device if any items change in any folder that is configured to synchronize in the
next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The
mobile device then stands by.
2. If the server does not respond after 15 minutes, the mobile device wakes up and
concludes that the connection to the server was timed out by the network. The device
reissues the HTTPS request, but this time uses a heartbeat interval of eight minutes.
3. After eight minutes, the server sends an HTTP 200 OK message. The device will then
try to gain a longer connection by issuing a new HTTPS request to the server that has a
heartbeat interval of 12 minutes.
4. After four minutes, a new e-mail message is received and the server responds by
sending an HTTPS request that tells the device to synchronize. The device synchronizes
and reissues the HTTPS request that has a heartbeat of 12 minutes.
5. After 12 minutes, if there are no new or changed items, the server responds by
sending an HTTP 200 OK message. The device wakes up and concludes that network
conditions will support a heartbeat interval of 12 minutes. The device will then try to gain a
longer connection by reissuing an HTTPS request that has a heartbeat interval of 16
minutes.
6. After 16 minutes, no response is received from the server. The device wakes up and
concludes that network conditions cannot support a heartbeat interval of 16 minutes.
Because this failure occurred directly after the device tried to increase the heartbeat
interval, it concludes that the heartbeat interval has reached its maximum limit. The device
then issues an HTTPS request that has a heartbeat interval of 12 minutes because this
was the last successful heartbeat interval.
The mobile device tries to use the longest heartbeat interval the network supports. This extends
battery life on the device and minimizes the amount of data that is transferred over the network.
Mobile carriers can specify a maximum, minimum, and initial heartbeat value in the registry
settings for the mobile device.
Configuring Direct Push to Work Through Your Firewall
For Direct Push to work through your firewall, you must open the following ports:
• If you have the Client Access server role and the Mailbox server role installed on two
separate Exchange Server computers, you must open TCP port 135 for the RPC locator
service on any internal firewall that is between the two Exchange Server computers.
39
• TCP port 443 is required for Secure Sockets Layer (SSL) and must be opened
between the Internet and the Exchange Server computer that has the Client Access server
role installed.
In addition to opening ports on your firewall, for optimal Direct Push performance, you should
increase the time-out value on your firewall from the default to 15 to 30 minutes. The maximum
length of the HTTPS request is determined by the following settings:
• The maximum time-out that is set on the firewalls that control the traffic from the
Internet to the Exchange server that has the Client Access server role installed
•
The firewall time-outs that are set by the mobile carrier
A short time-out value causes the device to initiate a new HTTPS request more frequently. This
can shorten battery life on your device. For more information about how to configure your
firewall, see the ISA Server Product Documentation.
For More Information
For more information about Direct Push and how to synchronize mobile devices with
Exchange 2007, see the following topics:
•
How to Configure Mobile Devices to Synchronize with Exchange Server
•
Understanding Mobile Devices
•
Understanding Mobile Device Connectivity
Understanding Exchange ActiveSync
Mailbox Policies
This topic discusses Exchange ActiveSync mailbox policies and how they can be used in your
Microsoft Exchange Server 2007 environment.
Overview
Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings
to a user or group of users. Table 2 summarizes the settings that you can specify by using
Exchange ActiveSync mailbox policies.
40
Table 2 Exchange ActiveSync mailbox policy settings
Setting
Description
Allow non-provisionable devices
Allows older devices (those that do not support
the Autodiscover service) to connect to
Exchange 2007 by using
Exchange ActiveSync.
Allow simple password
Enables or disables the ability to use a simple
password such as 1234.
Alphanumeric password required
Requires that a password contains numeric
and non-numeric characters.
Attachments enabled
Enables attachments to be downloaded to the
mobile device.
Device encryption enabled
Enables encryption on the device.
Password enabled
Enables the device password.
Password expiration
Enables the administrator to configure a length
of time after which a device password must be
changed.
Password history
The number of past passwords stored in the
user's mailbox. A user cannot reuse a
previously stored password.
Policy refresh interval
Defines how frequently the device updates the
Exchange ActiveSync policy from the server.
Maximum attachment size
Specifies the maximum size of attachments
that are automatically downloaded to the
device.
Maximum failed password attempts
Specifies how many times an incorrect
password can be entered before the device
performs a wipe of all data.
Maximum inactivity time lock
Specifies the length of time a device can go
without user input before it locks.
Minimum password length
Specifies the minimum password length.
Password recovery
Enables the device password to be recovered
from the server.
UNC file access
Enables access to files stored on Universal
Naming Convention (UNC) shares.
41
Setting
Description
WSS file access
Enables access to files stored on
Microsoft Windows SharePoint Services sites
For example, you can create a policy that you apply to all users in your Exchange organization.
Table 3 lists the settings that this policy could have.
Table 3 Sample Exchange ActiveSync mailbox policy settings for all users
Setting
Value
Allow non-provisionable devices
False
Allow simple password
False
Alphanumeric password required
True
Attachments enabled
True
Device encryption enabled
True
Password enabled
True
Password expiration
10 days
Password history
8 passwords stored
Maximum attachment size
500 kilobytes (KB)
Maximum failed password attempts
4
Minimum password length
4
UNC file access
Disabled
WSS file access
Disabled
Note:
You do not have to specify all policy settings when you create a new
Exchange ActiveSync mailbox policy. Any policy setting that you do not explicitly set
will retain its default value.
Exchange ActiveSync mailbox policies can be created in the Exchange Management Console
or the Exchange Management Shell. If you create a policy in the Exchange Management
Console, you can configure only a subset of the available settings. You can configure the rest
of the settings by using the Exchange Management Shell.
You do not have to assign a user to an Exchange ActiveSync mailbox policy. Table 4
summarizes the policy settings that are used if you do not assign a user to a policy.
42
Table 4 Default Exchange ActiveSync settings
Setting
Value
Allow non-provisionable devices
True
Allow simple password
False
Alphanumeric password required
False
Attachments enabled
True
Device encryption enabled
False
Password enabled
False
Password expiration
Unlimited
Password history
0
Policy refresh interval
Unlimited
Document browsing enabled
True
Maximum attachment size
Unlimited
Maximum failed password attempts
4
Maximum inactivity time lock
15 minutes
Minimum password length
4
Password recovery
Disabled
UNC file access
Enabled
WSS file access
Enabled
Exchange ActiveSync Mailbox Policy Examples
Figure 2 illustrates how Exchange ActiveSync mailbox policies can be created to control a
variety of settings for three different groups of users.
43
Figure 2 Example of Exchange ActiveSync mailbox policies
For More Information
For more information about how to manage Exchange ActiveSync by using policies, see
Managing Exchange ActiveSync with Policies.
Understanding Remote Device Wipe
One of the enhanced features available in Microsoft Exchange Server 2007 is the ability to
perform a remote device wipe of a mobile device. Remote device wipe is a feature that enables
the Exchange server to set a mobile device to delete all data the next time that the device
connects to the Exchange server.
A remote device wipe returns a device to its factory default condition. This can be useful when
a device is lost, stolen, or otherwise compromised, or when a device has to be reassigned from
one user to another.
Overview
Mobile devices can store sensitive corporate data and provide access to many corporate
resources. If a device is lost or stolen, that data can be compromised. Through
44
Exchange ActiveSync policies, you can add a password requirement to your mobile devices.
This requires that users enter a password to access their device. We recommend that, in
addition to requiring a device password, you configure your devices to automatically prompt for
a password after a period of inactivity. The combination of a device password and inactivity
locking provides more security for your corporate data.
In addition to these features, Exchange 2007 provides remote device wipe. You can issue a
remote wipe command from the Exchange Management Shell. Users can issue their own
remote wipe commands from the Outlook Web Access user interface.
The remote device wipe feature also includes a confirmation function that writes a timestamp in
the sync state data of the user's mailbox. This timestamp is displayed in Outlook Web Access
and in the user's mobile device properties dialog box in the Exchange Management Console.
Important:
In addition to resetting the device to factory default condition, a remote device wipe
also deletes any data on any storage card that is inserted in the device. If you are
performing a remote device wipe on a device in your possession and want to retain the
data on the storage card, remove the storage card before you initiate the remote
device wipe.
Remote Device Wipe vs. Local Device Wipe
Local device wipe is the mechanism by which a device wipes itself without the request coming
from the server. If your organization has implemented Exchange ActiveSync policies that
specify a maximum number of password attempts and that maximum is exceeded, the device
will perform a local device wipe. The result of a local device wipe is the same as that of a
remote device wipe. The device is returned to its factory default condition. When a device
performs a local device wipe, no confirmation is sent to the Exchange server.
For More Information
For more information about the remote device wipe feature, see the following topics:
•
How to Perform a Remote Wipe on a Device
•
Clear-ActiveSyncDevice
Understanding Exchange ActiveSync
Autodiscover
Microsoft Exchange Server 2007 introduces a new service that makes it easier to provision
devices for end users. The Autodiscover service simplifies the provisioning of your mobile
45
device by returning the required system settings after you enter your e-mail address and
password. By default, the Autodiscover service is enabled in Exchange 2007.
Overview of Autodiscover with Exchange
ActiveSync
If your mobile device supports Autodiscover, you can configure your device to synchronize with
Exchange 2007. Figure 3 illustrates this synchronization process.
Figure 3 Using Autodiscover with Exchange ActiveSync
1. The user enters their e-mail address and password on the device.
2. The device connects to a root DNS server to retrieve the URL for the Autodiscover
service and the IP address for the user's domain.
3. The device uses a Secure Sockets Layer (SSL) connection to connect through the
firewall to the Autodiscover service virtual directory. The Autodiscover service assembles
the XML response based on the server synchronization settings.
4. The Autodiscover service sends the XML response through the firewall over SSL. This
XML response is interpreted by the device and synchronization settings are configured
automatically on the device.
Note:
The ability to use Autodiscover depends on the operating system of the mobile
device that you are using. Not all mobile device operating systems that support
synchronization with Exchange Server 2007 support Autodiscover. For more
information about operating systems that support Autodiscover, contact the
manufacturer of your device.
46
Note:
Windows Mobile 5.0 does not support Autodiscover.
For More Information
For more information about how to manage the Autodiscover service, see Managing
Autodiscover.
Understanding Mobile Device Connectivity
A wide variety of mobile devices can synchronize with Microsoft Exchange Server 2007. Most
mobile devices that synchronize with Exchange 2007 are cellular telephones. These
devices can run operating systems such as Windows Mobile, Symbian, Palm, and Nokia. For
an overview of the different mobile devices that are enabled for Exchange ActiveSync, see
Understanding Mobile Devices.
Regardless of the type of device that you select, there are two primary ways to connect to
Exchange 2007: by using cellular connectivity and by using wireless connectivity. This topic
provides an overview of the two connectivity options.
Cellular Connectivity
All mobile devices that are enabled for Exchange ActiveSync can use cellular connectivity to
synchronize with Exchange 2007. There are several different types of cellular data networks.
Regardless of the type of cellular data network that your mobile device uses, the method of
synchronization is the same. If the operating system of your device is Windows Mobile 5.0 with
the Messaging & Security Feature Pack or Windows Mobile 6.0, synchronization is
accomplished through Direct Push. If your device has another operating system, manual
synchronization is used. When a device uses Direct Push to synchronize with Exchange 2007,
it establishes a long-standing HTTPS connection with the Exchange server. When the
connection is first established, the device sets a what is called a heartbeat interval. The default
heartbeat interval is 15 minutes. If any new messages are added to monitored folders on the
Exchange server within this heartbeat interval, the server informs the device and the device
initiates synchronization. When synchronization is complete, a new HTTPS request is initiated
and the process is repeated. For more information about Direct Push, see Understanding
Direct Push.
Cellular data plans can charge by the minute, by the megabyte, or offer unlimited data transfer.
When you use a cellular data connection with Exchange 2007 Direct Push, we recommend
purchasing an unlimited data plan.
47
Wireless Connectivity
Many of the mobile devices that are enabled for Exchange ActiveSync can connect to a
wireless LAN. Connecting to a wireless LAN can provide faster network speeds and better
coverage in areas where cellular coverage is unreliable. In addition, wireless access is
sometimes offered at commercial locations such as coffee shops and book stores. The primary
disadvantage to using wireless connectivity is that Direct Push will not work over a wireless
LAN. Users who connect over a wireless LAN can perform manual synchronizations or
configure scheduled synchronizations as frequently as every five minutes.
For More Information
For more information, see the following topics:
•
Understanding Mobile Devices
•
Understanding Direct Push
Understanding Mobile Devices
Mobile devices that are enabled for Exchange ActiveSync enable users to access most of their
Microsoft Exchange mailbox data any time, anywhere. There are a variety of different devices
that are enabled for Exchange ActiveSync. These include Windows Mobile powered devices,
Nokia devices, and Palm devices. This topic provides an overview of these mobile devices.
Exchange ActiveSync Enabled Devices
Exchange ActiveSync is a communications protocol that enables mobile access, over the air, to
e-mail messages, scheduling data, contacts, and tasks. Exchange ActiveSync is available on
Windows Mobile powered devices and third-party devices that are enabled for
Exchange ActiveSync.
Exchange ActiveSync offers Direct Push technology. Direct Push uses an encrypted HTTPS
connection that is established and maintained between the device and the server to push new
e-mail messages and other Exchange data to the device.
To use Direct Push with Exchange 2007, your users must have a mobile device that is running
Windows Mobile 5.0 with the Messaging & Security Feature Pack or another mobile operating
system that is designed to support Direct Push.
Note:
The Messaging & Security Feature Pack includes support for Direct Push, serverbased security policies, remote device wipe, Task synchronization, global address book
lookup, and many other features.
48
Exchange ActiveSync Features
Exchange ActiveSync provides access to a variety of features. These features enable you to
enforce device security policies. By using Exchange 2007, you can configure multiple
Exchange ActiveSync policies and control which devices can synchronize with your Exchange
server. Exchange ActiveSync enables you to send a remote device wipe command that wipes
all data from an existing device in case that device is lost or stolen. Users can also initiate a
remote device wipe from Microsoft Office Outlook Web Access.
For more information about Exchange ActiveSync, see Overview of Exchange ActiveSync.
Note:
Access to some of the features described in this topic require either Windows Mobile
5.0 with the Messaging & Security Feature Pack or the next version of Windows Mobile
software that is currently in development. For more information, see your device
documentation.
Devices Enabled for Exchange ActiveSync
Users can take advantage of Exchange ActiveSync by selecting mobile devices that are
compatible with Exchange ActiveSync. These devices are available from a variety of
manufacturers. Most of these devices do not support Direct Push. However, they do support
synchronization with Microsoft Exchange. For more information, see the device documentation.
Some of the devices that are compatible with Microsoft Exchange include the following:
• Nokia Nokia offers Mail for Exchange on their Eseries mobile devices. E-mail,
calendar, and contact data can be synchronized over a cellular network or a wireless LAN.
• Sony Ericsson Sony Ericsson offers Exchange ActiveSync support on several of
their newer smartphone devices. They also support Direct Push through a third-party
program.
• Palm Palm offers two smartphones that have the Windows Mobile 5.0 operating
system. These devices support Direct Push. Palm also supports Exchange ActiveSync on
the Treo 650 and 680 series smartphones. These devices do not support Direct Push.
• Motorola Motorola has its own synchronization framework that enables over-the-air
synchronization through Exchange ActiveSync on a variety of its devices.
• Symbian Symbian Limited licenses Exchange ActiveSync for use in the Symbian
operating system. This operating system is an open standard operating system for mobile
telephones.
49
Windows Mobile Software Feature Matrix
Mobile devices that have a version of Windows Mobile software as their operating system offer
the greatest functionality when synchronizing with Exchange 2007. Table 5 illustrates some of
the features that are available with the different versions of Windows Mobile software.
Table 5 Windows Mobile software feature matrix
Operating System
Windows Mobile 6.0
Productivity
Security
Administration
Enhancements
Enhancements
Enhancements
•
Direct Push
• HTML e-mail
support
• Message
flags
• Quick
message retrieval
• Enhanced
calendar views
• Meeting
attendee
information
• Out of Office
management
• Exchange se
arch
• Windows Sha
rePoint Services
and Windows file
share (UNC)
document access
• Enforcement
of
Exchange Active
Sync mailbox
policies
• Remote
device wipe
• Certificatebased
authentication
• S/MIME
support (with
Exchange 2007 S
P1)
• Device
storage card
encryption
• Rights
management
support
• Detailed
device monitoring
• Error
reporting
50
Operating System
Windows Mobile
powered devices with
the Messaging &
Security Feature Pack
Productivity
Security
Administration
Enhancements
Enhancements
Enhancements
•
Direct Push
• Global
address book
lookup
• Task
synchronization
• Enforcement
of
Exchange Active
Sync mailbox
policies
• Remote
device wipe
• Microsoft Ope
rations Manager
integration and
reporting
• Diagnostic
tasks and health
monitoring
• Certificatebased
authentication
• S/MIME
support (with
Exchange 2007 S
P1)
All Windows Mobile
powered devices
•
Synchronization
of e-mail
messages,
calendar, and
contact data
• Secure
Sockets Layer
(SSL) encryption
• Basic
authentication
• Integration
with Internet
Security and
Acceleration (ISA)
Server
• Microsoft Ope
rations Manager
integration and
reporting
• Diagnostic
tasks and health
monitoring
For more information about how to manage Windows Mobile powered devices, visit the
Windows Mobile Center Web site.
Overview of POP3 and IMAP4
This topic describes the Post Office Protocol version 3 (POP3) and Internet Message Access
Protocol Version 4rev1 (IMAP4) functionality for Microsoft Exchange Server 2007.
By default, POP3 and IMAP4 are disabled in Exchange 2007. To use these protocols, you must
first start the POP3 and IMAP4 services on the computer that is running Exchange 2007 that
has the Client Access server role installed.
51
POP3 and IMAP4 Protocols
Messaging systems that are based on POP3 and IMAP4 are best suited for home and personal
use where requirements for data recoverability and security are low. POP3 was designed to
support offline mail processing. With POP3, e-mail messages are removed from the server and
put on the local POP3 client. This puts the data management and security responsibility in the
hands of the user. IMAP4 offers offline and online access, but like POP3, IMAP4 does not offer
advanced collaboration features such as scheduling and group scheduling and task and
contact management.
Managing POP3/IMAP4 Features
With Exchange 2007, you can manage all the server settings for POP3 and IMAP4 by using the
Exchange Management Shell. For more information about how to use the Exchange
Management Shell to manage POP3 and IMAP4, see Managing POP3 and IMAP4.
Note:
There is no user interface in the Exchange Management Console for POP3 and
IMAP4. To manage these protocols, you must use the Exchange Management Shell.
For More Information
• For more information about how to enable POP3 and IMAP4 for use with
Exchange 2007, see Enabling POP3 and IMAP4 on a Client Access Server.
• For more information about managing the client functionality available in
Exchange 2007 for POP3 and IMAP4, see Managing POP3 and IMAP4.
Overview of Outlook Web Access
By default, when you install the Client Access server role on a computer that is running
Microsoft Exchange Server 2007, you enable
Microsoft Office Outlook Web Access. Outlook Web Access lets you access your
Exchange 2007 mailbox from any Web browser.
Overview of Outlook Web Access
Outlook Web Access has been redesigned for Exchange Server 2007 to create a new look,
add new features, and improve usability. For more information about Outlook Web Access
features, see Client Features in Outlook Web Access.
52
Managing Outlook Web Access
When you install the Client Access server role, four default virtual directories are created to
enable access to content that is stored on Exchange servers by using a Web browser. Of the
four virtual directories, the virtual directory named "owa" is used most frequently. For more
information about Outlook Web Access virtual directories, see Managing Outlook Web Access
Virtual Directories in Exchange Server 2007.
In Exchange 2007, the most common Outlook Web Access management tasks can be
accomplished in the Exchange Management Console. All these tasks, and many other tasks,
can be accomplished by using the Exchange Management Shell. You will still have to use tools
such as Internet Information Services (IIS) Manager for some tasks, such as configuring
Secure Sockets Layer (SSL) or setting up simple URLs for users.
For more information about how to manage Outlook Web Access, see the following topics
•
Managing Outlook Web Access
•
Managing Outlook Web Access Security
Overview of Outlook Anywhere
The Outlook Anywhere feature for Microsoft Exchange Server 2007 lets your
Microsoft Office Outlook 2007 and Outlook 2003 clients connect to their Exchange servers over
the Internet by using the RPC over HTTP Windows networking component. This topic
describes the Outlook Anywhere feature and the benefits of using Outlook Anywhere.
Outlook Anywhere and Exchange 2007
Exchange Server 2003 enabled users to use the Windows RPC over HTTP Proxy component
to access their Exchange information from the Internet. This technology wraps remote
procedure calls (RPCs) with an HTTP layer. This allows the traffic to traverse network firewalls
without requiring RPC ports to be opened. Exchange 2007 builds on this functionality and
greatly reduces the difficulty of deploying and managing this feature. To deploy Outlook
Anywhere in your Exchange messaging environment, you just have to enable at least one
Client Access server by using the Enable Outlook Anywhere Wizard.
Benefits of Using Outlook Anywhere
There are several benefits to using Outlook Anywhere to enable Outlook 2003 and
Outlook 2007 clients to access your Exchange messaging infrastructure. The benefits are as
follows:
•
Remote access to Exchange servers from the Internet.
53
• You can use the same URL and namespace that you use for
Microsoft Exchange ActiveSync and Outlook Web Access.
• You can use the same Secure Sockets Layer (SSL) server certificate that you use for
both Outlook Web Access and Exchange ActiveSync.
•
Unauthenticated requests from Outlook cannot access Exchange servers.
•
Clients must trust the certification authority that issues the certificate.
• You do not have to use a virtual private network (VPN) to access Exchange servers
across the Internet.
You must allow only port 443 through your firewall, because Outlook requests use HTTP over
SSL. If you already use Outlook Web Access with SSL or Exchange ActiveSync with SSL, you
do not have to open any additional ports from the Internet.
Deploying Outlook Anywhere
Deploying Outlook Anywhere for your organization is now a straightforward process. The
following recommendations should be followed to successfully deploy Outlook Anywhere:
• Use at least one Client Access server per site In Exchange 2007, a site is a
network location with high-bandwidth connectivity between all computers. We
recommend that you install at least one Client Access server in each site that is dedicated
to providing client access to the Exchange 2007 computer that has the Mailbox server role
installed. However, you can have multiple Client Access servers in each site for increased
performance and reliability.
• Enable Outlook Anywhere on at least one Client Access server We recommend
that you have one Client Access server in each site that has Outlook Anywhere enabled.
This lets Outlook 2007 clients connect to the Client Access server that is closest to a user's
mailbox. Users will connect to the Client Access server that is in the site together with the
Mailbox server that contains their mailbox by using HTTPS. This minimizes the risk
associated with using remote procedure calls (RPCs) across the Internet. Using RPCs
across the Internet can adversely affect performance.
For more information about how to enable Outlook Anywhere, see Deploying Outlook
Anywhere.
Managing Outlook Anywhere
You can Manage Outlook Anywhere by using the Exchange Management Console or the
Exchange Management Shell. By default, when you enable Outlook Anywhere on a Client
Access server, all users who have mailboxes on Exchange 2007 Mailbox servers are enabled
for Outlook Anywhere. For more information about how to manage Outlook Anywhere, see
Managing Outlook Anywhere.
54
Coexistence
Outlook Anywhere can be used in environments where Exchange 2003 is still being used. If
you have users who have mailboxes located on Exchange 2003 servers, and these users are
using Outlook 2007 or Outlook 2003, you must configure these clients manually. For more
information about Outlook Anywhere coexistence, see How to Configure Outlook Anywhere
with Exchange 2003.
Recommendations for Outlook Anywhere
This topic provides recommendations for using Outlook Anywhere in your Exchange
infrastructure.
We recommend that you use the following configuration when you use Exchange with Outlook
Anywhere:
• NTLM authentication over Secure Sockets Layer (SSL) We recommend that you
enable and require SSL on the Microsoft Exchange Server 2007 computer that has the
Client Access server role installed for all client-to-server communications. We also
recommend the use of NTLM Authentication. The HTTP session should always be
established over SSL (port 443). For information about how to configure Outlook Anywhere
authentication that uses SSL, see Managing Outlook Anywhere Security.
Important:
If you are using a firewall that does not handle NTLM, you will have to use Basic
authentication over SSL.
• Use an advanced firewall server on the perimeter network We recommend that
you use a dedicated firewall server to help enhance the security of the Exchange computer.
Microsoft Internet Security and Acceleration (ISA) Server 2006 is an example of a
dedicated firewall server product. ISA Server 2006 also lets you use NTLM authentication
instead of Basic authentication because ISA Server understands NTLM authentication
information. Other firewall servers may know how to use NTLM authentication. To
determine whether your firewall server allows for NTLM authentication, see the product
documentation for your firewall product.
• Obtain a certificate from a third-party certification authority (CA) To enable and
require SSL for all communications between the Client Access server and the Outlook
clients, you must obtain and publish a certificate at the default Web site level. We
recommend that you purchase your certificate from a third-party certification authority
whose certificates are trusted by a wide variety of Web browsers.
55
Using Your Own Certification Authority
Alternatively, you can use the Certification Authority tool in Microsoft Windows to install your
own certification authority. By default, applications and Web browsers do not trust your root
certification authority when you install your own certification authority. When a user tries to
connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that user
loses the connection to Microsoft Exchange. The user is not notified. The user loses the
connection when one of the following conditions is true:
•
The client does not trust the certificate.
•
The certificate does not match the name to which the client tries to connect.
•
The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority.
Additionally, if you use your own certification authority, when you issue a certificate to your
Client Access server, you must make sure that the Common Name field or the Issued to field
on that certificate contains the same name as the URL of the Client Access server that is
available on the Internet. For example, the Common Name field or the Issued to field must
contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully
qualified domain name of the computer. For example, they cannot contain a name that
resembles mycomputer.contoso.com.
For More Information
For more information about Outlook Anywhere, see the following topics:
•
Overview of Outlook Anywhere.
•
Managing Outlook Anywhere.
•
Deploying Outlook Anywhere.
Overview of the Autodiscover Service
Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the
Autodiscover service. The Autodiscover service configures client computers that are running
Microsoft Office Outlook 2007. The Autodiscover service can also configure supported mobile
devices. The Autodiscover service provides access to Microsoft Exchange features for
Outlook 2007 clients that are connected to your Microsoft Exchange messaging environment.
The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to
automatically connect to Microsoft Exchange features, such as the offline address book, the
Availability service, and Unified Messaging (UM). Additionally, these Exchange features must
be configured correctly to provide external access for Outlook 2007 clients. For more
information, see How to Configure Exchange services for the Autodiscover service.
56
The Autodiscover service uses a user's e-mail address and password to provide profile settings
to Outlook 2007 clients and supported mobile devices. If the Outlook 2007 client is joined to the
domain, the user's domain account is used.
Note:
The Autodiscover service is available for Outlook 2007 clients and some mobile
devices. Earlier versions of Outlook, including Microsoft Outlook 2003, cannot use the
Autodiscover service.
Outlook 2007 and Autodiscover
The Autodiscover service makes it easier to configure Outlook 2007. Earlier versions of
Exchange and Outlook required you to configure all user profiles manually to access
Microsoft Exchange. Extra work was required to manage these profiles if changes occurred to
the messaging environment. Otherwise, the Outlook clients would stop functioning correctly.
The Autodiscover service uses a user's e-mail address or domain account to automatically
configure a user's profile. By using the e-mail address or domain account, the Autodiscover
service provides the following information to the client:
•
The user’s display name
•
Separate connection settings for internal and external connectivity
•
The location of the user’s Mailbox server
• The URLs for various Outlook features that govern such functionality as free/busy
information, Unified Messaging, and the offline address book
•
Outlook Anywhere server settings
When a user's Microsoft Exchange information is changed, Outlook automatically reconfigures
the user's profile by using the Autodiscover service. For example, if a user's mailbox is moved
or the client is unable to connect to the user's mailbox or to available Exchange features,
Outlook will contact the Autodiscover service and automatically update the user's profile to
have the information that is required to connect to the mailbox and Exchange features.
The following sections provide information that you must have to successfully deploy the
Autodiscover service for your organization.
How the Autodiscover Service Works
When you install the Client Access server role on a computer that is running Exchange 2007, a
new virtual directory named Autodiscover is created under the default Web site in Internet
Information Services (IIS). This virtual directory handles Autodiscover service requests from
Outlook 2007 clients and supported mobile devices in the following circumstances:
•
When a new user account is configured or updated.
57
•
When a user periodically checks for changes to the Exchange Web Services URLs.
• When underlying network connection changes occur in your Exchange messaging
environment.
Additionally, a new Active Directory object named the service connection point (SCP) is created
when you install the Client Access server role.
The SCP object contains the authoritative list of Autodiscover service URLs for the forest. You
can update the SCP object by using the Set-ClientAccessServer cmdlet. For more information
about the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.
Important:
Before you save the new Active Directory object, make sure that the Authenticated
Users account has Read permissions for the SCP object. If users do not have the
correct permissions, they will be unable to search for and read items.
For more information about SCP objects, see Publishing with Service Connection Points.
Figure 4 illustrates how a client connects to a Client Access server the first time from inside the
internal network.
Figure 4 The Autodiscover service process for internal access
For external access, the client locates the Autodiscover service on the Internet by using the
primary SMTP domain address from the user's e-mail address. Depending on whether you
have configured the Autodiscover service on a separate site, the Autodiscover service URL will
be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or
https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. Figure 5 illustrates
a simple topology with a client connecting from the Internet.
58
Figure 5 The Autodiscover service process for external access
When the client connects to the Active Directory directory service, the client looks for the
SCP object that was created during Setup. In deployments that include multiple Client Access
servers, an Autodiscover SCP object is created for each Client Access server. The SCP object
contains the ServiceBindingInfo attribute that has the FQDN of the Client Access server in the
form of https://CAS01/autodiscover/autodiscover.xml, where CAS01 is the FQDN for the Client
Access server. By using the user credentials, the Outlook 2007 client authenticates to
Active Directory and searches for the Autodiscover SCP objects. After the client obtains and
enumerates the instances of the Autodiscover service, the client connects to the first Client
Access server in the enumerated list and obtains the profile information in the form of XML data
that is needed to connect to the user's mailbox and available Microsoft Exchange features.
Deployment Options for the Autodiscover
Service
Deploying the Autodiscover service is only one step in making sure that your
Microsoft Exchange services, such as the Availability service, can be accessed by
Outlook 2007 clients. These services must be deployed and configured correctly for clients to
receive the correct profile configuration information from the Autodiscover service. For more
information about how to deploy your Microsoft Exchange services, see How to Configure
Exchange services for the Autodiscover service.
We recommend that you consider how to deploy the Autodiscover service when you plan the
Client Access server infrastructure for your Exchange messaging environment. For more
59
information about how to deploy the Autodiscover service, see Deployment Considerations for
the Autodiscover Service.
For More Information
For more information about how to deploy and manage the Autodiscover service, see the
following topics:
•
Deployment Considerations for the Autodiscover Service
•
How to Configure Exchange services for the Autodiscover service
•
Managing the Autodiscover Service
Deployment Considerations for the
Autodiscover Service
The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile
configuration for Microsoft Office Outlook 2007 clients that are connected to your Exchange
messaging environment.
Autodiscover Service Topology Requirements
For the Autodiscover service to function correctly for Outlook 2007, you must make sure that
your Exchange organization meets the following requirements:
• You must have at least one Exchange 2007 Client Access server installed in your
Exchange deployment. For Exchange features such as the Availability service and Unified
Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server
roles installed on the Client Access server or another server.
• The Exchange 2007 Active Directory schema must be applied to the forest where the
Autodiscover service will be running.
Connecting to the Autodiscover Service from the
Internet
If you are providing external access to Microsoft Exchange by using Outlook Anywhere
(formerly known as RPC over HTTP), and you want your Outlook 2007 clients to be
automatically configured by using the Autodiscover service, you must install a valid Secure
Sockets Layer (SSL) certificate on the Client Access server that includes both the common
name (for example, mail.contoso.com) and a Subject Alternative Name for
60
autodiscover.contoso.com. For information about how to configure your SSL certificate to use a
Subject Alternative Name, see How to Configure SSL Certificates to Use Multiple Client Access
Server Host Names. Additionally, you must correctly configure your Exchange services, such as
the Availability service, before the Autodiscover service can provide the correct external URLs
to clients. For more information, see How to Configure Exchange services for the Autodiscover
service.
When the client tries to connect to your Microsoft Exchange deployment, the client locates the
Autodiscover service on the Internet by using the primary SMTP domain address from the
user's e-mail address. Based on whether you have configured the Autodiscover service to have
a separate name from your organization's existing DNS host name, the Autodiscover service
URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or
https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. For example, if
the user's e-mail address is monica@contoso.com, the Autodiscover service should be located
at either https://contoso.com/autodiscover.xml or
https://autodiscover.contoso.com/autodiscover/autodiscover.xml. This means that you must
have a host record for the Autodiscover service added to your external DNS zone.
For more information, see How to Configure the Autodiscover Service for Internet Access.
Using Multiple Sites for Internet Access to the Autodiscover
Service
We recommend hosting the Autodiscover service on a separate site if you manage a frequently
visited Web site that also hosts your e-mail traffic. To host the Autodiscover service on a
separate site on the same computer as other Exchange features, follow these steps:
Note:
You must use one IP address per site.
1. (Optional) Configure a separate site on a Client Access computer to host the
Autodiscover service You can create a separate site to host Autodiscover service traffic
by using the New-AutodiscoverVirtualDirectory cmdlet. This optional step is
recommended if the SMTP address domain is the same as the corporate Web site address
and your corporate Web site is frequently visited. For example, if the company Web site is
www.contoso.com, the e-mail SMTP domain is contoso.com, and the company Web site
(www.contoso.com) is frequently visited, we recommend that you create a separate site
and host the Autodiscover service on autodiscover.contoso.com.
2. (Required) Configure a valid SSL certificate Configure a valid SSL certificate from
a certification authority (CA) that the client computer trusts. If you have decided to host the
Autodiscover service on a separate site, see How to Configure SSL Certificates to Use
Multiple Client Access Server Host Names.
61
3. (Optional) Update the SCP Object You must update the service connection point
(SCP) object in the Active Directory directory service to specify to which Client Access
server and Autodiscover virtual directory you want clients to connect.
For more information, see How to Configure the Autodiscover Service for Internet Access.
Figure 6 illustrates an environment in which the Autodiscover service is deployed in a different
Active Directory site than the Active Directory site where your Exchange servers reside.
Figure 6 Using multiple sites with the Autodiscover service
In Figure 6, the Internet Security and Acceleration (ISA) Server 2006 firewall is publishing two
sites by using two Web listeners. The first site, autodiscover.contoso.com, provides access to
the Autodiscover virtual directory on the Client Access server and is assigned to one IP
address. For internal traffic on the Client Access server, configure one Web listener and publish
all virtual directories on this site. The second site, mail.contoso.com, provides access to the
other Exchange features and has a unique second IP address. Do not publish the Autodiscover
virtual directory on this site.
Configuring the Autodiscover Service to Use Site
Affinity for Internal Communication
If you manage a large, distributed organization that has Active Directory sites that are
separated by low-bandwidth network connectivity, we recommend that you use site affinity for
the Autodiscover service for intranet-based traffic. To use site affinity, you specify which
Active Directory sites are preferred for clients to connect to a particular Autodiscover service
instance. Specifying which Active Directory sites are preferred is also known as configuring site
scope.
You configure site affinity by using the Set-ClientAccessServer cmdlet. This cmdlet lets you
specify the preferred Active Directory sites for connecting to the Autodiscover service on a
specific Client Access server. After you configure site affinity for the Autodiscover service, the
62
client will connect to the Autodiscover service as you specified. For information on the SetClientAccessServer cmdlet, see Set-ClientAccessServer.
Consider a topology that includes one forest with three sites that have the following names:
•
US-contoso A contoso site that is located in North America
•
Europe-contoso A contoso site that is located in Europe
•
APAC-contoso A contoso site that is located in Asia
In this example, the Autodiscover service is enabled on each site and each site includes user
mailboxes. The US-contoso site is connected to the Europe-contoso site by using a high-speed
connection. The US-contoso site is connected to the APAC-contoso site by using a low-speed
connection. The APAC-contoso site is connected to the Europe-contoso site by using a highspeed connection.
Based on these connectivity factors, you might want to allow users in the US-contoso and
Europe-contoso sites to use either the US-contoso or the Europe-contoso site, users in
Europe-contoso site to use any site to access the Autodiscover service, and users in the APACcontoso site to use the APAC-contoso or the Europe-contoso site. Finally, the Client Access
servers can be reached by using a common internal namespace across all sites.
You can configure site scope for Client Access servers in the US-contoso site, setting them to
prefer to use the US-contoso and Europe-contoso Active Directory sites to access the
Autodiscover service by using the following command.
Set-ClientAccessServer -Identity "us-cas"
-AutodiscoverServiceInternalURI
"https://internal.contoso.com/autodiscover/autodiscover.xml"
-AutodiscoverServiceSiteScope "us-contoso”,”europe-contoso”
You do not have to specify the Active Directory sites to which your users should connect to
access the Autodiscover service on Client Access servers in the Europe-contoso site because it
connects well to other sites. The following command enables all users in the Europe-Contoso
site to access any Client Access server to use the Autodiscover service:
Set-ClientAccessServer -Identity "europe-cas"
-AutodiscoverServiceInternalURI
"https://internal.contoso.com/autodiscover/autodiscover.xml"
Finally, you can configure site scope for the Autodiscover service on Client Access servers in
the APAC-contoso site, setting them to prefer to use the APAC-contoso and Europe-contoso
sites because they connect well to these sites. To do this, use the following command:
Set-ClientAccessServer -Identity "apac-cas"
-AutodiscoverServiceInternalURI
"https://internal.contoso.com/autodiscover/autodiscover.xml"
-AutodiscoverServiceSiteScope "apac-contoso”,”europe-contoso”
63
Therefore, if a client in the US-contoso site has a mailbox located in the Europe-contoso site
and tries to locate the Autodiscover service, the client can select the service instance that has
site=US-contoso or site=Europe-contoso.
If you do not specify site scope for the Autodiscover service, the client might return the
autodiscoverInternalUri parameter for the APAC-contoso site because of the slow connection to
the US-contoso site.
Note:
If you do not configure a specific set of Active Directory sites for clients to use,
Outlook 2007 will randomly select Client Access servers to use to access the
Autodiscover service.
For more information about site affinity, see How to Configure Autodiscover to Use Site Affinity.
Configuring the Autodiscover Service for
Multiple Forests
You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest
deployment scenarios are the resource forest topology and the multiple trusted forest topology.
The following sections describe how the Autodiscover service is used in these two deployment
scenarios.
Configuring the Autodiscover Service in a Resource Forest
Topology
If you are using a resource forest topology, user accounts reside in one forest (referred to as a
user account forest) and Microsoft Exchange is deployed in a separate forest (referred to as a
resource forest). In this scenario, the client contacts Active Directory in the user account forest
to locate the URL for the Autodiscover service. Because the service is hosted in the resource
forest, you must update Active Directory in the user account forest to include the information
that Active Directory requires to enable the client to access the resource forest. To do this, you
must create an Autodiscover SCP pointer record in Active Directory in the user account forest.
The Autodiscover SCP pointer record includes the Lightweight Directory Access Protocol
(LDAP) URL of the resource forest that the client will use to locate the Autodiscover service.
To create the Autodiscover SCP pointer record in the user account forest, run the ExportAutoDiscoveryConfig cmdlet from the resource forest that has the Autodiscover service
against the user account forest. For more information, see How to Configure the Autodiscover
Service for Multiple Forests.
64
Configuring the Autodiscover Service in a Multiple Trusted
Forest Topology
In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed
in multiple forests. Exchange 2007 features such as the Availability service and Unified
Messaging rely on the Autodiscover service to access them across forests. In this scenario, the
Autodiscover service must be available to users across multiple trusted forests. This scenario
resembles the resource forest scenario, except that the Autodiscover SCP object must be
configured in all forests. To configure the Autodiscover SCP object in the multiple forest
topology, run the Export-AutoDiscoveryConfig cmdlet from each forest that has the
Autodiscover service against each target forest where Microsoft Exchange is deployed. For
more information, see How to Configure Autodiscover for Multiple Forests.
Hosted Environments and the Autodiscover
Service
For hosted environments, the Autodiscover service must be redirected for each hosted domain
by using Internet Information Services (IIS). Figure 7 illustrates the Autodiscover service in a
hosted environment.
Figure 7 The Autodiscover service in a hosted Exchange environment
65
For each hosted e-mail domain, you should set up a site together with its corresponding DNS
entries. For example, the domain named for example contoso.no should be called
autodiscover.contoso.no, and the domain named example.contoso.se should be called
autodiscover.contoso.se. In the site in Figure 7, there is no need for any virtual directories and
you do not have to set up SSL certificates.
In IIS Manager, configure redirection for each of your sites to
https://mail.contoso.com/autodiscover/autodiscover.xml.
Note:
These sites should be configured only for HTTP (port 80) traffic.
When you configure redirection on these sites, you must use anonymous access and disable
authenticated access. Also, make sure that you do not configure other options such as The
exact URL entered above, A directory below URL entered, and A permanent redirection
for this resource. Configuring redirection in this manner ensures that the Outlook 2007 client
receives an HTTP 302 response.
After you configure redirection, Outlook 2007 clients will try to connect
to https://contoso.no/autodiscover/ and https://autodiscover.contoso.no/autodiscover/ by using
an HTTP POST request. Because these sites are unavailable, Outlook will try an HTTP GET
request to http://autodiscover.contoso.no/autodiscover.
Note:
No information, such as the user's e-mail address and password, is sent in this
request.
Because redirection is configured on this site, IIS will return a 302 redirection response for
https://mail.contoso.com/. The client will receive the response and prompt the user to accept or
reject the request. The user must accept this request. After this occurs, the client will then be
redirected by using an HTTPS POST request. In this example, there will be no security alert.
Finally, the client will receive the necessary Autodiscover service response.
Note:
When you configure a redirector to redirect clients to a new site, as in the previous
example, additional SSL certificates are not required. However, you must configure
additional IIS sites.
Autodiscover Security
If you use a separate site for the Autodiscover service together with an advanced firewall server
such as ISA Server 2006, you must configure ISA Server 2006 to have two Web listeners. ISA
Server Web listeners are used to indicate the IP address and port for the client to use. The first
Web listener is used for the Autodiscover service and the second Web listener is used for the
other Microsoft Exchange features, such as Microsoft Exchange ActiveSync and Outlook
66
Anywhere. You can configure the SSL certificate for a single site that uses both Web listeners
by using the subject alternate name property of the certificate. For more information, see How
to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
By default, Exchange 2007 Setup offers the option to install a self-signed SSL certificate. It is
best not to use self-signed certificates for external sites. We recommend that you use a
certificate from a trusted certification authority. For more information about how to create and
use valid SSL certificates, see the following topics:
•
How to Create a Certificate or Certificate Request for TLS
•
How to Obtain a Server Certificate from a Certification Authority
•
How to Add Certificate Manager to Microsoft Management Console
For More Information
For more information about the Autodiscover service, see the following topics:
•
Overview of the Autodiscover Service
•
Managing the Autodiscover Service
Understanding Proxying and Redirection
In a Microsoft Exchange Server 2007 organization, a computer that is running
Exchange 2007 that has the Client Access server role installed can act as a proxy for other
Client Access servers within the organization. This is useful when multiple Client Access
servers are present in different Active Directory sites in an organization and only one is
exposed to the Internet.
A Client Access server can also perform redirection for Microsoft Office Outlook Web Access
URLs. Redirection is useful when a user is connecting to a Client Access server that is not in
their local Active Directory site.
This topic explains proxying and redirection, when each is used, and how to configure your
Client Access servers for each scenario.
Note:
If you do not have multiple Active Directory sites in your organization, you do not have
to configure Exchange 2007 for proxying or redirection.
Note:
Client Access servers that are not exposed to the Internet do not have to have
separate Secure Sockets Layer (SSL) certificates. They can use the self-signed
certificate that is installed by default with Exchange 2007.
67
Overview of Proxying
An Exchange 2007 Client Access server can proxy requests in the following two situations:
• Between Exchange 2007 Client Access servers Proxying requests between two
Exchange 2007 Client Access servers enables organizations that have multiple
Active Directory sites to designate one Client Access server as an Internet-facing server
and have that server proxy requests to Client Access servers in sites that have no Internet
presence. The Internet-facing Client Access server then proxies the request to the Client
Access server that is closest to the user's mailbox. This is known as CAS-CAS proxying.
• Between an Exchange 2007 Client Access server and an Exchange Server 2003
front-end server Proxying requests between an Exchange 2007 Client Access server
and a Microsoft Exchange Server 2003 front-end server enables Exchange 2007 and
Exchange 2003 to coexist in the same organization. External clients who connect to
Outlook Web Access by using the \Exchange virtual directory or connect to
Exchange ActiveSync by using the \Microsoft-Server-ActiveSync virtual directory will have
their requests proxied to the appropriate Exchange 2003 back-end server
Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync,
Exchange Web Services, and the Availability service. Figure 8 illustrates how proxying works in
an organization that has multiple Client Access servers and multiple mailbox servers.
Note:
In each Exchange organization, only one Client Access server must be Internet-facing.
A Client Access server that has no Internet presence does not have to have its own
Internet host name. It relies on the Internet-facing Client Access server to proxy all
pertinent requests from external clients.
Note:
Proxying will not work for Post Office Protocol version 3 (POP3) or Internet Message
Access Protocol version 4rev1 (IMAP4) clients. A client who is using POP3 or IMAP4
must connect to a Client Access server in the same Active Directory site as their
Mailbox server.
68
Figure 8 Client Access proxying
In the previous figure, the mailbox of User 1 is located on Mailbox server 01. The mailbox of
User 2 is located on Mailbox server 02, and the mailbox of User 3 is located on Mailbox server
03. User 1 can access their mailbox through Client Access server 01 without using proxying. If
User 1 tries to access Client Access server 02 by using Exchange ActiveSync, they will receive
an error because Client Access server 01 is the appropriate Client Access server for their
mailbox. If they try to access Client Access server 02 by using Outlook Web Access, their
browser will display a message that includes the correct URL for their Client Access server.
This process is known as redirection. If User 3 tries to access Client Access server 02, that
server will proxy their request to Client Access server 03. Client Access server 03 is not
Internet-facing but can receive requests from other servers inside the firewall. Proxying is not
visible to the user.
Note:
Communications between Client Access servers in different sites occur over Secure
HTTP (HTTPS).
Proxying for Exchange ActiveSync
The following scenario illustrates how incoming requests are handled for a user who connects
to an Exchange 2007 Client Access server named CAS-01 by using a mobile device.
1. The Client Access server queries the Active Directory directory service to determine
the location of the user's mailbox and the version of Microsoft Exchange that is installed on
the Mailbox server. If the user's mailbox is on an Exchange 2007 computer that has the
Mailbox server role installed, go to Step 3.
69
2. If the user's mailbox is on an Exchange 2003 server, the incoming request is proxied to
the Exchange 2003 server that hosts the user's mailbox and the Exchange ActiveSync
virtual directory. By default, in Exchange 2003, the Exchange ActiveSync virtual directory
was installed on all mailbox servers. If the incoming request is to an Exchange 2007 Client
Access server that is in a different Active Directory site than the destination back-end
server, the request will be proxied directly to the destination back-end server, even if there
is an Exchange 2007 Client Access server within the destination Active Directory site. If the
incoming request is to an Exchange 2007 Client Access server within the same
Active Directory site as the destination back-end server, the request will be proxied directly
to the destination back-end server.
3. If the user's mailbox is on an Exchange 2007 Mailbox server, CAS-01 locates a Client
Access server in the same Active Directory site as the user's Mailbox server. If there is a
Client Access server that is closer to the user's Mailbox server, Exchange 2007 determines
whether the Client Access server has the InternalURL property configured and if the
authentication method is Integrated Windows authentication. If so, the user is proxied to
the Client Access server specified by the InternalURL property. Otherwise, the request is
rejected. An error code is returned to the mobile device if the request is rejected.
Important:
Proxying is not supported between virtual directories that use Basic authentication.
For client communications to be proxied between virtual directories on different
servers, the virtual directories must use Integrated Windows authentication.
Proxying for Outlook Web Access
The following scenario illustrates how incoming requests are handled for a user who connects
to an Exchange 2007 Client Access server named CAS-01 by using Outlook Web Access.
1. The Client Access server queries Active Directory to determine the location of the
user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox
server. If the user's mailbox is on an Exchange 2007 Mailbox server, go to Step 3.
2. If the user's mailbox is on an Exchange 2003 server and the user tried to access
Outlook Web Access by using https://domain name/owa, they will receive an error. If the
user tries to access https://domain name/exchange or https://domain name/public, the
incoming request is proxied to the Exchange 2003 server that hosts the user's mailbox and
the Outlook Web Access virtual directory. If the incoming request is to an
Exchange 2007 Client Access server in a different Active Directory site than the destination
back-end server, the request will be proxied to the destination back-end server directly,
even if there is an Exchange 2007 Client Access server within the destination
Active Directory site. If the incoming request is to an Exchange 2007 Client Access server
within the same Active Directory site as the destination back-end server, the request will be
proxied directly to the destination back-end server.
70
3. If the user's mailbox is on an Exchange 2007 mailbox server, CAS-01 locates a Client
Access server that is in the same Active Directory site as the user's mailbox server. When
one is found, Exchange 2007 determines whether the Client Access server has the
InternalURL property configured and if the authentication method on the virtual directory is
set to Integrated Windows authentication. CAS-01 then determines whether an external
URL is specified. If so, the user is redirected to the server that is specified by the
ExternalURL property. If an external URL is not specified, CAS-01 will proxy the user's
request to the Client Access server that is specified by the InternalURL property.
Note:
An internal URL is configured automatically during Exchange 2007 Setup. For
Client Access servers that do not have an Internet presence, the
ExternalURL property should be set to $null.
Proxying Configuration
If your Client Access server is Internet-facing, set the ExternalURL property on the
Exchange ActiveSync and Outlook Web Access virtual directories by using the Exchange
Management Console or the Exchange Management Shell. The InternalURL property is
configured automatically during the initial setup of Exchange 2007 and should rarely have to be
changed. The ExternalURL property should contain the domain name that is registered for
your Exchange organization in DNS. Table 6 contains the appropriate values for
the ExternalURL and InternalURL properties for an Internet-facing Client Access server for
the Exchange organization that is named www.contoso.com. Table 7 contains the appropriate
ExternalURL and InternalURL property values for a non-Internet-facing Client Access server
in a second Active Directory site for www.contoso.com. You must configure the authentication
method on all these virtual directories to be Integrated Windows authentication. Proxying is not
supported for virtual directories that use other authentication methods.
Note:
If new Outlook Web Access virtual directories are created by using the Exchange
Management Shell, you must manually configure the InternalURL property on those
virtual directories.
Table 6 Proxying InternalURL and ExternalURL settings for an Internet-facing Client
Access server
Exchange 2007 service
InternalURL setting
ExternalURL setting
Outlook Web Access
https://computername/OWA
https://www.contoso.com/OW
A
Exchange ActiveSync
https://computername/Microso https://www.contoso.com/Micr
ft-Server-ActiveSync
osoft-Server-ActiveSync
71
Exchange 2007 service
InternalURL setting
ExternalURL setting
Exchange Web Services
https://computername/EWS
https://www.contoso.com/EWS
Availability service
https://computername/AS
https://www.contoso.com/AS
Table 7 Proxying InternalURL and ExternalURL settings for a non-Internet-facing Client
Access server
Exchange 2007 service
InternalURL setting
ExternalURL setting
Outlook Web Access
https://computername/OWA
$N$Null
Exchange ActiveSync
https://computername/Microso $N$Null
ft-Server-ActiveSync
Exchange Web Services
https://computername/EWS
$Null
Availability service
https://computername/AS
$Null
For more information about how to configure virtual directories, see the following topics:
•
Managing Exchange ActiveSync Virtual Directories
•
Managing Outlook Web Access Virtual Directories in Exchange Server 2007
Overview of Redirection
Outlook Web Access users who access an Internet-facing Client Access server that is in a
different Active Directory site than the site that contains their mailbox can be redirected to the
Client Access server that is in the same site as their Mailbox server if that Client Access server
is Internet-facing. When an Outlook Web Access user tries to connect to a Client Access server
that is outside the Active Directory site that contains their Mailbox server, they will see a Web
page that contains a link to the correct Client Access server for their mailbox.
Figure 9 illustrates how redirection works in an organization that has multiple Client Access
servers in multiple Active Directory sites.
72
Figure 9 Redirection for Outlook Web Access in Exchange 2007
In the previous figure, the mailbox of User 1 is located on Mailbox server 01. The mailbox of
User 2 is located on Mailbox server 02, and the mailbox of User 3 is located on Mailbox server
03. User 1 can access their mailbox through Client Access server 01 without using redirection.
If User 1 tries to access Client Access server 02, their browser will display a message that
includes the correct URL for their Client Access server. The user will be prompted to click the
Outlook Web Access URL for their Client Access server. They will not be redirected
automatically. If User 3 tries to access Client Access server 02, that server will proxy their
request to Client Access server 03. Client Access server 03 is not Internet-facing, but can
receive requests from other servers within the firewall. Proxying is not visible to the user.
Note:
Redirection is supported only for clients that use Outlook Web Access. Clients that use
Exchange ActiveSync, Exchange Web Services, POP3, and IMAP4 cannot use
redirection.
Note:
When you install Exchange 2007, four virtual directories are created for
Outlook Web Access: owa, Exchange, Public, and ExchWeb. The owa virtual directory
provides access to Exchange 2007 mailboxes. The Exchange and Public virtual
directories provide Exchange 2003 mailbox access. If a user who has a mailbox on an
Exchange 2003 server logs on by using https://server name/owa, they will receive an
error telling them that their mailbox is on an Exchange 2003 server. They must use the
Exchange virtual directory. If they log on by using https://server name/Exchange, the
Exchange 2007 Client Access server will proxy their request to the
73
Exchange 2003 mailbox server. If a user who has a mailbox on
Exchange 2007 accesses Outlook Web Access by using https://server name/owa, they
will be able to access their mailbox directly. If they log on to Outlook Web Access by
using https://server name/Exchange, they will be redirected to https://server name/owa.
Configuring Redirection
If your Client Access server is Internet-facing, set the ExternalURL property on the
Outlook Web Access virtual directories by using the Exchange Management Console or the
Exchange Management Shell. The InternalURL property is configured automatically during the
initial setup of Exchange 2007 and should rarely have to be changed. You must also configure
the authentication method on these virtual directories to be Integrated Windows authentication.
Redirection is not supported for virtual directories that use other authentication methods. The
following two tables list the ExternalURL and InternalURL settings for Client Access servers in
two Active Directory sites for Contoso. The two sites are www.usa.contoso.com and
www.europe.contoso.com.
Note:
If new Outlook Web Access virtual directories are created by using the Exchange
Management Shell, you must manually configure the InternalURL property on those
virtual directories.
For more information about how to manage Outlook Web Access virtual directories, see
Managing Outlook Web Access Virtual Directories in Exchange Server 2007.
Table 8 Redirection InternalURL and ExternalURL settings for an Internet-facing Client
Access server in the usa.contoso.com site
Exchange 2007 service
InternalURL setting
ExternalURL setting
Outlook Web Access
https://computername/OWA
https://www.usa.contoso.com/
OWA
Table 9 Redirection InternalURL and ExternalURL settings for an Internet-facing Client
Access server in the europe.contoso.com site
Exchange 2007 service
InternalURL setting
ExternalURL setting
Outlook Web Access
https://computername/OWA
https://www.europe.contoso.co
m/OWA
Disabling Redirection
If your organization has multiple Internet-facing Active Directory sites and the Internet
connection to one of those sites is disabled, you can temporarily disable redirection and
74
configure Outlook Web Access to use proxying instead. After the Internet connection in the site
that has the problem is restored, you can reinstate redirection. You can disable redirection by
using the Set-OWAVirtualDirectory cmdlet with the following syntax:
set-owavirtualdirectory "owa (default web site)"
-RedirectToOptimalOWAServer $false
To restore redirection, use the same cmdlet and change the RedirectToOptimalOWAServer
parameter to $true.
Proxying with Network Load Balancing
In an organization that has multiple Active Directory sites and multiple Client Access servers in
each site, you can use Network Load Balancing (NLB) to optimize traffic among the Client
Access servers in each site. We recommend that you include only Client Access servers within
the same Active Directory site in a load-balancing array. You can deploy NLB in an Internetfacing Active Directory site and in a non-Internet-facing Active Directory site. Figure 10
illustrates two Active Directory sites that implement NLB.
Figure 10 Proxying in an organization that uses NLB
Table 10 lists the settings for the virtual directories that are on the Client Access servers CAS01 and CAS-02 for the Internet-facing Active Directory site www.contoso.com.
75
Table 10 Virtual directory settings for Internet-facing Client Access servers in an
organization that uses NLB
Virtual directory
InternalURL setting
ExternalURL setting
Authentication method
/OWA
https://computername
/OWA
https://www.contoso.c
om/OWA
Forms-based
authentication if the
Internet Security and
Acceleration (ISA)
Server computer is
using forms-based
authentication. If the
ISA Server computer
is not using formsbased authentication,
use Integrated
Windows
authentication.
/OAB
https://computername
/OAB
https://www.contoso.c
om /OAB
Integrated Windows
authentication
/UnifiedMessaging
https://computername
/UnifiedMessaging
https://www.contoso.c Integrated Windows
om /UnifiedMessaging authentication
/Microsoft-ServerActiveSync
https://computername
/Microsoft-ServerActiveSync
https://www.contoso.c
om /Microsoft-ServerActiveSync
Integrated Windows
authentication
/EWS
https://computername
/EWS
https://www.contoso.c
om /EWS
Integrated Windows
authentication
The non-Internet-facing Active Directory site has three servers: CAS-03, CAS-04, and CAS-05.
Table 11 lists the settings for the virtual directories for all three servers.
Table 11 Virtual directory settings for non-Internet-facing Client Access servers in an
organization that uses NLB
Virtual directory
InternalURL setting
ExternalURL setting
Authentication method
/OWA
https://computername
/OWA
$Null
Integrated Windows
authentication
/AS
https://NLBname/AS
$Null
Integrated Windows
authentication
/OAB
https://NLBname/OAB $Null
Integrated Windows
authentication
76
Virtual directory
InternalURL setting
ExternalURL setting
Authentication method
/UnifiedMessaging
https://NLBname/Unifi
edMessaging
$Null
Integrated Windows
authentication
/Microsoft-ServerActiveSync
https://NLBname/Micr
osoft-ServerActiveSync
$Null
Integrated Windows
authentication
/EWS
https://computername
/EWS
$Null
Integrated Windows
authentication
The ExternalURL property for all the virtual directories should be set to $Null. If the
ExternalURL property is set to anything other than $Null, the non-Internet-facing Client
Access servers will operate as if they are exposed to the Internet, and will prevent clients from
successfully connecting to these servers.
Outlook Web Access and Exchange Web Services handle load balancing differently than the
Availability service and Exchange ActiveSync. Outlook Web Access and Exchange Web
Services implement their own load balancing when they are deployed on multiple Client Access
servers within the same Active Directory site. If a user tries to access
Outlook Web Access through https://www.contoso.com/OWA and is proxied to CAS-01, the
next time that user tries to access Outlook Web Access, they will again be proxied to CAS-01,
even if CAS-02 has fewer concurrent connections. This occurs because of cookie-based load
balancing. If CAS-01 is unavailable, the user will be proxied to CAS-02.
The process is different for Exchange ActiveSync. When an Internet-facing Client Access
server proxies a request to a non-Internet-facing Client Access server, the connection is
maintained by using information that is stored in the local Administrator account. This
connection can then be used by other user requests. In a Network Load Balancing situation,
the Client Access servers in the Internet-facing NLB will establish connections to the Client
Access servers in the non-Internet-facing NLB. The number of connections will be equal to the
number of Client Access servers in the destination Active Directory site. We recommend
implementing round robin load balancing within the NLB array.
For the Availability service, we also recommend round robin load balancing. Availability service
requests do not have to maintain their connection state. In other words, two consecutive
Availability service requests from the same client can be proxied to different Client Access
servers in the destination Active Directory site without affecting performance.
For more information about Network Load Balancing, see the Windows Server 2003
documentation.
77
Summary of Client Access Methods
Table 12 summarizes the protocols that are used to access Exchange 2007 and how they are
used for proxying and redirection.
Table 12 Client Access protocols for redirection and proxying
Protocol
Client Access
Redirection
Proxying
Comments
server to Mailbox
supported
supported
server
between Client
between Client
communication
Access servers
Access servers
Outlook Web Acc No
ess
Yes
Yes
Must have a
Client Access
server in each
Active Directory
site to use
Outlook Web Acc
ess.
Exchange Active
Sync
No
No
(unnecessary)
Yes
Must have a
Client Access
server in each
Active Directory
site to use
Exchange Active
Sync.
Exchange Web
Services
No
No
Yes
Must have a
Client Access
server in each
Active Directory
site to use
Exchange Web
Services.
supported
between
Active Directory
sites
78
Protocol
Client Access
Redirection
Proxying
Comments
server to Mailbox
supported
supported
server
between Client
between Client
communication
Access servers
Access servers
Availability
No
service (used by
Office Outlook 20
07)
No
(unnecessary)
Yes
Must have a
Client Access
server in each
Active Directory
site to use the
Availability
service.
Outlook
Anywhere (RPC
over HTTP)
Yes, with RPC
No
Not applicable
Not applicable
WebDAV and
Exchange 2000
Server or
Exchange 2003
Yes, over HTTP
No
Not applicable
Not applicable
POP3 and
IMAP4
No
No
No
POP3 and IMAP4
clients must
access a Client
Access server in
the same
Active Directory
site as their
mailbox.
supported
between
Active Directory
sites
Proxying Performance and Scalability
In an Exchange 2007 proxying environment, poor performance can frequently result when the
Client Access servers receive lots of concurrent requests. This problem is frequently caused by
the exhaustion of threads and available connections due to Web service requests from
ASP.NET. This can cause the Client Access server to deny requests or exhibit high latency
when the requests are being processed.
79
To resolve these issues, you can configure several ASP.NET parameters by editing the
Machine.config file on the Client Access server computers. For more information about how to
configure these parameters, see Microsoft Knowledge Base article 821268, Contention, poor
performance, and deadlocks when you make Web service requests from ASP.NET applications.
Two of the parameters that are explained in the previous Knowledge Base article must be set
differently in an Exchange 2007 proxying environment. We recommend that you allow for 36
threads per processor and that you set the maxconnections value to 2000.
For more information about server performance, see the following topic:
•
Managing the .NET Framework on Windows Server 2003
For More Information
For more information, see the following topics:
•
Planning for Client Access Servers
•
Managing Outlook Web Access
•
Managing Exchange ActiveSync
•
Managing the Availability Service
•
Managing Outlook Web Access Virtual Directories in Exchange 2007
•
Managing the Exchange ActiveSync Virtual Directory
Edge Transport
The Microsoft Exchange Server 2007 Edge Transport server role is deployed in your
organization's perimeter network and handles all Internet-facing mail flow, providing protection
against spam and viruses.
Mail Flow
The Edge Transport server role accepts mail coming into the Exchange 2007 organization from
the Internet and routes all outbound messages to the Internet. The Edge Transport server role
acts as a smart host and SMTP relay for the Exchange organization. You configure Send
connectors and Receive connectors on the Edge Transport server to control message
processing.
80
Anti-Spam and Antivirus Functionality
Most viruses use spam-like tactics to gain access to your organization and to entice users to
open a piece of mail. If you can filter out most of your spam, or unsolicited commercial e-mail,
you are more likely to capture viruses before they enter into your organization. Spammers use
a variety of techniques to send spam into your organization. The Exchange 2007 Edge
Transport server role helps prevent users in your organization from receiving spam by providing
a collection of agents that work together to provide different layers of spam filtering and
protection:
• Attachment Filter agent This agent filters messages based on attachment file name,
file name extension, or file MIME content type. You can configure this agent to block a
message and its attachment, to strip the attachment and allow the message to pass
through, or silently delete the message and its attachment.
• Connection Filter agent This agent filters messages based on the IP address of the
remote server from which a message is sent. A variety of IP Block lists and IP Allow lists
and optional services are used to determine what action, if any, to take on a particular
message based on its source IP address.
• Content Filter agent This agent uses Microsoft SmartScreen technology to assess
the contents of a message. The Exchange Intelligent Message Filter is based on patented
machine learning technology from Microsoft Research. The Intelligent Message Filter
learns distinguishing characteristics of legitimate e-mail and of spam. Based on these
characteristics, the Intelligent Message Filter helps determine whether an incoming
message is spam or legitimate e-mail.
• Recipient Filter agent This agent compares the recipients that are identified in the
RCPT TO: SMTP header to known recipients identified in an IP Block list and to the local
recipient directory which stores valid recipients that exist inside the organization to
determine what action, if any, to take on a particular message.
• Sender Filter agent This agent compares the sender identified in the MAIL FROM:
SMTP header to known senders identified in an IP Block list to determine what action, if
any, to take on a particular message.
• Sender ID agent This agent relies on the RECEIVED: SMTP header and a query to
the sending system's DNS service to determine what action, if any, to take on a particular
message.
Messaging Policy and Compliance
Many organizations have legal, regulatory, or internal requirements to filter, process, and store
e-mail that is between users in the organization. Additionally, many organizations have
additional requirements for how to handle mail sent to or from the Internet. A collection of
messaging policy and compliance agents in Exchange 2007 helps organizations more easily
81
comply with these legal, regulatory, and internal requirements by providing ways to configure
rules and settings that help you meet these requirements. The following messaging policy and
compliance agents are available on the Edge Transport server role:
• Address Rewrite agent This agent enables the modification of the SMTP address for
any sender or recipient of messages sent or received by your organization. Address
rewriting can be useful in scenarios where an organization wants to hide internal domains,
to enable multiple organizations appear as a single organization, or to integrate services
that are provided to an organization by a third-party.
• Edge Rules agent You configure the Edge Rules agent on the Edge Transport server
role to create rules that control the flow of messages that are sent to or received from the
Internet. The Edge Transport rules help protect corporate network resources and data by
applying an action to messages that meet specified conditions. These rules are configured
for each server. Edge Transport rule conditions are based on data, such as specific words
or text patterns in the message subject, body, header, or From address, the spam
confidence level (SCL), or attachment type. Actions determine how the message is
processed when a specified condition is true. Possible actions include quarantine of a
message, dropping or rejecting a message, appending additional recipients, or logging an
event. Optional exceptions exempt particular messages from having an action applied.
For More Information
For more information, see the following topics:
•
Transport Architecture
•
Planning for Edge Transport Servers
Hub Transport
The Microsoft Exchange Server 2007 Hub Transport server role is deployed inside your
organization's Active Directory directory service. It handles all mail flow inside the organization,
applies organizational message policies, and is responsible for delivering messages to a
recipient's mailbox. Hub Transport servers provide the following functionality:
• Mail flow The Hub Transport server role processes all mail that is sent inside the
Exchange 2007 organization before it is delivered to a recipient's Inbox inside the
organization or routed to users outside the organization. There are no exceptions to this
behavior.
• Categorization The categorizer performs recipient resolution, routing resolution, and
content conversion for all messages that move through the Exchange 2007 transport
pipeline.
82
• Routing The Hub Transport server role determines the routing path for all messages
that are sent and received in the organization.
• Delivery Messages are delivered to a recipient's mailbox by the store driver.
Messages that are sent by users in your organization are picked up from the sender's
Outbox by the store driver and are put in the Submission queue on a Hub Transport server.
Transport Policy and Compliance
Many organizations have legal, regulatory, or internal requirements to filter, process, and store
e-mail that is between users in the organization. Additionally, many organizations have
additional requirements for how to handle mail sent to or from the Internet. A collection of
Transport Policy and Compliance agents in Exchange 2007 helps organizations more easily
comply with these legal, regulatory, and internal requirements by providing ways to configure
rules and settings that help you meet these requirements.
The following Transport Policy and Compliance agents are available in Exchange 2007 and run
on the Hub Transport server role:
• Transport Rulesagent This agent enables organizations to create rules based on
conditions, exceptions, and actions. Conditions apply to users, distribution lists, and
message contents. Exceptions let you exclude specific users, distribution lists, or SMTP
connectors. Actions define what happens to a message under which conditions and
exceptions, including redirecting, returning, sending to an alternative recipient, and deleting
the message. Rules that are defined on the Hub Transport server are applied to all users in
your organization and to all messages sent and received by users in your organization.
• Journaling agent This agent provides your organization with a method of recording
some or all e-mail messages that are sent or received by any user in your Exchange 2007
organization. You can scope journal rules to record messages that are sent and received
by users inside the same organization, to record messages that are sent to or received
from the Internet, or to record any message that passes through a Hub Transport server
during transport.
For More Information
For more information, see the following topics:
•
Transport Architecture
•
Transport Policy and Compliance Agents
83
Mailbox
In Microsoft Exchange Server 2007, the Mailbox server role is one of several server roles that
you can install and then configure on a computer. The Mailbox server role hosts mailbox and
public folder databases. It also generates the offline address book. Mailbox servers provide
services that calculate e-mail address policies and address lists for recipients, and enforce
managed folders.
Mailbox Server Interactions
The Mailbox server must interact directly with the following:
•
Active Directory directory service server
•
Hub Transport server
•
Client Access server
•
Unified Messaging (UM) server
•
Microsoft Outlook clients
84
Figure 11 The relationship between the Mailbox server and the other server roles,
clients, and Active Directory server
Figure 11 shows what protocol the Mailbox server uses to communicate with each of these
roles or computers. Each numbered interaction in 11 corresponds to the following list,
describing what types of information is shared between these roles and computers.
Note:
If more than one server role coexists on a single computer, the server roles still use the
protocols described in Figure 11 to communicate. However, the communication is
internal to a single computer instead of traveling across your network to reach a
different computer.
85
1. The Mailbox server accesses recipient, server, and organization configuration
information from Active Directory.
2. The Store driver on the Hub Transport server places messages from the transport
pipeline into the appropriate mailbox. The Store driver on the Hub Transport server also
adds messages from the Outbox of a sender on the Mailbox server to the transport
pipeline.
3. The Client Access server sends requests from clients to the Mailbox server, and
returns data from the Mailbox server to the clients. The Client Access server also accesses
offline address book files on the Mailbox server through NetBIOS file sharing. The types of
data that the Client Access server sends between the client and the Mailbox server are
messages, free/busy data, client profile settings, and offline address book data.
4. The Unified Messaging server retrieves e-mail and voice mail messages and calendar
information from the Mailbox server for Outlook Voice Access. The Unified Messaging
server also retrieves storage quota information from the Mailbox server.
5. Outlook clients that are inside your firewall can access a Mailbox server directly to
send and retrieve messages. Outlook clients outside the firewall can access a Mailbox
server using remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP).
Note:
To send free/busy information and client profile settings between an Outlook client
and a Mailbox server, you must have the Client Access server role installed. This
information cannot be passed directly between the Outlook client and the Mailbox
server.
6. The administrator-only computer retrieves Active Directory topology information from
the Microsoft Exchange Active Directory Topology service. It also retrieves e-mail address
policy information and address list information.
For More Information
For more information about new features of the Exchange store in Exchange 2007, see New
Exchange Store Functionality.
For more information about the transport pipeline, see Transport Architecture.
For more information about the technical details of Mailbox server role features, see the
following topics:
•
Understanding Recipients
•
Understanding Recipient Restrictions
•
Understanding Recipient Scope
•
Understanding Disconnected Mailboxes
86
•
Understanding Offline Address Books
•
Understanding Address Lists
•
Understanding E-Mail Address Policies
•
Understanding Exchange Search
•
Understanding the Availability Service
•
Understanding Quota Messages
•
Understanding the Exchange 2007 Store
•
Understanding Public Folders
•
Understanding Messaging Records Management
Understanding Recipients
The people and resources that send and receive messages are the core of any messaging and
collaboration system. In an Exchange Server organization, these people and resources are
referred to as recipients. A recipient is any mail-enabled object in the Active Directory directory
service to which Exchange can deliver or route messages. This topic discusses various
recipient types that are supported in Microsoft Exchange Server 2007.
Exchange 2007 Recipient Types
Previous versions of Exchange used several recipient types, but it was not easy to determine
the exact type of a specific recipient. For example, a mail-enabled user and a mailbox user
appeared identical in Active Directory Users and Computers. To determine the specific recipient
type, you sometimes had to open and inspect the property pages of a user. It was even more
difficult to differentiate between mailboxes used for scheduling resources and user mailboxes
because there was no visual indication of the difference.
Exchange 2007 resolves this problem by defining several explicit recipient types. Each
recipient type is represented by a unique icon in the Exchange Management Console and a
unique name in the RecipientTypeDetails property in the Exchange Management Shell. The
use of explicit recipient types has the following benefits:
•
At a glance, you can differentiate between various recipient types.
•
You can search, sort, and filter by each recipient type.
•
It is easier for you to perform bulk management operations for each recipient type.
• The Exchange Management Console uses the recipient types to render different
property pages. For example, the resource capacity is displayed for a conference room
mailbox, but is not present for a user mailbox.
87
Table 13 lists the available recipient types in Exchange 2007. All of these recipient types are
discussed in more detail later in this topic.
Table 13 Exchange 2007 recipient types
Recipient type
Description
User mailbox
A mailbox that is assigned to an individual user
in your Exchange organization. It typically
contains messages, calendar items, contacts,
tasks, documents, and other important
business data.
Linked mailbox
A mailbox that is assigned to an individual user
in a separate, trusted forest.
Shared mailbox
A mailbox that is not primarily associated with
a single user and is generally configured to
allow logon access for multiple users.
Legacy mailbox
A mailbox that resides on a server running
Exchange Server 2003 or
Exchange 2000 Server.
Room mailbox
A resource mailbox that is assigned to a
meeting location, such as a conference room,
auditorium, or training room. Room mailboxes
can be included as resources in meeting
requests, providing a simple and efficient way
of organizing meetings for your users.
Equipment mailbox
A resource mailbox that is assigned to a nonlocation specific resource, such as a portable
computer projector, microphone, or a company
car. Equipment mailboxes can be included as
resources in meeting requests, providing a
simple and efficient way of utilizing resources
for your users.
Mail contact
A mail-enabled Active Directory contact that
contains information about people or
organizations that exist outside an
Exchange organization. Each mail contact has
an external e-mail address. All messages sent
to the mail contact are routed to this external
e-mail address.
88
Recipient type
Description
Mail forest contact
A mail contact that represents a recipient
object from another forest. Mail forest contacts
are typically created by Microsoft Identity
Integration Server (MIIS) synchronization.
Mail user
A mail-enabled Active Directory user that
represents a user outside the
Exchange organization. Each mail user has an
external e-mail address. All messages sent to
the mail user are routed to this external e-mail
address.
A mail user is similar to a mail contact, except
that a mail user has Active Directory logon
credentials and can access resources.
Mail-enabled universal distribution group
A mail-enabled Active Directory distribution
group object that can be used only to distribute
messages to a group of recipients.
Mail-enabled universal security group
A mail-enabled Active Directory security group
object that can be used to grant access
permissions to resources in Active Directory,
and can also be used to distribute messages.
Mail-enabled non-universal group
A mail-enabled Active Directory global or local
group object. Mail-enabled non-universal
groups are de-emphasized in
Exchange 2007 and can only exist if they were
migrated from previous versions of Exchange.
You cannot use Exchange 2007 to create new
non-universal distribution groups.
Dynamic distribution group
A distribution group that uses recipient filters
and conditions to derive its membership at the
time messages are sent.
Mail-enabled public folder
An Exchange public folder that is configured to
receive messages.
Mailboxes
Mailboxes are the most common recipient type used by information workers in an
Exchange organization. Each mailbox is associated with an Active Directory user account. The
89
user can use the mailbox to send and receive messages, and to store messages,
appointments, tasks, notes, and documents. It is the primary messaging and collaboration tool
for the users in your Exchange organization.
Mailbox Components
Each mailbox consists of an Active Directory user and the mailbox data that is stored in the
Exchange mailbox database (Figure 12). All configuration data for the mailbox is stored in the
Exchange attributes of the Active Directory user object. The mailbox database contains the
actual data that is in the mailbox associated with the user account.
Important:
When you create a mailbox for a new or existing user, the Exchange attributes that are
required for a mailbox are added to the user object in Active Directory. The associated
mailbox data is not created until the mailbox either receives a message or the user
logs on to it.
Figure 12 Components of a mailbox
Caution:
If you remove a mailbox, the mailbox data that is stored in the Exchange mailbox
database is marked for deletion and the associated user account is also deleted from
Active Directory. To retain the user account and delete only the mailbox data, you must
disable the mailbox.
Mailbox Types
Exchange 2007 supports the following mailbox types:
90
• User mailbox User mailboxes are assigned to individual users in your
Exchange organization. User mailboxes provide your users with a rich collaboration
platform. They can send and receive messages, manage their contacts, schedule
meetings, and maintain a task list. Users can also have voice mail messages delivered to
their mailboxes. User mailboxes are the most commonly used mailbox type, and it is
typically the mailbox type that is assigned to users in your organization.
• Linked mailbox Linked mailboxes are mailboxes that are accessed by users in a
separate, trusted forest. Linked mailboxes may be necessary for organizations that choose
to deploy Exchange in a resource forest. The resource forest scenario allows an
organization to centralize Exchange in a single forest, while allowing access to the
Exchange organization with user accounts in one or more trusted forests. For more
information about deploying Exchange in a resource forest topology, see the following
topics:
•
Planning for a Complex Exchange Organization
•
How to Deploy Exchange 2007 in an Exchange Resource Forest Topology
As stated in the "Mailbox Components" section earlier in this topic, every mailbox must
have a user account associated with it. However, the user account that will access the
linked mailbox does not exist in the forest where Exchange is deployed. Therefore, a
disabled user account that exists in the same forest as Exchange is associated with each
linked mailbox. Figure 13 illustrates the relationship between the linked user account that
will be used to access the linked mailbox and the disabled user account in the
Exchange resource forest that is associated with the linked mailbox.
Figure 13 Linked mailbox
• Shared mailbox Shared mailboxes are mailboxes that are not primarily associated
with individual users and are generally configured to allow logon access for multiple users.
91
Although it is possible to grant additional users the logon rights to any mailbox type, shared
mailboxes are dedicated for this functionality. The Active Directory user that is associated
with a shared mailbox must be a disabled account. After a shared mailbox is created, you
must grant permissions to all users that require access to the shared mailbox.
Important:
Even though Exchange 2007 supports shared mailboxes, it is a de-emphasized
feature. You can only use the Exchange Management Shell to manage shared
mailboxes. Shared mailboxes are not displayed in the Exchange Management
Console. We recommend that you use resource mailboxes or
Microsoft SharePoint Portal Server portals for collaboration instead of shared
mailboxes. To learn more about converting a shared mailbox to a resource
mailbox, see How to Convert a Mailbox.
• Legacy mailbox Legacy mailboxes are mailboxes that reside on servers running
Exchange 2003 or Exchange 2000. You can manage legacy mailboxes by using the
Exchange Management Console or the Exchange Management Shell. However, not all
Exchange 2007 features will apply to these mailboxes.
For more information about using Exchange 2007 with Exchange 2003 or Exchange 2000,
see Coexisting with Exchange Server 2003 and Exchange 2000 Server.
• Room and equipment mailbox Resource mailboxes are special mailboxes that are
designed to be used for scheduling resources. Like all mailbox types, a resource mailbox
has an associated Active Directory user account, but it must be a disabled account.
There are two types of resource mailboxes available in Exchange 2007:
• Room mailboxes These are resource mailboxes that are assigned to meeting
locations, such as conference rooms, auditoriums, and training rooms.
• Equipment mailboxes These are resource mailboxes that are assigned to nonlocation specific resources, such as portable computer projectors, microphones, or
company cars.
You can include both types of resource mailboxes as resources in meeting requests,
providing a simple and efficient way to utilize resources for your users. You can configure
resource mailboxes to automatically process incoming meeting requests based on the
resource booking policies that are defined by the resource owners. For example, you can
configure a conference room to automatically accept incoming meeting requests except
recurring meetings, which can be subject to approval by the resource owner. To learn more
about using resource mailboxes, see Managing Resource Scheduling.
New and Improved Mailbox Features
To help provide a rich collaboration platform for mailbox users, Exchange 2007 includes the
following new and improved mailbox features:
92
• Unified Messaging Exchange 2007 introduces Unified Messaging (UM) for mailbox
users. UM combines voice messaging, fax, and e-mail messaging into a single messaging
infrastructure. UM puts all e-mail, voice, and fax messages into Exchange 2007 mailboxes
that can be accessed from a variety of devices. After Exchange 2007 UM servers have
been deployed on the network, users can access their messages from a telephone by
using Microsoft Outlook Voice Access, from a mobile device, or from the computer of a
user who is running Microsoft Windows XP. To learn more about UM in Exchange 2007,
see New Unified Messaging Functionality.
• New and improved client functionality Exchange 2007 provides new and improved
ways for users to access their mailboxes. To learn more about new and improved client
features, see New Client Functionality.
• Information worker functionality Exchange 2007 includes several feature and
functionality improvements in the information worker area. These include improvements
and enhancements to calendaring, resource management, the Out of Office feature, and
messaging records management (MRM). To learn more about the new information worker
features, see New Information Worker Functionality.
Planning for Mailboxes
Mailboxes are created in mailbox databases on Exchange servers that have the Mailbox server
role installed. To help provide a reliable and effective platform for your mailbox users, detailed
planning for the deployment of Mailbox servers and databases is essential. To learn more about
planning for Mailbox servers and databases, see the following topics:
•
Planning Your Deployment
•
Planning for Mailbox Servers
•
Managing Mailbox Databases
•
Managing Mailbox Features
Distribution Groups
Distribution groups are mail-enabled Active Directory group objects that are primarily used for
distributing messages to multiple recipients. Any recipient type can be a member of a
distribution group.
Important:
It is important to note the terminology differences between Active Directory and
Exchange 2007. In Active Directory, a distribution group refers to any group that does
not have a security context, whether it is mail-enabled or not. In contrast, in
Exchange 2007, all mail-enabled groups are referred to as distribution groups, whether
they have a security context or not.
93
Exchange 2007 supports the following types of distribution groups:
• Mail-enabled universal distribution groups These are Active Directory distribution
group objects that are mail-enabled. They can be used only to distribute messages to a
group of recipients.
• Mail-enabled universal security groups These are Active Directory security group
objects that are mail-enabled. They can be used to grant access permissions to resources
in Active Directory and can also be used to distribute messages.
• Mail-enabled non-universal groups These are Active Directory global or local group
objects that are mail-enabled. In Exchange 2007, you can create or mail-enable only
universal distribution groups. You may have mail-enabled groups that were migrated from
previous versions of Exchange that are not universal groups. These groups can still be
managed by using the Exchange Management Console or the Exchange Management
Shell.
Note:
To convert a domain-local or a global group to a universal group, you can use the
Set-Group cmdlet in the Exchange Management Shell. For more information, see
Set-Group.
Dynamic Distribution Groups
Dynamic distribution groups (known as query-based distribution groups in Exchange 2003) are
distribution groups whose membership is based on specific recipient filters rather than a
defined set of recipients.
Unlike regular distribution groups, the membership list for dynamic distribution groups is
calculated each time a message is sent to them, based on the filters and conditions that you
specify. When an e-mail message is sent to a dynamic distribution group, it is delivered to all
recipients in the organization that match the criteria defined for that dynamic distribution group.
Important:
A dynamic distribution group includes any recipient in Active Directory that
has attributes that match the group's filter at the time a message is sent. If a recipient's
properties are modified to match the group's filter, that recipient could inadvertently
become a group member and start receiving messages that are sent to the dynamic
distribution group. Well-defined, consistent account provisioning processes can reduce
the chances of this issue occurring.
To help you create recipient filters for dynamic distribution groups, Exchange 2007 provides
precanned filters. A precanned filter is a commonly used Exchange 2007 filter that you can use
to meet a variety of recipient-filtering criteria. You can use these filters to specify the recipient
types that you want to include in a dynamic distribution group. In addition, you can also specify
94
a list of conditions that the recipients must meet. You can create precanned conditions based
on the following properties:
•
Custom attributes 1–15
•
State or province
•
Company
•
Department
You can also specify conditions based on recipient properties other than those previously listed.
To do this, you must use the Exchange Management Shell to create a custom query for the
dynamic distribution group. Keep in mind that the filter and condition settings for dynamic
distribution groups that have custom recipient filters can be managed only by using the
Exchange Management Shell. For an example of how to create a dynamic distribution group by
using a custom query, see How to Create a New Dynamic Distribution Group.
Note:
In the Exchange Management Console, you use the Distribution Group node
under Recipient Configuration to manage dynamic distribution groups. There is not a
separate node for dynamic distribution groups.
Mail Contacts
Mail contacts typically contain information about people or organizations that exist outside your
Exchange organization. Mail contacts can appear in the global address list (GAL) and other
address lists, and can be added as members to distribution groups. Each contact has an
external e-mail address, and all e-mail messages that are sent to a contact are automatically
forwarded to that address.
Exchange 2007 supports the following types of mail contacts:
• Mail contacts These are mail-enabled Active Directory directory service contacts that
contain information about people or organizations that exist outside your Exchange
organization.
• Mail forest contacts These represent recipient objects from another forest. These
contacts are typically created by MIIS synchronization.
Contacts are ideal for representing people external to your Exchange organization who do not
need access to any internal resources.
Mail Users
Mail users are similar to mail contacts. Both have external e-mail addresses, both contain
information about people outside your Exchange organization, and both can be displayed in the
GAL and other address lists. However, unlike a mail contact, mail
95
users have Active Directory logon credentials and can access resources to which they are
granted permission.
If a person external to your organization requires access to resources on your network, you
should create a mail user instead of a mail contact. For example, you may want to create mail
users for short-term consultants who require access to your server infrastructure, but who will
use their own external e-mail addresses.
Another scenario is to create mail users in your organization for whom you do not want to
maintain an Exchange mailbox. For example, after an acquisition, the acquired company may
maintain their separate messaging infrastructure, but may also need access to resources on
your network. For those users, you may want to create mail users instead of mailbox users.
Note:
In the Exchange Management Console, you use the Mail Contact node under
Recipient Configuration to manage mail users. There is not a separate node for mail
users.
Mail-Enabled Public Folders
Public folders are intended to serve as a repository for information that is shared among many
users. Mail-enabling a public folder provides an extra level of functionality to users. In addition
to being able to post messages to the folder, users can send e-mail messages to, and
sometimes receive e-mail messages from, the public folder. Each mail-enabled folder has an
object in Active Directory that stores its e-mail address, address book name, and other mailrelated attributes.
Note:
In Exchange 2007, you manage public folders by using the Exchange Management
Shell. (You can also perform a limited number of public folder database management
tasks in the Exchange Management Console.) For detailed instructions on configuring
mail-enabled public folders, see How to Configure the Settings of Mail-Enabled Public
Folders.
For More Information
• To learn more about planning for deploying the Mailbox server role, see Planning for
Mailbox Servers.
• For more information about managing mailbox databases, see Managing Mailbox
Databases.
• For more information about configuring mailbox features, see Managing Mailbox
Features.
•
For more information about managing mailboxes, see Managing Mailboxes.
96
• For more information about managing resource scheduling, see Managing Resource
Scheduling.
• For more information about managing distribution groups, see Managing Distribution
Groups.
• For more information about managing mail contacts and mail users, see Managing
Mail Contacts.
•
For more information about managing public folders, see Managing Public Folders.
Understanding Recipient Restrictions
In Microsoft Exchange Server 2007, you can configure various restrictions on the recipients in
your organization. These restrictions allow you to use recipients in a way that is consistent with
your organization's policies.
This topic discusses the following recipient restrictions:
•
Message size restrictions
•
Message delivery restrictions
•
Maximum recipients per message restrictions
•
Mailbox size restrictions
Message Size Restrictions
Message size restrictions are the most commonly used restrictions in any messaging system.
Setting a maximum message size prevents your messaging system, or the underlying network
infrastructure, from being overwhelmed.
Depending on what you want to accomplish, Exchange 2007 allows you to configure message
size restrictions for several components. For example, you can restrict the total size of a
message or the size of the individual message components (such as the message header,
attachments, or the number of recipients).
Although you can also specify whether message size restrictions are applied to your entire
Exchange 2007 organization or to a specific connector or user object, this section focuses only
on message size restrictions that you can apply to recipients. For a complete list of message
size restrictions that you can configure in an Exchange 2007 organization, see Managing
Message Size Limits.
When configuring message size restrictions for individual recipients, it is important to consider
other message size restrictions that may exist in your organization. For example, assume that
the Hub Transport servers in your organization are configured to restrict message size to 10
97
megabytes (MB). In this case, for a mail contact that has external addresses, you should set
the maximum receive size to be no larger than 10 MB. Although a sender in your organization
will be able to submit a message larger than 10 MB to this mail contact, the message would be
rejected by the Hub Transport server. To learn more about how different message size
restrictions affect each other and the order of precedence, see Managing Message Size Limits.
Message Size Restrictions for All Recipient Types
Exchange 2007 can deliver or route messages to all recipients. Therefore, you can set a
maximum receiving message size limit for any recipient type in your Exchange organization. If
a sender attempts to send a message that is larger than the specified size, the message is
returned to the sender with a descriptive error message.
In the Exchange Management Console, you set the maximum receiving message size by using
the Mail Flow Settings tab of the recipient's properties. In the Exchange Management Shell,
use the MaxReceiveSize parameter of the appropriate Set- cmdlet. For an example about how
to configure receiving message size restrictions for a recipient, see How to Configure Message
Size Limits for a Mailbox.
Message Size Restrictions Specific to Mailboxes
Mailboxes are the only recipient types that can submit messages to your
Exchange 2007 messaging system. Therefore, in addition to setting receiving message size
restrictions, you can also set sending message size restrictions for mailboxes.
In the Exchange Management Console, you set the maximum sending message size by using
the Mail Flow Settings tab of the mailbox properties. In the Exchange Management Shell, use
the MaxSendSize parameter of the Set-Mailbox cmdlet. For an example about how to
configure sending message size restrictions for a mailbox, see How to Configure Message Size
Limits for a Mailbox.
Important:
If you implement sending message size restrictions for your mailbox users, you should
also make sure that your Client Access servers are configured to accept client requests
that are equal to or larger than the sending message size limit that you configured.
Microsoft Outlook Web Access uses ASP.NET and is thereby affected by the ASP.NET
configuration. ASP.NET has a setting, maxRequestLength, which determines the
maximum amount of data that the Web browser can submit to the Client Access server.
If this limit is lower than the sending message size restriction, your users may receive a
confusing error. To learn more about managing the maximum message size in
Outlook Web Access, see How to Manage Maximum Message Size in Outlook Web
Access.
98
Message Delivery Restrictions
Exchange 2007 allows you to place restrictions on how messages are delivered to individual
recipients. Message delivery restrictions apply to all recipient types and can be useful for
controlling access to specific recipients in your Exchange 2007 organization. For example,
several organizations specify that only a small set of users can send messages to large
distribution groups.
You can configure the following message delivery restrictions for a recipient:
• Accept messages from a specific list of senders If you specify a list of senders
from which to accept messages, the recipient will receive messages only from those
senders. By default, all recipients are configured to accept messages from all senders.
Use this restriction for recipients for which you want only a small number of authorized
senders to be able to send messages. For example, you may want to configure a
distribution group that contains all the employees in your organization to accept messages
from only specific employees in the Human Resources department who are responsible for
company-wide communications. Another scenario where you can use this restriction is for
mail contacts that represent suppliers for a retail organization. You may want to configure
each of these mail contacts to accept messages from only the buyers who work directly
with those suppliers.
• Reject messages from a specific list of senders If you specify a list of senders
from which to reject messages, the recipient will reject messages from those senders. By
default, all recipients are configured not to reject messages from any senders.
Note:
This restriction overrides the Accept messages from a specific list of senders
restriction. If a sender is listed in both lists, any messages sent by that sender will
be rejected.
Use this restriction to block specific users from sending messages to specific recipients.
For an example about how this restriction is useful, consider the following scenario. You
create a distribution group called All Employees. You configure that distribution group to
accept messages from only those senders that are a member of the Human Resources
distribution group. However, the Human Resources distribution group also includes
mailboxes for interns whom you do not want to allow access to the All Employees
distribution group. Therefore, to prevent the intern mailboxes from sending messages to
the All Employees distribution group, you can specify the intern mailboxes when
configuring the Reject messages from a specific list of senders restriction for the All
Employees group.
• Require that all senders are authenticated If you configure a recipient to require
that all senders are authenticated, any messages from senders that do not have valid
logon credentials in your organization will be rejected. By default, only new distribution
99
groups and dynamic distribution groups are configured to require all senders to be
authenticated.
Note:
In previous versions of Exchange, by default, no recipients were configured to
require all senders to be authenticated. Therefore, any distribution groups that you
migrate from a previous version of Exchange will not have this restriction
configured.
Use this restriction to specify that recipients receive messages only from internal senders
that have been successfully authenticated. For example, to prevent messages that
originate outside of your Exchange organization from being delivered to distribution groups
that are used for internal communications, you can configure these groups to require
sender authentication.
For detailed steps about how to configure message delivery restrictions for a recipient, see
How to Configure Message Delivery Restrictions.
Maximum Recipients per Message Restrictions
It can take a significant amount of time for a Hub Transport server to route messages that are
addressed to a large number of recipients. As a result, this may affect the performance of the
Hub Transport server, which could impact the overall message delivery in your
Exchange organization.
To eliminate this risk, you can restrict the number of recipients that are allowed per message.
Although you can configure this restriction at the mailbox level, you can also configure it at a
higher level, such as the organization level, connector level (only for Receive connectors), and
Hub Transport server level. Generally, it is a best practice to configure this setting at a higher
level and use the mailbox-level configuration only for exceptions. For more information about
the different levels at which you can configure this restriction, as well as a list of default values,
see Managing Message Size Limits.
Mailbox Size Restrictions
In Exchange 2007, you can configure storage quotas for mailboxes. By using storage quotas,
you can control the size of mailboxes and manage the growth of mailbox databases. For
detailed steps about how to configure storage quotas for a mailbox, see How to Configure
Storage Quotas for a Mailbox.
Note:
You can also configure storage quotas at the mailbox database level. The quotas that
you configure for a mailbox database apply to all mailboxes in that database, unless
the mailbox is configured not to use mailbox database defaults. Generally, it is a best
100
practice to configure storage quotas at the mailbox database level and use the mailbox
level configuration only for exceptions. For detailed steps about how to configure
storage quotas for a mailbox database, see How to Configure Storage Quotas for a
Mailbox Database.
Because storage quotas have a direct impact on your storage capacity planning, you must plan
your storage quotas carefully. Storage quotas, number of mailboxes per mailbox database, and
the storage subsystem that hosts each mailbox database are all factors that you should
consider when planning your deployment. To learn more about how each of these factors
affects your deployment planning, see Planning Disk Storage.
Before deploying Unified Messaging (UM) in your Exchange organization, you must review any
existing storage quotas you have configured. Because Windows Media Audio (.wma) and
Waveform audio (.wav) files are attached to each voice message, voice messages may be
larger than e-mail messages. As a result, voice messages may cause user mailboxes to
exceed their quota more quickly than e-mail messages that do not include attachments. To
learn more about the impact of UM on storage quotas, see Understanding Storage Quotas and
Voice Mail.
For detailed steps about how to configure storage quotas for a mailbox, see How to Configure
Storage Quotas for a Mailbox.
Messaging Records Management
Exchange 2007 introduces a new feature called messaging records management (MRM). MRM
is not another storage restriction placed on a mailbox. However, the feature is mentioned in this
section because MRM policies can aid in managing mailbox sizes in your organization.
Specifically, MRM helps you manage mailbox sizes by:
• Reducing the risks that are associated with e-mail and other communications by
making it easier to keep what is needed to comply with company policy, government
regulations, or legal needs.
•
Removing content that has no legal or business value.
To learn more about MRM, see Understanding Messaging Records Management.
For More Information
• To learn more about the message size restrictions you can configure in an
Exchange 2007 organization, see Managing Message Size Limits.
•
To learn more about recipients, see Understanding Recipients.
•
For more information about managing recipients, see Managing Recipients.
101
Understanding Recipient Scope
In Microsoft Exchange Server 2007, you manage recipients by using the
Exchange Management Console and the Exchange Management Shell. These management
interfaces give you the flexibility to view and manage recipients that are stored at various levels
of an Active Directory hierarchy.
Exchange Server 2007 management interfaces accomplish this by utilizing a concept called the
recipient scope. Recipient scope refers to the specified portion of the Active Directory directory
service hierarchy that the Exchange Management Console and the Exchange Management
Shell will use for recipient management. When you set the recipient scope to a specific location
within Active Directory, you can view and manage all recipients stored in that location and all of
the containers under it. For example, if you set the recipient scope to a domain, the Exchange
management interface you are using allows you to view and manage all recipients that are
stored in all organizational units (OUs) within that domain.
Note:
The recipient scope is simply a view of Active Directory and has no security context.
You can access and manage only the objects and containers to which your user
account has been granted permission, regardless of the recipient scope setting. To
learn more about permissions in Exchange 2007, see "Permissions" in Security and
Protection.
Setting the recipient scope does more than just limit the number of recipients returned. When
you set the recipient scope, the management interface you are using operates within the
recipient scope that you specified. When performing recipient management tasks, the
management interface is able to view only the portion of Active Directory that you set as the
recipient scope. For example, assume that your company has the Active Directory structure
shown in Figure 14. If you set the recipient scope to the Field OU of the corp.contoso.com
domain, the Exchange management interface is able to view only the portion of Active Directory
that is highlighted in Figure 1.
102
Figure 14 Recipient scope
The recipient scope applies to the first class recipient objects. In Exchange 2007, first class
recipient objects refers to all mailboxes, mail contacts, mail users, distribution groups, and
dynamic distribution groups.
Important:
The properties of first class recipient objects are not bound by the recipient scope. For
example, when adding members to a distribution group, you can select any recipient in
the forest, regardless of the recipient scope. Similarly, when configuring the manager of
a mailbox user, you can select any mail-enabled user or contact in the forest.
Recommendations for Working with Recipient
Scope
The following are some recommendations for working with recipient scope:
• In large organizations, recipients may be spread across multiple domains or OUs. In
these cases, setting a recipient scope that focuses on the specific set of recipients you are
managing may reduce the number of recipients that are returned, thereby improving the
performance of the Exchange management interfaces.
• Set the recipient scope to the entire forest only when performing specific tasks that
apply to all recipients in the forest. When the recipient scope is set to the entire forest, the
management interfaces use a global catalog server to access Active Directory. The
recipient information that is displayed in the interfaces is dependent on the replication
latencies of Active Directory. As a result, the information that is displayed may not be
entirely up-to-date. Likewise, any updates made through the interfaces may not take effect
until Active Directory replicates the changes.
103
Furthermore, if you have a large Active Directory deployment with recipients spread across
multiple domains, using a forest-wide recipient scope can reduce the performance of the
management interfaces due to the sheer number of recipients that is returned.
• If you have a complex Active Directory replication topology, or if you have high
replication latency, specify the global catalog that is most up to date when setting the
recipient scope to the entire forest.
• If you use a specific domain controller on which all updates to Active Directory are
made, you can specify that domain controller as the preferred recipient domain controller
when setting the recipient scope. For example, if you have an account provisioning system
that works with a specific domain controller, you can specify that domain controller as the
preferred recipient domain controller.
Setting the Recipient Scope
Exchange 2007 management interfaces always start with the recipient scope at the domain
level. The default setting for the recipient scope is always set to the domain of the computer
that is running the management interface. Neither the user account that is being used nor the
Exchange servers being managed has bearing on the default value of the recipient scope.
To illustrate this point, consider the following scenario:
The organization contoso.com has an Active Directory forest with three domains: contoso.com
(which contains all computer accounts), users.contoso.com (which contains all user accounts),
and exchange.contoso.com (which contains the Exchange servers). To administer an
Exchange server in exchange.contoso.com, an administrator logs on to a computer in
contoso.com with a user account in users.contoso.com. When the administrator opens the
Exchange Management Console or the Exchange Management Shell, by default, the recipient
scope is set to contoso.com.
Depending on the task you need to accomplish, you can change the recipient scope to a
different location in Active Directory. You can set the recipient scope to a single OU, to the top
level of an OU hierarchy, to a domain, or even to the entire forest.
Recipient Scope in the Exchange Management Console
Changing the recipient scope in the Exchange Management Console changes the set of
recipients that are displayed in the result pane of the Recipient Configuration node. The
dialog boxes that you use to select recipients or OUs (located on various wizard pages) also
work within the same scope. For example, if you are mail-enabling an existing contact, the
Select Contact dialog box in the New Mail Contact wizard displays only the contacts within
the recipient scope that are not already mail-enabled.
104
Note:
The Microsoft Management Console (MMC) saves any changes you make to a snap-in
as preferences in your user profile on the administrator computer. The recipient scope
setting is also saved as one of your preferences. As a result, the next time you start the
Exchange Management Console on the same computer, the default setting of the
recipient scope is overwritten by the scope that you last specified. However, if you use
another computer or a different user account to run the Exchange Management
Console, you will need to adjust the recipient scope again.
To modify the recipient scope in the Exchange Management Console, select the Recipient
Configuration node, and then click Modify Recipient Scope in the action pane. For more
information about changing the recipient scope in the Exchange Management Console, see
How to Change the Recipient Scope.
Recipient Scope in the Exchange Management Shell
Because you must manually type all values in the Exchange Management Shell, it is important
that you keep the recipient scope in mind as you manage recipients. If you make references to
objects that are outside the recipient scope, you may receive errors. For example, if you try to
create a new distribution group in an OU that is not within the recipient scope you specified,
you will receive the error, "Organizational unit <OU name> was not found. Please make sure
you have typed it correctly".
You can view or modify the recipient scope by using various fields that are stored in the
$AdminSessionADSettings variable.
Note:
The fields that are stored in this variable are retained until the Exchange Management
Shell is closed and is reset to its default settings the next time that the Exchange
Management Shell is opened.
The $AdminSessionADSettings variable contains the following fields:
ViewEntireForest
If this field is set to $true, you can view and
manage all the recipients in the forest by using
the Exchange Management Shell. If set to
$false, the recipient scope that is specified
in the DefaultScope field will be used as the
recipient scope.
105
DefaultScope
This field stores the recipient scope for the
current session of the Exchange Management
Shell in canonical format. For example, if the
recipient scope is set to the Users OU in the
contoso.com domain, the value for
DefaultScope will be contoso.com/Users.
Note:
This field is ignored if the
ViewEntireForest field is set to $true.
PreferredGlobalCatalog
If this field is specified, and if ViewEntireForest
is set to $true, the Exchange Management
Shell will use the specified global catalog
server to query for recipients.
If this field is not specified, Exchange will
automatically select a suitable global catalog
server.
ConfigurationDomainController
This field specifies the domain controller that
the Exchange Management Shell uses to read
the Exchange configuration information.
PreferredDomainControllers
If this field is specified, and if ViewEntireForest
is set to $false, the Exchange Management
Shell will use the specified domain controllers
to query for recipients.
Note:
You can specify only one domain
controller per domain. You can specify
more than one domain controller only
if the recipient scope you are using
spans more than one domain.
If this field is not specified, Exchange will
automatically select a suitable domain
controller.
By manipulating the values that are stored in this variable, you can use the Exchange
Management Shell to control the recipient scope. For more information about modifying the
recipient scope in the Exchange Management Shell, see How to Change the Recipient Scope.
106
For More Information
•
To learn more about recipient types in Exchange 2007, see Understanding Recipients.
•
To learn more about recipient management, see Managing Recipients.
Understanding Disconnected Mailboxes
In Microsoft Exchange Server 2007, each mailbox consists of an Active Directory directory
service user and the mailbox data that is stored in the Exchange mailbox database. (For an
illustration of the components of a mailbox, see Figure 15.) All configuration data for a mailbox
is stored in the Exchange attributes of the Active Directory user object. The mailbox database
contains the mail data that is in the mailbox associated with the user account.
Important:
When you create a mailbox for a new or existing user, the Exchange attributes that are
required for a mailbox are added to the user object in Active Directory. The associated
mailbox object in the Exchange mailbox database is not created until the mailbox either
receives a message or the user logs on to it. If you create a new mailbox, and then
remove or disable that mailbox before the mailbox object in the Exchange mailbox
database is created, it will not be available as a disconnected mailbox.
Figure 15 Components of a mailbox
A disconnected mailbox is a mailbox object in an Exchange mailbox database that is not
associated with an Active Directory user account. When you remove or disable a mailbox, the
data that is stored in the Exchange mailbox database is no longer associated with the user
account in Active Directory and becomes a disconnected mailbox.
107
Caution:
If you remove a mailbox, the mailbox data that is stored in the Exchange mailbox
database is marked for deletion and the associated user account is also deleted from
Active Directory. To retain the user account and only disassociate the mailbox data
from the user account, you must disable the mailbox. For detailed instructions, see
How to Disable a Mailbox.
To provide a method for recovering mailbox data without having to restore the entire mailbox
database, disconnected mailboxes are retained in the mailbox database for a specific amount
of time. By default, Exchange retains a disconnected mailbox for 30 days. During this time, the
disconnected mailbox can be recovered by associating it with an existing Active Directory user
account. To learn more about deleted mailbox retention, see Configuring Deleted Mailbox and
Deleted Item Retention.
Working with Disconnected Mailboxes
There are two operations you can perform on a disconnected mailbox:
•
Connect it to an existing user account in Active Directory
•
Permanently delete it from the Exchange mailbox database
Connecting a Disconnected Mailbox
During the time a disconnected mailbox is retained in the Exchange mailbox database, you can
connect it to an existing Active Directory user account that is not associated with another
mailbox. Scenarios in which you may want to connect a mailbox include the following:
• You disabled a mailbox and now want to reconnect the mailbox to an Active Directory
user account.
• You removed a mailbox by using the Remove-Mailbox cmdlet without the Permanent
or StoreMailboxIdentity parameters and now want to reconnect the mailbox to a different
Active Directory user account.
• You want to convert a user mailbox to a linked mailbox that is associated with a user
account external to the forest in which your Exchange organization exists. The resource
forest scenario is an example of when you would want to associate a mailbox with an
external account. In a resource forest scenario, user objects in the Exchange forest have
mailboxes, but the user objects are disabled for logon. You must associate these mailbox
objects in the Exchange forest with enabled user objects in the external accounts forest.
You can use the Connect-Mailbox cmdlet in the Exchange Management Shell or the Connect
Mailbox wizard in the Exchange Management Console to connect a mailbox. The Connect
Mailbox wizard is available from the action pane when you select the Disconnected Mailbox
108
node under Recipient Configuration. For detailed instructions about how to connect a
disconnected mailbox, see How to Connect a Mailbox.
After you connect a mailbox to an existing Active Directory user account, that user account
becomes the owner of the mailbox and has full access to any content within the mailbox.
Permanently Deleting a Disconnected Mailbox
Exchange retains disconnected mailboxes in the mailbox database based on the deleted
mailbox retention settings configured for that mailbox database. After the specified retention
period, a disconnected mailbox is permanently deleted from the Exchange mailbox database.
You can also permanently delete a disconnected mailbox at any time by using the RemoveMailbox cmdlet in the Exchange Management Shell. To do this, you need to set the Permanent
parameter to $true when you run the command.
If you want to permanently delete the data within the mailbox database for a previously
disconnected mailbox, you must use the StoreMailboxIdentity parameter with the RemoveMailbox cmdlet. You can use the Get-MailboxStatistics cmdlet to determine the value you
need to supply to the StoreMailboxIdentity parameter for a disconnected mailbox. For an
example of this scenario, see the third code example in the reference topic Remove-Mailbox.
For detailed syntax and parameter information, see the Remove-Mailbox and GetMailboxStatistics reference topics.
For More Information
For detailed information about how to connect a disconnected mailbox, see How to Connect a
Mailbox.
For more information about deleted mailbox retention, see Configuring Deleted Mailbox and
Deleted Item Retention.
For more information about the Exchange Management Shell cmdlets that relate to
disconnected mailboxes, see the following topics:
•
Connect-Mailbox
•
Remove-Mailbox
•
Disable-Mailbox
•
Get-MailboxStatistics
•
Clean-MailboxDatabase
To learn more about mailboxes, see Understanding Recipients.
To learn more about managing mailboxes, see Managing Mailboxes.
109
Understanding Offline Address Books
An offline address book (OAB) is a copy of a collection of address lists that has been
downloaded so that a Microsoft Outlook user can access the information it contains while
disconnected from the server. Microsoft Exchange generates the new OAB files, compresses
the files, and then places the files on a local share. Exchange administrators can choose which
address lists are made available to users who work offline, and they can also configure the
method by which the address books are distributed.
For more information about address lists, see Understanding Address Lists.
Important:
In Microsoft Exchange Server 2007, OAB data is produced by the
Microsoft Exchange System Attendant service running as Local System. If an
administrator uses the security descriptor to prevent users from viewing certain
recipients in the Active Directory directory service, users who download the OAB will
be able to view those hidden recipients. Therefore, to hide a recipient from an address
list, you set the -HiddenFromAddressListsEnabled parameter on the SetPublicFolder, Set-MailContact, Set-MailUser, Set-DynamicDistributionGroup, SetMailbox, and Set-DistributionGroups cmdlets. Alternatively, you can create a new
default OAB that does not contain the hidden recipients. For more information about
how to add or remove address lists from an OAB, see How to Add or Remove an
Address List from an Offline Address Book.
The OAB in Exchange 2007 has several performance improvements. Specifically, these
improvements help minimize the network impact of users who download OAB information. The
following list describes some of the improvements to the OAB:
• Fewer situations will cause a client computer to download the entire OAB. Instead, the
client computer performs an asynchronous download of the OAB. This means that the
client computer downloads only the changes between the OAB that it currently has and the
OAB that is available for download. This type of download does not affect network and
client performance as much as a full download.
• Full OAB downloads are significantly reduced. This reduction is made possible by the
adoption of an improved compression mechanism for the OAB files.
• OAB indexing is based on the locale setting (language and country/region) of the client
computer. This enables users on the same server (who have different locale settings) to
correctly view the OAB based on their locale setting and not the server's local setting.
• Background Intelligent Transfer Service (BITS) allows you to transfer files
asynchronously between the client computer and the server. For more information, see
About BITS.
110
• Diagnostic logging improvements make it easier to notice problems that may occur
with OAB downloads. For more information, see Diagnostic Logging of Exchange
Processes.
Outlook Clients and OAB Version
In Exchange 2007, you can specify the OAB versions that are generated for client download.
The following options are available:
• OAB Version 2 (ANSI Offline Address Book) This OAB format is used with both
Microsoft Exchange 2000 Server and Exchange Server version 5.5. Exchange Server 2003
also supports ANSI OABs.
• OAB Version 3 (Unicode Offline Address Book) This OAB is used for
Exchange 2003. This OAB has additional information that helps Outlook reduce server
remote procedure calls (RPCs). Additionally, the Unicode OAB has new features that are
related to sorting rules for different language locales. These features permit Outlook to use
the correct sorting rule for the language locale with the OAB.
• OAB Version 4 (Unicode Offline Address Book) This OAB was introduced in
Exchange 2003 Service Pack 2 (SP2). This Unicode OAB allows client computers to
receive differential updates rather than full OAB downloads.
Outlook Clients That Use OAB Version 3 and Version 2
For Outlook clients that use OAB version 3 and version 2, if the size of the Changes.oab file is
one-eighth (or more) the size of the entire OAB file, Outlook initiates a full OAB download.
For example, Outlook will obtain the size of the compressed Changes.oab files. Outlook will
then obtain the total size of all the compressed full OAB files on the server, including the
templates. If the size of the Changes.oab files is greater than one-eighth the size of the full
OAB files, Outlook will download the full OAB instead of the incremental files.
Minor changes to recipient attributes will cause all recipient information to be included in the
Changes.oab file. The following are examples of these minor changes:
•
Updating phone numbers to reflect a new area code for a large number of recipients
•
Adding an additional proxy address to a large number of recipients
Therefore, changing minimal bytes of information for half of your recipients could create a
Changes.oab file that is larger than one-eighth the size of your entire OAB file.
Outlook Clients That Use OAB Version 4
For Outlook clients that use OAB version 4, if the size of the Changes.oab files is one-half (or
more) the size of the entire OAB files, Outlook initiates a full OAB download. For more
111
information about improvements that have been made in OAB version 4, see "Improvements in
Exchange Server 2003 SP2 and Outlook 2003 SP2" in Improvements for Offline Address
Books.
OAB Distribution Methods
You can choose which address books are made available to users who work offline. When the
OAB generation (OABGen) process occurs, Exchange generates new OAB files, compresses
the files, and then places the files on a local share. You can then configure the method by
which the address books are distributed. There are two methods by which the OAB is
distributed to client computers:
•
Web-based distribution
•
Public folder distribution
To determine which OAB download method to use, Microsoft Office Outlook 2007 uses
information that is provided by the Autodiscover service. If you have not selected an OAB
download method for your Exchange server, the Test E-mail AutoConfiguration tool in
Outlook 2007 will report Public Folder as the OAB URL. Outlook will then use the traditional
method (public folder distribution) to download OAB data. For more information about public
folder distribution methods, see "Public Folder Distribution" later in this document.
Web-Based Distribution
Web-based distribution is the distribution method by which Outlook 2007 clients that are
working offline or through a dial-up connection access the OAB. Web-based distribution does
not require the use of public folders.
With Web-based distribution, after the OAB is generated, the Client Access server replicates
the files. Web-based distribution uses HTTPS and BITS. For an overview about how BITS
works, see About BITS.
Important:
Although Web-based distribution is enabled by default and does not require further
configuration, we recommend that you enable Secure Sockets Layer (SSL) for the
OAB distribution point. For more information, see How to Require SSL for Offline
Address Book Distribution.
There are several advantages to using Web-based distribution, including:
•
Support of more concurrent client computers.
•
Reduction in bandwidth usage.
112
• More control over the OAB distribution points. With Web-based distribution, the
distribution point is the HTTPS Web address where client computers can download the
OAB.
To benefit most from Web-based distribution, client computers must be running Outlook 2007.
Organizations that also have client computers running Outlook 2003 or earlier can use both
public folder distribution and Web-based distribution. The Outlook 2003 and earlier clients will
still access their OABs by using public folders, while Outlook 2007 clients will take advantage of
the new Web-based distribution method.
To function properly, Web-based distribution depends on the following components:
• OAB generation process This is the process by which Exchange creates and
updates the OAB. To create and update the OAB, the OABGen service runs on the OAB
generation server. To support OAB distribution, this server must be an Exchange 2007
Mailbox server.
• Microsoft Exchange File Distribution service The Microsoft Exchange File
Distribution service runs on Client Access servers and is responsible for gathering the OAB
and keeping the content synched with the content on the Mailbox server.
• OAB virtual directory The OAB virtual directory is the distribution point used by the
Web-based distribution method. By default, when Exchange 2007 is installed, a new virtual
directory named OAB is created in the default internal Web site in Internet Information
Services (IIS). If you have client-side users that connect to Outlook from outside your
organization's firewall, you can add an external Web site. Alternatively, when you run the
New-OABVirtualDirectory cmdlet in the Exchange Management Shell, a new virtual
directory named OAB is created in the default IIS Web site on the local Exchange 2007
server. For information about how to create an OAB virtual directory, see How to Create an
Offline Address Book Virtual Directory.
• Autodiscover service This is a feature available in Outlook 2007 and some mobile
devices that automatically configures the clients for access to Exchange 2007. The service
runs on a Client Access server and returns the correct OAB URL for a specific client
connection. For more information about the Autodiscover service, see Overview of the
Autodiscover Service.
Figure 16 illustrates workflow for the OAB Web-based distribution method. The figure assumes
that all client users have the same OAB and that the OAB is distributed to all Client Access
servers.
113
Figure 16 OAB Web-based distribution workflow
In figure 16, a company has offices in London and San Paolo. The Mailbox servers for the
entire company are in the corporate headquarters in London. San Paolo, which is a slow link,
has Client Access servers to which the San Paolo client users connect to Outlook. In addition,
the company has users who work remotely and connect to the corporate network through the
Internet.
Before a user connects to a MAPI-based client computer, such as Outlook, the following
happens:
1. The OAB is generated on one of the Mailbox servers in the London office.
2. On each of the Client Access servers in London, the Microsoft Exchange File
Distribution service copies the new OAB files from the OAB Mailbox server in London.
3. On the Client Access server in Sao Paulo, the Microsoft Exchange File Distribution
service copies the files over the slow link from the Mailbox server in London. Depending on
the speed of the slow link, the copy process may take from several minutes to several
hours. The new OAB is not made available to client computers until it is completely copied
and verified.
Note:
Not all Client Access servers will copy the new OAB at the exact same time. There
is a poll interval (the default is 8 hours) that starts copying if there are new
differential files. The first poll occurs when the Microsoft Exchange File Distribution
114
service starts. Therefore, unless the Client Access servers were started at the
same time, the server polls will be different on each Client Access server.
After all of the Client Access servers have copied the OAB content, there are several scenarios
by which the client user will download the OAB:
•
Scenario 1 Onsite user
In this scenario, all actions occur in the London office:
a. User A, who is located in the London office and whose Outlook is set to
Cached Exchange Mode, connects to Outlook.
b. Outlook connects to the Autodiscover service to obtain the URL to the closest OAB
distribution point.
c. The Autodiscover service returns the URL to one of the Client Access servers in
London.
d. Outlook uses BITS to connect to the URL that was provided by the Autodiscover
service.
e. Outlook downloads the OAB.
•
Scenario 2 Slow link user
In this scenario, User B's mailbox resides in the London office because there are no
Mailbox servers in the Sao Paulo office. Because User B is preparing to leave for a
business trip and requires a local copy of the OAB, User B must download the OAB.
User B's OAB will be downloaded from the Client Access server that is closest to the San
Paolo office:
a. User B, who is located in the San Paolo office, connects to Outlook.
b. Outlook connects to the Autodiscover service to obtain the URL to the closest OAB
distribution point.
c. The Autodiscover service returns the URL to the Client Access server in San
Paolo.
d. Outlook uses BITS to connect to the URL that was provided by the Autodiscover
service.
e. Outlook downloads the OAB. However, because San Paolo's Client Access server
copies the OAB to London over a slow link, User B may not get the most recent
version of the OAB.
•
Scenario 3 Internet user
In this scenario, because the user connects using the Internet, Exchange cannot locate the
Client Access server that is closest to the user's physical location. Therefore,
Exchange defaults to a Client Access server that is close to the user's Mailbox server:
a. User C, whose mailbox server is in London, connects to Outlook from the Internet.
115
b. Outlook connects to the Autodiscover service to obtain the URL to the closest OAB
distribution point.
c. Because User C's mailbox is located on the Mailbox server in London, the
Autodiscover service returns the URL to one of the Client Access servers in London.
d. Outlook connects to the URL that was provided by the Autodiscover service by
using BITS.
e. Outlook downloads the OAB.
Public Folder Distribution
Public folder distribution is the distribution method by which Outlook 2003 or earlier clients that
are working offline or through a dial-up connection access the OAB. With public folder
distribution, the OAB generation process places the files directly in one of the public folders,
and then Exchange store replication copies the data to other public folder distribution points.
With public folder distribution, every request for a full OAB download is served immediately. For
example, if a public folder that is serving 10,000 users receives 1,000 requests in one hour, and
the OAB size is 5 megabytes (MB), the server will immediately transmit 5 gigabytes (GB) of
data. Depending on network speed and available bandwidth, this volume of traffic could
potentially overload the network for an extended period.
To prevent this overload, you can set a bandwidth threshold to limit the network bandwidth that
results from OAB downloads. This process is called throttling.
By default, throttling is turned off. You can activate throttling by adding the following entry to the
registry on all public folder servers that host OAB system folders.
Caution:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry incorrectly
may not be able to be resolved. Before editing the registry, back up any valuable data.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Pa
rametersSystem
Type: DWORD
Value: OAB Bandwidth Threshold (KBps)
Value Data: bandwidth threshold setting (Range: 0 to 4194304
(decimal))
The bandwidth threshold setting is in kilobytes per second (KBps) and should be configured
with a decimal value. For example, setting the registry key to a decimal value of 5,000
configures the public folder server to use 5,000 KBps as the bandwidth threshold for OAB
downloads, which is approximately 40,960 kilobits per second (Kbps), or 40.96 megabits per
second (Mbps). After the setting has been added and configured, Exchange will dynamically
detect the registry entry and begin enforcing the bandwidth limit without requiring the
Microsoft Exchange Information Store service to restart.
116
Each time an OAB download request occurs, administrative rights on the Exchange server are
verified for the requestor. If the security context that is used for the request is the equivalent of
the local administrator on the Exchange server, it is assumed that an internal function is
requesting the download. In this event, the requestor is allowed to proceed with a full OAB
download. However, the bytes that are transmitted to the administrative client are still
calculated as part of the average full OAB bytes downloaded. If the requestor does not have
administrative rights, the average full OAB bytes that are downloaded over the last 10 seconds
are determined. If this value is less than the configured threshold, a full OAB download is
allowed.
Note:
Setting the registry key to 0 allows a maximum of one client without administrative
rights, in 10 second intervals, at a time to download a full OAB.
When setting the OAB download bandwidth threshold, we recommend that you configure
thresholds on the individual servers to values that will not cause an overload of the
Exchange server's network adapter or the network. If you have not already gathered and
analyzed network and Exchange server performance data, you should do so before you
configure the registry entry.
Effects of OAB Downloads on the Network When Using Public Folder
Distribution
Because there are several cases that can cause a large number of full OAB downloads, you
should understand the effect on bandwidth that a large OAB download has on the network.
The Exchange server can easily handle many download requests for the OAB. As a result,
multiple attempts to download a full OAB over a slow link can saturate a network. (All the
available bandwidth is being used.) When this happens, there are two significant effects:
• Applications that must use the wide area network (WAN) will perform slowly. This is
because they wait for their network requests to traverse the saturated WAN link.
• The actual traffic needed on the WAN increases because individual network requests
may time out, resulting in additional requests being made.
When the network becomes saturated, the latency increases, not only the time it takes for each
client computer to download the OAB, but the overall duration of the download process.
Normally, this means that the data rate for each client computer is reduced. However, if the
latency is too high, RPC packets will time out, causing additional RPC requests for the same
data to be retrieved. Also, if an Outlook user attempts to download the OAB and the download
is canceled or fails, Outlook deletes the data that has been downloaded and attempts to
download the OAB again. As a result, more data is requested, which in turn, increases the
overall duration for a large set of OAB downloads.
Outlook downloads the OAB from the Exchange server through a series of RPC packets. Each
packet is received and acknowledged, and then the next packet is sent. Based on the latency
117
between Outlook and Exchange, a single Outlook client is limited to how quickly it can receive
and acknowledge each packet. Because of this delay, a single Outlook client may not be able
to saturate a network link. However, as more Outlook clients begin to download the OAB, the
combined download rate of all clients could saturate the link. The link will remain saturated until
the full OABs are downloaded.
The relationship is linear in that the larger the latency between the Outlook client and the
Exchange server, the fewer packets can be received. Fewer clients are able to download an
OAB before a slow link is saturated. The reverse is also true. If latency is low, more clients are
needed to saturate a slow link. The number of Outlook clients that can download the OAB
simultaneously without saturating the WAN will increase as either network latency decreases or
network bandwidth increases.
OAB Considerations
As a best practice, whether you use a single OAB or multiple OABs, consider the following
factors as you plan and implement your OAB strategy:
• Size of each OAB in your organization. For more information, see "OAB Size
Considerations" later in this document.
•
Number of OAB downloads.
•
Number and frequency of parent distinguished named changes.
•
Simple Mail Transfer Protocol (SMTP) address mismatches.
•
Overall number of changes made to the directory.
OAB Size Considerations
For some organizations, the OAB is a small file that remote users occasionally download. For
these organizations, downloading the OAB is usually not a concern. However, for some large
organizations that have large directories, or for organizations that have deployed
Outlook 2003 in Cached Exchange Mode, it may be a concern, especially if the organizations
have consolidated Exchange servers into a regional data center.
OAB sizes can vary from a few megabytes to a few hundred megabytes. The following factors
can affect the size of the OAB:
• Usage of certificates in a company. The more public key infrastructure (PKI)
certificates, the larger the OAB. PKI certificates range from 1 kilobyte (KB) to 3 KB. They
are the single largest contributor to the OAB size.
•
Number of mail recipients in Active Directory.
•
Number of distribution groups in Active Directory.
118
• Information that a company adds to Active Directory for each mailbox-enabled or mailenabled object. For example, some organizations populate the address properties on each
user; others do not.
For More Information
For more information about OABs, see the following topics:
•
Managing Offline Address Books
•
Offline Address Book Cmdlets
For more information about address lists, see the following topics:
•
Understanding Address Lists
•
Managing Address Lists
Understanding Address Lists
An address list is a collection of recipient and other Active Directory directory service objects.
Each address list can contain one or more types of objects (for example, users, contacts,
groups, public folders, conferencing, and other resources). You can use address lists to
organize recipients and resources, making it easier to find the recipients and resources you
want. Address lists are updated dynamically. Therefore, when new recipients are added to your
organization, they are automatically added to the appropriate address lists.
As illustrated in figure 17, client applications, such as Outlook 2007, display the available
address lists that Exchange provides.
119
Figure 17 The Global Address List as displayed in Outlook 2007
Address lists reside in Active Directory. Therefore, mobile users who are disconnected from the
network are also disconnected from these server-side address lists. However, you can create
offline address books (OABs) for users who are disconnected from the network. These OABs
can be downloaded to a user's hard disk drive. Frequently, to conserve resources, OABs are
subsets of the information in the actual address lists that reside on your servers. For more
information, see Understanding Offline Address Books.
Note:
If you have a coexistence scenario with Exchange 2007 and Exchange 2003, you can
edit the global address list (GAL) and address list objects from Exchange 2003 or
Exchange 2007. However, you must upgrade Exchange 2003 objects before they be
edited by Exchange 2007. After you upgrade the object, it cannot be edited by
Exchange 2003.
Default Address Lists
When users want to use their client application to find recipient information, they can select
from available address lists. Several address lists, such as the GAL, are created by default.
Exchange 2007 contains the following default address lists, which are then automatically
populated with new users, contacts, groups, or rooms as they are added to your organization:
• All Contacts This address list contains all mail-enabled contacts in your organization.
Mail-enabled contacts are those recipients who have an external e-mail address. If you
want mail-enabled contact information to be available to all users in your organization, you
must include the contact in the GAL. To learn more about mail contacts, see Understanding
Recipients.
120
• All Groups This address list contains all mail-enabled groups in your organization.
Mail-enabled groups are a group of recipients that are created to expedite the mass emailing of messages and other information. When an e-mail message is sent to a mailenabled group, all members of that list receive a copy of the message. To learn more about
mail-enabled groups, see Understanding Recipients.
• All Rooms This address list contains all resources that have been designated as a
room in your organization. Rooms are resources in your organization that can be
scheduled by sending a meeting request from a client application. The user account that is
associated with a room is disabled. For instructions about how to add resource mailboxes
to an address list, see How to Add a Resource Mailbox to an Address List. To learn more
about resource mailboxes, see Understanding Recipients
• All Users This address list contains all mail-enabled users in your organization. A
mail-enabled user represents a user outside your Exchange organization. Each mailenabled user has an external e-mail address. All messages sent to mail-enabled users are
routed to this external e-mail address. A mail-enabled user is similar to a mail contact,
except that a mail-enabled user has Active Directory logon credentials and can access
resources. To learn more about mail-enabled users, see Understanding Recipients.
• Default Global Address List This address list contains all mail-enabled users,
contacts, groups, or rooms in the organization. During setup, Exchange creates various
default address lists. The most familiar address list is the GAL. By default, the GAL
contains all recipients in an Exchange organization. In other words, any mailbox-enabled or
mail-enabled object in an Active Directory forest that has Exchange installed is listed in the
GAL. For ease of use, the GAL is organized by name, not by e-mail address. For more
information, see Managing Global Address Lists.
• Public Folders This address list contains all public folders in your organization.
Access permissions determine who can view and use the folders. Public folders are stored
on computers running Exchange. For more information about public folders, see Managing
Public Folders.
Custom Address Lists
An Exchange organization can contain thousands of recipients. If you compile all your
recipients in the default address lists, those lists could become quite large. To prevent this, you
can create custom address lists to help users in your organization find what they are looking for
more easily.
For example, consider a company that has two large divisions and one Exchange organization.
One division, named Fourth Coffee, imports and sells coffee beans. The other division,
Contoso, Ltd, underwrites insurance policies. For most day-to-day activities, the employees at
Fourth Coffee do not communicate with the employees at Contoso, Ltd. Therefore, to make it
easier for employees to find recipients who exist only in their division, you can create two new
custom address lists—one for Fourth Coffee and one for Contoso, Ltd. When searching for
121
recipients in their division, these custom address lists allow employees to select only the
address list that is specific to their division. However, if an employee is unsure about the
division in which the recipient exists, the employee can search within the GAL, which contains
all recipients in both divisions.
You can also create subcategories of address lists called hierarchical address lists. For
example, you can create an address list that contains all recipients in Manchester and another
that contains all recipients in Stuttgart. called Research and Development within the
Manchester address list container that contains all employees who work in Manchester's
Research and Development department.
Best Practices for Creating Address Lists
Although address lists are useful tools for users, poorly planned address lists can cause
frustration. To make sure that your address lists are practical for users, consider the following
best practices:
• Avoid creating so many address lists that users will not be sure in which list to search
for recipients.
• Name your address lists in such a way that, when users glance at them, they will know
immediately which recipient types are contained in the list. If you have difficulty naming
your address lists, create fewer lists and remind users that they can find anyone in your
organization by using the GAL.
For detailed instructions about creating an address list, see How to Create an Address List.
Improvements in Exchange 2007
The following are improvements to address lists in Exchange 2007:
• No longer dependent on the Recipient Update Service In earlier versions of
Exchange, the Recipient Update Service (a component in the Exchange System Attendant
service) updated the address lists and e-mail addresses in Active Directory. In Exchange
2007, changes to e-mail addresses and address lists are applied directly to Active
Directory. As a result, when changes are made to address lists, you can immediately see
the changes in Active Directory Users and Computers without having to wait for RUS to
perform the update.
• Simplified precanned filters In Exchange Server 2003 and Exchange 2000 Server,
the graphical user interface (GUI) for filtering address lists was complex, containing nested
lists that had hundreds of properties. In Exchange Server 2007, the most common filters
are defined as precanned filters, which contain a simple and intuitive filter control.
• Easier custom-filter construction with OPATH filters For the few administrators
that require advanced filtering requirements not met by precanned filters, you can create
122
custom filters that can be defined by using the OPath filter syntax in the Exchange
Management Shell. OPath is a querying language designed to query object data sources.
For more information, see How to Create an Address List By Using Recipient Filters.
• Ability to filter recipient properties Exchange 2007 allows you to filter the results of
a command by using the recipient type. For example, the Get-User, Get-Recipient, GetMailbox, Get-MailUser, Get-Contact, Get-MailContact, Get-Group, GetDistributionGroup, and Get-DynamicDistributionGroup cmdlets all have a Filter
parameter with which you can specify the users or groups to retrieve with the command.
When combined with the Set-Address List or New-AddressList cmdlets, you can specify
a set of users or groups to retrieve by using a filter string. This type of filter does not modify
any configuration or attributes of objects. It only modifies the set of objects that the
command returns. For more information about how to create filters in recipient commands,
see Creating Filters in Recipient Commands.
• Ability to schedule application of address lists at a later time In Exchange 2007,
you can specify when changes to the address list should be applied. You can also specify
the amount of time that the tasks should run. For more information, see How to Edit an
Address List.
For More Information
For more information about address lists, see the following topics:
•
Managing Address Lists
•
Managing Global Address Lists
Understanding E-Mail Address Policies
In Microsoft Exchange Server 2007, recipients (which include users, resources, contacts, and
groups) are any mail-enabled object in the Active Directory directory service to which
Exchange can deliver or route messages. For a recipient to send or receive e-mail messages,
the recipient must have an e-mail address. E-mail address policies generate the primary and
secondary e-mail addresses for your recipients so they can receive and send e-mail.
By default, Exchange contains an e-mail address policy for every mail-enabled user. This
default policy specifies the recipient's alias as the local part of the e-mail address and uses the
default accepted domain. The local part of an e-mail address is the name that appears before
the at sign (@). However, you can change how your recipients' e-mail addresses will display.
For example, you can specify that your recipients' e-mail addresses display as
firstname.lastname@contoso.com.
Furthermore, if you want to specify additional e-mail addresses for all recipients or just a
subset, you can modify the default policy or create additional policies. For example, Figure 18
123
illustrates a configuration in which the recipient David Hamilton can receive e-mail messages
that are addressed to hdavid@mail.contoso.com and hamilton.david@mail.contoso.com.
Figure 18 E-mail address configuration for recipient “David Hamilton”
Improvements in Exchange 2007
Exchange Server 2003 used recipient policies to generate e-mail addresses for recipients in
the organization. However, after the e-mail address policy was created, it was applied only to
new recipients in the organization. Therefore, to improve the management of e-mail address
policies, Exchange 2007 applies the policy to all recipients that match the recipient filtering
criteria.
The following are additional improvements that Exchange 2007 e-mail address policies provide
over Exchange 2003 recipient policies:
124
• In Exchange 2007, the recipient policy functionality is divided into two features: e-mail
address policies and accepted domains.
Note:
A detailed discussion about accepted domains is outside the scope of this topic.
For information about accepted domains, see Managing Accepted Domains.
• Exchange 2007 has eliminated the asynchronous behavior of the
Exchange 2003 Recipient Update Service in favor of a more predictable, synchronous
provisioning process. When you run the Update-EmailAddressPolicy cmdlet in the
Exchange Management Shell, the recipient object is updated with the e-mail address
policy. For detailed syntax and parameter information, see Update-EmailAddressPolicy.
• In Exchange 2007, each time a recipient object is modified and saved,
Exchange 2007 enforces the correct application of the e-mail address criteria and settings.
When an e-mail address policy is modified and saved, all associated recipients are
updated with the change. In addition, if a recipient object is modified, that recipient's e-mail
address policy membership is re-evaluated and enforced.
For More Information
For information about managing e-mail address policies, see Managing E-mail Address
Policies.
For more information about accepted domains, see Managing Accepted Domains.
Understanding Exchange Search
Microsoft Exchange Server 2007 Search is a feature that allows you to quickly search text in
messages through the use of pre-built indexes. By using the Microsoft Search indexing engine
(MSSearch), Exchange Search creates the initial index by crawling all messages in mailboxes
within an Exchange 2007 database. As new messages arrive, Exchange Search updates the
index based on notifications from the Microsoft Exchange Information Store service.
Exchange Search (also known as full-text indexing) allows your users to perform full-text
searches across documents and attachments in messages that are stored in the mailbox
database. Full-text indexes are not stored in your Exchange databases. The search index data
for a particular mailbox database is stored in a directory that resides in the same location as the
database files. By default, Exchange Search is enabled for all new mailbox databases.
Typically, indexes occupy approximately 5 percent of the total mailbox database size, so it
should be safe to allocate 10 percent of the total mailbox size for the indexes.
125
Improvements Over Exchange Server 2003
Content Indexing
The search functionality in Exchange Server 2003 (content indexing) is replaced with
Exchange Search in Exchange 2007. Exchange Search provides the following feature and
functionality improvements over content indexing:
• Utilization of system resources such as CPU, memory, disk I/O, and disk space
required for its indexes is improved, which significantly increases overall performance.
• New messages are typically indexed within 10 seconds of arrival, and query results are
returned within seconds.
• Exchange Search is automatically enabled upon installation and does not require any
configuration.
• Attachments can now be indexed. Several attachment types are supported, including
Microsoft Office documents, text attachments, and HTML attachments.
• Indexing is automatically withheld for a specific mailbox database, which reduces the
disk I/O load. Also, indexing is automatically withheld for the entire Mailbox server, which
reduces both disk I/O and CPU utilization for Exchange Search.
• There is an easily accessible search bar in Microsoft Outlook Web Access 2007 and
query builder support in Microsoft Office Outlook 2007.
Exchange Search and Attachments
Depending on the version of Outlook you use, Exchange Search can search within attachments
as well. The following list shows how you can use various versions of Outlook to include
attachments when searching:
• Outlook 2007. Use the Instant Search feature or Advanced Find to include attachments
in your search. For more information, see Find a message or item by using Instant Search
in Outlook 2007 Help.
Note:
You must be in online mode to include attachments in your search.
• Outlook Web Access 2007. By default, Outlook Web Access 2007 includes
attachments in any text search.
• Outlook 2003. Use the Find or Advanced Find features, with the Subject Field &
Message Body box selected to include attachments in your search.
Note:
You must be in online mode to include attachments in your search.
126
• Outlook 2000. Use the Advanced Find feature (with the Subject Field & Message
Body box selected).
Difference Between Exchange Search and
Exchange Store Search
Exchange Search allows you to quickly search text in messages through the use of pre-built
indexes. Exchange Store Search, however, is based on a sequential scan of all the messages
in the search scope instead of using the pre-built indexes The following list describes some of
the other differences between Exchange Search and Exchange store search:
•
Exchange Search is faster than Exchange store search
• Exchange Search is based on words, phrases, and sentences. Exchange store search
is based on a stream of bytes. This means that Exchange Search will ignore punctuation
and spaces, and is also not case sensitive, whereas Exchange store search will find only
an exact match of all characters.
• Exchange Search searches within attachments types that are supported by the
installed filters. Exchange store search does not search within attachments.
• Exchange Search uses its full-text index to locate records. Exchange store search
performs a serial scan of the entire folder.
•
Exchange Search is not case sensitive. Exchange store search is case sensitive.
• Exchange Search can be used only for text searches. Exchange store search supports
the full set of MAPI restrictions, which includes non-text property types such as date and
time.
Differences Between Using Outlook Online Mode
and Cached Exchange Mode Search
In Outlook 2003 and later versions, users can create either Online or Cached Exchange Mode
profiles to access their e-mail messages. Using a Cached Exchange Mode profile allows users
to work with their e-mail even when a connection to their e-mail server is not available. There
are a several differences between Outlook Cached Exchange Mode and online mode search:
• In Office Outlook 2007, Cached Exchange Mode search uses Windows Desktop
Search, which is a prerequisite for the Outlook 2007 Instant Search(WDS 3.0) feature. If
WDS 3.0 is not installed, Instant Search falls back to the Outlook 2003 model - a sequential
scan of the entire search scope. Outlook 2007 in online mode uses Exchange Search if
possible, and reverts to using Exchange store search if Exchange Search is not available.
• In Outlook 2003, Cached Exchange Mode search does not use an index and runs on
the client computer to sequentially scan every message in the search
127
scope. Outlook 2003online mode search uses Exchange Search by using pre-built indexes,
and reverts to using Exchange store search if Exchange Search is not available.
• Cached Exchange Mode search uses an index that is built on the cached copy of the
user’s offline folder file l (.ost) and runs on the client computer. Online mode searches
occur on the server. While online mode searches have a performance impact on the
Exchange server, they are likely to have better performance because they can use the
resources of a server instead of a client computer.
Exchange Search and Localization
Localization support for Exchange Search is limited to scenarios in which the client locale
matches the message locale (which must also match the language that is used in the message
body). Exchange Search does not support instances where a single message has multiple
languages embedded in the body or where the client locale is different from the message
locale.
To get consistent results for localized searches, the following must be true:
• An e-mail message must be written in a single language and that language must match
the locale of the message.
•
The search expression must be in a single language.
• The language must match the locale of the client computer, as identified by the
connection to the server.
Scenarios Where Exchange Search Could Return
Unexpected Results
The following list describes some of the scenarios where Exchange Search returns unexpected
results:
• Documents that are encrypted with the Digital Rights Management feature will not be
indexed.
• For attachments that do not have associated filters, the attachment will not be indexed,
but the e-mail message will be indexed.
• Advanced search grammar (for instance, typing "From:xyz" in the basic search bar
searches the from: property for the string "xyz) is supported only when Instant Search is
enabled. Instant Search requires that Windows Desktop Search 3.0 is installed. For more
information, see Windows Desktop Search.
128
For More Information
For information about managing Exchange Search, see Managing Exchange Search.
Understanding the Availability Service
The Microsoft Exchange Server 2007 Availability service improves information workers'
calendaring and meeting scheduling experience by providing secure, consistent, and up-todate free and busy information to computers running Microsoft Office Outlook 2007.
Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service. The
Autodiscover service is similar to the Domain Name System (DNS) Web service for
Exchange 2007 Web services. Essentially, the Autodiscover service helps Outlook 2007 locate
various Web services, such as the Unified Messaging (UM), Offline Address Book (OAB), and
Availability services.
Note:
If you have Outlook 2007 clients running on Exchange Server 2003 mailboxes,
Outlook 2007 will use public folders for the free and busy information.
The Availability service is part of the Exchange 2007 programming interface. It will be available
as a public Web service to allow developers to write third-party tools for integration purposes.
Free and busy data is used extensively in meeting scheduling, which is one of the most
frequent activities performed by information workers.
Figure 19 illustrates the process flow for the Availability service.
129
Figure 19 Process flow for Availability service
130
Improvements Over Exchange 2003 Free and
Busy
Table 14 lists the improvements to free and busy functionality that Exchange 2007 provides
over Exchange 2003.
Table 14 Free and busy improvements
Free and busy component
Up-to-date information
Outlook 2003 running on
Outlook 2007 running on
Exchange 2003
Exchange 2007
There was no guarantee that
free and busy information was
up-to-date. There were
multiple factors that caused
free and busy information to
be outdated:
Free and busy information is
guaranteed to be up to date
within a small time period (60
seconds) on all the data
retrieved.
• By default,
Outlook only updated free
and busy information
every 45 minutes.
Furthermore, because of
bandwidth and scalability
issues, you could not
decrease this interval.
• There were latencies
that resulted from public
folder replication.
• In cross-forest
scenarios, there were
delays when you used the
Microsoft Exchange InterOrganization Replication
tool to replicate free and
busy information across
forests.
131
Free and busy component
Outlook 2003 running on
Outlook 2007 running on
Exchange 2003
Exchange 2007
Granularity
The four meeting states
(Free, Tentative, Busy, and
Out-Of-Office) were available
in one stream. To retrieve
appointment details,
additional MAPI calls were
required.
By default, free and busy
information displays the start
and end times for individual
appointments. Additional
calendar properties (such as
Subject and Location) will be
accessible through the
Availability service.
Security
For any authenticated user, all
free and busy data was
available in a public folder.
This meant that any
authenticated user could
delete, modify, or publish
another user's free and busy
information.
Free and busy information
provides increased security,
similar to general calendar
sharing. In compliance with
your company's policy, you
can specify the amount of free
and busy information to share
with a specific user. Because
the Availability service reads
directly from a user's mailbox,
a user cannot modify or
publish another user's free
and busy information.
Publishing frequency
Office Outlook 2003 has a 45minute default publishing
interval.
No publishing is required in an
Exchange 2007 and
Outlook 2007 organization.
Out-of-Office Information
The Availability service also provides access to out-of-office messages for out-of-office
appointments and global out-of-office information.
Information workers use the Out of Office feature in Outlook to alert others when they are
unavailable to respond to e-mail messages. To improve out-of-office management, the
Exchange 2007 implementation of the Out of Office feature makes configuring and managing
out-of-office tasks easier and more flexible for both information workers and administrators.
For more information about the Out of Office feature, see Managing the Out of Office Feature.
132
Performance
You can use the Performance Monitor tool to automatically collect performance data from local
or remote computers that are running Exchange 2007. You can define start and stop times for
automatic log generation, manage multiple logging sessions from a single console window, and
set an alert on a computer that enables a message to be sent or a log to be started when your
criteria are met.
For information about using Performance Monitor, see Windows Server 2003 Monitoring
Features and Tools in the Microsoft Exchange Service Management Guide.
You can use the following performance counters to collect information about the Availability
service:
•
Number of availability request serviced/second
•
Number of availability request dropped/second
•
Number of mailbox queried/second
•
Number of availability service referrals/second
•
Number of requests answered at none level/second
•
Number of requests answered at F/B level/second
•
Number of requests answered at detailed level/second
•
Number of unique user’s mailbox opened
Distribution Group Handling
In Exchange 2007, distribution group expansion has been moved to the Exchange 2007 server.
The primary benefit of moving distribution group expansion to Exchange 2007 is to provide
consistent behavior for any Availability service consumer. In previous versions of Exchange, if
the number of distribution group members was too large, the free and busy data for the
distribution group members would display as busy when expanded.
In Exchange 2007, the following improvements have been made to the handling of distribution
groups:
• The Availability service expands a distribution group up to only two-levels deep,
regardless of the total number of distribution group members.
• A distribution group's free and busy data can expand up to a maximum of one hundred
members.
133
Availability Service API
The Availability service is part of the Exchange 2007 programming interface. It will be available
as a public Web service to allow developers to write third-party tools for integration purposes.
For more information about developing with Exchange 2007 Web services, see Development:
Overview.
For More Information
For more information about the Autodiscover service, see the following topics:
•
Managing Autodiscover
•
How To Enable Outlook 2007 Autodiscovery
•
How to Disable Outlook 2007 Autodiscovery
For more information about providing secure Web communications on the Internet or intranet,
see Creating a Certificate or Certificate Request for TLS.
Understanding Quota Messages
A quota message is an e-mail message that is automatically sent by Microsoft Exchange to the
owners of a mailbox or a public folder when a size limit (called a storage quota) for the mailbox
or public folder is exceeded. You can use the New-SystemMessage, GetSystemMessage, Set-SystemMessage, and Remove-SystemMessage cmdlets in the
Exchange Management Shell to view existing quota messages or to create, view, modify, or
remove customized ones. For more information about customizing quota messages, see How
to Customize Quota Messages.
Storage Quotas
A storage quota is a storage size limit for a mailbox or a public folder. You can use the
Exchange Management Console or the Exchange Management Shell to view or set the storage
quotas for all of the mailboxes or public folders in a database. You can also use the
Exchange Management Console or the Exchange Management Shell to set storage quotas on
a per-mailbox basis, thereby overriding the storage quotas that are set at the database level.
However, storage quotas for individual public folders can be viewed or set only in the
Exchange Management Shell.
For more information about viewing and configuring storage quotas, see the following topics:
•
How to Configure Storage Quotas for a Mailbox Database
•
How to Configure Storage Quotas for a Mailbox
134
•
Set-MailboxDatabase
•
Set-Mailbox
•
How to Configure the Settings of Public Folders
•
Set-PublicFolderDatabase
•
Set-PublicFolder
Quota Messages
By default, Exchange sends a quota message to mailbox or public folder owners when a:
•
Mailbox or public folder exceeds its Issue warning limit (the lowest storage quota).
• Mailbox exceeds its Prohibit send limit or a public folder exceeds its Prohibit post
limit (the middle storage quota).
•
Mailbox exceeds its Prohibit send and receive quota (the highest storage quota).
Quota messages for mailboxes are sent to mailbox owners. If a mailbox is owned by a security
group (that is, if it is a shared mailbox), quota messages are sent to the security group. Quota
messages for public folders are sent to every public folder owner. Owners of mailboxes and
public folders can be users, contacts, or security groups.
Quota messages are sent with high importance and are not subject to storage quotas. They are
always delivered, even if the recipient's mailbox is full.
Exchange Server 2007 can generate quota messages in many languages. For a list of the
supported language locales that are available for use with quota messages, see Supported
Locales for Use with System Messages.
You can use the New-SystemMessage, Get-SystemMessage, Set-SystemMessage, and
Remove-SystemMessage cmdlets in the Exchange Management Shell to view existing quota
messages or to create, view, modify, or remove customized ones. For more information about
customizing quota messages, see How to Customize Quota Messages.
Quota Message Format
There are seven types of quota messages: four for mailboxes and three for public folders. All
quota messages include the following:
•
Text Microsoft Exchange in the From field
•
Brief, non-customizable description of the situation in the Subject field
•
Customizable message in the message body
• Graphical representation of the storage quota and the amount of storage used in the
message body (except for mailboxes or public folders of unlimited size)
135
Default Quota Messages
The following tables list the subject and the default message text for the seven default English
quota messages (four for mailboxes and three for public folders). The default message can be
customized, but the subject text cannot.
For information about customizing quota messages, see How to Customize Quota Messages.
Table 15 Mailbox quota messages
Event
Subject of message
Default message text
Mailbox of unlimited size
exceeds its Issue Warning
quota
Your mailbox is becoming too
large
Please reduce your mailbox
size. Delete any items you
don't need from your mailbox
and empty your Deleted Items
folder.
Mailbox of limited size
exceeds its Issue Warning
quota
Your mailbox is almost full
Please reduce your mailbox
size. Delete any items you
don't need from your mailbox
and empty your Deleted Items
folder.
Mailbox of limited size
exceeds its Prohibit Send
quota
Your mailbox is full
Your mailbox can no longer
send messages. Please
reduce your mailbox size.
Delete any items you don't
need from your mailbox and
empty your Deleted Items
folder.
Mailbox of limited size
exceeds its Prohibit Send
and Receive quota
Your mailbox is full
Your mailbox can no longer
send or receive messages.
Please reduce your mailbox
size. Delete any items you
don't need from your mailbox
and empty your Deleted Items
folder.
Table 16 Public folder quota messages
Event
Subject of message
Default message text
Public folder of unlimited size
exceeds its Issue Warning
quota
Your public folder is becoming
too large
Please reduce the size of your
public folder by deleting any
items you don't need
136
Event
Subject of message
Default message text
Public folder of limited size
exceeds its Issue Warning
quota
Your public folder is almost full Please reduce the size of your
public folder by deleting any
items you don't need.
Public folder of limited size
exceeds its Prohibit Post
quota
Your public folder is full
Users can no longer post
items to this folder. Please
reduce the size of your public
folder by deleting any items
you don't need.
For More Information
For more information about customizing quota messages, see How to Customize Quota
Messages.
For more information about using the Exchange Management Shell to manage quota
messages, see the following topics:
•
New-SystemMessage
•
Get-SystemMessage
•
Set-SystemMessage
•
Remove-SystemMessage
For information about how to manage recipient storage quotas, see Mailbox Recipient Tasks.
Understanding the Exchange 2007 Store
The Exchange store is a storage platform that provides a single repository for managing
multiple types of information in one infrastructure.
Note:
Microsoft Exchange Server 2007 tracks the attributes of its components across
multiple servers by storing the attributes centrally in the Active Directory directory
service, which contains objects for a number of Exchange 2007 components, including
administrative groups, storage groups, and databases.
Note:
To assure the highest possible levels of availability for your Exchange organization,
you can employ specialized and sophisticated storage group and database
management methods. For more information about managing for high availability, see
High Availability Strategies.
137
The following topics in this section provide an overview of the Exchange 2007 store
components:
•
Logical Components of the Exchange Store
This topic provides details about three logical components within the Exchange store:
storage groups, mailbox databases, and public folder databases.
•
File Structure of the Exchange Store
This topic provides details about the files used by the Exchange store,
including Exchange database (.edb) files, transaction logging (.log) files, and checkpoint
(.chk) files.
•
Recommendations for Configuring Storage Groups and Databases
This topic provides recommendations for configuring storage groups and databases,
including database sizing and disk recommendations.
•
Understanding Transaction Logging
This topic provides a detailed description about how transaction logging works, including
circular logging.
Storage Features in Exchange 2007 Enterprise
and Standard Editions
Exchange 2007 is available in two server editions: Standard Edition and Enterprise
Edition. Exchange 2007 Standard Edition is designed to meet the messaging and collaboration
needs of small and medium corporations, and it may also be appropriate for specific server
roles or branch offices. Exchange 2007 Enterprise Edition is designed for large enterprises.
Table 17 lists which storage group and database features are supported in each edition of
Exchange 2007.
Table 17 Storage group and database features supported in each edition of
Exchange 2007
Feature
Standard Edition
Enterprise Edition
Storage groups
Five storage groups are
supported.
50 storage groups are
supported.
Databases
Five databases are
supported.
50 databases are supported.
Single Copy Clusters
Not supported.
Supported.
Local Continuous Replication
Supported.
Supported.
138
Feature
Standard Edition
Enterprise Edition
Cluster Continuous
Replication
Not supported.
Supported.
For More Information
For more information about managing storage groups and databases in Exchange 2007, see
Managing Storage Groups and Databases.
For more information about managing public folders, see Managing Public Folders.
To learn more about storage in Exchange 2007, see the following Exchange Server Team Blog
articles:
Note:
The content of each blog and its URL are subject to change without notice.
•
Configuring, Validating and Monitoring Exchange 2007 Storage
•
Exchange 12 Server Roles and Disk IO
•
Exchange 2007 Mailbox Server Role Storage Requirements Calculator
For more information about storage design, see Going 64-bit with Microsoft Exchange Server
2007.
For a list of the Exchange Management Shell cmdlets that you can use to manage storage
groups and databases, see Storage Group and Database Cmdlets.
For more information about cluster continuous replication, see Cluster Continuous Replication.
For more information about local continuous replication, see Local Continuous Replication.
For more information about single copy clusters, see Single Copy Clusters.
Logical Components of the Exchange
Store
The Exchange store has several logical components that interact with each other. These
components can reside on a single server, or they can be distributed across multiple servers.
This topic provides details about the following primary components of the Exchange store:
•
Storage groups (including recovery storage groups)
•
Mailbox databases
•
Public folder databases
139
Storage groups
An Exchange storage group is a logical container for Exchange databases and their associated
system and transaction log files.
Storage groups are the basic unit for backing up and restoring data in
Microsoft Exchange (although you can restore a single database). All databases in a storage
group share a single backup schedule and a single set of transaction log files.
Exchange Server 2007 Enterprise Edition supports up to 50 storage groups.
Exchange 2007 Standard Edition supports up to five storage groups.
For information about managing storage groups, see Managing Storage Groups and
Databases and Understanding the Exchange 2007 Store.
Recovery Storage Groups
A recovery storage group (RSG) is a special administrative storage group that allows you to
mount mailbox databases and extract data from those databases. RSGs also allow you to
recover data from a backup or copy of a database without disturbing user access to current
data.
In Exchange 2007, RSGs are created and managed by using the Exchange Management Shell
or by using the Microsoft Exchange Server Disaster Recovery Analyzer Tool. You cannot
manage RSGs by using the Exchange Management Console, and RSGs are also not visible in
the Exchange Management Console.
For more information about RSGs, see Understanding Recovery Storage Groups.
Mailbox Databases
Mailbox databases contain the data, data definitions, indexes, checksums, flags, and other
information that comprise mailboxes in Exchange 2007. Mailbox databases hold data that is
private to an individual user and contain mailbox folders that are generated when a new
mailbox is created for that user. A mailbox database is stored as an Exchange database (.edb)
file.
Exchange 2007 Enterprise Edition supports a total of 50 databases. Exchange 2007 Standard
Edition supports a total of five databases. Both editions support a maximum of five databases
per storage group, and all five databases can be mailbox databases.
For information about managing mailbox databases, see Managing Mailbox Databases.
140
Public Folder Databases
Public folder databases contain the data, data definitions, indexes, checksums, flags, and other
information that comprise any public folders in your Exchange organization. Both editions of
Exchange 2007 support only one public folder database per server.
In Exchange 2007, you manage public folders by using the Exchange Management Shell. (You
can also perform a limited number of public folder database management tasks in the
Exchange Management Console.) For more information about managing public folders, see
Managing Public Folders and Understanding Public Folders.
For More Information
For more information about the file structure of the Exchange store, see File Structure of the
Exchange Store.
For recommendations about configuring storage groups and databases, see
Recommendations for Configuring Storage Groups and Databases.
File Structure of the Exchange Store
You manage the Exchange store by working with its logical components, such as storage
groups and databases. However, Microsoft Exchange Server 2007 stores data in a specialized
set of data files, such as Exchange database (.edb) files, transaction logging (.log) files, and
checkpoint (.chk) files. Unless you are backing up or restoring data, you will rarely interact with
these files directly.
Storage Group Files
Each storage group corresponds to an instance of the Extensible Storage Engine (ESE). On
each Exchange server, Exchange 2007 creates data directories for each storage group. The
data directory contains the database files for each of the databases in the storage group as
well as the log files for the storage group. Figure 20 illustrates the file structure that
corresponds to a specific logical structure as defined in the Exchange Management Console.
141
Figure 20 Logical structure of the storage groups and databases on a single server and
the resulting file structure
142
Database (.edb) Files
Exchange database (.edb) files are the repository for mailbox data. They are accessed by the
ESE directly and have a B-tree structure that is designed for quick access, thereby enabling
users to access any page of data within four I/O cycles. The Exchange database is composed
of multiple B-trees, with ancillary trees that work with the main tree by holding indexing and
views.
Note:
Exchange 2007 does not use the stream (.stm) file format that was used in
Exchange Server 2003. Data that was formerly divided between .edb and .stm files is
now stored only in .edb files.
Log (.log) Files
Exchange 2007 writes operations (such as creating or modifying a message) to a log (.log) file
for that database's storage group. Committed transactions are later written to the database
itself (in an .edb file). This approach guarantees that all completed and in-progress transactions
are logged, so data integrity is maintained in case of a service interruption. The databases in a
storage group share a single set of transaction logs that are named with consecutive numbers
(for example, E0000000001.log and E0000000002.log).
Checkpoint (.chk) Files
Checkpoint (.chk) files store information that indicates when a transaction is successfully saved
to the database files on the hard disk. Exchange 2007 uses checkpoint files to allow an
instance of the ESE to automatically replay log files into an inconsistent database when
recovering from a service interruption, starting with the next unwritten transaction.
For more information about transaction logging, see Understanding Transaction Logging.
For More Information
For recommendations about configuring storage groups and databases, see
Recommendations for Configuring Storage Groups and Databases.
• For more information about managing storage groups and databases in
Exchange 2007, see Managing Storage Groups and Databases.
143
Recommendations for Configuring Storage
Groups and Databases
This topic provides recommendations for the following Microsoft Exchange Server 2007
storage group and database configurations:
•
Database sizing
•
Databases per storage group
•
Disk configuration
Recommended Database Sizing
Determining the best database size requires the evaluation of many factors. Smaller databases
are generally better because they can be backed up and restored more quickly than larger
databases. However, database size should be balanced against other factors, especially
capacity and complexity. Immediately deploying the maximum number of databases may add
unnecessary complexity to your system. For example, you may end up managing more
databases and logical unit numbers (LUNs) than is necessary.
We recommend that Exchange databases be approximately 50 gigabytes (GB) in size.
On servers that do not use local continuous replication (LCR), we recommend that you limit the
database size to 100 GB. On servers that use LCR, we recommend that you limit the database
size to 200 GB. For more information, see Local Continuous Replication and Planning Disk
Storage.
Recommended Databases per Storage Group
We recommend that you place each new database in its own storage group until the maximum
number of storage groups is reached. This recommendation allows you to spread the load of
mailboxes across as many databases and storage groups as possible. It also creates an
Exchange storage topology that can be managed more easily. Such a topology has the
following advantages:
•
Databases can be smaller.
•
Log files and log traffic are not shared between multiple databases.
•
Drive input/output (I/O) can be better managed.
•
Recoverability is improved.
Databases in a storage group are not fully independent because they share transaction log
files. As the number of databases in a storage group increases, more transaction log files are
created during normal operation. This larger number of transaction log files requires additional
144
time for transaction log replay during recovery procedures. An increase in time for transaction
log replay consequently results in an increase in recovery times. If you implement LCR or
cluster continuous replication (CCR), you are limited to one database per storage group.
For more information about LCR and CCR, see Local Continuous Replication and Cluster
Continuous Replication.
For more information about transaction logging, see Understanding Transaction Logging.
For more information about disaster recovery, see Disaster Recovery Strategies.
Recommended Disk Configuration
Because I/O to log files is sequential and I/O to database files is random, for increased
performance, we recommend placing log files on a separate disk from database files. By using
one log file for many databases, you can reduce the number of disks that are required.
However, there are two disadvantages to this approach:
• If the disk that contains the log files fails, multiple databases are corrupted or lost
instead of just one.
•
Recovery from log files takes longer because the logs replay data for more databases.
For more information about disk configuration, see Planning Disk Storage.
For maximum performance and reliability, we recommend that even comparatively simple
systems, such as systems that contain a single storage group, should also place log files and
database files on separate disks.
For More Information
For more information about managing storage groups and databases in Exchange 2007, see
Managing Storage Groups and Databases.
For information about managing public folders, see Managing Public Folders.
For information about managing mailbox databases, see Managing Mailbox Databases.
To learn more about storage in Exchange 2007, see the following Exchange Server Team Blog
articles:
Note:
The content of each blog and its URL are subject to change without notice.
•
Configuring, Validating and Monitoring Exchange 2007 Storage
•
Exchange 12 Server Roles and Disk IO
•
Exchange 2007 Mailbox Server Role Storage Requirements Calculator
145
For more information about storage design, see Going 64-bit with Microsoft Exchange Server
2007.
For a list of the Exchange Management Shell cmdlets that you can use to manage storage
groups and databases, see Storage Group and Database Cmdlets.
Understanding Transaction Logging
This topic describes the details of transaction logging in Microsoft Exchange Server 2007 and
includes a brief description of circular logging.
Exchange Server transaction logging is a robust disaster recovery mechanism that is designed
to reliably restore an Exchange database to a consistent state after any sudden stop of the
database. The logging mechanism is also used when restoring online backups.
Exchange Transaction Logging
Before changes are made to an Exchange database file, Exchange writes the changes to a
transaction log file. After a change has been safely logged, it can then be written to the
database file. It is common for these changes to become available to end users just after the
changes have been secured to the transaction log, but before they have been written to the
database file.
Exchange employs a sophisticated internal memory management system that is tuned for high
performance and can efficiently manage the caching of dozens of gigabytes (GBs) of database
pages. Therefore, physically writing out changes to the database file is a low-priority task during
normal operation.
If a database suddenly stops, cached changes are not lost just because the memory cache
was destroyed. When the database restarts, Exchange scans the log files, and reconstructs
and applies any changes not yet written to the database file. This process is called replaying
log files. The database is structured so that Exchange can determine whether any operation in
any log file has already been applied to the database, needs to be applied to the database, or
does not belong to the database.
Rather than write all log information to a single large file, Exchange uses a series of log files,
each exactly one megabyte, or 1,024 kilobytes (KB), in size. When a log file is full,
Exchange closes it and renames it with a sequential number. The first log that is filled ends with
the name Enn00000001.log. The nn refers to a two-digit number known as the base name or
log prefix.
Log files for each storage group are distinguished by file names with numbered prefixes (for
example, E00, E01, E02, or E03). The log file currently open for a storage group is simply
named Enn.log—it does not have a sequence number until it has been filled and closed.
146
The checkpoint file (Enn.chk) tracks how far Exchange has progressed in writing logged
information to the database files. There is a checkpoint file for each log stream, and a separate
log stream for each storage group. Within a single storage group, all the databases share a
single log stream. Thus, a single log file often contains operations for multiple databases.
Log files are numbered in a hexadecimal manner, so the log file after E0000009.log is
E000000A.log, not E000010.log. You can convert log file sequence numbers to their decimal
values by using the Windows Calculator (Calc.exe) application in Scientific mode. To do this,
run Calc.exe, and then, from the View menu, click Scientific.
To view the decimal sequence number for a specific log file, you can examine its header by
using the Exchange Server Database Utilities (Eseutil.exe) tool. The first 4-KB page of each log
file contains header information that describes and identifies the log file and the databases it
belongs to. The command Eseutil /ml [log file name] displays the header information. For
more information about Eseutil, see Eseutil.
If you use the wrong switch for displaying a header (for example, by using /ml with a database
header instead of /mh), an error is displayed or the header information that is displayed may be
garbled or incorrect.
You cannot view the header of a database while it is mounted. You also cannot view the header
of the current log file (Enn.log) while any database in the storage group is mounted.
Exchange holds the current log file open as long as one database is using it. You can, however,
view the checkpoint file header while databases are mounted. Exchange updates the
checkpoint file every thirty seconds, and its header is viewable except during the moment when
an update is occurring.
As an Exchange administrator, it is valuable to understand Exchange file headers. If you
understand the file headers, you can determine which database and log files belong together
and which files are needed for successful recovery.
In the following log file header example, note the first four lines.
Base name: e00
Log file: e00.log
lGeneration: 11 (0xB)
Checkpoint: (0xB,7DC,6F)
These log file header lines show that this log file is the current log file because the log file name
does not have a sequence number. The lGeneration line shows that when the log is filled
and closed, its sequence number will be B, corresponding to the decimal value 11. The base
name is e00, and therefore the final log file name will be E000000B.log.
The Checkpoint value in the previous header example is not actually read from the log file
header, but it is displayed as if it were. Eseutil.exe reads the Checkpoint value directly from
Enn.chk, so you do not have to enter a separate command to learn where the checkpoint file is.
If the checkpoint file has been destroyed, the Checkpoint value reads NOT AVAILABLE. In
this case, the checkpoint is in the current log file (0xB), and the numbers 7DC and 6F indicate
147
how far into the log file the checkpoint is. Note that you will seldom have a practical need for
this information.
If the checkpoint file is destroyed, Exchange can still recover and replay log files appropriately.
But to do so, Exchange begins scanning log files, beginning with the oldest file available,
instead of starting at the checkpoint log. Exchange skips data that has already been applied to
the database and works sequentially through the logs until data that must be applied is
encountered.
Typically, it takes only one or two seconds for Exchange to scan a log file that has already been
applied to the database. If there are operations in a log file that must be written to the
database, it can take anywhere from 10 seconds to several minutes to apply them. On
average, a log file's contents can be written to the database in 30 seconds or less.
When an Exchange database shuts down normally, all outstanding data is written to the
database files. After normal shutdown, the database file set is considered consistent, and
Exchange detaches it from its log stream. This means that the database files are now selfcontained—they are completely up to date. The transaction logs are not required to start the
database files.
You can tell whether a database has been shut down cleanly by running the command
Eseutil /mh and examining the file headers.
With all databases in a storage group disconnected and in a Clean Shutdown state, all log files
can be safely deleted without affecting the databases. If you were then to delete all log files,
Exchange would generate a new sequence of logs starting with Enn00000001.log. You could
even move the database files to a different server or storage group that has existing log files,
and the databases would attach themselves to a different log stream.
Note:
Although you can delete the log files after all databases in a storage group have been
shut down, doing so will affect your ability to restore older backups and roll forward.
The current database no longer needs the existing log files, but they may be necessary
if you must restore an older database.
If a database is in a Dirty Shutdown state, all existing transaction logs from the checkpoint
forward must be present before you can mount the database again. If these logs are
unavailable, you must repair the database by running the command Eseutil /p to make the
database consistent and ready to start.
Caution:
If you have to repair a database, some data may be lost. Data loss is frequently
minimal; however, it may be catastrophic. After running Eseutil /p on a database, you
should completely repair the database with the following two operations: First, run
Eseutil/d to defragment the database. This operation discards and rebuilds all
database indexes and space trees. Second, run the Information Store Integrity
Checker (Isinteg.exe) tool in its –fix mode. This tool scans the database for logical
148
inconsistencies that are created by discarding outstanding transaction logs. For
example, there may be references in the database that are not up to date with each
other. Isinteg.exe attempts to correct such problems with the minimum data loss
possible.
In addition to allowing Exchange to recover reliably from an unexpected database stop,
transaction logging is also essential to making and restoring online backups. For more
information about making and restoring online backups, see Database Backup and Restore.
Circular Logging
Although it is not recommended as a best practice, you can configure Exchange to save disk
space by enabling circular logging. Circular logging allows Exchange to overwrite transaction
log files after the data that the log files contain has been committed to the database. However,
if circular logging is enabled, you can recover data only up until the last full backup.
In the standard transaction logging that is used by Exchange 2007, each database transaction
in a storage group is written to a log file and then to the database. When a log file reaches one
megabyte (MB) in size, it is renamed and a new log file is created. Over time, this results in a
set of log files. If Exchange stops unexpectedly, you can recover the transactions by replaying
the data from these log files into the database. Circular logging overwrites and reuses the first
log file after the data it contains has been written to the database.
In Exchange 2007, circular logging is disabled by default. By enabling it, you reduce drive
storage space requirements. However, without a complete set of transaction log files, you
cannot recover any data more recent than the last full backup. Therefore, in a normal
production environment, circular logging is not recommended.
Note:
If local continuous replication (LCR) is enabled, you cannot enable circular logging.
For information about how to enable and disable circular logging in Exchange 2007, see How
to Enable and Disable Circular Logging for a Storage Group.
Lost Log Resilience and Transaction Log
Activity in Exchange 2007
This topic discusses a new feature called lost log resilience (LLR) and a companion function
called log roll. These features are new in Microsoft Exchange Server 2007 and are present on
all Mailbox servers. However, the behavior of these features depends on the configuration of
the Mailbox server.
149
Lost Log Resiliency
In Exchange 2007, a new feature of Extensible Storage Engine (ESE), LLR, enables you to
recover Exchange databases even if one or more of the most recently generated transaction
log files have been lost or damaged. LLR is an internal ESE component that works with cluster
continuous replication (CCR). Specifically, LLR works with CCR by enabling a mailbox
database in a CCR environment to mount even when recently generated log files are
unavailable. The most common cause of this condition is a lossy failover, which is also known
as a scheduled outage. For more information about lossy failovers, see Scheduled and
Unscheduled Outages. LLR is enabled only on the active node in a CCR environment. LLR is
not used by the passive node, and the passive node is always kept as up to date as possible.
LLR works by delaying writes to the database until the specified number of log generations
have been created. The order of write operations of Exchange data is always memory, log file,
and then database. LLR delays updates to the database for a short time. In the event of a
failover, if the maximum number of lost logs has not been reached or exceeded, the database
will mount.
An administrator determines the maximum number of logs that can be lost before the database
cannot be mounted by setting the AutoDatabaseMountDial parameter. This parameter, which is
represented in the Active Directory directory service by an Exchange attribute called
msExchDataLossForAutoDatabaseMount, has three values: Lossless, Good Availability, and
Best Availability. Lossless is 0 logs lost, Good Availability is 3 logs lost, and Best Availability,
which is the default, is 6 logs lost. For detailed steps about how to configure these values, see
How to Tune Failover and Mount Settings for Cluster Continuous Replication. When configuring
the system for Good Availability or Best Availability, do not use spaces (for example, use
GoodAvailability and BestAvailability).
By default, LLR is enabled and active on all Exchange 2007 Mailbox servers. However, the
number of logs that can be lost is configurable only for clustered mailbox servers that have
been deployed in a CCR environment. The AutoDatabaseMountDial parameter is used only by
clustered mailbox servers in a CCR environment.
Transaction Log Roll
A mechanism called log roll is used to further minimize data loss. Log roll works by periodically
closing the current transaction log file and creating the next generation. This mechanism helps
LLR, and in turn CCR, to reduce database inconsistency that results from lost log files. It is
intended primarily to minimize data loss after a lossy failover.
Important:
The log roll mechanism generates transaction logs even in the absence of user or
other database activity.
150
Rolling a log forward means that the current (Exx.log) log file is closed and a new transaction
log file is generated, even if the current log file is not full. For more information about
transaction logging, see Understanding Transaction Logging.
Log Roll Size
For a log roll of significant size to develop in a storage group, the following conditions must be
met:
•
The storage group must have a mailbox database.
•
The storage group must have little user activity that creates transaction logs.
• The storage group must have one or more mailboxes that are frequently logged on to
by a process or by an application.
The maximum number of log files that will be generated each day for an idle storage group
depends on the configuration of the Mailbox server. The maximum number of log files per idle
storage group for each Mailbox server configuration is listed in Table 14.
Table 18 Maximum number of log files per idle storage group for each Mailbox server
configuration
Mailbox server configuration
Maximum number of transaction log files
generated per day by an idle storage group
•
Stand-alone (with and without LCR)
•
Single copy cluster
•
CCR with Lossless availability
96
CCR with Good Availability
384
CCR with Best Availability
675
Mailbox servers generally create more transaction logs than the value shown in the preceding
table because of user activity, online maintenance, and other factors.
Extensible Storage Engine Architecture
Exchange mailbox databases and the queue on Hub Transport servers and Edge Transport
servers utilize the Extensible Storage Engine (ESE) database. ESE is a multi-user, indexed
sequential access method (ISAM) table manager with full data manipulation language (DML)
and data definition language (DDL) capability. ESE allows applications to store records and
create indexes to access those records in different ways.
151
There are two versions of ESE:
• ESENTl The database engine for Active Directory and many Microsoft Windows
components. Unlike other versions of ESE (which use five MB log files and four KB page
sizes), the Active Directory implementation of ESENT uses ten MB log files and eight KB
pages.
• ESE98 The database engine in Exchange 2000 Server, Exchange Server 2003, and
Exchange Server 2007.
• ESE was previously known as Joint Engine Technology (JET) Blue. JET Blue is not the
same as the version of JET found in Microsoft Access (known as "JET Red").
Transactions
ESE is a sophisticated, transaction-based database engine. A transaction is a series of
operations that are treated as an atomic (indivisible) unit. All operations in a transaction are
either completed and permanently saved, or no operations are performed. Consider, for
example, the operations involved when moving a message from the Inbox to your Deleted
Items folder. The message is deleted from one folder, added to another folder, and the folder
properties are updated. If a failure occurs, you do not want two copies of the message, no
copies at all, or folder property values (such as item count) that are inconsistent with the actual
folder contents.
To prevent problems such as this, ESE bundles operations inside a transaction. ESE makes
sure that none of the operations are permanently applied until the transaction is committed to
the database file. When the transaction is committed to the database file, all the operations are
permanently applied.
If a server stops responding, ESE also handles automatic recovery when you restart the server
and rolls back any uncommitted transactions. If ESE fails before a transaction is committed, the
entire transaction is rolled back, and it is as if the transaction never occurred. If ESE stops
responding after the transaction is committed, the entire transaction is persisted, and the
changes are visible to clients.
ACID Transactions
Transactions such as those listed in the previous section are generally referred to as
ACIDtransactions. ACID is an acronym for the following attributes:
• Atomic This term indicates that a transaction state change is all or none. Atomic state
changes include database changes, and messages and actions on transducers.
• Consistent This term indicates that a transaction is a correct transformation of the
state. The actions taken as a group do not violate any one of the integrity constraints
associated with the state. This requires that the transaction be a correct program.
152
• Isolated This term indicates that even though transactions run at the same time, it
appears to each transaction (t), that other transactions executed either before t or after t,
but not both.
• Durable Committed transactions are preserved in the database, even if the system
stops responding.
The Version Store
The version store enables ESE to track and manage current transactions. Therefore, ESE can
pass the Isolated and Consistent parts of the ACID test. The version store maintains an inmemory list of modifications that were made to the database.
The version store is used in the following situations:
• Rollback If a transaction must roll back, it examines the version store to get the list of
operations it performed. By performing the inverse of all the operations, the transaction can
be rolled back.
• Write-conflict detection If two different sessions try to modify the same record, the
version store notices and rejects the second modification.
• Repeatable reads When a session starts a transaction, it always encounters the
same view of the database, even if other sessions modify the records that it is viewing.
When a session reads a record, the version store is consulted to determine what version of
the record the session should view. Repeatable reads provide an isolation level in which,
after a client starts a transaction, it views the state of the database as it was when the
transaction began, regardless of modifications made by other clients or sessions.
Repeatable reads are implemented by using the version store. With an in-memory list of
modifications made to the database, it can be determined what view of a record any
particular session should view.
• Deferred before-image logging This is a complex optimization that lets ESE log less
data than other comparable database engines.
Snapshot Isolation
After a transaction starts, ESE guarantees that the session views a single, consistent image of
the database, as it exists at the start of its transaction, plus its own changes. Because other
sessions can also modify the data and commit their transactions, these changes are invisible to
any transaction that started before the commit. A user can modify a record only if that user is
viewing the latest version. Otherwise, the update fails with JET_errWriteConflict. Versions
earlier than the latest transaction are automatically discarded.
ESE features a transaction isolation level called Snapshot Isolation. Snapshot Isolation level
allows users to access the last committed row using a transitionally consistent view of the
153
database. Snapshot Isolation is a concurrency control algorithm that was first described in the
paper A Critique of ANSI SQL Isolation Levels. Snapshot Isolation is implemented by ESE by
using repeatable reads.
ESE Database Structure
All data inside the rich-text database file is stored in B-trees. The "B" in B-tree, means
"balanced." "Tree" refers to an arrangement that is similar to a folder structure on a file system,
where a root is the parent of items (database pages) that in turn are parents to additional items.
B-trees are designed to provide fast access to data on disk. Because reading from and writing
to a disk is much slower than performing those operations in memory, a B-tree is divided into
four KB pages. This enables ESE to get the data it needs by using the minimum number of
Disk I/Os. An ESE database can contain up to 2^32 (2 to the 32nd power) pages or 16
terabytes. In reality, database size is limited only by your ability to back up, restore, and
perform other maintenance operations on the database (such as offline defragmentation and
database repairs) in a timely manner.
Database Pages
The page size in ESE is defined by the application that uses it. For example, ESE98 (Exchange
2000 Server and Exchange Server 2003) use four KB pages, whereas ESENT (Active
Directory) uses eight KB pages. Each of these four KB or eight KB pages contains pointers to
other pages or to the actual data that is being stored in the B-tree. The pointer and data pages
are intermixed in the file.
To increase performance wherever possible, pages are cached in a memory buffer for as long
as possible. This reduces the need to go to disk. Each page starts with a 40-byte page header,
which includes the following values:
•
pgnoThis This value indicates the page number of the page.
•
DbtimeDirtied This value indicates the Dbtime the page was last modified.
•
pgnoPrev This value indicates the page number of the adjacent left page on the leaf.
• pgnoNext This value indicates the page number of the adjacent right page on the
leaf.
• ObjidFDP This value indicates the Object ID of a special page in the database,
referred to as Father of the Data Page (FDP), which indicates which B-tree this page
belongs to. The FDP page is used during repair.
•
cbFree This value indicates the number of bytes available on the page.
• cbUncommittedFree This value indicates the number of uncommitted bytes
available (bytes that are free but available for reclaim by rollback) on the page.
154
• ibMicFree This value indicates the page offset for the next available byte at the top of
the page.
ECC Checksum
Error Correcting Code (ECC) Checksum enables the correction of single-bit errors in database
pages (in the .edb file).
It consists of two 32-bit checksums. The first is an XOR checksum in which the page number is
used as a seed in the calculation. The second 32-bit checksum is an ECC checksum, which
allows for the correction of single-bit errors on the page.
Database Consistency and -1018 Errors
When a page is read, ESE examines a flag on the page to see whether the page has the
current checksum format. The appropriate checksum is then calculated. If there is a checksum
mismatch with the current format checksum, ESE tries to correct the error. If the error cannot
be automatically corrected, Exchange reports a -1018 error.
The Exchange store might be responsible for self-generating a -1018 error, if the Exchange
store does one of the following:
•
Constructs a page that has the wrong checksum.
• Constructs a page correctly, but tells the operating system to write the page in the
wrong location.
If a system administrator encounters a -1018 error or runs diagnostic hardware tests against
the server and these tests report no issues, the administrator might conclude that Exchange
must be responsible for the issue, because the hardware passed the initial analysis.
Frequently, additional investigation by Microsoft or hardware vendors uncovered subtle issues
in hardware, firmware, or device drivers that are actually responsible for damaging the
database file.
Ordinary diagnostic tests might not detect all the transient faults for several reasons. Issues in
firmware or driver software might fall outside the capabilities of diagnostic programs. Diagnostic
tests might be unable to adequately simulate long run times or complex loads. Also, the
addition of diagnostic monitoring or debug logging might change the system enough to prevent
the issue from appearing again.
The simplicity and stability of the Exchange mechanisms that generate checksums and write
pages to the database file suggest that a -1018 error is probably caused by something other
than Exchange. The checksum and incorrect page detection mechanisms are simple and
reliable, and have remained fundamentally the same since the first Exchange release, except
for minor changes to adapt to database page format changes between database versions.
155
A checksum is generated for a page that is about to be written to disk, after all other data is
written to the page, including the page number itself. After Exchange adds the checksum to the
page, Exchange instructs the Microsoft Windows Server operating system to write the page to
disk by using standard, published Windows Server APIs.
The checksum might be generated correctly for a page, but the page might be written to the
wrong location on the hard disk. This can be caused by a transient memory error, such as a "bit
flip." For example, suppose Exchange constructs a new version of page 70. The page itself
does not experience an error, but the copy of the page number that is used by the disk
controller or by the operating system is randomly changed. This problem can occur if 70 (binary
1000110) has been changed to 6 (binary 000110) by an unstable memory cell. The page's
checksum is still correct, but the location of the page in the database is now wrong. Exchange
reports a -1018 error for the page when it detects that the logical page number does not match
the physical location of the page.
Another kind of page numbering error (caused by Exchange) may occur if Exchange writes the
wrong page number on the page itself. But this causes other errors, not the -1018 error. If
Exchange writes 71 on page 70, and then performs the checksum on the page correctly, the
page is written to location 71 and passes both the page number and checksum tests.
Frequently, a single -1018 error that is reported in an Exchange database does not cause the
database to stop or result in a symptom other than the presence of the -1018 error itself. The
page might be in a folder that is infrequently accessed (for example, the Sent or Deleted Items
folders), or in an attachment that is seldom opened, or even empty.
Even though a single -1018 error is unlikely to cause extensive data loss, -1018 errors are still
cause for concern because a -1018 error is proof that your storage system did not reliably store
or retrieve data at least one time. Although the -1018 error might be a transient issue that never
occurs again, it is more likely that this error is an early warning of an issue that will become
progressively worse. Even if the first -1018 error is on an empty page in the database, you
cannot know which page might be damaged next. If a critical global table is damaged, the
database might not start, and database repair might be partly or completely unsuccessful.
After a -1018 error is logged, you must consider and plan for the possibility of imminent failure
or additional random damage to the database, until you find and eliminate the root cause.
Database Tree Balancing
One of the primary functions of ESE is to keep the database tree balanced at all times. The
process of balancing the tree is finished when all the pages are either split or merged. As you
can see in figure 21, the same number of nodes is always at the root level of the tree as is at
the leaf level of the tree. Therefore, the tree is balanced.
156
Figure 21 Balanced tree
Note:
Although the trees inside an ESE database are generally referred to as B-trees, they
are actually B+ trees. B+ trees include all the characteristics of B-trees, but additionally
each data page in the B+ tree has page pointers to its previous and next adjacent page
on the leaf. Although there is an overhead during insertion or split and merge
operations to keep these pointers up-to-date, the pointers allow for faster sequential
seeking through the data in the B+ tree structure.
From an ESE perspective, a database table is a collection of B-trees. Each table consists of
one B-tree that contains the data, although there can be many secondary index B-trees used to
provide different views of the data. If a column or field in a table becomes too wide to store in
the B-tree, it is divided to a separate B-tree, named the long-value tree.
The definition of these tables and their associated B-trees is stored in another B-tree, named
the system catalog. Loss of the system catalog is a serious problem. Therefore, ESE keeps two
identical copies of this B-tree in each database.
Split
When a page becomes almost full, about half the data is put on a secondary page and an extra
key is put in the secondary page's parent page. This process is performed unless the parent
page is also full. In this event, the parent page is split, and a pointer is added to this page's
parent page. Ultimately, every pointer page up to the root block might need to be split. If the
root block needs to be split, an additional level of pages is inserted into the tree. Figuratively
speaking, the tree grows in height.
Merge
When a page is almost empty, it is merged with an adjacent page, the pointers in the parent
page are updated, and if it is required, the page is merged. Ultimately, if every pointer page up
157
to the root block is merged, the tree shrinks in height. To obtain to a leaf (data), ESE starts at
the root node and follows the page pointers until it gets to the desired leaf node.
Fan-Out
The tree structure of an ESE B-tree has very high fan-out. High fan-out means ESE can reach
any piece of data in a 50 GB table with no more than four disk reads (three pointer pages and
the data page itself). ESE stores over 200 page pointers per four KB page, enabling ESE to
use trees with a minimal number of parent/child levels (also called shallow trees). ESE also
stores a key of the current tree, which enables ESE to quickly search down the current tree.
The preceding diagram is a tree with three parent/child levels; a tree with four parent/child
levels can store many gigabytes of data.
Indexes
A traditional B-tree is indexed in only one particular way. It uses one key, and the data must be
retrieved using that key. For example, the records in the messages table are indexed on a
message's unique identifier, called the message transfer service (MTS)-ID. However, a user
probably wants to view the data in the messages table ordered in a more user friendly format.
Indexes, or more specifically, secondary indexes, are used to retrieve the data. Each secondary
index is another B-tree that maps the chosen secondary key to the primary key. This makes Btrees small compared to the data they index.
To understand how a secondary index is used, consider what occurs when a user changes the
way messages are presented in a messaging folder. If you change your folder view in Outlook
so that subject, instead of received time, orders the view, Outlook causes the store and ESE to
build a new, secondary index on your message folder table.
When you change views on a large folder for the first time, you will experience a delay. If you
look closely at the server, you see a small spike in disk activity. When you switch to that view
again, the index is already built, and the response is much quicker.
The Microsoft Exchange Information Store services' secondary index B-trees live for eight
days. If they are not used, the Microsoft Exchange Information Store service deletes them as a
background operation.
Long-Values
A column or a record in ESE cannot span pages in the data B-tree. There are values (such as
PR_BODY, which is the message body of a message) that break the 4KB boundary of a page.
These are referred to as long-values (LV). A table's long-value B-tree is used to store these
large values.
158
If a piece of data is entered in an ESE table, and it is too large to go into the data B-tree, it is
divided into four KB sized pages and stored in the table's separate long-value B-tree. The
record in the data B-tree contains a pointer to the long-value. This pointer is called the longvalue ID (LID) and means that the record has a pointer to LID 256.
Record Format
A collection of B-trees represents a table, and a table is a collection of rows. A row is also
called a record. A record consists of many columns. The maximum size of a record, and
therefore the number of columns that appear in a single record, is governed by the database
page size, minus the size of the header. ESE has a four KB-page size. Therefore, the
maximum record size is approximately 4,050 bytes (4,096 bytes, minus the size of the page
header).
Column Data Types
Each column definition must specify the data type that is stored in the column. ESE supports
the data types described in the following table.
Table 19 Extensible Storage Engine column data types
Column Data Types
Description
Bit
NULL, 0, or non-0
Unsigned Byte
1-byte unsigned integer
Short
2-byte signed integer
Unsigned Short
2-byte unsigned integer
Long
4-byte signed integer
Unsigned Long
4-byte unsigned integer
LongLong
8-byte signed integer
Currency
8-byte signed integer
IEEE Single
4-byte floating-point number
IEEE Double
8-byte floating-point number
Date Time
8-byte date-time (integral date, fractional time)
GUID
16-byte unique identifier
Binary
Binary string, length <= 255
Text
ANSI or Unicode string, length <= 255 bytes
159
Column Data Types
Description
Long Binary
Large value binary string, length < 2 GB
Long Text
Large value ANSI or Unicode string, length < 2
GB
The column data types fall into two categories. The first category is fixed and variable columns.
The second category is tagged columns. Each column is defined as a 16-byte FIELD structure,
plus the size of the column name.
When a table is created in an ESE database, the table is defined by using an array of FIELD
structures. This array identifies the individual columns in the table. Within this array, each
column is represented through an index value, called the column ID. This is similar to an
ordinary array in which you can reference array members by ID, such as array[0], array[1], and
so on. Columns are quickly accessed by ID, but a search by column name requires a linear
scan through the array of FIELD structures.
Fixed and Variable Columns
Fixed columns contain a fixed data length. Each record occupies a defined amount of record
space, even if no value is defined. Data type IDs 1 to 10 can be defined as fixed columns. Each
table can define up to 126 fixed columns (column ID 1 to 127).
Variable columns can contain up to 256 bytes of data. An offset array is stored in the record
with the highest variable column set. Each column requires two bytes. Data type Ids 10 and 11
can be defined as variable columns. Each table can define up to 127 variable columns (column
ID 128 to 256).
Tagged Columns
ESE defines columns that occur rarely or have multiple occurrences in a single record as
tagged columns. An undefined tagged column incurs no space overhead. A tagged column can
have repeated occurrences in the same record. If a tagged column is represented in a
secondary index, each distinct occurrence of the column is referenced by the index.
Tagged columns can contain an unlimited, variable length of data. The column ID and length
are stored with the data. All data types can be defined as tagged columns. Each table can
define up to 64,993 tagged columns.
160
Understanding Public Folders
Public folders, introduced in the first version of Microsoft Exchange, are designed for shared
access and provide an easy and effective way to collect, organize, and share information with
other people in your workgroup or organization. Public folders can be used to share files or to
store data, such as calendars and contacts, which are shared by two or more people. Public
folders are hierarchically organized, stored in dedicated databases, and can be replicated
between Exchange servers.
In Exchange Server 2007, public folders are an optional feature. If all client computers in your
organization are running Microsoft Office Outlook 2007, there will be no dependencies on
public folders for features such as free and busy information and offline address book (OAB)
downloads. Instead of using public folders for OAB downloads and free and busy information,
in Exchange 2007, these features are serviced by the Autodiscover service, the Microsoft
Exchange System Attendant service, and the Microsoft Exchange File Distribution service.
To connect to Exchange for OAB and Schedule+ free and busy functionality, all client
computers running Outlook 2003, Outlook 2002, or Outlook 98 require public folders to be
deployed. Exchange 2007 is the first version of Exchange that provides you with the option to
not use public folders. However, until all client computers in your organization are running
Outlook 2007, you should continue using public folders.
Note:
In a pure Exchange 2007 organization, you cannot access public folders by using
Outlook Web Access.
This topic provides the following information about public folders in Exchange 2007:
•
Creation of the public folder database during setup
•
Public folder management
•
Public folder trees
•
Public folder replication
•
Mail-enabled public folders
•
Considerations with mixed Exchange 2007 and Exchange Server 2003 organizations
•
Best practices
Creation of the Public Folder Database During
Setup
Computers running Outlook 2003 and earlier or Microsoft Entourage require a public folder
database (previously called the public folder store) to connect to Exchange 2007. Therefore, in
161
a pure Exchange 2007 organization, as you install the Mailbox server role on the first server,
Setup will prompt you with the question: "Do you have any client computers running
Outlook 2003 and earlier or Entourage in your organization?" If the answer is Yes, a public
folder database is created. If the answer is No, a public folder database is not created.
When you install the second server, you are not prompted with the question, and Setup does
not create a public folder database. Whether a public folder database is needed in the
organization is decided only when you install the first server. After that, all public folder
databases are optional. If you do not create a public folder database during Setup, you can
always create one anytime after Setup is complete. For more information about how to create a
public folder database, see How to Create a New Public Folder Database.
In a mixed Exchange organization, Setup does not prompt you with the question. In these
organizations, to ensure backward compatibility to Exchange versions prior to Exchange 2007,
a public folder database is created by default. Specifically, because Exchange 2007 is installed
in its own administrative group, this public folder database will support legacy Schedule+ free
and busy functionality.
For more information about installing Exchange 2007, see Deployment.
Public Folder Management
In Exchange 2007, all public folder management tasks are performed by using the
Exchange Management Shell. However, you can perform a limited number of public folder
database management tasks in the Exchange Management Console. For more information
about managing public folders, see Managing Public Folders.
Public Folder Trees
Exchange 2003 supports the use of a non-MAPI folder tree, otherwise known as an Application
folder tree or General Purpose folder tree. Exchange 2007 only supports the default MAPI
folder tree. The MAPI folder tree is divided into the following subtrees:
• Default Public Folders (also known as the IPM_Subtree) Users can access these
folders directly by using client applications such as Outlook.
• System Public Folders (also known as the Non IPM_Subtree) Users cannot
access these folders directly by using conventional methods. Client applications such as
Outlook use these folders to store information such as free and busy data, OABs, and
organizational forms. Other system folders contain configuration information that is used by
custom applications or by Exchange itself. The Public Folders tree contains additional
system folders, such as the EFORMS REGISTRY folder, that do not exist in generalpurpose public folder trees. System folders include the following:
• EFORMS REGISTRY and Events Root By default, one content replica of each
of these folders resides in the default public folder database on the first
162
Exchange 2007 server that is installed in the first administrative group. This is the
location where organizational forms are stored for legacy Outlook clients (clients using
an Outlook version earlier than Outlook 2007).
• Offline Address Book and Schedule+ Free Busy The Offline Address Book
folder and the Schedule+ Free Busyfolder automatically contain a subfolder for each
administrative group (or site) in your topology. By default, a content replica of a specific
administrative group folder resides on the first server that is installed in the
administrative group. These folders are used to store legacy free and busy information
and OAB data for legacy Outlook clients. Legacy Outlook clients do not support the
new features in Exchange 2007 that manage free and busy information and OAB data.
(These features include the Availability service, the Autodiscover service, and OAB
distribution on Client Access servers).
• OWAScratchPad Each public folder database has an OWAScratchPad folder,
which is used to temporarily store attachments that are being accessed by using
Outlook Web Access. Do not modify this folder. Outlook Web Access running on
Exchange 2007 Client Access servers does not use these folders to store attachment
data. However, this folder is created during a pure installation of Exchange 2007.
• StoreEvents Each public folder database has a StoreEvents folder, which holds
registration information for custom Exchange database events. Do not modify these
folders.
• Other folders To support internal Exchange database operations, a tree may
contain several other system folders, such as schema-root. Do not modify these
folders.
Public Folder Replication
Public folder databases replicate two types of public folder information:
• Hierarchy Properties of the folders and organizational information about the folders
(including the tree structure). All public folder databases have a copy of the hierarchy
information. For a specific folder, the public folder database can use hierarchy information
to identify the following:
•
Permissions on the folder
•
Servers that hold content replicas of the folder
• The folder's position in the public folder tree (including its parent and child folders,
if any)
• Content Messages that form the content of the folders. To replicate content, you must
configure a folder to replicate its content to a specific public folder database or list of
databases. Only the databases that you specify will have copies of the content. A copy of
the folder that includes content is called a content replica.
163
For information about managing the replication of public folder content, see the following
topics:
•
How to Suspend Public Folder Content Replication
•
How to Resume Public Folder Content Replication
Mail-Enabled Public Folders
Mail-enabling a public folder provides an extra level of functionality to users. In addition to
being able to post messages to the folder, users can send e-mail messages to, and sometimes
receive e-mail messages from, the folder. If you are developing custom applications, you can
use this feature to move messages or documents into or out of public folders.
A mail-enabled folder is a public folder that has an e-mail address. Depending on how the
folder is configured, it may appear in the global address list (GAL). Each mail-enabled folder
has an object in the Active Directory directory service that stores its e-mail address, address list
name, and other mail-related attributes.
Because mail that is sent to public folders is directed to the public folder database instead of to
a mailbox in the mailbox database, Exchange routes e-mail messages by using a method that
is slightly different from the method that is used to route e-mail messages to a regular mailbox.
Considerations with Mixed Exchange 2007 and
Exchange 2003 Organizations
This section provides considerations for implementing and managing public folders in a mixed
Exchange 2007 and Exchange 2003 organization.
Setup
When you install Exchange 2007 in a mixed Exchange 2007 and Exchange 2003 organization,
Setup automatically creates a new administrative group and routing group within the
Exchange 2003 organization. The Exchange 2007 servers that are added to your organization
will be included in the new administrative group and routing group. As previously mentioned,
Setup also installs a public folder database on the first Exchange 2007 Mailbox server. In that
public folder database, Exchange 2007 creates a new free and busy folder for the new
administrative group. The legacyExchangeDN property for users whose mailboxes
were created on an Exchange 2007 server (not migrated from Exchange 2003) will map to the
Exchange 2007 administrative group name, and will therefore also map to the Free/Busy
folder. By default, to facilitate free and busy searches from Outlook 2003 and earlier client
users whose mailboxes reside on an Exchange 2003 server, the client users' free and busy
information will be posted to the Free/Busy public folder.
164
Management
In a mixed Exchange 2007 and Exchange 2003 organization, you can use Exchange System
Manager to manage public folders. The following scenarios are supported:
• Exchange System Manager should only connect to the Exchange 2003 public folder
database for administration. From there, changes will replicate to Exchange 2007.
• In a pure Exchange 2007 organization, you cannot reinstall Exchange System
Manager to manage public folders. You must use the Exchange Management Shell.
• When verifying hierarchy replication or when viewing the Local Replica Age Limit value
on a folder, we recommend using Exchange System Manager for public folders that exist
on an Exchange 2003 server and using the Exchange Management Shell for public folders
that exist on an Exchange 2007 server.
Outlook Web Access
In a mixed Exchange 2007 and Exchange 2003 organization, Exchange 2007 Client Access
servers have a virtual directory named /public. However, this virtual directory is used only to
access legacy public folders. Specifically, the /public virtual directory will not connect to another
Exchange 2007 Mailbox server because the Mailbox server does not support access to a
/public virtual directory.
Updating the Public Folder Hierarchy
If you notice that the public folder hierarchy on one server is different from the public folder
hierarchy on other servers in your mixed Exchange 2007 and Exchange 2003 organization, you
may want to synchronize the hierarchy. In Exchange 2003 Service Pack 2 (SP2), the
Synchronize Hierarchy command is used to synchronize the public folder hierarchy on an
Exchange 2003 server with the other servers in your organization. In Exchange 2007, the
Update-PublicFolderHierarchy cmdlet is used to synchronize the public folder hierarchy on
the Exchange 2007 server with the rest of the servers in your organization.
Note:
You cannot run the Synchronize Hierarchy command on an Exchange 2007 server.
Similarly, you cannot run the Update-PublicFolderHierarchy cmdlet on an
Exchange 2003 server. However, running either command will update the public folder
hierarchy in your entire organization.
For more information, see How to Update a Public Folder Hierarchy.
165
Replicating Public Folder Content Replication
To help stop public folder content replication errors in your organization, you can suspend the
replication of public folder content. Suspending replication allows you to reconfigure the public
folder hierarchy and replication schedules.
To suspend or resume the replication of public folder content in a mixed Exchange 2007 and
Exchange 2003 organization, on an Exchange 2007 server, run the SuspendPublicFolderReplication cmdlet or the Resume-PublicFolderReplication cmdlet in the
Exchange Management Shell. Although you run these on an Exchange 2007 server, they will
suspend or resume the replication of public folder content on all servers in your mixed
organization. For information about using the Exchange Management Shell to suspend or
resume the replication of public folder content, see the following topics:
•
How to Suspend Public Folder Content Replication
•
How to Resume Public Folder Content Replication
Best Practices
This section provides the best practices to consider when performing the following public folder
tasks in your Exchange 2007 organization:
•
Creating public folder databases
•
Designing the public folder hierarchy
Creating Public Folder Databases
When you plan for how many public folder databases to create in your organization, consider
the following best practices:
• For large enterprise topologies where public folders are heavily used, deploy dedicated
public folder servers. This best practice stems from the general best practice of dedicating
CPU resources and disk resources to isolated server functions.
• Having fewer larger public folder databases scales better and is more easily managed
than having several smaller public folder databases. By reducing the number of public
folder databases, you can decrease the time that is required to back up and restore many
smaller databases. You also reduce the amount of background replication traffic.
Additionally, online maintenance of fewer larger databases is quicker than online
maintenance of many smaller databases. Finally, it is easier to manage a smaller number
of public folder databases from the perspective of applying permissions and content
access, and implementing efficient replication and referrals.
The best practice of having fewer larger public folder databases is especially helpful when
you consider your topology from the organization level. However, at the server level, some
management and maintenance tasks, such as backup and restore processes, can be more
166
quickly performed if you have several smaller databases. Ultimately, the number of public
folder databases that you deploy must address your business requirements. As you
determine the number of databases that you want to deploy, you must balance the cost of
replication traffic against the costs of database backup, maintenance, and restore times.
Designing the Public Folder Hierarchy
As you design your public folder hierarchy, you must recognize the effect of hierarchy
replication in your environment. Deep public folder hierarchies scale better than wide
hierarchies. A deep hierarchy consists of many vertically nested folders, instead of many
higher-level folders. A wide hierarchy consists of many higher-level folders with fewer vertically
nested subfolders.
For example, consider how 250 folders might be arranged in a specific hierarchy. A wide
hierarchy might have 250 direct subfolders under one parent folder. A deep hierarchy might
have five top level folders, each with five direct subfolders. Inside each of those subfolders may
be 10 subfolders.
In both these examples, there are 250 folders (5 × 5 × 10 = 250). However, the deep hierarchy
offers better performance than the wide hierarchy for the following reasons:
• The way that replication handles folders that have different permissions applied to
them is more efficient in deep hierarchies.
• Client computer actions (such as sort, search, and expand) against a folder that has 10
subfolders is much less expensive than a folder that has 250 subfolders.
While deep hierarchies scale better than wide hierarchies, it is a best practice not to exceed
250 subfolders per folder. Exceeding 250 subfolders likely will cause an unacceptable client
experience when a client computer requests access.
A factor to consider as you implement a hierarchy is the effect that permissions have on the
experience a user has when they want to gain access to public folders. When each public
folder subfolder has its own access control list (ACL) entries defined, every time that the
Exchange server receives a new public folder replication message, the ACL for the parent
public folder must be evaluated to determine which users have rights to view the changes to
the parent public folder. If the parent public folder has a large discretionary access control list
(DACL) entry, it may take a long time to update the view for each public folder subscriber.
Note:
The DACL for the parent folder consists of the sum of the DACLs of all the public folder
subfolders.
You may have many megabytes (MB) of DACL data that must be parsed if the following
conditions are true:
•
You have many subfolders under a single parent public folder.
167
•
Each of those subfolders has its own ACL defined.
This DACL data must be parsed so that the display can be updated for all the public folder
subscribers every time that a public folder replication message is received.
Therefore, it is recommended that you arrange your public folder hierarchy according to the
user sets that gain access to the parent folders. Additionally, do not implement complex
permission models for your public folder hierarchies.
For More Information
For more information about how to manage public folders from Exchange 2007, see the
following topics:
•
Managing Public Folders
•
Configuring Public Folder Permissions
•
Scripts for Managing Public Folders in the Exchange Management Shell
For more information about how to create and manage public folders by using Outlook 2007,
see Public folders.
For more information about how to create and manage public folders by using Outlook 2003,
see Using Public Folders.
For more information about how to create and manage public folders by using Outlook 2000,
see Create an Office document library in an Outlook public folder.
Understanding Messaging Records
Management
Messaging records management (MRM) is the records management technology in Microsoft
Exchange Server 2007 that helps organizations to reduce the legal risks that are associated
with e-mail and other communications. MRM makes it easier to keep messages that are
needed to comply with company policy, government regulations, or legal needs, and to remove
content that has no legal or business value. This is accomplished through the use of managed
folders, which are Inbox folders to which managed folder mailbox policies have been applied.
The administrator or the user places these managed folders in the user's Inbox, and then the
user sorts messages into the managed folders according to organization policy. Messages
placed in the managed folders are then periodically processed by Exchange according to the
mailbox policies. When a message reaches a retention limit, it is archived, deleted, or flagged
for user attention, or the event is simply logged.
168
Figure 22 Messaging records management process
Messaging Records Management Strategy
Messaging management policies help organizations to comply with legal requirements and
conserve information technology resources. However, in the past, enforcing those policies has
often been challenging and ineffective. Monitoring user compliance has been difficult, and
complying with legal discovery orders has been expensive and time consuming. Attempts to
automate the messaging management process have met with limited success. The MRM
functionality in Exchange 2007 addresses and lessens these challenges.
The strategy to make Exchange 2007 messaging management and policy enforcement more
reliable, effective, and easy to use is based on three principles:
•
Users classify their own messages.
169
•
Obsolete messages are removed.
•
Required messages are retained.
Users Classify Their Own Messages
With Exchange 2007, users participate in the MRM process by classifying their own messages
and sorting them into special mailbox folders called managed folders. This sorting process
ensures that messages are classified according to users' wants and the organization's needs,
and helps eliminate the mishandling of messages that can occur with a completely automated
messaging management solution.
Managed folders are similar to the other folders in users' mailboxes, except that they cannot be
moved, renamed, or (in most cases) deleted. Users can file items by placing them in the
managed folder that is appropriate for that type of content. Messages can also be sorted into
the appropriate folder by using rules.
Managed folders can be added to users' mailboxes by system administrators (by means of the
Exchange Management Console or the Exchange Management Shell). If the organization
creates a Web services site for that purpose, users can add or remove managed folders from
their own mailboxes at that site. For more information about using Web services with
Exchange 2007, see Microsoft Exchange Server 2007 SDK Documentation.
Managed folders for users of Microsoft Office Outlook 2007 can have storage limits and can
display a description of the messaging management policy that applies to them. Managed
folders with size limits and folder descriptions cannot be assigned to mailboxes accessed by
earlier versions of Outlook.
MRM policies can be enforced on a per-folder basis and according to content type, providing
administrators with detailed control over the management process.
For information about how to create managed custom folders, see How to Create a Managed
Custom Folder.
Obsolete Messages Are Removed
Managed folder mailbox policies enable you to process and remove outdated content from
users' mailboxes. These policies are configurable by content age and by message type (for
example, voice mail or appointments), and can be applied to any of the folders in users'
mailboxes.
Actions that can be taken when applying MRM policies include:
• Deleting content permanently, or deleting content so that it can still be recovered with
the Recover Deleted Items command in Outlook 2007.
170
• Moving the content to a managed folder that is set up for user review before deleting
the content. This gives users a chance to review items before the items are permanently
removed.
• Marking messages as past their retention date in the user's mailbox in Outlook 2007,
prompting the user to take any required action.
For more information about how to handle obsolete messages, see How to Create Managed
Content Settings.
Required Messages Are Retained
You can retain any content that you want to keep by creating a managed folder mailbox policy
that journals (copies) the content to another location. This can be any location with a Simple
Mail Transfer Protocol (SMTP) e-mail address, including another Exchange mailbox. Data that
is sent to such a repository is stamped with a label to preserve its classification information.
Retention settings are configurable at the folder level and according to the message type (for
example, voice mail or appointments).
For more information about how to configure retention settings, see How to Create Managed
Content Settings.
For More Information
For information about implementing and managing MRM, see Managing Messaging Records
Management.
Unified Messaging
In Microsoft Exchange Server 2007, the Unified Messaging server role is one of several server
roles that you can install and then configure on a computer that is running Exchange 2007.
Unified Messaging (UM) is new to the Exchange product line, and its introduction brings new
concepts that may not be familiar to an Exchange administrator.
Unified Messaging combines voice messaging, fax, and e-mail messaging into one store,
accessible from a telephone and a computer. Exchange 2007 Unified Messaging integrates
Exchange Server with telephony networks and brings the Unified Messaging features to the
core of Exchange Server. Figure 22 illustrates the relationship between an organization's
telephony network components and the Exchange 2007 Unified Messaging system.
171
Figure 23 The relationship between telephony components and Exchange Server 2007
Unified Messaging
Currently, most users and IT departments manage their voice mail and fax messages
separately from their e-mail. Voice mail and e-mail exist as separate inboxes hosted on
separate servers that are accessed through the desktop for e-mail and through the telephone
for voice mail. Fax messages are not received into a user's inbox, but are instead received by
stand-alone fax machines or a centralized fax server. Unified Messaging offers an integrated
store for all messages and access to content through the computer and the telephone.
Exchange 2007 Unified Messaging provides a single point of message administration for
Exchange administrators in an organization. The features within Exchange 2007 Unified
Messaging enable an Exchange administrator to:
•
Manage the voice mail, e-mail, and fax systems from a single platform.
172
•
Manage Unified Messaging using scriptable commands.
•
Build highly available and reliable Unified Messaging infrastructures.
The Unified Messaging server role in Exchange 2007 lets users access voice mail, e-mail, fax
messages, and calendar information that is located in their Exchange 2007 mailbox from an email client such as Microsoft Outlook or Outlook Web Access, from a mobile device that has
Microsoft Exchange ActiveSync enabled, such as a Windows Mobile® powered smartphone or
a personal digital assistant (PDA), or from a telephone.
Unified Messaging in Exchange 2007 gives users features such as:
• Call Answering Call answering includes answering an incoming call on behalf of a
user, playing their personal greeting, recording a message, and submitting it for delivery to
their inbox as an e-mail message.
• Fax Receiving Fax receiving is the process of submitting a fax message for delivery
to the Inbox. The fax receiving feature lets users receive fax messages in their Inbox.
• Subscriber Access The subscriber access feature enables dial-in access for
company users. Company users or subscribers who are dialing into the Unified Messaging
system can access their mailbox using Outlook Voice Access. Subscribers who use
Outlook Voice Access can access the Unified Messaging system by using the telephone
keypad or voice inputs. By using a telephone, a subscriber or user can:
•
Access voice mail over a telephone.
•
Listen, forward, or reply to e-mail messages over a telephone.
•
Listen to calendar information over a telephone.
• Access or dial contacts stored in the global address list or a personal contact list
over a telephone.
•
Accept or cancel meeting requests over a telephone.
•
Set a voice mail Out-of-Office message.
•
Set user security preferences and personal options.
• Auto Attendant An auto attendant is a set of voice prompts that gives external users
access to the Exchange 2007 Unified Messaging system. An auto attendant lets the user
use either the telephone keypad or speech inputs to navigate the menu structure, place a
call to a user, or locate a user and then place a call to that user. An auto attendant gives
the administrator the ability to:
•
Create a customizable set of menus for external users.
• Define informational greetings, business hours greetings, and non-business hours
greetings.
•
Define holiday schedules.
•
Describe how to search the organization's directory.
173
• Describe how to connect to a user's extension so external callers can call a user
by specifying their extension.
• Describe how to search the organization's directory so external callers can search
the organization's directory and call a specific user.
•
Enable external users to call the operator.
Note:
Installing and running the Unified Messaging server role in a virtualized
environment is not supported.
For More Information
For more information about Unified Messaging components, see Overview of Unified
Messaging Components.
For more information about the Unified Messaging objects, see Overview of Unified Messaging
Active Directory Objects.
For more information about telephony concepts and components, see Overview of Unified
Messaging Components.
For more information about Unified Messaging message flow, see Overview of the Unified
Messaging Call Processing.
For more information about Unified Messaging topologies, see Overview of Unified Messaging
Server Topologies.
Unified Messaging Architecture
When you install the Unified Messaging (UM) server role on a computer that is running
Microsoft Exchange Server 2007, several UM-specific components and services are installed.
The Unified Messaging services and components that are installed by Setup enable a Unified
Messaging server to answer and process incoming voice and fax calls and enable users to
interact with the Unified Messaging system by using Outlook Voice Access or by hearing a UM
auto attendant when they call in to the UM system. This topic discusses the interaction between
these UM components and services how the services and components provide the features
that are offered by Unified Messaging.
Overview of Unified Messaging Services
The features and components of Unified Messaging rely on the functionality of two
Exchange 2007 services: the Microsoft Exchange Unified Messaging service (UMservice.exe)
174
and the Microsoft Exchange Speech Engine service (SpeechService.exe). The Service Control
Manager controls and monitors both of these services and their related processes.
The Microsoft Exchange Unified Messaging service enables voice and fax messages to be
stored in an Exchange 2007 mailbox and gives users telephone access to e-mail, voice mail,
calendar, and contacts. If you stop this service, Unified Messaging features will not be available
for users in your organization. For the Microsoft Exchange Unified Messaging service to work,
the Microsoft Exchange Speech Engine service must already be started and functioning
correctly.
The Microsoft Exchange Speech Engine service controls the following:
•
The dual tone multi-frequency (DTMF), also known as touchtone, interface
• Automatic Speech Recognition (ASR) that is used with the Voice User Interface (VUI)
in Outlook Voice Access
• The Text-to-Speech Engine (TTS) that reads e-mail, voice mail, and calendar items
and plays the menu prompts for callers
When the Microsoft Exchange Unified Messaging service and Microsoft Exchange Speech
Engine service are starting, they each create their own worker processes: the UM worker
process (UMWorkerProcess.exe) and the Speech Engine service worker process
(SESWorker.exe). Each UM worker process enables the Microsoft Exchange Unified
Messaging service and the Microsoft Exchange Speech Engine service to interact to provide
Outlook Voice Access and call answering. The Speech Engine service worker process provides
the TTS engine features, enables callers to use both Outlook Voice Access interfaces, and
plays the system prompts for callers. For more information about Outlook Voice Access, see
Understanding Unified Messaging Subscriber Access. For more information about Unified
Messaging system prompts, see Understanding Unified Messaging Audio Prompts.
Figure 23 illustrates the relationships between Unified Messaging components.
175
Figure 24 Unified Messaging architecture
Service Ports
The Microsoft Exchange Unified Messaging service and the UM worker process use multiple
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) service ports to
communicate with IP/VoIP gateways and the Speech Engine service worker process that is
created by the Microsoft Exchange Speech Engine service at startup. The Microsoft Exchange
Unified Messaging service and the UM worker process use Session Initiation Protocol (SIP)
over TCP. By default, the Microsoft Exchange Unified Messaging service listens on TCP port
5060 in unsecured mode and TCP port 5061 when Transport Layer Security (TLS) is used.
Each UM worker process that is created listens on TCP port 5065 and 5066. However, a UM
worker process sends all Realtime Transport Protocol (RTP) traffic to the Speech Engine
service worker process by using valid UDP ports that range from 1024 through 65535.
A TCP control port is also used on a Unified Messaging server. When a UM worker process is
created, the Microsoft Exchange Unified Messaging service passes the appropriate
configuration options to the UM worker process. The configuration options that are sent include
the parameters for the TCP control port number that is used for communication between the
Microsoft Exchange Unified Messaging service and the UM worker process. The TCP control
port that is chosen will fall between TCP ports 16,000 to 17,000.
176
Unified Messaging Services
The Microsoft Exchange Unified Messaging service is one of the two services that provide
Unified Messaging services for your network. The Microsoft Exchange Unified Messaging
service performs the following functions:
•
Retrieves the dial plan configuration from the Active Directory directory service
• Loads the configuration information for monitoring Unified Messaging worker
processes from the UmRecycleConfig.xml file
•
Initializes the UM Worker Process Manager and the startup of a UM worker process
•
Registers SIP endpoints
The Microsoft Exchange Unified Messaging service first accepts all incoming connections, and
then reroutes those requests to a UM worker process that handles the incoming request. In
addition, the Microsoft Exchange Unified Messaging service monitors any UM worker process
that is created and ensures that the UM worker process is functioning correctly. If a UM worker
process becomes unresponsive, the Microsoft Exchange Unified Messaging service stops the
UM worker process, and then create a new UM worker process to replace it.
Note:
By default, each UM worker process will be recycled every seven days or 604800
seconds. The setting can be found in the \bin\umrecyclerconfig.xml file.
The Microsoft Exchange Unified Messaging service works with the Microsoft Exchange Speech
Engine service to implement all the telephony features that are offered by Exchange 2007
Unified Messaging. The Microsoft Exchange Unified Messaging service handles call control
and interacts with the Microsoft Exchange Speech Engine service to handle the incoming
media streams that are negotiated in the SIP signaling information between the
Microsoft Exchange Unified Messaging service and a SIP-enabled telephony device such as an
IP/VoIP gateway or IP/PBX. The following events occur when an incoming call is initiated by the
Microsoft Exchange Unified Messaging service:
1. A call session is initiated by the Microsoft Exchange Unified Messaging service.
2. The Microsoft Exchange Unified Messaging service redirects the call to a UM worker
process.
3. The UM worker process requests that a media session be established with the
Microsoft Exchange Speech Engine service, and then the UM worker process relays the
media information back to the caller.
4. The Speech Engine Service worker process that is created by the Microsoft Exchange
Speech Engine service provides a UDP port for the RTP stream.
5. The UM worker process uses the SIP signaling information to inform the Speech
Engine Services worker process to end the call session when the RTP media stream is no
longer needed.
177
Unified Messaging Worker Process
A Unified Messaging worker process is a process that is created during the startup of the
Microsoft Exchange Unified Messaging service. UM worker processes interact with all incoming
and outgoing requests that have been received by the Microsoft Exchange Unified Messaging
service.
The Unified Messaging Worker Process Manager is also a component of the
Microsoft Exchange Unified Messaging service. The UM Worker Process Manager handles the
creation and monitoring of all the UM worker processes that are created. The UM Worker
Process Manager creates new instances of a UM worker process based on the configuration
settings that are located in the UmRecyclerConfig.xml file and also monitors the health of these
processes. As a new incoming call arrives, the UM Worker Process Manager is used to
determine the appropriate instance of a UM worker process to which to redirect the call. The
UM worker process then interacts with the Microsoft Exchange Speech Engine service
components to correctly process incoming and outgoing requests. The UM worker process is
responsible for the following startup tasks:
•
Allocation of the runtime management objects
•
Loading of the UM configuration from UMConfig.xml
•
Initialization of the fax job listener
•
Registration of the process with the Microsoft Exchange Speech Engine service
•
Initialization of Simple Mail Transfer Protocol (SMTP) message submission
For more information about Voice over IP (VoIP) security in Unified Messaging, see
Understanding Unified Messaging VoIP Security.
The Unified Messaging worker process also contains a fax provider that lets users receive fax
messages in their Exchange 2007 mailbox. The fax provider that is included in a UM worker
process uses the T.38 protocol over UDP Transport Layer (UDPTL). This UM worker process
transfers the fax message and then creates and processes the compressed Tagged Image File
Format (TIFF) of the fax message that is received. For more information about faxing in Unified
Messaging, see Understanding Faxing in Unified Messaging.
Microsoft Exchange Speech Services
The Microsoft Exchange Speech Engine service is an embedded speech engine that is
installed when you install the Unified Messaging server role. This Microsoft Exchange Speech
Engine service is an Interactive Voice Response (IVR) platform that provides speech
recognition capability that is used to recognize user input and provide Text-to-Speech (TTS)
capabilities.
The applications in an IVR platform communicate with end users through a telephony or VoIP
network. The Microsoft Exchange Speech Engine service supports SIP and RTP for telephony
connectivity and TLS. For Unified Messaging, when an incoming call is received, the
178
Microsoft Exchange Speech Engine service processes the RTP stream that is associated with
the call, and then passes the information and events to the UM worker process that is
managing the SIP connection. The Microsoft Exchange Speech Engine service supports the
following features in Unified Messaging:
•
Automatic Speech Recognition (ASR) input recognition
•
DTMF, or touchtone, input recognition
•
The TTS conversion process
•
Recording e-mail and voice mail messages
•
Playing e-mail and voice mail messages to the user
For more information about Automatic Speech Recognition, see Understanding Automatic
Speech Recognition Directory Lookups. For more information about the TTS engine, see
Understanding Unified Messaging Audio Prompts.
When the Microsoft Exchange Speech Engine service is starting, it creates the Speech Engine
Service worker process. During call flow, the Speech Engine Service worker process is
responsible for recognizing touchtone or voice input from the user. For example, if
a caller uses ASR or voice inputs to navigate the main menu, the following steps occur:
1. An Outlook Voice user calls a subscriber access number and logs on to their mailbox
or an outside caller dials in to a number that is configured to have a UM auto attendant and
they use ASR or voice inputs to navigate the main menu.
2. When a call is received by a Unified Messaging server, the Unified Messaging server
determines whether the menu is speech-enabled. If the menu is speech-enabled, the
Unified Messaging server uses specific prompts and grammars.
3. The UM worker process notifies the Speech Engine Service worker process to begin
recognition based on the grammar file that is needed. For this example, the main menu is
needed. Therefore, the Speech Engine Service worker process loads the mainmenu.grxml
file. The Microsoft Exchange Speech Engine service plays the main menu prompts over the
telephone to the Outlook Voice Access user.
4. For example, the user may respond by saying “e-mail”. The voice traffic that is created
is sent over an RTP stream and is received by the Speech Engine Service worker process.
The Speech Engine Service worker process, which has already loaded the
mainmenu.grxml file, compares the voice recognition results to the contents in the file. The
result is sent to the UM worker process.
5. The UM worker process determines what transition to make based on the results from
the Speech Engine Service worker process. For this example, the next transition state is to
play the menu of e-mail options to the user.
6. The correct activity manager is loaded into memory for playing the e-mail menu. The
corresponding grammar file for the e-mail menu, which is email.grxml, is then loaded by the
Speech Engine Service worker process.
179
7. The UM worker process sends a request to the Microsoft Exchange Speech Engine
service to play the corresponding prompts for the e-mail menu.
For more information about the grammar files that are used in Unified Messaging, see
Understanding Automatic Speech Recognition Directory Lookups.
A similar series of events occurs when a caller is using DTMF, or touchtone, inputs to navigate
the menus. Handling of DTMF input resembles handling voice inputs, except that the Speech
Engine Service worker process notifies the UM worker process when DTMF events are
detected in the RTP stream. The data that is passed by this event corresponds to the number
pressed by the caller. For more information about the DTMF or touchtone interface, see
Understanding the DTMF Interface.
For More Information
For an overview of Unified Messaging, see Unified Messaging.
For more information about telephony concepts and components, see Overview of Telephony
Concepts and Components.
Overview of Telephony Concepts and
Components
If you are planning and deploying Microsoft Exchange Server 2007 Unified Messaging (UM) on
your network, you must broaden your understanding and knowledge of Unified Messaging and
telephony networks. This topic provides an overview of telephony infrastructure concepts and
components and will help you plan and deploy a server that is running Exchange 2007 Unified
Messaging.
Overview
In earlier versions of Microsoft Exchange, the Exchange administrator's main responsibility was
managing e-mail messages and, sometimes, managing a network infrastructure.
However, the earlier versions of Exchange did not have unified messaging capabilities. The
Exchange Server version 5.5, Exchange 2000 Server, and Exchange Server 2003
administrator had to focus only on the Exchange environment and the network infrastructure
and relied heavily on telephony consultants to manage their telephony environment and
infrastructure.
To successfully deploy a Unified Messaging server, you must have a good understanding of
basic telephony concepts and telephony components. After you gain a good understanding of
180
telephony basics, you can successfully integrate Exchange 2007 Unified Messaging into an
Exchange 2007 organization.
Concepts and Components
To successfully deploy an Exchange 2007 Unified Messaging server in an Exchange
organization, the Exchange administrator must become knowledgeable about data networking
concepts and telephony terminology and concepts. This topic provides an overview of
networking and telephony components and concepts that you must have to understand Unified
Messaging. These include the following:
•
Circuit- and packet-switched networks
•
Private Branch eXchange (PBX)
•
Internet Protocol Private Branch eXchange (IP/PBX)
•
Voice over Internet Protocol (VoIP)
•
IP/VoIP gateways
Circuit-Switched Networks
In circuit-switched networks, such as the Public Switched Telephone Network (PSTN), multiple
calls are transmitted across the same transmission medium. Frequently, the medium that is
used in the PSTN is copper. However, fiber optic cable might also be used.
A circuit-switched network is a network in which there exists a dedicated connection. A
dedicated connection is a circuit or channel that is set up between two nodes so that they can
communicate. After a call is established between two nodes, the connection may be used only
by these two nodes. When the call is ended by one of the nodes, the connection is canceled.
Note:
PSTN is a grouping of the world's public circuit-switched telephone networks. This
grouping resembles the way that the Internet is a grouping of the world's public IPbased packet-switched networks.
There are two basic types of circuit-switched networks: analog and digital. Analog was
designed for voice transmission. For many years, the PSTN was only analog, but today, circuitbased networks such as the PSTN have transitioned from analog to digital. To support an
analog voice transmission signal over a digital network, the analog transmission signal must be
encoded or converted into a digital format before it enters the telephony WAN. On the receiving
end of the connection, the digital signal must be decoded or converted back into an analog
signal format.
There are advantages and disadvantages to circuit-switched networks. Circuit-switched
networks have several disadvantages. Circuit-switched networks can be relatively inefficient,
181
because bandwidth can be wasted. This is not the case when VoIP is used on a packetswitched network. VoIP shares the available bandwidth with all other network applications and
makes more efficient use of the available bandwidth. Another disadvantage to circuit-switched
networks is that you have to provision for the maximum number of telephone calls that will be
required for peak usage times and then pay for the use of the circuit or circuits to support the
maximum number of calls.
Circuit switching has one big advantage over packet-switched networks. In a circuit-switched
network when you use a circuit, you have the full circuit for the time that you are using the
circuit without competition from other users. This is not the case with packet switched networks.
Note:
Synchronous Digital Hierarchy (SDH) has become the primary transmission protocol
for most PSTN networks. SDH is carried over fiber optic networks.
Packet-Switched Networks
Packet switching is a technique that divides a data message into smaller units that are called
packets. Packets are sent to their destination by the best route available, and then they are
reassembled at the receiving end.
In packet-switch networks such as the Internet, packets are routed to their destination through
the most expedient route, but not all packets traveling between two hosts travel the same route,
even those from a single message. This almost guarantees that the packets will arrive at
different times and out of order. In a packet-switched network, packets (messages or fragments
of messages) are individually routed between nodes over data links that may be shared by
other nodes. With packet switching, unlike circuit switching, multiple connections to nodes on
the network share the available bandwidth.
Note:
With circuit switching, all packets go to the receiver in order and along a single path.
Packet-switched networks exist to enable data communication on the Internet throughout the
world. A public data network or packet-switched network is the data counterpart to the PSTN.
Packet-switched networks are also found in such network environments as LAN and WAN
networks. A WAN packet-switched environment relies on telephone circuits, but the circuits are
arranged so that they retain a permanent connection with their end point. In a LAN packetswitched environment, such as with an Ethernet network, the transmission of the data packets
relies on packet switches, routers, and LAN cables. In a LAN, the switch establishes a
connection between two segments only long enough to send the current packet. Incoming
packets are saved to a temporary memory area or buffer in memory. In an Ethernet-based
LAN, an Ethernet frame contains the payload or data portion of the packet and a special
header that includes the media access control (MAC) address information for the source and
destination of the packet. When the packets arrive at their destination, they are put back in
182
order by a packet assembler. A packet assembler is needed because of the different routes that
the packets may take.
Packet-switched networking has made it possible for the Internet to exist and, at the same time,
has made data networks—especially LAN-based IP networks—more available and widespread.
PBX
A legacy PBX is a telephony device that acts as a switch for switching calls in a telephony or
circuit-switched network.
Note:
A legacy PBX is a PBX that cannot pass IP packets. In many businesses, legacy PBXs
have been replaced by IP/PBXs.
A PBX is a telephony device that is used by most medium- and larger-sized companies. A PBX
enables users or subscribers of the PBX to share a certain number of outside lines for making
telephone calls that are considered external to the PBX. A PBX is a much less expensive
solution than giving each user in a business a dedicated external telephone line. Telephone
sets, in addition to fax machines, modems, and many other communication devices, can be
connected to a PBX.
The PBX equipment is typically installed at a business's premises and connects calls between
the telephones located and installed in the business site. A limited number of outside lines, also
known as trunk lines, are typically available for making and receiving calls that are external to
the business from an external source such as the PSTN.
Internal business calls made to external telephone numbers by using a PBX are made by
dialing 9 or 0 in some systems followed by the external number. An outgoing trunk line is
automatically selected to complete the call. Conversely, the calls placed between users within
the business do not ordinarily require special dialing digits or use of an external trunk line. This
is because the internal calls are routed or switched by the PBX between telephones that are
physically connected to the PBX.
In medium- and larger-sized businesses, the following PBX configurations are possible:
•
A single PBX that supports the whole business.
•
A grouping of two or more PBXs that are not networked or connected to each other.
•
A grouping of two or more PBXs that are connected together or networked.
Note:
An Exchange 2007 Unified Messaging dial plan can span more than one PBX and one
IP/VoIP gateway.
183
IP/PBX
An IP/PBX is a Private Branch eXchange (PBX) that supports the IP protocol to connect
phones by using an Ethernet or packet-switched LAN and sends its voice conversations in IP
packets. A hybrid IP/PBX supports the IP protocol for sending voice conversations in packets,
but also connects traditional analog and digital circuit-switched Time Division Multiplex (TDM)
telephones. An IP/PBX is telephone switching equipment that resides in a private business
instead of the telephone company.
IP/PBXs are frequently easier to administer than legacy PBXs, because administrators can
easily configure their IP/PBX services by using an Internet browser or another IP-based utility.
Plus, no additional wiring, cabling, or patch panels must be installed. With an IP/PBX, moving
an IP-based telephone is as simple as unplugging a telephone and plugging it in at a new
location, instead of the costly service calls to move a telephone from legacy PBX vendors.
Additionally, businesses that own an IP/PBX do not have the additional infrastructure costs that
are required to maintain and manage two separate circuit-switched and packet-switched
networks.
VoIP
Voice over Internet Protocol (VoIP) is a technology that contains hardware and software that
enables people to use an IP-based network as the transmission medium for telephone calls. In
VoIP, voice data is sent in packets by using IP instead of by traditional circuit transmissions or
the circuit-switched telephone lines of the PSTN. An IP/VoIP gateway that you connect to your
IP network uses VoIP to send voice data packets between an Exchange 2007 Unified
Messaging server and a PBX system.
IP/VoIP Gateways
An IP/VoIP gateway is a third-party hardware device or product that connects a legacy PBX to
your LAN. The IP/VoIP gateway lets the PBX system communicate with your Exchange 2007
Unified Messaging server that is running IP.
Note:
The IP/VoIP gateway can also connect to PBX systems that use VoIP instead of PSTN
circuit-switched protocols.
Exchange 2007 Unified Messaging relies on the gateway's abilities to translate or convert TDM
or telephony circuit-switched based protocols like ISDN and QSIG from a PBX to IP- or VoIPbased protocols like Session Initiated Protocol (SIP), Real-Time Transport Protocol (RTP), or
T.38 for Real-Time Facsimile Transport. The IP/VoIP gateway is integral to the functionality and
operation of Unified Messaging.
184
Important:
After you install the IP/VoIP gateway, you must create an IP Gateway object in the
Active Directory directory service to represent the IP/VoIP gateway.
For More Information
• For more information about UM IP gateways, see Understanding Unified Messaging IP
Gateways.
• For more information about how to create a UM IP gateway in Active Directory, see
How to Create a New Unified Messaging IP Gateway Object.
• For more information about the IP/VoIP gateways that are supported for
Exchange 2007, see Supported IP/VoIP Gateways.
Understanding Protocols, Ports, and
Services in Unified Messaging
Microsoft Exchange Server 2007 Unified Messaging (UM) requires that several TCP and UDP
ports be used to establish communication between Exchange 2007 servers and other devices.
By allowing access through these IP ports, you enable Unified Messaging to function correctly.
This topic discusses the TCP and UDP ports that are used in Exchange 2007 Unified
Messaging.
UM Protocols and Services
Exchange 2007 Unified Messaging features and services rely on static and dynamic TCP and
UDP ports to ensure correct operation of the computer that is running the Unified Messaging
server role.
Session Initiation Protocol
Session Initiation Protocol (SIP) is a protocol that is used for initiating, modifying, and ending
an interactive user session that involves multimedia elements such as video, voice, instant
messaging, online games, and virtual reality. It is one of the leading signaling protocols for
Voice over IP (VoIP), together with H.323. Most VoIP standards-based solutions use either the
H.323 or Session Initiation Protocol (SIP) protocols. However, several proprietary designs and
protocols also exist. The VoIP protocols typically support features such as call waiting,
conference calling, and call transfer.
185
SIP clients such as IP/VoIP gateways and IP/PBXs can use TCP and UDP port 5060 to connect
to SIP servers. SIP is used only for setting up and tearing down voice or video calls. All voice
and video communications occur over Real-time Transport Protocol (RTP).
Real-time Transport Protocol
Real-time Transport Protocol (RTP) defines a standard packet format for delivering audio and
video over a given network, such as the Internet. RTP carries only voice/video data over the
network. Call setup and tear-down are generally performed by the SIP protocol.
RTP does not require a standard or static TCP or UDP port to communicate with. RTP
communications occur on an even UDP port, and the next higher odd port is used for TCP
communications. Although there are no standard port range assignments, RTP is generally
configured to use ports 16384-32767. It is difficult for RTP to traverse firewalls because it uses
a dynamic port range.
T.38
T.38 is a faxing standard and protocol that enables faxing over an IP-based network. The IPbased network then uses SMTP and MIME to send the message to a recipient's mailbox. T.38
allows for IP fax transmissions for IP-enabled fax devices and fax gateways. The devices can
include IP network-based hosts such as client computers and printers. In Exchange 2007
Unified Messaging, the fax images are separate documents encoded as TIFF images and
attached to an e-mail message. Both the e-mail message and the TIFF attachment are sent to
the recipient's Exchange 2007 UM-enabled mailbox.
UM Web Services
The Unified Messaging Web Services installed on a computer that is running Exchange 2007
that has the Client Access server role installed use IP for network communication between a
client, the Unified Messaging server, the Client Access server, and computers that are running
other Exchange 2007 server roles. There are several Exchange 2007 Outlook Web Access and
Microsoft Office Outlook 2007 client features that rely on the UM Web Service to operate
correctly.
The following Unified Messaging client features rely on the UM Web Service:
• The voice mail options that are available with Exchange 2007 Outlook Web Access,
including the Play on Phone feature and the ability to reset a PIN.
•
The Play on Phone feature found in the Outlook 2007 client.
Note:
When an organization uses the Play on Phone and other client features in
Exchange 2007 Unified Messaging, a computer that is running the Client Access, Hub
186
Transport, and Mailbox server roles within the same Active Directory site is required in
addition to the computer or computers that have the Unified Messaging server role
installed.
Port Assignments
Table 20 shows the IP ports that Unified Messaging uses for each protocol and whether the IP
ports that are used for each protocol can be changed.
Table 20 IP Ports that are used for Unified Messaging protocols
Protocol
TCP Port
SIP - UM Service
5060 (TCP)
UDP Port
Ports are hard-coded
and cannot be set by
using the XML
configuration file.
5061 (MTLS)
SIP - Worker Process
Can ports be
changed?
5065 and 5066
Ports are set by using
the XML configuration
file.
RTP
Port range above
1024
The range of ports
can be changed in the
registry.
T.38
Dynamic port above
1024
Ports are defined by
the system.
UM Web Service
Dynamic port above
1024
Ports are defined by
the system.
For More Information
For more information about new UM client features, see Client Features in Unified Messaging.
For more information about the Unified Messaging client features found in Outlook 2007, see
Managing Outlook Features for Exchange Unified Messaging.
For more information about the Play on Phone feature, see Outlook Features for Exchange
Unified Messaging: Play on Phone.
187
Understanding PBX and IP/PBX
Configurations
Increasingly, organizations are purchasing, installing, and maintaining the hardware
components, such as Private Branch eXchanges (PBXs) or IP/PBXs, which are required to
support their own telephony system. Many organizations are buying their own telephony
equipment and training their staff to reduce expenses that are associated with maintaining their
telephony systems, and because they want more control over the telephony features that they
offer.
For an organization to own and maintain their telephony network, they must buy the required
telephony hardware components. They must also consider the day-to-day maintenance of the
telephony equipment and the training that is required for their staff to support their telephony
system. This topic discusses the different types of telephony business or organizational
systems, the telephony hardware components that are required, and gives examples of the
different types of telephony configurations.
Important:
We recommend that all customers who plan to deploy
Microsoft Exchange Server 2007 Unified Messaging (UM) obtain the help of a Unified
Messaging specialist. This will help ensure a smooth transition from a legacy voice mail
system. Rolling out a new UM deployment or performing an upgrade of an existing
voice mail system requires significant knowledge about PBXs, IP/PBXs, and
Exchange 2007 Unified Messaging. For more information about who to contact, see
the Microsoft Exchange Server 2007 Unified Messaging (UM) Specialists Web site.
Overview of Telephony Systems
In circuit-switched networks, such as the Public Switched Telephone Network (PSTN), multiple
calls are transmitted across the same transmission medium. Frequently, the medium that is
used in the PSTN is copper. However, fiber optic cable might also be used.
A circuit-switched network is a network in which there exists a dedicated connection. A
dedicated connection is a circuit or channel that is set up between two nodes so that they can
communicate. After a call is established between two nodes, the connection may be used only
by these two nodes. When the call is ended by one of the nodes, the connection is canceled.
There are several different types or categories of telephone systems that are found in
businesses and organizations that can include a circuit-based network, and IP-based network,
or both. Each type of telephone system has distinct advantages and disadvantages that should
be considered when you plan and implement a telephony system.
• Centrex Centrex is a type of telephone service that telephone companies lease to
businesses and organizations. A traditional Centrex telephone system eliminates the need
188
for a business or organization to purchase the telephony hardware that is used onsite to
support the organization's telephone system. Typically, Centrex systems are used by small
offices that rent Centrex services from a telephone company on a line-by-line and monthby-month basis. Centrex telephony systems are sometimes used by larger organizations,
but are most frequently found in government, public, and private organizations. Centrex
frequently uses analog telephone lines for the connections to a business or organization.
However, it can also use T1-circuits with a demultiplexer onsite to support analog and
digital telephones or ISDN lines.
In a Centrex-based telephony system, the telephone company's central office acts as the
telephone exchange. It is designed specifically to support the needs of a given
organization. The central telephone office routes the calls that originate from inside the
company to the appropriate internal or external telephone number. Centrex uses the
telephone company’s central office exchange to route internal calls back to an extension.
For example, with Centrex, the telephone exchange or telephone company's central office
knows which extensions are internal. Therefore, an employee who is located within the
organization's telephony network can dial another employee in the same telephony network
or dial plan by using a 4-digit extension number. When a call is dialed to the internal
telephone extension number, it is forwarded to the telephone company’s central office and
then is routed back to the extension number that initiated the call.
A variation of a traditional Centrex telephony system is called IP Centrex. In an IP Centrex
telephone system, the call is sent through an IP/VoIP gateway that is located at a telephone
company’s central office or located onsite at a service provider. In this kind of telephone
system, the IP/VoIP gateway translates the call into IP-based data packets that can be sent
over the Internet or sent over a Voice over IP (VoIP)-based network. However, if the call is sent
over the Internet, there is typically another IP/VoIP gateway that receives the call and then
translates the call back to a traditional circuit-switched call.
Organizations that currently have a traditional Centrex telephone system in place must install,
deploy, and maintain one or more IP/VoIP gateways for Exchange 2007 Unified Messaging to
work correctly. Exchange 2007 Unified Messaging may require that you install, deploy, and
maintain IP/VoIP gateways to work with IP Centrex. There are several variables that will
determine whether you must have need an IP/VoIP gateway. These variables include the type
of telephones that are used in your organization (analog, digital, or IP) and the protocols that
are supported by the IP Centrex system.
• Key telephone In a Key telephone system, the telephone company’s central office is
connected to the organization by using standard analog or digital telephone lines. A single
telephone extension number is connected to multiple telephones so that when a call is
placed into the organization by using this telephone number, all the telephones that are
associated with that line or extension number will ring at the same time.
With Key telephone systems, individual users share lines across telephones. Therefore, callers
will not experience frequent busy signals when they try to call into an organization. Key
189
telephone systems are typically used by small offices where internal call volume is high but
external call volume is low.
Key telephone systems have become more sophisticated over time and can work with
Exchange 2007 Unified Messaging if an IP/VoIP gateway is added. However, some less
sophisticated systems may not work even if a supported IP/VoIP gateway is used.
• PBX A legacy PBX is a telephony device that switches calls in a telephony or circuitswitched network. A legacy PBX is a PBX that does not have a network adapter and cannot
pass IP packets. Because they cannot pass IP packets, some businesses and
organizations have replaced legacy PBXs with IP/PBXs. For a list of PBXs that are
supported by Exchange 2007 Unified Messaging, see the Telephony Advisor for Exchange
Server 2007 Web site.
PBXs are used by most medium- and larger-sized companies. A PBX enables users or
subscribers of the PBX to share a certain number of outside lines for making telephone
calls that are considered external to the PBX. A PBX is a much less expensive solution
than giving each user in a business a dedicated external telephone line. Telephones, in
addition to fax machines, modems, and many other communication devices, can be
connected to a PBX.
The PBX equipment is typically installed on an organization's premises and connects calls
between the telephones located onsite and the telephone company. A limited number of
outside lines, also known as trunk lines, are typically available for making and receiving
calls that are external to the business from an external source such as the PSTN.
To enable a legacy PBX to be used with Exchange 2007 Unified Messaging, you must
deploy a supported IP/VoIP gateway. For a list of supported IP/VoIP gateways, see the
Telephony Advisor for Exchange Server 2007 Web site.
• IP/PBX An IP/PBX is a PBX that has a network adapter that supports the IP protocol.
It is a piece of telephone switching equipment that generally resides in an organization or
business instead of being located at a telephone company office. There are two types of
IP/PBXs: traditional IP/PBXs and hybrid IP/PBXs. Both traditional IP/PBXs and hybrid
IP/PBXs support the IP protocol for sending voice conversations in packets to VoIP-based
telephones. However, hybrid IP/PBXs also connects traditional analog and digital
telephones.
IP/PBXs are frequently easier to administer than legacy PBXs, because administrators can
more easily configure IP/PBX services by using an Internet browser or another IP-based
tool. Also, no additional wiring, cabling, or patch panels must be installed. With an IP/PBX,
you can move an IP-based telephone by merely unplugging a telephone and plugging it in
at a new location. This enables you to avoid the costly service calls that are required to
move a telephone from legacy PBX vendors. Additionally, organizations that own an
IP/PBX do not have to incur the additional infrastructure costs that are required to maintain
and manage separate circuit-switched and packet-switched networks. For a list of IP/PBXs
190
that are supported for Exchange 2007 Unified Messaging, see the Telephony Advisor for
Exchange Server 2007 Web site.
Legacy and Traditional PBX Configurations
On telephony networks that have legacy or traditional PBXs, a PBX does the following:
•
Creates connections or circuits between the telephone sets of two users
•
Maintains the connection as long as the users need the connection.
•
Provides information for accounting purposes (for example, meters calls)
In addition to the three functions included in the previous list, PBXs may offer other calling
features such as:
•
Auto attendants
•
Call accounting
•
Call pick-up
•
Call transfer
•
Call waiting
•
Conference calling
•
Direct Inward Dialing (DID)
•
Do Not Disturb (DND)
Although there are several manufacturers of PBXs, they all fit into two basic categories: analog
and digital. These types of PBXs are frequently known as legacy or traditional PBXs.
Typically, PBX systems are connected to the telephone company’s central office by using
special telephone lines, known as T1- and E1-lines. T1- and E1-lines have multiple channels.
These telephone lines are also known as trunk lines. They enable the central office or the PBX
to send multiple calls over the same line for better efficiency by using a simplified wiring layout.
A PBX can also work with analog or ISDN lines.
You can control how many channels or lines you want to configure to receive calls that come
from external callers and how many channels or lines to devote to calls that come from callers
inside your organization by correctly configuring your PBX. Configuring the number of channels
or lines helps prevent busy signals and enables you to configure the number of channels or
lines that can be devoted to applications such as call centers. Correctly configuring your PBX is
a cost effective method for managing the channels or lines in your organization because it
reduces the number of leased lines that are needed.
A PBX can route a specific dialed telephone number to a specific telephone so that users can
have their own individual telephone number or extension number. This is known as a Direct
Inward Dialing (DID) number. When the telephone number is dialed for a user, the telephone
191
company sends the DID number to the PBX by using Dialed Number Identification Service
(DNIS). Because the telephone company uses DNIS to send the number, there is no need for
operator intervention to route the call. The PBX has the information about the call to correctly
route it to the number that was dialed by the caller. For a list of PBXs that are supported by
Exchange 2007 Unified Messaging, see the Telephony Advisor for Exchange Server 2007 Web
site.
Analog and Digital PBXs
Analog PBXs send voice and call signaling information, such as the touch tones of a dialed
telephone number, as an analog sound. Therefore, the sound is never digitized. To correctly
direct the call, the PBX and the telephone company’s central office have to listen for the
signaling information.
Note:
Touchtone is more technically known as dual tone multi-frequency (DTMF). When a
caller presses a key on a telephone keypad, the telephone produces two separate
tones: a high frequency tone and a low frequency tone. When a person speaks into the
telephone, only a single tone or frequency is emitted. Sending two tones with different
frequencies at the same time reduces the possibility that the signaling tones will be
interpreted as a human voice or that a human voice will be interpreted as the signaling
tones.
Digital PBXs encode or digitize the analog sound into a digital format. Digital PBXs typically
encode the voice sounds using a standard industry audio codec like G.711 or G.729. After the
digitized voice is encoded, it is sent over a channel by using circuit switching. Circuit switching
sets up an end-to-end open connection. It leaves the channel open for the length of the call and
for the caller's exclusive use. However, the signaling method that is used by the PBX depends
on the manufacturer. PBX manufacturers may have their own proprietary signaling method for
call setup. For more information about the audio codecs that are used, see Understanding
Unified Messaging Audio Codecs.
Note:
Digital PBXs can support both digital and analog trunk lines.
In larger organizations, PBXs make it possible for employees in separate physical locations to
contact one another by dialing an extension number for a user. This can be done by using a
single PBX or may involve multiple PBXs that are networked together. PBXs at different office
locations can be connected to a single transparent circuit-switched network by using T1- or E1lines. When these lines connect PBXs together, they are frequently known as tie lines. The
PBXs communicate with one another other across the tie lines by using a PBX-to-PBX
protocol, such as QSIG. QSIG lets a set of PBXs act as if they are a single PBX.
This kind of PBX environment can also include advanced features, such as call transferring and
telephone conferencing. In addition to allowing for advanced features, having two connected
192
PBXs can also save the organization money because long distance charges between
employees in the different locations will be reduced. This is because a call made between two
employees remains on a tie line between the PBXs and requires that the user dial only an
extension number for the other user instead of placing a long distance call.
Figure 25 illustrates a typical telephony and data network that includes legacy or traditional
PBXs.
Figure 25 Legacy and traditional PBX configuration
In a telephony environment that includes a single or multiple analog or digital PBXs, an IP/VoIP
gateway is required between the PBX and the Exchange 2007 computer that has the Unified
Messaging server role installed to convert the circuit-based protocols that are found on a
telephony network into the IP-based protocols that are found on a data network. For more
information about IP/VoIP gateways, see the following topics:
•
Supported IP/VoIP Gateways
•
IP/PBX and PBX Support
•
Managing IP/VoIP Gateways
For a list of IP/VoIP gateways that are supported for Exchange 2007 Unified Messaging, see
the Telephony Advisor for Exchange Server 2007 Web site.
IP/PBX Configurations
An IP/PBX is a PBX that supports the IP protocol to connect telephones by using an Ethernet
or packet-switched LAN. It sends voice conversations in IP or data packets. An IP/PBX may
have multiple interfaces. These include interfaces for a data network and other interfaces that
allow for a connection to a telephony or circuit-switched network.
The development of real-time Internet protocols has made it possible to successfully send
voice and fax messages over a data network. Such real-time Internet protocols include the
VoIP protocols that are used with Exchange 2007 Unified Messaging: Session Initiation
Protocol (SIP) over Transmission Control Protocol (TCP) for voice messaging and T.38 for
faxing. These protocols have made it possible to successfully send voice and fax
messages over a data network. Real-time VoIP protocols are required to send voice messages
193
over a packet-switched or data network so that the delivery order and timing of data packets
can be maintained and controlled. If these protocols were not used to maintain and control the
delivery and timing of the data packets, a person's voice would be broken up and would be
sound incoherent or the images might appear garbled. For more information about VoIP
protocols that are used in Exchange 2007 Unified Messaging, see Understanding Protocols,
Ports, and Services in Unified Messaging. For a list of IP/PBXs that are supported for
Exchange 2007 Unified Messaging, see the Telephony Advisor for Exchange Server 2007 Web
site.
Note:
Exchange 2007 Unified Messaging supports only SIP over TCP.
Traditional IP/PBX Configurations
A standard or traditional IP/PBX contains at least a single network interface that connects to a
data network by using VoIP protocols. It may also contain additional network interfaces or other
telephony interfaces that enable it to connect to an existing telephony network such as the
PSTN. The connection to the data network allows for communication with other VoIP hosts that
are located on the data network by using IP data packets. These VoIP hosts include other
IP/PBXs, VoIP-based telephones, IP/VoIP gateways. and Exchange 2007 Unified Messaging
servers. A traditional IP/PBX is does not support analog or digital telephones. It supports only
VoIP telephones.
Figure 26 illustrates a typical telephony and data network that includes a traditional IP/PBX.
Figure 26 IP/PBX configuration
Because the IP/PBX can already connect to a data network and can convert the circuit-based
protocols from the PSTN to packet-switched VoIP protocols, an IP/VoIP gateway may not be
required to enable communication with Unified Messaging servers on the data network.
194
IP/PBX Hybrid Configurations
Hybrid IP/PBXs can provide analog, digital, and VoIP-based capabilities. If the correct
interfaces are installed on an IP/PBX and the software that supports multiple types of interfaces
is installed correctly, the IP/PBX is considered a hybrid IP/PBX. An IP/PBX hybrid makes it
possible to use a mixture of analog, digital, and IP-based telephones.
Most modern IP/PBXs can support and provide all three types of voice communication or a
traditional IP/PBX can be upgraded to a hybrid IP/PBX by installing the necessary interfaces
and software or firmware updates.
The mixture of analog, digital, and IP-based telephones makes it possible for users in your
organization to use many new features and also provides great flexibility in your telephony
environment. Using an IP/PBX hybrid also allows for a more gradual migration to a completely
VoIP-based telephony environment and voice messaging system for your organization.
The following Figure 27 illustrates a typical telephony and data network that includes an IP/PBX
hybrid configuration.
Figure 27 IP/PBX hybrid configuration
There are several factors that determine whether an IP/VoIP gateway will be required when you
connect with an Exchange 2007 Unified Messaging server. One of these factors is the
compatibility of the VoIP protocols that are used by the IP/PBX or hybrid IP/PBX and
Exchange 2007 Unified Messaging. If an IP/VoIP gateway is not required, it will reduce the
complexity of the telephony infrastructure, and the support that you must have
for Exchange 2007 Unified Messaging will be simpler.
Calling or Called Party Identification
Calling or called party identification is a telephone company service that can tell the person
who is receiving the call the telephone number and sometimes the name of the person who is
calling and other information about the call. This information is sent over a serial cable by using
195
call signaling. When a call is received by a PBX or IP/PBX from a telephone company, the call
includes calling identification information such as the following:
•
The calling party's number
•
The called party's number
• Status codes such as a ring-no-answer, the state or condition of the line, line busy, and
call forward always (CFA)
•
The line or port number that is being used for the call
Note:
The call information, which is sent by using one of the signaling methods that is listed
later in this section, is also used to enable Message Waiting Indicator (MWI)
functionality. Exchange 2007 Unified Messaging does not include support for the
Message Waiting Indicator (MWI) feature. However, you can obtain information about
how to enable this feature by visiting the Geomant Web site. This third-party
application extends Exchange 2007 Unified Messaging to include the Message Waiting
Indicator (MWI) and Short Message Service text messaging capability.
Note:
The third-party Web site information in this topic is provided to help you find the
technical information you need. The URLs are subject to change without notice.
In telephony, the signaling information is used to exchange information between endpoints on a
network to set up, control, and end calls. Several signaling methods that are used by IP/VoIP
gateways and IP/PBXs are supported by Exchange 2007 Unified Messaging. The signaling
method that is used depends on the type of device that is being used and the type of signaling
method that is used by the telephone company. The most important factor is that the device
that is connecting to the telephone company and to the IP/VoIP gateway or IP/PBX must
support at least one of the signaling methods that enable calling or called party information to
be sent and received by callers. For more information about signaling configuration information
for a supported IP/VoIP gateway, see the following:
•
For AudioCodes IP/VoIP gateways, see the Microsoft UM Specialist Resource Page.
• For Dialogic IP/VoIP gateways, see the Certified Dialogic Media Gateways for
Microsoft Exchange Server 2007 Unified Messaging.
Note:
The third-party Web site information in this topic is provided to help you find the
technical information you need. The URLs are subject to change without notice.
Although there are other signaling methods that can be used, the two most popular signaling
methods are as follows:
• Simplified Message Desk Interface (SMDI) SMDI is a protocol that is used to
provide signaling, call control, and calling identification information from an interface
196
between a telephone system and a voice mail system. It is used to provide the voice mail
system with the information that it must have to process an incoming call. Every time that
an incoming call is sent by using SMDI over a serial interface or RS-232 interface, the
information that is sent will identify the line or port, the type of call, and the calling or called
party numbers. The SMDI cable connects from a device such as a PBX to a serial
connection on the IP/VoIP gateway. However, SMDI is also used with IP/PBXs. The SMDI
protocol allows for a maximum of only 10 digits for each calling and called number. This is
a limitation of the protocol and cannot be changed.
• In-band In-band signaling allows for the exchange of signaling, call control, and
calling identification information from a telephone company. This information is sent over
the same channel and in the same band (300 Hz to 3.4 kHz) as the voice and other sounds
that are being made during the call. For example, when a user places a call by using DTMF
or touchtone dialing and talks to the called party, both the touchtone and the voice
conversation use the same channel and band. In-band signaling is less secure because
the control signals are exposed to the user and is a less popular signaling method than
SMDI. In-band signaling applies only to Channel Associated Signaling (CAS).
Important:
We recommend that all customers who plan to deploy Exchange 2007 Unified
Messaging obtain the assistance of a Unified Messaging specialist. A Unified
Messaging specialist will help make sure that there is a smooth transition to
Exchange 2007 Unified Messaging from a legacy voice mail system. Performing a
new deployment or upgrading a legacy voice mail system requires significant PBX
and Exchange 2007 Unified Messaging knowledge. For more information about
how to contact a Unified Messaging specialist, see the Microsoft Exchange Server
2007 Unified Messaging (UM) Specialists Web site.
For More Information
For more information about other telephony concepts, see Overview of Telephony Concepts
and Components.
Overview of Unified Messaging
Components
The Microsoft Exchange Server 2007 Unified Messaging (UM) server role introduces new
concepts in Exchange messaging. Exchange 2007 Unified Messaging provides a single
storage location for e-mail, voice mail, and fax messages.
This topic provides an overview of the new components, features, and concepts in
Exchange 2007 Unified Messaging, including the following:
197
•
Active Directory Unified Messaging objects
•
Auto attendants
•
Subscriber access by using Outlook Voice Access
Active Directory Unified Messaging Objects
After you install and configure the Unified Messaging server role on a computer that is running
Exchange 2007, you create Active Directory objects that enable the Unified Messaging
functionality that is found in Exchange 2007. You must create the following objects after you
successfully install the Unified Messaging server role:
•
Dial Plan objects
•
IP Gateway objects
•
Hunt Group objects
•
Mailbox Policy objects
•
Auto Attendant objects
•
Unified Messaging Server objects
The Active Directory UM objects provide the configuration information that is required to
integrate Exchange 2007 Unified Messaging, Active Directory, and the existing telephony
infrastructure. Each type of object that is created in Active Directory controls a feature set in
Exchange 2007 Unified Messaging.
For example, when you create a UM Auto Attendant object, the settings on the Auto Attendant
object control the features and settings for that auto attendant. When you configure or modify
an Auto Attendant object, you control such settings as business hours, non-business hours,
informational greetings, and whether to use dual tone multi-frequency (DTMF) inputs or to
enable speech recognition for the auto attendant.
For more information about Unified Messaging objects, see Overview of Unified Messaging
Active Directory Objects.
Auto Attendants
When internal or external callers call in to the Exchange 2007 Unified Messaging system, a
series of voice prompts assists them in moving through the menu system called an auto
attendant. The auto attendant enables the caller to connect to a person in an organization or
locate a user in the organization so that they can place a call without assistance from a human
operator. Callers hear voice prompts instead of a human operator, such as, "Press 1 for
technical support."
198
You can create multiple auto attendants in Exchange 2007 Unified Messaging. Within
Active Directory, each auto attendant is represented as an object. Configuration settings for an
auto attendant are made on the Active Directory object and can include language settings,
customized menus, and other menu navigational settings. You can also configure each UM
auto attendant so that when an external caller or an internal caller places a call, and it is
answered by a UM auto attendant, the caller can use either DTMF inputs or voice inputs to
move through the Unified Messaging menu system.
Note:
When a caller uses the keypad on a telephone to move through the menu system, it is
called DTMF input. If this is the case, the telephone user interface (TUI) is used.
For more information about auto attendants, see Understanding Unified Messaging Auto
Attendants.
Subscriber Access
Exchange 2007 Unified Messaging gives subscribers access to the Unified Messaging system.
A subscriber is an internal business user or network user who has been enabled for Unified
Messaging and has an Exchange 2007 mailbox. Subscriber access is used by the internal
users to access their individual mailboxes to retrieve e-mail, voice messages, and contact and
calendar information. Each Dial Plan object that is created contains at least one subscriber
access number or extension number. Subscribers use this telephone or extension number to
access their individual mailboxes.
For more information about subscriber access, see Understanding Unified Messaging
Subscriber Access.
There are two Exchange 2007 Unified Messaging user interfaces available to UM-enabled
subscribers: the telephone user interface (TUI) and the voice user interface (VUI). In
Exchange 2007, these two interfaces together are called Outlook Voice Access. A subscriber
can use Outlook Voice Access when they access the Unified Messaging system from an
external or internal telephone. They can use Outlook Voice Access to access their
Exchange 2007 mailbox, including their personal e-mail, voice messages, and calendar
information.
Note:
For a copy of the Microsoft Exchange 2007 Unified Messaging Outlook Voice Access
Quick Reference Guide, visit the Microsoft Download Center.
For More Information
• For more information about Unified Messaging call answering, see Understanding
Unified Messaging Incoming Call Handling.
199
• For more information about Exchange 2007 Unified Messaging, see Unified
Messaging.
• For more information about telephony concepts and components, see Overview of
Telephony Concepts and Components.
Understanding Unified Messaging
Incoming Call Handling
This topic provides an overview of the call handling features that are included with
Microsoft Exchange Server 2007 Unified Messaging (UM). Each section in this topic gives you
the information that is required to understand one or more of the call handling features that are
included in Exchange 2007 Unified Messaging.
Overview
Call handling is a term that is used to describe how incoming calls are answered and handled
by a computer that is running Exchange 2007 Unified Messaging. The types of incoming calls
that are handled by Exchange 2007 UM include the following:
•
Voice calls
•
Fax calls
•
Outlook Voice Access
•
The Play on Phone feature
•
UM auto attendants
For more information about Unified Messaging message flow and routing, see Overview of the
Unified Messaging Call Processing.
Voice Calls
Voice call handling is used when an internal or external user leaves a voice message for a
subscriber on the Exchange 2007 Unified Messaging system. Incoming voice calls are created
as MIME messages and then submitted by using Simple Mail Transfer Protocol (SMTP) from
the Exchange 2007 computer that has the Unified Messaging server role installed to an
Exchange 2007 computer that has the Hub Transport server role installed. The two server roles
must be installed in the same Active Directory site. The SMTP message transport for incoming
voice calls is not only site aware, but all voice messages are submitted to the Hub Transport
server by using SMTP, even if the mailbox resides on the same computer that has the Mailbox
server role installed.
200
For more information about voice calls and message routing, see Unified Messaging Voice and
Fax Call Processing.
Fax Calls
Fax call handling is used when an internal or external user sends a fax message to a UMenabled recipient on the Exchange 2007 Unified Messaging system. Incoming fax calls are
created as MIME messages and are submitted from the Unified Messaging server to a Hub
Transport server in the same Active Directory site by using SMTP. The SMTP message
transport for incoming fax calls is not only site aware, but all fax messages are submitted to the
Hub Transport server by using SMTP, even if the mailbox resides on the same Mailbox server.
For more information about fax calls and message routing, see Unified Messaging Voice and
Fax Call Processing.
Outlook Voice Access
Unified Messaging servers also process and route incoming calls that are received by Outlook
Voice Access users. When a UM-enabled user or subscriber dials a subscriber access number
that is set on a UM dial plan to access their Exchange 2007 mailbox, they are presented with a
welcome message and a series of telephone user interface (TUI) voice prompts. The voice
menu system that is presented to the user is called Outlook Voice Access. These voice prompts
help the user to navigate and interact with the Unified Messaging system by using touchtone or
speech inputs.
Note:
When an Outlook Voice Access caller uses touchtone inputs on a telephone keypad,
the TUI is used. When the same caller uses speech inputs over the telephone, the
voice user interface (VUI) is used.
For more information about the TUI voice prompts found in Exchange 2007 Unified Messaging,
see Understanding Unified Messaging Audio Prompts.
Outlook Voice Access is the feature that enables a UM-enabled user to access their
Exchange 2007 mailbox by using an analog, digital, or cellular telephone. By accessing their
Exchange 2007 mailbox they can perform the following tasks:
•
Listen to new and saved e-mail and voice mail messages.
•
Forward, reply, save, and delete e-mail and voice messages.
•
Interact with their calendar, including:
•
Listening to daily calendar appointments and meeting details.
•
Accepting or declining e-mail and meeting requests.
•
Sending an "I'll be late" message to meeting participants.
201
• Replying to a meeting request by using voice inputs to send a message to meeting
participants.
•
Declining or canceling meetings.
• Interact with global address list (GAL) and personal contacts. These interactions may
include:
•
•
Locating a person in the GAL or personal contacts.
•
Inputting a telephone extension number to leave a message for a person.
•
Sending a voice message to a person.
Change their PIN, spoken name, or greetings.
For more information about how to navigate the Outlook Voice Access menus, see the
Microsoft Exchange Server 2007 Unified Messaging Outlook Voice Access Quick Start Guide.
This guide is available in the <Program Files>\Microsoft\Exchange Server\bin folder.
For more information about Outlook Voice Access message routing, see Unified Messaging
Outlook Voice Access Call Processing.
The Play on Phone Feature
To enable the Play on Phone feature for UM-enabled users, the UM server must first answer
and then correctly route a call when it is placed by a user who is using
Exchange 2007 Outlook Web Access or Microsoft Office Outlook 2007. If a UM-enabled user is
in a location that is not private or the voice message is confidential, they will likely not want to
play their voice message over their computer speakers. The Exchange 2007 Unified Messaging
Play on Phone feature lets a UM-enabled user listen to a voice message by using a telephone
instead of playing it over their computer speakers or headphones.
For more information about Play on Phone message flow see, Unified Messaging Play on
Phone Call Processing.
UM Auto Attendants
To enable the UM auto attendant feature found in Exchange 2007 Unified Messaging, UM
servers must correctly answer and then route the incoming calls that are received from internal
and external anonymous or unauthenticated users.
To enable a UM auto attendant to answer incoming calls, you must first enable and configure a
UM auto attendant. Creating and configuring UM auto attendants is an optional feature in
Exchange 2007 Unified Messaging. However, auto attendants help internal and external callers
locate and place calls to company users or departments that are in an organization.
A UM auto attendant is a set of voice prompts that callers hear instead of a human operator
when they place a call to an organization that has Exchange 2007 Unified Messaging. A UM
202
auto attendant helps callers navigate the organization's menu system by using dual tone multifrequency (DTMF) (also known as touchtone) inputs or voice-activated inputs that use Speech
Recognition so that they can locate a user or caller in an organization and then place a call to
that user or department.
• For more information about UM auto attendant message routing, see Unified
Messaging Auto Attendant Call Processing.
• For more information about UM auto attendants, see Understanding Unified Messaging
Auto Attendants.
For More Information
• For more information about Unified Messaging concepts, see Overview of Unified
Messaging Components.
• For more information about subscriber access, see Understanding Unified Messaging
Subscriber Access.
Understanding Unified Messaging
Subscriber Access
When you are deploying Microsoft Exchange Server 2007 Unified Messaging, you must
understand subscriber access and the new features that are included with Exchange 2007 that
depend on subscriber access. This topic describes subscriber access and how it is used
in Exchange 2007 Unified Messaging to let subscribers, also known as UM-enabled users,
access their Exchange 2007 mailbox.
Subscriber Access
A subscriber is an internal business user or network user who is enabled for Exchange 2007
Unified Messaging. Subscriber access is used by users to access their individual mailboxes to
retrieve e-mail, voice messages, contacts, and calendaring information. Outlook Voice Access
is the new Exchange 2007 Unified Messaging feature that lets subscribers access their
Exchange 2007 mailbox.
When you enable subscriber access for Exchange 2007 UM-enabled users, you must install
the Exchange 2007 Unified Messaging server role on the computer that is running
Exchange 2007 and verify that at least one of each of the following have been created:
•
UM dial plan
•
UM mailbox policy
203
•
UM IP gateway
•
UM hunt group
Note:
If you want to prevent a user from receiving voice mail but want to allow them
access to their Exchange 2007 mailbox by using Outlook Voice Access, you can
enable the user for Unified Messaging and configure the user's mailbox with an
extension number that is currently not being used by another user in the
organization.
• When you configure subscriber access, you configure the UM dial plan to have a
subscriber access number. The telephone number or number that is configured on the UM
dial plan is the telephone number that subscribers will use to access their Exchange 2007
mailboxes over the telephone by using Outlook Voice Access. The subscriber access
feature included with Exchange 2007 Unified Messaging resembles other unified
messaging solutions. However, Exchange 2007 offers more advanced features than other
unified messaging solutions. For more information about how to create or modify UM dial
plans and enable subscriber access, see How to Create a New Unified Messaging Dial
Plan.
Note:
A UM dial plan must contain at least one subscriber access number, but can contain
multiple subscriber access numbers.
For more information about how to enable a user for Unified Messaging, see How to Enable a
User for Unified Messaging.
Outlook Voice Access
There are two Exchange 2007 Unified Messaging user interfaces available to subscribers: the
Telephone User Interface (TUI) and the Voice User Interface (VUI). In Exchange 2007 these
two interfaces together are called Outlook Voice Access. Outlook Voice Access can be used
when a subscriber accesses the Unified Messaging system from an external or internal
telephone to access their individual mailbox, including their personal e-mail, voice messages,
contacts, and calendaring information in their Exchange 2007 mailbox.
Note:
For a copy of the Microsoft Exchange 2007 Unified Messaging Outlook Voice Access
Quick Reference Guide, see the Microsoft Download Center.
The following scenarios demonstrate how Outlook Voice Access can be used for subscriber
access:
• From a telephone: An Outlook Voice Access user places a call to the subscriber access
number from a telephone and wants to access their voice mail. The voice prompt says,
204
"Welcome. You are connected to Microsoft Exchange. To access your mailbox, please
enter your extension. To contact someone, press the # key." After the user enters their
mailbox extension number, the voice prompt will say, "Please enter your PIN and press the
# key." After the user enters their PIN, the voice prompt says, "You have 2 new voice mails,
10 new e-mail messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal contacts, directory, or personal options." When the user says "Email", UM reads the message header and then the name, subject, time, and priority for the
messages that are in the subscriber's mailbox.
• From a telephone: An Outlook Voice Access user places a call to the subscriber access
number from a telephone and wants to access their voice mail. The voice prompt says,
"Welcome. You are connected to Microsoft Exchange. To access your mailbox, please
enter your extension. To contact someone, press the # key." After the user enters their
mailbox extension, the voice prompt will say, "Please enter your PIN and press the # key."
After the user enters their PIN, the voice prompt says, "You have 2 new voice mails, 10
new e-mail messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal contacts, directory, or personal options." When the user says
"Calendar", UM says, "Sure, and which day should I open?" The user says, "Today's
calendar." UM responds by saying, "Opening today's calendar." UM reads each of the
calendar appointments for that day for the user.
Note:
If a Unified Messaging server encounters a corrupt calendar item in a user's
mailbox, it will fail to read the item, but will return the caller to the Outlook Voice
Access main menu and will skip reading any additional meetings that may be
scheduled for the rest of the day.
• From a telephone: An Outlook Voice Access user places a call to the subscriber access
number from a telephone and wants to access their voice mail. The voice prompt says,
"Welcome. You are connected to Microsoft Exchange. To access your mailbox, please
enter your extension. To contact someone, press the # key." After the user enters their
mailbox extension number, the voice prompt will say, "Please enter your PIN and press the
# key." After the user enters their PIN, the voice prompt says, "You have 2 new voice mails,
10 new e-mail messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal contacts, directory, or personal options." The user says "Voice
mail" and UM reads the message header and then the name, subject, time, and priority for
the voice messages that are in the user's mailbox.
Important:
For the VUI or Automatic Speech Recognition (ASR) to be used for subscriber
access, it must be enabled on the UM dial plan to enable the VUI functionality as
described in the earlier scenarios.
205
Note:
If speech recognition is enabled, users can access their UM-enabled mailbox by
using speech input. However, subscribers can also use touchtone, also known
as dual tone multi-frequency (DTMF), by pressing 0. Speech recognition is not
enabled for PIN input.
• From a telephone: An Outlook Voice Access user places a call to the subscriber access
number from a telephone and wants to locate a person in the directory by spelling their email alias. The voice prompt says, "Welcome. You are connected to Microsoft Exchange.
To contact someone, press the # key." The user presses the # key, and then spells the
name of the person they want to contact by using DTMF or touchtone inputs.
Note:
The directory search feature with subscriber access is not speech-enabled. Users
will be able to spell the name of the person who they want to contact only by using
DTMF inputs.
Important:
• In some companies (especially in East Asia), office telephones may not have
letters on the keys of the telephone. This makes the spell-the-name feature that uses
the DTMF interface almost impossible without a working knowledge of the key
mappings. By default, Exchange 2007 Unified Messaging uses the E.161 key mapping.
For example, 2=ABC, 3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ.
• When inputting the combination of letters and numbers, for example "Mike1092",
the numeric digits are mapped to themselves. For an e-mail alias of "Mike1092" to be
entered correctly, the user will have to press the numbers 64531092. Also, for
characters other than A-Z and 0-9, there will not be a telephone key equivalent.
Therefore, these characters should not be entered. For example, the e-mail alias
"mike.wilson" would be entered as 6453945766. Even though there are 11 characters
to be input, only 10 digits are entered by the user because the period (.) does not have
a digit equivalent.
For More Information
• For more information about Unified Messaging call answering, see Understanding
Unified Messaging Incoming Call Handling.
206
Understanding Unified Messaging Audio
Prompts
When you install the Unified Messaging server role on a computer that is running
Microsoft Exchange Server 2007, a common set of default audio files that are used for Unified
Messaging system and menu prompts, greetings, and informational announcements are copied
to the computer that is running the Unified Messaging server role. Although you can have a
fully functional UM auto attendant or a dial plan that uses only the default audio prompts that
are included in Exchange 2007, the audio files that are installed for greetings, informational
announcements, and system and menu prompts are too generic to serve as an acceptable
public interface for many companies. This topic discusses the system and menu prompts,
greetings, and informational announcements that are used by UM dial plans and auto
attendants and how they are used when callers access the Unified Messaging system.
Overview of Audio Prompts and Greetings
After the Unified Messaging server role has been installed, audio files for UM dial plans and
auto attendants are copied to the UM server. By default, the installation program copies the
audio files to the Program Files\Microsoft\Exchange Server\Unified
Messaging\Prompts\<language> folder. If you have installed the U.S. English version of
Exchange 2007, a folder named \en is created during installation to hold the U.S. English
versions of the system prompts. These system prompts are played to callers by the UM server
to enable them to hear greetings, menu prompts, and informational announcements and to
enable callers to navigate the Unified Messaging menus.
These system audio files or prompts that are copied to the UM server should never be
changed. However, Unified Messaging does enable you to customize UM dial plan and auto
attendant welcome greetings, main menu prompts, and informational announcements.
Table 21 summarizes the prompts and greetings that are used with UM dial plans.
Table 21 Audio prompts for UM dial plans
Prompts and greetings
Description
System prompts
Must not be modified.
Welcome greeting
The default welcome greeting is a system
prompt that is played by default. However, you
can use a customized greeting file that you
create.
207
Prompts and greetings
Description
Informational announcement
By default, informational announcements are
disabled. If you enable an informational
announcement, you must specify a customized
greeting file.
Table 22 summarizes the prompts and greetings that are used with UM auto attendants.
Table 22 Audio prompts for UM auto attendants
Prompts and greetings
Description
System prompts
Must not be modified.
Business hours menu prompts
By default, business hours menu prompts are
enabled and a system prompt is played.
However, you can use a customized greeting
file that you create.
Non-business hours menu prompts
By default, non-business hours prompts are
enabled and a system prompt is played.
However, you can use a customized greeting
file that you create.
Business hours greeting
By default, a business hours greeting is
enabled and a system prompt is played.
However, you can use a customized greeting
file that you create. This is also known as a
welcome greeting.
Non-business hours greeting
By default, a non-business hours greeting is
enabled and a system prompt is played.
However, you can use a customized greeting
file that you create. This is also known as a
welcome greeting.
Informational announcement
By default, informational announcements are
disabled. If you enable an informational
announcement, you must specify a customized
greeting file.
Caution:
Modifying the system prompts that are installed is not a supported configuration.
208
System Prompts
Exchange 2007 Unified Messaging (UM) is installed with a set of default audio prompts for use
with Outlook Voice Access, dial plans, and auto attendants. There are hundreds of system
prompts for each language that are installed on the computer that is running the Unified
Messaging server role. The UM server plays the audio files for these system prompts to callers
when they access the Unified Messaging system. Examples of these system prompts include
the following:
•
"Please enter your PIN."
•
"To access your mailbox, enter your extension."
•
"To contact someone, press the # key."
•
"Spell the name of the person you are calling, last name first."
•
"To reach a specific person, just tell me their name."
Caution:
Modifying the system prompts that are installed is not a supported configuration.
Note:
When the Microsoft Exchange Unified Messaging service starts on the computer
that is running the Unified Messaging server role, it will verify that all the system
prompts are available. If a system prompt cannot be found, it will return an error. To
fix the error that is returned, locate the event by using Event Viewer and copy the
file that is listed in the Event Properties window from the Exchange 2007
installation DVD into the appropriate folder on the UM server.
UM Dial Plan Greetings and Announcements
After you install the Unified Messaging server role and create a UM dial plan, you have the
option to use the audio files for the default system prompts that are copied to the UM server
during installation or to create customized audio files that can be used with UM dial plans.
UM dial plans have a welcome greeting and an optional informational announcement that you
can modify. The welcome greeting is used when Outlook Voice Access users or another caller
calls the subscriber access number. The callers hear a default welcome greeting that
says, "Welcome, you are connected to Microsoft Exchange." This audio file is the default
greeting for a UM dial plan. However, you might want to change this greeting and provide an
alternative welcome greeting that is specific to your company, such as, "Welcome to Outlook
Voice Access for Woodgrove Bank." If you customize this greeting, you record the customized
greeting and save it as a .wav file, and then you configure the dial plan to use this customized
greeting.
209
UM allows for an informational announcement to follow the welcome greeting. By default, there
is no informational announcement configured. However, you may want to provide one for
callers. You can use the informational announcement for general announcements that change
more frequently than the welcome greeting or for announcements that are required by
corporate compliance policies. When it is important that the whole informational announcement
is heard, you can configure it to be uninterruptible. This prevents a caller from pressing a key or
speaking a command to interrupt and stop the informational announcement.
Table 23 describes the UM dial plan greetings and informational announcements.
Table 23 UM dial plan greetings and informational announcements
Greeting
Default example
Customized example
Welcome greeting
"Welcome, you are connected
to Microsoft Exchange."
"Welcome to Outlook Voice
Access for Woodgrove Bank."
Informational announcement
By default, an informational
announcement is not
configured.
"By using this system you
agree to adhere to all
corporate policies when you
are accessing this system."
When you are customizing and configuring greetings and announcements, make sure that the
language setting that is configured on the UM dial plan is that same as the language of the
custom prompts that you create. If not, a caller may hear one message or greeting in one
language and another message or greeting in a different language.
UM Auto Attendant Greetings, Announcements,
and Menu Prompts
Like with UM dial plans, UM auto attendants have a welcome greeting, an optional
informational announcement, and an optional custom menu prompt. There are different
versions of the welcome greeting and menu prompt that you can configure for business hours
and non-business hours. You can modify all of them.
The welcome greeting is the first thing that a caller hears when a UM auto attendant answers
their call. By default, this says, "Welcome to the Microsoft Exchange auto attendant." The audio
file that is played for the call is the default system prompt for the UM auto attendant. However,
you may want to provide an alternative greeting that is specific to your company, such
as, "Thank you for calling Woodgrove Bank." To customize this welcome greeting, record the
customized greeting and save it as a .wav file, and then configure the auto attendant to use this
customized greeting. As with the welcome greetings, you can also customize the menu
prompts.
210
UM also allows for an informational announcement to follow a business hours greeting or a
non-business hour greeting. By default, no informational announcement is configured, but you
may want to provide one to callers. The informational announcement can announce your
company's business hours, for example, "Our business hours are 8:00 A.M. to 5:00 P.M.,
Monday through Friday, and 8:30 A.M. to 1:00 P.M. on Saturday." The informational
announcement can also provide information that is required for compliance with corporate
policies, for example, "Calls may be monitored for training purposes." When it is important that
the whole informational announcement is heard, you can configure it to be uninterruptible. This
prevents the caller from pressing a key or speaking a command to interrupt and stop the
informational announcement.
Table 24 describes the UM auto attendant greetings and informational announcements.
Table 24 UM auto attendant greetings, informational announcement and menu prompts
Greeting
Default example
Customized example
Business hours greeting
"Welcome to the
Exchange auto attendant."
"Thank you for calling
Woodgrove Bank."
Non-business hours greeting
No default non-business
hours greeting is played until
you configure the business
hours for the auto attendant.
However, the business hours
greeting is played for callers
during all times of the day.
"You have reached
Woodgrove Bank after
business hours. Our business
hours are from 8:00 A.M. until
5:00 P.M., Monday through
Friday."
Informational announcement
By default, informational
announcements are not
configured.
"Calls may be monitored for
training purposes."
Business hours main menu
prompt
No default business hours
main menu prompt will be
played until you configure key
mappings on the auto
attendant.
"For technical support, press
or say 1. For corporate offices
and administration, press or
say 2. For sales, press or say
3."
Non-business hours main
menu prompt
No default non-business
hours main menu prompt will
be played until you configure
key mappings and the
business hours schedule on
the auto attendant.
"Your call is very important to
us. However, you have
reached Woodgrove Bank
after business hours. If you
want to leave a message,
please press or say 1, and we
will return your call as soon as
possible."
211
Like with UM dial plans, make sure that the language setting that is configured on the UM auto
attendant is the same as the language of the custom greetings that you create and is set to the
same language as the UM dial plan. If not, a caller may hear one message or greeting in one
language and another message or greeting in a different language.
Customizing Greetings, Announcements, and
Menu Prompts
Although the system prompts must not be replaced or changed, you will probably want to
customize the greetings, informational announcements, and menu prompts that are used with
UM dial plans and auto attendants. After the Unified Messaging server role is installed, you can
configure the UM dial plans and auto attendants to use these custom audio files (.wav). You
must perform the following steps before you can enable custom voice prompts for callers:
• Record the custom greeting and save it as a .wav file. The Linear PCM (16 bit/sample),
8 kilohertz (kHz) audio codec must be used to encode the .wav file.
• Copy the customized greeting to the correct folder on a UM server by using the CopyUMCustomPromptExchange Management Shell cmdlet or configure a custom greeting or
prompt by using the Exchange Management Console.
•
Configure the UM dial plan or auto attendant to use the customized greeting.
After you create the audio file for the custom prompt, announcement, or greeting you must use
the Copy-UMCustomPromptExchange Management Shell cmdlet to copy the audio file to the
UM prompt publishing point. The prompt publishing point is a property that is configured on a
UM dial plan and is a shared folder structure that is created on the first UM server that is
installed. The prompt publishing point distributes UM custom prompts to other UM servers in
the Exchange 2007 organization. The Copy-UMCustomPrompt cmdlet supports the use of
UM custom audio prompts by copying the specified audio file to the correct location for
distribution to other UM servers in the Exchange 2007 organization.
Unified Messaging servers access the UM server prompt publishing point and copy the
necessary .wav audio files to their local installation folder. After the file has been copied locally
to the UM server, the UM server can provide the audio for a given custom prompt. For more
information about custom prompt publishing, see Understanding Custom Prompt Distribution.
For More Information
• For more information about how to manage audio prompts in Unified Messaging, see
Managing Custom Audio Prompts.
212
Understanding Unified Messaging Audio
Codecs
Microsoft Exchange 2007 Unified Messaging (UM) can use one of three audio codecs for
creating voice messages: Windows Media Audio (WMA), Group System Mobile (GSM) 06.10,
and G.711 Pulse Code Modulation (PCM) Linear. Part of planning your Unified Messaging (UM)
system is selecting the correct audio codec based on the needs and requirements of your
organization. This topic discusses the three audio codecs that Unified Messaging can use and
will help you correctly plan your UM deployment.
Important:
On 64-bit Unified Messaging servers, you must install the Windows Media Encoder if
you plan to use the WMA UM dial plan codec. For more information about how to
install the Windows Media encoder, see Availability of the Windows Media Audio 9
Voice codec for x64-based computers or the Microsoft Download Center.
UM Audio Codecs
Unified Messaging dial plans are integral to the operation of Unified Messaging. By default,
when you create a UM dial plan, the UM dial plan uses the WMA audio codec. However, after
you create the UM dial plan, you can configure the UM dial plan to use GSM 06.10 or G.711
PCM Linear audio codecs.
Each audio codec has advantages and disadvantages. The WMA audio codec was selected as
the default audio codec because of its sound quality and compression properties. GSM 06.10
and G.711 PCM Linear audio codecs were selected as available options for their ability to
support other types of messaging systems.
When you plan for Unified Messaging, you must balance the size and the relative quality of the
audio file that will be created for voice mail messages. Generally, the higher the bit rate for an
audio file, the higher the quality. However, you must also consider whether the audio file is
compressed. The sample bit rate (bit/sec) and compression properties for each audio codec
that is used in Unified Messaging are as follows:
•
WMA – 16-bit – compressed file
•
G.711 – 16-bit – uncompressed file
•
GSM 06.10 – 8-bit – compressed file
The term "codec" is a combination of the words "coding" and "decoding" regarding digital data.
A codec is a computer program or software that transforms digital data into an audio file format
or streaming audio format. In Exchange 2007 Unified Messaging, the WMA, GSM 06.10, and
G.711 PCM Linear audio codecs are used to create .wma and .wav audio files for voice
messages. However, the file type that is created depends on the audio codec that is used to
213
create the voice message audio file. In Exchange 2007 Unified Messaging the .wma audio
codec creates .wma audio files and the GSM 06.10 and G.711 PCM Linear audio codecs
produce .wav audio files. Both kinds of audio files are sent together with the e-mail message to
the intended voice mail recipient.
Frequently, but not always, coding and decoding the digital data also involves compression or
decompression. Audio compression is a form of data compression that reduces the size of
audio data files. The type of audio compression algorithm that is used is based on the type of
audio codec that is selected in the UM dial plan properties. The audio compression algorithm
that is used by the audio codec compresses the .wma or .wav audio files. After the audio file is
created and, if it is needed, compressed, it is attached to the voice message.
Sometimes during compression and decompression, information from the digital data is lost.
This is a trade-off that you must consider. The higher the compression that is used to compress
the audio file, the bigger the loss of information during the conversion, but less disk space is
used because of the reduced size of the audio file. Conversely, the lower the compression, the
lower the loss of the information, but more disk space must be used because of the increased
size of each audio file.
UM Message Sizing
You can configure UM to use one of the three following audio codecs for creating voice
messages: WMA, GSM 06.10, and G.711 PCM Linear. The WMA audio codec is always stored
in the Windows Media format and the attachment is a file that has a .wma file name extension.
Audio files encoded by using the GSM or G.711 PCM Linear audio codecs are always stored in
RIFF/WAV format, and the attachment is a file that has a .wav file name extension.
The size of Unified Messaging voice messages depends on the size of the attachment that
holds the voice data. In turn, the size of the attachment depends on the following factors:
•
The duration of the voice mail recording
•
The audio codec that is used
•
The audio file storage format
Figure 28 illustrates how the size of the audio file depends on the duration of the voice mail
recording for the three audio codecs that you can use in UM.
Note:
In Figure 28, the average length of a call-answered voice message is approximately 30
seconds.
214
Figure 28 Audio file size
WMA
WMA is the most highly compressed audio codec of the three kinds of codecs. The
compression is approximately 11,000 bytes for each 10 seconds of audio. However, the .wma
file format has a much larger header section than the .wav file format. The .wma file header
section is approximately 7 kilobytes (KB), whereas the header section for the .wav file is less
than 100 bytes. Although WMA audio recordings are recorded for longer than 15 seconds, they
become smaller than GSM audio recordings. Therefore, for the smallest, yet highest quality
audio files, use the WMA audio codec.
G.711 PCM Linear
The G.711 PCM Linear audio codec creates .wav audio files that are not compressed.
Therefore, G.711 PCM Linear .wav audio files occupy the most space at any given duration
when they are compared to the GSM and WMA audio codecs. G.711 PCM Linear .wav audio
files occupy just over 160,000 bytes for each 10 seconds of audio. G.711 PCM Linear .wav
audio files have the highest audio quality of the three audio codecs that are used by Unified
Messaging. However, the quality of comparable audio files that are created by using the WMA
and GSM audio codecs are acceptable to most users who listen to voice messages.
215
GSM
The GSM audio codec creates .wav audio files that are compressed. GSM .wav audio files are
just over 16,000 bytes for each 10 seconds of audio. However, GSM creates an audio file that
is larger than the audio file that is created by the WMA audio codec. Therefore, when you are
balancing the quality of the voice message and the size, this may not be the best choice.
For More Information
For more information about UM dial plans, see Understanding Unified Messaging Dial Plans.
For more information about how to configure the audio codec on a UM dial plan, see How to
Modify a Unified Messaging Dial Plan.
Understanding Custom Prompt
Distribution
In Microsoft Exchange Server 2007 Unified Messaging (UM) you can create and configure UM
dial plans or auto attendants that are fully functional but that use only the default audio prompts
that are included in Exchange 2007. However, the audio files that are installed for greetings,
informational announcements, and menu prompts are generic and should be customized and
then distributed to all the Unified Messaging servers in your organization. This topic explains
how a custom prompt is copied to all computers that have the Unified Messaging server role
installed. This ensures that the custom audio prompts will be available to all callers who use
Outlook Voice Access and UM auto attendants.
Overview
Custom prompt publishing is the process by which custom audio files are made available to all
Outlook Voice Access users and callers who dial in to UM auto attendants. After you have
created a custom audio prompt, you must first copy the custom prompt to the Unified
Messaging server that you have designated as the prompt publishing point. The prompt
publishing point is a shared folder that is located on the first server to be associated with a
single UM dial plan. After the custom audio file is copied to the prompt publishing point, all the
Unified Messaging servers that are members of the same dial plan will copy the custom audio
prompt to a local folder. By copying the custom audio file to a local folder, the Unified
Messaging server or servers will be able to play the custom file for Outlook Voice Access users
or when callers dial in to a UM auto attendant.
The UM custom prompts that exist in the prompt publishing point will be copied locally by a
Unified Messaging server regardless of the number of Unified Messaging servers that belong to
the UM dial plan. Each UM dial plan represents a set of Unified Messaging servers and the set
216
of UM-enabled users for whom the Unified Messaging servers answer incoming calls. Small
dial plans that serve hundreds of users or fewer may have only one Unified Messaging server.
Large dial plans that have several thousand users or more or that provide redundancy to help
maintain UM service availability have two or more Unified Messaging servers.
Publishing custom prompts has the following benefits:
• Consistent user experience To the user, custom prompts appear to always work in
the same manner and at the same speed.
• Consistent server configuration You do not have to make sure that each Unified
Messaging server is updated correctly.
After you create a single copy of the custom audio file that you want to use as an audio prompt,
greeting, or information announcement, you must make sure that all the Unified Messaging
servers associated with the UM dial plan receive a copy of this custom audio file. You do this by
configuring the UM dial plan or UM auto attendant to use the custom prompt by using the
Exchange Management Console or by using the Copy-UMCustomPrompt cmdlet in the
Exchange Management Shell.
Architecture
When you install the Unified Messaging server role, the audio files for the system prompts are
copied to a folder on the Unified Messaging server. The system prompts that are copied to the
Unified Messaging server are used as the default prompts for UM dial plans and auto
attendants. Because the system prompts are generic, you might want to enable custom
greetings, announcements, and menu prompts in your Unified Messaging environment. You
must first create your custom audio prompts, enable the custom prompts on a UM dial plan or
auto attendant, and then make sure that your custom prompts are available on each Unified
Messaging server that belongs to a single UM dial plan.
You can use the Exchange Management Console or the Exchange Management Shell to copy
the required custom audio files. To make sure that the custom prompts are available to each
Unified Messaging server, you perform the following tasks by using the CopyUMCustomPrompt cmdlet or when you select the custom audio file in the
Exchange Management Console:
•
Locate the prompt publishing point in the Active Directory directory service.
•
Copy the custom prompt to the prompt publishing point.
• Update the configuration for Unified Messaging in the Active Directory directory
service.
After these tasks are performed, the Microsoft Exchange File Distribution service updates each
Unified Messaging server that is associated with the dial plan.
217
Caution:
We do not recommend that you use the Copy-Item cmdlet,
Microsoft Windows Explorer, or another program such xcopy.exe to copy the custom
prompt .wav files into a folder within the custom prompt publishing point folder.
Figure 29 illustrates the custom prompt publishing architecture and tasks that are performed by
the Copy-UMCustomPrompt cmdlet or when you configure the dial plan or auto attendant to
use a custom audio file by using the Exchange Management Console.
Figure 29 Custom prompt publishing architecture
The Copy-UMCustomPrompt cmdlet queries the appropriate dial plan object in
Active Directory to determine the location of the prompt publishing point. There is only one
prompt publishing point for each dial plan, and it is stored as a Windows file share (also known
as UNC) path that identifies a file share that is available for custom prompts. After the location
of the prompt publishing point is determined, the cmdlet validates the content in the custom
prompt, verifies that it is in the correct format, and that it uses a supported audio codec. If the
custom prompt passes the validation tests, the Exchange Management Shell command copies
the prompt content to the prompt publishing point.
The custom audio files in the prompt publishing point are automatically organized into a
directory structure that reflects the dial plans and auto attendants that are configured in your
Exchange 2007 organization.
218
Figure 30 illustrates the prompt publishing point directory structure. In Figure 2, a prompt
publishing point has various subdirectories that correspond to UM dial plans and. There are
auto attendants within each dial plan.
Figure 30 Prompt publishing point directory structure
Each UM dial plan and UM auto attendant that is created is given a unique ID. The directory
names are generated from the unique IDs that are given to the dial plan or auto attendant when
their configuration objects are created. You do not have to know the exact names or locations
of files under the prompt publishing point, because the Copy-UMCustomPrompt cmdlet uses
the unique ID that is associated with the dial plan or auto attendant to make sure that the
custom prompt is copied to the correct location in the directory structure.
After the custom prompt is copied to the prompt publishing point and any necessary directory
updates are made, the prompt is copied to each Unified Messaging server in the dial plan. After
the custom prompt is added to the appropriate folder on the Unified Messaging server that is
configured as the prompt publishing point, the Microsoft Exchange File Distribution service that
runs on each Unified Messaging server refers to the prompt publishing point and
determines whether the files in the prompt publishing point have changed or if additional files
have been added. If files have been changed or additional files exist, the other Unified
Messaging servers pull the custom prompts from the prompt publishing point and copy them to
the correct location in the \\<Server name>\ExchangeUM folder that exists on a local drive.
219
Note:
The Microsoft Exchange File Distribution service is installed together with the Unified
Messaging server role. It is also installed with the Client Access server role, because it
is also used to copy the offline address book for clients that are running
Microsoft Office Outlook Web Access.
All the Microsoft Exchange File Distribution service information is stored in Active Directory.
However, you should back up the source locations for replicated files, such as offline address
books and UM prompts. The offline address book source is the Mailbox server that generates
the offline address book, and the UM prompt location is on the first Unified Messaging server,
unless otherwise specified. As long as the source is backed up or restored, the Microsoft
Exchange File Distribution service replicates the content. If any of the replica servers go down,
Microsoft Exchange File Distribution service replicates content from the source as soon as they
are back online without any administrator intervention. You can run UpdateFileDistributionService to force replication if you do not want to wait for the automated
process to occur.
Important:
After you have configured a new custom prompt or updated one, it may take several
minutes for the Microsoft Exchange File Distribution service to make the custom
prompt available on all Unified Messaging servers in your
Exchange 2007 organization. If you want to make the custom prompt available
immediately on all the Unified Messaging servers in your organization, you must run
the Update-FileDistributionService cmdlet to ensure that the custom prompt is
copied to all Unified Messaging servers in your organization.
Changing the Prompt Publishing Point
The prompt publishing point for a UM dial plan is automatically set at the time that the first
Unified Messaging server joins the dial plan. It can be located on any server that can be
accessed by the Unified Messaging servers that are associated with a particular dial plan. The
prompt publishing point is a property that is set on a UM dial plan and is set to \\<server
name>\ExchangeUM, where <server name> is replaced by the NetBIOS name of the Unified
Messaging server.
For dial plans that have one Unified Messaging server, there is little reason to change the
location of the prompt publishing point. However, you may want to move the prompt publishing
point for the following reasons:
• In a dial plan that has multiple Unified Messaging servers, the prompt publishing point
represents a single point of failure.
• A Unified Messaging server generally does not act as a file server. A Unified Messaging
server may not be backed up as frequently as other servers and may not be configured to
have disk storage devices such as redundant array of independent disks (RAID) arrays. If a
220
file server that has a RAID array exists on the network, you may want to use it for the
master copy of the UM custom prompts.
Important:
You must move the prompt publishing point to another location before you can
uninstall the Unified Messaging server role.
For More Information
• For more information about Unified Messaging audio prompts, see Understanding
Unified Messaging Audio Prompts.
• For more information about how to manage Unified Messaging custom audio prompts,
see Managing Custom Audio Prompts.
Understanding Unified Messaging
Languages
You can install and configure language packs to support multiple languages in
Microsoft Exchange Server 2007 Unified Messaging (UM) environments.
Exchange 2007 UM language packs enable callers and Outlook Voice Access users to interact
with the Unified Messaging system in multiple languages. After you install an additional
language on a Unified Messaging server, callers and Outlook Voice Access users can hear email messages and interact with the Unified Messaging system in this language.
Each UM language pack includes a Text-to-Speech (TTS) engine and the prerecorded prompts
for a given language. UM language packs are offered in 16 different languages, and all 16
language packs are included on the Exchange 2007 DVD. However, not all the UM language
packs contain support for Automatic Speech Recognition (ASR).
There are several key components that rely on UM language packs to enable users and callers
to interact effectively with Exchange 2007 Unified Messaging in multiple languages. This topic
discusses UM language packs, the UM components that use the UM language packs, and how
the UM language packs, after they are installed, can be used to configure UM dial plans and
UM auto attendants to use other languages.
UM Language Packs
The UM language packs that are included with Exchange 2007 contain prerecorded prompts,
Text-to-Speech (TTS) conversion support for a given language, and in some cases, support for
Automatic Speech Recognition (ASR). In multilanguage environments, you may have to install
additional UM language packs because some callers prefer to be prompted in a given
221
language, or because they receive e-mail in more than one language. You must install multiple
UM language packs to support the ability for the Unified Messaging server to read an e-mail
that contains more than one language, because the TTS conversion system must be instructed
which language to select based on the text of the message that will be read. If the Unified
Messaging language pack has not been installed, the e-mail message will be illogical and
incoherent when it is read back to the user. Installing the appropriate language pack enables
the TTS engine to read e-mail and calendar items to the Outlook Voice Access user by using
the correct language and also provides the language-specific prerecorded prompts for Unified
Messaging. In some cases, they may also provide support for ASR.
Note:
The TTS engine converts text to speech but does not convert from speech to text. A
UM-enabled user can send an e-mail message that has a voice file attached to another
user. However, they cannot create and send a text-based e-mail message to another
user.
When you install a language pack, the installation program does the following:
1. Copies the language prompts that will be used to configure UM dial plans and auto
attendants.
2. Allows the TTS engine to read messages when an Outlook Voice Access user
accesses their Inbox.
3. Enables ASR for speech-enabled UM dial plans and auto attendants for the language
that is installed.
Caution:
You cannot use the .msi file for UM language packs to install Unified Messaging
language packs. You must use Setup.com to install additional language packs.
You must add and remove UM language packs by using the Setup.com command. There is no
graphical user interface or Exchange Management Shell cmdlet that you can use to add or
remove languages from a Unified Messaging server. For more information about how to install
a UM language pack, see How to Add a Unified Messaging Language to a Unified Messaging
Server. For more information about how to remove a UM language pack, see How to Remove
a Unified Messaging Language from a Unified Messaging Server.
Note:
By default, when you install either the U.S.-English version of Exchange 2007 or a
localized version of Exchange 2007, the U.S.-English language will be installed and
cannot be removed unless you remove the Unified Messaging server role from the
computer.
Table 25 lists the Unified Messaging language packs. It also lists the file name for each UM
language pack and the value for the UM language when you are using the setup.com
/addUMlanguagepack or setup.com /removeUMlanguagepack commands.
222
Table 25 UM language packs and file names
UM language pack
File name
Value
US English
umlang-en-US.msi
en-US
German
umlang-de-DE.msi
de-DE
French
umlang-fr-FR.msi
fr-FR
Japanese
umlang-ja-JP.msi
ja-JP
UK English
umlang-en-GB.msi
en-GB
Korean
umlang-ko-KR.msi
ko-KR
Spanish (Iberian)
umlang-es-ES.msi
es-ES
Mandarin (China)
umlang-zh-CN.msi
zh-CN
Mandarin (Taiwan)
umlang-zh-TW.msi
zh-TW
Dutch
umlang-nl-NL.msi
nl-NL
Italian
umlang-it-IT.msi
it-IT
Portuguese (Brazil)
umlang-pt-BR.msi
pt-BR
Swedish
umlang-sv-SE.msi
sv-SE
Australian English
umlang-en-AU.msi
en-AU
Canadian French
umlang-fr-CA.msi
fr-CA
Latin American Spanish
umlang-es-US.msi
es-US
Note:
All the UM language packs that are available are located on the Exchange Server 2007
DVD. However, if you have downloaded Exchange 2007 from the Web and you need
additional UM language packs, you must download them from the Unified Messaging
Language Packs for Exchange Server 2007 page on the Exchange Server TechCenter.
UM Language Components and Features
There are several key components and features in Exchange 2007 Unified Messaging that
enable users and callers to interact with a multilanguage Unified Messaging system. For these
components and features to work correctly and enable callers to interact with the system in
multiple languages, the UM language packs must be installed correctly on a Unified Messaging
server.
223
Prerecorded Prompts
The Exchange 2007 Unified Messaging server role is installed with a set of default audio
prompts, and these audio file are the recordings that are used for menu prompts for Outlook
Voice Access, voice mail greetings, and numbers that are used by Exchange Unified
Messaging. These audio files are played by a Unified Messaging server to incoming internal
and external callers. Many of the audio files are default prompts that provide the users of the
telephony user interface (TUI) and Outlook Voice Access the information that they need to
move through the TUI and the voice user interface (VUI). The prompts are located in <Program
Files>\Microsoft\Exchange Server\. The prompts that are used by the Unified Messaging server
to help callers move through the menus should not be replaced or changed. However, when an
additional UM language pack is installed, the prerecorded prompts for that language will also
be installed. After a UM language pack has been installed, the prerecorded prompts for that
language can be used by UM dial plans and auto attendants.
TTS Languages
Unified Messaging relies on the Text-to-Speech (TTS) engine. TTS functionality is provided by
the Microsoft Speech Server service. The TTS engine reads and converts written text into
audible output that can be heard by a caller. The TTS engine reads and converts the following
items in a user's mailbox:
•
E-mail and voice mail message bodies, subjects, and names
•
Calendar item bodies, subjects, locations, and names
•
Personal contact names
•
The user's default voice mail greetings
Note:
After a user has recorded personalized voice mail greetings, the TTS version of their
voice mail greetings is no longer used.
Automatic Speech Recognition
In addition to TTS, Automatic Speech Recognition (ASR) support is included in Exchange 2007
Unified Messaging. ASR functionality is provided by the Microsoft Speech Server
service. ASR enables callers to use voice commands to interact with the Unified Messaging
system. By using ASR, callers can move through menus and interact with items from their
individual mailboxes, including messages, personal contacts, and calendar.
Currently, Exchange 2007 Unified Messaging includes ASR support for only the English version
of Exchange 2007. Other UM language packs do not contain support for ASR. However, if you
install a localized version of Exchange 2007, for example Japanese, ASR support is not
224
included for Japanese. However, because English is always installed together with localized
versions of Exchange 2007, ASR for English will work.
There are plans to include ASR support in UM language packs for other languages after
Exchange 2007 has released. After new language packs have been released and after you
have installed the appropriate language pack that includes ASR support for a language other
than English, users will be able to use this language to interact with the Unified Messaging
system by using speech input.
Unified Messaging Languages
To enable callers to use the multilanguage features found in Exchange 2007 Unified
Messaging, you must first install a UM language pack. Then you have the option of
configuring other UM components.
•
Install the UM language pack on the Unified Messaging server.
• If you have to, configure the default language for a UM dial plan. This lets Outlook
Voice Access users who are associated with the UM dial plan use the new language when
they access their mailbox. However, the user can still configure their language setting in
the options that are available in Outlook Web Access.
• If you have to, configure the language setting on a UM auto attendant. By default, a
UM auto attendant uses the UM dial plan language. However, you can change this setting
and enable unauthenticated callers to connect to your organization and move through the
auto attendant menus in the specified language.
Unified Messaging Server Languages
You install a UM language pack on the Unified Messaging server by using Setup.com. After you
have installed the new language pack on the Unified Messaging server, the language
associated with the language pack will be added to the list of available languages that you can
use. You can view the languages that have been installed by using the UM Settings tab on the
Unified Messaging server properties in the Exchange Management Console or by using the
Get-UMServer cmdlet in the Exchange Management Shell.
Installing the UM language pack copies the files that are used by the TTS engine and the
prerecorded prompts for the chosen language and makes them available when a user connects
to the Unified Messaging system.
UM Dial Plan Languages
Each UM dial plan that is created contains a default language setting. The UM dial plan
language setting is needed because Unified Messaging may have to use Text-to-Speech
conversion or play a standard audio prompt for Outlook Voice Access users when they access
their Exchange 2007 mailbox. You do not have to select a default dial plan
225
language. However, each dial plan that is created is configured to have a default language that
is based on the language version of Exchange 2007 that is installed. If you install the U.S.English version, U.S. English will be the default language for all dial plans that are created. If
you installed a localized version of Exchange, for example Japanese, Japanese will be
configured as the default language when dial plans are created.
After you have created a new dial plan, you can configure the default language setting on each
dial plan. If you install the U.S.-English version of Exchange 2007, U.S. English will be the only
available option. You can add other UM languages to the U.S.-English version by installing
other UM language packs. After you install a UM language pack on a Unified Messaging server,
the language associated with the language pack will also be listed as an available option when
you configure the default language for the dial plan. However, U.S. English is the default
language that will be used when dial plans are created.
For example, you first install the U.S.-English version of Exchange 2007 and then install the
Japanese UM language pack by using the Setup.com /AddUmLanguagePack command.
Then you install another UM language pack on a Unified Messaging server, for example
French. After you have successfully installed the UM language packs, U.S. English, Japanese,
and French, will be available options. However, by default, U.S. English is the language that will
be chosen for each dial plan that is created.
When you install a localized version of Exchange 2007, for example, Japanese, the default
language for the dial plan will be Japanese. However, after you have created a new dial plan,
you will be able to configure the dial plan to use either Japanese or U.S. English as the default
language. When localized versions of Exchange 2007 are installed, U.S. English is also
installed. For example, you first install the localized Japanese version of Exchange 2007 and
then install the French UM language. After you have successfully installed the UM language
pack on the localized version of Exchange 2007, Japanese, U.S. English, and French, will be
available but, by default, Japanese will be the language that is chosen for each dial plan that is
created.
The default language is important to callers. When an Outlook Voice Access user calls in to the
Unified Messaging system, the language setting that is chosen is based on the language
setting that is configured in Outlook Web Access that was set when the user first logged on to
their mailbox by using Outlook Web Access. Unified Messaging then compares the language
that is set in Outlook Web Access to the list of available languages on the dial plan with which
the user is associated. If there is no suitable match for the language, the default UM dial plan
language will be used. Sometimes, you may have to set this language as the default language.
For example, if you have a dial plan that contains only users from France, you may want to
change the default language setting on the dial plan to French. For more information about how
to change the default language for a UM dial plan, see How to Configure a Unified Messaging
Dial Plan with a Default Language.
226
UM Auto Attendant Languages
By default, because UM auto attendants are associated with a UM dial plan when they are
created, they use the default language setting of the associated UM dial plan. However, this
setting can be changed after the UM auto attendant is created.
The UM auto attendant language setting is needed because Unified Messaging may have to
use Text-to-Speech conversion or play a standard audio prompt to a caller. Unified Messaging
does not check that the language of custom prompts for the auto attendant matches the
language setting on the auto attendant. However, as a best practice, make sure that the
language setting of the auto attendant matches the language of the custom prompts.
Otherwise, the caller may hear the system shift from one language to another.
Being able to change the UM auto attendant language setting is also useful if you need several
different language-specific auto attendants for callers. For more information about how to
configure language settings on a UM auto attendant, see How to Configure the Language
Setting on a Unified Messaging Auto Attendant.
For More Information
For more information about the language support that is available in Exchange 2007, see
Exchange 2007 Language Support.
Understanding Automatic Speech
Recognition Directory Lookups
Microsoft Exchange Server 2007 Unified Messaging offers a voice user interface (VUI) that
uses Automatic Speech Recognition (ASR). This is the telephone interface that callers use to
navigate the menu systems and access their mailbox by using speech inputs. ASR enables
callers to use speech inputs instead of dual tone multi-frequency (DTMF), also known as
touchtone, inputs to navigate the UM auto attendant menus or when a UM-enabled user
accesses their mailbox. This topic discusses how ASR is used in Exchange Server 2007
Unified Messaging and how grammar files are used with ASR.
Note:
ASR for directory lookups and searches is currently available only in English for
Outlook Voice Access users and for calls to UM auto attendants. However, support for
ASR in other languages is planned for a future release.
227
Overview of Grammar Files
A speech grammar file contains words and phrases that the speech engine will try to recognize
when the grammar file is being used. Grammar files define things such as the commands that
are available to a user while they are reviewing their mail or their calendar or the names of
people who are recognized by the speech engine when a caller searches the directory. Speech
grammar files are first generated as files that have a .grxml extension. They are then processed
into a compiled form that has a .cfg extension before they are loaded into the speech engine.
However, the .cfg file is loaded into the memory of the Microsoft Exchange Speech Engine
service. Therefore, there is no .cfg file that is created and saved to a disk. Figure 31 illustrates
how the grammar files are used by callers.
Figure 31 Grammar file overview
Note:
If you want to locate the .grxml file that corresponds to a .cfg file, look in the event log
for events that have the IDs 1040 or 1041. The event will show which .grxml file was
used to produce a particular .cfg file.
Default Grammar Files
When the Unified Messaging server role is installed, many files are copied to the server. These
files include the default grammar files that are used by ASR to enable the voice user interface
(VUI). By default, these grammar files are installed in the
\UnifiedMessaging\grammars\<language> folder. However, when these grammar files are used
by the Unified Messaging server, they are loaded and compiled into a .cfg file by the
Microsoft Exchange Speech Engine service.
The default grammar files include the following files:
228
•
Calendar.grxml
•
Common.grxml
•
Contacts.grxml
•
Email.grxml
•
Mainmenu.grxml
Custom Grammar Files
Several custom grammar files are created when the Unified Messaging server role is installed
and then again when you create Unified Messaging objects in the Active Directory directory
service and the Microsoft Exchange Unified Messaging service runs grammar generation at its
scheduled time, one time each day. These grammar files contain the names of users and other
objects, for example distribution lists, that are in the Active Directory. For each name there is
additional data, for example an e-mail alias. This data enables the name to be associated with
a unique object.
The following grammar files are created when the Microsoft Exchange Unified Messaging
service runs grammar generation at the scheduled time:
•
Gal.grxml
•
<DialPlanGUID>.grxml
•
<AddressListGUID>.grxml
•
DistributionList.grxml
Note:
When a custom address list is updated, a UM-enabled user may not be
immediately available for callers. You must run the update-addresslist cmdlet to
update the custom address list, and then either wait until the next scheduled
grammar generation to occur or manually run the galgrammargenerator.exe
command to include the UM-enabled user's name in a grammar file.
When the Unified Messaging server is creating a speech grammar file, it will examine many
directory objects to determine which names should be added to the speech grammar file. The
types of objects that it will process are based on the scope of the grammar that is being
created. However, for all these objects, Unified Messaging will not add the object to the
grammar if the object is hidden from the Exchange 2007 address lists or the
msExchHideFromAddressLists attribute is set to true for the object.
• For the global address list (GAL) grammar file, Unified Messaging will consider the
following:
•
Mail-enabled users
•
Mail-enabled contacts
229
•
For dial plan grammar files, Unified Messaging will consider the following:
•
•
UM-enabled users in the specified dial plan
For the distribution list grammar file, Unified Messaging will consider the following:
•
Distribution lists that are visible in address lists
A default GAL is created when the Mailbox server role is installed on a computer that is running
Exchange 2007. When the Unified Messaging server role is installed, it creates a grammar file
for the GAL that is based on the speech grammar filters that are configured. If you create
custom address lists or distribution lists in your Exchange 2007 organization, additional
grammar files will be created for each custom address list or distribution list that you create.
Note:
For a grammar file to be generated for a distribution list, the distribution list must not be
hidden.
When you first create a UM dial plan, no grammar files are created. However, when a Unified
Messaging server joins a dial plan for the first time, a single grammar file for the UM dial plan is
created in the appropriate language folder. The UM dial plan speech grammar file is then
filtered to include only UM-enabled users who are associated with the dial plan. The grammar
files for these objects are named by using the GUIDs of the objects that they represent after
they are compiled, for example, 2da514a1-06f4-44a1-9ce5-610854f7d2ee.grxml or the
corresponding .cfg file.
When the grammar files for UM dial plans, the GAL, address lists, and distribution lists are
created, they are created in a language-specific folder on the local Unified Messaging server.
The language folder that is used is selected based on the default language that is configured
on the UM dial plan. For example, if the default language on the dial plan is set to US-English
(en-US), a grammar file will be created in the \UnifiedMessaging\grammars\en folder. After the
grammar file has been created, it will be updated according to the schedule that is configured
on the Unified Messaging server.
For more information, see the following topics:
•
How to Add a Unified Messaging Server to a Dial Plan
•
How to Create a New Unified Messaging Dial Plan
•
How to Create a New Unified Messaging Auto Attendant
Grammar Generation
Frequently, the default grammar generation schedule will fit your needs. However, there will be
times when you must manually generate grammar files or update existing grammar files before
the scheduled grammar generation task runs. There may also be times when you will want to
change the default grammar generation schedule.
230
Grammar generation occurs in the following situations:
• When the Unified Messaging server is added to a UM dial plan, and daily after that at a
scheduled interval.
• When you run the galgrammargenerator.exe command to manually update or create
grammar files.
The grammar file that is created is then updated when the scheduled grammar generation task
runs. To display the default grammar generation schedule for a Unified Messaging server, use
the following Exchange Management Shell cmdlet:
(Get-UMServer $env:COMPUTERNAME).GrammarGenerationSchedule
For more information about the Get-UMServer cmdlet, see Get-UMServer.
By default, grammar generation occurs daily at the time that is specified by the
GrammarGenerationSchedule parameter of the Unified Messaging server. By default, the
schedule is defined so that grammar generation will start at 2:00 A.M. each day. However, the
grammar generation schedule can be changed and is controlled by using the Set-UMserver
cmdlet in the Exchange Management Shell. There is no graphical user interface that you can
use to control the grammar generator schedule. This schedule can be controlled only by using
the Set-UMserver cmdlet in the Exchange Management Shell. For more information about how
to change the phonetic display name by using the Set-UMServer cmdlet, see Set-UMServer.
By default, the grammar generation schedule is set to start one time per day at 2:00 A.M. local
time on the Unified Messaging server. After it starts, grammar generation will run until it is
completed, whether this is before the scheduled end time for the active period or not; grammar
generation will not run if there is another grammar generation that is running. Although you can
configure additional scheduled times, grammar generation will not run within one hour of a
previously scheduled grammar generation period. Because grammar generation uses a
significant amount of system resources, we recommend that you configure all grammar
generation schedules so that grammar generation will occur during off-peak hours. However,
you can stagger the grammar generation schedules on multiple Unified Messaging servers, for
example, Umserver1 starts at 2:00 A.M., Umserver2 starts at 2:30 A.M., and Umserver3 starts
at 3:00 A.M. This will help minimize the effect of grammar generation on the
Active Directory domain controllers.
Note:
A log file that is named UMSpeechGrammar.log will be created in the %ExchangeRoot
%\UnifiedMessaging\temp folder. This log file contains information about all grammar
files that are created or updated on a Unified Messaging server. This file will be
overwritten every time that scheduled grammar generation runs.
In the following circumstances, you can wait for the next scheduled grammar generation for the
changes to be reflected, or you can force an update by using the galgrammargenerator.exe
command.
231
• When you complete a new installation of the Unified Messaging server role and enable
users for Unified Messaging
• When a UM dial plan, UM auto attendant, custom address list, or custom distribution
list is created
•
When you create UM-enabled users
•
If you change a UM dial plan or UM auto attendant
Note:
When an Outlook Voice Access user tries to locate a UM-enabled user by using the
directory search feature with Automatic Speech Recognition (ASR) immediately after
you have completed a new installation of the Unified Messaging server role and
enabled users for UM, the caller will hear a system prompt that says, "I am sorry I
could not help." Then they will be disconnected. This occurs because a grammar file
for the global address list (GAL) has not been generated. Use the
galgrammargenerator.exe command to create the required grammar file for the GAL.
For example, when you first enable users for UM, those users will not be available to callers
who use ASR to perform a directory search until the scheduled grammar generation task runs.
To make sure that those new users who were recently UM-enabled are visible to callers, run
the galgrammargenerator.exe program to force the .grxml files to be created or updated and to
compile the appropriate .cfg files so that callers can use ASR to move through the menu
systems or locate users by using ASR.
Galgrammargenerator.exe is also useful when a Unified Messaging server has joined a dial
plan and one or more speech-enabled auto attendants are associated with the dial plan. By
default, callers who call into a speech-enabled auto attendant can only reach UM-enabled
users who are associated with the dial plan. Before callers can be transferred to UM-enabled
users by using voice inputs, a grammar file must be generated. The grammar file is not
generated automatically when the server joins a dial plan. Instead, it is generated the next time
grammar generation is scheduled. Grammar generation occurs according to the default
schedule, at 2:00 AM local time each day, unless the schedule has been changed.
If you want UM-enabled users to be available from a directory search from the speech-enabled
auto attendant immediately after you create the auto attendant, you must generate the required
grammar file for the auto attendant by using galgrammargenerator.exe with the –d option.
A grammar file is not required with auto attendants that are not speech-enabled. This is
because a DTMF map is added to the Active Directory for each user when they are enabled for
UM. DTMF maps enable callers to enter the digits that correspond to the letters of the user's
name or e-mail alias on a telephone keypad.
However, a DTMF map will not automatically be created for users who are not UM-enabled. By
using galgrammargenerator.exe with the -u option, you can generate a DTMF map for all users
who are mail-enabled but not UM-enabled. This lets users who are mail-enabled but not UMenabled be reached from the auto attendant when their name or e-mail alias is entered by a
232
caller by using DTMF inputs. For more information about the DTMF interface, see
Understanding the DTMF Interface.
Table 26 lists the switches and descriptions for the switches for the galgrammargenerator.exe
program.
Table 26 Galgrammargenerator.exe and the switches
Switch
Description
-d <dialplan>
Creates a grammar file that contains the
names of UM-enabled users only in the
specified UM dial plan.
-g
Generates the grammar file.
-l
Generates a grammar file for a distribution list.
-o
Generates a log file. The path can be an
absolute path, for example, C:\Logfiles. By
default, the Unified Messaging server will also
automatically create a log file in the
\UnifiedMessaging\Temp folder.
-p
Preload all generated grammars into the
Microsoft Speech Server platform.
-s <UMserver>
Creates a grammar file for each UM dial plan
to which the specified Unified Messaging
server belongs.
233
Switch
Description
-u
Creates or updates DTMF maps for users who
are enabled for UM and who are not enabled
for UM.
Note:
If a mailbox-enabled user or a mailenabled contact has a character in
their e-mail alias that is not valid and
you run the
galgrammargenerator.exe /u
command to create a DTMF map for
users, the command will not complete
successfully and Unified Messaging
will report an error. To ensure that all
mailbox users and mail-enabled
contacts have no characters in their email addresses that are not valid, use
the Get-User cmdlet to view all users.
The Get-User cmdlet will perform a
validation check for the user attributes.
If any field has a character that is not
valid, an error will be generated that
identifies the recipient and the field
that contains the character.
-x
Defines the speech filter list that is used in
XML format.
Note:
The default speech grammar filter list (SpeechGrammarFilterList.xml) is installed in the
%ExchangeRoot%\bin folder on each server that has the Unified Messaging server
role installed. The contents of the speech filter list file must be the same on each
Unified Messaging server. The speech grammar filter list contains several rules that
specify input patterns against which display names are matched and output patterns
that define transformations of the matched name. If the name matches a pattern it will
be replaced in the speech grammar by the name or names that are generated from the
associated output pattern or patterns. If the name does not match a pattern, it is
passed through unchanged to the speech grammar. Names will be rejected from
insertion in the speech grammar if they to have two or more distinct ways of being said.
We recommend that you do not manually modify the SpeechGrammarFilterList.xml file.
234
Customizing Grammar Files
Currently, ASR is available only in English and includes the prerecorded prompts and text-tospeech support for English. Although ASR support is included in the English language pack,
there will be times when it is difficult for speech recognition to locate the correct UM-enabled
user because the user has a name that is difficult to pronounce, the caller's speech is matched
against the wrong name, or the caller speaks a form of the user's name that differs from the
name that exists in the speech grammar. However, adding an additional UM language pack will
not resolve this problem.
Unified Messaging uses two Active Directory attributes to generate names to use with
ASR grammar files: Display name (displayName) and Phonetic display name (msDSPhoneticName). By default, Unified Messaging uses the displayName attribute to recognize
the name of a user when a caller speaks their name. This works well if the user's name is easy
to pronounce. However, in some cases, users have names that are difficult to pronounce. To
help Unified Messaging find users whose names are difficult to pronounce, we recommend that
you configure the Unified Messaging system by supplying a phonetic display name for users
who have names that ASR has trouble recognizing. However, to supply a phonetic display
name, you must predict how the speech engine would perceive a certain spelling of a name to
provide an accurate pronunciation for the phonetic name.
Note:
By default, the Unified Messaging server will try to insert both the phonetic display
name, if one exists, and the display name into the speech grammar file.
For example, the display name "Kweku Ako-Adjei" could be given a phonetic display name of
"Quaykoo Akoo Oddjay", and UM would insert that into the speech grammar file. The drawback
to creating phonetic names for users is that it is difficult to do on a large scale. It would be very
time-consuming to create and test phonetic display names for every user whose name is not
correctly recognized by ASR, especially in large enterprise environments.
To add or change the phonetic display name for a UM-enabled user, you must use ADSI Edit
(AdsiEdit.msc) or the Set-UserExchange Management Shell cmdlet. You cannot use
Active Directory Users and Computers or the Exchange Management Console to change a
user's phonetic display name. For more information about how to change a phonetic display
name by using the Set-User cmdlet, see Set-User.
The PhoneticDisplayName parameter specifies a phonetic pronunciation for the display name.
The display name is specified by using the DisplayName parameter. If the display name is not
easy for the Unified Messaging server to pronounce or recognize, you can use the
PhoneticDisplayName parameter to specify a phonetic version. If you specify a value, it is used
by ASR to recognize the user's name and by the Text to Speech (TTS) engine to pronounce the
user's name. If you do not specify a value, the Unified Messaging server uses the DisplayName
parameter. The maximum length of this parameter value is 255 characters.
For more information about ADSI Edit, see Adsiedit Overview.
235
For More Information
For more information about how to update the speech grammar files that are used with ASR,
see How to Update the Speech Grammar Files.
For more information about Unified Messaging dial plans, see Understanding Unified
Messaging Dial Plans.
For more information about Unified Messaging auto attendants, see Understanding Unified
Messaging Auto Attendants.
Understanding the DTMF Interface
In Microsoft Exchange Server 2007 Unified Messaging (UM), callers can use dual tone multifrequency (DTMF), also referred to as touch-tone, and voice inputs to interact with the system.
The method callers can use depends on how the UM dial plans and auto attendants are
configured.
The DTMF interface enables callers to use the telephone keypad to locate users and navigate
the UM menu system when they call a subscriber access number that is configured on a dial
plan or when they call a telephone number that is configured on an auto attendant. This topic
discusses the DTMF interface and how it is used by callers to locate users and to navigate the
Exchange 2007 Unified Messaging menu system.
For more information about how voice inputs are used in Unified Messaging, see
Understanding Automatic Speech Recognition Directory Lookups.
DTMF Overview
DTMF requires a caller to press a key on the telephone keypad that corresponds to a Unified
Messaging menu option or to input a user's name by using the letters on the keys to spell the
user's name or e-mail alias. Callers might use DTMF because Automatic Speech Recognition
(ASR) has not been enabled or because they tried to use voice commands and failed. In either
case, DTMF inputs are used to navigate menus and search for users.
By default, in Exchange 2007 Unified Messaging, DTMF inputs are used on dial plans and are
the default caller interface for UM auto attendants.
Note:
Only auto attendants that are configured to use English can be speech-enabled.
DTMF inputs may be used by callers for:
•
Dial plan subscriber access by using Outlook Voice Access.
•
Dial plan directory lookups and searches to locate users.
236
•
Auto attendants that are not speech-enabled.
• Auto attendants that are speech-enabled that do or do not have a DTMF fallback auto
attendant configured.
•
DTMF fallback auto attendants (not speech-enabled).
UM Dial Plans and Dial by Name
When you create a UM dial plan, you can configure the primary and secondary input method
that callers will use to look up names when they search for a user or want to contact a user.
These settings are located on the dial plan's Settings tab and are called Dial by name
primary method and Dial by name secondary method. The following options are available
for the Dial by name primary method and the Dial by name secondary method:
•
Last First
•
First Last
•
SMTP Address
Additionally, None is an available option on the Dial by name secondary method.
By default, Last First is selected for the Dial by name primary method and SMTP Address is
selected as the Dial by name secondary method. Therefore, when a caller dials in to the
subscriber access number that is configured on the UM dial plan, the dial plan's welcome
message will be played and the operator will say something like, "Welcome to Contoso Outlook
Voice Access. To access your mailbox, enter your extension. To contact someone, press the #
key." After the caller has pressed the # key, the system will respond with "Spell the name of the
person you are calling, last name first, or to spell their e-mail alias, press the # key twice." In
this scenario, depending on how your dial plan is configured, the system then prompts the
caller to enter the user's last name first and then the user's first name (Last First) or to spell
their e-mail alias, excluding the domain name.
For example, if the user's e-mail alias is tsmith@contoso.com, the caller would enter tsmith. If
you want to change this configuration because the default setting does not meet your needs,
you can change it to enable callers to enter the users e-mail alias first or the user's first name
followed by their last name. In this case, you would configure the Dial by name primary
method with the SMTP Address setting and configure the Dial by name secondary method
with the First Last setting. The settings for the dial by name methods will also apply to any UM
auto attendants that are associated with the dial plan. For callers to be able to enter the name
of the user by using DTMF inputs or the keys on the telephone keypad, a DTMF map and
values for the user must exist within the Active Directory directory service.
For more information about how to change the dial by name primary and secondary methods
on a Unified Messaging dial plan, see How to Change the Dial By Name Primary Method on a
Unified Messaging Dial Plan and How to Change the Dial By Name Secondary Method on a
Unified Messaging Dial Plan.
237
DTMF Maps
In an Exchange 2007 organization, an attribute named msExchUMDtmfMap is associated with
each user that is created in Active Directory. This attribute is used by Unified Messaging to map
the user's first name, last name, and e-mail alias to a set of numbers. This mapping is referred
to as a DTMF map. A DTMF map enables a caller to enter the digits on the telephone keypad
that correspond to the letters of the user's name or e-mail alias. This attribute contains the
values that are needed to create a DTMF map for the user's first name followed by their last
name, for the user's last name followed by their first name, and for the user's e-mail alias.
Table 27 shows the DTMF map values that would be stored in Active Directory on the
msExchUMDtmfMap attribute for a UM-enabled user named Tony Smith with an alias of
tsmith@contoso.com.
Table 27 DTMF values that are stored in Active Directory for a UM-enabled user named
Tony Smith
Active Directory entry
User's name
•
firstNameLastName:866976484
tonysmith
•
lastNameFirstName:764848669
smithtony
•
emailAddress:876484
tsmith
• Names and e-mail aliases may contain other non-alphabetic characters such as
commas, hyphens, underscores, or periods. Characters such as these will not be used in a
DTMF map for a user. For example, if the e-mail alias for Tony Smith is tonysmith@contoso.com, the DTMF map value would be 866976484 and the hyphen would not
be included. However, if a user's e-mail alias contains a number or numbers, for example,
tonysmith123@contoso.com, the numbers would be used in the DTMF map that is created.
The DTMF map for tonysmith123 would be 866976484123.
A DTMF map must exist for a user for callers to be able to enter the user's name or e-mail
alias. However, in some cases, not all users will have a DTMF map associated with their user
account.
DTMF Maps for Users Who Are Not Enabled for
UM
Users, including mailbox-enabled users, are not enabled for Unified Messaging by default.
Therefore, the msExchUMDtmfMap attribute is not populated with the values that are needed
for a DTMF map for those users. Figure 32 illustrates the properties of a user for which the
msExchUMDtmfMap attribute has not been populated.
238
Figure 32 msExchUMDtmfMap attribute without values
Because the users shown in the previous diagram do not have DTMF map values defined for
their user accounts, callers will be unable to contact them when they press a telephone key
from a UM auto attendant menu or perform a directory search. Also, UM-enabled users will be
unable to send messages or transfer calls to users who do not have a DTMF map unless they
can use ASR. To enable callers to transfer calls or contact non UM-enabled users by using the
telephone keypad, you must create the necessary values for the DTMF map for users. To
create the values for a DTMF map for users who are not enabled for Unified Messaging, you
can run the galgrammargenerator.exe -u command. This command updates the DTMF maps
for all users within your Microsoft Exchange. The galgrammargenerator.exe command
updates or creates DTMF maps for all non UM-enabled users. You can use the Set-User
cmdlet with the -CreateDtmfMap parameter to create and update a single user's DTMF map or
update a DTMF map for a user if the name of the user was changed after a DTMF map was
already created. Optionally, you can create an Exchange Management Shell script by using this
cmdlet to update the DTMF map values for multiple users.
For more information about the Set-UserExchange Management Shell cmdlet, see Set-User.
For more information about galgrammargenerator.exe, see Understanding Automatic Speech
Recognition Directory Lookups.
239
DTMF Maps for Users Who Are Enabled for UM
A DTMF map is created for each UM-enabled user so that callers can contact them. By default,
a DTMF map is created for users when they are enabled for Unified Messaging. This makes it
possible for calls to be transferred to a UM-enabled user from external callers, non users who
are not enabled for UM, and other UM-enabled users who use the telephone keypad to spell
the user's name or e-mail alias. Figure 33 illustrates the properties on a user account where the
msExchUMDtmfMap attribute has been populated with DTMF map values.
Figure 33 msExchUMDtmfMap attribute with values
After the DTMF map values have been created for a UM-enabled user, callers can use the
directory search feature. Callers use directory search when they use the telephone keypad to in
the following situations:
•
To identify or search for a user when they call in to the subscriber access number
• To locate or transfer calls to a UM-enabled user when they call in to a UM auto
attendant.
For more information about how to enable a user for Unified Messaging, see How to Enable a
User for Unified Messaging.
Sometimes a user's first name, last name, or e-mail alias changes after they have been
enabled for Unified Messaging. The user's DTMF map values will not be updated automatically
240
in Active Directory. If a caller enters the user's new last name or e-mail alias and the user's
DTMF map has not been updated to reflect the change to the name or e-mail alias, the caller
will be unable to locate the user in the directory, send a message to the user, or transfer calls to
the user. If you have to update a user's DTMF map after they have been enabled for Unified
Messaging, you can use the Set-User cmdlet with the -CreateDtmfMap parameter. You can
also create an Exchange Management Shell script by using this cmdlet if you want to update
the DTMF maps for multiple UM-enabled users.
Note:
You can also use the galgrammargenerator.exe -u command to update the DTMF
map for UM-enabled users. However, if you use the galgrammargenerator.exe -u
command, it will update or create DTMF maps for all users.
Caution:
We do not recommended that you manually change the DTMF values for users by
using a tool such as ADSI Edit because it might result in inconsistent configurations or
other errors. We recommend that you only use galgrammargenerator.exe or the SetUser cmdlet to create or update DTMF maps for users.
For More Information
• For more information about Unified Messaging dial plans, see Understanding Unified
Messaging Dial Plans.
• For more information about how to manage Unified Messaging dial plans, see
Managing Unified Messaging Dial Plans.
•
For more information about ADSI Edit, see Adsiedit Overview.
Understanding Storage Quotas and Voice
Mail
When a caller leaves a voice message for a UM-enabled user, the storage quotas or limits that
are configured on the user's mailbox may prevent voice messages from being delivered
correctly. This topic discusses the relationship between the configuration of the computer that is
running Microsoft Exchange Server 2007 that has the Unified Messaging server role installed
and the storage quotas that could potentially prevent a caller from recording a voice message.
UM Dial Plans
Although there are many Active Directory objects that must be created and configured when
Exchange 2007 Unified Messaging is deployed, UM dial plan objects are the central
241
component of the Unified Messaging system. A UM dial plan object is an Exchange 2007
organization-wide object that is created in the Active Directory directory service.
After you install the Unified Messaging server role, you must associate the Unified Messaging
server with at least one UM dial plan. You can also associate a single Unified Messaging server
with multiple UM dial plans. For more information about how to create a new UM dial plan, see
How to Create a New Unified Messaging Dial Plan.
There are many configuration settings that you can change after you create a UM dial plan to
meet the needs of your organization. After you create a UM dial plan, you can configure
subscriber access numbers, greetings, message properties, and other UM dial plan features.
Although there are many settings that can be changed to control your Unified Messaging
environment, one of the more important mailbox settings is storage quotas. If you do not set the
storage quotas for users correctly, you might unintentionally prevent voice messages from
being recorded for Exchange users in your organization.
Because Windows Media Audio (.wma) and .wav files are attached to each voice message,
voice messages may be larger than e-mail messages. This may cause problems for users by
filling up their mailbox more quickly than e-mail messages that do not include
attachments. When you plan your storage quotas for users, you should consider the maximum
length of a voice message that a caller will leave. Very long voice messages create large files.
However, you can control the size of the voice files by reducing the length of time that callers
have to leave a voice message.
The Maximum recording duration (minutes) setting controls the maximum length for the
recorded messages from callers. This setting can range from 5 to 100 minutes, but the default
setting is 20 minutes. You can change this setting by using the Exchange Management
Console or by using the Set-UMDialPlan cmdlet in the Exchange Management Shell. For more
information about how to configure settings on a UM dial plan, see How to Modify a Unified
Messaging Dial Plan.
In some Exchange environments, the default setting of 20 minutes may be too high or too low.
If the storage quota is set too high, you may risk taking up too much storage space on your
Exchange servers or users may exceed their storage quotas too quickly. If the storage quota is
set too low, it may frustrate callers by not giving them enough time to leave a whole message.
Callers may then have to call back to leave another voice message for the user.
Storage Quotas
Users may store too many e-mail, voice, and fax messages in their mailbox, in addition to
attached files. If users in your organization store lots of e-mail messages, voice messages, fax
messages, and attached files, you may have to limit the storage space that is allocated to each
user's mailbox to reduce the storage demands on your computers that are running
Exchange 2007. Frequently, large mailbox stores lead to long backup and restore times. Large
mailbox stores may also affect the availability and reliability of your Exchange environment.
Therefore, we recommend that you control the size of users' mailboxes to avoid running out of
242
storage space on your Exchange servers. When users do not have a storage quota configured
or they have a large storage quota configured, they could possibly fill up the disk drives on an
Exchange server. To prevent this, enable and configure storage quotas on users' mailboxes. By
default, and starting with the first installation, each new mailbox database includes the following
default limits:
•
Warning - 1991680 KB
•
Prohibit Send - 2097152 KB
•
Prohibit Send/Receive - 2411520 KB
After you configure storage quotas, if a storage limit is exceeded, the mailbox-enabled user is
warned or prohibited from sending or receiving e-mail. You can use the default storage limits, or
you can set your own storage limits to control the amount of data that can be stored in a user's
mailbox. For more information about how to manage recipient storage quotas, see Mailbox
Recipient Tasks.
Because storage quotas are implemented in most Exchange environments, there may be times
when a caller cannot leave a voice message for a user. Make sure that you understand the
effect that setting storage quotas can have on your Unified Messaging environment and
correctly plan your storage quotas for users so that voice messages are recorded correctly.
Voice Mail Delivery
The following three scenarios describe what can occur when a voice message is delivered to a
user's mailbox in different circumstances:
•
The voice message fits into the user's mailbox.
• The voice message cannot fit into the user's mailbox and it fills up the remaining
storage space in the user's mailbox.
•
The user's mailbox has already reached its storage capacity.
In the first scenario, the telephone rings and there is no answer. The call is transferred to the
Private Branch eXchange (PBX) and then to the Unified Messaging server. The Unified
Messaging server checks the user's mailbox storage quota. If the user's mailbox has not
reached its storage limit and a voice message is created by the Unified Messaging server for
the caller, the voice message is submitted to a computer that has the Hub Transport server role
installed. The Hub Transport server then routes and submits the voice message to the
appropriate Mailbox server. Because the voice message does not exceed the storage quota set
for the user's mailbox and the storage quota has not already been reached, the voice message
is delivered to the mailbox of the intended recipient.
In the second scenario, the Unified Messaging server checks the user's mailbox storage quota.
If the user's mailbox has not reached the storage limit, the voice mail message is submitted to a
Hub Transport server. The Hub Transport server routes the voice mail message to the
appropriate Mailbox server. The voice message is submitted to the Mailbox server, but the
243
voice message fills up the remaining storage space and exceeds the set storage quota for the
user. When this occurs, the voice message is still delivered. Even though the storage quota is
exceeded when the voice message is delivered, the voice message is still delivered the same
way a non-delivery report (NDR) is delivered to a user even though the mailbox has reached its
capacity.
Figure 34 illustrates how a voice message is submitted when the user's storage quota has not
been reached and how a message is submitted when a voice message causes the storage
quota to be reached for the user's mailbox.
Figure 34 Submission of voice mail when a user's storage quota has been reached
before delivery or when the voice message was delivered to the mailbox but then
exceeded the mailbox quota
In the third scenario, the Unified Messaging server checks the user's mailbox storage quota.
Because the user's mailbox has already reached its storage capacity, the Unified Messaging
server will not record a voice message and informs the caller that the recipient's mailbox is full.
The user must delete or archive messages to reduce the size of their mailbox to be lower than
the storage quota to be able to receive voice messages again.
Figure 35 illustrates how a call is handled when a user's mailbox storage quota has been
reached.
244
Figure 35 How a call is handled when a user's mailbox storage quota has been reached
For More Information
For more information about how to manage storage quotas, see Managing Mailbox Features.
For more information about UM dial plans, see Understanding Unified Messaging Dial Plans.
Understanding Unified Messaging VoIP
Security
An important aspect of your network security is the ability to protect your Unified Messaging
infrastructure. There are components within your Unified Messaging environment that you must
correctly configure to help protect the data that is sent and received from Unified Messaging
servers on your network. These include components such as Unified Messaging servers and
dial plans. This topic discusses how you can increase protection for the Unified Messaging
network data and servers in your organization. You must follow these steps to help secure your
Unified Messaging environment and enable VoIP security:
1. Install the Unified Messaging server role.
2. Create a UM dial plan and configure the UM dial plan to use Voice over IP (VoIP)
security.
3. Associate the Unified Messaging servers with the UM dial plan.
4. Export and import the required certificates to allow the Unified Messaging servers,
IP/VoIP gateways, IP Private Branch eXchanges (IP/PBXs), and other servers that are
running Microsoft Exchange Server 2007 to use Mutual Transport Layer Security (MTLS).
245
5. Configure the UM IP gateways that are used with a fully qualified domain name
(FQDN).
Protecting Unified Messaging
There are several security methods that can help you protect your Unified Messaging servers
and the network traffic that is sent between your IP/VoIP gateways and Unified Messaging
servers and between your Unified Messaging servers and other Exchange 2007 servers in your
organization. Table 28 lists some of the possible threats to your Unified Messaging
infrastructure and the security methods that can be implemented to help protect it.
Table 28 Protecting Unified Messaging
What am I protecting against?
How can I protect it?
Monitoring voice traffic
• Use Internet Protocol security (IPsec).
However, the IP gateway or IP/PBX must
support IPsec.
Monitoring fax traffic
• Use IPsec. However, the IP gateway
or IP/PBX must support IPsec.
An attack against an IP/VoIP gateway or
IP/PBX
•
Use strong authentication methods.
•
Use strong administrative passwords.
• Use Secure Sockets Layer (SSL) to
protect administrative credentials. The IP
gateway or IP/PBX must support SSL.
• Use Secure Shell (SSH) instead of
Telnet.
Unauthorized long distance calls
• Use UM dial plan rules and dialing
restrictions. These can be configured on
the UM dial plan and UM mailbox policies.
• Optionally, you may be able to enforce
other dialing restrictions by configuring
your PBX.
246
What am I protecting against?
A denial of service attack
A Session Initiation Protocol (SIP) proxy
impersonation
How can I protect it?
• The Unified Messaging server
communicates only with UM IP gateways
or IP/PBXs that are included in the list of
trusted VoIP devices or servers. This list of
trusted VoIP devices or servers is created
when a UM IP gateway is created in the
Active Directory directory service.
•
Use MTLS.
•
Use MTLS.
• Use IPsec. However, the IP gateway
or IP/PBX must support IPsec.
• Configure trusted LANs such as
VLANs, dedicated WAN circuits, or virtual
private networks (VPNs).
Eavesdropping and session hijacking
• Use MTLS to reduce signaling
eavesdropping.
• Use IPsec. However, the IP gateway
or IP/PBX must support IPsec.
• Configure trusted LANs such as
VLANs, dedicated WAN circuits, or VPNs.
There are several security methods listed in Table 28 that you can use to protect your Unified
Messaging environment. One of the most important mechanisms for protecting your Unified
Messaging infrastructure and the network traffic that is generated by Unified Messaging is
Mutual Transport Layer Security (MTLS).
You can use MTLS to encrypt SIP traffic that is passed between IP/VoIP gateways, IP/PBXs,
and other Exchange 2007 servers and the Unified Messaging servers on your network. Using
MTLS to encrypt the SIP data is the best choice for protecting this data.
However, depending on the security threat, you can also configure IPsec policies to enable
data encryption between IP/VoIP gateways or IP/PBXs and a Unified Messaging server or
between a Unified Messaging server and other Exchange 2007 servers on your network. In
some environments, you might be unable to use IPsec because IPsec may be unavailable or
may not be supported on the IP/VoIP gateways or IP/PBXs. Additionally, IPsec puts an
additional processing load on system resources on Unified Messaging servers. Considering
these two factors, MTLS is a better choice for protecting the VoIP network traffic in your Unified
Messaging environment.
247
After you have correctly implemented and configured MTLS, the SIP traffic between the IP
gateways, IP/PBXs, and from other Exchange servers to the Unified Messaging servers will be
encrypted. However, when MTLS cannot be used to help secure the traffic that is sent or
received from a Unified Messaging server, such as when a Unified Messaging server
communicates with another server on your network, such as an Active Directory domain
controller or an Exchange 2007 Mailbox server, other types of encryption are used to protect
the data. Figure 36 shows the methods of encryption that you can use to protect Unified
Messaging.
Figure 36 UM VoIP security
248
Types of Certificates
Digital certificates are electronic files that work like an online passport to verify the identity of a
user or computer and are used to create an encrypted channel that is used to protect data. A
certificate is basically a digital statement that is issued by a certification authority (CA) that
vouches for the identity of the certificate holder and enables the parties to communicate in a
secure manner by using encryption. They can be issued by a trusted third-party CA, such as by
using Certificate Services, or be self-signed. Each type of certificate has its advantages and
disadvantages. However, in every case, certificates are tamper-proof, and cannot be forged.
Certificates can be issued for a variety of functions, such as Web user authentication, Web
server authentication, S/MIME, IPsec, Transport Layer Security (TLS), and code signing.
A certificate binds a public key to the identity of the person, computer, or service that holds the
corresponding private key. The public and private keys are used by both the client and the
server to encrypt the data before it is transmitted across the wire. Certificates are used by a
variety of public key security services and applications that provide authentication, data
integrity, and secure communications across networks such as the Internet. For Windowsbased users, computers, and services, trust in a CA is established when there is a copy of the
root certificate in the trusted root store and the certificate contains a valid certification path. This
means that no certificates in the certification path have been revoked or have had the validity
period expire.
Digital certificates do the following two things:
• They authenticate that their holders—people, Web sites, and even network resources
such as routers—are truly who or what they claim to be.
•
They protect data that is exchanged online from theft or tampering.
There are traditionally three options or kinds of certificates that Unified Messaging and IP/VoIP
gateways or IP/PBXs can use. In all three approaches or options, the public key of the
certificate owner is part of the certificate so that the server, user, Web site, or other resource
that is on the other end can decrypt the messages. The private key is known only to the signer
of the certificate. Each certificate has an EnhancedKeyUsage attribute set on it to dictate the
specific usage for the certificate. For example, usage could be specified only for server
authentication or for use with the encrypting file system. Unified Messaging uses the certificate
for server authentication and data encryption.
Self-Signed Certificates
A self-signed certificate is a certificate that is signed by its own creator. The subject and the
name of the certificate match. On self-signed certificates, the issuer and subject are defined on
the certificate. Self-signed certificates do not require the presence of a CA from your
organization or from a third party. You must configure these certificates explicitly and copy them
to the trusted root certificate store on each IP/VoIP gateway, IP/PBX, other Unified Messaging
249
servers, and other Exchange 2007 computers if they are to be trusted by the Unified
Messaging server that has issued the certificate.
If a public key infrastructure (PKI)-based or third-party certificate is unavailable, the Unified
Messaging server will search for a self-signed certificate in the local certificate store. If it cannot
find a PKI or third party certificate, it will generate a self-signed certificate for MTLS. However,
because it is a self-signed certificate, it will not be trusted by the IP/VoIP gateways, IP/PBXs on
the network, or other servers on the network. To ensure that the self-signed certificate is trusted
by IP/VoIP gateways, IP/PBXs, or other servers, you have to import the self-signed certificate
into the local trusted root certificate store for the devices and servers. After you do this, when
the Unified Messaging server presents this self-signed certificate to the IP/VoIP gateway, IPPBX, or server, it will be able to verify that the certificate was issued by a trusted authority
because the issuer will equal the subject that is defined on the self-signed certificate.
If you are using only self-signed certificates, you must import a single self-signed certificate for
each IP/VoIP gateway, IP/PBX, or server. In large network environments with multiple devices
or computers, this may not be the best choice for implementing MTLS. Using self signed
certificates in a large enterprise network does not scale well because of the additional
administrative overhead. However, administrative overhead is not a problem if you have
multiple devices and you are using a PKI or commercial third party certificate. This is because
each device has a certificate that has been issued by the same trusted root authority. Having a
certificate from the same trusted root authority ensures that all IP/VoIP gateways, IP/PBXs, and
other servers trust the Unified Messaging server.
For MTLS to work using self-signed certificates:
1. Take the Unified Messaging server's self-signed certificate and import it into the trusted
root certificate store on each IP/VoIP gateway, IP/PBX, and other servers such as a Client
Access server and other servers that the Unified Messaging server will communicate with
by using MTLS.
2. Take the self-signed certificate from each IP/VoIP gateway, IP/PBX, or other server and
import it into the Unified Messing server's trusted root certificate store. If you are using a
PKI or third-party certificate, you will import the certification authority's certificate into the
trusted root certificate store on all devices and servers.
Self-signed certificates are frequently not the best certificate option when you deploy MTLS or
certificate-based authentication. However, smaller organizations with a limited number of
devices or computers may decide to use the self-signed certificate method because it is the
most simple to configure and the least expensive method to use when you implement MTLS.
Frequently, smaller organizations decide not to use a third-party certificate or to install their own
PKI to issue their own certificates because of the expense, because their administrators lack
the experience and knowledge to create their own certificate hierarchy, or for both reasons. The
cost is minimal and the setup is simple when you are using self-signed certificates. However,
establishing an infrastructure for certificate life-cycle management, renewal, trust management,
and revocation is much more difficult with self-signed certificates.
250
Public Key Infrastructure
A public key infrastructure (PKI) is a system of digital certificates, certification authorities (CAs),
and registration authorities (RAs) that verify and authenticate the validity of each party that is
involved in an electronic transaction by using public key cryptography. When you implement a
CA in an organization that uses Active Directory, you provide an infrastructure for certificate lifecycle management, renewal, trust management, and revocation. These qualities provide a solid
infrastructure for all the certificates in your organization. However, there is some cost involved
in deploying additional servers and infrastructure to create and manage these types of
certificates.
You can install Certificate Services on any server in the domain. If you obtain certificates from a
domain Windows-based CA, you can use the CA to request or sign certificates to issue to your
own servers or computers on your network. This enables you to use a PKI that is similar to
using a third-party certificate vendor but is less expensive. Although these PKIs cannot be
deployed publicly, as other types of certificates can be, when a PKI is used, a CA signs the
requestor’s certificate by using the private key and the requestor is verified. The public key of
this CA is part of the CA’s own certificate. Anyone who has this CA’s certificate as a root
certificate can use that public key to decrypt the requestor’s certificate and authenticate the
requestor.
When you use a PKI certificate to implement MTLS, you must copy the required certificates to
the IP/VoIP gateways or IP/PBXs. You must then copy the certificates on the IP/VoIP gateways
or IP/PBXs to the Unified Messaging servers that are associated with the UM dial plan that has
been configured in secure mode.
The setup and configuration for using PKI certificates and third-party certificates are similar to
the procedures that you perform when importing and exporting the self-signed certificates.
However, you must not only install the computer certificate into the trusted root certificate store,
but you must also import or copy the trusted root certificate for the PKI into the trusted root
certificate store on the Unified Messaging servers and the IP/VoIP gateways and IP/PBXs on
your network.
To deploy MTLS when you have already deployed a PKI infrastructure, follow these steps:
1. Generate a certificate request on each IP/VoIP gateway or PBX.
2. Copy the certificate request to use when requesting the certificate from a certification
authority.
3. Request a certificate from the certification authority by using the certificate request.
Save the certificate.
4. Import the certificate you saved onto each device or computer.
5. Download the trusted root certificate for your PKI.
6. Import the trusted root certificate from your PKI on each device. If you are importing
the trusted root certificate on an Exchange 2007 computer that is running the Unified
251
Messaging role, you can also use Group Policy to import the trusted root certificate into the
trusted root certificate store on the Unified Messaging server or other Exchange 2007
servers. However, this process is also used when you are configuring a server that is
running the Unified Messaging server role.
Note:
You will use the same steps if you are using a commercial third-party certificate to
implement MTLS.
For more information about certificates and PKIs, see the following topics.
• For more information about certificates, see Public Key Infrastructure for Windows
Server 2003.
• For more information about best practices for implementing a
Microsoft Windows Server 2003 public key infrastructure, see Best Practices for
Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.
• For more information about how to deploy a Windows-based PKI, see the Windows
Server 2003 PKI Operations Guide.
Third-Party Certification Authorities
Third-party or commercial certificates are certificates that are generated by a third-party or
commercial CA and then purchased for you to use on your network servers. One problem with
self-signed and PKI-based certificates is that because the certificate is not trusted, you must
make sure that you import the certificate into the trusted root certificate store on client
computers, servers, and other devices. Third-party or commercial certificates do not have this
problem. Most commercial CA certificates are already trusted because the certificate already
resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also
trusted. Using third-party certificates greatly simplifies deployment.
For larger organizations or organizations that must publicly deploy certificates, using a thirdparty or commercial certificate is the best solution, even though there is a cost associated with
the certificate. Commercial certificates may not be the best solution for smaller and mediumsize organizations, and you might decide to use one of the other certificate options that are
available.
Depending on the configuration of the IP/VoIP gateway or IP/PBX, you might still have to import
the third-party or commercial certificate into the trusted certificate store on the IP/VoIP
gateways and IP/PBXs to be able to use the third-party certificate for MTLS. However, in some
cases, the third-party certificate will be included in the trusted root certificate store on your
Unified Messaging server and other Exchange 2007 computers in your organization.
The procedures that you perform to use a commercial third-party certificate for enabling MTLS
are the same procedures that you perform when you use a PKI certificate. The only difference
is that you will not have to generate a PKI certificate because you have purchased a certificate
252
from a commercial third-party certificate vendor that will be imported into the trusted root
certificate store on the servers and devices on your network.
Configuring MTLS
By default, when an incoming call is received from an IP/VoIP gateway, the SIP traffic is not
encrypted and does not use MTLS. However, the security setting for a Unified Messaging
server is configured on the Unified Messaging dial plan that is associated with the Unified
Messaging server. To enable the Unified Messaging server to communicate securely with
IP/VoIP gateways, IP/PBXs, and other Exchange 2007 servers, you must use the SetUMDialPlan cmdlet to configure VoIP security on the UM dial plan, and then enable MTLS for
the Unified Messaging servers that are associated with the UM dial plan.
Note:
If the Microsoft Exchange Unified Messaging service is already running and you add
the Unified Messaging server to a UM dial plan, you must restart the
Microsoft Exchange Unified Messaging service for the security setting on the dial plan
to be enforced.
After you have used the VoIPSecurity parameter on the Set-UMDialPlan cmdlet to enable VoIP
security on the UM dial plan, all Unified Messaging servers that are associated with the UM dial
plan can communicate in a secure manner. However, depending on the type of certificate that
you use for enabling MTLS, you must first import and export the required certificates both on
the Unified Messaging servers and the IP/VoIP gateways and PBXs. After the required
certificate or certificates have been imported on the Unified Messaging server, you must restart
the Microsoft Exchange Unified Messaging service to be able to use the certificate that was
imported to establish a secure channel with the IP/VoIP gateways or IP/PBXs. For more
information about how to import and export certificates, see Importing and Exporting
Certificates.
After you have successfully imported and exported the required trusted certificates, the IP/VoIP
gateway will request a certificate from the Unified Messaging server, and then it will request a
certificate from the IP/VoIP gateway. Exchanging the trusted certificates between the IP/VoIP
gateway and the Unified Messaging server enables the IP/VoIP gateway and Unified
Messaging server to communicate over a secure channel by using MTLS. When an incoming
call is received by an IP/VoIP gateway or IP/PBX, it will initiate a certificate exchange and
negotiate security by using MTLS with the Unified Messaging server. The Microsoft Exchange
Unified Messaging service is not involved in the certificate exchange process or in determining
whether the certificate is valid. However, if a trusted certificate cannot be located on a Unified
Messaging server, a trusted certificate is found but is not valid, or a call is rejected because of
an MTLS negotiation failure, the Unified Messaging server will receive a notification from the
Microsoft Exchange Unified Messaging service.
253
Although the Microsoft Exchange Unified Messaging service does not participate in the
certificate exchange between the Unified Messaging server and the IP/VoIP gateways, the
Microsoft Exchange Unified Messaging service does the following:
• Provides a list of fully qualified domain names (FQDNs) to the
Microsoft Exchange Speech service so that calls from only the IP/VoIP gateways or
IP/PBXs that are included on the list are accepted.
• Passes the issuerName and SerialNumber attributes of a certificate to the
Microsoft Exchange Speech service. These attributes uniquely identify the certificate that
the Unified Messaging server will use when an IP/VoIP gateway or IP/PBX requests a
certificate.
After the Unified Messaging server and the IP/VoIP gateways or IP/PBXs have performed the
key exchange to establish a secure channel by using MTLS, the Unified Messaging servers will
communicate with the IP/VoIP gateways and IP/PBXs by using a secure channel. The Unified
Messaging servers will also communicate with other Exchange 2007 servers, such as Client
Access servers and Hub Transport servers, by using a secure channel that uses MTLS.
However, MTLS will only be used to encrypt the traffic or messages that are submitted from the
Unified Messaging server to a Hub Transport server.
Important:
To be able to enable MTLS between a UM IP gateway and a dial plan that is operating
in secure mode, you must first configure the UM IP gateway with an FQDN and
configure it to listen on port 5061. To configure a UM IP gateway, run the following
command: Set-UMIPgateway -identity MyUMIPgateway -Port 5061. You must also
verify that any IP/VoIP gateways or IP/PBXs have also been configured to listen on
port 5061 for MTLS.
IPsec
IPsec also uses certificates to encrypt data. It provides a key line of defense against private
network and Internet attacks.
IPsec has the following goals:
•
To protect the contents of IP packets.
• To defend against network attacks through packet filtering and the enforcement of
trusted communication.
IPsec is a framework of open standards that helps ensure private, secure communications over
IP networks by using cryptographic security services.
IPsec uses cryptography-based protection services, security protocols, and dynamic key
management. It provides the strength and flexibility to protect communications between private
254
network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be
used to block receipt or transmission of specific types of traffic.
IPsec is based on an end-to-end security model that establishes trust and security from a
source IP address to a destination IP address. The IP address itself does not have to be
considered an identity. Instead, the system behind the IP address has an identity that is
validated through an authentication process. The only computers that must know about the
traffic that is being secured are the sending and receiving computers. Each computer handles
security at its respective end and operates under the assumption that the medium over which
the communication occurs is not secure. Computers that route data only from source to
destination are not required to support IPsec unless firewall-type packet filtering or network
address translation is being done between the two computers. This enables IPsec to be
deployed successfully for the following organizational scenarios:
•
LAN: client-to-server, server to server, and server-to-VoIP device
•
WAN: router-to-router and gateway-to-gateway
•
Remote access: dial-up clients and Internet access from private networks
Typically, both sides require IPsec configuration to set options and security settings that will
allow two systems to agree on how to secure traffic between them. This is known as an IPsec
policy. The Microsoft Windows 2000 Server, Windows XP, and the Windows Server 2003 family
implementations of IPsec are based on industry standards that were developed by the Internet
Engineering Task Force (IETF) IPsec working group. Parts of IPsec-related services were
jointly developed by Microsoft and Cisco Systems, Inc. For more information about how to
configure IPsec policies, see Creating, modifying, and assigning IPsec policies.
For more information about IPsec, see IPSec Concepts.
Caution:
If you currently have IPsec policies implemented on your network, you must exclude
the IP/VoIP gateways and IP/PBXs from the IPsec policy. If you do not, for every 3
seconds of a voice mail there will be a 1 second drop of the voice transmission. This is
a known issue and a hotfix for Microsoft Windows Server 2003. For more information
about this hotfix, see How to simplify the creation and maintenance of Internet Protocol
(IPsec) security filters in Windows Server 2003 and Windows XP.
UM Dial Plans and VoIP Security
Unified Messaging can communicate with IP/VoIP gateways, IP/PBXs, and other
Exchange 2007 computers in either a secure or an unsecure mode depending on how the UM
dial plan has been configured. By default, UM dial plans communicate in an unsecure mode.
You can use the Get-UMDialPlan cmdlet in the Exchange Management Shell to determine the
security setting for a given UM dial plan. If the VoIP security parameter has been enabled, you
can verify that the Microsoft Exchange Unified Messaging service has started in secure mode
255
by checking the application event log to see whether information events numbered 1114 and
1112 have been logged.
By default, Unified Messaging dial plans and the Unified Messaging servers that are associated
with the UM dial plan send and receive data by using no encryption. Therefore, they are
configured in unsecured mode. In unsecured mode, the VoIP and SIP traffic will not be
encrypted. However, the UM dial plans and the Unified Messaging server that are associated
with the UM dial plan can be configured by using the VoIPSecurity parameter. The VoIPSecurity
parameter configures the dial plan to encrypt the VoIP and SIP traffic by using MTLS.
Unified Messaging uses the VoIP protocols Realtime Transport Protocol (RTP) and SIP to
communicate with other devices and servers. When you configure the UM dial plan to use VoIP
security or secure mode, the SIP signaling channel will be encrypted. The SIP signaling
channel can use SIP that is secured by using MTLS. However, the media channels that use
RTP will still use Transmission Control Protocol (TCP), which is unsecured.
Note:
A secure signaling media channel that uses Secure Realtime Transport Protocol
(SRTP) will also use MTLS to encrypt the VoIP data. SRTP is unavailable in this
release of the product. However, SRTP support is planned for a future release. This
means that the SIP data and the media channels that are used by Exchange 2007
Unified Messaging will both be encrypted.
After you have created a UM dial plan, you must use the Set-UMDialPlan cmdlet to set the
VoIP security mode. When you configure the UM dial plan to use VoIP security, the Unified
Messaging servers that are associated with the UM dial plan will use the secure mode or
encryption. However, to be able to send encrypted data to and from a Unified Messaging
server, you must correctly configure the UM dial plan and devices such as IP/VoIP gateways or
IP/PBXs must support MTLS.
A Unified Messaging server can be associated with a single or multiple UM dial plans. However,
a single Unified Messaging server can use either MTLS (secured) or TCP (unsecured), but not
both. This is a limitation of the SIP signaling stack. Therefore, a single Unified Messaging
server can only be associated with multiple dial plans that have the same security
configuration.
By default, when a dial plan is created, it will use unsecured mode or no encryption. However, if
you have a Unified Messaging server that is associated with a UM dial plan that has been
configured to use MTLS to encrypt the VoIP traffic, and you have to disable VoIP security for
the dial plan, you must perform the following tasks:
1. Remove all Unified Messaging servers from the UM dial plan that is currently running
in secured mode.
2. Use the Set-UMDialPlan cmdlet to set the dial plan to unsecured mode.
3. Associate the Unified Messaging servers with the dial plan that is now running in
unsecured mode.
256
How UM Determines Security Mode and Selects
Certificates
When the Microsoft Exchange Unified Messaging service starts, it checks the associated UM
dial plan and the VoipSecurity parameter setting and identifies whether it should start in secure
or unsecure mode. If it determines that it must start in secure mode, it will then determine
whether it has access to the required certificates. If the Unified Messaging server is not
associated with any UM dial plans, it will determine which mode to start in by looking at the
StartSecured parameter in the UMRecyclerConfig.xml file. This parameter can be set with a
value of 0 or 1. A value of 1 starts the Unified Messaging server in secure mode and a value of
0 starts the server in unsecure mode. If you want to change the startup behavior of the Unified
Messaging server from secure to unsecure or from unsecure to secure, you can associate the
server with the appropriate UM dial plans and then restart the Unified Messaging server. You
can also change the configuration setting in the UMRecyclerConfig.xml configuration file and
the restart the Microsoft Exchange Unified Messaging service.
If the Microsoft Exchange Unified Messaging service is started in unsecure mode, it will start
normally. However, make sure that you verify that the IP/VoIP gateways and IP/PBXs are also
running in unsecure mode. Also, if you are testing the Unified Messaging server's connectivity
in unsecure mode, use the Test-UMConnectivity cmdlet with the -Secured:false parameter.
If the Microsoft Exchange Unified Messaging service is started in secure mode, it will query the
local certificate store to find a valid certificate to use for MTLS to enable encryption. The service
will first look for a valid PKI or commercial certificate and then, if an appropriate certificate is not
found, it will look for a self-signed certificate to use. If no PKI, commercial, or self-signed
certificate is found, the Microsoft Exchange Unified Messaging service will create a self-signed
certificate to use to start.
All the details of the certificate that is used to start in secure mode will be logged whenever a
certificate is used or if the certificate has changed. Some of the details that are logged include
the following:
•
Issuer Name
•
Serial Number
•
Thumbprint
The thumbprint is the Secure Hash Algorithm (SHA1) hash and can be used to uniquely identify
the certificate that is used. You can then export the certificate that is used by the
Microsoft Exchange Unified Messaging service to start in secure mode from the local certificate
store and then import this certificate on the IP/VoIP gateways and IP/PBXs on your network into
the trusted certificate store.
After an appropriate certificate has been found and is used, and no additional changes have
occurred, the Microsoft Exchange Unified Messaging service will log an event one month
before the certificate that is being used expires. If you do not make any changes to the
257
certificate during this time, the Microsoft Exchange Unified Messaging service will log an event
each day until the certificate expires and each day after the certificate has expired.
When the Unified Messaging server is looking for a certificate to use for MTLS to establish a
secure channel, it will look in the trusted root certificate store. If there are multiple certificates
that are valid and are from different issuers, the Unified Messaging server will choose the valid
certificate that has the longest time before the certificate will expire. If multiple certificates exist,
the Unified Messaging server will choose the certificates based on the issuer and the date that
the certificate will expire. The Unified Messaging server will look for a valid certificate in this
order.
1. PKI or commercial certificate with the longest expiration period.
2. PKI or commercial certificate with the shortest expiration period.
3. Self signed certificate with the longest expiration period.
4. Self signed certificate with the shortest expiration period.
For More Information
• For more information about how to start the Microsoft Exchange Unified Messaging
service, see How to Start the Microsoft Exchange Unified Messaging Service.
• For more information about how to stop the Microsoft Exchange Unified Messaging
service, see How to Stop the Microsoft Exchange Unified Messaging Service.
• For more information about how to configure a UM dial plan to use secure mode, see
Set-UMDialplan.
• For more information about the supported IP/VoIP gateways, see Supported IP/VoIP
Gateways.
•
For more information about IP/PBX and PBX support, see IP/PBX and PBX Support.
• For more information about how to associate a Unified Messaging server with a UM
dial plan, see How to Add a Unified Messaging Server to a Dial Plan.
Understanding Faxing in Unified
Messaging
Microsoft Exchange 2007 Unified Messaging (UM) enables voice mail messages to be
delivered into a user's Exchange 2007 mailbox, and also lets users receive fax messages in
their Exchange 2007 mailbox. In Exchange 2007 Unified Messaging, a fax message is sent to
the user's mailbox as an e-mail message that has an image file with a .tif extension attached.
When an e-mail message that has an image attachment is received into their mailbox, a user
can open the attached file by using a software application that can open and view image files
258
that have a .tif extension. This topic discusses faxing and how it works in Exchange 2007
Unified Messaging.
Note:
Although Unified Messaging does not let users send outgoing faxes, many third-party
solutions, such as an Internet fax service, e-mail faxing services, or a third-party fax
server application can be used to send outgoing faxes.
Overview of Faxing
Fax is an abbreviation for the word facsimile. It is a technology that is used to electronically
transfer documents. Generally, faxes are sent and received by fax machines or computer
fax/modems by using the Public Switched Telephone Network (PSTN), a telephony or circuitbased network. However, there are other faxing options that can be used to send and receive
faxes.
Almost all organizations today need their users to send and receive faxes. Most organizations
use one or more of the methods described in the following list to send or receive faxes over the
PSTN or over the Internet. There are advantages and disadvantages to each of these methods.
•
Traditional fax machines and computer-based faxing
•
Faxing by using fax servers or gateways
•
Faxing by using a Voice over IP (VoIP) network
•
Faxing by using an e-mail client application
For users in an organization to send a fax message, they may have to do the following:
•
it.
Print a hard copy of the document to be faxed and use a physical fax machine to send
•
Save the document on their computer and use a fax modem to send the fax.
•
Use an Internet fax service that lets them fax a document from a software application.
• Send an outgoing fax to a fax server by using a software application that is configured
to use the fax server.
For users in an organization to receive a fax, they may have to do the following:
•
Receive a fax on a physical fax machine within the organization.
•
Receive a fax by using a fax modem that is installed on their computer.
•
Receive a fax from an Internet faxing service.
•
Receive a fax from a fax server that is configured on a network.
•
Receive a fax from a Unified Messaging server on a VoIP network.
259
Faxing Methods
There are several options for sending and receiving faxes, including the following:
Traditional fax machines and computer-based faxing Scanners, a fax modem in a
computer, a printer with built-in faxing capabilities, or a dedicated fax machine can be used to
send and receive faxes. They are used to transmit data in the form of pulses by using a
telephone line to another fax device, usually another fax machine or computer that has a fax
modem. The pulses are then transformed into images or used to print the image on paper.
The traditional fax method requires at least a single telephone line on the sending and
receiving device, and only one fax can be sent or received at a time. A disadvantage of sending
and receiving faxes by using a fax modem is that the computer must be turned on and running
fax software or a fax service. This kind of computer-based faxing does not use the Internet to
send or receive faxes. The following figure illustrates how traditional and computer-based
faxing is used to send and receive faxes.
Figure 37 Traditional and computer-based faxing
Fax servers or gateways and Internet fax services There are several ways to send and
receive faxes over the Internet. These include using a software application on a computer or
using an e-mail client to receive faxes. In most cases, this kind of faxing involves using a fax
server or fax gateway to convert between faxes and e-mail. This has become increasingly
popular because it enables organizations to remove or not purchase additional fax machines. It
also eliminates the need to install additional telephone lines. This kind of faxing involves
creating the document, including a fax cover page with the correct identifying information, and
sending the document to a traditional fax machine. For example, the user uses a software
260
application such as Microsoft Office Word or Microsoft Office Outlook to create and send the
fax to the fax server or gateway. The fax server or gateway receives the fax and then sends
it by using a traditional telephone line to a fax machine or fax modem that is installed on a
computer. The following figure illustrates how fax servers, gateways, and Internet fax services
can be used to send and receive faxes.
Figure 38 Faxing by using fax servers or gateways
Internet fax services let a user send faxes from a computer by using the Internet. A software
application such as Office Word or Outlook can be used to create and send the fax to an
Internet fax service. There are many companies that offer Internet faxing services on a
subscription basis or by charging for each fax message that is sent. Internet fax services offer
the following advantages:
•
No fax machine is required
•
No software or hardware must be installed
•
No dedicated telephone lines are required
•
Confidentiality
•
Multiple faxes can be sent at the same time
•
Faxes can be received when the computer is shut off
The following figure illustrates how Internet fax services can be used to send and receive faxes.
261
Figure 39 Internet fax services
Faxing by using an e-mail client application Faxes can be sent and received by a fax
machine over the Internet and then received by an e-mail client such as Outlook.
The T.37 protocol was designed to enable a fax machine to send fax messages over the
Internet to an e-mail client. The faxes are sent over the Internet as an e-mail attachment,
typically as .tif or .pdf files. In this kind of faxing, a fax machine that supports iFax or T.37 is
required, in addition to an e-mail address for the sending and receiving fax machines. To work
with existing traditional fax machines and fax modems, all T.37 fax machines support standard
faxing by using a telephone line. However, in some cases, T.37 fax machines can be used
when a fax gateway is also being used. Figure 40 illustrates how T.37-based fax machines and
e-mail clients can be used to send and receive faxes.
Figure 40 Faxing with e-mail
Faxing by using a VoIP network VoIP is a technology that contains hardware and software
that enables people to use an IP-based network as the transmission medium for telephone
calls. On a VoIP network, voice and fax data is sent in packets by using IP instead of by
262
traditional circuit transmissions or the circuit-switched telephone lines of the PSTN. An IP/VoIP
gateway that you connect to your IP network uses VoIP to send voice data packets between an
Exchange 2007 Unified Messaging server and a Private Branch eXchange (PBX)
system. Alternatively, you can use an IP/PBX to perform the functions of both an IP/VoIP
gateway and a PBX.
There are two basic types of networks: circuit-switched and packet-switched. A circuit-switched
network is a network in which there exists a dedicated connection. A dedicated connection is a
circuit or channel that is set up between two nodes so that they can communicate. After a call is
established between two nodes, the connection may be used only by these two nodes. When
the call is ended by one of the nodes, the connection is canceled. In circuit-switched networks,
such as the PSTN, multiple calls are transmitted across the same transmission medium.
Frequently, the medium that is used in the PSTN is copper. However, fiber optic cable might
also be used.
In packet-switched networks such as the Internet or a local area network (LAN), packets are
routed to their destination through the most expedient route, but not all packets traveling
between two hosts travel the same route, even those from a single message. This almost
guarantees that the packets will arrive at different times and out of order. In a packet-switched
network, packets (messages or fragments of messages) are individually routed between nodes
over data links that may be shared by other nodes. With packet switching, unlike circuit
switching, multiple connections to nodes on the network share the available bandwidth. Packetswitched networking has made it possible for the Internet to exist and, at the same time, has
made data networks—especially LAN-based IP and VoIP networks—more available and
widespread. Figure 41 illustrates how a VoIP network and Exchange Unified Messaging can be
used to deliver faxes.
Figure 41 Faxing on a VoIP network
T.38
T.38 is a faxing standard and protocol that enables faxing over an IP-based network. An IPbased network that uses the T.38 protocol uses Simple Mail Transfer Protocol (SMTP) and
MIME to send the message to a recipient's mailbox. T.38 allows for IP fax transmissions for IPenabled fax devices and fax gateways. The devices can include IP network-based hosts such
as client computers and printers. In Exchange 2007 Unified Messaging, the fax images are
separate documents encoded as .tif files and attached to an e-mail message. Both the e-mail
263
message and the .tif file attachment are sent to the recipient's Exchange 2007 UM-enabled
mailbox.
Exchange 2007 Unified Messaging relies on the gateway's abilities to translate or convert Time
Division Multiplex (TDM) or telephony circuit-switched based protocols like Integrated Services
Digital Network (ISDN) and QSIG from a PBX to IP- or VoIP-based protocols like Session
Initiation Protocol (SIP), Real-Time Transport Protocol (RTP), or T.38 for receiving fax
messages. The IP/VoIP gateway is integral to the functionality and operation of Unified
Messaging. The IP/VoIP gateway is responsible for sensing fax tones. Unified Messaging
servers rely on the IP/VoIP gateway to send a notification that a fax has been detected, at
which point the Unified Messaging server will renegotiate the media session and use the T.38
protocol.
Faxing with Unified Messaging
Receiving a fax on a VoIP network differs from receiving a fax on a standard fax machine or by
using a fax server that is located on an IP-based network. To enable faxes to be sent and
received over a VoIP network, you must have an IP/VoIP gateway or an IP/PBX that supports
the T.38 protocol and a server that also supports T.38. T.38 allows for IP-based fax
transmissions for IP network-based hosts such as client computers, printers with built-in faxing
capabilities, and servers such as a Unified Messaging server.
When a call is received into a PBX, the PBX forwards the call to the appropriate extension. If a
ring no answer occurs at the user's extension number, the PBX forwards the call to an IP/VoIP
gateway and the IP/VoIP gateway forwards the fax call to the appropriate Unified Messaging
server. When the call is received by the Unified Messaging server, the Unified Messaging
server must decide whether it is a voice call or a fax call. When the SIP protocol is used, the
Unified Messaging server processes the call as a voice message. However, if the T.38 protocol
is used from the IP/VoIP gateway, the Unified Messaging server recognizes that the call is for a
fax and processes the call. It generates the e-mail message and the .tif attachment, and then
submits the fax message to an Exchange 2007 computer that has the Hub Transport
server installed that is in the same Active Directory site for delivery to the user's
Exchange 2007 mailbox.
By default, when you install the Unified Messaging server role, the server is configured to allow
incoming fax calls to be processed and then delivered to a UM-enabled user. However, you can
disable the ability for Unified Messaging users to receive faxes by doing any of the following:
•
Disabling faxing on a UM dial plan
•
Configuring the number of incoming fax calls to 0 on a Unified Messaging server
•
Configuring the mailbox for a specific Exchange 2007 user to disable faxing.
For more information about how incoming faxes are sent to a user's mailbox, see Unified
Messaging Voice and Fax Call Processing.
264
In Exchange 2007 Unified Messaging, the user receives the fax images as separate documents
encoded as .tif image files that are attached to an e-mail message. Both the e-mail message
and the .tif attachment are sent to the recipient's Exchange 2007 UM-enabled mailbox.
There are several advantages to sending a fax message to the user's mailbox. These
advantages include the following:
•
You can reduce the number of physical or traditional fax machines.
• The number of telephone lines used for faxing in an organization can be reduced,
because the Unified Messaging server can queue many faxes and send each fax when
one of the telephone lines becomes available.
• Faxes that are received as a .tif image file are better quality than a traditional fax.
Incoming faxes can be printed by a local or shared printer.
• Faxes sent to the user's mailbox are more secure because they are less likely than
hard copy faxes to be picked up by someone other than the recipient.
•
Users can receive faxes without leaving their desk.
• Fax messages that are received can be monitored to make sure that they comply with
an organization's security policies.
A single fax message can be sent only to a single UM-enabled user. Exchange 2007 Unified
Messaging cannot forward fax messages to a distribution list. If you must have this functionality,
you must:
1. Create a mailbox to answer the fax call. This will be the mailbox for the distribution list.
2. UM-enable the distribution list mailbox.
3. Create a rule for this UM-enabled mailbox. The rule will be configured to forward all
messages to the chosen distribution list.
Enabling UM-Enabled Users to Receive Faxes
There are three components that must be configured correctly for users to be able to receive
faxes by using Exchange 2007 Unified Messaging. Although, by default, all three of these
components allow faxes to be received, you must verify that each setting has been configured
correctly. To enable UM-enabled users to receive faxes, you must do the following:
• Verify that each UM dial plan allows the users who are associated with the dial plan to
receive faxes. By default, all users who are associated with a dial plan can receive fax
messages. To allow UM-enabled users to receive fax messages in their mailbox, each
Unified Messaging server that is associated with the dial plan must be configured to accept
incoming fax calls. You must also enable fax messages to be received by users who are
associated with the dial plan. For more information about how to enable or disable the
ability for users to receive faxes for a dial plan, see How to Enable UM-Enabled Users to
Receive Faxes.
265
Note:
If you prevent fax messages from being received on a dial plan, all users who are
associated with the dial plan will be unable to receive fax messages, even if you
configure an individual user's properties to allow them to receive fax messages.
Enabling or disabling faxing on a UM dial plan takes precedence over the settings
for an individual UM-enabled user.
• Verify that the Unified Messaging servers that are associated with the UM dial plan are
configured to allow one or more incoming fax calls to be processed. By default, when you
install the Unified Messaging server role, the Unified Messaging server will accept 100
concurrent incoming fax calls. This allows UM-enabled users who are associated with a
UM dial plan to receive fax messages into their mailbox. However, there may be times
when these default settings have changed and UM-enabled users cannot receive fax
messages. For more information about how to configure the number of incoming fax calls,
see How to Modify the Number of Concurrent Fax Calls Setting.
You can also prevent all users from receiving fax messages by setting the number of
incoming fax calls to 0 on each Unified Messaging server that is associated with a dial
plan. If each Unified Messaging server that is associated with a dial plan is configured to
receive incoming fax calls but the dial plan is configured to disallow faxing, all users who
are associated with the dial plan will be unable to receive faxes. Therefore, the fax settings
that are configured on a UM dial plan will take precedence over the fax settings that are
configured on a Unified Messaging server.
• Verify that the Exchange 2007 mailbox that is UM-enabled can receive fax
messages. By default, all users who are associated with a dial plan can receive faxes.
However, there may be situations when a user cannot receive faxes, because the ability to
receive faxes has been disabled on their mailbox. For more information about how to
enable a UM-enabled user to receive faxes, see How to Enable a Unified Messaging User
to Receive Faxes.
You can prevent a single user who is associated with a dial plan from receiving fax
messages. To do this, configure the properties for the user by using the Exchange
Management Console or by using the Set-UMMailbox cmdlet in the Exchange
Management Shell. You can also use the Set-UMMailbox cmdlet to prevent multiple users
from receiving fax messages. For more information about how to prevent a user or users
from receiving fax messages, see How to Prevent a UM-Enabled User from Receiving
Faxes.
Faxing Configuration Options
In Exchange 2007 Unified Messaging, you have the following options when you are configuring
UM-enabled users to receive fax messages:
•
A Direct Inward Dial (DID) telephone number that is used with voice mail.
266
•
A separate DID telephone number that is used for receiving faxes.
•
A central fax telephone number that will receive all faxes.
A Single DID Telephone Number
When you enable a user for Unified Messaging by using the Enable Unified Messaging Wizard
or by using the Enable-UMMailbox cmdlet, you must specify at least a single extension
number for the user. This extension number is enabled on a per-user basis and must be unique
within a given dial plan. This extension is used by Unified Messaging to locate the appropriate
user in the Active Directory directory service and is used to deliver voice and fax messages into
the user's Exchange 2007 mailbox. For more information about the Enable-UMMailbox cmdlet,
see Enable-UMMailbox.
In this scenario, the user will use a single DID number for voice and fax. This configuration is
easy to administer and does not waste additional DID numbers. If the user is away or on the
telephone when a fax call arrives, UM answers the call, detects the fax tone, creates the fax
message, and sends it to the user.
However, in this scenario, the user may receive calls from fax machines. The user can:
• Not answer the telephone when it rings, so that the fax call will be forwarded and
answered by a Unified Messaging server and the fax message will be created and
forwarded to the user's mailbox.
• Answer the fax call, and then transfer it to himself or herself, so that the call will be
forwarded and answered by a Unified Messaging server and the fax message will be
created and forwarded to the user's mailbox.
• Wait for the caller to retry sending the fax and let the fax call be transferred to a Unified
Messaging server.
In summary, using a single DID number requires that the user performs additional actions to be
able to receive fax messages.
Multiple DID Telephone Numbers
When you enable a user for Unified Messaging, you must enter a single extension number for
that user. However, you can also add multiple extension numbers for a UM-enabled user by
using the Set-UMMailbox cmdlet. For more information about the Set-UMMailbox cmdlet, see
Set-UMMailbox.
Adding multiple extension numbers is useful when a UM-enabled user:
•
Receives many faxes
•
Does not want to be bothered with answering the telephone to receive a fax
•
Does not want to hear a fax tone when they answer their telephone
267
Adding multiple extensions is more complex than using a single extension, and may require
additional configuration settings on a PBX. To configure multiple extension numbers for a UMenabled user, you must have DID extension numbers that are available but are not being used
in your organization. Therefore, it is not a good idea to use multiple numbers for a UM-enabled
user if your organization has a limited number of available DID extension numbers. For more
information about the IP/PBXs and PBXs that are supported by Exchange 2007 Unified
Messaging, see IP/PBX and PBX Support.
The benefit of using multiple DID telephone numbers is that the UM-enabled user receives
voice calls on one DID extension number and fax calls on the other DID extension number.
Although, this may be more complex and requires additional configuration steps, using
separate DID numbers for voice mail and fax calls is easier for the user.
If you configure two DID extension numbers for a specific user, the DID extension numbers can
come from separate UM dial plans. In this scenario, you can create a dial plan, add Unified
Messaging servers to the dial plan, and use the Unified Messaging server as a dedicated
server that will receive fax calls and forward fax messages to the users. For more information
about how to create a UM dial plan, see How to Create a New Unified Messaging Dial Plan.
You have the following options for configuring multiple DID extension numbers for UM-enabled
users:
• Multiple DID numbers (one for fax without Unified Messaging and one for
voice) This type of configuration is enabled on a per-user basis and is used when you
have extra or unused DID extension numbers available. One DID extension number is
published as the user’s voice mail number and the other DID extension number is
published as the user's fax number. In this scenario, voice calls that are answered by a
ring-no-answer or busy signal are forwarded to a Unified Messaging server, and a voice
mail message is created and sent to the UM-enabled user's mailbox. The other extension
number can be connected to a fax machine or to another computer that has a fax modem.
Although this configuration is possible, it does not require that Unified Messaging servers
process the fax calls and fax messages will not be sent to the UM-enabled user's mailbox.
• Multiple DID numbers (one for fax and one for voice) This type of configuration is
enabled on a per-user basis and can be used when your organization has many DID
extension numbers available. In this scenario, both DID extension numbers that are
answered by a ring-no-answer or a busy signal are forwarded to a Unified Messaging
server that will create a voice or fax message depending on the DID extension number that
is called. Although the user will publish one number for voice and one for fax, the Unified
Messaging server detects the type of call that is being received on the DID extension
number and can create a voice or fax message from calls to either of the DID extension
numbers. This is very useful when a user does not have a separate fax machine or
dedicated computer that has a fax modem to answer incoming fax calls.
• Two DID numbers (one “phantom” extension for fax and one for voice) This type
of configuration is enabled on a per-user basis. It is basically the same as the configuration
that uses two DID numbers (one for fax and one for voice). However, in this configuration,
268
the number that is published for fax calls for the UM-enabled user is configured in the PBX
as a “phantom” extension. Incoming calls that are received on this "phantom" DID
extension number are always forwarded to a Unified Messaging server.
The advantage of this kind of configuration is that incoming fax calls are answered by a
Unified Messaging server. When a ring no answer occurs, a fax is created and forwarded
by the Unified Messaging server to the UM-enabled user's mailbox without disturbing the
user. This happens because no telephone or fax device is positioned close to the user, and
the user does not hear the ring of an incoming call.
The disadvantages of this kind of configuration are that you must have additional DID
extensions available and that you must configure the PBX to forward the call to a Unified
Messaging server.
Central Fax Telephone Number
When you enable a user for Unified Messaging by using the Enable Unified Messaging Wizard
or by using the Enable-UMMailbox cmdlet, you must specify at least a single extension
number for the user. This kind of fax configuration is defined on each Unified Messaging dial
plan.
In some organizations, especially those that receive many faxes each day, you might have to
publish one fax number for the whole organization. This fax number would be used by all
callers when they submit faxes to users in the organization. This kind of configuration is useful
in the following situations:
• A user within the organization receives too many faxes in their mailbox to manage
them effectively.
•
A user receives too many spam faxes in their mailbox.
• Business logic is too complex to warrant creating a transport rule. This might be the
case if your organization requires that you route certain faxes to one group and other faxes
to another group. For more information about transport rules, see the following topics:
•
Overview of Transport Rules
• Understanding How Transport Rules Are Applied in an Exchange 2007
Organization
•
Filtering fax messages by using Outlook is not effective.
Publishing one fax number for the whole organization enables your organization to control the
types of faxes that are received by users. The advantage of this configuration is that it requires
only a single DID extension number or an external telephone number. Also, it does not require
a separate DID number for faxing for each UM-enabled user. However, it does require a "fax
secretary" or other person to distribute the incoming faxes to users within the organization
based on information that is included on the fax cover page or in the fax message itself.
269
Note:
Using a central fax number with optical character recognition (OCR) is not available in
Exchange 2007 Unified Messaging. This kind of configuration can use a central fax
number. However, instead of having to be routed to the recipient by a person, the
faxing software receives the fax, performs OCR, and then tries to locate the recipient
based on the information on the cover page or fax message.
Journaling UM Fax Messages
Many organizations that implement journaling may also use Unified Messaging to consolidate
their e-mail, voice mail, and fax infrastructure. However, you may not want the journaling
process to generate journal reports for messages that are generated by Unified Messaging. In
this case, you can decide whether to journal voice mail messages and missed call notification
messages that are handled by an Exchange 2007 Unified Messaging server or to skip such
messages. If your organization does not require journaling of such messages, you can reduce
the hard disk space that is required to store journal reports by skipping such messages. When
you enable or disable the journaling of voice mail messages and missed call notification
messages, your change is applied to all Hub Transport servers in your organization. For more
information about journaling in Exchange 2007, see Overview of Journaling.
Note:
Messages that contain faxes that are generated by a Unified Messaging server are
always journaled, even if you configure a journal rule that specifies not to journal
Unified Messaging voice mail and missed call notification messages.
For More Information
• For more information about fax call processing, see Unified Messaging Voice and Fax
Call Processing.
• For more information about how fax calls are handled in Unified Messaging, see
Understanding Unified Messaging Incoming Call Handling.
• For more information about other telephony concepts, see Overview of Telephony
Concepts and Components.
• For more information about other protocols, ports, and services in Unified Messaging,
see Understanding Protocols, Ports, and Services in Unified Messaging.
270
Understanding Operator Transfers in
Unified Messaging
Microsoft Exchange Server 2007 Unified Messaging includes functionality that enables callers
to be transferred to an operator if the caller is unable to correctly navigate the system or
must speak to a human operator. There are several types of operators that you can
configure. These operators allow callers to be forwarded to the extension number of a
receptionist, administrative assistant, operator, or auto attendant instead of the calls being
transferred. This topic discusses the different operators that you can configure in
Exchange 2007 Unified Messaging and how incoming calls can be transferred to each type of
operator depending on how the caller dials into the Unified Messaging system.
Overview of Operators in Unified Messaging
In Exchange 2007 Unified Messaging, you can configure one or all the following kinds of
operators:
•
A dial plan operator
•
An auto attendant operator
•
A personal operator
The following figure illustrates the different types of operators found in Exchange 2007 Unified
Messaging.
271
Figure 42 Unified Messaging operators
With Exchange 2007 Unified Messaging, you have the option to configure an operator
extension on UM dial plans, UM auto attendants, and on a UM-enabled user's mailbox. If you
have configured an operator extension number on a UM dial plan or on a non-speech enabled
UM auto attendant, the caller will hear a voice prompt that says "To reach an operator, press 0".
When a caller calls in to a speech-enabled UM auto attendant and an operator extension
number is configured, the caller will have the option to press 0 or say "operator" or "reception"
and be transferred to an operator extension number.
272
When you configure an operator extension number for a UM dial plan, auto attendant, or
personal operator, you can configure the operator extension number by using one of the
following:
• An internal telephone extension number This can be an extension number for a
specific user such as a receptionist, administrative assistant, or another person within the
organization that is available to answer the call. Generally, this will be an extension number
where a person is always available to answer an incoming call.
• An extension number for a UM auto attendant This can be used when you want to
allow the caller additional menu options before they are transferred to a human operator or
when your organization does not have a human operator. In this case, you can configure
an extension number that transfers the incoming call to the extension number that is
associated with a UM auto attendant. The auto attendant can be either speech-enabled or
not speech-enabled.
• An external telephone number This can be used when a vendor or external
answering service is used to answer incoming calls for your organization. If you choose to
configure an operator extension number with a telephone number that is external to your
organization, you must verify that you have correctly configured your outdialing rules on the
UM dial plans and Private Branch eXchanges (PBXs) so that the call transfers will be
successful.
At a minimum, we recommended that you configure either the UM dial plan or a UM auto
attendant that is associated with the dial plan to have an operator extension number to help
callers find the user they are trying to reach or navigate the menu system. For more information
about how to configure an operator extension on a UM auto attendant, see How to Configure
an Operator Extension on a Unified Messaging Auto Attendant. For more information about
how to configure an operator extension number on a UM dial plan, see How to Configure an
Operator Extension on a Unified Messaging Dial Plan.
Dial Plan Operators
Although Exchange 2007 Unified Messaging has many Active Directory objects that must be
created and configured during deployment, UM dial plan objects are the central component of
the Unified Messaging system. A UM dial plan object is an Exchange 2007 organization-wide
object that is created in the Active Directory directory service.
The Unified Messaging dial plan is an Active Directory container object that logically represents
sets or groupings of PBXs that share common user extension numbers. In practical terms, user
extensions that are hosted on PBXs share a common extension numbering format. Users in the
same dial plan can dial one another's telephone extensions without appending a special
number to the extension or dialing a full telephone number. Therefore, a UM dial plan is a
logical representation of a telephony dial plan that is created on a PBX or IP/PBX.
273
There are two types of callers who will access the Unified Messaging system by using the
subscriber access number that is configured on a UM dial plan: unauthenticated callers and
authenticated callers. When a caller dials the subscriber access number that is configured on a
dial plan, the caller is considered anonymous or unauthenticated until they input information.
This information includes their voice mail extension and a PIN. The only option that is available
to anonymous or unauthenticated callers is the directory search feature. However, if an
operator extension number is configured on the dial plan, the unauthenticated user can use the
directory search feature and can also press 0 to be transferred to the operator's extension
number that is configured on the dial plan.
After the caller inputs their extension number and their PIN, they will be authenticated and
given access to their Exchange 2007 mailbox. After the caller gains access to their mailbox,
they will use Outlook Voice Access. Outlook Voice Access is a series of voice prompts that
allow the authenticated caller to access their e-mail, voice mail, calendar, and contact
information by using a standard analog, digital, or cellular telephone. Outlook Voice Access
also enables authenticated callers to navigate their personal information in their mailbox, place
calls, locate users, and navigate the system prompts and menus by using dual tone multifrequency (DTMF) or voice inputs.
When a UM-enabled user uses Outlook Voice Access, they can perform the following tasks:
•
Listen to new and saved e-mail and voice mail messages.
•
Forward, reply, save, and delete e-mail and voice mail messages.
•
Interact with their calendar.
•
Locate a person in the global address list (GAL) or personal contacts.
•
Send a voice message to a person.
•
Change their PIN, spoken name, or greetings.
When an Outlook Voice Access user dials the subscriber access number that is configured on a
UM dial plan and an operator extension is configured on the dial plan, when the caller presses
the 0 key or says "operator" or "reception", they will be transferred to the telephone number that
you have configured on the UM dial plan. If no telephone number is configured for an operator
extension on the dial plan, the user will not be given an option to reach an operator and will be
politely disconnected from the Unified Messaging system. The following figure illustrates the
operator transfer options that are available to an Outlook Voice Access user when they dial
in to a subscriber access number.
274
Figure 43 Operator transfers with Outlook Voice Access
For more information about subscriber access in Exchange 2007 Unified Messaging, see
Understanding Unified Messaging Subscriber Access.
For a printable copy of the menus and options that are available with Outlook Voice Access,
see the Microsoft Download Center for a copy of the Outlook Voice Access Quick Reference
Guide.
275
Auto Attendant Operators
In Exchange 2007 Unified Messaging, many Active Directory objects must be created and
configured during and after deployment. UM auto attendants are not required objects. They are
an optional component of the Unified Messaging system that you can configure. A UM auto
attendant object is an Exchange 2007 organization-wide object that is created in
Active Directory.
Exchange 2007 Unified Messaging enables you to create one or more UM auto attendants,
depending on the needs of your organization. UM auto attendants can be used to create a
voice menu system for an organization. This voice menu system lets external and internal
callers locate users in an organization and place or transfer calls to users, departments, or to
an operator extension number that has been configured on the UM auto attendant.
You can configure an operator extension number on speech-enabled and non-speech enabled
UM auto attendants. Configuring an operator extension number on a UM auto attendant allows
callers to press 0 or say "operator" or "receptionist" to transfer to a human operator or another
auto attendant if they cannot navigate the auto attendant menu. There are three types of UM
auto attendants that you can configure to use an operator extension number:
•
A non-speech enabled auto attendant
•
A speech-enabled auto attendant that does not have a DTMF fallback
•
A speech-enabled auto attendant that has a DTMF fallback
You can configure the operator extension number on a UM auto attendant to be the extension
number of a human operator, another auto attendant, a UM-enabled mailbox, or a telephone
number that is external to an organization. An internal or external telephone number from 1 to
20 digits can be entered for the operator's extension number. If you use an external telephone
number, you must verify that you have correctly configured the appropriate outdialing rule
groups and entries to enable this functionality. For more information about how to configure
outdialing entries, see How to Create a Dialing Rule Entry on a Unified Messaging Dial Plan.
If you have created a speech-enabled auto attendant and have configured an operator
extension on the speech-enabled auto attendant, when the caller says "operator", the auto
attendant will forward the call to the number that is configured on the speech-enabled auto
attendant. If the speech-enabled auto attendant is configured to have a DTMF fallback auto
attendant but not to have an operator extension number and the DTMF auto attendant is
configured to have an operator extension number, the operator extension number on the DTMF
fallback auto attendant will be dialed. If no extension number is configured on the speechenabled auto attendant or the DTMF fallback auto attendant and the caller says "operator", the
system will call the operator extension that is configured on the dial plan that is associated with
the auto attendant. If neither of the auto attendants or the dial plan is configured to have an
operator extension, the system will respond by saying "Sorry. Neither the operator or the
touchtone service are available".
276
Note:
At a minimum, we recommend that you configure either the auto attendant or the dial
plan that is associated with the auto attendant to have an operator extension number
to help callers.
For UM auto attendants, you can configure business hours operator transfers on the properties
for the UM auto attendant. However, by default, business hours transfers are enabled. You can
also configure non-business hours operator transfers on the UM auto attendant. However, by
default, the business hours for a UM auto attendant are 24 hours a day. This means that nonbusiness hours or after hours operator transfers will not be available. To configure operator
transfers after business hours, you must first configure the business hours schedule on the UM
auto attendant properties and then enable or disable operator transfers during business or nonbusiness or hours.
• For more information about how to configure the business hours for a UM auto
attendant, see How to Configure Business Hours for a Unified Messaging Auto Attendant.
• For more information about how to enable or disable operator transfers after business
hours, see How to Enable or Disable Operator Transfers After Business Hours on a Unified
Messaging Auto Attendant.
• For more information about how to enable or disable operator transfers during
business hours, see How to Enable or Disable Operator Transfers During Business Hours
on a Unified Messaging Auto Attendant.
The following figure illustrates the operator transfer options that are available to a caller when
they dial in to a UM auto attendant this is not speech-enabled. For more information about how
to create a UM auto attendant, see How to Create a New Unified Messaging Auto Attendant.
277
Figure 44 Auto attendant that is not speech-enabled
Figure 45 illustrates the operator transfer options that are available to a caller when they dial in
to a UM auto attendant that is speech-enabled but does not have a DTMF fallback auto
attendant configured. For more information about how to speech-enable a UM auto attendant,
see How to Speech-Enable a Unified Messaging Auto Attendant.
278
Figure 45 Speech-enabled auto attendant without a DTMF fallback auto attendant
Figure 46 illustrates the operator transfer options that are available to a caller when they dial in
to a UM auto attendant that is speech-enabled and also has a DTMF fallback auto attendant
configured. For more information about how to configure a UM auto attendant that has a DTMF
fallback auto attendant, see How to Configure a Unified Messaging Auto Attendant with a
DTMF Fallback Auto Attendant.
279
Figure 46 Speech-enabled auto attendant with a DTMF fallback auto attendant
Although UM auto attendants are an optional feature that can be created and configured when
you are deploying Unified Messaging, we recommended that, if you make the choice to create
and configure a single UM auto attendant or multiple auto attendants, you take the time to plan
them carefully. One of the most important factors when planning for auto attendants is to make
sure that callers can contact a human operator or another auto attendant to correctly direct
their calls. If you do not plan and implement the auto attendants for your organization correctly,
the system could frustrate callers enough that they will not call in to the system again.
280
Personal Operators
Exchange 2007 Unified Messaging enables you to configure a personal operator extension
number on a user's UM-enabled mailbox. As the administrator, you can configure a personal
operator for a UM-enabled user. However, the UM-enabled user will be unable to configure this
setting. If the UM-enabled user were to have access to configure this setting, they could
potentially forward all their calls to another UM-enabled user or to an internal extension number
that is not valid. This could be very frustrating for the user to whom the calls were being
forwarded for callers. Callers would be unable to leave a voice message for the UM-enabled
user they were trying to contact and could lose their place in the menu system, and eventually
give up without reaching the user they were trying to contact.
The personal operator extension setting on a UM-enabled user's mailbox can be used when an
administrative assistant or personal assistant will answer incoming calls for a specific user
instead of a voice mail being generated for the user. By default, a personal operator extension
number is not defined.
For a caller to be transferred to a personal operator, the caller must enter 0 on the telephone
keypad when the user's custom voice mail message greeting is being played. Therefore, we
recommended that, if a user is going to use a personal operator, they include information in
their custom voice mail greeting to give the caller instructions about how to access their
personal operator.
However, if the user has not configured a customized voice mail greeting, the default system
greeting will be used and the system will add the operator prompt automatically. For example,
"Please leave a message for Tony Smith. To speak to an administrative assistant and leave a
message, press 0". If the caller does not press 0 during the voice mail greeting, the caller will
be able to leave a voice message for the user.
If you have not configured a personal operator extension for a UM-enabled user's mailbox, the
Unified Messaging server will use the operator extension number that is configured on the UM
auto attendant or UM dial plan, depending on which number the caller has called. If the caller
has called an auto attendant telephone extension number, they will be forwarded to the
operator, if one has been configured on the UM auto attendant. If they have called the
subscriber access number that is configured on a UM dial plan, the caller will be forwarded to
the operator extension number that is configured on the UM dial plan. If an operator extension
has not been configured, the caller will be politely disconnected from the system. For more
information about how to configure a personal operator, see How to Configure a Personal
Operator for a UM-enabled User.
In most cases, an internal extension number for an administrative assistant, receptionist, or
operator will be configured as a personal operator. A personal operator extension number can
be configured as an internal or external telephone number that ranges from 1 to 20 digits.
However, if you use an external telephone number, you must verify that you have correctly
configured the appropriate outdialing rule groups and entries to enable this functionality. For
281
more information about how to configure outdialing entries, see How to Create a Dialing Rule
Entry on a Unified Messaging Dial Plan.
For More Information
• For more information about Unified Messaging dial plans, see Understanding Unified
Messaging Dial Plans.
• For more information about Unified Messaging auto attendants, see Understanding
Unified Messaging Auto Attendants.
• For more information about Unified Messaging users, see Understanding Unified
Messaging Users.
Understanding Outdialing
You can configure many outdialing settings that are used by a UM server to dial internal and
external calls for users. To configure outdialing you will need to configure dialing rule groups,
dialing rule entries, and dialing restrictions on UM dial plans and UM mailbox policies.
Additionally, you can also configure UM dial plans with dialing or access codes, a national
number prefix, and in-country/region or international number formats that allow you to control
outdialing in your organization. This topic discusses dialing rule groups, dialing rule entries, the
allowed dialing rule groups and dialing restrictions and how they are used to control outdialing
for your organization.
Overview
Outdialing is the process that is used by users whey they call into a UM dial plan or UM auto
attendant and place or transfer a call to an internal or external telephone number. When a user
calls into a UM dial plan or auto attendant and then places a call, a Unified Messaging server
will use the settings that are configured on the dial plan, auto attendant and if appropriate, the
UM mailbox policy to place the call. The outdialing process happens when a Unified Messaging
server:
•
Places a call to an external telephone number for a caller.
•
Transfers a call to an auto attendant.
•
Transfers a call to a UM-enabled or non UM-enabled user within your organization.
• When a UM-enabled user uses the Play-on-Phone feature found in Outlook 2007 or
Exchange 2007 Outlook Web Access.
There are two types of users that can use the outdialing feature in Unified Messaging;
authenticated and non-authenticated. The users that call into a subscriber access number
282
configured on a UM dial plan are initially unauthenticated but all users that call into a UM auto
attendant are unauthenticated. When a user calls into a subscriber access number, they are
considered unauthenticated because they have not provided their extension number and PIN
and logged in to their Exchange 2007 mailbox. They are authenticated after they provide their
extension number and PIN and successfully log on to their Exchange 2007 mailbox. Figure 47
illustrates the outdialing process for a user that has been authenticated.
Figure 47 Outdialing process for an authenticated user
Figure 48 illustrates the outdialing process for an unauthenticated user.
283
Figure 48 Outdialing process for an unauthenticated user
When the user calls into a subscriber access number but does not log in to their Exchange
2007 mailbox and attempts to place or transfer a call, only the UM dial plan outdialing settings
will apply to the call. However, when an unauthenticated user calls into a UM auto attendant,
the outdialing settings on not only the auto attendant will be applied to the call, but the
outdialing settings that are configured on the dial plan that is associated with the auto attendant
will also apply. When a user calls into the subscriber access number configured on a dial plan
and successfully logs on to their Exchange 2007 mailbox and becomes an authenticated user,
the configuration settings from the UM dial plan and the UM mailbox policy that is associated
with the authenticated user will both be applied to any outdialing calls the user may make.
284
Outdialing Settings
There are several settings that you must configure to apply outdialing rules for your
organization. To control outdialing you must configure the UM dial plans, auto attendants and
UM mailbox policies that you have been created. The following outdialing settings are
configured on dial plans, auto attendants and UM mailbox policies:
•
Outside line, country/region and international access codes
•
National number prefixes
•
In-country/region and international number formats
•
Configured in-country/region and international dialing rule groups
•
Allowed in-country/region and international dialing rule groups
•
Dialing rule entries
•
Dialing restrictions
For you to successfully configure outdialing for your Exchange 2007 organization, you first be
able to define each of the components that will need to be configured and how they can be
used with outdialing. Table 29 introduces each of the components that will need to be properly
configured on UM dial plans, auto attendants and UM mailbox policies to allow outdialing to
function properly.
Table 29 Outdialing Components
Component
Description
Dial Codes, prefixes and number formats.
Access codes, number prefixes, and number
formats are used by a UM server to determine
the correct number to dial when placing an
outgoing call and can be configured to restrict
outgoing calls for users that dial into a UM
auto attendant that is associated with a UM
dial plan or when a user dials into the
subscriber access number that is configured
on the dial plan.
For more information about dial codes,
prefixes and number formats, see
Understanding Dial Codes, Number Prefixes
and Formats.
285
Component
Description
Dialing rule groups
Dialing rule groups are created to modify a
phone number before sending it to the PBX for
outbound calls. Dialing rule groups remove
numbers from or add numbers to telephone
numbers that are being placed by a Unified
Messaging server. For example, you can have
a dialing rule group that automatically adds a 9
as a prefix to a 7-digit telephone number to
provide access to an outside line. In this
example, users that place outgoing calls will
not have to dial the 9 and the telephone
number to reach someone external to the
organization.
Each dialing rule group determines the types
of in-country or region and international calls
that users within a dialing rule group can
make. These dialing rule groups apply to the
users that are associated with the UM dial plan
or auto attendants and UM mailbox policies
that are associated with the UM dial plan.
Each dialing group rule must contain at least
one dialing rule entry.
Dial rule entries
A dial rule entry is used to determine the types
of calls that users within a dialing rule group
can make. When you are creating a dialing
rule group, you configure one or more dialing
rule entry.
When you are configuring each dial rule entry
you will need to enter the name, number mask,
dialed number and an optional comment.
When you are adding a number mask and the
dialed number to a dialing rule entry, you can
substitute the letter x to replace a digit in a
telephone number for example 91425xxxxxxx.
You can optionally use an * symbol as a
wildcard character for example, 91425*.
286
Component
Description
Dialing restrictions
A dialing restriction uses dialing rule groups
used to apply dialing restrictions for users that
are associated with a given UM mailbox policy.
They can also be used when allowing users to
place calls to in-country/region or international
telephone numbers.
After you create a dialing group rule on a UM
dial plan, you will then add the dialing rule
group to the UM mailbox policy. After the
dialing rule group is added to a UM mailbox
policy, all settings or rules that are defined will
apply to UM-enabled users that are associated
with the UM mailbox policy.
When you are configuring outdialing on your dial plans, auto attendants and UM mailbox
policies, it is recommended that you follow the steps outlined in Figure 49 to ensure that
outdialing will function properly.
287
Figure 49 Configuring outdialing
Configuring Outdialing
A dialing rule group is a collection of one or more dialing rule entries that are configured on a
UM dial plan. There are two types of dialing rule groups that can be configured on a UM dial
plan: in-country or region and international. In-country or region dialing rule groups apply to
country or region telephone numbers, where as international dialing rule groups will apply to
international telephone numbers that are dialed. Dialing rule groups that are configured and
dialing rule groups that are allowed. Each UM dial plan can contain one or more dialing rule
groups. If you want to apply the dialing rule group to a set of users, after you create a dialing
rule group, you must then add the "configured" dialing rule group to the list of "allowed" dialing
rule groups on the UM dial plan.
Dialing rule groups allow administrators to specify dialing rule entries that fall into a specific
category or that are based on the needs of your organization. You can create a dialing rule
group by using the Exchange Management Console or the Set-UMDialPlan cmdlet. When you
create a dialing rule group, you will need to define at least one dialing rule entry for the dialing
rule group. The dialing rule group takes the telephone number that is dialed by a user and
288
replaces this number with another telephone number that is the actual number that is dialed by
the Unified Messaging server. The telephone number that is sent to the Unified Messaging
server is compared to the dialing group entries that are defined on the dialing rule group. If a
match between the number being dialed and a dialing rule entry is found, the Unified
Messaging server will then dial the telephone number or digits that are list in the
"DialedNumber" section of the dialing rule entry.
Table 30 shows a simple example of dialing group rules and dialing rule entries. In this
example, "Local-Calls-Only" and "Low-Rate" are the dialing rule groups that have been created.
For each dialing rule group "Local-Calls-Only" and "Low-Rate", there are two dialing rule
entries; 91425* and 91206* and 91509* and 91360* respectively.
Table 30 Dialing rule groups and dialing rule entries
Name
NumberMask
DialedNumber
Comment
Local-Calls-Only
91425*
91*
Local calls
Local-Calls-Only
91206*
91*
Local calls
Low-Rate
91509*
9*
In-state calls
Low-Rate
91360*
9*
In-state calls
For example, when a user dials 9,1-425-555-1234, the telephone number that the Unified
Messaging server will dial will be 4255551234. The Unified Messaging server will remove any
non-numeric characters and apply the number mask from the dialing rule entry. In this case, the
Unified Messaging server will apply the number mask 91*, which tells the Unified Messaging
server to not to dial the 9 or the 1 but to dial all of the other numbers that are included in the
telephone number that was sent including the number that is represented by the * symbol.
You can use the Exchange Management Console, Exchange Management Shell to create and
configure single or multiple in-country or region and international dialing rule groups and dialing
rule entries. However, if you are creating numerous or complex dialing rule groups and dialing
rule entries, you can optionally use the Exchange Management Shell to use a .CSV (Comma
Separated Value) file. You can import or export a list of dialing rule groups and dialing rule
entries.
Run Set-UMDialPlan cmdlet below to import a list of dialing rule groups and dialing rule entries
that you have defined in a .CSV file:
Set-UMDialPlan ”MyUMDialPlan” –ConfiguredInCountryOrRegionGroups $
(IMPORT-CSV c:\dialrules\InCountryRegion.csv)
To retrieve a list of the dialing rule groups that are configured on a UM dial plan run the GetUMDialPlan cmdlet below:
289
(Get-UMDialPlan –id
“MyUMDialPlan”).ConfiguredInCountryOrRegionGroups | EXPORT-CSV
C:\incountryorregion.csv
The CSV file must be created and saved in the proper format for the file to be used. Each line
in the CSV file represents one dial rule entry. However, each dialing rule entry, can use the
same dialing rule group. Each entry in the file will have four sections that are all separated by
comma; These sections are: name, number mask, dialed number and comment. Each of the
sections are required and you must input the proper information into each section except for
the comment section. There should not be any spaces between the text entry and the comma
for next section or do not put any blank lines in between entries or at the end. Following is an
example of a CSV file that can be used to create in-country or region dialing rule groups and
dialing group entries:
Name,NumberMask,DialedNumber,Comment
Low-rate,91425xxxxxxx,9xxxxxxx,Local call
Low-rate,9425xxxxxxx,9xxxxxxx,Local call
Low-rate,9xxxxxxx,9xxxxxxx,Local call
Any,91*,91*,Open access to in-country/region numbers
Long-distance,91408*,91408*,long distance
The following is an example of a CSV file that can be used to create international dialing rule
groups and dialing rule entries:
Name,NumberMask,DialedNumber,Comment
International, 901144*, 901144*, international call
International, 901133*, 901133*, international call
Applying Configured Dialing Rule Groups
Dialing rule groups are created on a UM dial plan, however, the dialing rule entries and dialing
restrictions can be applied to a UM dial plan, a UM auto attendant or to user's associated with a
UM mailbox policy depending on the telephone number the user calls to access the system.
You can create in-country or region or international dialing rule groups by using the Exchange
Management Console or the Set-UMDialPlan cmdlet. After you create the appropriate dialing
rule groups on UM dial plan and define the dialing group entries, you will then need to apply the
dialing rule groups that you created to a dial plan, auto attendant or UM mailbox policy. You can
apply the dialing rule groups that you created on a UM dial plan to:
• The same dial plan The settings will apply to all users that call into the subscriber
access number but do not log in to their Exchange 2007 mailbox. To apply in-country or
region dialing rule group named "MyAllowedDialRuleGroup" to the same dial plan, use the
290
Exchange Management Shell Set-UMDialPlan cmdlet as follows: Set-UMDialPlan
-Identity MyUMDialPlan -AllowedInCountryOrRegionGroups
MyAllowedDialRuleGroup
• A single or multiple UM mailbox policies This will apply to all users that are
associated with a given UM mailbox policy. This includes the user that calls into a
subscriber access number and logs in to their Exchange 2007 mailbox. To apply in-country
or region dialing rule group named "MyAllowedDialRuleGroup" to a single UM mailbox
policy, use the Dialing Restrictions tab in the Exchange Management Console or use the
Exchange Management Shell Set-UMMailboxPolicy cmdlet as follows: SetUMMailboxPolicy -Identity MyUMMailboxPolicy --AllowedInCountryOrRegionGroups
MyAllowedDialRuleGroup
• Single or multiple auto attendants that are associated with the UM dial plan This
will apply to all users the call into a UM auto attendant. To apply the in-country or region
dialing rule group named "MyAllowedDialRuleGroup" to a single UM auto attendant, use
the Exchange Management Shell Set-UMAutoAttendant cmdlet as follows: SetUMAutoAttendant -Identity MyUMAutoAttendant -AllowedInCountryOrRegionGroups
MyAllowedDialRuleGroup
Table 31 summarizes how the dialing rule groups are applied in Unified Messaging.
Table 31 Applying outdialing rules
Caller Type
Scope
Outdialing settings applied
Subscriber access or Outlook
Voice Access
User calls a dial plan
subscriber access number
and logs on to their mailbox.
UM mailbox policy
Anonymous caller
User calls a dial plan
subscriber access number.
UM dial plan
Anonymous caller
User calls an auto attendant
pilot number.
UM auto attendant
Caller from within the
organization
User calls the Play on Phone
number.
UM mailbox policy
291
Understanding Dial Codes, Number
Prefixes and Formats
You can configure several dial codes that are used by a Unified Messaging server to dial
internal and external calls for UM-enabled users. In many cases, you will want to configure a
dial plan together with the dial or access codes, a national number prefix, or the incountry/region or international number formats to allow you to control outdialing for users within
your organization. This topic discusses dial codes, number prefixes, and number formats and
how they are used to control outdialing for your organization.
Overview
Outdialing is the process that is used by users whey they call into a UM dial plan or UM auto
attendant and place a call to an internal or external telephone number. When a user calls into a
UM dial plan or UM auto attendant and then places a call, a Unified Messaging server uses the
settings that are configured on the dial plan to place the call. The following events cause the
outdialing process to happen:
•
A Unified Messaging server places a call to an external telephone number for a caller.
•
A Unified Messaging server transfers a call to an auto attendant.
• A Unified Messaging server transfers a call to a UM-enabled or non UM-enabled user
within your organization.
• A UM-enabled user uses the Play on Phone feature in Microsoft Office Outlook 2007 or
Microsoft Exchange Server 2007 Outlook Web Access.
• There are two types of users who will use outdialing: unauthenticated users who call
into a subscriber access number that is configured on a UM dial plan and unauthenticated
users who call into a number that is configured on a UM auto attendant. When a user calls
into a subscriber access number, they are considered unauthenticated because they have
not provided their extension number and PIN and logged on to their mailbox. They are
authenticated after they provide their extension number and PIN and successfully log on to
their Exchange 2007 mailbox.
• When an unauthenticated user places a call by using outdialing, the outdialing settings
that are configured on the UM dial plan are the only settings that will be used. However,
when a user has successfully logged on to their Exchange 2007 mailbox, configuration
settings from the dial plan and the UM mailbox policy that are associated with the
authenticated user are applied to the authenticated user.
There are several settings that you must configure to control outdialing for your organization. To
control outdialing you must configure the UM dial plans and UM mailbox policies in
292
Exchange 2007 Unified Messaging. The following settings can be configured on UM dial plans
and auto attendants to control outdialing:
•
Outside line, country/region, and international access codes
•
National number prefixes
•
In-country/region and international number formats
•
Configured in-country/region and international dialing rule groups
•
Allowed in-country/region and international dialing rule groups
•
Dialing rule entries
Access codes, number prefixes, and number formats are configured on a UM dial plan on the
Dial Codes tab in the Exchange Management Console. They can also be configured by using
the Set-UMDialPlan cmdlet. You can choose to configure all of the settings, none of the
settings, or only some of the settings. However, each setting controls a specific part of the
outdialing process. Access codes, number prefixes, and number formats are used by a Unified
Messaging server to determine the correct number to dial and can be configured to restrict
outgoing calls for users who dial into a UM auto attendant that is associated with a UM dial plan
or when a user dials into the subscriber access number that is configured on the dial
plan. Figure 50 illustrates the outdialing process and how access codes can be used to control
outdialing.
293
Figure 50 Outdialing overview
294
295
For more information about outdialing in Unified Messaging, see Understanding Outdialing.
•
For more information on how to configure outdialing, see Managing Outdialing.
Outside Line Access Code
An outside line access code should be configured on each dial plan that you create. However,
this depends on the type of telephony network you have and how it is configured. On each dial
plan that you create you can configure an outside line access code, also called a "trunk access
code". This is the number that is used to get access to an outside telephone line and is also
configured on the Private Branch eXchanges (PBXs) or IP/PBXs in your organization. In most
telephony networks, the number 9 is used by users to gain access to an outside line and place
a call to an external telephone number.
If you do not configure the outgoing dial codes on a dial plan, when a Unified Messaging server
that is associated with the dial plan dials an outgoing call the PBX or IP/PBX may not be able to
recognize the number string that is sent and will not be able to complete the outgoing call for
the user. For example, in many organizations the access code that is used to get an outside
line is 9, and this is configured on a PBX or IP/PBX. In this case, the Unified Messaging server
will need to prepend the number 9 to the telephone number string for the PBX or IP/PBX to
correctly dial the outgoing number. If you configure the dial code so that the Unified Messaging
server will append the outside line access code, the Unified Messaging server will then be able
use the outside line access code get an outside line before dialing the external telephone
number string. This setting will apply to all users who are associated with the UM dial plan.
National Number Prefix
The national number prefix and the country/region code can also be configured on a UM dial
plan. The national number prefix is used by the Unified Messaging server to dial the correct
national number prefix or country/region code when a user dials an outgoing call that is
destined for another country or is an international call. For example, when a user places an
outgoing international call to Europe, the Unified Messaging server will prepend the national
number prefix to the number string that it sends to the PBX to place the outgoing call. In this
example, the Unified Messaging server will prepend the number 0 for Europe to the telephone
number string. The number 1 is used as the national number prefix for North America.
In-Country/Region Access Code
An in-country/region access code can be configured on a UM dial plan. The in-country/region
access code is the digits that are associated with a specific country or region that will be
prepended to the telephone number to be dialed by a Unified Messaging server. The incountry/region access code is used by the Unified Messaging server to dial the correct in-
296
country/region access code when a call is placed within a specific country or region. The
Unified Messaging server will prepend this number to the number string that it sends to the
PBX or IP/PBX when it places the outgoing call. For example, the Unified Messaging server will
prepend the number 1 for the United States. For the United Kingdom the in-country/region code
is 44.
International Access Code
An international access code can be configured on a UM dial plan. The international access
code is the digits that is used to access international telephone numbers that will be prepended
to the telephone number to be dialed by a Unified Messaging server. The international access
code is used by the Unified Messaging server to dial the correct international access code
when a call is placed. The Unified Messaging server will prepend this number to the number
string that it sends to the PBX or IP/PBX when it places the outgoing call. For example, the
Unified Messaging server will use 011 as the international access code for the United States.
For Europe, the international access code is 00.
In-Country/Region and International Number
Formats
You can configure the incoming call configuration for in-country/region and international
numbers on a UM dial plan. By configuring these settings, the Unified Messaging server will be
able to recognize incoming calls from within a country or region and internationally from other
dial plans within the same organization. Configuring these options also enables your
organization to save money for outgoing calls that should not be made by users from within
your organization and helps to prevent toll fraud. The Unified Messaging server will use the
information that you configure to match the characteristics of the incoming call and verify that
the pattern matches before accepting the call. For example, within an organization you may
have multiple dial plans that exist within the same Active Directory forest. If you have one dial
plan for the United States and another for Great Britain, you may want to allow users in the
United States dial plan to have Unified Messaging servers place calls to users who are located
in the Great Britain dial plan but not allow the users in the United States dial plan to place calls
directly.
For More Information
• For more information about how to configure dial codes, prefixes, and number formats,
see How to Configure Dial Codes on a Unified Messaging Dial Plan.
• For more information about Unified Messaging auto attendants, see Understanding
Unified Messaging Auto Attendants.
297
• For more information about Unified Messaging dial plans, see Understanding Unified
Messaging Dial Plans.
Overview of Unified Messaging Active
Directory Objects
Active Directory objects are required for the deployment and operation of
Microsoft Exchange Server 2007 Unified Messaging (UM). The Active Directory UM objects
connect the telephony infrastructure and the Exchange Server 2007 Unified Messaging
Active Directory environment.
UM Active Directory Objects
The UM Active Directory objects enable the integration of Exchange Server 2007 Unified
Messaging into the Active Directory directory service and the existing telephony infrastructure.
Active Directory acts as a container for all the UM objects that are created and their
configuration settings. Each UM object within Exchange Server 2007 is necessary to support
Unified Messaging in an Active Directory environment. Some UM Active Directory objects are
created to logically represent a telephony hardware device whereas others are created to
represent a telephony dial plan for an organization or to support a specific feature of
Exchange Server 2007 Unified Messaging. Figure 51 illustrates the relationships between the
Unified Messaging objects that are found in Active Directory.
298
Figure 51 The relationships between UM Active Directory objects
There exists a tightly integrated and interconnected relationship between the UM
Active Directory objects and the features that are available in Exchange Server 2007 Unified
Messaging. In order to successfully plan and deploy Exchange Server 2007 Unified Messaging
in your organization you must fully understand this logical relationship between each of the UM
objects.
For more information about the UM Active Directory objects, see:
•
Understanding Unified Messaging Users
•
Understanding Unified Messaging Mailbox Policies
•
Understanding Unified Messaging Dial Plans
•
Understanding Unified Messaging IP Gateways
•
Understanding Unified Messaging Hunt Groups
•
Understanding Unified Messaging Auto Attendants
299
For More Information
• For more information about how to manage Unified Messaging Active Directory
objects, see Managing Unified Messaging Objects.
• For more information about Exchange Server 2007 Unified Messaging, see Unified
Messaging.
Understanding Unified Messaging Hunt
Groups
This topic discusses Microsoft Exchange Server 2007 Unified Messaging (UM) hunt groups
and how UM hunt groups must be implemented in your Exchange 2007 organization to support
Unified Messaging.
What is a Hunt Group?
Hunt group is a term that is used to describe a group of Private Branch eXchange (PBX) or IPPBX resources or extension numbers that are shared by users. Hunt groups are used to
efficiently distribute calls into or out of a given business unit. For example, a PBX or IP-PBX
might be configured to have 10 extension numbers for the sales department. The 10 sales
extension numbers would be configured as one hunt group. In a PBX or IP-PBX, hunt groups
are used to efficiently locate an open line, extension, or channel when an incoming call is
received.
In a telephony network a hunt group is defined as a set of extension numbers that are grouped
as a single logical unit. When an incoming call is received, the PBX or IP-PBX uses the hunt
group or group of extensions that are defined to "hunt" for an available or open line, extension,
or channel that can be used to receive the call.
There are multiple algorithms or methods that have been created to be used by a PBX or IPPBX to define how the open line, extension, or channel will be located. These include:
•
Round robin
•
Most idle
•
Start with lowest number
Creating and defining a hunt group in a PBX or IP-PBX minimizes the chance that a caller who
places an incoming call will receive a busy signal when the call is received.
300
Pilot Number
In a telephony network, a PBX or IP-PBX can be configured to have a single hunt group or
multiple hunt groups. Each hunt group that is created on a PBX or IP-PBX must have an
associated pilot number. The PBX or IP-PBX uses the pilot number to locate the hunt group
and in turn to locate the telephone extension number on which the incoming call was received.
Without a defined pilot number, the PBX or IP-PBX cannot locate where the incoming call was
received.
A pilot number is the address or location of the hunt group inside the PBX or IP-PBX. A pilot
number is generally defined as a "blank" extension number or one extension number from a
hunt group of extension numbers that does not have a person or telephone associated with it.
For example, you configure a hunt group on a PBX or IP-PBX to contain extension numbers
4100, 4101, 4102, 4103, 4104, and 4105. The pilot number for the hunt group is configured as
extension 4100. When a call is received on the extension number 4100, the PBX or IP-PBX
looks for the next available extension number to determine where to deliver the call. In this
case, the PBX or IP-PBX looks at the extension numbers 4101, 4102, 4103, 4104, and 4105.
Using a pilot number helps eliminate busy signals and helps route incoming calls to the circuits
that are available. The PBX or IP-PBX pilot number, when it is used with
Exchange Server 2007 Unified Messaging, is used as the target. When an incoming call is
unanswered or the line is busy, the call is correctly routed to an Exchange Server 2007 Unified
Messaging server.
For more information about telephony concepts, see Overview of Telephony Concepts and
Components.
UM Hunt Groups
Unified Messaging hunt groups are critical to the operation of the Unified Messaging system.
The UM hunt group is a logical representation of an existing PBX or IP-PBX hunt group. UM
hunt groups act as a connection or link between the UM IP gateway and the UM dial plan.
Therefore, a single UM hunt group must be associated with at least one UM IP gateway and
one UM dial plan.
Unified Messaging hunt groups are used to locate the PBX or IP-PBX hunt group from which
the incoming call was received. A pilot number that is defined for a hunt group in the PBX or IPPBX must also be defined within the UM Hunt group. The pilot number is used to match the
information presented for incoming calls through the Session Initiation Protocol (SIP) signaling
message information on the message. The pilot number enables the Unified Messaging server
to interpret the call together with the correct dial plan so that the call can be routed correctly.
The absence of a hunt group prevents the Unified Messaging server from knowing the origin or
location of the incoming call. It is very important to configure the Unified Messaging hunt
groups correctly, because incoming calls that do not correctly match the pilot number defined
on the UM hunt group will not be answered and incoming call routing will fail.
301
When you create a Unified Messaging hunt group, you are enabling all Unified Messaging
servers that are specified within the UM dial plan to communicate with an IP/VoIP gateway. If
you delete the Unified Messaging hunt group, the associated IP/VoIP gateway will no longer
service calls with the specified pilot number. If the IP/VoIP gateway is left without remaining UM
hunt groups, the IP/VoIP gateway will be unable to handle incoming calls.
For more information about IP/VoIP gateways, see Understanding Unified Messaging IP
Gateways.
For More Information
• For more information about how to manage hunt groups, see Managing Unified
Messaging Hunt Groups.
• For more information about how to deploy an Exchange 2007 Unified Messaging
server, see Deploying Server Roles
Understanding Unified Messaging Auto
Attendants
Microsoft Exchange Server 2007 Unified Messaging enables you to create a single or multiple
UM auto attendants, depending on the needs of your organization. Unlike other Unified
Messaging objects, such as UM dial plans and UM IP gateways, you are not required to create
UM auto attendants. However, auto attendants help internal and external callers locate users or
departments that exist in an organization and transfer calls to them. This topic discusses the
UM auto attendant feature found in Exchange Server 2007 Unified Messaging.
Auto Attendants
In telephony or Unified Messaging environments, an automated attendant or auto attendant
menu system transfers callers to the extension of a user or department without the intervention
of a receptionist or an operator. In many auto attendant systems, a receptionist or operator can
be reached by pressing or saying zero. The automated attendant is a feature on most modern
Private Branch eXchange (PBX) and Unified Messaging solutions.
In some auto attendant systems, there are message-only information menus and voice menus
that are used so that an organization can provide business hours, directions to their premises,
information about job opportunities, and answers to other frequently-asked questions. After the
message plays, the caller is forwarded to the receptionist or operator or they can return to the
main menu.
In more complex auto attendant systems, the menu system can be used to search for other
auto attendant menus, locate a user in the system, or transfer to another outside telephone
302
line. They can also be used to let the caller interact with the system in certain situation, such as
when a student enrolls for a college class or checks their grades or when you activate a credit
card over the telephone.
Although auto attendants can be very useful, if they are not designed and configured correctly,
they can confuse and frustrate callers. For example, specifically in large organizations, when
auto attendants are not designed correctly, callers can be led through an endless series of
questions and menu prompts before they are finally transferred to a person to have their
question answered.
UM Auto Attendants
Exchange 2007 Unified Messaging enables you to create one or more UM auto attendants
depending on the needs of your organization. UM auto attendants can be used to create a
voice menu system for an organization that lets external and internal callers move through the
UM auto attendant menu system to locate and place or transfer calls to company users or
departments in an organization.
When anonymous or unauthenticated users call an external business telephone number, or
when internal callers call a defined extension number, they are presented with a series of voice
prompts that help them place a call to a user or locate a user in the organization and then place
a call to that user. The UM auto attendant is a series of voice prompts or .wav files that callers
hear instead of a human operator when they call an organization that has
Microsoft Exchange Server 2007 Unified Messaging. The UM auto attendant lets callers move
through the menu system, place calls, or locate users by using dual tone multi-frequency
(DTMF) or voice inputs. However, for automatic speech recognition (ASR) or voice inputs to be
used, you must enable ASR on the UM auto attendant.
Important:
In some companies (especially in East Asia), office telephones may not have letters on
the keys of the telephone. This makes the spell-the-name feature that uses the DTMF
interface almost impossible without a working knowledge of the key mappings. By
default, Exchange 2007 Unified Messaging uses the E.161 key mapping. For example,
2=ABC, 3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ. When inputting
the combination of letters and numbers, for example "Mike1092", the numeric digits are
mapped to themselves. For an e-mail alias of "Mike1092" to be entered correctly, the
user will have to press the numbers 64531092. Also for characters other than A-Z and
0-9 there will not be a telephone key equivalent. Therefore, these characters should
not be entered. For example, the e-mail alias "mike.wilson" would be entered as
6453945766. Even though there are 11 characters to be input, only 10 digits are
entered by the user because the period (.) does not have a digit equivalent.
A UM auto attendant has the following features:
•
It provides corporate or informational greetings.
303
• It provides custom corporate menus. You can customize these menus to have more
than one level.
• It provides a directory search function that enables a caller to search the organization's
directory for a name.
• It enables a caller to connect to the telephone of, or leave a message for, members of
the organization.
In the Active Directory directory service, each UM auto attendant that is created is represented
as an object. There is no limit to the number of UM auto attendants that you can create in
Active Directory. Each Exchange 2007 Unified Messaging auto attendant can support an
unlimited number of extensions. A UM auto attendant can reference one, and only one, UM dial
plan. However, UM auto attendants can reference or link to other UM auto attendants.
An incoming call that is received from an external telephone number or an internal telephone
extension is processed by a Unified Messaging server and then sent to a UM auto attendant
that has been created. The UM auto attendant is configured by the system administrator to use
pre-recorded voice (.wav) files that are then played over the telephone to the caller and that
enable the caller to move through the Unified Messaging menu system. You can customize all
the .wav files that are used when you configure a UM auto attendant to meet the needs of your
organization.
For more information about message flow with UM auto attendants, see Unified Messaging
Auto Attendant Call Processing.
Auto Attendant with Multiple Languages
There are situations in which you may have to provide callers with auto attendants that have
different languages. The language setting that is available on a UM auto attendant enables you
to configure the default prompt language on the auto attendant. When you are using the default
system prompts for the auto attendant this is the language that the caller will hear when the
auto attendant answers the incoming call. This language setting will affect only the default
system prompts that are provided when the Unified Messaging server role is installed. This
setting will have no affect on custom prompts that have been configured on an auto attendant.
The language that is selected as the default for the auto attendant is based on the version of
Exchange 2007 that is installed.
When you install the U.S.-English version of Exchange 2007, there will be only one language
available to configure on UM auto attendants: U.S. English. However, if you install a localized
version of Exchange 2007, for example, Japanese, you will be able to configure the auto
attendant that you create to use Japanese or U.S. English for the default language. Additional
UM language packs can be installed on a Unified Messaging server to enable you to use other
default language options on an auto attendant.
304
Caution:
You cannot install UM language packs by using the .msi file for the language.
For example, if you have a business that is based in the United States but requires a menu
system that gives callers the options of U.S. English, Spanish, and French, you must first install
the UM language packs that you need. In this case, if you have installed the U.S.-English
version of Exchange 2007, you would install the UM language packs for Spanish and French.
However, because a Unified Messaging auto attendant can have only one language configured
at a time, you would create four auto attendants: a main auto attendant that is configured to
use U.S. English and then one auto attendant for each language: US English, Spanish, and
French. You would then configure the main auto attendant to have the appropriate key
mappings to access the other auto attendants that you have created for each language. In this
example, the main auto attendant would answer the incoming call and the caller would hear,
"Welcome to Contoso, Ltd. For English, press or say 1. For Spanish, press or say 2. For
French, press or say 3."
Auto Attendant Examples
The following examples demonstrate how you can use UM auto attendants together with
Exchange 2007 Unified Messaging:
Example 1: At a company called Contoso, Ltd., external customers can use three external
telephone numbers: 425-555-1111 (Corporate Offices), 425-555-2222 (Product Support), and
425-555-3333 (Sales). The Human Resources, Administration, and Accounting departments
have internal telephone extensions and must be accessed from the Corporate Offices UM auto
attendant.
To create a UM auto attendant structure that supports this scenario, create and configure three
UM auto attendants that have the appropriate external telephone numbers. Create three other
UM auto attendants for each department in the Corporate Offices. You then configure each UM
auto attendant based on your requirements, such as the greeting type or other navigational
information.
Figure 52 is a graphical representation of how Unified Messaging auto attendants can be used
in Example 1.
305
Figure 52 How to configure multiple UM auto attendants with multiple outside business
telephone lines
Example 2: At a company called Contoso, Ltd., external customers call one main number for
the business, 425-555-1000. When an external caller calls the external number, the UM auto
attendant answers and prompts the caller by saying, "Welcome to Contoso, Ltd. Please press
or say 'One' to be transferred to corporate administration. Please press or say 'Two' to be
transferred to product support. Please press or say 'Three' to be transferred to corporate
information. Please press or say 'Zero' to be transferred to the operator." To create a UM auto
attendant structure that supports this scenario, you create a UM auto attendant that has
customized extensions that route the call to the appropriate extension number.
Figure 53 is a graphical representation of how Unified Messaging auto attendants can be used
in Example 2.
306
Figure 53 How to configure multiple UM auto attendants with a single outside business
telephone line
For more information about how to create or modify UM auto attendants, see How to Create a
New Unified Messaging Auto Attendant or How to Modify a Unified Messaging Auto Attendant.
For More Information
• For more information about Unified Messaging call answering, see Understanding
Unified Messaging Incoming Call Handling.
Understanding Unified Messaging Dial
Plans
Unified Messaging dial plans are integral to the operation of Microsoft Exchange Server 2007
Unified Messaging and are required to successfully deploy Unified Messaging on your network.
307
The following sections discuss Unified Messaging dial plans and how UM dial plans are used
when you deploy Exchange 2007 Unified Messaging on your network.
Overview of UM Dial Plans
Although Exchange 2007 Unified Messaging has many Active Directory objects that must be
created and configured during deployment, UM dial plan objects are the central component of
the Unified Messaging system. A UM dial plan object is an Exchange 2007 organization-wide
object that is created in Active Directory.
The Unified Messaging dial plan is an Active Directory container object that logically represents
sets or groupings of Private Branch eXchanges (PBXs) that share common user extension
numbers. In practical terms, users' extensions that are hosted on PBXs share a common
extension number. Users can dial one another’s telephone extensions without appending a
special number to the extension or dialing a full telephone number. A UM dial plan is a logical
representation of a telephony dial plan.
Note:
A telephony dial plan is configured on a legacy PBX or IP/PBX.
For more information about telephony components, see Overview of Telephony Concepts and
Components.
In Exchange 2007 Unified Messaging, the following UM dial plan topologies can exist:
• A single dial plan that represents a subset of extensions or all extensions for an
organization that has one PBX.
• A single dial plan that represents a subset of extensions or all extensions for an
organization that has multiple networked PBXs.
• Multiple dial plans that represent a subset of extensions or all extensions for an
organization that has one PBX.
• Multiple dial plans that represent a subset of extensions or all extensions for an
organization that has multiple PBXs.
Users who belong to the same dial plan have the following characteristics:
•
An extension number that uniquely identifies the user mailbox in the dial plan.
• The ability to call or send voice messages to other members in the dial plan by using
only the extension number.
For more information about how to enable a user for Unified Messaging, see How to Enable a
User for Unified Messaging.
UM dial plans are implemented in Exchange 2007 Unified Messaging to ensure that user
telephone extensions are unique. In some telephony networks, multiple PBXs can exist. In
these telephony networks, there could be two different users in Active Directory who have
308
identical telephone extensions. UM dial plans resolve this situation. You can put the two users
into two separate UM dial plans. This makes their extensions unique.
Note:
A user can be a member of only one UM dial plan. You can also use a UM dial plan to
establish a common set of policies for a group of users. For example, you can enable
different languages for different UM dial plans, or you can enable different features for
different UM dial plans.
Figure 54 illustrates how Unified Messaging dial plans can be used in an organization that has
a single forest and multiple physical sites.
Figure 54 UM dial plans in a single forest in an organization that has multiple physical
sites
309
How Dial Plans Work
When you integrate a telephony network together with Exchange 2007 Unified Messaging,
there must be a hardware device called an IP/VoIP gateway that connects your telephony
network together with your IP-based network. IP/VoIP gateways convert circuit-switched
protocols that are found in a telephony network to a data-switched protocol such as IP. Each
IP/VoIP gateway in your organization is represented by a Unified Messaging IP gateway in
Active Directory. For more information about UM IP gateways, see Understanding Unified
Messaging IP Gateways.
Exchange 2007 Unified Messaging requires that you create at least one UM dial plan and that
the UM dial plan has a UM server and a UM IP gateway associated with it. After you install the
Unified Messaging server role on a computer that is running Exchange 2007, you must
associate the UM server together with at least one UM dial plan. You can also associate a
single UM server with multiple UM dial plans. After the UM server is associated with a UM dial
plan, you must create a UM IP gateway and associate it to the UM dial plan that was created.
Important:
Each time that you create a UM dial plan, a UM mailbox policy will also be created. The
UM mailbox policy will be named <DialPlanName> Default Policy.
When you create the first UM IP gateway and do not specify a UM dial plan at the time that you
create it, a default UM hunt group is also created. Creating and associating these objects in
Active Directory enables the Unified Messaging server to receive calls from the IP/VoIP
gateway and then process incoming calls for users who are associated with the UM dial plan.
When a call comes in to the IP/VoIP gateway, it forwards the call to a UM server and the
Unified Messaging server tries to match the extension number of the user to the associated UM
dial plan.
Note:
A default UM mailbox policy is created after you create the first UM dial plan.
For more information about how to add a Unified Messaging server to a UM dial plan, see How
to Add a Unified Messaging Server to a Dial Plan.
Outlook Voice Access
There are two types of callers who will access the Unified Messaging system by using the
subscriber access number that is configured on a UM dial plan: unauthenticated callers and
authenticated callers. When a caller dials the subscriber access number that is configured on a
dial plan, the caller is considered anonymous or unauthenticated until they input information
including their voice mail extension and a PIN. However, the only option that is available to
anonymous or unauthenticated callers is the directory search feature. After the caller inputs
their voice mail extension and their PIN, they will be authenticated and given access to their
mailbox. After they gain access to the system, they are using Outlook Voice Access. Outlook
310
Voice Access is a series of voice prompts that allow the caller access to e-mail, voice mail,
calendar, and other information. Subscriber access lets authenticated callers navigate their
personal information in their mailbox, place calls, or locate users by using dual tone multifrequency (DTMF) or voice inputs.
Important:
In some companies (especially in East Asia), office telephones may not have letters on
the keys of the telephone. This makes the spell-the-name feature using the DTMF
interface almost impossible without a working knowledge of this mapping. By default,
Exchange 2007 Unified Messaging uses the E.161 key mapping. For example, 2=ABC,
3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ. When inputting the
combination of letters and numbers, for example "Mike1092", the numeric digits are
mapped to themselves. For an e-mail alias of "Mike1092" to be entered correctly, the
user will have to press the numbers 64531092. Also for characters other than A-Z and
0-9 there will not be a telephone key equivalent and should not be entered. For
example, the e-mail alias "mike.wilson" would be entered as 6453945766. Therefore,
there are 11 characters to be input, but only 10 digits will be entered by the user
because the '.' does not have a digit equivalent.
For More Information
• For more information about how to install the Unified Messaging server role, see How
to Perform a Custom Installation Using Exchange Server 2007 Setup.
• For more information about Unified Messaging in Exchange Server 2007, see Unified
Messaging.
Understanding Unified Messaging IP
Gateways
The Unified Messaging (UM) IP gateway is a container object that logically represents a
physical IP/VoIP gateway hardware device. Before the IP/VoIP gateway can be used to process
Unified Messaging calls, the IP/VoIP gateway must be represented by an object in the
Active Directory directory service.
Overview of IP/VoIP Gateways
Traditionally, "gateway" is a term that describes a physical device that connects two
incompatible networks. With Microsoft Exchange Server 2007 Unified Messaging and other
unified messaging solutions, the IP/VoIP gateway is used to translate between the Public
311
Switched Telephone Network (PSTN)/Time Division Multiplex (TDM) or circuit-switched based
telephony network and an Internet Protocol (IP) or packet-switched data network.
Note:
A packet-switched network is a network in which packets (messages or fragments of
messages) are individually routed between nodes that may be shared by many other
nodes. This contrasts with a circuit-switched network that sets up a dedicated
connection between the two nodes for their exclusive use for the duration of the
communication.
Exchange 2007 Unified Messaging relies on the ability of the IP/VoIP gateway to translate TDM
or telephony circuit-switched based protocols, such as Integrated Services Digital Network
(ISDN) or QSIG, from a Private Branch eXchange (PBX) to protocols based on VoIP or IP, such
as Session Initiation Protocol (SIP), Realtime Transport Protocol (RTP), or T.38 for real-time
facsimile transport.
Types of IP/VoIP Gateways
Although there are many types and manufacturers of PBXs, IP/VoIP gateways, and IP/PBXs,
there are basically two types of IP/VoIP gateway component configurations:
•
IP/PBX A single device
•
PBX (legacy) and an IP/VoIP gateway Two separate components
To support Exchange 2007 Unified Messaging, one or both types of IP/VoIP device
configurations are used when connecting a telephony network infrastructure to a data network
infrastructure.
IP Gateway Objects
The UM IP gateway is an Active Directory container object that contains one or more
Active Directory UM hunt groups and other UM IP gateway configuration settings. UM IP
gateways are created within Active Directory to logically represent a physical hardware device
called an IP gateway or IP/VoIP gateway. The UM IP gateway can represent either an IP/VoIP
gateway or an IP/PBX. The combination of the IP/VoIP gateway object and a UM hunt group
object establishes a logical link between an IP/VoIP gateway hardware device and a UM dial
plan.
After the UM IP gateway is created, the IP gateway can be linked to or associated with a single
or multiple UM hunt groups and UM dial plans. The UM hunt group provides a link between the
UM IP gateway and a UM dial plan. By creating multiple UM hunt groups, you can associate a
single UM IP gateway with multiple UM dial plans.
312
Note:
Before an IP/VoIP gateway can be used to process calls, a UM IP gateway must be
associated with at least one UM dial plan. Also, at least one UM server must be
associated with at least one UM dial plan.
Enabling and Disabling UM IP Gateways
By default, IP gateways are left in an enabled state after they are created. However, the UM IP
gateway can be enabled or disabled. If you disable a UM IP gateway, it can be in one of two
disabled modes. The first disabled mode forces all associated UM servers to drop existing
calls. The second disabled mode forces the UM server associated with the UM IP gateway to
stop handling any new calls presented by the IP/VoIP gateway.
Note:
If a Unified Messaging IP gateway is deleted, the UM servers associated with the IP
gateway will no longer be able accept or process new call requests from the IP/VoIP
gateway.
For More Information
• For more information about Unified Messaging Active Directory objects, see Overview
of Unified Messaging Active Directory Objects.
• For more information about how to manage Unified Messaging objects, see Managing
Unified Messaging Objects.
Understanding Unified Messaging Mailbox
Policies
This topic discusses Microsoft Exchange Server 2007 Unified Messaging (UM) mailbox policies
and how they can be used in your Exchange 2007 Unified Messaging environment.
UM Mailbox Policies
Unified Messaging Active Directory mailbox policies are required when you enable users for
Exchange 2007 Unified Messaging. They are useful for applying and standardizing Unified
Messaging configuration settings for UM-enabled users. You create UM mailbox policies to
apply a common set of policies or security settings to a collection of UM-enabled mailboxes.
You use Unified Messaging mailbox policies to set Unified Messaging settings for UM-enabled
users, such as the following:
313
•
PIN policies
•
Dialing restrictions
•
Other general UM mailbox policy properties
For example, you can create a UM mailbox policy to increase the level of PIN security by
reducing the maximum number of logon failures for a specific group of UM-enabled users, such
as executives.
Unified Messaging mailbox policies are created in the Configuration container in the
Active Directory directory service by using the Exchange Management Shell or the Exchange
Management Console. By default, a single UM mailbox policy is created every time that you
create a UM dial plan. The new UM mailbox policy is associated with the UM dial plan and part
of the dial plan name is included in the display name of the UM mailbox policy. However, you
can create additional UM mailbox policies based on the needs of your organization. Although a
single UM mailbox policy is required to enable users for Unified Messaging, you can create
additional UM mailbox policies and apply a common set of mailbox policy settings for other
groups of users.
Each UM-enabled user's mailbox must be linked to a single UM mailbox policy. After you create
a UM mailbox policy, you link one or more UM-enabled mailboxes to the UM mailbox policy.
This lets you control PIN security settings such as the minimum number of digits in a PIN or the
maximum number of logon attempts for the UM-enabled users who are associated with the UM
mailbox policy. If you prefer, you can also control message text settings or dialing restrictions
for the same or a different group of UM-enabled mailboxes.
Multiple UM-enabled users can be linked to a single UM mailbox policy. However, a single user
can be associated with only one UM mailbox policy. When a user is enabled for Unified
Messaging, you must specify an existing UM mailbox policy to be linked to the UM-enabled
user's mailbox. After you create a new UM mailbox policy and link it to a UM dial plan, the UM
mailbox policy settings that are defined are then applied to the UM-enabled users. The settings
that are defined on a UM mailbox policy apply only to UM-enabled users to which the UM dial
plan is linked and the UM mailbox policy is associated.
Unified Messaging Policy Examples
Figure 55 illustrates how Unified Messaging mailbox policies can be created to control dialing
restrictions and PIN security settings for three different groups.
314
Figure 55 Example of Unified Messaging mailbox policies
For More Information
• For more information about dial plans, see Understanding Unified Messaging Dial
Plans.
•
For more information about PIN security, see Unified Messaging PIN Security.
• For more information about how to manage Unified Messaging mailbox policies, see
Managing Unified Messaging Mailbox Policies.
Understanding Unified Messaging Servers
When you install the Unified Messaging (UM) role on a computer running
Exchange Server 2007 a computer object is created in the Active Directory directory service.
This topic discusses Microsoft Exchange Server 2007 Unified Messaging server objects and
UM server operation found in Exchange Server 2007 Unified Messaging.
Computer Objects
Unified Messaging Active Directory directory service computer objects are those objects which
are created during the installation of the Unified Messaging server role. The Unified Messaging
Active Directory computer objects are the connection between your organization's telephony
infrastructure and the Exchange Server 2007 Unified Messaging Active Directory networking
environment.
315
The Unified Messaging computer object that is created in Active Directory is an essential part
of the Unified Messaging system. During an installation of the Exchange Server 2007 Unified
Messaging server role, a Unified Messaging computer object is created in the Computers
container in Active Directory . The Unified Messaging computer object created in
Active Directory is a logical representation of a physical server on which the
Exchange Server 2007 Unified Messaging server role is installed.
Important:
The Exchange Server 2007 Unified Messaging server must be a member of a domain
before the Unified Messaging server role is installed for a new Unified Messaging
computer object to be created during the installation.
After the computer object has been created, you can then perform the necessary procedures to
successfully deploy Unified Messaging on your network.
Note:
After the computer running Exchange Server 2007 has bee added to the domain you
can also apply Group Policy settings to the computer.
Server Operation
A Unified Messaging server will not process incoming calls unless the operational state is set to
enabled. However, by default, the operational status of the UM server is set to enabled after
installation This allows the UM server to process incoming and outgoing voice calls and
incoming fax calls and route the messages to the intended recipients in your Exchange
organization.
Although the operational status of the UM server is set to enabled after installation, the UM
server also maintains a logical status parameter that is used to control the operational status of
the Exchange Server 2007 Unified Messaging server. The intention of the logical status
variable is to let you stop call processing so that the UM server can be taken offline in a
controlled way.
The Unified Messaging server's operational status can be controlled by the enable and disable
commands in the Exchange Management Console and the Exchange Management Shell.
There are three status modes for Unified Messaging servers:
•
Enabled - Process all incoming calls.
•
Disabled - Do not accept any new calls and drop all existing calls.
•
Disabled - Do not accept any new calls but process all existing calls.
For more information about how to enable and disable a Unified Messaging server, see How to
Enable Unified Messaging on Exchange 2007 and How to Disable Unified Messaging on
Exchange 2007.
316
Even though the UM server operational status is set to enabled after installation of the Unified
Messaging server role, the UM server will still not be able to correctly process and route
incoming calls to UM-enabled users without being associated with at least one UM dial plan
and the UM dial plan associated with at least one UM IP gateway. For more information about
how to add a UM server to a UM dial plan, see How to Add a Unified Messaging Server to a
Dial Plan.
For more information about UM IP Gateways, see Understanding Unified Messaging IP
Gateways.
When the UM server is started, the UM server will locate all IP/VoIP gateways that are
associated with the UM dial plans and are associated with the UM server. To detect and identify
any configuration changes on either UM dial plans or UM IP gateways, the UM server will either
register a change notification or re-check the configuration every 10 minutes.
If the UM IP gateway list changes, the UM server will react accordingly and either start to use
or stop using the appropriate IP/VoIP gateways. After a UM server is working as an associated
member of a UM dial plan and is communicating with an IP/VoIP gateway or IP-Private Branch
eXchange (PBX), you can run a set of diagnostic operations to verify the correct operation and
connectivity.
For more information about how to test the operation of a Unified Messaging server, see How
to Test UM Server Operation and How to Test UM Server Connectivity to IP Gateways and
PBXs.
Understanding Unified Messaging Users
With Microsoft Exchange Server 2007 Unified Messaging (UM), the users in an Exchange 2007
organization can receive all their e-mail, voice, and fax messages in one mailbox. The Unified
Messaging functionality found in Exchange 2007 greatly increases user productivity and
enables more flexible messaging throughout an organization.
When you are creating an Exchange 2007 recipient, you are given the option of creating a
mailbox or connecting to an existing mailbox. After the mailbox is created for the user or the
user is connected to an existing mailbox, you must enable the mailbox so that the user can use
the Unified Messaging capabilities found in Exchange 2007. After the user is enabled for UM,
all e-mail, voice, and fax messages will be delivered to the user's Inbox. By using
Outlook 2007, Outlook Web Access, a mobile device that is enabled for Exchange ActiveSync,
or a regular or cellular telephone, the user can access their e-mail, voice and fax messages,
and calendaring information.
317
User UM Properties
By default, a user who has an Exchange 2007 mailbox is not enabled for UM. You must create
a mailbox for the Exchange 2007 user before the user can be enabled for UM. After the user is
enabled for UM, you can manage, modify, and configure the UM properties for the user.
Note:
To enable multiple UM users, use the Enable-UMMailboxExchange Management
Shell cmdlet.
There are two locations in which UM properties are stored for a user: the Mailbox object and
the user's Active Directory object. When you enable a user for Unified Messaging, you set the
UM property on the user's Mailbox object. After the Mailbox property is set to "enabled" for
Unified Messaging, the user can use the Unified Messaging features found in Exchange 2007.
After a user is enabled for UM, the user's Unified Messaging properties are stored in the user
properties and the user's mailbox. The user's Unified Messaging properties, such as the user's
extension number, spoken name, and other properties for the user, are stored in the user's
properties in the Active Directory directory service.
You can manage Unified Messaging (UM) properties for an Active Directory user on the
mailbox of the Exchange 2007 Unified Messaging user by using the Exchange Management
Shell or the Exchange Management Console.
The Relationship of the UM User to Other Active
Directory Objects
When you enable a user for Unified Messaging, the user must be associated with or linked to
an existing UM mailbox policy and you must provide the extension number for the user. You
can associate a user with a UM mailbox policy by using the Enable-UMMailbox cmdlet or by
selecting the UM mailbox policy when you create the user's Exchange mailbox.
A UM mailbox policy contains settings such as the dialing restrictions and PIN policies for a
user. When a UM mailbox policy is created, the UM mailbox policy must be associated with
only one UM dial plan. The UM dial plan is then associated with at least one Unified Messaging
server. Any Unified Messaging server that is associated with the UM dial plan can provide
Unified Messaging services for a UM-enabled user who uses the UM dial plan. Associating
these Active Directory objects in this manner delivers the Unified Messaging services by using
Active Directory. After the user is enabled for UM, the settings from a UM mailbox policy object
are applied to the UM-enabled user.
Note:
In a circuit-switched telephony environment, the user's telephone must be programmed
in the Private Branch eXchange (PBX) to forward busy or unanswered calls to a UM
IP/VoIP gateway that is associated with the user's dial plan.
318
For More Information
• For more information about how to manage UM users, see Managing Unified
Messaging Users.
• For more information about UM mailbox policies, see Understanding Unified
Messaging Mailbox Policies.
• For more information about UM dial plans, see Understanding Unified Messaging Dial
Plans.
• For more information about Unified Messaging Active Directory objects, see Overview
of Unified Messaging Active Directory Objects.
• For more information about Exchange 2007 Unified Messaging, see Unified
Messaging.
Overview of the Unified Messaging Call
Processing
This section introduces topics that describe how Microsoft Exchange Server 2007 Unified
Messaging handles message flow in different incoming call scenarios.
Incoming Calls Overview
Exchange 2007 Unified Messaging handles the following types of incoming calls:
•
Voice
•
Fax
•
Outlook Voice Access
•
Play on Phone
•
Auto attendant
Note:
Call handling is a term that describes how incoming calls are answered and handled by
a computer that is running Exchange 2007 that has the Unified Messaging server role
installed.
When an incoming call is received by an Exchange 2007 Unified Messaging server, the call is
answered and then routed by using a message transport such as Simple Mail Transfer Protocol
(SMTP), MAPI, remote procedure call (RPC), or Lightweight Directory Access Protocol (LDAP).
The message transport that is used when messages are routed depends on the type of
incoming call that the Unified Messaging server answers.
319
Exchange 2007 Unified Messaging depends on the Active Directory directory service to route
incoming calls. Each UM-enabled recipient must have a telephone extension number listed in
Active Directory for call answering to function correctly. The extension number for the recipient
is listed in Active Directory and is mapped to the extension number that is configured on the
user's UM-enabled Exchange mailbox. When a Unified Messaging server answers a call, an
Active Directory lookup is performed to locate the appropriate UM-enabled recipient and the
message is routed to the recipient's mailbox.
Message Flow
Message flow in Unified Messaging is the process by which a message that is received by a
Unified Messaging server is routed in an Exchange 2007 organization. Depending on the type
of incoming message or call that is answered by a Unified Messaging server, a different
transport protocol is used.
Note:
In earlier versions of Exchange, routing groups were used to route messages between
bridgehead servers—known in Exchange 2007 as Hub Transport servers. There are no
routing groups in Exchange 2007.
For example, in an incoming call scenario that includes incoming voice and fax messages, a
Hub Transport server uses the SMTP transport to submit the voice or fax mail message to the
Mailbox server. In a routing scenario that includes multiple Hub Transport servers, the incoming
voice or fax mail message is first submitted to the closest Hub Transport server and is then
routed to the appropriate Mailbox server that contains the UM-enabled mailbox.
Note:
To make sure that all incoming messages are transmitted and delivered to UM-enabled
recipients, the Unified Messaging servers use a spooling or re-try algorithm. The
Unified Messaging servers try to connect to a Hub Transport server every 30 seconds
to submit all messages that are stored on the Unified Messaging server.
For more information about how the Exchange 2007 Unified Messaging server handles
incoming calls and how the messages flow in Exchange 2007 Unified Messaging, see the
following topics:
•
Unified Messaging Voice and Fax Call Processing
•
Unified Messaging Outlook Voice Access Call Processing
•
Unified Messaging Auto Attendant Call Processing
•
Unified Messaging Play on Phone Call Processing
320
For More Information
• For more information about Unified Messaging call handling, see Understanding
Unified Messaging Incoming Call Handling.
Unified Messaging Voice and Fax Call
Processing
Incoming voice and fax messages are received by your organization's telephony network and
then passed to a Microsoft Exchange Server 2007 Unified Messaging server that handles and
routes the incoming call. This topic discusses the message flow for incoming voice and fax
messages that are received by a Unified Messaging server.
Voice and Fax Incoming Messages
Voice and fax calls that come in to an Exchange 2007 organization can be received from users
who are inside or outside the organization. When a caller places a call to a UM-enabled user's
telephone extension and the user is unavailable to answer the call, the Private Branch
eXchange (PBX) forwards or routes the incoming call to an IP/VoIP gateway and then to the
Unified Messaging server. In a Unified Messaging system that uses an IP/PBX, the IP/PBX
forwards the incoming message to the Unified Messaging server. The IP/VoIP gateway or the
IP/PBX translates or converts the incoming stream into a VoIP protocol such as the Session
Initiation Protocol (SIP) for incoming voice messages or the T.38 protocol for incoming fax
messages. The stream of IP data is then passed on to the Unified Messaging server. After the
Unified Messaging server receives the call, the Unified Messaging server processes the
message and determines how to route the message.
Figure 56 illustrates how incoming voice and fax messages flow in an Exchange 2007
organization.
321
Figure 56 The flow of incoming voice and fax messages in an Exchange 2007
organization
For More Information
• For more information about the different types of messages that an Exchange 2007
Unified Messaging server handles, see Overview of the Unified Messaging Call
Processing.
• For more information about Outlook Voice Access message flow, see Unified
Messaging Outlook Voice Access Call Processing.
• For more information about Play on Phone message flow, see Unified Messaging Play
on Phone Call Processing.
322
• For more information about auto attendant message flow, see Unified Messaging Auto
Attendant Call Processing.
Unified Messaging Outlook Voice Access
Call Processing
When an authenticated UM-enabled user calls in to the Microsoft Exchange 2007 Unified
Messaging system, the call is received by your organization's telephony network and then
passed to an Exchange 2007 Unified Messaging server that handles and routes the incoming
call. This topic discusses the message flow for incoming Outlook Voice Access calls to an
Exchange 2007 Unified Messaging server.
Outlook Voice Access
With Exchange 2007 Unified Messaging, UM-enabled users or subscribers can access their email, contacts, and calendaring information by using a standard analog, digital, or cellular
telephone. When a UM-enabled user uses Outlook Voice Access, they can perform the
following tasks:
•
Listen to new and saved e-mail and voice mail messages.
•
Forward, reply, save, and delete e-mail and voice mail messages.
•
Interact with their calendar.
•
Locate a person in the global address list (GAL) or personal contacts.
•
Send a voice message to a person
•
Change their PIN, spoken name, or greetings.
• For more information about subscriber access in Exchange 2007 Unified Messaging,
see Understanding Unified Messaging Subscriber Access.
Outlook Voice Access Message Flow
Outlook Voice Access incoming calls and messages that are created by using Outlook Voice
Access are routed to an Exchange 2007 Unified Messaging server and then to the Mailbox
server. However, if a message is submitted by using Outlook Voice Access, for example, a
change in the schedule of a meeting from a subscriber, the message is submitted to a Hub
Transport server before it is routed to the appropriate mailbox for the Exchange 2007 recipient
or recipients.
Figure 57 illustrates how incoming calls and messages placed by subscribers or UM-enabled
users flow in an Exchange 2007 organization.
323
Figure 57 Outlook Voice Access message flow in an Exchange 2007 organization
For More Information
• For more information about the different types of messages that an Exchange 2007
Unified Messaging server handles, see Overview of the Unified Messaging Call
Processing.
• For more information about Outlook Voice Access message flow, see Unified
Messaging Voice and Fax Call Processing.
• For more information about Unified Messaging Play on Phone message flow, see
Unified Messaging Play on Phone Call Processing.
324
• For more information about Unified Messaging auto attendant message flow, see
Unified Messaging Auto Attendant Call Processing.
Unified Messaging Auto Attendant Call
Processing
Incoming calls that are received by a Unified Messaging (UM) auto attendant are first passed
through your organization's telephony network and then to a Microsoft Exchange Server 2007
Unified Messaging server that handles and routes the incoming call. This topic discusses the
message flow for incoming messages that are received by an Exchange 2007 Unified
Messaging auto attendant.
UM Auto Attendants
When external or anonymous callers place a call by using an external business telephone
number, or an internal anonymous caller places a call to an internal extension number, they are
presented with voice prompts to help them navigate the Unified Messaging menu system. The
UM auto attendant is a set of voice prompts or .wav files that are played to callers in place of a
human operator or receptionist when they call into an organization that has Exchange 2007
Unified Messaging. Exchange 2007 Unified Messaging enables you to create one or more auto
attendants depending on the needs of your organization. For more information about UM auto
attendants, see Understanding Unified Messaging Auto Attendants.
Auto Attendant Message Flow
When a call is received by an Exchange 2007 Unified Messaging server, the Unified Messaging
server performs a Lightweight Directory Access Protocol (LDAP) query to an Active Directory
directory service domain controller to determine how to handle the incoming call.
Figure 58 illustrates the message flow process when Unified Messaging auto attendants are
used in an Exchange 2007 organization.
325
Figure 58 UM auto attendant message flow
For More Information
• For more information about the different types of messages that an Exchange 2007
Unified Messaging server handles, see Overview of the Unified Messaging Call
Processing.
• For more information about voice and fax message flow, see Unified Messaging Voice
and Fax Call Processing.
• For more information about Outlook Voice Access message flow, see Unified
Messaging Outlook Voice Access Call Processing.
326
• For more information about Play on Phone message flow, see Unified Messaging Play
on Phone Call Processing.
Unified Messaging Play on Phone Call
Processing
Incoming calls that are placed by users who are using the Play on Phone feature are received
and routed by a computer that is running Microsoft Exchange Server 2007 that has the Unified
Messaging server role installed. This topic discusses the message flow for calls that are made
by a UM-enabled user who uses the Play on Phone feature in Exchange 2007 Unified
Messaging.
Play on Phone
The Exchange 2007 Unified Messaging Play on Phone feature enables a UM-enabled user to
access a voice mail message. However, instead of playing the media file over their computer
speakers, they can listen to the message on a telephone.
When users sit in office cubicles, use a public computer, have a computer that is not enabled
for multimedia, or have a voice message that is confidential, a UM-enabled user may not want
to or may be unable to play a voice message over their computer speakers. The Play on Phone
feature lets the UM-enabled user play the voice message over a telephone. The Play on Phone
feature is available in Exchange 2007 Outlook Web Access and in Office Outlook 2007.
Figure 59 illustrates how Exchange 2007 Unified Messaging routes the incoming calls for UMenabled users who use the Play on Phone feature.
327
Figure 59 Message flow for incoming calls when the Play on Phone feature is used
Note:
The Unified Messaging Web services are installed on a computer that has the Client
Access server role installed. Unified Messaging Web services enable Session Initiation
Protocol (SIP) functionality on a Client Access server. This functionality enables a user
to record a voice mail greeting or use the Play on Phone feature. The Unified
Messaging server uses only SIP to communicate. Therefore, the UM Web service is
installed on a computer running the Client Access server role and is required to enable
the Client Access server to communicate with the Unified Messaging server.
Important:
By default, SIP data, which includes Unified Messaging server settings and other call
information that is sent from a Unified Messaging server to a Client Access server, is
328
not encrypted. This could pose a security threat. To help protect all SIP traffic, use
Transport Layer Security (TLS) to encrypt the traffic between a Client Access server
and a Unified Messaging server by configuring TLS security settings on the UM dial
plan. For more information about SIP security and TLS, see Understanding Unified
Messaging VoIP Security.
For More Information
• For more information about the different types of messages that an Exchange 2007
Unified Messaging server handles, see Overview of the Unified Messaging Call
Processing.
• For more information about Outlook Voice Access message flow, see Unified
Messaging Outlook Voice Access Call Processing.
• For more information about Unified Messaging auto attendant message flow, see
Unified Messaging Auto Attendant Call Processing.
• For more information about Unified Messaging voice and fax message flow, see
Unified Messaging Voice and Fax Call Processing.
Overview of Unified Messaging Server
Topologies
Microsoft Exchange Server 2007 supports a server architecture that distributes server tasks
among different server roles. In this kind of architecture, a computer that is running
Exchange Server 2007 that has the Unified Messaging server role installed accepts incoming
calls. The Unified Messaging server then routes the messages to the appropriate server for
processing. This could be the Client Access server, the Mailbox server, or the Hub Transport
server. The server that has the Hub Transport server role installed was formerly known as a
bridgehead server.
This topic describes the relationship between the Exchange Server 2007 Unified Messaging
servers on a typical network and the telephony components in an organization.
Unified Messaging Topology That Has a Single
PBX
Figure 60 illustrates an Exchange Server 2007 Unified Messaging topology that contains a
single Private Branch eXchange (PBX).
329
Figure 60 Exchange Server 2007 UM topology that has a single PBX
Unified Messaging Topology That Has Multiple
PBXs
Figure 61 illustrates an Exchange Server 2007 Unified Messaging topology that contains
multiple PBXs.
330
Figure 61 Exchange Server 2007 UM topology that has multiple PBXs
For More Information
•
For more information about Unified Messaging, see Unified Messaging.
• For more information about Unified Messaging concepts, see Overview of Unified
Messaging Components.
• For more information about telephony concepts, see Overview of Telephony Concepts
and Components.
• For more information about how to deploy Exchange Server 2007 Unified Messaging,
see Post-Installation Tasks.
331
Services Installed by Exchange Setup
During the installation of Microsoft Exchange Server 2007, Setup runs a set of tasks that install
new Microsoft Windows services. A Windows service is a background process that can be
launched during operating system startup by the Service Control Manager in
Microsoft Windows Server 2003. Services are executable files that are designed to operate
independently and without administrative intervention. A service can run using either a
graphical user interface mode or a console mode.
Services are not new to Microsoft Exchange Server. All previous versions of Exchange Server
included components that were implemented as services.
Each server role includes services that are part of or may be needed by the server role to
perform its functions. Although Setup will install all services whether they are immediately
needed or not, some services will only become active when specific features are used.
Table 32 lists by name and by short name the various services that are installed by
Exchange 2007. Also included is a description of each service, the server role that installs the
service, and whether the service is required or optional. In Table 27, optional means that the
service is installed by Setup, but it can be disabled by an administrator if the administrator
determines that the function provided by the service is not needed by the administrator's
organization.
Table 32 Services installed by Exchange Setup
Service name
Service short
Security
Description
name
context
and
Server role(s)
Required (R)
or optional (O)
dependencies
Microsoft Exc
hange Active
Directory
Topology
MSExchange
ADTopology
Local System
Provides
Active Directo
ry topology
information to
several
Exchange Ser
ver
components.
This service
does not have
any
dependencies
.
Mailbox,
R
Client Access,
Hub
Transport,
Unified
Messaging
332
Microsoft Exc
hange ADAM
ADAM_MSEx
change
Network
Service
Active Directo Edge
ry Application Transport
Mode
(ADAM) is
used to store
configuration
data and
recipient data
on the Edge
Transport
server. This
service
represents
the named
instance of
ADAM that is
automatically
created by
Setup during
Edge
Transport
server
installation.
R
Microsoft Exc
hange
Credential
Service
EdgeCredenti
alSvc
Local System
Monitors
credential
changes in
ADAM and
installs the
changes on
the Edge
Transport
server.
R
Edge
Transport
333
Microsoft Exc
hange
EdgeSync
MSExchange
EdgeSync
Local System
Connects to
ADAM
instance on
subscribed
Edge
Transport
servers over
secure
Lightweight
Directory
Access
Protocol
(LDAP)
channel to
synchronize
data between
a Hub
Transport
server and an
Edge
Transport
server. This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
Hub
Transport
R
334
Microsoft Exc
hange File
Distribution
Service
MSExchange
FDS
Local System
Used to
distribute
offline
address book
and custom
Unified
Messaging
prompts. This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology and
Workstation
services.
Client Access, R
Unified
Messaging
Microsoft Exc
hange Antispam Update
MSExchange
AntispamUpd
ate
Local System
Used to
automatically
download
anti-spam
filter updates
from
Microsoft
Update. This
service does
not have any
dependencies
.
Hub
Transport,
Edge
Transport
O
Microsoft Exc
hange IMAP4
MSExchangeI Local System
MAP4
Provides
IMAP4
services to
IMAP clients.
This service
is dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
Client Access
O
335
Microsoft Exc
hange
Information
Store
MSExchangeI Local System
S
Manages
Mailbox
Exchange Ser
ver
databases.
Provides data
storage for
messaging
clients. This
service is
dependent
upon the
following
services:
Event Log,
NT LM
Security
Support
Provider,
Remote
Procedure
Call (RPC),
Server, and
Workstation.
R
Microsoft Exc
hange Mail
Submission
Service
MSExchange
MailSubmissi
on
Submits
messages
from a
Mailbox
server to a
Hub
Transport
server. This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
R
Local System
Mailbox
336
Microsoft Exc
hange
Mailbox
Assistants
MSExchange
MailboxAssist
ants
Local System
Provides
Mailbox
functionality
for Calendar
Attendant,
Resource
Booking
Attendant,
Out of Office
Assistant, and
Managed
Folder
Mailbox
Assistant.
This service
is dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
R
Microsoft Exc
hange
Monitoring
MSExchange
Monitoring
Local System
Provides a
All
remote
procedure call
(RPC) server
that can be
used to
invoke
diagnostic
cmdlets. This
service does
not have any
dependencies
.
O
337
Microsoft Exc
hange POP3
MSExchange
POP3
Local System
Provides
POP3
services to
POP3 clients.
This service
is dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
Client Access
O
Microsoft Exc
hange
Replication
Service
MSExchange
Repl
Local System
Provides log
shipping
functionality
for local
continuous
replication
(LCR) and
cluster
continuous
replication
(CCR). This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
Mailbox
R
338
Microsoft Exc MSExchange
hange Search Search
Indexer
Local System
Provides
Mailbox
content to the
Microsoft
Search
(Exchange Se
rver) service
for indexing.
This service
is dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service and
the Microsoft
Search
(Exchange Se
rver) service.
O
339
Microsoft Exc
hange
Service Host
MSExchange
ServiceHost
Local System
Configures
Mailbox,
the RPC
Client Access
virtual
directory in
Internet
Information
Services (IIS),
and registry
data for
ValidPorts,
NSPI
Interface
Protocol
Sequences,
and
AllowAnony
mous for
Outlook
Anywhere.
This service
is dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
R
Microsoft Exc
hange
Speech
Engine
MSS
Network
Service
Provides
speech
processing
services for
Unified
Messaging.
This service
is dependent
upon the
Windows
Management
Instrumentati
on service.
R
Unified
Messaging
340
Microsoft Exc
hange
System
Attendant
MSExchange
SA
Local System
Provides
Mailbox
monitoring,
maintenance,
and directory
lookup
services for
Exchange Ser
ver. This
service is
dependent
upon the
following
services:
Event Log,
NT LM
Security
Support
Provider,
Remote
Procedure
Call (RPC),
Server, and
Workstation.
R
Microsoft Exc
hange
Transport
MSExchange
Transport
Network
Service
Provides
Simple
Message
Transfer
Protocol
(SMTP)
server and
transport
stack. This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service.
R
Hub
Transport,
Edge
Transport
341
Microsoft Exc MSExchange
hange
TransportLog
Transport Log Search
Search
Local System
Provides
message
tracking and
transport log
searching.
This service
has no
dependencies
.
Mailbox, Hub
Transport,
Edge
Transport
Microsoft Exc MSExchange
hange Unified UM
Messaging
Local System
Provides
Unified
Unified
Messaging
Messaging
features, such
as the storing
of inbound
faxes and
voice mail
messages in
a user's
mailbox, and
access to that
mailbox via
Outlook Voice
Access. This
service is
dependent
upon the
Microsoft Exc
hange Active
Directory
Topology
service and
the
Microsoft Exc
hange
Speech
Engine
service.
O
R
342
Microsoft
MSFTESQLSearch
Exchange
(Exchange Se
rver)
Local System
Provides fulltext indexing
of mailbox
data content.
This is a
Microsoft Exc
hangecustomized
version of
Microsoft
Search. This
service is
dependent
upon the
Remote
Procedure
Call (RPC)
service.
Mailbox
O
Topologies
Microsoft Exchange server topologies vary from customer to customer. The choice of
topologies can range from small business customers who typically run a single all-in-one server
to large enterprise customers who typically separate servers based on functionality or location.
Active Directory directory service deployments also vary from customer to customer.
Microsoft Exchange Server 2007 depends upon Active Directory to a greater extent than
previous versions of Exchange due to its use of the Active Directory site topology for routing
and service discovery.
Exchange Delivery Locations
Exchange topologies are heavily dependent upon the physical relationships that exist between
where the service is provided (where the Exchange servers and dependent infrastructure
components are placed), and where the service is consumed (where the clients are located).
The availability of adequate network resources is a significant decision factor when considering
how to deploy Exchange 2007 into your environment.
343
Service Delivery Location
A Service Delivery Location (SDL) refers to a physical location where Exchange and other
servers reside. The network at and throughout an SDL must provide sufficient bandwidth and
reliability to support Exchange, directory services, and other applications. An SDL must provide
all dependent services that Exchange requires through resources deployed locally at and
throughout the SDL. The minimum set of dependent services includes:
•
Network availability, usually in the form of a local area network (LAN).
•
Name resolution using Domain Name System (DNS).
•
Directory services using Active Directory domain controllers and global catalog servers.
Other services that an SDL may provide include public external network connectivity (Internet)
and perimeter network isolation, although these services are implementation specific and not a
requirement of every SDL.
An SDL may be comprised of one or more subnets and may contain one or more
Active Directory sites. SDLs correspond to a single physical building or campus environment
with a common backbone network with LAN or greater speed and the appropriate level of
redundancy. SDLs are always separated from one another by a wide area network (WAN) link.
Client Service Location
A Client Service Location (CSL) refers to any location from which Exchange services may be
accessed by a collective group of clients. A CSL may be co-located with an SDL on a common
LAN, reside on a LAN physically separated from the SDL over a WAN, MAN, or Internet link; or
refer to devices that use a common client access protocol over a public network. Examples of
clients include Microsoft Office Outlook 2007, Outlook Web Access, Outlook Voice Access,
Post Office Protocol 3 (POP3), and Internet Message Access Protocol 4 (IMAP4) clients, such
as Outlook Express and Microsoft Exchange ActiveSync.
Exchange Topology Layers
Generally, three types of topologies describe an Exchange-based messaging infrastructure: the
logical topology, the physical topology, and the Exchange topology.
To correctly plan an Exchange 2007 deployment, we recommend that you become familiar with
the possible topology options and their related terminology. Each type of topology is briefly
described in the following sections with links to more detailed information.
Logical Topology
A logical topology for Exchange 2007 maps groupings of resources together to provide scoping
for either features or security. Logical topologies help map resources closer to your business
model.
344
With Exchange 2007, the logical topology refers to Active Directory forest design. Possible
logical topologies for Exchange 2007 include single forest, multiple forest, and dedicated
Exchange resource forest deployments.
For more information about Exchange 2007 logical topologies, see Logical Topologies.
Physical Topology
A physical topology for Exchange 2007 maps physical elements to geographical locations. A
physical topology is typically used to describe a network or the location of servers. Possible
physical topologies for Exchange 2007 include single server, multiple server, and multiple site
deployments. Physical topologies also frequently classify the distribution of servers and
management roles into two primary categories: centralized servers and administration, and
distributed servers and administration.
For more information about Exchange 2007 physical topologies, see Physical Topologies.
Exchange Organization Topology
Exchange 2007 is an enterprise messaging system, and it requires three basic elements:
directory services, transport mechanisms, and storage. Specifically, Exchange requires and
uses Active Directory for directory services, various TCP/IP-based protocols for transport—
such as the Simple Mail Transfer Protocol (SMTP) and the Hypertext Transfer Protocol (HTTP)
—and the Extensible Storage Engine (ESE), which is built into Exchange, for storage.
Although Exchange has many components that make up an Exchange topology, all
components that are required by Exchange can be categorized into three layers that combine
to form an Exchange topology:
•
Network layer
•
Active Directory layer
•
Exchange layer
From the perspective of an Exchange topology, each of these layers can be described in terms
of both a logical topology and a physical topology. For more information about Exchange
topologies, see Organization Topologies.
Logical Topologies
With Microsoft Exchange Server 2007, the logical topology refers to the Active Directory
directory service forest design and implementation. A logical topology for Exchange 2007 maps
groupings of resources together to provide scoping for either features or security. Logical
topologies help map resources closer to your business model. Generally, all logical topologies
345
are based on specific and unique organizational requirements to scope resources based on
security and business requirements.
Core Logical Topologies
Exchange 2007 supports a variety of Active Directory forest options, such as:
• No Forest Active Directory is required for most Exchange 2007 deployments.
However, there is an Exchange 2007 server role that does not require Active Directory. The
Edge Transport Server Role in Exchange 2007 has been designed specifically to be
operated outside of an Active Directory forest. The Edge Transport Server Role does not
use Active Directory for transport and routing or for storing server configuration information.
Instead, it uses Active Directory Application Mode (ADAM).
• Single Forest In this topology, Exchange is installed in a single Active Directory forest
that spans the whole organization. All user and group accounts and all the Exchange
configuration information are located within the same forest.
• Resource Forest This topology is one of two multiple forest topologies supported by
Exchange 2007. In this topology, Exchange is installed in an Active Directory forest that
does not contain the user and group accounts. This topology is typically deployed to
facilitate separation of Active Directory and the Exchange administration space. In a
resource forest, one forest is used for accounts and authentication, and a separate
Exchange forest is used for Exchange. All Exchange and mailbox configuration data is
contained in the Exchange resource forest.
• Cross-Forest This topology is one of two multiple forest topologies supported by
Exchange 2007. In this topology, Exchange is installed into multiple, different
Active Directory forests. This topology is typically deployed in highly distributed
organizations, where different groups want to retain management ownership of their
individual space. In this topology, each forest has a complete Exchange deployment and a
unique Exchange organization object. The separate Exchange systems are frequently
configured to synchronize recipients between forests to provide a single global address list.
They may also be configured to share other common messaging features, such as e-mail
messages, free/busy data, and public folders by one or more connectors.
Note:
For the discussions in these topics, the cross-forest and resource forest topologies
do not include federated environments. Federated environments exist between two
or more disparate organizations where there is no common organization or
relationship. In the earlier discussion of multi-forest topologies, some relationships
exist between the different forests. The forests are part of a company, an
organization, or some other common unit.
346
For More Information
For more information about forest topologies for Exchange 2007, see Active Directory Forest
Topologies.
Physical Topologies
A physical topology for Microsoft Exchange Server 2007 maps physical elements to
geographical locations. A physical topology is typically used to describe a network or the
location of servers. Generally, all physical topologies are based on specific and unique
organizational requirements to scope resources based on security and business requirements.
Physical topologies also frequently classify the distribution of servers and management roles
into two primary categories: centralized servers and administration, and distributed servers and
administration.
Centralized vs. Distributed Messaging Systems
If your company is composed of offices that are all connected by high-bandwidth and reliable
network connections, regardless of the distance between offices, you can implement a
centralized messaging system. A centralized messaging system means that all of your servers
that are running Exchange are located and managed in a central data center. When planning
your messaging system, it is best to start by considering this model because it is the most costeffective and easily managed.
If your company contains remote offices with low-bandwidth, high-latency, or unreliable network
connections, you can introduce servers to control how messaging traffic is routed from one
location to another. However, remote locations and multiple routing groups do not prevent you
from centralizing your administrative model. In addition, with the features in
Microsoft Windows Server 2003, Exchange 2007, and Microsoft Office Outlook 2007, you can
also consolidate your server hardware by removing servers that are running Exchange from
remote sites. With these changes, users can log on remotely to Microsoft Windows services
and Exchange 2007 and experience fewer problems related to a decrease in performance or
connectivity.
Service Level Management
Regardless of whether you choose a centralized or distributed messaging system, your
deployment should include service level management (SLM). SLM aims to align and manage
information technology (IT) services through a process of definition, agreement, operation
measurement, and review. The scope of SLM includes defining the IT services for the
organization and establishing service level agreements (SLAs) for them. Fulfilling SLAs is
assured by using underpinning contracts and operating level agreements for internal or
347
external delivery of the services. SLM also includes continual measurement of mutually
agreed–on service-level thresholds and the initiation of corrective actions if the thresholds are
breached. Services are monitored and measured according to the agreed-on SLA criteria to
ensure compliance with the SLAs.
Characteristics of a Centralized Messaging
System
A centralized messaging system consists of a large data center that hosts all server resources,
including the Active Directory directory service, global catalog servers, domain controllers, and
Exchange servers. The data center supports all messaging system users, whether they
connect locally or remotely. The following are characteristics of a centralized messaging
system:
• Data is hosted and managed in a centralized location regardless of whether the users
are connected remotely. This contrasts with the distributed model, where users have local
access to mailboxes but server administration is more complex.
•
Software upgrades can be rolled out from a centralized location.
• The data center incorporates power-insulating devices such as an uninterruptible
power supply (UPS) and hot site, warm site, or cold site contingencies. A hot site is a fullservice commercial site that is up and running continuously with data replicated to it, so
that it can be used immediately. A warm site is a full-service site that provides all the
equipment needed for a company to continue operations if a disaster were to occur.
However, the equipment is not ready for immediate use, and some administrative tasks are
required to make the site user-ready. A cold site is a service that provides space, but it is a
site that the company must furnish and set up. A hot site gets the company operational
faster, but a cold site is a less expensive option.
Business requirements associated with reducing cost and security requirements are usually the
driving forces behind centralizing systems. The requirements revolve around location
centralization (reducing the number of sites that provide server resources), physical
consolidation (replacing smaller servers with high-end servers), administrative consolidation,
and data consolidation (centralizing storage solutions that provide backup and disaster
recovery capabilities).
Important Considerations
Consider a centralized design only if prerequisites in the following areas are already met or are
included in the project plan:
• Data center hardware costs Compare the cost of installing high-end servers and
clusters in the data center to the administrative cost savings of centralizing the servers. We
recommend that you cluster the back-end servers to build high availability and redundancy
348
into the system, but this choice does involve greater initial costs. However, these costs may
be more than offset by reductions in operational costs, infrastructure costs, reduced
downtime, and greater scalability.
• Contingency planning When you centralize server and data resources across the
organization, you increase the number of possible single points of failure. You must make
contingency plans in the event a catastrophic event affects your data center.
• Network outages Consider the impact that a network outage will have on users in
remote locations. If the users have Cached Exchange Mode enabled in Outlook, this
consideration is less of an issue.
• Operational and administrative cost reductions Centralizing server resources can
reduce operational costs because service capacity and growth are achieved by having
better use of resources. It also reduces infrastructure costs associated with storage and
backup requirements.
• Data storage With larger centralized data volumes, you must use more reliable
storage systems to improve the integrity of your data. Additionally, by reducing the
complexity of the server infrastructure, you can more easily restore services and data when
a failure occurs.
• LAN and WAN connectivity If your current network does not provide the type of
bandwidth and speed required for centralizing servers, you have to build a network
upgrade into the project plan.
• Security A centralized model gives you easier security management, and therefore,
more control. This control makes it easier for security staff to maintain up-to-date virus
signatures and take timely action in response to security incidents. Another advantage of a
centralized design is that it locates your servers in a data center that you can physically
secure.
Characteristics of a Distributed Messaging
System
A branch office or distributed messaging deployment is one where many branch offices or
smaller distributed sites have slow connections to a corporate hub or data center. The branches
contain their own servers that are running Exchange, domain controllers, and global catalog
servers. A distributed messaging system is usually adopted when the network cannot handle
traffic to a central hub for services. Therefore, the operating system and messaging servers are
placed locally. User requirements may be another factor. If the requirements for user
experience and availability cannot be met by connecting to a data center, you may have no
choice but to position servers in the remote sites.
An Exchange branch office deployment has the following characteristics:
349
• The messaging system consists of many locations (branches), and each contains a
server that is running Exchange, domain controllers, and at least one global catalog server.
•
The branch office locations usually contain a small or varying number of users.
•
The network is usually structured as a hub-and-spoke topology.
• The network connections between the branch office locations and the central hub or
data center are typically low-bandwidth, high-latency, or unreliable.
The main reasons for deploying a distributed messaging system include the following:
•
The company's users are dispersed across sites.
• The company's network infrastructure cannot handle traffic to a central hub for
services.
• The user requirements dictate that a server be placed locally to provide optimal user
experience and availability.
Important Considerations
Consider the following issues when you think about a distributed design:
• Software upgrades Rolling out important updates can be much more challenging in
a distributed messaging system.
• Using Outlook Anywhere If you want to use Outlook Anywhere (formerly RPC over
HTTP), all computers in your messaging environment that users will have to use with
Outlook Anywhere communication must be running Windows Server 2003. This
requirement extends to all global catalog servers and all servers that are running Exchange
that your Outlook users will access.
• Operational and administrative costs Distributed messaging systems require more
servers and cause higher operational and administrative costs.
• Data storage With distributed servers, the service infrastructure is more complex,
which makes it more difficult to restore services and data when a failure occurs. Features
such as local continuous replication (LCR) and cluster continuous replication (CCR) are
especially useful in a distributed messaging environment. For more information about LCR,
see Local Continuous Replication. For more information about CCR, see Cluster
Continuous Replication.
• Network connections For remote offices, we recommend that the network
connection to the hub site or data center be no less than 64 kilobits per second (Kbps)
between servers. However, we recommend a higher connection speed between a hub and
an office.
350
• Security The physical security of servers in branch offices is a major consideration. In
a branch office design, you must take precautions to make sure that servers are not
located in open areas and that the servers are physically secured.
Active Directory Forest Topologies
Because Microsoft Windows Server 2003 and Microsoft Exchange Server 2007 both rely on the
Active Directory directory service for directory services, you must determine how to integrate
Exchange 2007 into your Active Directory structure. Active Directory includes the following
logical elements that combine to define an Active Directory topology:
•
Forest
•
One or more domains
•
One or more Active Directory sites
Active Directory Forests
A forest represents the outermost boundary of the directory service. A forest operates within the
context of a continuous security context such that all resources within a forest implicitly trust
each other regardless of where in the forest they are located. Within each forest, there is a
common directory schema and configuration of the directory service. A forest can be comprised
of one or more domains. There are two types of forest topologies: the single forest and the
multiple forest.
Single Forest Topology
In a single forest topology, Exchange is installed into a single Active Directory forest that spans
the whole organization. All user and group accounts and all Exchange configuration information
are located in the same forest.
If your organization has a single Active Directory forest, you can implement Exchange 2007 in
that forest. We recommend the single forest Exchange design because it offers the richest set
of e-mail system features, and also because it has the most streamlined administrative model.
Because all resources are contained in a single forest, a single global address list (GAL)
contains all users across the forest. The following figure illustrates this scenario.
351
Figure 62 Two examples of implementing Exchange in a single Active Directory forest
The single forest option offers the following advantages:
•
Provides the richest set of e-mail system features.
•
Provides a streamlined administrative model.
•
Takes advantage of an existing Active Directory structure.
•
Uses existing domain controllers and global catalog servers.
•
Does not require GAL synchronization.
The main disadvantage associated with a single forest is that administrators must determine
how to share or divide responsibilities for managing Active Directory and Exchange objects.
Multiple Forest Topology
Although we recommend a single forest topology because it provides the richest set of
messaging features, there are various reasons you may want to implement multiple forests.
Some of these reasons include:
•
You have multiple business units that require messaging service isolation.
•
You have multiple business units that have separate schema requirements.
•
You are confronted with a merger, acquisition, or divestiture.
Whatever the reason, the only way to establish strict boundaries between business units is to
create a separate Active Directory forest for each business unit. If this is your Active Directory
configuration, the preferred way to implement Exchange is to create an Exchange resource
forest. For more information about Exchange resource forests, see "Resource Forest Topology"
later in this document.
352
However, there are scenarios in which a resource forest may not be feasible (for example, with
mergers or acquisitions or when multiple forests are already running their own instances of
Exchange). In these cases, you can implement a cross-forest topology.
Cross-Forest Topology
In a cross-forest topology, a company has multiple Active Directory forests, each containing an
Exchange organization. Unlike a resource forest topology, user accounts are not separated
from their mailboxes. Instead, a user account and its associated mailbox are in the same forest.
The main advantage to implementing a cross-forest topology is that you can maintain data
isolation and security boundaries between the Exchange organizations. The disadvantages
associated with this topology include:
•
The richest set of messaging features is not provided.
•
Rules are not preserved during a cross-forest move.
• Mailbox delegate permissions are not preserved when you move mailboxes from one
forest to another.
• Although you can synchronize free/busy information across forests and use it to
schedule meetings, you cannot use the Open Other User's Folder feature in
Microsoft Office Outlook to view the calendar details for a user in another forest.
• Because a group from another forest is represented as a contact, you cannot view the
group's members. Group membership is not expanded until mail is sent to the forest
containing the group that is represented as the contact.
• Synchronization of directory objects across forests, as well as replication of free/busy
data information is required. Historically, the most commonly used solutions for directory
synchronization were Microsoft Identity Integration Server (MIIS) or Identity Integration
Feature Pack 1a for Microsoft Windows Server Active Directory. These solutions have not
been tested with Exchange 2007, and are therefore not supported. The Availability service
in Exchange 2007 can be used to share free/busy and calendaring information between
Exchange organizations in different forests.
353
Figure 63 Exchange in a cross-forest topology
Resource Forest Topology
There are some cases in which you may have to set up a separate Active Directory forest that
is dedicated to running Exchange. For example, you may have an existing Active Directory
forest that you want to retain. Or, you may have to separate the administration of
Active Directory objects and Exchange objects. Therefore, you may want to set up a separate
Active Directory forest that is dedicated to running Exchange. The separate dedicated forest is
referred to as an Exchange resource forest. In the resource forest model, Exchange is installed
in an Active Directory forest that is separate from the Active Directory forest where users,
computers, and application servers are installed. Companies that require security boundaries
between Active Directory administration and Exchange administration typically use this option.
The Exchange resource forest is dedicated to running Exchange and hosting mailboxes. User
accounts are contained in one or more forests called the accounts forests. Accounts forests are
separate from the Exchange resource forest. A one-way trust between the accounts forest and
the Exchange resource forest is created and allows the Exchange forest to trust the accounts
forest so that users in the accounts forest are granted access to mailboxes in the Exchange
resource forest. Because an Exchange organization cannot cross an Active Directory forest
boundary, each mailbox that is created in the Exchange resource forest must have a
corresponding user object in the Exchange resource forest. The user objects in the Exchange
resource forest are never logged on to by a user and are disabled to prevent them from being a
point of exploitation. Users are typically not even aware that the duplicate account exists.
Because the account in the Exchange resource forest is disabled and not used for logon
purposes, a user's real account from the account forest must be granted access to log on to the
mailbox. Access is granted by including the security identifier (SID) of the accounts forest user
354
object in the msExchMasterAccountSID attribute on the disabled user object in the Exchange
resource forest.
When an Exchange resource forest is used, it is possible that directory synchronization will not
be required. From the perspective of Exchange and Outlook, all the objects that are listed in the
directory service are sourced from a single location, in this case, the directory service that
hosts the Exchange resource forest. However, if GAL-related data is present in the account
forests, synchronization must occur to get the data into the Exchange resource forest for GAL
usage. In addition, you may need to set up a process so that when accounts are created in the
accounts forest, a disabled account with a mailbox is created in the Exchange resource forest.
The enabled user from the accounts forest is associated with a mailbox attached to a disabled
user in the resource forest. This configuration allows users to access mailboxes that reside in
different forests. In this scenario, you configure a trust relationship between the resource forest
and the accounts forest. You may also have to set up a provisioning process so that every time
an administrator creates a user in the accounts forest, a disabled user with a mailbox is created
in the Exchange resource forest.
Because all Exchange resources are contained in a single forest, a single GAL contains all
users across the forest. The main advantage of the dedicated Exchange forest scenario is a
security boundary between Active Directory and Exchange administration.
The disadvantages associated with this topology include:
• Implementing a resource forest allows for segregation of Exchange and
Active Directory administration, however, the cost associated with deploying a resource
forest may outweigh the need for this segregation.
• Installing additional domain controllers and global catalog servers in
Microsoft Windows sites where Exchange will run is required, thereby increasing cost.
• Provisioning process is required so that Active Directory updates are reflected in
Exchange. When you create an object in one forest, you must make sure that
corresponding objects are created in the other forest. For example, if you create a user in
one forest, make sure that a placeholder is created for that user in the other forest. You can
create the corresponding objects manually, or you can automate the process.
A variation of the resource forest scenario is a multiple forest where one forest hosts Exchange.
If you have multiple Active Directory forests, how you deploy Exchange depends on the degree
of autonomy that you want to maintain between the forests. Companies with business units that
require security (forest) boundaries for directory objects, but can share Exchange objects, may
choose to deploy Exchange in one of the forests and use it to host mailboxes for the other
forests in the company. Because all Exchange resources are contained in a single forest, a
single GAL contains all users across all forests.
The main advantages associated with this scenario include:
•
Uses an existing Active Directory structure.
•
Uses existing domain controllers and global catalog servers.
355
•
Provides strict security boundaries between forests.
The disadvantages associated with this scenario include:
• Requires a provisioning process so that Active Directory updates are reflected in
Exchange. For example, you can create a script so that creating a new Active Directory
user in Forest A generates a mailbox-enabled object with permissions that is disabled in
Forest B.
• Requires that forest administrators determine how to share or divide responsibilities for
managing Active Directory and Exchange objects.
Figure 64
Exchange in a resource forest topology
Active Directory Domains
A domain is a grouping of security principals and other objects that are administered
collectively. Domains are flexible. The implementation of what comprises a domain is open and
subject to an administrator's discretion. For example, a domain can represent a group of users
and computers that are located at a single physical location, or it can represent all users and
computers across many locations or a large geographical region. As consolidation of
administration and infrastructure support occurs, it is common for domains to be deployed
across large geographical areas to decrease support costs. However, as the scope of a
directory service increases, it is necessary to be able to target directory access to the
appropriate resources as efficiently as possibly.
Active Directory Sites
Active Directory sites represent a logical grouping of computers within Active Directory that
have reliable connectivity. With an Active Directory site, it is possible to partition client
356
computers to use a particular set or group of directory resources. An Active Directory site is one
or more well-connected TCP/IP subnets that allow administrators to configure Active Directory
access and replication. These subnets may or may not correspond to the physical topology.
The following figure illustrates some of the more commonly deployed relationships between
Active Directory logical definitions and physical locations.
Figure 65 Forests, domains, locations, and sites
Active Directory Deployment Scenarios
There are four main scenarios for integrating Exchange with Active Directory:
•
Single forest
•
Resource forest
•
Cross-forest
•
Mergers and acquisitions
357
The following table summarizes the benefits of each scenario.
Table 33 Benefits of Active Directory scenarios
Active Directory scenario
Description
Single forest
Users and their mailboxes are
contained in the same forest.
Why you use this scenario
• Richest set of mail
system features
• Streamlined
administration
• Uses existing
Active Directory structure
• Does not require
synchronization with other
forests
Resource forest
One forest is dedicated to
running Exchange and
hosting Exchange mailboxes.
The user accounts associated
with the mailboxes are
contained in one or more
separate forests.
• Security boundary
between Active Directory
and Exchange
administration
• Easier deployment of
Exchange in a multiple
forest environment
• Limited control of
network and user account
infrastructure
Cross-forest
Exchange runs in separate
forests, but e-mail
functionality is available
across forests.
• Multiple business
units require data and
service isolation
• Multiple business
units have separate
schema requirements
• Merger, acquisition, or
divestiture
358
Mergers and acquisitions
Mergers and acquisitions
frequently involve coexistence
between Exchange
organizations until they are
merged. The planning
considerations are similar to
those of the multiple forest
scenario, with additional
migration concerns.
Mergers and acquisitions are
a special case for a multiple
forest deployment that
requires extra attention to
migration issues
Organization Topologies
Although Microsoft Exchange Server 2007 includes several components that make up an
Exchange topology, all of the components needed by Exchange 2007 can be categorized into
three layers that combine to form an Exchange topology:
•
The network layer
•
The Active Directory directory service layer
•
The Exchange layer
From the perspective of an Exchange topology, each of these layers can be described in terms
of both logical and physical layers.
Network Layer of an Exchange Topology
The physical network layer provides the base foundation for all computers that need to
communicate together. The physical network layer defines the path that computers use to send
data to each other.
The logical network layer maps the naming convention and name resolution scheme that is
used to identify the IP address based on the Domain Name System (DNS) name. The DNS
layout typically maps to an organization's internal structure.
Physical Network Layer
IP addresses, IP subnets, LAN or WAN links, and routers and firewalls comprise the physical
network layer.
359
Elements
Definition
IP address
A base element of the network layer that is
used to uniquely identify a computer on the
network. Exchange 2007 supports IPv4
addresses only. IPv6 addresses are not
supported.
Boundaries
Definition
IP subnet
A non-overlapping grouping of IP addresses
that is used to control how data packets are
routed. Typically, IP subnets map to an
organization's geographic locations. However,
it is also common for a single location to have
multiple IP subnets.
Boundary property
Definition
LAN or WAN link
IP subnets that are highly connected, meaning
that they have a large amount of bandwidth
between them and are connected by a LAN
link. Geographic locations are typically linked
by a slower WAN link, which makes
consideration of the amount of traffic that
travels over these links important during the
planning process.
Router and firewall
A LAN or WAN link uses a router and firewall
as an interface between IP subnets, which can
define the network ports and protocols that can
be passed between IP subnets.
Logical Network Layer
DNS zones that include separate boundaries for Active Directory domain DNS zones, company
DNS zones, and Internet DNS zones comprise the logical network layer.
360
Elements
Definition
DNS zones
A contiguous portion of the DNS tree that is
administered as a single separate entity by a
DNS server. The zone contains resource
records for all names within the zone.
Boundaries
Definition
Internet zone ("." root)
This zone is used to resolve any domain that is
registered to be available from the Internet.
DNS needs to be configured to resolve to an
authoritative root domain server to
successfully resolve Internet DNS URLs.
Company zone
Each company is responsible for its own
domain and domain name. A zone name
begins at a specified name and ends at a
delegation point. A delegation point indicates
where one zone ends and another begins. To
successfully deploy Exchange, and to allow for
messages from the Internet, an appropriate
MX resource record needs to be created and
published in the company's DNS zone.
Domain zone
Active Directory uses service (SRV) resource
records in DNS to register a list of domain
controllers for client use.
Active Directory Layer of an Exchange Topology
The physical Active Directory layer provides the infrastructure that domain members can use to
contact the closest directory server and to control the behavior of replication traffic between
directory servers.
The logical Active Directory layer describes the layout of the authentication and authorization
model. The logical Active Directory layer lets each organization configure and deploy security
policies that map their security needs to their business structure.
Physical Active Directory Layer
Domain controllers, global catalog servers, and Active Directory site links comprise the physical
Active Directory layer.
361
Elements
Definition
Domain controller
A server that authenticates domain logons and
maintains the security policy and master
accounts database for a domain.
Global catalog server
A directory server that contains a partial replica
of Active Directory for every domain in an
enterprise forest.
Boundary property
Definition
Active Directory site links
The defined connection that controls
replication traffic between
Active Directory sites. There are two attributes
of an IP site link that are used to control the
replication behavior between
Active Directory sites: Schedule and Site Link
Cost. In many environments, Schedule and
Site Link Cost are used interchangeably (for
example, Site Link Cost increases as
Schedule interval increases). For
Exchange 2007 to make intelligent routing
decisions, it must have an understanding of
the physical relationships that exist between
Active Directory sites. We recommend that you
define Site Link Cost in terms of the available
network resources, where lower costs indicate
a higher-bandwidth and more reliable link.
Doing this will allow Exchange 2007 to make
routing decisions that use network resources
more efficiently.
362
Boundary connections
Definition
Active Directory site link connectors
Active Directory defines two types of site link
connectors: IP and Simple Mail Transfer
Protocol (SMTP). Exchange 2007 only
supports IP-based site link connectors. Any
Active Directory site used to host computers
running Exchange 2007 must make use of IPbased Active Directory site links to other
Active Directory sites. All intermediate
Active Directory site link connections between
Active Directory sites hosting computers
running Exchange 2007 must also use IPbased Active Directory site links.
Logical Active Directory Layer
Users, groups, forests, sites, domains, and organizational units comprise the logical
Active Directory layer.
Elements
Definition
User
A directory object used to identify a specific
and unique account in Active Directory.
Group
A collection of users, computers, contacts, and
other groups. Groups can be used as security
or as e-mail distribution collections. In
Exchange topologies, groups are often
referred to as distribution lists.
Boundaries
Definition
Forest
A collection of one or more Active Directory
domains that are organized as peers and
connected by two-way transitive trust
relationships. All domains in a forest share a
common schema, configuration, and global
catalog.
363
Active Directory site
A location on the network that contains
Active Directory servers that communicate
directly with each other. A site is defined as
one or more well-connected IP subnets.
Domain
A networked set of computers that share a
Security Accounts Manager (SAM) database
and that can be administered as a group.
Organizational unit (OU)
An Active Directory container used within
domains. OUs are logical containers into which
users, groups, computers, and other OUs are
placed. It can only contain objects from its
parent domain. An OU is the smallest unit of
scope to which a group policy or delegate
authority can be applied.
Exchange Layer of an Exchange Topology
The physical Exchange layer defines how mail is delivered between Exchange servers. The
physical Exchange layer is also used to scope public folder replication when optimizing traffic
across slow links. In Exchange 2007, the physical layer also defines which middle tier and
back-end servers are well-connected so that traffic is optimized between them.
The logical Exchange layer describes how Exchange resources are grouped together for
purposes of security and delegation management.
Physical Exchange Layer
Exchange servers and mail connectors comprise the physical Exchange layer.
Elements
Definition
Exchange server
Any server that has any Exchange services
installed on it.
Boundary property
Definition
Mail connector
A mail connector is used to define how mail
should be routed outside the server's routing
boundaries.
364
Logical Exchange Layer
Mailboxes, public folders, databases, Exchange servers, distribution lists, administrative
groups, and an organizational boundary comprise the logical Exchange layer.
Elements
Definition
Mailbox
A repository of private folders that is
associated with a user account and maintained
in a mailbox database on an Exchange server.
Public folder
A repository of public folders that is organized
into a logical tree called the public folder
hierarchy.
Database
An Extensible Storage Engine (ESE) database
file that contains mailboxes or public folders.
Exchange server
Any server that has any Exchange services
installed on it.
Distribution list
A collection of users, computers, contacts, and
other groups. Groups can be used as security
or as e-mail distribution collections.
Boundaries
Definition
Organization
A logical container that groups Exchange
resources together. Exchange resources within
an organization are tightly integrated and
share a common security context. There can
be only one Exchange organization per forest.
Exchange Organization Topology Definitions
The defined Exchange organization topologies are presented as a continuum. The definitions
build incrementally upon each other from the most simple to the most complex. A key
assumption of the topologies presented here is that, as new characteristics are added to a
topology, all of the characteristics defined in the previously defined topology are applicable to
the subsequent topologies as well.
There are four standard Exchange organization topologies that can be deployed:
365
• Simple Exchange organization The simple Exchange organization represents the
most basic topology into which Exchange 2007 can be deployed. For more information
about simple Exchange organizations, see Simple Exchange Organization.
• Standard Exchange organization The standard Exchange organization is the
classification for topologies that are not simple, large, or complex. For more information
about standard Exchange organizations, see Standard Exchange Organization.
• Large Exchange organization The large Exchange organization is an
Exchange organization that contains more than five Active Directory sites. In an
Exchange organization that includes Exchange Server 2003 or Exchange 2000 Server, the
definition of the large Exchange organization also includes any Exchange organization that
has more than five routing groups. For more information about large
Exchange organizations, see Large Exchange Organization.
• Complex Exchange organization The complex Exchange organization is any
Exchange organization that contains multiple Active Directory forests. A complex
Exchange organization typically also includes Microsoft Identity Integration Server. For
more information about complex Exchange organizations, see Complex Exchange
Organization.
Deploying Exchange 2007 outside of one of these defined topologies is not supported. You can
run the Microsoft Exchange Server Best Practices Analyzer Tool (ExBPA) to determine your
current organization model. You can do this by launching ExBPA from the Toolbox Work Center
in the Exchange Management Console.
Transport Architecture
In Microsoft Exchange Server 2007, the transport pipeline is a collection of Exchange 2007
server roles, connections, components, and queues that work together to route all messages to
the categorizer on a Hub Transport server inside the organization. Messages from outside the
organization enter the transport pipeline through a Receive connector on an Edge Transport
server and are then routed to a Hub Transport server inside the organization. Messages inside
the organization enter the transport pipeline on a Hub Transport server in one of the following
ways:
•
Through a Receive connector
•
From the Pickup directory or the Replay directory
•
By direct placement in the Submission queue by the Store driver
•
Through agent submission
Every message that is sent or received by an Exchange 2007 client must be categorized on a
Hub Transport server before it can be routed and delivered. After a message has been
categorized, it is put in a delivery queue for delivery to a mailbox in the same Active Directory
366
directory service site as the Hub Transport server on which the message was categorized or for
routing to a recipient in a different Active Directory site or forest, or to a recipient outside the
organization.
The Exchange 2007 transport pipeline consists of the following components and processes:
• SMTP Receive When messages are received at the Edge Transport server, antispam and antivirus agents filter connections and message contents, and help identify the
sender and the recipient of a message while the message is being accepted into the
organization. When messages are received at a Hub Transport server, transport rules are
applied and, if anti-spam and antivirus agents are configured, these agents provide an
additional layer of anti-spam and antivirus protection.
The SMTP session has a series of events that work together in a specific order to validate
the contents of a message before it is accepted into the organization. After a message has
passed completely through SMTP Receive and is not rejected by receive events or by an
anti-spam and antivirus agent, it is put in the Submission queue.
• Submission Submission is the process of putting messages into the Submission
queue. The categorizer then picks up one message at a time for categorization. There are
four types of submission:
•
SMTP submission through a Receive connector
• Submission through the Pickup directory or the Replay directory. These directories
exist on the Hub Transport server or Edge Transport server. Correctly formatted
message files that are copied into the Pickup directory or the Replay directory are put
directly into the Submission queue.
• Submission by the Store driver, which picks up messages from a sender’s Outbox
as they are sent
•
Submission by an agent
On the Edge Transport server, submission is generally only through the Receive connector.
On the Hub Transport server, submission can occur through a Receive connector, through
the Pickup directory, through the Replay directory or by the Store driver.
• Categorizer The categorizer picks up one message at a time from the Submission
queue. On the Edge Transport server, categorization is a short process in which the
message is put directly in the delivery queue. From the delivery queue, the message is
routed to a computer that is running a Hub Transport server role in the organization.
On the Hub Transport server, the categorizer completes the following steps:
• Recipient resolution, which includes top-level addressing, expansion, and
bifurcation
•
Routing resolution
•
Content conversion
367
Additionally, mail flow rules that are defined by the organization are applied. After
messages have been categorized, they are put into a delivery queue. A mailbox delivery
queue delivers the message to a local mailbox by using the Store driver. A remote delivery
queue delivers the message to a remote recipient through a Send connector.
• Local Delivery Only messages that are sent to a recipient with a mailbox in the same
Active Directory site as the Hub Transport server on which categorization occurred are
delivered locally. In this case, local delivery means delivery in the same Active Directory
site. All messages delivered locally are picked up from a delivery queue by the Store driver
and put in the recipient’s inbox on a Mailbox server.
• SMTP Send Messages that are sent to recipients in Active Directory sites that differ
from the computer that is running a Hub Transport server role on which categorization
occurred are delivered remotely or outside the organization. All messages that are sent to a
different Active Directory site, to a mailbox that resides on a computer that is running an
earlier version of Exchange, or to a mailbox that resides in a different Active Directory
forest must be routed through a Send connector to a Hub Transport server that can deliver
the message to the intended recipient. All messages that require delivery through the
Internet must be routed through a Send connector to an Edge Transport server that can
send messages to the Internet for delivery outside the organization.
• Client Access and Unified Messaging Scenarios Several client access scenarios
and Unified Message scenarios do not interact directly with the transport pipeline. Users of
Microsoft Office Outlook 2003, Office Outlook Web Access, Outlook by Phone, and
Exchange ActiveSync interact directly with the Client Access server role, Unified
Messaging server role, and Mailbox server role to access their mailbox. In each case,
when mail is sent, the message is put in the sender’s outbox directly on the Mailbox server
by Outlook or the Client Access server on behalf of the sender.
Note:
Outlook by Phone requires interaction with the Client Access server and with the
Mailbox server through the Unified Messaging server.
After the message is put in the sender’s outbox, the Store driver is alerted by the Microsoft
Exchange Mail Submission service, retrieves the message from the sender’s Outbox, and
then puts it into the Submission queue on a Hub Transport server in the same
Active Directory site as the mailbox from which the message was retrieved.
Figure 66 shows the relationships between the components in the Exchange 2007 transport
pipeline.
368
Figure 66 Overview of the transport pipeline
369
Understanding Active Directory Site-Based
Routing
Microsoft Exchange Server 2007 Hub Transport servers are responsible for routing messages
to mailboxes in the organization. In addition, Hub Transport servers are responsible for routing
messages that are to be delivered to a remote domain to a connector that is configured to
handle message delivery for that remote domain. In Exchange 2007, the intra-organizational
message routing topology and routing decisions are based on the existing Active Directory
directory service site topology. This topic explains how Exchange 2007 implements
Active Directory site-based routing between transport servers in the same Exchange
organization.
Overview of Message Routing in Exchange 2007
Routing decisions are made during message categorization. The categorizer is a component of
the Microsoft Exchange Transport service that processes all incoming messages and
determines what to do with the messages based on information about the intended recipients.
The categorizer processes messages in several dependent phases and also uses other
components of the Microsoft Exchange Transport service during message processing. After a
message is received by an Exchange 2007 transport server, and after the preliminary
processing that occurs during SMTP Receive finishes, the message is delivered to the
Submission queue. Messages move from the Submission queue through the categorizer in the
following phases:
• Agent processing of submitted messages Some agent processing on the Hub
Transport server occurs when the message is received for categorization. The agents that
are applied during this phase include the optional Forefront Security for
Exchange Server antivirus agent and the Journaling agent.
• Recipient resolution During this phase, the recipient's e-mail address is resolved to
determine whether the recipient has a mailbox in the Exchange organization or an external
e-mail address.
• Routing After information about the recipient is resolved, the routing component of
the categorizer determines the ultimate destination for the message and the route to that
destination, selects the next segment, or hop, for message relay, and resolves the next hop
information to a list of physical servers and IP addresses.
• Content conversion Before a message is relayed to its next hop, content conversion
occurs so that the message is sent in a format that is readable by the recipient. Content
conversion transforms e-mail messages from one format to another format for mail flow or
storage, such as MAPI to MIME, or UUENCODE to Base64 encoded, or for appropriate
rendering that is specific to an e-mail client, such as HTML to RTF to plain text.
370
• Agent processing of routed messages After the routing decisions for a particular
message are made, the Transport Rules agent and the Journaling agent are applied on the
Hub Transport server. The Journaling agent is applied both when the message is submitted
and when it is routed so that any changes that are made to the message by the Transport
Rules agent, for example, when it modifies a delivery address or applies a messagespecific journaling requirement, do not bypass the Journaling agent.
• Message packaging and DSN generation The final categorized message is
assembled and is moved to a delivery queue. A delivery status notification (DSN) may also
be generated during this phase.
Messages are next processed by SMTP Send, the store driver, or the foreign gateway
connection handler. This depends on the ultimate destination. The foreign gateway connection
handler is a component of the Microsoft Exchange Transport service that manages delivery of
messages to drop directories that are configured for use by foreign connectors. If a route
cannot be found for a recipient, the messages are queued to the Unreachable queue. Each
delivery queue represents the next hop destination.
Figure 67 shows how message processing occurs in the different routing phases and how
messages are queued for delivery to the next hop destination.
371
Figure 67 Routing context in mail flow
The routing topology and components of Exchange 2007 differ significantly from those of
Exchange Server 2003 and Exchange 2000 Server but generally correlate in the following
ways:
• The Active Directory site correlates to routing groups in Exchange 2003 and
Exchange 2000.
•
IP site links correlate to the concept of routing group connectors.
• The functionality of the Hub Transport server role in Exchange 2007 correlates to the
functionality of a dedicated bridgehead server in Exchange 2003 and Exchange 2000.
372
However, each Exchange server version differs in the method that is used to determine routing
paths. For more information about how these differences affect routing when more than one
version of Exchange Server is deployed in the same organization, see Message Routing in a
Coexistence Environment.
Intra-organizational Routing Components
To implement Active Directory site-based routing, Exchange 2007 must access configuration
information that is stored in Active Directory. On an Edge Transport server, configuration
information is stored in and accessed from the Active Directory Application Mode (ADAM)
directory service instance on the local server. Microsoft Windows and Exchange 2007 services
work together to create mappings of the configuration data. These mappings are cached in
routing tables. Exchange 2007 references these tables when it makes routing decisions. The
cache is updated when the routing topology changes. The Exchange services that are used
during message transport are common to both the Hub Transport server role and the Edge
Transport server role. However, the Edge Transport server role does not cache information
about the Active Directory topology.
The following configuration and service components are important to internal message routing:
• Active Directory sites An Active Directory site represents the routing boundary for
Hub Transport servers. A Hub Transport server delivers directly to Mailbox servers,
distribution group expansion servers, and to source servers for connectors in the local
Active Directory site and to Edge Transport servers subscribed to that site. However, a Hub
Transport server must relay messages to another Hub Transport server for recipients,
expansion servers, and connectors that are located in remote Active Directory sites. The
Hub Transport server role must be deployed in every Active Directory site that contains
other Exchange 2007 server roles.
• Active Directory IP site links Active Directory IP site links define logical paths
between Active Directory sites. Exchange 2007 references the IP site link objects to
determine the least cost routing path of remote Active Directory sites.
• Send connectors Send connectors are used for routing messages to address
spaces. When a message is delivered to an external domain, the routing destination is
typically a Send connector. An Exchange organization that accepts messages for more
than one e-mail domain may decide to create Send connectors that are dedicated to each
address space.
• Routing groups Routing groups represent a routing boundary for Exchange 2003
and Exchange 2000. If Exchange 2007 is deployed in an existing organization, routing
must consider the location of servers within routing groups to deliver a message to a
mailbox or a connector that resides on an earlier version of Exchange Server. To implement
compatibility with earlier versions of Exchange Server, all computers that are
running Exchange 2007 deployed in the organization belong to a single, global routing
group.
373
• Routing group connectors Routing group connectors define logical paths between
Exchange routing groups. If Exchange 2007 is deployed in an existing Exchange 2003 or
Exchange 2000 organization, messages are routed between server versions through
routing group connectors. When the first Hub Transport server is deployed, the setup
process prompts you to create a routing group connector from the global Exchange 2007
routing group to a legacy routing group. For more information about message routing in an
environment where more than one version of Exchange Server version is deployed,
see Message Routing in a Coexistence Environment.
• Microsoft Exchange Transport service The Microsoft Exchange Transport service
is the Simple Mail Transfer Protocol (SMTP) provider for Exchange 2007 and controls
every component of message processing, from SMTP IN to SMTP OUT. A series of
configurable SMTP Receive agents are triggered at various SMTP events.
The Microsoft Exchange Transport service enables these agents to process messages as
they pass through SMTP transport and perform anti-spam, antivirus, and other tasks before
messages are submitted to the categorizer.
Recipient resolution, routing, and content conversion occur during categorization.
Additional agents are also triggered at this point of the transport pipeline. The
Microsoft Exchange Transport service also uses the topology discovery module for
Exchange topology discovery. For more information about the components and processing
provided by the Microsoft Exchange Transport service, see Microsoft Exchange Server
2007 Transport Architecture Diagrams.
• Microsoft Exchange Active Directory Topology service The
Microsoft Exchange Active Directory Topology service is responsible for locating the
domain controllers and global catalog servers that Exchange 2007 can use to retrieve
configuration and recipient data from Active Directory. The
Microsoft Exchange Active Directory Topology service is also responsible for keeping
Active Directory site affinity for an Exchange 2007 server up to date.
• Routing tables The routing tables hold the information that the routing component
uses to make routing decisions. The routing table is composed of a map of topology
components and their relationship to one another.
• DNS Exchange 2007 uses an enhanced Domain Name System (DNS) client, a
component of the Microsoft Exchange Transport service, to resolve the next hop selection
to a list of target server names. The standard DNS client is used to resolve that list of
server names to IP addresses. Enhanced DNS also provides load-balancing functionality
for Exchange 2007 transport servers by using round robin.
• SMTP SMTP is used for communication when messages are relayed between SMTP
servers. An SMTP server can be a Hub Transport server, Edge Transport server,
Exchange 2000 server, Exchange 2003 server, or even a smart host. A Hub Transport
server uses remote procedure call (RPC) to deliver messages directly to Mailbox servers
that have the same Active Directory site membership as the Hub Transport server.
374
Active Directory Sites
An Active Directory site is a logical configuration component that is based on the physical
aspects of the network. The primary purpose for creating an Active Directory site is to define
which subnets in the network are connected in a way that optimizes control of Active Directory
replication traffic. Replication traffic in an Active Directory site can flow without using
connectors or scheduling. However, when replication traffic must flow between Active Directory
sites, it is controlled by the configuration of Active Directory site links. Active Directory sites can
host servers from more than one domain. And a domain can be represented in more than one
Active Directory site.
The Active Directory site represents a routing boundary for Exchange 2007. Computers that
have the Hub Transport server role installed make routing decisions based on the
Active Directory site topology.
Determining Site Membership
By default, an Active Directory forest contains only one Active Directory site. The default name
for this Active Directory site is Default-First-Site-Name. If no other Active Directory sites are
created, all domain member computers in the forest are members of Default-First-Site-Name.
And you don't have to configure a subnet-to-site association. If additional Active Directory sites
are created, you must specify the subnets that are assigned to that Active Directory site.
Each Active Directory site is associated with one or more IP subnets. An administrator
assigns Active Directory site membership to computers that are configured as domain
controllers and global catalog servers. Other domain member computers, such as Exchange
servers, are assigned Active Directory site membership automatically when they are configured
to use an IP address that is in an IP subnet that is associated with an Active Directory site.
Computers that have the same Active Directory site membership are presumed to have good
network connectivity. A server is always a member of a single Active Directory site.
When an application can determine the Active Directory site membership of the computer
where it is installed and of other computers in the forest, and then use that information to
control communication flow, it is a site-aware application. When site-aware applications must
use the services of another server, such as a domain controller or global catalog server, priority
is given to the servers that have the same Active Directory site membership as the computer
that is requesting those services.
Exchange 2007 is a site-aware application and uses the Active Directory topology for message
routing and to communicate with the services that are running on computers that have other
Exchange 2007 server roles installed. The Active Directory site is not only the routing boundary.
It is also the service discovery boundary.
Determining site membership for a domain member computer depends on a series of DNS
queries to compare the local IP address to defined subnets and then determine the appropriate
site membership association. To reduce the overhead that is associated with DNS queries, the
375
Exchange 2007 Active Directory schema additions include the msExchServerSite attribute for
the Exchange server object. The value of this attribute is the distinguished name of the
Active Directory site of an Exchange server. This attribute is a property of each Exchange
server object. When site membership affinity is stored as an attribute of the server object, the
current topology can be read directly from Active Directory instead of relying on DNS queries
and a site membership association is enabled for a non-domain computer, such as a
subscribed Edge Transport server.
The value for the msExchServerSite attribute is populated and kept up to date by the
Microsoft Exchange Active Directory Topology service. When a Windows-based computer
starts, the Net Logon service determines site membership for the computer. The Net Logon
service uses that information to locate domain controllers that are located in the same
Active Directory site as the local computer and then directs authorization and authentication
requests to those servers. The Microsoft Exchange Active Directory Topology service uses the
DsGetSiteName API call to retrieve the site membership value from the Net Logon service and
writes the Active Directory site's distinguished name to the msExchangeServerSite attribute
for the Exchange server object in Active Directory.
Table 34 shows how an organization might define Active Directory sites. In this example, three
Active Directory sites are defined, and each Active Directory site is associated with more than
one IP subnet.
Table 34 Example of an Active Directory site-to-subnet association
Active Directory site name
Associated IP subnets
Site A
192.168.1.0/24
192.168.2.0/24
Site B
192.168.3.0/24
192.168.4.0/24
Site C
192.168.5.0/24
192.168.6.0/24
If a server named HubTransportA has the IP address of 192.168.1.1, it is a member of Site A.
By changing the IP address of a server, you may change its site membership. If you change the
IP address of HubTransportA to 192.168.2.1, it won't change the server's Active Directory site
membership because that subnet is also associated with Site A. However, if you move the
server and the IP address changes to 192.168.3.1, the server would be considered a member
of Site B.
A change in site membership can also occur if you change the association of subnets to
Active Directory sites. For example, if you remove the subnet 192.168.3.0 from association with
Site B and associate it with Site A, the site membership of a server that has the IP address of
376
192.168.3.1 also changes to Site A. Whenever a change in site membership occurs,
Exchange 2007 must update its configuration data so that the change is considered when
Exchange 2007 makes routing decisions. Some latency occurs between the time that a change
in an Active Directory site membership occurs and the topology change is fully propagated. The
following communication must occur in the following order to propagate topology changes:
1. The change in site membership is written to a domain controller. The updated
information replicates between the domain controllers in each Active Directory site in the
forest. The time that is required for the change to propagate fully throughout the forest
depends on the Active Directory replication topology and schedule as defined by site links.
2. The Net Logon service runs on all Windows-based computers and polls frequently for
changes in Active Directory site membership. The Net Logon service polls at five-minute
intervals. Therefore, the change is detected by the Net Logon service within five minutes of
the local domain controller receiving the update.
3. The Microsoft Exchange Active Directory Topology service queries the Net Logon
service at 15-minute intervals to determine the Active Directory site membership of the
local Exchange server. If a change is detected, the Microsoft Exchange Active Directory
Topology service updates the MsExchServerSite attribute.
4. The changed site attribute value of the Exchange server configuration object is then
replicated throughout the organization. The Exchange servers in the organization detect
this change. Then the routing tables are updated with the new Active Directory site
membership attribute value.
Some latency occurs between the time that an Active Directory site membership change takes
effect and the time that the updated information is available to another Exchange 2007 server.
For more information about how Exchange 2007 handles these types of configuration changes,
see "Rerouting and the Unreachable Queue" later in this document.
IP Site Links
Site links are logical paths between Active Directory sites. A site link object represents a set of
sites that can communicate at a uniform cost through a specified intersite transport. Site links
don't correspond to the actual path taken by network packets on the physical network.
However, the cost assigned to the site link by the administrator typically relates to the
underlying network reliability, speed, and available bandwidth. For example, the
Active Directory administrator would assign a lower cost to a network connection with a speed
of 100 megabits per second (Mbps) than to a network connection with a speed of 10 Mbps.
The default cost for a site link is 100. A valid site link cost can be any number from 1 to 99,999.
If you specify redundant links, the link with the lowest cost assignment is always preferred.
By default, all site links are transitive. This means that if Site A has a link to Site B, and Site B
has a link to Site C, Site A is transitively linked to Site C. The transitive link between Site A and
Site C is also known as a site-link bridge. If an IP network is not fully routed, an Active Directory
377
administrator can disable automatic bridging of all site links and manually specify the site links
that can communicate transitively by configuring site-link bridges. Disabling the automatic
bridging of all site links is not supported for Exchange 2007.
An Active Directory site link can be configured to use either IP or SMTP as the transport
protocol for communication. Exchange 2007 considers only IP site links when it makes routing
decisions. An SMTP site link is limited in the types of data that can be replicated by using that
protocol and is designed to provide a store and forward mechanism for replication between
Active Directory sites that do not have a reliable network link. An IP site link is not limited in the
types of data that can be replicated across it. Exchange 2007 uses only IP site links to
determine its routing topology. The cost that is assigned to the IP site link will be considered by
the routing component of Exchange 2007 when calculating a routing table. These costs are
used to calculate the least cost routing path to the ultimate destination for a message.
Note:
An IP site link can also be assigned a schedule and a replication interval. Those
attributes do not affect Exchange 2007 mail flow.
Every Active Directory site must be associated with at least one IP site link. There is a single
default IP site link named DEFAULTIPSITELINK. When you create an Active Directory site, you
must associate that site to an IP site link. You can create additional IP site links to implement
the desired topology or you can associate every Active Directory site to the
DEFAULTIPSITELINK. Each Active Directory site that is part of an IP site link can communicate
directly with every other site in that link at a uniform cost. An IP site link always enables
communication between servers in both directions. If additional IP site links are not created,
and all Active Directory sites are associated with the DEFAULTIPSITELINK, the effect is called
a full mesh topology. A full mesh topology is a network architecture in which each network
segment can reach any other network segment directly through a point-to-point physical or
logical connection.
In Figure 68, four Active Directory sites are configured in the forest. Every site has been
associated with the DEFAULTIPSITELINK. Therefore, each Active Directory site communicates
directly with every other site by using the same cost metric. More than one communication path
is indicated, but only a single IP site link is defined.
378
Figure 68 Full mesh topology with a single IP site link
In Figure 69, four Active Directory sites are configured in the forest. In this topology, the
administrator has configured IP site links to create a hub-and-spoke topology of
Active Directory sites. Each spoke site can communicate directly with the central site, and the
spoke sites can communicate with one another by using the transitive IP site links.
Figure 69 Hub-and-spoke topology of Active Directory IP site links
An Active Directory administrator implements the topology that best represents the connectivity
and communication requirements of the forest. Because the same topology is used by
Exchange 2007, you must make sure that the current topology supports efficient messaging
communication. An Exchange Organization Administrator can assign an Exchange-specific cost
to an IP site link. If an Exchange cost is assigned to an IP site link, it will be used by
379
Exchange 2007. Otherwise, the Active Directory cost is used. For more information about how
to set an Exchange cost on an IP site link, see "Controlling IP Site Link Costs" later in this
document. An administrator who has membership in the Enterprise Administrators group can
create additional IP site links.
For more information about Active Directory site configuration, see Designing the Site Topology.
Topology Discovery
The Exchange 2007 topology relies on the Active Directory site topology and does not have its
own configuration. The Active Directory topology is made available to Exchange 2007 by the
following required elements:
•
The Microsoft Exchange Active Directory Topology service
•
The topology discovery module inside the Microsoft Exchange Transport service
The Microsoft Exchange Active Directory Topology service runs on all Exchange 2007 server
roles, except the Edge Transport server role. These Exchange 2007 servers use the
Microsoft Exchange Active Directory Topology service to discover the domain controllers and
global catalogs servers that can be used by the Exchange servers to read and write
Active Directory data. Exchange 2007 binds to the identified directory servers whenever
Microsoft Exchange has to read from or write to Active Directory.
The topology discovery module is part of the Microsoft Exchange Transport service and
provides information about the Active Directory topology to Exchange servers. This API
discovers the Exchange servers and roles in the organization and determines their relationship
to the Active Directory configuration objects. Configuration data is retrieved from
Active Directory and then cached so that it can be accessed by the Exchange services that are
running on that computer.
The topology discovery module performs the following steps to generate an Exchange routing
topology:
1. Data is read from Active Directory. All the following objects are retrieved:
•
Active Directory sites.
•
IP site links.
• All Exchange servers. This includes information about the Exchange 2007
server roles deployed on those servers.
2. The data that is retrieved in step 1 is used to create the initial topology and to begin
linking and mapping the related configuration objects.
3. Exchange servers are matched to Active Directory sites by retrieving the site attribute
value from the Exchange server object that is stored in Active Directory.
4. Routing tables are updated with the collection of information retrieved.
380
This process makes every Exchange 2007 server aware of the other Exchange servers in the
organization and of how close the Exchange servers to one another.
Exchange 2007 Routing Tables
When the Microsoft Exchange Transport service starts, it calculates a set of routing tables that
is based on the snapshot of information that is retrieved from Active Directory or, on an Edge
Transport server, from ADAM. The configuration information that is stored in ADAM includes
available connectors and accepted domains, but does not include topology data.
The routing component refers to the routing tables to determine how to route messages to
recipients. When configuration changes are made, the routing tables are rebuilt. The new
routing tables are used to route new incoming messages. Messages in remote delivery queues
are also rerouted if the routing component determines that they are affected by the
configuration changes. For more information about message rerouting, see "Rerouting and the
Unreachable Queue" later in this document.
The following configuration data is retrieved from Active Directory and made available to the
routing component of Hub Transport servers:
•
Active Directory sites
•
Active Directory IP site links
•
Exchange servers and their relationship to Active Directory sites
•
SMTP connectors
• Non-SMTP connectors. This includes Exchange 2007 foreign connectors and any nonSMTP connectors hosted by Exchange 2003 or Exchange 2000
•
Routing groups
•
Routing group connectors
•
Mailbox stores (private message databases [MDBs])
•
Public folder stores (public MDBs)
•
Public folder hierarchies
Based on this data, the routing component of the Microsoft Exchange Transport
service populates routing tables to help streamline routing decisions. The routing table
correlates the data to create a topology map. This topology map contains the following
elements:
• Linked connectors map This map correlates the identifiers of Receive connectors
on the local server to the linked Send connector.
• Server map All Exchange 2007 Hub Transport servers, Edge Transport servers,
Mailbox servers, and Exchange 2000 and Exchange 2003 servers in the organization are
381
contained in the server map. This map correlates the distinguished name of each
Exchange server to server routing data. This includes the total cost to reach that server.
• Legacy server map All Exchange 2007 Hub Transport servers, Edge Transport
servers, Mailbox servers, and Exchange 2000 and Exchange 2003 servers in the
organization are contained in the legacy server map. This map correlates the legacy
distinguished name of each Exchange server to server routing data. This includes the total
cost to reach that server. This map supports store override functionality. Store override
functionality is specific to public folders.
• MDB map All MDBs in the organization are contained in the MDB map. This map
correlates the distinguished name of each MDB to server routing data. This includes the
total cost to reach that server.
• Active Directory site map This map correlates each Active Directory site to a
structure that contains the least cost routing path from the local site to every other site. The
map includes any hub sites along the least cost routing path. Each routing path hop also
identifies all Hub Transport servers in that site that will be used by the enhanced DNS
component.
• Routing groups map This map associates the total cost and first hop routing group
connector for the least cost routing path from the Exchange 2007 routing group to each
legacy routing group.
• Send connectors map This map identifies the Send connectors configured in the
organization and the source servers for each connector.
The routing tables are built every time that a transport server is started and recalculated when
configuration changes are received. Configuration changes can be detected in any of the
following ways:
• Active Directory change notifications There is a delay between the time that a
notification is received and the time that the change is written to the routing tables. This
delay lets the routing component batch the changes and process more than one change in
a single operation. By default, each notification causes the routing component to delay
processing it by five seconds. For example, if five notifications are received exactly
one second after the previous notification, routing delays processing the change for a total
of nine seconds.
• Configuration reloading caused by service control commands The routing
component reloads the configuration data when the Microsoft Exchange Transport service
is restarted.
• Periodic reload to track changes that are not supported by Active Directory
notifications By default, routing will periodically reload the configuration data to make
sure that all changes are tracked. The configuration reload occurs at six-hour intervals.
The information in the routing tables is logged to routing logs. By default, these logs are located
in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\Routing folder. A new
382
log is generated every time that the routing tables are calculated. If for some reason the Hub
Transport server is unable to contact Active Directory, routing continues to make routing
decisions based on the currently cached data, even though that data may not be up to date.
For more information, see Managing Routing Table Logging.
Determining the Ultimate Destination
A message can be received by a Hub Transport server from any of the following sources:
•
An Edge Transport server that is relaying a message into the organization
•
Mailbox server submission
•
The Pickup directory or Replay directory
•
A Unified Messaging server
•
Internally generated system mail, such as a DSN
•
Another Hub Transport server
•
An Exchange 2003 or Exchange 2000 server
•
Foreign gateways submitting to the Pickup directory
•
Third-party SMTP servers
When a message is received by a Hub Transport server, the message must be categorized.
The first phase of message categorization is recipient resolution. After the recipient has been
resolved, the ultimate destination can be determined. The next phase, routing, determines how
to best reach that destination. A single, deterministic route is selected. That route is not
recalculated unless the routing configuration changes.
From the perspective of the sending server, each delivery queue represents the destination for
a particular message. When the Hub Transport server or Edge Transport server selects the
destination for a message, the destination is stamped on the recipient as the
NextHopSolutionKey attribute. If a single message is being sent to more than one recipient,
each recipient has the NextHopSolutionKey attribute. The receiving server also performs
message categorization and queues the message for delivery. After a message is queued, you
can examine the delivery type for a particular queue to determine whether a message will be
relayed again when it reaches the next hop destination.
The destination for a message can be classified as one of the following delivery types:
• DNS connector delivery The messages are queued for delivery to an external
recipient by using an SMTP Send connector for which the local server is a source server.
The connector is configured to use DNS to resolve the recipient addresses.
• Non-SMTP gateway delivery The messages are queued for delivery to an external
recipient by using a foreign connector for which the local server is a source server. This
383
delivery type is used only when the messages are being delivered to the foreign connector
drop directory on the local server.
• Smart host connector delivery The messages are queued for delivery to an
external recipient by using an SMTP Send connector for which the local server is a source
server. The connector is configured to use a smart host for delivery.
• SMTP relay in an Active Directory Site to an Edge Transport server The
messages are queued for delivery to an external recipient by using an SMTP Send
connector for which the source server is an Edge Transport server that is subscribed to the
local Active Directory site.
• MAPI delivery The messages are queued for delivery to a recipient's mailbox, a
public folder, or a public folder store that is located on a Mailbox server that is located in
the local Active Directory site.
• SMTP relay in an Active Directory site The messages are queued for delivery to a
Hub Transport server that is located in the same Active Directory site as the local server.
The destination server can be the source server for a Send connector or foreign connector,
the source server of a routing group connector, or a distribution group expansion server.
• SMTP Relay to a Remote Active Directory Site The messages are queued for
delivery to a Hub Transport server that is located in a remote Active Directory site. The
destination server in the remote Active Directory site can be any of the following:
• The source server for a connector that is configured to transport messages for
external recipients
•
The source server for a routing group connector
•
A distribution group expansion server
•
A Mailbox server that is located in the remote Active Directory site
The messages are delivered to one of the Hub Transport servers in the destination site.
The receiving server relays the message within the Active Directory site if it is necessary.
• SMTP relay to a legacy routing group The messages are queued for delivery to the
first hop routing group connector used to reach an Exchange 2003 or
Exchange 2000 routing group. The destination server can be any of the following:
•
The source server for a connector
•
An expansion server
• An Exchange 2003 bridgehead server that delivers messages addressed to
mailbox recipients that are located in the routing group
• Unreachable A route to the recipient could not be determined and the messages are
located in the Unreachable queue.
384
Determining the Least Cost Routing Path
When multiple routing paths exist to a destination, Exchange 2007 routing uses deterministic
algorithms to select a single, deterministic routing path over which to route the message.
Depending on the individual message routing scenario, the following factors may influence the
selection of a least cost routing path:
• Linked connectors If the Receive connector that the message is received on is
linked to a Send connector, messages are routed to that Send connector regardless of
cost. This configuration always takes precedence.
• The cost assigned to the IP site links and routing group connectors that must be
traversed to reach the destination If more than one routing path exists between a
source server and a destination server, the routing path with the lowest aggregate cost is
selected.
• The name assigned to an Active Directory site If more than one routing path
results in the same aggregate cost, the routing component makes an alphanumeric
comparison of the name of the Active Directory sites that precede the target site along
each routing path. And the routing path where the Active Directory site nearest to the
destination is lowest in alphanumeric order is used.
• The name assigned to a routing group connector If more than one routing path
results in the same aggregate cost, the routing component makes an alphanumeric
comparison of the name of the routing group connectors that come before the target
destination along each routing path. The routing path where the routing group connector
nearest to the destination is lowest in alphanumeric order is used.
• The address space assigned to a Send connector The Send connector with the
most specific address space match to the destination is selected.
• The cost assigned to the address space configured on a Send connector If more
than one Send connector is assigned the same address space, the routing component
compares the cost assigned to the address space. The Send connector with the lowest
cost is selected.
• The connector state The Exchange 2007 routing component only considers enabled
connectors when it calculates the routing path. However, earlier versions of
Exchange Server do not consider connector state. For more information, see Message
Routing in a Coexistence Environment.
• Connector scope A connector may be limited to use by Exchange 2007 servers that
are located in the same Active Directory site as the source transport servers for the
connector. In earlier versions of Exchange Server, the connector scope could be limited to
servers that have the same routing group membership.
• Message size restrictions The message size constraint specified on a connector
must be larger than the size of the message being routed. Connectors with a message size
385
restriction that is less than the size of the message are eliminated from routing
consideration.
• The proximity of the destination to the sending server Routing will prefer the
server that is closest, in this order: local server, server in the same Active Directory site,
server in a remote Active Directory site or routing group.
As explained earlier, Exchange 2007 uses a deterministic algorithm to select the least cost
routing path. The following logic is used to select the routing path:
• First, calculate the least cost routing path by adding the cost of the IP site links and of
any routing group connectors that must be traversed to reach the destination. If the
destination is a connector, the cost assigned to the address space is added to the cost to
reach the selected connector. If multiple routing paths are possible, only the routing path
with the lowest aggregate cost is used.
• If more than one routing path has the same aggregate cost, the number of hops in
each path is evaluated and the routing path with the least number of hops is used.
• If more than one routing path is still available, the name assigned to the
Active Directory sites or routing group connectors before the destination are
considered. The routing path where the Active Directory site nearest to the destination is
lowest in alphanumeric order is used. If the site nearest to the destination is the same for
all routing paths being evaluated, an earlier site name is considered.
Figure 70 shows the routing topology for an Exchange organization. This topology is used in
the following examples to demonstrate the logic used by the routing algorithm to select the
least cost routing path.
Figure 70 An Exchange 2007 routing topology
386
Example 1 A message that is being relayed from Site A to Site D can follow two possible
routing paths: Site A-Site B-Site D and Site A-Site C-Site D. The costs assigned to the IP site
links in each routing path are added to determine the total cost to route the message. In this
example, the routing path Site A-Site B-Site D has an aggregate cost of 20. The routing path
Site A-Site C-Site D has an aggregate cost of 10. Routing selects path Site A-Site C-Site D.
Example 2 A message is being relayed from Site B to Site D. There are three possible routing
paths: Site B-Site D with a cost of 15, Site B-Site E-Site C-Site D with a cost of 15, and Site BSite A-Site C-Site D with a cost of 15. Because more than one routing path results in the same
cost, routing selects the routing path Site B-Site D. This has the least number of hops.
Example 3 A message is being relayed from Site A to Site E. There are two possible routing
paths: Site A-Site B-Site E with a cost of 10, and Site A-Site C-Site E with a cost of ten. Both
routing paths have the same cost and same number of hops. The alphanumeric order of the
Active Directory sites immediately before Site E is compared. Site B has a lower alphanumeric
value than Site C. Therefore, routing selects the routing path Site A-Site B-Site E.
After the least cost routing path has been determined, the Exchange 2007 routing component
does not consider alternative routing paths.
An Active Directory site that does not have any Hub Transport servers deployed is not
recognized by routing and does not participate in Exchange topology. However, if such a site
exists along the least cost routing path between sites where Hub Transport servers are
deployed, the IP site link costs of the links connecting that site are considered in the least cost
routing path calculation.
Next Hop Selection
Exchange 2007 Hub Transport servers do not relay to each Active Directory site along the least
cost routing path. After the routing path is determined, the message is relayed directly from the
source server to the next hop. The next hop selection tries to deliver the messages as close as
possible to the ultimate destination. Additional intrasite relay may be required to arrive at the
ultimate destination. When routing to legacy routing groups, direct relay to the Active Directory
site where the source server for the first hop routing group connector resides occurs. After the
message is relayed to the legacy environment, standard legacy routing happens.
Figure 71 shows a simple Exchange topology and illustrates many of the Exchange routing
components.
387
Figure 71 Exchange topology and routing components
Using Figure 71 as a reference, a message that is sent from Mailbox1 in Site A, to the external
recipient joe@contoso.com is processed as follows:
1. The Microsoft Exchange Mailbox Submission service that is running on Mailbox1
notifies a Hub Transport server that is located in the same Active Directory site of the new
mail item for transport.
2. Using RPC, the store driver component on a Hub Transport server in the same
Active Directory site retrieves the message and puts it in the Submission queue on the
local server.
3. From the Submission queue, the message moves through categorization. The
categorizer first performs recipient resolution and determines that joe@contoso.com is an
external recipient.
4. The routing component selects the best connector through which to route the message
and calculates the least cost routing path to that connector. In this example, a Send
388
connector has the address space *.contoso.com and is the connector selected by the
routing component. All the source servers for this Send connector are located in Site B.
5. The routing component determines the next hop required to reach a source server for
the Send connector. The Hub Transport server in Site A queues the message for SMTP
delivery to Site B.
6. If the receiving server in Site B is a source server for the Send connector, it queues the
message for delivery to that Send connector. If the receiving server is not a source server
for the *.contoso.com Send connector, the message is relayed by using SMTP to a Hub
Transport server in Site B that is the source server for the connector.
Table 35 provides additional examples of the next hop selection for several recipients based on
the topology shown in Figure 71.
Table 35 Examples of next hop selection in Figure 71
Receiving server
Ultimate destination
Next hop
Queue delivery type
Hub1
Mailbox1
Mailbox1
MAPI delivery
Hub1
Mailbox2
Site B
SMTP relay to a
remote
Active Directory site
Hub1
Mailbox3
Routing group
connector 1
SMTP relay to a
legacy routing group
Hub1
Recipient@fourthcoffe Hub3
e.com
SMTP relay in an
Active Directory site
Hub1
Recipient@contoso.c
om
Site B
SMTP relay to a
remote
Active Directory site
Hub2
Mailbox1
Site A
SMTP relay to a
remote
Active Directory site
Hub2
Mailbox2
Mailbox2
MAPI Delivery
Hub2
Mailbox3
Site A
SMTP relay to a
remote
Active Directory site
Hub2
Recipient@contoso.c
om
Send connector 2
DNS connector
delivery
389
Hub2
Recipient@fourthcoffe Site A
e.com
SMTP relay to a
remote
Active Directory site
Hub3
Mailbox1
MAPI delivery
Hub3
Recipient@fourthcoffe Send connector 1
e.com
Mailbox1
Smart host connector
delivery
After the least cost routing path has been calculated and the next hop destination has been
chosen, Exchange 2007 routing tries to relay the message directly to the destination. However,
in some configuration scenarios, direct relay does not occur. For example, an Exchange
administrator can configure an Active Directory hub site to force message delivery to relay
through a particular Active Directory site in situations where direct communication between
Active Directory sites is not possible because of network security or connectivity restrictions.
For more information, see "Implementing Hub Sites" later in this document.
A message that is being delivered to more than one recipient may also be relayed through an
interim site. Exchange 2007 is designed to minimize network bandwidth usage. One feature of
this design is the ability to delay generation of multiple copies of a message for delivery to
recipients in different destinations until a fork in the delivery path is reached. This feature is
known as delayed fan-out. For more information, see "Delayed Fan-Out" later in this document.
Queue at Point of Failure
The least cost routing path calculation is used to determine a backoff path when message
delivery to the next hop fails. In Exchange 2007, backoff is a mechanism used to deliver
messages at an interim hop along the least cost routing path when direct relay fails for any
reason, such as network issues or servers going offline. The routing component tries to deliver
messages as close to the destination as possible by backing off, hop by hop, along the least
cost routing path until a connection is made. First, a connection attempt is made to each Hub
Transport server in the destination Active Directory site. If no Hub Transport servers in the
Active Directory site respond, the least cost routing path is checked to determine how to start
backing off from the delivery site. The goal is to deliver the message as close as possible to the
destination and queue it at a Hub Transport server in that Active Directory site. This behavior is
known as queue at point of failure. When the message is queued at the point in the delivery
path where communication failed, this will help you determine why the message delivery failed.
In Figure 6, if a message is being delivered between Site A and Site D, the least cost routing
path may be Site A-Site B-Site C-Site D. Delivery will first be tried directly from Site A to Site D.
If no Hub Transport server in Site D responds, delivery will be tried to the Hub Transport
servers in Site C. This process continues until a Hub Transport server accepts the message. If
all intermediate sites are unavailable, the message will be queued at the source site. If the
message is queued in Site C, you can start investigating the failure at the Hub Transport
servers in Site D or the network connectivity between Site C and Site D. When the message is
390
queued at the point of failure, the queue is put in a retry state and delivery attempts continue
based on the message retry intervals until delivery succeeds or the message expires. The
queue is automatically resubmitted for recategorization after a default interval of 12 hours.
Queues that have a connector as the next hop destination are not automatically resubmitted
unless a configuration change that causes resubmission occurs.
You can use the Exchange Mail Flow Troubleshooter to help diagnose problems with mail flow.
This tool is a component of the Microsoft Exchange Troubleshooting Assistant and can be run
from the Toolbox of the Exchange Management Console.
In Figure 72, a message is being sent from Site A for delivery to Site D. The Hub Transport
servers in Site D are offline. Therefore, the message queues at Site C.
Figure 72 Queue at point of failure
In more complex topologies, the least cost routing path between two Active Directory sites can
contain many intermediate Active Directory sites. If a network issue occurs somewhere early
along the routing path, it may be too inefficient to back off site by site from the end and try to
deliver to every one of the intermediate sites. If the routing path is longer than four hops, binary
backoff is implemented until four or fewer sites are remaining. Binary backoff means that the
next connection attempt is made at the halfway point in the routing path. For example, if the
least cost routing path from Active Directory Site A to Site Q is A - B - C - D - E - F - G - H - I - J
- K - L - M - N - O - P- Q and the network failure occurs at the link between Site B and Site C,
the first connection attempt is made to all Hub Transport servers in Site Q. When the
connection attempt fails, the next attempt is made to all Hub Transport servers in Site I. This is
halfway to Site Q. When that connection attempt fails, the next connection attempt is made to
all Hub Transport servers in Site E. This is halfway between Site A and Site I. When that
connection attempt fails, connection attempts are made to Site D, Site C, and Site B because
they are closer than four links to the source site. The message will eventually be queued on a
Hub Transport server in Site B until the B-C link connectivity is restored.
391
Implementing Hub Sites
In your Exchange organization, you may have to force all message delivery to be relayed
through a particular Active Directory site. In this scenario, connectivity may prevent direct
SMTP relay between sites. Therefore, messages must be relayed through an interim site
before they are sent to their destination. Because of an Exchange organization's internal
policies, an administrator may also want to relay all messages through a particular site. You
can use Exchange Management Shell tasks to designate an Active Directory site as a hub site.
By designating an Active Directory site as a hub site, you cause additional overall overhead
because more servers are involved in message delivery. For example, consider a message that
is sent from Site A to Site E. If the least cost routing path is Site A-Site B-Site C-Site D-Site E,
and you designate Site C as a hub site, the message is relayed from Site A to Site C and then
relayed from Site C to Site E.
You use the Set-ADSite cmdlet to specify an Active Directory site as a hub site. Whenever a
hub site exists along the least cost routing path for message delivery, the messages queue and
are processed by the Hub Transport servers in the hub site before they are relayed to their
ultimate destination. To set Site C as a hub site, run the following command in the Exchange
Management Shell:
Set-AdSite -Identity "Site C" -HubSiteEnabled $true
After the least cost routing path is chosen, routing determines whether there is a hub site along
that routing path. If a hub site is configured, messages stop at a Hub Transport server in the
hub site before they are relayed to the target destination. If there is more than one hub site
along the least cost routing path, messages stop at each hub site along the routing path.
You must understand that this variation to direct relay routing only is in effect when the hub site
is located along the least cost routing path. Figure 73 shows the correct use of a hub site. In
this diagram, Site B is configured as a hub site. Messages that are relayed from Site A to Site D
are relayed to Site B before they are delivered to Site D.
392
Figure 73 Message delivery with a hub site
Figure 74 shows how IP site link costs affect routing to a hub site. In this scenario, Site B has
been designated as a hub site. However, because it does not exist along the least cost routing
path between any other sites, queuing at Site B before delivery to the destination does not
occur. An Active Directory site is never used as a hub site if it is not on the least cost routing
path between two other sites.
393
Figure 74 Misconfigured hub site
You can configure any Active Directory site as a hub site. However, for this configuration to
work correctly, you must have deployed at least one Hub Transport server in the hub site.
Controlling IP Site Link Costs
As an Exchange administrator, you should work closely with the Active Directory administrator
of your organization when you evaluate how the Active Directory site topology affects Exchange
routing. Because Active Directory IP site links costs are based on relative network speed
compared to all network connections in the wide area network, and are designed to produce a
reliable and efficient replication topology, the existing IP site link costs should work well for
Exchange 2007 message routing. However, if, after documenting the existing Active Directory
site and IP site link topology, you verify that the Active Directory IP site link costs and traffic flow
patterns are not optimal for Exchange 2007, you can make adjustments to the costs evaluated
by Microsoft Exchange. As an Exchange administrator, you cannot and should not modify the
cost assigned to the IP site link by using Active Directory tools. Instead, use the SetADSiteLink cmdlet in the Exchange Management Shell to assign an Exchange-specific cost to
the IP site link. For example, to set a different cost on the IP site link SITELINKAB for message
routing purposes, run the following command in the Exchange Management Shell:
Set-AdSiteLink -Identity SITELINKAB -ExchangeCost 25
When an Exchange cost is assigned to an IP site link, the Exchange cost overrides the
Active Directory cost for message routing purposes, and routing only considers the Exchange
394
cost when it evaluates the least cost routing path. Otherwise, the Active Directory replication
cost is used.
Adjusting IP site link costs can be useful when the message routing topology has to diverge
from the Active Directory replication topology. Exchange costs can be used to force all
message routes to use a hub site. Exchange costs can also be used to control where
messages are queued when communication to an Active Directory site fails. Figure 75 shows
an Active Directory topology with four sites.
Figure 75 Topology with Exchange costs configured on IP site links
In Figure 75, the network connection between Site C and Site D is a low bandwidth connection
that is only used for Active Directory replication and should not be used for message routing.
However, the Active Directory IP site link costs cause that link to be included in the least cost
routing path from any other Active Directory site to Site D. Therefore, messages are delivered
to the Site D queue in Site C. The Exchange administrator prefers that the least cost routing
path include Site B instead so that if Site D is unavailable, the messages will queue at Site B.
Configuring a high Exchange cost on the IP site link between Site C and Site D prevents that IP
site link from being included in the least cost routing path to Site D.
395
Delayed Fan-Out
A single e-mail message can be addressed to more than one recipient. These recipients may
have internal mailboxes, or they may be external recipients. To route a single message to more
than one recipient, the following steps occur:
1. Recipient resolution Each recipient of the message is resolved to a delivery
destination.
2. Routing The least cost routing path for each recipient is determined. This includes
whether a hub site is configured.
3. Message splitting To route the message to recipients that have different delivery
locations, the message must be split into multiple copies.
After each recipient has been resolved and a routing path to each delivery destination is
determined, Exchange 2007 compares the routing path for each recipient. To preserve
bandwidth, the bifurcation, or splitting of the message into multiple copies, does not occur until
a fork in the routing path is encountered.
For example, if multiple recipients of a single message share part of or all of the least cost
routing path, a single copy of the message is sent until the message reaches the point in the
routing path where a fork occurs. When the divergence in routing paths occurs, the message
splits to create a separate copy for each recipient.
In Figure 76, a single message is sent from Site A to recipients in Site C, Site D, and Site E.
The least cost routing path is shared until the message reaches Site B. In this scenario, a
single copy of the message that contains all recipients is relayed to Site B. This represents the
first fork in the routing path. From Site B, a single message copy is routed to the recipient in
Site D, and a single copy is relayed to Site C. In Site C, the message splits again. A copy of the
message is delivered to the recipient in Site C. And a copy of the message is relayed to Site E
for delivery to the recipient in that site.
396
Figure 76 Delayed message fan-out
Rerouting and the Unreachable Queue
If routing is unable to determine a route for a valid recipient for any reason, the messages are
put in the Unreachable queue. Messages in this queue are rerouted when the configuration
changes are processed and routing tables are recalculated. Messages are not rerouted in the
following scenarios. Instead, a non-delivery report (NDR) is returned to the sender:
• The recipient is a non-SMTP address and a matching connector for the address space
cannot be found.
•
The message does not meet the message size restrictions of any matching connector.
The store driver resubmits the message for rerouting if the following conditions are true:
•
A message is in a MAPI delivery queue.
• Between the time that the next hop was selected and the time that the message is
ready to be delivered, the mailbox is moved to another Mailbox server.
During enhanced DNS resolution, routing tries to detect if a queue has to be rerouted. During
this phase, the NextHopSolutionKey attribute is resolved to a list of targets. This enables
397
routing to automatically detect any configuration changes that invalidate or modify the
NextHopSolutionKey attribute. If routing detects that configuration changes require rerouting
of messages in a queue, the messages in the affected queue are resubmitted to the categorizer
for rerouting.
Not all configuration changes require resubmission of the messages in the queue. For
example, a change to the list of smart hosts for a connector is automatically detected.
For More Information
For more information, see the following topics:
•
Message Routing in a Coexistence Environment
•
How to Configure a Hub Site
•
How to Set an Exchange Cost on an Active Directory IP Site Link
•
Managing Connectors
•
EdgeSync and Send Connectors
Message Routing in a Coexistence
Environment
This topic describes how message routing occurs when Microsoft Exchange Server 2007
coexists in the same Exchange organization with Exchange Server 2003 or
Exchange 2000 Server computers. Make sure that you understand the routing changes that are
introduced by the addition of Exchange 2007 to an existing Exchange organization so that you
can configure connectors and avoid routing loops. When a large organization is transitioning
from Exchange 2003 to Exchange 2007, a period of coexistence between the versions is likely.
Routing Changes
Exchange 2007 introduces routing changes that take advantage of the existing
Active Directory directory service site topology and the underlying network to provide an
efficient, deterministic routing topology. When Exchange 2007 coexists with Exchange 2003 or
Exchange 2000, you must perform additional configuration tasks to support message routing
between the server versions. Table 36 summarizes the changes in message routing between
versions of Exchange Server.
Table 36 Routing differences between versions of Exchange Server
398
Exchange 2007
Exchange 2000 and Exchange 2003
Exchange uses Active Directory sites to
determine an intra-organizational routing
topology. All Exchange 2007 servers are
associated with a single routing group for the
purposes of routing to earlier versions of
Exchange Server.
Exchange uses routing groups to determine an
intra-organizational routing topology.
Exchange determines the least cost route
between Hub Transport servers by using
Active Directory directory service IP site link
costs.
Exchange determines the least cost route
between bridgehead servers by using routing
group connector costs.
Exchange uses direct relay to deliver
messages between Hub Transport servers.
Exchange relays through bridgehead servers
in each routing group in the routing path.
When Exchange can't connect, it uses the
least cost routing path information to back off
from the destination until a connection can be
made to a Hub Transport server. Messages
queue at the reachable site that is closest to
the destination. This behavior is known as
queue at point of failure.
When Exchange can't connect to the next hop
in a routing path, tries to reroute the message
over an alternative path.
When a message is being sent to multiple
recipients, Exchange delays message splitting
until a fork in the routing path is reached. This
behavior is known as delayed fan-out.
When a message is being sent to multiple
recipients, message splitting occurs
immediately after recipient resolution.
Each Hub Transport server queries
Active Directory separately to retrieve the
routing configuration used to calculate a
routing table and to receive configuration
updates.
Exchange uses a link state table to store a
routing table and advertises configuration
changes by using link state updates. The
routing group master retrieves updates from
Active Directory and coordinates the
propagation of link state changes that are
learned by servers in its routing group.
Introducing the First Exchange 2007 Server
When the first Exchange 2007 server is installed in an existing Exchange organization, you are
prompted to select a bridgehead server in the existing organization with which to establish the
initial routing group connector. Exchange 2007 only uses routing group connectors when it
communicates with Exchange 2003 or Exchange 2000 servers in the same Exchange
organization. During Exchange 2007 setup, a routing group connector is created in both
399
directions between the Exchange 2007 routing group and an Exchange 2003 or Exchange
2000 routing group. The Exchange 2003 or Exchange 2000 bridgehead server that you select
during setup determines with which routing group the connection is made. After setup is
complete, it is a best practice to add source and target servers to the routing group connectors
for load balancing and redundancy.
All Exchange 2007 servers are automatically put in a single routing group that is called
Exchange Routing Group (DWBGZMFD01QNBJR). Exchange 2007 servers and Exchange
2003 or Exchange 2000 servers cannot reside in the same routing group. You cannot create
additional routing groups in which to put Exchange 2007 servers. The Exchange 2007 routing
group is created strictly for coexisting with earlier versions of Exchange. The initial routing
group connectors that are created during setup determine how messages flow between
Exchange versions. The initial routing group connector is assigned a cost of 1. The Hub
Transport server role that you installed and the Exchange 2003 or 2000 bridgehead server that
you selected are set as the source and target servers. Permissions are granted to the
bridgehead server to send e-mail to and receive e-mail from Exchange 2007 Hub Transport
servers.
Important:
Do not move Exchange 2007 servers out of Exchange Routing Group
(DWBGZMFD01QNBJR) and do not rename Exchange Routing Group
(DWBGZMFD01QNBJR) by using a low-level directory editor. Exchange 2007 must
use this routing group to communicate with earlier versions of Exchange. We do not
support moving Exchange 2007 servers out of Exchange Routing Group
(DWBGZMFD01QNBJR) or renaming of Exchange Routing Group
(DWBGZMFD01QNBJR).
The Exchange 2003 routing group to which you create your initial connection is important and
depends on the structure of your current environment. Ideally, your routing groups mirror your
Active Directory site structure, and your routing group connectors are in a hub-and-spoke
format. In this scenario, your first Exchange 2007 deployment will be near the hub routing
group. You should create your first connector to a bridgehead server in that routing group.
Creating Additional Routing Group Connectors
All messages that are relayed between Exchange 2007 and Exchange 2003 are routed through
the initial routing group connector. This can create excessive routing hops as more Exchange
2007 servers are deployed in additional Active Directory sites. Exchange 2007 servers in all
sites are considered members of the same routing group. For example, suppose you have
routing groups in Hong Kong, London, and Chicago. If your first Exchange 2007 server is
deployed in Chicago, it makes sense to establish the first routing group connector to a
bridgehead server in Chicago. However, if you then deploy an Exchange 2007 server in Hong
Kong, when messages are sent from users whose mailboxes are on Exchange 2003 servers in
400
Hong Kong to users whose mailboxes are on Exchange 2007 servers in Hong Kong, the
messages will be routed through Chicago.
To avoid such excessive routing hops, you can create another routing group connector that
connects the single Exchange 2007 routing group to the Hong Kong routing group. In this
scenario, you must make sure that you perform the configuration steps that avoid potential
routing loops. We recommend that you transition all the Exchange 2003 servers in a routing
group at the same time to avoid a routing topology that results in many hops.
To create a routing group connector that includes an Exchange 2007 Hub Transport server as
either a source server or target server, you must use the New-RoutingGroupConnector
cmdlet in the Exchange Management Shell. By default, a routing group connector that is
created by using this cmdlet will have a default cost of 1 and will have public folder referrals
enabled. To create the reciprocal routing group connector in a single operation, you must set
the Bidirectional parameter is $True. For more information, see the following topics:
•
Routing Group Connector Cmdlets
• How to Create Routing Group Connectors from Exchange 2007 to Exchange Server
2003
Coexistence and Link State
When only one routing group connector is established between Exchange 2003 and Exchange
2007, you do not have to make any changes to link state, and routing loops will not occur.
However, if more than one routing group connector is configured between Exchange 2003 and
Exchange 2007, the minor link state updates that are transmitted between Exchange 2003
servers can introduce problems. When Exchange 2003 detects that a connector is unavailable,
link state updates are communicated throughout the Exchange organization to notify them of
the connector down state. The Exchange 2003 bridgehead server also tries to determine an
alternative route for message transfer to the destination server. However, Exchange 2007 does
not use link state to determine a routing path. The Exchange 2007 Hub Transport server will be
unaware of the down connector state and may decide to route a message back through a
routing path that Exchange 2003 is trying to route around.
Exchange 2003 may try a routing path other than the least cost routing path when it detects
that a connector is down. However, Exchange 2007 will always use the least cost route,
introducing the potential for a routing loop to occur.
To avoid routing loops, you must suppress minor link state updates before introducing
additional routing group connectors. Minor link state updates are sent between Exchange 2003
servers to update the link state routing table to indicate that a connector is down. When the
SuppressStateChanges registry key is set, you are turning off the ability for a connector to be
marked as down. Link state messages are also used to notify Exchange 2003 servers of
configuration changes to the Exchange organization, such as the addition or removal of a
401
connector or a server. When you suppress minor link state updates, it does not prevent these
major link state update messages from being communicated.
When minor link state updates are suppressed, Exchange 2003 also only uses least cost
routing. This eliminates the chance for routing loops to occur. We recommend that you
suppress link state updates on every Exchange 2003 server in the organization to maintain a
consistent configuration.
Important:
If configuration changes are made in Exchange Routing Group
(DWBGZMFD01QNBJR) some latency may occur before those changes are received
by Exchange Server 2003 servers and propagated by the Exchange 2003 routing
group masters. The delay will depend on how frequently the routing group masters poll
for configuration changes in other routing groups. By default, the polling interval is set
to one hour. To immediately register all changes in Exchange Routing Group
(DWBGZMFD01QNBJR) on Exchange 2003 servers, you must restart the routing
group masters.
SMTP Connectors
Exchange 2003 and Exchange 2007 can both route to a connector that is hosted by either
Exchange Server version. However, because of schema differences in connector configuration,
some settings of the Send connector on an Exchange 2007 server will not be recognized by an
Exchange 2003 server, and some settings on an SMTP connector on an Exchange 2003 server
will not be recognized by an Exchange 2007 server. These differences can cause conflicts
when the routing selection is made. Table 37 summarizes the differences in connector feature
support between Exchange 2003 and Exchange 2007.
Table 37 Connector feature support
Connector feature
Exchange Server version
Comment
support
Per user connector delivery
restrictions
Exchange 2003
Exchange 2007 may route a
message to an
Exchange 2003 connector that
does not allow connections
from the sending user.
402
Message priorities
Exchange 2003
Exchange 2007 does not
assign message priority and
will bypass any priority
restrictions set on an
Exchange 2003 SMTP
connector.
Message type (system and
non-system designations)
Exchange 2003
Exchange 2007 does not
assign message type and will
bypass any message type
restrictions set on an
Exchange 2003 SMTP
connector.
Connector scope
Exchange 2003 and
Exchange 2007
Exchange 2003 and
Exchange 2007 define
connector scope differently. An
Exchange 2003 connector can
be scoped to only allow
servers within the same
routing group to use the
connector. An Exchange 2007
connector can be scoped to
only allow servers within the
same Active Directory site to
use the
connector. Exchange 2003 will
recognize all scoped
connectors in other routing
groups as out of scope,
including any scoped
connectors in the
Exchange 2007 routing group.
Exchange 2007 will recognize
all scoped
Exchange 2003 connectors
and scoped
Exchange 2007 connectors in
other Active Directory sites as
out of scope. Messages are
not routed to connectors that
are recognized as being out of
scope.
403
Maximum message size
Exchange 2003 and
Exchange 2007
Message size restrictions set
on either server version will be
applied to all messages that
are routed through the
connector.
Enabled and disabled
property setting
Exchange 2007
Exchange 2003 does not
recognize this setting and will
continue to route to an
Exchange 2007 connector that
is disabled.
For More Information
For more information, see the following topics:
•
Planning for Coexistence
•
Planning to Use Active Directory Sites for Routing Mail
•
Best Practices for Transitioning an Exchange Organization
•
Upgrading to Exchange 2007
•
Coexisting with Exchange Server 2003 and Exchange 2000 Server
•
Routing Group Connector Cmdlets
•
How to Install Exchange 2007 in an Existing Exchange Server 2003 Organization
Anti-Spam and Antivirus Functionality
Spammers, or malicious senders, use a variety of techniques to send spam into your
organization. No single tool or process can eliminate all spam.
Microsoft Exchange Server 2007 builds on the foundation of Exchange Server 2003 to provide
a layered, multipronged, and multifaceted approach to reducing spam and viruses.
Exchange 2007 includes a variety of anti-spam and antivirus features that are designed to work
cumulatively to reduce the spam that enters your organization. Exchange 2007 also includes
improved infrastructure for antivirus applications.
You can reduce the incidences of virus outbreaks and attacks by malicious software, which is
also referred to as malware, in your organization if you reduce the overall volume of spam that
enters your organization. When you eliminate the bulk of the spam at the computer that has the
Edge Transport server role installed, you save lots of processing resources, bandwidth, and
404
storage when the messages are scanned for viruses and other malware further along the mail
flow path.
The layered approach to reducing spam refers to the configuration of several anti-spam and
antivirus features that filter inbound messages in a specific order. Each feature filters for a
specific characteristic or set of related characteristics on the inbound message.
The following sections provide brief descriptions of each default anti-spam and antivirus
feature.
Anti-Spam and Antivirus Filters
The anti-spam and antivirus filters are applied in the following order. For more information, see
Understanding Anti-Spam and Antivirus Mail Flow.
• Connection filtering Connection filtering inspects the IP address of the remote
server that is trying to send messages to determine what action, if any, to take on an
inbound message. The remote IP address is available to the Connection Filter agent as a
byproduct of the underlying TCP/IP connection that is required for the Simple Mail Transfer
Protocol (SMTP) session. Connection filtering uses a variety of IP Block lists, IP Allow lists,
as well as IP Block Providers services or IP Allow Provider services to determine whether
the connection from the specific IP should be blocked or should be allowed in the
organization.
• Sender filtering Sender filtering compares the sender on the MAIL FROM: SMTP
command to an administrator-defined list of senders or sender domains who are prohibited
from sending messages to the organization to determine what action, if any, to take on an
inbound message.
• Recipient filtering Recipient filtering compares the message recipients on the RCPT
TO: SMTP command to an administrator-defined Recipient Block list. If a match is found,
the message is not permitted to enter the organization. The recipient filter also compares
recipients on inbound messages to the local recipient directory to determine whether the
message is addressed to valid recipients. When a message is not addressed to valid
recipients, the message can be rejected at the organization's network perimeter.
• Sender ID Sender ID relies on the IP address of the sending server and the
Purported Responsible Address (PRA) of the sender to determine whether the sender is
spoofed or not. PRA is calculated based on the following message headers:
•
Resent-Sender:
•
Resent-From:
•
Sender:
•
From:
For more information about the PRA, see Sender ID and RFC 4407.
405
• Content filtering Content filtering uses Microsoft SmartScreen technology to assess
the contents of a message. Intelligent Message Filter is the underlying technology of
Exchange content filtering. Intelligent Message Filter is based on patented machinelearning technology from Microsoft Research. During its development, Intelligent Message
Filter learned distinguishing characteristics of legitimate e-mail messages and spam.
Regular updates with Microsoft Anti-spam Update Service ensure that the most up-to-date
information is always included when the Intelligent Message Filter runs. Based on the
characteristics of millions of messages, Intelligent Message Filter recognizes indicators of
both legitimate messages and spam messages. Intelligent Message Filter can accurately
assess the probability that an inbound e-mail message is either a legitimate message or
spam.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing
legitimate messages that are incorrectly classified as spam. Spam quarantine provides a
temporary storage location for messages that are identified as spam and that should not be
delivered to a user mailbox inside the organization.
Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects
data from the anti-spam safe lists that Microsoft Outlook and
Office Outlook Web Access users configure and makes this data available to the Content
Filter agent on the computer that has the Edge Transport server role installed in
Exchange 2007.
When an Exchange administrator enables and correctly configures safelist aggregation, the
Content Filter agent passes safe e-mail messages to the enterprise mailbox without
additional processing. E-mail messages that Outlook users receive from contacts or that
those users have added to their Outlook Safe Senders List or have trusted are identified by
the Content Filter agent as safe. The result is that messages that are identified as safe are
not classified as spam and unintentionally filtered out of the messaging system.
• Sender reputation Sender reputation relies on persisted data about the IP address of
the sending server to determine what action, if any, to take on an inbound message. The
Protocol Analysis agent is the underlying agent that implements the sender reputation
functionality. A sender reputation level (SRL) is calculated from several sender
characteristics that are derived from message analysis and external tests.
Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their
future connections are rejected for up to 48 hours. In addition to the locally calculated IP
reputation, Exchange 2007 also takes advantage of IP Reputation anti-spam updates,
available via Microsoft Update, which provide sender reputation information about IP
addresses that are known to send spam.
• Attachment filtering Attachment filtering filters messages based on attachment file
name, file name extension, or file MIME content type. You can configure attachment
filtering to block a message and its attachment, to strip the attachment and allow the
message to pass through, or to silently delete the message and its attachment.
406
• Microsoft Forefront Security for Exchange Server Forefront Security for Exchange
Server is an antivirus software package that is tightly integrated with Exchange 2007 and
offers antivirus protection for the Exchange environment. The antivirus protection that is
provided by Forefront Security for Exchange Server is language independent. However, the
setup, administration of the product, and end-user notifications are available in 11 server
languages.
• Outlook Junk E-mail filtering The Outlook Junk E-Mail Filter uses state-of-the-art
technology to evaluate whether a message should be treated as a junk e-mail message
based on several factors, such as the time that the message was sent and the content and
structure of the message, and the metadata collected by the Exchange Server anti-spam
filters. Messages caught by the filter are moved to a special Junk E-mail folder, where the
recipient can access them later.
Anti-Spam Stamps
Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata,
or "stamps," such as sender-specific information, puzzle validation results, and content filtering
results, to messages as they pass through the anti-spam features that filter inbound messages
from the Internet. These stamps are visible to the end-user mail client and encode senderspecific information, the version of the spam filter definition file, Outlook puzzle validation
results, and content filtering results.
Microsoft Update for Anti-Spam Services
Exchange 2007 now offers additional services to help keep anti-spam components up to
date, taking advantage of the proven Microsoft Update infrastructure.
Microsoft Exchange 2007 Standard Anti-spam Filter Updates offer anti-spam updates every two
weeks via Microsoft Update.
The Forefront Security for Exchange Server anti-spam update service is a premium service that
updates the content filter daily via Microsoft Update. In addition, the premium service includes
the Spam Signature and IP Reputation Service updates that are available on an as-needed
basis, up to several times a day. Spam Signature updates identify the most recent spam
campaigns. IP Reputation Service updates provide sender reputation information about IP
addresses that are known to send spam.
Note:
To use the premium service, you must have the Exchange Enterprise Client Access
License (CAL).
407
Using Exchange Hosted Services
Spam filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted
Services. Exchange Hosted Services is a set of four distinct hosted services:
• Hosted Filtering, which helps organizations protect themselves from e-mail-borne
malware, including viruses and spam
•
Hosted Archive, which helps them satisfy retention requirements for compliance
•
Hosted Encryption, which helps them encrypt data to preserve confidentiality
• Hosted Continuity, which helps them preserve access to e-mail during and after
emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or
Hosted Exchange e-mail services that are offered through service providers. For more
information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For More Information
For more information about anti-spam and antivirus features, see the following topics:
•
Anti-Spam Stamps
•
Attachment Filtering
•
Connection Filtering
•
Content Filtering
•
Microsoft Forefront Security for Exchange Server User Guide
•
Recipient Filtering
•
Safelist Aggregation
•
Adjusting the Spam Confidence Level Threshold
•
Spam Quarantine
•
Sender Filtering
•
Sender ID
•
Sender Reputation
•
Configuring Anti-Spam Features to Reduce the Volume of Spam
•
Understanding Anti-Spam and Antivirus Mail Flow
•
Anti-Spam Updates
•
Planning Antivirus Deployment
408
Anti-Spam Stamps
In Microsoft Exchange Server 2007, anti-spam stamps help you diagnose spam-related
problems by applying diagnostic metadata, or "stamps," such as sender-specific information,
puzzle validation results, and content filtering results, to messages as they pass through the
anti-spam features that filter inbound messages from the Internet.
This topic explains how to view anti-spam stamps and describes the different anti-spam
stamps: the anti-spam report, the phishing confidence level stamp, the spam confidence level
(SCL) stamp, and the Sender ID stamp.
You can use anti-spam stamps as diagnostic tools to determine what actions to take on falsepositives and on suspected spam messages that individuals receive in their mailboxes.
Viewing the Anti-Spam Stamps
You can view anti-spam stamps by using Microsoft Office Outlook 2007. For more information
about how to view anti-spam stamps, see How to View Anti-spam Stamps in Outlook 2007.
Anti-Spam Report
The anti-spam report is a summary report of the anti-spam filter results that have been applied
to an e-mail message. The Content Filter agent applies this stamp to the message envelope in
the form of an X-header as follows:
X-MS-Exchange-Organization-Antispam-Report:
DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict
<verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus
<status>;TIME:<SendReceiveDelta>;MIME:MimeCompliance
Table 38 describes the filter information that can appear in an anti-spam report.
Note:
The anti-spam report only displays information from the filters that were applied to the
specific message. An anti-spam report doesn't usually contain all the information listed
in Table 1. For example, you may receive the following anti-spam report:
DV:3.1.3924.1409;SID:SenderIDStatus Fail;PCL:PhishingLevel
SUSPICIOUS;CW:CustomList;PP:Presolved;TIME:TimeBasedFeatures.
409
Table 38 Filter information in an anti-spam report
Stamp
Description
SID
The Sender ID (SID) stamp is based on the
sender policy framework (SPF) that authorizes
the use of domains in e-mail. The SPF is
displayed in the message envelope as
Received-SPF. The Sender ID evaluation
process generates a Sender ID status for the
message. This status can be returned as one
of the following values:
• Pass The IP Address and Purported
Responsible Domain pair passed the
Sender ID verification check.
• Neutral The Sender ID verification
check was inconclusive.
• Softfail The IP Address may not be
in the SPF. Softfail is considered less
trusted than Neutral.
• Fail The IP address is not listed in
the SPF.
• None No published SPF data exists
in the sender's Domain Name System
(DNS).
• TempError A temporary DNS failure
occurred, such as an unavailable DNS
server.
• PermError The DNS record is
invalid, such as an error in the record
format.
For more information about Sender ID, see
Sender ID.
DV
The DAT version (DV) stamp indicates the
version of the spam definition file that was
used when scanning the message.
SA
The signature action (SA) stamp indicates that
the message was either recovered or deleted
because of a signature that was found in the
message.
410
SV
The signature DAT version (SV) stamp
indicates the version of the signature file that
was used when scanning the message.
PCL
The phishing confidence level (PCL) of the
message displays the following values, which
are based on the PCL Stamp described later in
this topic:
• Neutral The message's content is
not likely to be phishing.
• Suspicious The message's content
is likely to be phishing.
Outlook uses the PCL stamp to block the
content of suspicious messages.
SCL
The spam confidence level (SCL) of the
message displays the rating of the message
based on its content. The SCL value is
between 0 and 9, where 0 is considered less
likely to be spam, and 9 is considered more
likely to be spam. The actions that
Exchange Server and Outlook take depend on
your SCL threshold settings. For more
information about SCL thresholds and actions,
see Adjusting the Spam Confidence Level
Threshold.
411
CW
The custom weight (CW) of a message
indicates that the message contains an
unapproved word or phrase and that the SCL
value, or "weight," of that unapproved word or
phrase was applied to the final SCL score:
• Unapproved phrases, or Block
phrases, have maximum weight and
change the SCL score to 9.
• Approved words or phrases, or Allow
phrases, have minimum weight and
change the SCL to 0.
For more information about how to add
approved and unapproved words or phrases to
the content filtering agent, see How to
Configure Allow or Block Phrases for Content
Filtering.
PP
The presolved puzzle (PP) stamp indicates
that if a sender's message contains a valid,
solved computational postmark, based on
Outlook E-mail Postmark validation
functionality, it is unlikely that the sender is a
malicious sender. In this case, the Content
Filter agent would reduce the SCL rating.
The Content Filter agent does not change the
SCL rating if the E-mail Postmark validation
feature is enabled and either of the following
conditions is true:
• An inbound message does not contain
a computational postmark header.
• The computational postmark header is
not valid.
For more information about the postmark
validation feature, see How to Enable or
Disable Outlook E-mail Postmark Validation.
412
TIME: TimeBasedFeatures
The TIME stamp indicates that there was a
significant time delay between the time that the
message was sent and the time that the
message was received. The TIME stamp is
used to determine the final SCL rating for the
message.
MIME:MIMECompliance
The MIME stamp indicates that the e-mail
message is not MIME-compliant.
P100:PhishingBlock
The P100 stamp indicates that the message
contains a URL that is present in a phishing
definition file.
IPOnAllowList
The IPOnAllowList stamp indicates that the
sender's IP address is on the IP Allow list. For
more information about the IP Allow list, see
Connection Filtering.
MessageSecurityAntispamBypass
The MessageSecurityAntispamBypass stamp
indicates that the message was not filtered for
content and that the sender has been granted
permission to bypass the anti-spam filters.
SenderBypassed
The SenderBypassed stamp indicates that the
Content Filter agent does not process any
content filtering for messages that are received
from this sender. For more information, see
How to Specify Recipient and Sender
Exceptions for Content Filtering.
413
AllRecipientsBypassed
The AllRecipientsBypassed stamp indicates
that one of the following conditions was met for
all recipients listed in the message:
• The AntispamBypassedEnabled
parameter on the recipient's mailbox is set
to $True. This is a per-recipient setting
that can only be set by an administrator.
For more information about this setting,
see Set-Mailbox.
• The message sender is in the
recipient's Outlook Safe Senders List. For
more information about the Safe Senders
List, see How to Configure Safelist
Aggregation.
• The Content Filter agent does not
process any content filtering for messages
that are sent to this recipient. For more
information about recipient exceptions,
see How to Specify Recipient and Sender
Exceptions for Content Filtering.
Phishing Confidence Level Stamp
The phishing confidence level (PCL) stamp is a property that the Outlook Junk E-mail filter
stamps each e-mail message when the message is processed in the Outlook Junk E-mail
folder. The PCL stamp is displayed as an X-header in the message envelope as follows:
X-MS-Exchange-Organization-PCL:<status>
The PCL stamp displays the rating of the message based on its content. The PCL value is
between 1 and 8. The values are used to determine what action Outlook takes on
messages. Outlook uses the PCL stamp to block the content of suspicious messages. A PCL
rating of 1 to 3 returns a status of Neutral in the anti-spam report. This means that the
message's content is not likely to be phishing. A PCL rating of 4 to 8 returns a status of
Suspicious in the anti-spam report. This means that the message is likely to be phishing.
Spam Confidence Level Stamp
The spam confidence level (SCL) stamp displays the rating of the message based on its
content. The SCL stamp is displayed as an X-header in the message envelope as follows:
X-MS-Exchange-Organization-SCL:<status>
414
The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a
message and to assign an SCL rating to each message. The SCL value is between 0 and 9,
where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The
actions that Exchange Server and Outlook take depend on your SCL threshold settings. For
more information about the SCL thresholds and actions, see Adjusting the Spam Confidence
Level Threshold.
Sender ID Stamp
The Sender ID stamp is based on the SPF that authorizes the use of domains in e-mail. The
SPF is displayed in the message envelope as Received-SPF. The Sender ID stamp is
displayed as an X-Header in the message envelope as follows:
X-MS-Exchange-Organization-SenderIdResult:<status>
The Sender ID evaluation process generates a Sender ID status for the message. This status
can be set to one of the following values:
• Pass The IP Address and Purported Responsible Domain pair passed the Sender ID
verification check.
•
Neutral The Sender ID verification check was inconclusive.
• Soft fail The IP Address may not be in the SPF. Softfail is considered less trusted
than Neutral.
•
Fail The IP address is not listed in the SPF.
•
None No published SPF data exists in the sender's DNS.
•
TempError A temporary DNS failure occurred, such as an unavailable DNS server.
•
PermError The DNS record is invalid, such as an error in the record format.
For more information about how to configure Sender ID, see Configuring Sender ID.
For More Information
For more information about content filtering, see the following topics:
•
Content Filtering
•
Configuring Content Filtering
For more information about Sender ID, see the following topics:
•
Sender ID
•
Configuring Sender ID
415
Attachment Filtering
In Microsoft Exchange Server 2007, attachment filtering lets you apply filters at the server level
to control the attachments that users receive. Attachment filtering is increasingly important in
today's environment, where many attachments contain harmful viruses or inappropriate
material that may cause significant damage to the user's computer or to the organization as a
whole by damaging important documentation or releasing sensitive information to the public.
Note:
As a best practice, don't remove attachments from digitally signed, encrypted, or rightsprotected e-mail messages. If you remove attachments from such messages, you
invalidate the digitally signed messages and make encrypted and rights-protected
messages unreadable.
Types of Attachment Filtering in Exchange 2007
You can use the following types of attachment filtering to control attachments that enter or
leave your organization:
• Filtering based on file name or file name extension You can filter attachments by
specifying the exact file name or file name extension to be filtered. An example of an exact
file name filter is BadFilename.exe. An example of a file name extension filter is *.exe.
• Filtering based on file MIME content type You can also filter attachments by
specifying the MIME content type to be filtered. MIME content types indicate what the
attachment is, whether it is a JPEG image, an executable file, a
Microsoft Office Excel 2003 file, or some other file type. Content types are expressed as
type/subtype. For example, the JPEG image content type is expressed as
image/jpeg.
To view a complete list of all file name extensions and content types that attachment
filtering can filter on, run the following command:
Get-AttachmentFilterEntry | FL
To run the Get-AttachmentFilterEntry cmdlet on a computer that is joined to a domain,
you the account you use must be delegated Exchange View-Only Administrators role.
To run the Get-AttachmentFilterEntry cmdlet on a computer that has the Edge Transport
server role installed, you must log on by using an account that is a member of the local
Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required
to administer Exchange Server 2007, see Permission Considerations.
416
If an attachment matches one of these filtering criteria, you can configure one of the following
actions to be performed on the attachment:
• Block whole message and attachment An attachment that matches an attachment
filter together with its whole e-mail message can be blocked from entering the messaging
system. If an attachment and e-mail message are blocked, the sender receives a delivery
status notification (DSN) message that states that the message contains an unacceptable
attachment file name.
• Strip attachment but allow message through An attachment that matches an
attachment filter can be removed whereas the e-mail message and any other attachments
that do not match the filter are allowed through. If an attachment is stripped, it is replaced
with a text file that explains why the attachment was removed. This action is the default
setting.
• Silently delete message and attachment An attachment that matches an
attachment filter together with its whole e-mail message can be blocked from entering the
messaging system. If an attachment and e-mail message are blocked, neither the sender
nor the recipient receives notification.
Caution:
You cannot retrieve e-mail messages and attachments that are blocked or
attachments that are stripped. When you configure attachment filters, make sure
that you carefully examine all possible file name matches and verify that legitimate
attachments will not be affected by the filter.
For more information, see How to Configure Attachment Filtering.
File Filtering by Using Forefront Security for
Exchange Server
The file filtering functionality that is provided by Microsoft Forefront Security for Exchange
Server includes advanced features that are unavailable in the default Attachment Filter agent
that is included with Microsoft Exchange Server 2007 Standard Edition.
For example, container files, which are files that contain other files, can be scanned for
offending file types. Forefront Security for Exchange Server filtering can scan the following
container files and act upon embedded files:
•
PKZip (.zip)
•
GNU Zip (.gzip)
•
Self-extracting ZIP archives
•
Zip files (.zip)
•
Java archive (.jar)
417
•
TNEF (winmail.dat)
•
Structured storage (.doc, .xls, .ppt, etc.)
•
MIME (.eml)
•
SMIME (.eml)
•
UUEncode (.uue)
•
Unix tape archive (.tar)
•
RAR archive (.rar)
•
MACBinary (.bin)
Note:
The default Attachment Filter agent that is included with Exchange Server 2007
Standard Edition detects file types even if they have been renamed. Attachment
filtering also makes sure that compressed Zip and LZH files do not contain blocked
attachments by performing a file name extension match against the files in the
compressed Zip or LZH file. Forefront Security for Exchange Server file filtering has the
additional capability of determining if a blocked attachment has been renamed within a
container file.
You can also filter files by file size. Additionally, you can configure Forefront Security for
Exchange Server to quarantine filtered files or to send e-mail notifications based on file filter
matches.
For more information, see Microsoft Forefront Security for Exchange Server User Guide.
Connection Filtering
The Connection Filter agent is an anti-spam agent that is enabled on computers that have the
Microsoft Exchange Server 2007 Edge Transport server role installed. The Connection Filter
agent relies on the IP address of the remote server that is trying to connect to determine what
action, if any, to take on an inbound message. The remote IP address is available to the
Connection Filter agent as a by-product of the underlying TCP/IP connection that is required for
the Simple Mail Transfer Protocol (SMTP) session. Because the Connection Filter agent must
evaluate the IP address of the remote server that is sending the message to be effective, the
Connection Filter agent is typically enabled on the Internet-facing Edge Transport server.
However, you may also perform additional configuration to run the Connection Filter agent
deeper in the inbound message path.
When you configure anti-spam agents on an Edge Transport server, the agents act on
messages cumulatively to reduce the number of unsolicited messages that enter the
organization. To reduce redundancy and improve overall system performance and efficiency,
418
you must understand the order in which the agents evaluate inbound messages.
Understanding the order in which the filters evaluate inbound messages will help you optimize
your configuration of the Edge Transport servers. For more information about how to plan and
deploy the anti-spam agents, see Anti-Spam and Antivirus Functionality.
When you enable the Connection Filter agent, the Connection Filter agent is the first anti-spam
agent to run when an inbound message is evaluated.
When an inbound message is submitted to an Edge Transport server on which the Connection
Filter agent is enabled, the source IP address of the SMTP connection is checked against IP
Allow lists and IP Block lists. If the source IP address is listed on an IP Allow list, the message
is sent to the destination without additional processing by other anti-spam agents. If the source
IP address is listed on an IP Block list, the SMTP connection is dropped after all RCPT TO
headers in the message are processed.
Note:
The timing of when a given connection is dropped may depend on other anti-spam
configurations. For example, you can specify which recipients always receive e-mail
messages, even if the source IP address is blocked. Additionally, you may have
configured other agents that rely on content from the DATA command to be parsed.
The Connection Filter agent always drops blocked connections according to the overall
anti-spam configuration.
If the source IP address is not listed on any IP Allow list or IP Block list, the message continues
to flow through other anti-spam agents if other anti-spam agents are configured.
For detailed information about how to configure the Connection Filter agent, see How to
Configure Connection Filtering.
IP Allow Lists and IP Block Lists
The Connection Filter agent compares the IP address of the server that is sending a message
to any of the following data stores of IP addresses:
•
Administrator-defined IP Allow lists and IP Block lists
•
IP Block List providers
•
IP Allow List providers
For more information about IP Block List providers, see "IP Block List Providers" later in this
document.
You must configure at least one of these data stores of IP addresses for the Connection Filter
agent to be operational. If the data stores of IP addresses do not contain the IP addresses on
the IP Allow lists or IP Block lists, or if you do not have any IP Block List providers or IP Allow
List providers configured, you should disable the Connection Filter agent.
419
Administrator-Defined IP Allow Lists and IP Block Lists
Administrators of Edge Transport servers maintain administrator-defined lists of IP addresses.
You can enter and delete the IP addresses that you want to allow or block by using the
Exchange Management Console or the Exchange Management Shell. You can add IP
addresses individually, by IP address range, or by IP address and subnet mask.
When you add an IP address or IP address range, you must specify the IP address or IP
address range as an IP Block address or an IP Allow address. Additionally, you can specify an
expiration time for each IP Block List entry that you create. When you set the expiration time,
the expiration time specifies how long the IP Block List entry is active. When the expiration time
duration is reached, the IP Block List entry is disabled.
By using administrator-defined IP Allow lists and IP Block lists, you can configure connection
filtering to support the following scenarios:
• To exempt IP addresses from the IP Block lists of IP Block List providers You
may have to exempt IP addresses from the IP Block lists of IP Block List providers when
legitimate senders are unintentionally put on an IP Block List provider's IP Block list. For
example, legitimate senders could be unintentionally put on an IP Block list when an SMTP
server was unintentionally configured to act as an open relay. In this scenario, the sender
will probably try to correct the misconfiguration and remove their IP address from the IP
Block List provider's IP Block list.
For more information about IP Block List providers, see "IP Block List Providers" later in
this document.
• To deny access from IP addresses that are a source of unsolicited e-mail messages
but are not found on an IP Block List provider's IP Block lists Sometimes, you may
receive a large quantity of unsolicited messages from a source that was not yet identified
by a real-time block list (RBL) service to which you subscribe.
IP Block List Providers
IP Block List provider services can help you reduce the number of unsolicited e-mail messages
that enter your organization.
Note:
IP Block List provider services are frequently referred to as real-time block list (RBL)
services. The Exchange Management Console refers to RBL services as IP Block List
provider services. The terms "RBL services" and "IP Block List provider services" are
equivalent.
IP Block List provider services compile lists of IP addresses from which spam has originated in
the past. Additionally, some IP Block List providers provide lists of IP addresses for which
SMTP is configured for open relay. There are also IP Block List provider services that provide
lists of IP addresses that support dial-up access. Internet service providers (ISP) that provide
420
dial-up access services to their clients assign dynamic IP addresses for each dial-up session.
Some ISPs block SMTP traffic from dial-up accounts. These ISPs and the attendant dial-up IP
ranges are not typically added to IP Block lists. However, some ISPs allow clients to send
SMTP traffic from dial-up accounts. Malicious users take advantage of ISPs that allow SMTP
traffic to send spam on dynamically assigned IP addresses. When the IP address is put on an
IP Block list, the malicious users start another dial-up session and receive a new IP address.
Frequently, a single IP Block List provider can provide a list of IP addresses that covers all
these spam threats.
You can configure multiple IP Block List provider configurations by using the Exchange
Management Console or the Exchange Management Shell. Each service requires a separate
IP Block List provider configuration in the Exchange Management Console or the Exchange
Management Shell.
When you configure the Connection Filter agent to use an IP Block List provider, the
Connection Filter agent queries the IP Block List provider service to determine whether a match
exists with the connecting IP addresses before the message is accepted into the organization.
Before the Connection Filter agent contacts the IP Block List provider to verify an IP address,
the IP address is first compared to the administrator-defined IP Allow list and IP Block list. If the
IP address does not exist on either the administrator-defined IP Allow list or IP Block list, the
Connection Filter agent queries the IP Block List provider services according to the priority
rating that is assigned to each provider. If the IP address appears on the IP Block list of an IP
Block List provider, the Edge Transport server waits for and parses the RCPT TO header,
responds to the sending system with an SMTP 550 error, and closes the connection. If the IP
address does not appear on the IP Block lists of any one of the IP Block List providers, the next
agent in the anti-spam chain processes the connection. For more information about the order in
which the default anti-spam and antivirus agents filter inbound messages from the Internet, see
Anti-Spam and Antivirus Functionality.
When you use the Connection Filter agent, it is a best practice to use one or more IP Block List
providers to manage access into your organization. The use of an administrator-defined block
list to maintain your own IP Block list is very time-consuming and may be impossible from a
human resource perspective in most organizations. Therefore, the use of an external IP Block
List provider service, whose sole purpose is to maintain IP Block lists, is highly recommended.
However, there may be some disadvantages to using an IP Block List provider. Because the
Connection Filter agent must query an external entity for each unknown IP address, outages or
delays at the IP Block List provider service can cause delays in the processing of messages on
the Edge Transport server. In extreme cases, such outages or delays could cause a mail-flow
bottleneck on the Edge Transport server.
The other disadvantage of using an external IP Block List provider service is that legitimate
senders are sometimes added to the IP Block lists of IP Block List providers by mistake.
Legitimate senders can be added to the IP Block lists that are maintained by IP Block List
provider as the result of an SMTP misconfiguration, where the SMTP server was unintentionally
configured to act as an open relay is an example of such a misconfiguration.
421
For more information about IP Block List providers, see Real-time Spam Black Lists (RBL).
Note:
The third-party Web site information in this topic is provided to help you find the
technical information you need. The URLs are subject to change without notice.
IP Allow List Providers
You can also manage inbound messages by using IP Allow List provider services that provide
IP Allow lists. IP Allow lists are sometimes referred to as IP safe lists or "white" lists elsewhere
in the software industry. IP Allow List providers maintain lists of IP addresses that are
definitively known not to be associated with any spam activity. When an IP Allow List provider
returns an IP Allow match, which indicates that the sender's IP address is more likely to be a
reputable or "safe" sender, the Connection Filter agent relays the message to the next agent in
the anti-spam chain.
For information about how to configure IP Allow List providers, see How to Configure
Connection Filtering.
For More Information
For more information about how to configure connection filtering by using the Exchange
Management Console, see the following topics:
•
Configuring Connection Filtering
•
How to Enable Connection Filtering
•
How to Add IP Addresses to the IP Allow List and IP Block Lists
•
How to Configure IP Allow List and IP Block List Providers
For more information about how to configure connection filtering by using the Exchange
Management Shell, see Connection Filter Agent Commands.
Content Filtering
In Microsoft Exchange Server 2007, the Content Filter agent is the next generation of
Exchange Intelligent Message Filter, which is included with Exchange Server 2003.
Intelligent Message Filter is based on patented machine-learning technology from Microsoft
Research. During its development, Intelligent Message Filter learned the distinguishing
characteristics of legitimate messages and unsolicited commercial e-mail messages (spam),
which were submitted by Microsoft partners and classified as either legitimate messages or
spam.
422
Intelligent Message Filter evaluates inbound e-mail messages and assesses the probability that
an inbound message is legitimate or spam. Unlike many other filtering technologies, Intelligent
Message Filter uses characteristics from a statistically significant sample of e-mail messages.
The inclusion of legitimate messages in this sample reduces the chance of mistakes. Because
Intelligent Message Filter recognizes characteristics of legitimate messages and spam, the
accuracy of Intelligent Message Filter is increased.
Intelligent Message Filter machine-learning is an ongoing, cumulative process. Updates to
Intelligent Message Filter are available periodically through Microsoft Update.
Using the Content Filter Agent
The Content Filter agent is one of several anti-spam agents. When you configure anti-spam
agents on a computer that has the Edge Transport server role installed, the agents act on
messages cumulatively to reduce the amount of spam that enters the organization. For more
information about how to plan and deploy anti-spam agents, see Anti-Spam and Antivirus
Functionality.
The Content Filter agent assigns a spam confidence level (SCL) rating to each message. The
SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more
likely to be spam.
You can configure the Content Filter agent to take the following actions on messages according
to their SCL rating:
•
Delete message
•
Reject message
•
Quarantine message
For example, you may determine that messages that have an SCL rating of 7 or higher must be
deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an
SCL rating of 5 must be quarantined.
You can adjust the SCL threshold behavior by assigning different SCL ratings to each of these
actions. For more information about how to adjust the SCL threshold to suit your organization's
requirements and about per-recipient SCL thresholds, see Adjusting the Spam Confidence
Level Threshold.
Note:
Messages that are over 11 MB are not scanned by the Intelligent Message Filter.
Instead, they pass through the Content Filter without being scanned. However, the
default maximum message size limit configured on Exchange 2007 Receive
connectors is 10 MB. Therefore, the 11 MB threshold for the Intelligent Message
Filter is not a practical concern in the default Exchange configuration.
423
Allow Phrases and Block Phrases
You can customize how the Content Filter agent assigns SCL values by configuring custom
words. Custom words are individual words or phrases that the Content Filter agent uses to
apply appropriate filter processing. You configure approved words or phrases with Allow
phrases and unapproved words or phrases with Block phrases. When the Content Filter agent
detects a preconfigured Allow phrase in an inbound message, the Content Filter agent
automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter
agent detects a configured Block phrase in an inbound message, the Content Filter agent
assigns an SCL rating of 9.
Outlook E-mail Postmark Validation
The Content Filter agent also includes Microsoft Office Outlook E-mail Postmark validation, a
computational proof that Outlook applies to outgoing messages to help recipient messaging
systems distinguish legitimate e-mail from junk e-mail. This feature helps reduce the chance of
false positives. In the context of spam filtering, a false positive exists when a spam filter
incorrectly identifies a message from a legitimate sender as spam. When Outlook E-mail
Postmark validation is enabled, the Content Filter agent parses the inbound message for a
computational postmark header. The presence of a valid, solved computational postmark
header in the message indicates that the client computer that generated the message solved
the computational postmark.
Computers do not require significant processing time to solve individual computational
postmarks. However, processing postmarks for many messages may be prohibitive to a
malicious sender. Anyone who sends millions of spam messages is unlikely to invest the
processing power that is required to solve computational postmarks for all outbound spam. If a
sender's e-mail contains a valid, solved computational postmark, it is unlikely that the sender is
a malicious sender. In this case, the Content Filter agent would lower the SCL rating. If the
postmark validation feature is enabled and an inbound message either does not contain a
computational postmark header or the computational postmark header is not valid, the Content
Filter agent would not change the SCL rating.
Bypassing the Recipient, Sender, and Sender Domain
In some organizations, all e-mail to certain aliases must be accepted. This scenario can
introduce problems if your organization is in an industry that manages significant volumes of
spam.
For example, a company named Woodgrove Bank has an alias named
customerloans@woodgrovebank.com that provides e-mail-based support to external loan
customers. The Exchange administrators configure the Content Filter agent to set Block
phrases that filter out words or phrases that are typically used in spam that is sent by
unscrupulous loan agencies. To prevent potentially legitimate messages from being rejected,
424
the administrators set exceptions to content filtering by entering a list of SMTP e-mail recipient
addresses in the Content Filter agent configuration.
You can also specify senders and sender domains that you do not want the Content Filter
agent to block.
Safelist Aggregation
In Exchange Server 2007, the Content Filter agent on the Edge Transport server uses the
Microsoft Office Outlook 2003 Safe Senders Lists, Safe Recipients Lists, and trusted contacts
from Outlook to optimize spam filtering. Safelist aggregation is a set of anti-spam functionality
that is shared across Outlook and Exchange Server 2007. As its name suggests, this
functionality collects data from the anti-spam safe lists that Outlook users configure and makes
this data available to the anti-spam agents on the Edge Transport server. When an Exchange
administrator enables and correctly configures safelist aggregation, the Content Filter agent
passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail
messages that Outlook users receive from contacts that those users have added to their
Outlook Safe Recipients List, Safe Senders List, or trusted contacts list are identified by the
Content Filter agent as safe. For more information, see Safelist Aggregation.
Configuring the Content Filter Agent
You configure the Content Filter agent by using the Exchange Management Console or the
Exchange Management Shell.
Important:
Configuration changes that you make to the Content Filter agent by using the
Exchange Management Console or the Exchange Management Shell are only made to
the local computer that has the Edge Transport server role installed. If you have
multiple instances of the Edge Transport server role running in your organization, you
must make Content Filter configuration changes to each computer.
For more information about how to configure content filtering, see Configuring Content Filtering.
Recipient Filtering
The Recipient Filter agent is an anti-spam agent that is enabled on computers that have the
Microsoft Exchange Server 2007 Edge Transport server role installed. The Recipient Filter
agent relies on the RCPT TO Simple Mail Transfer Protocol (SMTP) header to determine what
action, if any, to take on an inbound message.
When you configure anti-spam agents on an Edge Transport server, the agents act on
messages cumulatively to reduce the number of unsolicited messages that enter the
425
organization. For more information about how to plan and deploy the anti-spam agents, see
Anti-Spam and Antivirus Functionality.
The Recipient Filter agent blocks messages according to the characteristics of the intended
recipient in the organization. The Recipient Filter agent can help you prevent the acceptance of
messages in the following scenarios:
• Nonexistent recipients You can prevent delivery to recipients that are not in the
organization's address book. For example, you may want to stop delivery to frequently
misused account names, such as administrator@contoso.com or support@contoso.com.
• Restricted distribution lists You can prevent delivery of Internet mail to distribution
lists that should be used only by internal users.
• Mailboxes that should never receive messages from the Internet You can prevent
delivery of Internet mail to a specific mailbox or alias that is typically used inside the
organization, such as Helpdesk.
The Recipient Filter agent acts on recipients that are stored in one or both of the following data
sources:
• Recipient Block list An administrator-defined list of recipients for which inbound
messages from the Internet should never be accepted.
• Recipient Lookup Verification that the recipient is in the organization. Recipient
Lookup requires access to Active Directory directory service information that is provided by
EdgeSync to Active Directory Application Mode (ADAM).
For more information about Recipient Block lists and Recipient Lookup functionality, see
"Recipient Data Sources" later in this document.
When you enable the Recipient Filter agent, one of the following actions is taken on inbound
messages according to the characteristics of the recipients. These recipients are indicated by
the RCPT TO header.
• If the inbound message contains a recipient that is on the Recipient Block list, the Edge
Transport server sends a "550 5.1.1 User unknown" SMTP session error to the sending
server.
• If the inbound message contains a recipient that does not match any recipients in
Recipient Lookup, the Edge Transport server sends a "550 5.1.1 User unknown" SMTP
session error to the sending server.
• If the recipient is not on the Recipient Block list and the recipient is in Recipient
Lookup, the Edge Transport server sends a "250 2.1.5 Recipient OK" SMTP response to
the sending server, and the next anti-spam agent in the chain processes the message.
426
Recipient Data Sources
As mentioned earlier, the Recipient Filter agent references two data sources when it compares
recipients on inbound messages: the Recipient Block list and Recipient Lookup.
Recipient Block List
The Recipient Block list is a list that is maintained by the Edge Transport server administrators.
The Recipient Block list data is stored in the Edge Transport server instance of ADAM. You
must enter blocked recipients on each Edge Transport server computer.
You can enter the recipients that you want the Recipient Filter agent to block in the Exchange
Management Console on the Blocked Recipients tab of the Recipient Filtering Properties
page. You use the Set-RecipientFilterConfig command in the Exchange Management Shell to
enter recipients. For more information about how to configure the Recipient Filter agent, see
How to Configure Recipient Filtering.
Recipient Lookup
One benefit of the Recipient Filter agent is the ability to verify that the recipients on an inbound
message are in your organization before Exchange 2007 transmits the message into your
organization. The ability to verify recipients in your organization relies on a recipient data
source that is available to the Edge Transport server. Because the Edge Transport server is not
an Active Directory domain-joined computer and could be segregated from the organization by
a firewall, you must configure a Recipient Lookup data source for the Edge Transport server to
use.
The Edge Transport server role uses ADAM for configuration and data storage. For more
information, see Using EdgeSync to Populate ADAM with Active Directory Data.
Tarpitting Functionality
Recipient Lookup functionality enables the sending server to determine whether an e-mail
address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a
known recipient, the Edge Transport server sends back a "250 2.1.5 Recipient OK" SMTP
response to the sending server. This functionality provides an ideal environment for a directory
harvest attack.
A directory harvest attack is an attempt to collect valid e-mail addresses from a particular
organization so that the e-mail addresses can be added to a spam database. Because all spam
income relies on trying to make people open e-mail messages, addresses that are known to be
active are a commodity that malicious users, or spammers, pay for. Because the SMTP
protocol provides feedback for known senders and unknown senders, a spammer can write an
automated program that uses common names or dictionary terms to construct e-mail
427
addresses to a specific domain. The program collects all e-mail addresses that return a
"250 2.1.5 Recipient OK" SMTP response and discards all e-mail addresses that return a
"550 5.1.1 User unknown" SMTP session error. The spammer can then sell the valid e-mail
addresses or use them as recipients for unsolicited messages.
To combat directory harvest attacks, Exchange 2007 includes tarpitting functionality. Tarpitting
is the practice of artificially delaying server responses for specific SMTP communication
patterns that indicate high volumes of spam or other unwelcome messages. The intent of
tarpitting is to slow down the communication process for such e-mail traffic so that the cost of
sending spam increases for the person or organization that is sending the spam. Tarpitting
makes directory harvest attacks too costly to automate efficiently.
If tarpitting is not configured, Exchange Server immediately returns a "550 5.1.1 User unknown"
SMTP session error to the sender when a recipient is not located in Recipient Lookup.
Alternatively, if tarpitting is configured, SMTP waits a specified number of seconds before it
returns the "550 5.1.1 User unknown" error. This pause in the SMTP session makes
automating a directory harvest attack more difficult and less cost-effective for the spammer. By
default, tarpitting is configured for 5 seconds on Receive connectors.
To configure the time before SMTP returns the "550 5.1.1 User unknown" error, use the
Exchange Management Console or the Exchange Management Shell to set the TarpitInterval
value on the Receive connector. For more information about how to administer and configure
Receive connectors, see SMTP Receive Connectors.
Multiple Namespaces
Some organizations accept e-mail messages for multiple domains. For example, one
organization may accept messages for both the Contoso.com and the Woodgrovebank.com
domains. Sometimes organizations are authoritative for all the domains for which they accept
messages. In the context of SMTP, the organization is authoritative for a domain if the
organization hosts and manages the mailboxes for that domain. This relationship extends to the
Edge Transport server. An Edge Transport server may accept messages for multiple domains,
but it may not be authoritative for all the domains. For example, an Edge Transport server can
be configured to be authoritative for all recipients in the Contoso.com domain, but the Edge
Transport server still accepts and forwards messages for the Woodgrovebank.com domain.
When you enable the Recipient Filter agent, the Recipient Filter agent performs recipient
lookups only for the domains that are specified as authoritative in the Transport Server
configuration. If an Edge Transport server accepts and forwards messages on behalf of another
domain, but the Edge Transport server is not configured as authoritative, the Recipient Filter
agent does not perform a recipient lookup. However, if a non-authoritative recipient is specified
in the Recipient Block list, the recipient will still be blocked.
428
For More Information
For more information, see the following topics:
•
Configuring Recipient Filtering
•
How to Enable Recipient Filtering
•
How to Add Recipients to the Recipients Block List
•
Get-RecipientFilterConfig
•
Set-RecipientFilterConfig
Sender Filtering
The Sender Filter agent is an anti-spam filter that is enabled on computers that have the
Microsoft Exchange Server 2007 Edge Transport server role installed. The Sender Filter agent
relies on the MAIL FROM: Simple Mail Transfer Protocol (SMTP) header to determine what
action, if any, to take on an inbound e-mail message.
When you configure anti-spam filters on an Edge Transport server, the filters act on messages
cumulatively to reduce the number of unsolicited messages that enter the enterprise. For more
information about how to plan and deploy the anti-spam features, see Anti-Spam and Antivirus
Functionality.
The Sender Filter agent acts on messages from specific senders outside the organization.
Administrators of Edge Transport servers maintain a list of senders who are blocked from
sending messages to the organization. As an administrator, you can block single senders
(kim@contoso.com), whole domains (*@.contoso.com), or domains and all subdomains
(*@*.contoso.com). You can also configure what action the Sender Filter agent should take
when a message that has a blocked sender is found. You can configure the following actions:
• You can configure the Sender Filter agent to reject the SMTP request with a "554 5.1.0
Sender Denied" SMTP session error and to close the connection.
• You can configure the Sender Filter agent to accept the message and update the
message to indicate that the message came from a blocked sender. Because the message
came from a blocked sender and it is marked as such, the Content Filter agent will use this
information when it calculates the spam confidence level (SCL).
You can use the Exchange Management Console or the Exchange Management Shell to
designate blocked senders and to define how the Sender Filter agent should act on messages
from blocked senders. For more information about how to configure the Sender Filter agent,
see How to Configure Sender Filtering.
429
Important:
The MAIL FROM: SMTP headers can be spoofed. Therefore, you should not rely on
the Sender Filter agent only. Use the Sender Filter agent and the Sender ID agent
together. The Sender ID agent uses the originating IP address of the sending server to
try to verify that the domain in the MAIL FROM: SMTP header matches the domain that
is registered. For more information about the Sender ID agent, see Sender ID.
Sender ID
The Sender ID agent is an anti-spam agent that is enabled on computers that have the
Microsoft Exchange Server 2007 Edge Transport server role installed. The Sender ID agent
relies on the RECEIVED Simple Mail Transfer Protocol (SMTP) header and a query to the
sending system's domain name system (DNS) service to determine what action, if any, to take
on an inbound message.
When you configure anti-spam agents on an Edge Transport server, the agents act on
messages cumulatively to reduce the number of unsolicited e-mail messages that enter the
organization. For more information about how to plan and deploy the anti-spam agents, see
Anti-Spam and Antivirus Functionality.
Sender ID is intended to combat the impersonation of a sender and a domain, a practice that is
frequently called spoofing. A spoofed mail is an e-mail message that has a sending address
that was modified to appear as if it originates from a sender other than the actual sender of the
message.
Spoofed mails typically contain a From: address that purports to be from a certain organization.
In the past, it was relatively easy to spoof the From: address, in both the SMTP session, such
as the MAIL FROM: header, and in the RFC 822 message data, such as From: "Masato Kawai"
masato@contoso.com, because the headers were not validated.
Using Sender ID to Combat Spoofing
In Exchange Server 2007, Sender ID makes spoofing more difficult. When you enable Sender
ID, each message contains a Sender ID status in the metadata of the message. When an email message is received, the Edge Transport server queries the sender's DNS server to verify
that the IP address from which the message was received is authorized to send messages for
the domain that is specified in the message headers. The IP address of the authorized sending
server is referred to as the purported responsible address (PRA).
Domain administrators publish sender policy framework (SPF) records on their DNS servers.
SPF records identify authorized outbound e-mail servers. If an SPF record is configured on the
sender's DNS server, the Edge Transport server parses the SPF record and determines
whether the IP address from which the message was received is authorized to send e-mail on
430
behalf of the domain that is specified in the message. For more information about what an SPF
record contains and how to create an SPF record, see Sender ID.
The Edge Transport server updates the message metadata with the Sender ID status based on
the SPF record. After the Edge Transport server updates the message metadata, the Edge
Transport server delivers the message as it ordinarily would.
Sender ID Status Values
The Sender ID evaluation process generates a Sender ID status for the message. The Sender
ID status is used to evaluate the SCL rating for the message. This status can be set to one of
the following seven values:
•
Pass The IP address for the PRA is in the permitted set.
•
Neutral Published Sender ID data is explicitly inconclusive.
•
Soft fail The IP address for the PRA may be in the not permitted set.
•
Fail The IP address for the PRA is in the not permitted set.
•
None There is no published data in DNS.
•
TempError There is a transient error, such as an unavailable DNS server.
•
PermError There is an unrecoverable error, such as an error in the record format.
The Sender ID status is added to the message metadata and is later converted to a MAPI
property. The Junk E-mail filter in Microsoft Office Outlook uses the MAPI property during the
generation of the spam confidence level (SCL) value.
Outlook neither displays the Sender ID status nor necessarily flags a message as junk at
certain Sender ID values. Outlook uses the Sender ID status value only during the calculation
of the SCL value.
Besides the seven scenarios that generate the Sender ID statuses, the Sender ID evaluation
process may reveal instances where the From: IP address is missing. If the From: IP address is
missing, the Sender ID status cannot be set. If the Sender ID status cannot be set,
Exchange Server continues to process the message without including a Sender ID status on
the message. The message is not discarded or rejected. In this scenario, Sender ID status is
not set, and an application event is logged.
For more information about how the Sender ID status is displayed in messages, see Anti-Spam
Stamps.
Sender ID Options for Handling Spoofed Mail and
Unreachable DNS Servers
You can also define how the Edge Transport server handles messages that are identified as
spoofed mail and how the Edge Transport server handles messages when a DNS server
431
cannot be reached. The options for how the Edge Transport server handles spoofed mail and
unreachable DNS servers include the following actions:
• Stamp the status This option is the default action. All inbound messages to your
organization have the Sender ID status included in the metadata of the message.
• Reject This option rejects the message and sends an SMTP error response to the
sending server. The SMTP error response is a 5xx level protocol response with text that
corresponds to the Sender ID status.
• Delete This option deletes the message without informing the sending system of the
deletion. In fact, the Edge Transport server sends a fake "OK" SMTP command to the
sending server and then deletes the message. Because the sending server assumes the
message was sent, it does not retry sending the message in the same session.
For more information about how to configure the Sender ID agent, see How to Configure
SenderID.
For More Information
For more information, see the following topics:
•
Anti-Spam Stamps
•
Content Filtering
•
Configuring Sender ID
•
Configuring Content Filtering
Sender Reputation
Sender Reputation is anti-spam functionality that is enabled on computers that have the
Microsoft Exchange Server 2007 Edge Transport server role installed to block messages
according to many characteristics of the sender. Sender reputation relies on persisted data
about the sender to determine what action, if any, to take on an inbound message.
When you configure anti-spam agents on an Edge Transport server, the agents act on
messages cumulatively to reduce the number of unsolicited messages that enter the
organization. For more information about how to plan and deploy the anti-spam agents, see
Anti-Spam and Antivirus Functionality.
Calculation of the Sender Reputation Level
A sender reputation level (SRL) is calculated from the following statistics:
432
• HELO/EHLO analysis The HELO and EHLO SMTP commands are intended to
provide the domain name, such as Contoso.com, or IP address of the sending SMTP
server to the receiving SMTP server. Malicious users, or spammers, frequently forge the
HELO/EHLO statement in various ways. For example, they type an IP address that does
not match the IP address from which the connection originated. Spammers also put
domains that are known to be locally supported at the receiving server in the HELO
statement in an attempt to appear as if the domains are in the organization. In other cases,
spammers change the domain that is passed in the HELO statement. The typical behavior
of a legitimate user may be to use a different, but a relatively constant, set of domains in
their HELO statements.
Therefore, analysis of the HELO/EHLO statement on a per-sender basis may indicate that
the sender is likely to be a spammer. For example, a sender that provides many different
unique HELO/EHLO statements in a specific time period is more likely to be a spammer.
Senders who consistently provide an IP address in the HELO statement that does not
match the originating IP address as determined by the Connection Filter agent are also
more likely to be spammers, as are remote senders who consistently provide a local
domain name, which is in the same organization as the Edge Transport server, in the
HELO statement.
• Reverse DNS lookup Sender reputation also verifies that the originating IP address
from which the sender transmitted the message matches the registered domain name that
the sender submits in the HELO or EHLO SMTP command.
Sender reputation performs a reverse DNS query by submitting the originating IP address
to DNS. The result that is returned by DNS is the domain name that is registered by using
the domain naming authority for that IP address. Sender reputation compares the domain
name that is returned by DNS to the domain name that the sender submitted in the
HELO/EHLO SMTP command. If the domain names do not match, the sender is likely to be
a spammer, and the overall SRL rating for the sender is adjusted upward.
The Sender ID agent performs a similar task, but the success of the Sender ID agent relies
on legitimate senders to update their DNS infrastructure to identify all the e-mail-sending
SMTP servers in their organization. By performing a reverse DNS lookup, you can help
identify potential spammers.
• Analysis of SCL ratings on messages from a particular sender When the Content
Filter agent processes a message, it assigns a spam confidence level (SCL) rating to the
message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that
a message is more likely to be spam. Data about each sender and the SCL ratings that
their messages yield is persisted for analysis by sender reputation. Sender reputation
calculates statistics about a sender according to the ratio between all messages from that
sender that had a low SCL rating in the past and all messages from that sender that had a
high SCL rating in the past. Additionally, the number of messages that have a high SCL
rating that the sender has sent in the last day is applied to the overall SRL.
433
• Sender open proxy test An open proxy is a proxy server that accepts connection
requests from anyone anywhere and forwards the traffic as if it originated from the local
hosts. Proxy servers relay TCP traffic through firewall hosts to provide user applications
transparent access across the firewall. Because proxy protocols are lightweight and
independent of user application protocols, proxies can be used by many different services.
Proxies can also be used to share a single Internet connection by multiple hosts. Proxies
are usually set up so that only trusted hosts inside the firewall can cross through the
proxies.
Open proxies can exist because of either of the following conditions:
•
Unintentional misconfiguration
• Malicious Trojan horse programs. A Trojan horse program is a program that
masquerades as another common program in an attempt to receive information.
Frequently with insufficient logging, open proxies provide an ideal way for malicious users
to hide their true identities and launch denial of service (DoS) attacks or send spam. As
more proxy servers are configured to be “open by default,” open proxies have become
more common. Additionally, malicious users can use multiple open proxies together to hide
the sender's originating IP address.
When sender reputation performs an open proxy test, it does so by formatting an SMTP
request in an attempt to connect back to the Edge Transport server from the open proxy. If
an SMTP request is received from the proxy, sender reputation verifies that the proxy is an
open proxy and updates the open proxy test statistic for that sender.
Sender reputation weighs each of these statistics and calculates an SRL for each sender. The
SRL is a number between 0 and 9 that predicts the probability that a specific sender is a
spammer or otherwise malicious user. A value of 0 indicates that the sender is not likely to be a
spammer; a value of 9 indicates that the sender is likely to be a spammer.
You can configure a block threshold between 0 and 9 at which sender reputation issues a
request to the Sender Filter agent, and, therefore, blocks the sender from sending a message
into the organization. When a sender is blocked, the sender is added to the Blocked Senders
list for a configurable period. How blocked messages are handled depends on the configuration
of the Sender Filter agent. The following actions are the options for handling blocked
messages:
•
Reject
•
Delete and archive
•
Accept and mark as a blocked sender
If a sender is included in the Microsoft Block List or IP Reputation Service, sender reputation
issues an immediate request to the Sender Filter agent to block the sender. To take advantage
of this functionality, you must enable and configure Microsoft Exchange Anti-spam Update
Service.
434
By default, the Edge Transport server sets a rating of 0 for senders that have not been
analyzed. After a sender has sent 20 or more messages, sender reputation calculates an SRL
that is based on the statistics listed earlier in this topic.
Use of the SRL
Sender Reputation acts on messages during two phases of the SMTP session:
• At the MAIL FROM: SMTP command Sender reputation acts on a message only if
the message was blocked or otherwise acted on by the Connection Filter agent, Sender
Filter agent, Recipient Filter agent, or Sender ID agent. In this case, sender reputation
retrieves the sender's current SRL rating from the sender profile that is persisted about that
sender in the Edge Transport database. After this rating is retrieved and evaluated, the
Edge Transport server configuration dictates the behavior that occurs at a particular
connection according to the block threshold.
• After the "end of data" SMTP command The end of data transfer (_EOD) SMTP
command is given when all the actual message data is sent. At this point in the SMTP
session, many of the anti-spam agents have processed the message. As a by-product of
anti-spam processing, the statistics that sender reputation relies on are updated. Therefore,
sender reputation has the data to calculate or recalculate an SRL rating for the sender.
For more information, see How to Configure Sender Reputation.
For More Information
For more information about anti-spam features in Outlook 2007, see the following topics:
•
Anti-Spam and Antivirus Functionality
•
Managing Anti-Spam and Antivirus Features
For more information about how to configure sender reputation, see the following topics:
•
Configuring Sender Reputation
•
How to Enable Sender Reputation
•
How to Set the Sender Reputation Level Block Threshold
•
How to Enable or Disable Open Proxy Server Detection for Sender Reputation
• How to Configure Outbound Access for Detection of Open Proxy Servers for Sender
Reputation
435
Safelist Aggregation
In Microsoft Exchange Server 2007, the term safelist aggregation refers to a set of anti-spam
functionality that is shared across Microsoft Office Outlook and Exchange. This functionality
collects data from the anti-spam Safe Recipients Lists or Safe Senders Lists and contact data
that Outlook users configure and makes this data available to the anti-spam agents on the
computer that has the Edge Transport server role installed. Safelist aggregation can help
reduce the instances of false-positives in anti-spam filtering that is performed by the Edge
Transport server.
When an Exchange administrator enables and correctly configures safelist aggregation, the
Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional
processing. E-mail messages that Outlook users receive from contacts that those users have
added to their Outlook Safe Recipients List or Safe Senders List or have trusted are identified
by the Content Filter agent as safe. An Outlook contact is a person, inside or outside the user's
organization, about whom the user can save several types of information, such as e-mail and
street addresses, telephone and fax numbers, and Web page URLs.
Safelist aggregation can help reduce the instances of false-positives in anti-spam filtering that
is performed by the Edge Transport server. A false-positive is a positive test or filter result that
is in a subject or body of data that does not possess the attribute for which the filter or test is
being conducted. In the context of spam filtering, a false-positive occurs when a spam filter
incorrectly identifies a message from a legitimate sender as spam.
For organizations that filter hundreds of thousands of messages from the Internet every day,
even a small percentage of false-positives means that users might not receive many messages
that were identified incorrectly as spam and therefore were quarantined or deleted.
Safelist aggregation is likely the most effective way to reduce false-positives. Outlook 2003 and
the next release of Outlook, which is included in Office 2007, let users create Safe Senders
Lists. Safe Senders Lists specify a list of domain names and e-mail addresses from which the
Outlook user wants to receive messages. By default, e-mail addresses in Outlook Contacts and
in the Exchange Server global address list are included in this list. By default, Outlook adds all
external contacts to which the user sends mail to the Safe Senders List.
Information Stored in the Outlook User's Safelist
Collection
A safelist collection is the combined data from the user's Safe Senders List, Safe Recipients
List, Blocked Senders List, and external contacts. This data is stored in Outlook and in the
Exchange mailbox.
The following types of information are stored in an Outlook user's safelist collection:
436
• Safe senders and safe recipients The From: message header indicates a sender.
The To: field of the e-mail message indicates a recipient. Safe senders and safe recipients
are represented by full Simple Mail Transfer Protocol (SMTP) addresses, such as
masato@contoso.com. Outlook users can add senders and recipients to their safe lists.
• Safe domain The domain is the part of an SMTP address that follows the @ symbol.
For example, contoso.com is the domain in the masato@contoso.com address. Outlook
users can add sending domains to their safe lists.
• External contacts Two types of external contacts can be included in the safelist
aggregation. The first type of external contact includes contacts to whom Outlook users
have sent mail. This class of contact is added to the Safe Senders List only if an Outlook
user selects the corresponding option in the Junk E-mail settings in Outlook 2003 or
Exchange 2007.
The second type of external contact includes the users' Outlook contacts. Users can add or
import these contacts into Outlook. This class of contact is added to the Safe Senders List
only if an Outlook user selects the corresponding option in the Junk E-mail Filter settings in
Outlook 2003 or Outlook 2007.
How Exchange Uses the Safelist Collection
The safelist collection is stored on the user's mailbox server. A user can have up to 1,024
unique entries in a safelist collection.
In earlier versions of Exchange Server, the user's mailbox server accessed the safelist
collection during spam filtering to allow e-mail from senders on the Safe Senders List to pass
through.
In Exchange 2007, the safelist collection is stored on the user's mailbox, but you can push it to
the Active Directory directory service, where the safelist collection is stored on each user
object. When the safelist collection is stored on the user object in Active Directory, the safelist
collection is aggregated with the anti-spam functionality of Exchange 2007 and is optimized for
minimized storage and replication so that the Edge Transport server can process the safelist
aggregation. The Content Filter agent on the Edge Transport server can access the safelist
collection for each recipient. The Microsoft Exchange EdgeSync service replicates the safelist
collection to the Active Directory Application Mode (ADAM) instance on the Edge Transport
server.
Hashing of Safelist Collection Entries
It's worth noting that the safelist collection entries are hashed (SHA-256) one way before they
are stored as array sets across two user object attributes, msExchangeSafeSenderHash and
msExchangeSafeRecipientHash, as a binary large object. When data is hashed, an output of
fixed length is produced; the output is also likely to be unique. For hashing of safelist collection
437
entries, a 4-byte hash is produced. When a message is received from the Internet,
Exchange Server hashes the sender address and compares it to the hashes that are stored on
behalf of the Outlook user to whom the message was sent. If an inbound hash matches, the
message bypasses content filtering.
One-way hashing of safelist collection entries performs the following important functions:
• It minimizes storage and replication space Most of the time, hashing reduces the
size of the data that is hashed. Therefore, saving and transmitting a hashed version of a
safelist collection entry conserves storage space and replication time. For example, a user
who has 200 entries in his or her safelist collection would create about 800 bytes of hashed
data that is stored and replicated in Active Directory.
• It renders user safelist collections unusable by malicious users Because oneway hash values are impossible to reverse-engineer into the original SMTP address or
domain, the safelist collections do not yield usable e-mail addresses for malicious users
who might compromise an Edge Transport server.
Enabling Safelist Aggregation
You can enable safelist aggregation by running the Exchange Management Shell UpdateSafeList cmdlet on a user's mailbox. The Update-SafeList cmdlet reads the safelist collection
from the user's mailbox, hashes each entry, sorts the entries for easy search, and then
converts the hash to a binary attribute. Finally, the Update-SafeList cmdlet compares the
binary attribute that was created to any value that is stored on the attribute. If the two values
are identical, the Update-SafeList cmdlet does not update the user attribute value with the
safelist aggregation data. If the two attribute values are different, the Update-SafeList cmdlet
updates the safelist aggregation value. This logic, where the binary values are compared
before updates, is intended to significantly minimize resource use on Active Directory
replication. Periodic updates make sure that the most up-to-date safelist aggregation is in
Active Directory. For more information about how to configure the Update-Safelist cmdlet to
run periodic updates, see How to Configure Safelist Aggregation.
To make the safelist aggregation data in Active Directory available to Edge Transport servers in
the perimeter network, you must install and configure the Microsoft Exchange EdgeSync
service so that the safelist aggregation data is replicated to ADAM.
For More Information
For more information, see the following topics:
•
How to Configure Safelist Aggregation
•
Using EdgeSync to Populate ADAM with Active Directory Data
438
Adjusting the Spam Confidence Level
Threshold
In Microsoft Exchange Server 2003, the spam confidence level (SCL) threshold defines when
the content filter feature takes a specific action on a specific message, such as rejecting a
message or deleting a message.
In Exchange Server 2007, we've improved the SCL threshold functionality so that you can
adjust the SCL to a more precise level. You can define three specific actions according to SCL
thresholds. For example, you can define different thresholds for rejecting, deleting, or
quarantining a message on a computer that has the Edge Transport server role installed.
The combination of this SCL threshold configuration on the Edge Transport server and the SCL
Junk E-mail folder configuration on the user mailbox helps you implement a more
comprehensive and precise anti-spam strategy. This more precise and detailed SCL threshold
adjustment functionality in Exchange 2007 can help you reduce the overall cost of deploying
and maintaining an anti-spam solution across your organization.
The SCL threshold configuration is used by the Content Filter agent, one of the default antispam agents that are included with Exchange 2007. The Content Filter agent uses Microsoft
SmartScreen technology to assess the contents of a message and to assign an SCL rating to
each message.
The Content Filter agent performs this function late in the anti-spam cycle, after other antispam agents have processed any inbound messages. Many of the other anti-spam agents that
process inbound messages before they are processed by the Content Filter agent are
deterministic in how they act on a message. For example, the Connection Filter agent rejects
any message that is sent from an IP address that is on a real-time block list (RBL). The Sender
Filter agent and Recipient Filtering agent process messages in a similarly deterministic manner.
In Exchange 2007, these deterministic anti-spam agents process messages first and therefore
greatly reduce the number of messages that must be processed by the Content Filter agent.
For more information about the order in which anti-spam agents process messages, see AntiSpam and Antivirus Functionality.
Because content filtering is not an exact, deterministic process, the ability to adjust the action
that the Content Filter agent performs on different SCL values is important. By carefully
adjusting the SCL threshold configuration, you can minimize the following:
•
The size of the spam quarantine storage
•
The number of legitimate e-mail messages that are mistakenly quarantined
• The number of legitimate e-mail messages that reach the Microsoft Office Outlook
user's Junk E-mail folder
• The number of offensive spam e-mail messages that reach the Outlook user's Inbox or
Junk E-mail folder
439
•
The number of spam e-mail messages that reach the Outlook user's Inbox
SCL Threshold Actions in Exchange 2007
In Exchange 2003, you configure a single action, such as delete or reject, for a single SCL
threshold value. In Exchange 2007, by adjusting SCL threshold actions, you can escalate the
content filtering action that is taken on messages that have a greater risk of being spam. To
understand this new functionality, it is helpful to understand the different SCL threshold actions
and how they are implemented.
• SCL delete threshold When the SCL value for a specific message is equal to or
higher than the SCL delete threshold, the Content Filter agent deletes the message. There
is no protocol-level communication that tells the sending system or sender that the
message was deleted. If the SCL value for a message is lower than the SCL delete
threshold value, the Content Filter agent does not delete the message. Instead, the
Content Filter agent compares the SCL value to the SCL reject threshold.
• SCL reject threshold When the SCL value for a specific message is equal to or
higher than the SCL reject threshold, the Content Filter agent deletes the message and
sends a rejection response to the sending system. You can customize the rejection
response. In some cases, a non-delivery report (NDR) is sent to the original sender of the
message. If the SCL value for a message is lower than the SCL delete and SCL reject
threshold values, the Content Filter agent does not delete or reject the message. Instead,
the Content Filter agent compares the SCL value to the SCL quarantine threshold.
• SCL quarantine threshold When the SCL value for a specific message is equal to or
higher than the SCL quarantine threshold, the Content Filter agent sends the message to a
quarantine mailbox. E-mail administrators must periodically review the quarantine mailbox.
For more information about how to manage the spam quarantine, see How to Configure
and Manage Spam Quarantine. If the SCL value for a message is lower than the SCL
delete, reject, and quarantine threshold values, the Content Filter agent does not delete,
reject, or quarantine the message. Instead, the Content Filter agent sends the message to
the appropriate Mailbox server, where the per-recipient SCL Junk E-mail folder threshold
value of the message is evaluated.
• SCL Junk E-mail folder threshold If the SCL value for a specific message exceeds
the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook
user's Junk E-mail folder. If the SCL value for a message is lower than the SCL delete,
reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the
message in the user's Inbox.
For example, if you set the SCL delete threshold to 8, the SCL reject threshold to 7, the SCL
quarantine threshold to 6, and the SCL Junk E-mail folder threshold to 5, all e-mail with an SCL
of 4 or lower will be delivered to the user's Inbox.
440
To configure the SCL Junk E-mail folder threshold on individual user mailboxes, you must use
the Set-Mailbox command in the Exchange Management Shell. You can configure the SCL
delete, reject, and quarantine thresholds in two locations:
• On the content filter configuration (per-transport server SCL configuration) We
recommend that you set the organization-wide SCL thresholds on the content filter
configuration on the Edge Transport server. If you run anti-spam agents on the Hub
Transport server, set the organization-wide SCL thresholds on the Hub Transport server. By
applying the same SCL thresholds across all transport servers, you can establish a
consistent baseline level of SCL functionality across the organization. Over time, as you
analyze the spam functionality and metrics that are provided by the anti-spam logging and
reporting features, you can make additional adjustments to these SCL threshold
configurations as needed.
• On user mailboxes (per-recipient SCL configuration) You can use the SetMailbox command to set per-recipient SCL delete, reject, and quarantine thresholds on
individual user mailboxes. As mentioned earlier in this topic, you set the SCL Junk E-mail
folder threshold on individual user mailboxes by using the Set-Mailbox command. The perrecipient SCL delete, reject, and quarantine thresholds are stored in the Active Directory
directory service and are replicated to the Edge Transport servers by the Microsoft
Exchange EdgeSync service. The per-recipient SCL threshold configurations are used by
the Content Filter agent even if you have set per-transport server SCL configurations.
Therefore, if you have set per-recipient SCL thresholds, the Content Filter agent uses the
per-recipient SCL thresholds for specific users instead of the SCL configuration on the
Content Filter agent.
For more information about how to use the Set-Mailbox command, see Set-Mailbox.
Best Practice for Setting Up and Adjusting SCL
Thresholds
We recommend that you set up and adjust the SCL thresholds as follows:
1. Enable the SCL delete, reject, and quarantine thresholds on the content filter
configuration on each Edge Transport server. We recommend that you start with the default
values for these SCL thresholds. The default values were set by the Exchange Server team
according to real-world data from the Microsoft IT messaging department and from
Exchange 2007 early adopter feedback. The default values are optimized for large, global
enterprise deployments. For more information about how to set the SCL thresholds on the
content filter configurations, see How to Configure Content Filtering.
2. Enable and configure per-recipient SCL thresholds. At a minimum, you should enable
and set the SCL Junk E-mail folder threshold on each user's mailbox. You can also
configure the SCL delete, reject, and quarantine thresholds on a per-recipient
configuration. Also, you can set exceptions on each user's mailbox so that messages to
441
that mailbox bypass all anti-spam scanning on the Edge Transport server. For more
information, see How to Configure Anti-Spam Features on a Mailbox.
3. Monitor spam reports and logs closely for the first week after you enable the SCL
thresholds. If the data indicates that you must make immediate adjustments, reconfigure
the SCL thresholds. Otherwise, collect data and analyze the spam reporting to determine
whether adjustments are required.
For More Information
For more information, see the following topics:
•
Anti-Spam and Antivirus Functionality
•
How to Configure and Manage Spam Quarantine
•
How to Configure Content Filtering
•
How to Configure Anti-Spam Features on a Mailbox
•
Set-Mailbox
Spam Quarantine
Many organizations are bound by legal or regulatory requirements to preserve or deliver all
legitimate e-mail messages. In Microsoft Exchange Server 2007, spam quarantine is a feature
of the Content Filter agent that reduces the risk of losing legitimate messages. Spam
quarantine provides a temporary storage location for messages that are identified as spam and
that should not be delivered to a user mailbox inside the organization.
Messages that are identified by the Content Filter agent as spam are wrapped in a non-delivery
report (NDR) and are delivered to a spam quarantine mailbox inside the organization. You can
manage messages that are delivered to the spam quarantine mailbox and can take appropriate
actions. For example, you can delete messages or let messages that are flagged as false
positives in anti-spam filtering be routed to their intended recipients. In addition, you can
configure the spam quarantine mailbox to automatically delete messages after a designated
time period.
For more information about how the anti-spam agents filter inbound messages and the order in
which the agents are applied, see Anti-Spam and Antivirus Functionality.
Spam Confidence Level
When an external user sends e-mail messages to an Exchange server that runs the anti-spam
features, the anti-spam features cumulatively evaluate characteristics of the messages and act
as follows:
442
•
They filter out those messages that are suspected to be spam.
• They assign a rating to messages based on the probability that a message is spam.
This rating is stored with the message as a message property called the spam confidence
level (SCL) rating.
Spam quarantine uses the SCL rating to determine whether mail has a high-probability of being
spam. The SCL rating is a numeric value between 0 and 9, where 0 is considered less likely to
be spam, and 9 is considered most likely to be spam.
You can configure mail that has a certain SCL rating to be deleted, rejected, or quarantined.
The rating that triggers any of these actions is referred to as the SCL quarantine threshold.
Within content filtering, you can configure the Content Filter agent to base its actions on the
SCL quarantine threshold. For example, if you set the following conditions for the SCL
thresholds:
•
The SCL delete threshold is set to 8.
•
The SCL reject threshold is set to 7.
•
The SCL quarantine threshold is set to 6.
•
The SCL Junk E-mail folder threshold to 5.
Then all e-mail with an SCL of 6 will be delivered to the spam quarantine mailbox.
For more information, see How to Enable and Configure the Spam Confidence Level
Thresholds.
Using Spam Quarantine
When messages are received by the Edge Transport server and all default anti-spam filters are
enabled, the anti-spam agents apply their filters. Then the content filter is applied as follows:
• If the SCL rating is greater than or equal to the SCL quarantine threshold but less than
either the SCL delete threshold or SCL reject threshold, the message goes to the spam
quarantine mailbox.
• If the SCL rating is lower than the spam quarantine threshold, it is delivered to the
recipient's Inbox.
The message administrator uses Microsoft Office Outlook 2007 to monitor the spam quarantine
mailbox for false positives. If a false positive is found, the administrator can send the message
to the recipient's mailbox.
The message administrator can review the anti-spam stamps if either of the following
conditions is true:
•
Too many false positives are filtered into the spam quarantine mailbox.
•
Not enough spam is being rejected or deleted.
443
For more information, see Anti-Spam Stamps.
The administrator can then adjust the SCL settings to more accurately filter the spam that is
coming into the organization. For more information, see Adjusting the Spam Confidence Level
Threshold.
Using Exchange Hosted Services
Spam filtering and quarantine functionality is enhanced by or is also available as a service from
Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted
services:
• Hosted Filtering, which helps organizations protect themselves from e-mail-borne
malware
•
Hosted Archive, which helps them satisfy retention requirements for compliance
•
Hosted Encryption, which helps them encrypt data to preserve confidentiality
• Hosted Continuity, which helps them preserve access to e-mail during and after
emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or
Hosted Exchange e-mail services that are offered through service providers. For more
information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For More Information
For more information about spam quarantine, see Configuring and Managing Spam
Quarantine.
For more information about content filtering and anti-spam features in Exchange 2007, see the
following topics:
•
Anti-Spam and Antivirus Functionality
•
Content Filtering
•
Configuring Content Filtering
Understanding Anti-Spam and Antivirus
Mail Flow
When an external user sends e-mail messages to a Microsoft Exchange server that runs the
anti-spam features, the anti-spam features cumulatively evaluate characteristics of inbound
messages and either filter out messages that are suspected to be spam or assign messages a
444
rating based on the probability that the message is spam. This rating is stored with the
message as a message property that is called the spam confidence level (SCL) rating. This
rating is persisted with the message when the message is sent to other Exchange servers.
Figure 77 shows the order in which the default anti-spam features and Microsoft Forefront
Security for Exchange Server filter inbound messages from the Internet. By default, the antispam and antivirus features are arranged in this order with the filters that use the least
resources filtering first, and then the filters with that use the greatest resources filtering last.
Note:
Additional anti-spam features may become available in the future. As new anti-spam
features are developed, they will be included in the overall mail flow. Additionally, the
following figure and explanation assume that the Exchange Server 2007 Edge
Transport server is the first Simple Mail Transfer Protocol (SMTP) server to accept
inbound messages. In some organizations, the Edge Transport server may be
deployed behind a third-party SMTP server. When the Exchange 2007 Edge Transport
server is deployed behind a third-party SMTP gateway server, the Exchange 2007
Edge Transport server requires additional configuration. Specifically, you must make
sure that all SMTP gateway servers are listed in the InternalSMTPServer property of
the TransportConfig object. For more information, see Set-TransportConfig.
445
Figure 77 Default anti-spam features with antivirus filtering of inbound messages from
the Internet
446
447
As shown in Figure 1, filters are applied in the following order when the Edge Transport server
is Internet-facing:
•
A SMTP server connects to Exchange 2007 and initiates an SMTP session.
•
Connection filtering
•
Sender filtering
•
Recipient filtering
•
Sender ID filtering
•
Content filtering
•
Attachment filtering
•
Antivirus scanning
Note:
Although this detail is not shown in Figure 1, connection filtering gathers information
during two different events. The first event where connection filtering gathers
information is shown in Figure 1, where connection filtering gathers IP address
information from the connection. The second time connection filtering gathers
information is shown in Figure 3 when the Sender Filter agent parses the message
headers to determine the first external IP address. Agents may monitor multiple events.
Figure 1 shows a high-level view of the rough order that agents are applied, when all
agents are enabled, for the purposes of illustrating message flow. For more information
about specific events and which agents monitor which events, see Overview of
Transport Agents.
Connection Filtering
During the SMTP session, Exchange 2007 applies connection filtering by using the following
criteria as shown in Figure 78.
448
Figure 78 Connection filtering mail flow
1. The Connection filter agent examines the administrator-defined IP Allow list. If the IP
address of the sending server is on the administrator-defined IP Allow list, the message is
then process by Sender Filtering.
2. The Connection filter agent examines the local IP Block list. If the IP address of the
sending server is found on the local IP Block list, the message is automatically rejected,
and no other filters are applied.
3. The Connection filter agent examines the list of allowed IP addresses that any IP Allow
List providers that you have. If the IP address of the sending server is on the list of allowed
IP addresses from IP Allow List providers, the message is then processed by Sender
Filtering.
4. The Connection filter agent examines the real-time block lists (RBL) of any IP Block
List providers that you have configured. If the sending server's IP address is found on a
RBL, the message is rejected, and no other filters are applied.
For more information, see Configuring Connection Filtering.
Note:
If the Connection filter agent is deployed on a computer that is behind another server
that faces the Internet, other filters, such as sender filtering and recipient filtering, are
invoked before the Connection Filter agent.
449
Sender Filtering
After connection filtering has been applied, Exchange 2007 examines the sender e-mail
address against the list of blocked senders that you configure in sender filtering as shown in
Figure 79.
Figure 79 Sender filtering mail flow
The Sender Filter agent then checks the sender's e-mail address that is contained in the From:
header fields in the message envelope and the message header. If either From: header field
matches the address in the Blocked Sender list, Exchange 2007 rejects the message at the
protocol level, and no other filters are applied.
Note:
Even if recipients in your organization have put senders on their
Microsoft Office Outlook Safe Senders List, sender filtering on the Edge Transport
server will override the recipient's Outlook setting and reject the messages.
For more information about sender filtering, see Configuring Sender Filtering.
For more information about message envelopes and message headers, see Managing the
Replay Directory.
Recipient Filtering
If sender filtering does not reject the message, Exchange runs connection filtering again.
Exchange then applies the Recipient Filter agent as shown in Figure 80.
450
Figure 80 Recipient filtering mail flow
The Recipient Filter agent examines the recipient against the Recipient Block list that you
configure in the recipient filter agent settings. If the intended recipient matches an e-mail
address on your Recipient Block list, Exchange 2007 rejects the message for that particular
recipient. In addition, the Recipient Filter agent checks to see whether the recipient is present
in the organization. If the recipient is not present in the organization, Exchange rejects the
message for that particular recipient.
If multiple recipients are listed on the message and all the recipients are not on the Recipient
Block list, the message will continue to process. Otherwise, if the message is bound for only a
single blocked recipient, no other filters are applied.
When a message with blocked recipients is processed, the set of blocked recipients are
removed from the message, and the message continues into the organization. Protocol-level
SMTP rejection responses are sent to the sender for each blocked recipient. The Sender
Reputation agent monitors the OnReject event to calculate sender reputation level.
For more information, see Configuring Recipient Filtering.
Sender ID Filtering
If the message still contains valid recipients after recipient filtering has been applied,
Exchange 2007 runs Sender ID as shown in Figure 81.
451
Figure 81 Sender ID filtering mail flow
First, the Sender ID agent determines the Purported Responsible Address (PRA) of the
message using the algorithm described in RFC 4407. This step is required to accurately identify
the message's sender. The PRA is an SMTP address, such as kim@contoso.com. The Sender
ID agent then performs a domain name service (DNS) lookup against the domain part of the
PRA. If that domain has published a sender policy framework (SPF) record, the agent uses the
SPF record to evaluate the message according to the specification for RFC 4408. The result of
the evaluation is stamped on the message in the anti-spam stamp. If that domain does not
have a published SPF record, the Sender ID agent stamps a Sender ID result of "None" on the
message. For more information about the types of stamps used for Sender ID filtering, see
Anti-Spam Stamps.
If the sender's DNS is from a blocked domain or a blocked address, the following actions may
be taken depending on your configuration of Sender ID actions:
• Reject message If the Sender ID action is set to Reject Message, Exchange rejects
the message and sends an SMTP error response to the sending server. The SMTP error
response is a 5xx level protocol response with text that corresponds to the Sender ID
status.
• Delete message If the Sender ID action is set to Delete Message, Exchange deletes
the message without informing the sending server of the deletion. In fact, the computer that
has the Edge Transport server role installed sends a fake "OK" SMTP command to the
sending server and then deletes the message. Because the sending server assumes that
the message was sent, the sending server will not retry sending the message in the same
session.
• Stamp message with Sender ID result and continue processing Exchange
stamps the message with the Sender ID result and continues processing the message.
This metadata is evaluated by the Content Filter agent when a SCL is calculated.
452
Additionally, sender reputation uses the message metadata when it calculates a sender
reputation level for the sender of the message.
For more information, see Configuring Sender ID.
Content Filtering
Before Exchange content filtering calls the Exchange Intelligent Message Filter, it applies
sender filtering again. The Exchange server then applies the Content Filter agent as shown in
Figure 82.
Figure 82 Content filtering message flow
The Content Filter agent checks the following conditions in the message. If any of the
conditions are true, the message bypasses content filtering and attachment filtering. These
messages then go on to antivirus scanning for processing.
•
The sender's IP address is on the IP Allow list for connection filtering.
•
All recipients are on the exceptions list for content filtering.
• The AntiSpamBypassEnabled parameter is set to $True on all the recipients'
mailboxes.
• All the recipients have added this sender to their Outlook Safe Sender list, which is
updated to the Edge Transport server by using safelist aggregation.
453
• The sender is a trusted partner and on the organization's list of senders that are not
filtered.
In addition to the conditions listed here, if the SMTP session has been authenticated as a
trusted partner, and if the administrator has granted the Bypass Anti-Spam (Ms-Exch-BypassAnti-Spam) permission to partners, the anti-spam agents will be disabled for messages during
that session. The Bypass Anti-Spam permission is not granted to partners by default and must
be assigned by an administrator.
If a message does not meet any of the conditions described here, content filtering is applied.
Content filtering assigns a SCL rating to the message. Based on the SCL rating, one of the
following actions occurs:
• If the SCL rating on the message is equal to or greater than the SCL delete threshold
and the SCL delete threshold is enabled, the Content Filter agent deletes the message.
There is no protocol-level communication that tells the sending system or sender that the
message was deleted. If the SCL rating is lower than the SCL delete threshold value, the
Content Filter agent does not delete the message. Instead, the Content Filter agent
compares the SCL value to the SCL reject threshold.
• If the SCL rating on the message is equal to or greater than the SCL reject threshold
and the SCL reject threshold is enabled, the Content Filter agent rejects the message and
sends a rejection response to the sending system. You can customize the rejection
response. In some cases, a non-delivery report (NDR) is sent to the original sender of the
message. If the SCL rating is lower than the SCL reject threshold value, the Content Filter
agent does not reject the message. Instead, the Content Filter agent compares the SCL
value to the SCL quarantine threshold.
• If the SCL rating on the message is equal to or greater than the SCL quarantine
threshold and the SCL quarantine threshold is enabled, the Content Filter agent sends the
message to the spam quarantine mailbox. For more information about how to manage the
spam quarantine, see Configuring and Managing Spam Quarantine. The message then
continues to attachment filtering.
For more information, see the following topics:
•
How to Configure Safelist Aggregation
•
Configuring Content Filtering
Attachment Filtering
After content filtering has been applied, Exchange applies attachment filtering as shown in
Figure 83.
454
Figure 83 Attachment filtering mail flow
You can configure attachment filtering to block attachments based on their MIME content type,
file name, or file name extension. If attachment filtering detects a content type of file name that
has been blocked, one of the following actions will occur based on your attachment filtering
settings:
• Reject If action setting is set to Reject, both the e-mail message and attachment are
prevented from being delivered to the recipient and the system generates a DSN failure
message to the sender. You can customize your rejection response.
• Silent Delete If the action setting is set to Silent Delete, both the e-mail message and
attachment are prevented from being delivered to the recipient. A notification that the e-mail
message and attachment were blocked is not returned to the sender.
• Strip If the action setting is set to Strip, the attachment is stripped from the e-mail
message. This value allows the message and other attachments that do not match an entry
on the attachment block list to be delivered to the recipient. A notification that the
attachment was blocked is added to the recipient's e-mail message.
If the message was not rejected or deleted, or attachment filtering did not detect blocked
attachment types, the message is then scanned for viruses.
For more information, see How to Configure Attachment Filtering.
Antivirus Scanning
After attachment filtering has been applied, or if the recipients were bypassed in content
filtering, Forefront Security for Exchange Server antivirus scanning is applied as shown in
Figure 84.
455
Figure 84 Forefront Security for Exchange Server antivirus scanning mail flow
Forefront Security for Exchange Server is an antivirus software package that is tightly
integrated with Exchange 2007 and offers additional antivirus protection for your Exchange
environment. When Forefront Security for Exchange Server detects messages that seem to
contain a virus, the system deletes the message, generates a notification message, and sends
the notification to the recipient’s mailbox.
For more information about Forefront Security for Exchange Server, see Microsoft Forefront
Security for Exchange Server User Guide.
Outlook Junk E-mail Filtering
After all the filters are applied and the message has been scanned for viruses, the message is
sent to the intended recipient's mailbox and the Junk E-mail filtering is applied as shown in
Figure 85.
Figure 85 Outlook Junk E-mail filtering mail flow
If the SCL rating for the message is equal to or greater than the SCL Junk E-mail folder
threshold and the SCL Junk E-mail folder threshold is enabled, the Mailbox server puts the
message in the Outlook user's Junk E-mail folder. If the SCL value for a message is lower than
the values for the SCL delete, reject, quarantine, and Junk E-mail folder thresholds, the Mailbox
server puts the message in the user's Inbox. For more information about the SCL thresholds,
see Adjusting the Spam Confidence Level Threshold.
456
For More Information
For more information about anti-spam and antivirus features, see the following topics:
•
Attachment Filtering
•
Connection Filtering
•
Content Filtering
•
Recipient Filtering
•
Sender Filtering
•
Sender ID
•
Sender Reputation
•
Safelist Aggregation
•
Microsoft Forefront Security for Exchange Server User Guide
Configuring Anti-Spam Features to Reduce
the Volume of Spam
You can use the Exchange Management Console or the Exchange Management Shell to
configure each default anti-spam feature individually.
When the Content Filter agent assigns a spam confidence level (SCL) rating to a message, it
considers any assigned data from other filters in the SCL calculation. The SCL rating is a
number between 0 and 9. A higher SCL rating indicates that a message is more likely to be
spam. The SCL threshold is a set of configurations that you set on the Edge Transport server
and on the e-mail server. In Microsoft Exchange Server 2003, the SCL threshold defines when
the content filtering feature takes a specific action on a specific message, such as when it
rejects a message or deletes a message. In Exchange Server 2007, we've improved the SCL
threshold functionality so that you can adjust the SCL to a more precise level. You can now
define three specific actions according to SCL thresholds. For example, in Exchange 2007, you
can define different thresholds that determine whether a message on the Edge Transport
server will be rejected, deleted, or quarantined.
For more information, see Adjusting the Spam Confidence Level Threshold.
Strategy
Your strategy for how to configure the anti-spam features and establish the aggressiveness of
your anti-spam agent settings requires that you plan and calculate carefully. If you set all antispam features filters to their most aggressive levels and configure all anti-spam features to
457
reject all suspicious messages, you are more likely to reject messages that are not spam. On
the other hand, if you do not set the anti-spam filters at a sufficiently aggressive level and do
not set the SCL threshold low enough, you probably won't see a reduction in the spam that
enters your organization.
It is a best practice to reject a message when Exchange detects a bad message through
the Connection Filter agent, Recipient Filter agent, or Sender Filter agent. This approach is
better than quarantining such messages or assigning metadata, such as anti-spam stamps, to
such messages. Therefore, the connection filter agent and recipient filter agent automatically
block messages that are identified by the respective filters. The Sender Filter agent is
configurable.
This best practice is recommended because the spam confidence level that underlies
connection filtering, recipient filtering, or sender filtering is relatively high. For example, with
sender filtering, where the administrator has configured specific senders to block, there is no
reason to assign the sender filtering data to such messages and to continue to process them.
In most organizations, blocked messages should be rejected. If the administrator did not want
them rejected, the administrator would not have put them on the Blocked Senders list.
The same logic applies to real-time block list (RBL) services and recipient filtering, although the
underlying confidence is not as high as the IP Block list. You should be aware that the further
along the mail flow path a message travels, the greater the probability of false positives,
because the anti-spam features are evaluating more variables. Therefore, you may find that if
you configure the first several anti-spam features in the anti-spam chain more aggressively, you
can reduce the bulk of your spam. Therefore you will save processing, bandwidth, and disk
resources to process more ambiguous messages.
Ultimately, you must plan to monitor the overall effectiveness of the anti-spam features. If you
monitor carefully, you can continue to adjust the anti-spam features to work well together for
your environment. With this approach, you should plan on a fairly non-aggressive configuration
of the anti-spam features when you start. This approach lets you minimize the number of false
positives. As you monitor and adjust the anti-spam features, you can become more aggressive
about the type of spam and spam attacks that your organization experiences.
For more information about how Microsoft planned and deployed the first generation of antispam features in Exchange Server 2003, see Messaging Hygiene at Microsoft: How Microsoft
IT Defends Against Spam, Viruses, and E-Mail Attacks.
For More Information
For more information about anti-spam and antivirus features in Exchange 2007, see the
following topics:
•
Anti-Spam Stamps
•
Attachment Filtering
•
Connection Filtering
458
•
Content Filtering
•
Recipient Filtering
•
Safelist Aggregation
•
Spam Quarantine
•
Sender Filtering
•
Sender ID
•
Sender Reputation
Anti-Spam Updates
Microsoft Exchange Server 2007 includes many anti-spam features that depend on
downloaded data to determine whether a message can be delivered with confidence that it is
not spam.
The following data must be kept up-to-date for the anti-spam features to operate optimally:
• Content filter updates These updates contain updated data about phishing Web
sites, Microsoft SmartScreen spam heuristics, and other Intelligent Message Filter updates.
Content filter updates generally contain about 6 MB of data that is useful for longer periods
of time than other anti-spam update data.
• Microsoft IP Reputation Service data The Microsoft IP Reputation Service is an IP
Block list service that is offered exclusively to Exchange 2007 customers. Administrators
can decide to implement and use the Microsoft IP Reputation Service in addition to other
real-time block list services.
• Spam signature data Spam signatures identify the latest spam campaigns. The
spam is hashed into a message digest, or spam signature. This data is used by content
filtering to assign a higher spam confidence level (SCL) to known spam. The spam
signature files are small. A collection of spam signatures is only a few KB. The spam
signatures are also time-sensitive.
Note:
Antivirus functionality typically requires that you update antivirus signature files
regularly. Antivirus signature files currently are not included in the anti-spam Automatic
Updates functionality.
Anti-spam updates contain data only. They do not contain updated binaries or libraries. Antispam updates do not require mail flow interruption or service restarts.
459
Manual Updates
By default, with manual updates, anti-spam updates are not automatic. Instead, the
administrator must visit Microsoft Update to download and install the content filter updates. The
content filter update data is updated and available for download every two weeks.
Manual updates from Microsoft Update do not include the Microsoft IP Reputation Service or
spam signature data. The Microsoft IP Reputation Service and spam signature data is only
available with Automatic Updates. This is a premium feature that requires either an Exchange
Enterprise Client Access License (CAL) for each user mailbox, or a Microsoft Forefront Security
for Exchange Server license.
For more information, see How to Manually Update Content Filtering using Microsoft Update.
Automatic Updates
Automatic Updates is enabled when you run the Enable Anti-spam Updates wizard or when
you run the Enable-AntispamUpdates cmdlet. When you run the Enable Anti-spam Updates
wizard, you opt in to use Microsoft Update to help keep the computer that is
running Microsoft Exchange up-to-date with anti-spam updates. If you opt in to Automatic
Updates, you must have an Exchange Enterprise CAL for each user mailbox or a Forefront
Security for Exchange Server license.
For information about how to enable Automatic Updates, see How to Configure Anti-spam
Automatic Updates.
For More Information
For more information about update services for IT professionals, see Windows Update,
Microsoft Update, and Automatic Updates for IT Professionals.
For more information about how to configure anti-spam Automatic Updates, see How to
Configure Anti-spam Automatic Updates.
For more information about how to manually update the underlying content filter data, see How
to Manually Update Content Filtering using Microsoft Update.
Planning Antivirus Deployment
Viruses and worms transmitted by e-mail systems are a destructive reality faced by many
Microsoft Exchange administrators. Therefore, you must develop a defensive antivirus
deployment for all messaging systems. This topic provides best practice recommendations
based on the deployment at Microsoft of Microsoft Exchange Server 2007 and
Microsoft Office Outlook 2007.
460
You should pay extra attention to two important changes in Exchange 2007 when you select an
antivirus software vendor:
•
Exchange 2007 is based on a 64-bit architecture.
• As described in more detail later in this topic, Exchange 2007 includes new transport
agent functionality.
These two changes mean that antivirus vendors must provide Exchange 2007–specific
software. Antivirus software that is written for earlier versions of Exchange Server is unlikely to
operate correctly with Exchange 2007.
At Microsoft, the Microsoft IT organization has determined that deploying antivirus software that
is designed for messaging at the SMTP gateway and bridgehead servers, together with filelevel antivirus scanners on all computers, provides the optimal balance between cost and risk.
Running Antivirus Software on Edge Transport
and Hub Transport Servers
Perhaps the most important place to run messaging antivirus software is at the first line of
defense in your organization. In Exchange 2007, the first line of defense is at the network
perimeter on the Edge Transport server.
To better guard against virus outbreaks from inside the organization or as a second line of
defense, we recommend that you run transport-based antivirus software on the Hub Transport
server.
In Exchange 2007, agents act on transport events, much like event sinks in earlier versions of
Microsoft Exchange. Third-party developers can write customized agents to take advantage of
the underlying Exchange MIME-parsing engine for robust transport-level antivirus scanning.
Many third-party software vendors provide Exchange 2007–specific agents that take advantage
of the Exchange transport MIME-parsing engine. Contact your antivirus vendor for more
information.
In addition, Microsoft Forefront Security for Exchange Server also includes a transport antivirus
agent for Exchange 2007. For more information about how to install and configure the Forefront
Security for Exchange Server antivirus agent, see Microsoft Forefront Security for Exchange
Server User Guide.
Running Antivirus Software on Other Computers
in the Organization
The Microsoft IT organization runs file-level virus scanning on the following two classes of
computers:
•
User desktops
461
•
Servers
Desktop Virus Scanning
When Exchange 2007 released to manufacture, all corporate users at Microsoft were running
Outlook 2007. If you run outdated e-mail clients on the desktop, you take a serious risk
because of the object model and attachment-handling behavior in older e-mail clients. By
default, therefore, Outlook 2003 and Outlook 2007 are the only MAPI clients from
which Exchange 2007 accepts connections. For more information about the risks associated
with running older versions of e-mail clients, see Taking Steps to Secure Outlook.
After you have upgraded to Outlook 2003 or Outlook 2007, verify that you have installed a filelevel antivirus software product on all desktop computers. In addition, take the following steps:
• Develop a plan to make sure that antivirus signature files are automatically updated on
all desktops.
• Make sure that you develop and maintain an end-to-end update management solution
in your organization to battle viruses.
Server Virus Scanning
The Microsoft IT organization has a general policy to run file-level scanning on all desktop and
server computers in the corporation. Therefore, all Exchange Server computers have some
form of file-level antivirus scanning running on them. For the Mailbox server role, you must
perform additional configuration to file-level scanning so that some directories are not scanned.
Specifically, we don't recommend that you run desktop or file server antivirus software against
the Exchange store databases.
Important:
When Exchange 2007 released to manufacture, the Microsoft IT organization was not
running antivirus software that relies on the Microsoft Virus Scanning API (VSAPI) in
the corporate e-mail environment. We have not had a widespread security outbreak
with this deployment model. Therefore, currently we do not recommend that you
run antivirus software that uses Microsoft VSAPI unless either of the following
conditions is true:
• Your organization does not have complete and reliable desktop antivirus scanning
products deployed.
•
Your organization wants the additional protection that store scanning can provide.
462
Using Exchange Hosted Services
Spam and virus filtering is enhanced by or is also available as a service from
Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted
services:
• Hosted Filtering, which helps organizations protect themselves from e-mail-borne
malware
•
Hosted Archive, which helps them satisfy retention requirements for compliance
•
Hosted Encryption, which helps them encrypt data to preserve confidentiality
• Hosted Continuity, which helps them preserve access to e-mail during and after
emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or
Hosted Exchange e-mail services that are offered through service providers. For more
information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
Transport Policy and Compliance Agents
Many organizations are obligated by legal, regulatory, or business process requirements to
process, filter, modify, and store e-mail messages that are transferred to and from the
organization and the Internet, in addition to internal communications between individuals in the
organization. The Transport Policy and Compliance infrastructure of
Microsoft Exchange Server 2007 provides a set of rules that govern how e-mail messages are
stored and processed based on a set of requirements. The following important features help
you comply with these legal, regulatory, and business process requirements more easily:
• Transport rules agents There are two transport rules agents in Exchange 2007. The
Transport Rules agent runs on Hub Transport servers and helps you meet regulatory and
corporate policy requirements. The Edge Rules agent runs on the Edge Transport server
and helps you protect your organization from unsolicited commercial e-mail, or spam, and
viruses. For more information about the transport rules agents and specific scenarios
where they might be used, see the following topics:
•
Overview of Transport Rules
• Understanding How Transport Rules Are Applied in an Exchange 2007
Organization
•
Understanding Ethical Walls
•
Understanding Attorney/Client Privileged Communication
• Journaling agent The Journaling agent helps you configure how Exchange enforces
e-mail retention policies on messages that are sent or received by departments or
463
individuals in your organization, to and from recipients outside your organization, or both.
For more information about the Journaling agent, journal reports, and journaling in a mixed
Exchange Server 2003 and Exchange Server 2007 organization, see the following topics:
•
Overview of Journaling
•
Understanding Journal Reports
•
Protecting Journal Reports
•
Understanding How to Manage Journal Reports
• Understanding Journaling in a Mixed Exchange Server 2003 and Exchange Server
2007 Environment
Using Exchange Hosted Services
Policy and compliance features are enhanced by or are also available as services from
Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted
services:
• Hosted Filtering, which helps organizations protect themselves from e-mail-borne
malware
•
Hosted Archive, which helps them satisfy retention requirements for compliance
•
Hosted Encryption, which helps them encrypt data to preserve confidentiality
• Hosted Continuity, which helps them preserve access to e-mail during and after
emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or
Hosted Exchange e-mail services that are offered through service providers. For more
information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
Understanding How Transport Rules Are
Applied in an Exchange 2007
Organization
This topic explains how transport rules are applied across a Microsoft Exchange Server 2007
organization. For more information about transport rules, see Overview of Transport Rules.
464
Transport Rule Scope
You can configure transport rules to use with the Transport Rules agents that are configured on
computers that have the Hub Transport server role or the Edge Transport server role installed.
The procedures that are used to configure transport rules on each server role are the same, but
the scope of the transport rules on each server role is very different.
The transport rules that you configure on one Hub Transport server are applied via the
Active Directory directory service to all other Hub Transport servers in the Exchange 2007
organization. This means that each Hub Transport server in the organization applies the same
set of transport rules, and the same transport rules are applied to all e-mail messages that are
sent or received in the organization. Transport rules on Hub Transport servers evaluate all
messages that meet the following criteria:
• Meeting requests, regular messages, encrypted messages, and rights-protected
messages that are sent between authenticated users.
• All e-mail messages that are sent anonymously, regardless of message type, sender or
recipient.
Note:
Exchange 2007 relies on Active Directory to replicate transport rules across the
organization. For more information, see "Transport Rule Replication" later in this
document.
The transport rules that you configure on an Edge Transport server are applied only to e-mail
messages that pass through that specific Edge Transport server. The Transport Rule agents
that run on each Edge Transport server do not interact with other Transport Rule agents on
other Edge Transport servers. Therefore, you can configure Edge Transport servers to apply
distinct transport rules depending on the e-mail messaging traffic that they manage. Transport
rules on Edge Transport servers evaluate all messages that they encounter.
Transport Rule Replication
Transport rules that are configured on a Hub Transport server are applied to the whole
Exchange 2007 organization, except Edge Transport servers. When a new transport rule is
created or an existing transport rule is modified or deleted on a Hub Transport server, the
change is replicated to all Active Directory servers in the organization. All the Hub Transport
servers in the organization then read the new configuration from the Active Directory servers
and apply the new or modified transport rules to e-mail messages that pass through the Hub
Transport server. By replicating all the transport rules across the organization, Exchange 2007
enables you to provide a consistent set of transport rules across the organization. All e-mail
messages that pass in or through your Exchange 2007 organization are subject to the same
transport rules.
465
Important:
Replication of transport rules across an organization is dependant on Active Directory
replication. Replication time between Active Directory domain controllers varies
depending on the number of sites in the organization, slow links, and other factors
outside the control of Exchange. When you configure transport rules in your
organization, make sure that you consider replication delays. For more information
about Active Directory replication, see Active Directory Replication Technologies.
Important:
Each Hub Transport server maintains a recipient cache that is used to look up recipient
and distribution list information. The recipient cache reduces the number of requests
that each Hub Transport server must make to an Active Directory domain controller. By
default, the recipient cache updates every four hours. As a result, changes to transport
rule recipients, such as the addition or removal of distribution list members, may not be
applied to transport rules until the recipient cache is updated.
Note:
Each time the Hub Transport server retrieves a new transport rule configuration, an
event is logged in the Security log in Event Viewer.
Transport rules that are configured on Edge Transport servers are applied only to the local
server on which the transport rule was created. New transport rules and changes to existing
transport rules affect only e-mail messages that pass through that specific Edge Transport
server. If you have more than one Edge Transport server and you want to apply a consistent
set of rules across all Edge Transport servers, you must either manually configure each server
or export the transport rules from one server and import them into all other Edge Transport
servers.
Predicates
Predicates are used by conditions and exceptions to define what part of an e-mail message the
conditions and exceptions examine to determine whether the transport rule should be applied
to that message. Some predicates examine the To: or From: fields of a message, whereas
other predicates examine the subject, body, or attachment size. To determine whether a
transport rule should be applied to a message, most predicates require that you specify a value
that the predicates use to test against the message.
Conditions
Transport rule conditions are used to indicate which e-mail message attributes, headers,
recipients, senders, or other parts of the message are used to identify the e-mail messages to
which a transport rule action should be applied. Most conditions accept a value that the
condition should look for in the message. If the data in the section of the e-mail message that
466
the condition is inspecting matches the value of the condition, the message matches that
condition.
You can configure multiple conditions on a transport rule to narrow the scope of the transport
rule so that it applies actions only to messages that have very specific criteria. Alternatively, you
may decide not to apply any conditions. If you don't include any conditions on a transport rule,
the transport rule is applied to all messages that the transport rule encounters. The number of
conditions that you can apply to a single transport rule is unlimited. However, when you apply
more conditions, the number of e-mail messages that meet each specified condition is reduced.
Important:
• If you configure multiple conditions on the same transport rule, all the conditions
must be met for the transport rule to apply the configured action to a particular e-mail
message.
• When you specify multiple values on a single condition, if one or more of the
values are matched, the condition is satisfied. For example, if an e-mail message has
the subject Stock price information, and the SubjectContains condition on a
transport rule is configured to match the words Contoso and stock, the condition is
satisfied because the subject contains at least one of the values of the condition.
Although conditions are used to determine which e-mail messages to include when a transport
rule applies an action, transport rules also use exceptions to determine which e-mail messages
to exclude from having an action applied, even though the message matches all the conditions.
For more information about exceptions, see "Exceptions" later in this document.
To view a list of predicates that you can use to configure transport rule conditions, see
Transport Rule Predicates.
Exceptions
Transport rule exceptions are based on the same predicates that are used to create transport
rule conditions. However, unlike transport rule conditions, exceptions identify the e-mail
messages to which a transport rule action should not be applied. Transport rule exceptions
override conditions and prevent a transport rule action from being applied to an e-mail
message, even if the message matches all configured transport rule conditions.
Most exceptions accept a value that the exception should look for in the message. If the data in
the section of the e-mail message that the exception is inspecting matches the value of the
exception, the message matches that exception.
You can configure multiple exceptions on a transport rule to expand the criteria that is used to
identify e-mail messages to which a transport rule action should not be applied. Alternatively,
you may decide not to apply any exceptions. If you don't include any exceptions on a transport
rule, the transport rule applies the rule based on whether the message matches all the
configured transport rule conditions. The number of exceptions that you can apply to a single
transport rule is unlimited.
467
Important:
• If you configure multiple exceptions on the same transport rule, only one exception
must be matched for the transport rule action to be excluded from being applied to an
e-mail message.
• When you specify multiple values on a single exception, if one or more of the
values are matched, the exception is satisfied. For example, if an e-mail message has
the subject Stock price information, and a transport rule uses the SubjectContains
exception, which is configured to match the words Contoso and stock, the exception is
satisfied because the subject contains at least one of the values of the exception.
To view a list of predicates that you can use to configure transport rule exceptions, see
Transport Rule Predicates.
Actions
Actions are applied to e-mail messages that match the conditions and none of the exceptions
that are present on transport rules that are configured on Transport Rules agents. Each action
affects e-mail messages in a different way, from redirecting the e-mail message to another
address, to dropping the message.
After you select the actions that you want to use, you can then assign a value to those actions.
The value of the action modifies how a particular action behaves when it is applied to an e-mail
message.
To view a list of predicates that you can use to configure transport rule actions, see Transport
Rule Actions.
Understanding Ethical Walls
An ethical wall is a zone of non-communication between distinct departments of a business or
organization to prevent conflicts of interest that might result in the inappropriate release of
sensitive information. For more information about how Exchange 2007 helps you configure
ethical walls, see Understanding Ethical Walls.
Understanding Attorney-Client Privileged
Communication
The attorney-client privilege is a legal doctrine that is intended to protect the confidentiality of
communications between an attorney and his or her client. For more information about how you
can use Exchange 2007 to configure message classifications and e-mail message-handling
468
rules to meet your organization's requirements, see Understanding Attorney-Client Privileged
Communication.
Understanding Journal Reports
This topic describes the structure of journal reports in Microsoft Exchange Server 2007 and
how to interpret the information in these reports.
What is a Journal Report?
A journal report is the message that Microsoft Exchange generates when a message matches
a journal rule and is to be submitted to the journaling mailbox. The original message that
matches the journal rule is included unaltered as an attachment to the journal report.
The information that is contained in the journal report is organized so that every value in each
header field has its own line in the journal report. This enables you to easily parse the reports
manually or by using an automated process, depending on your requirements.
When the Journaling agent journals a message, the Journaling agent tries to capture as much
detail as possible about the original message. This information is very important in determining
the intent of the message, its recipients, and its senders. For example, whether the recipients
that are identified on the message are directly addressed on the To field, the Cc field or are
included as part of a distribution list may determine how the recipient is involved in the
discussion in the message.
Depending on the situation, Exchange 2007 may generate more than one journal report for a
single message. Whether a single message generates one journal report or multiple journal
reports depends on several reasons, such as bifurcation or whether there are distribution
groups that have been expanded.
Journal reports can contain very sensitive information and must be protected so that they can't
be viewed by unauthorized individuals. For more information about how you can protect journal
reports, see Protecting Journal Reports.
For more information about journaling and journal reports, see the following topics:
•
Understanding How to Manage Journal Reports
•
Overview of Journaling
Journal Report Fields
The following sections describe each field that is contained within journal reports that are
generated by Exchange 2007. These fields are separated into the basic fields and the
extended fields that are shown in the following table.
469
Table 39 Basic and extended journal report fields
Basic journal report fields
Extended journal report fields
Sender
To
Subject
Cc
Message-ID
Bcc
Recipient
On-Behalf-Of
Whether extended journal report fields are populated depends on the following circumstances:
• MAPI submission to a Hub Transport server Recipient addressing can be
determined when a message is submitted to a Hub Transport server that uses MAPI from a
client such as Microsoft Office Outlook 2007 or Outlook on a mobile device.
• Authenticated SMTP submission to a Hub Transport server Recipient addressing
can also be determined when a message is submitted to a Hub Transport server by using
authenticated Simple Mail Transfer Protocol (SMTP). The sender must not have Send-AsAnyone permissions as this indicates that the sender was a server.
If recipient addressing can be determined for a particular recipient, the recipient e-mail address
is inserted into the appropriate extended To, Cc, or Bcc field, which are described in the
"Extended journal report fields" table later in this document. The recipient e-mail address is not
inserted into the basic Recipient field, which is described in the "Basic journal report fields"
table later in this document.
If a message is submitted to a Hub Transport server by using any other method, such as
anonymous submission from an Edge Transport server or submission from a server that is
running Exchange Server 2003, Exchange cannot verify that the recipient addressing has not
been tampered with. If recipient addressing cannot be verified, the recipient e-mail address is
inserted in the basic Recipient field and not into an extended To, Cc, or Bcc field.
For each recipient addressed on a message, one recipient journal report field is added. No
recipient field contains more than one recipient e-mail address, except as follows:
• Recipient fields that contain recipients that have been expanded from a distribution
group
• Recipient fields that contain recipients that have received a message forwarded from
another mailbox
For expanded or forwarded messages, the e-mail address of the recipient that received final
delivery of the message and the e-mail address of the distribution group or mailbox that was
originally addressed are included.
470
Basic Journal Report Fields
Basic fields in Exchange 2007 journal reports include the sender, subject, and Message-ID of
the original message. All journal reports include this information if it is present in the original
message.
The fourth basic field is the Recipient field. Exchange 2007 only classifies information that it
knows is correct. If Exchange can't determine whether a recipient was included in the To, Cc, or
Bcc recipient fields, the recipient is put into the Recipient field in the journal report.
The following table lists the basic fields that are included in the body of journal reports.
Table 40 Basic journal report fields
Field name
Description
Sender
The Sender field displays the SMTP address
of the sender of the e-mail message that is
specified in the message's From header field
or, if the message is sent on behalf of another
mailbox, the Sender header field.
Subject
The Subjectfield displays the MIME subject
header value.
Message-ID
The Message-ID field displays the internal
Exchange Message-ID. This matches the
same Message-ID that is found in the
message tracking log files.
Recipient
The Recipient field displays the SMTP address
of a recipient that is included on an e-mail
message if Exchange cannot determine the
recipient addressing of that message. This
includes messages that originated from legacy
Exchange servers and messages from the
Internet.
Extended Journal Report Fields
Extended fields in Exchange 2007 journal reports provide a more detailed level of recipient
detail when that detail is available. The To, Cc, and Bcc fields in the journal report let you view
how recipients are addressed in the original message.
The On-Behalf-Of field is populated if the SMTP headers of a message contain both the From:
and Sender: header fields, regardless of whether the message was submitted directly to a Hub
471
Transport server. The SMTP address contained in the From: header field is value that
populated in the On-Behalf-Of field.
The following table lists the extended fields that may be included in the body of journal reports.
Table 41 Extended journal report fields
Field name
Description
On-Behalf-Of
The On-Behalf-Of field displays the SMTP
address of the mailbox from which the
message appears if the Send On Behalf Of
feature is specified by the sender.
To
The To field displays the SMTP address of a
recipient that is included in the message
envelope and in the To header field of the
message.
The recipient address can be included either
directly by the sender, or indirectly through
distribution list expansion or if the message
was forwarded to the recipient by another
mailbox. To indicate whether the message
went through distribution list expansion or was
forwarded, the To field may also contain one
Expanded field or one Forwarded field,
separated with commas. For more information
about these fields, see the Expanded and
Forwarded entries later in this table.
Cc
The Cc field displays the SMTP address of a
recipient that is included in the message
envelope and in the Cc header field of the
message.
The recipient address can be included either
directly by the sender, or indirectly through
distribution list expansion or if the message
was forwarded to the recipient by another
mailbox. To indicate whether the message
went through distribution list expansion or was
forwarded, the Cc field may also contain one
Expanded field or one Forwarded field,
separated with commas. These fields are
discussed later in this table.
472
Bcc
The Bcc field displays the SMTP address of a
recipient that is included in the message
envelope and in the Bcc header field of the
message.
The recipient address can be included either
directly by the sender, or indirectly through
distribution list expansion or if the message
was forwarded to the recipient by another
mailbox. To indicate whether the message
went through distribution list expansion or was
forwarded, the Bcc field may also contain one
Expanded field or one Forwarded field,
separated with commas. These fields are
discussed later in this topic.
Expanded and Forwarded Fields
The Expanded and Forwarded fields are included as sub-fields on Recipient, To, Cc, or Bcc
fields when that recipient has either been expanded from a distribution group or has had the
message forwarded from another mailbox. The following table describes the Expanded and
Forwarded extended fields.
Table 42 Expanded and Forwarded fields
Field
Description
Expanded
The Expanded field is displayed as a sub-field
of the To, Cc, and Bcc fields that are described
earlier in this table. The Expanded field is
preceded by a comma. The SMTP address
that is displayed in the Expanded field is the
address of the distribution list that contains
either the recipient that is specified in the To,
Cc, or Bcc field or the nested distribution lists
that contain the specified recipient. The
address that is displayed in this field is always
the first distribution list to be expanded,
regardless of how many nested distribution
lists may be between the original parent
distribution list and the expanded final recipient
that is specified in the To, Cc, or Bcc field.
473
Forwarded
The Forwarded field is displayed as a sub-field
of the To, Cc, and Bcc fields that are described
earlier in this table. The Forwarded field is
preceded by a comma. Usually, the Forwarded
field displays the e-mail address of a mailbox
that is configured to forward e-mail messages
to the account that is specified in the To, Cc, or
Bcc field. However, you can configure a chain
of forwarding mailboxes so that each mailbox
forwards to the next one. If a chain of
forwarding mailboxes is configured, the first
forwarding mailbox is displayed in this field,
and the SMTP address of the final, nonforwarding mailbox in the chain is displayed in
the To, Cc, or Bcc field.
Examples of Journal Reports
The first figure in this section shows an example of a journal report that was generated when a
message was sent from an Exchange 2007 mailbox to a Hub Transport server. The recipients
of the original message were addressed as follows:
• The To field contains the Sales Group distribution group. The following are the four
members of the Sales Group distribution group: Brian Smith, David Simpson, Maria
Cameron, and Ray Chow.
• The Cc field contains the recipient Christine Hughes. The mailbox for Christine Hughes
is configured to automatically forward messages to the mailbox for Katie Jordan.
•
The Bcc field contains the recipient Blaine Dockter.
Three journal reports were created when the original message was sent. The journal report
shown in the following figure lists only the recipients expanded from the Sales Group
distribution group.
474
Figure 86 Journal report that displays extended recipient fields
Two additional journal reports were generated from the previous example message. The journal
reports for the Cc and Bcc recipients are identical to the preceding figure, except instead of the
To journal report fields, the following fields are present in each journal report respectively:
•
Cc: katie@adatum.com, Forwarded: christine@adatum.com
•
Bcc: blaine@adatum.com
The following figure shows an example of a journal report that was generated when a message
that originated from the Internet was processed by a Hub Transport server. The recipients in
this message were addressed the same as the recipients in the previous example. However, in
the journal report in this figure, the recipients are put in the Recipient field because the original
message was sent from the Internet. Because the message originated from the Internet,
Exchange cannot verify that the recipient addressing has not been tampered with. As with the
first example, three journal reports were created for the single message. The following figure
shows only the recipients that were expanded from the Sales Group distribution list.
475
Figure 87 Journal report that displays basic recipient fields
Two additional journal reports were generated from the second example message. The journal
reports for the Cc and Bcc recipients are identical to the "Journal report that displays basic
recipient fields" figure, except each journal report contains the remaining recipients addressed
in the second example message:
•
Recipient: katie@adatum.com, Forwarded: christine@adatum.com
•
Recipient: blaine@adatum.com
Protecting Journal Reports
This topic explains how Microsoft Exchange Server 2007 can help you protect journal reports
from being viewed by unauthorized people and also describes the redirection of journal reports
to an alternate journaling mailbox.
For more information about journaling and journal reports, see the following topics:
•
Understanding Journal Reports
•
Understanding How to Manage Journal Reports
•
Overview of Journaling
476
Protecting Journal Reports Sent Inside an
Exchange 2007 Organization
When a journal report is generated, Exchange 2007 sends the journal report to the journaling
mailbox. Exchange 2007 helps prevent tampering with the journal reports that are submitted to
the journaling mailbox by performing the following tasks:
• It uses secure links between Hub Transport servers and Mailbox servers in the
Exchange 2007 organization.
• It sends the journal report as Microsoft Exchange and authenticates the session
between the Hub Transport server and the Mailbox server.
• It accepts only secure, authenticated connections when journal reports are sent
between Hub Transport servers and Mailbox servers in the same Exchange 2007
organization.
Caution:
Exchange 2007 generates a journal report for every e-mail message that matches the
criteria that are configured on a journal rule. Depending on your organization and how
you configure your journal rules, Exchange 2007 may generate a significant number of
journal reports. Carefully consider your topology, network links, and journaling
requirements before you implement journal rules.
Caution:
Improperly secured communication links, journaling mailboxes, or servers can expose
sensitive data.
Protecting Journal Reports Sent to Third-Party
Solution Providers
Journal reports contain sensitive information that should not be exposed to unauthorized
people. As explained earlier in this topic, Exchange 2007 tries to encrypt the connections
between the Hub Transport server and the Mailbox server where the journaling mailbox resides
and requires that the submitting system authenticate before the Mailbox server accepts the
journal report. However, you can configure Exchange 2007 to send journal reports to a
recipient that does not reside on a Mailbox server in the same Exchange 2007 organization as
the Hub Transport server. You can use such a configuration to send journal reports to thirdparty providers of archival or other consolidated journaling solutions that are not
Exchange 2007–based.
In configurations where the source server and destination server are not both Exchange 2007
and are not both in the same organization, the connections between the two servers may not
be automatically encrypted. However, even in these configurations, you can use
477
Exchange 2007 to help you protect the journal reports that are sent to the third-party solution
providers. Exchange lets you use the following solutions to help you protect the communication
between the Exchange server and the third-party solution providers:
•
Configure Transport Layer Security (TLS) between the two systems.
•
Require authentication on the receiving system.
• Accept only e-mail messages from the Simple Mail Transfer Protocol (SMTP) address
of the Microsoft Exchange contact.
• Configure a mail-enabled contact that sends e-mail messages to the SMTP address of
the third-party solution and configure Exchange 2007 to send journal reports to that
contact. Then configure the contact to accept journal reports only from Microsoft Exchange
contact created in your Exchange 2007 organization.
Caution:
Improperly secured communication links, journaling mailboxes, or servers can expose
sensitive data.
TLS is a standard protocol that is used to provide secure communications on the Internet or
intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients.
It also provides a security channel by encrypting communications. TLS is the latest, and a more
secure, version of the Secure Sockets Layer (SSL) protocol.
Important:
TLS encrypts the communication only between two servers. If you configure TLS to
protect journal messages, and the destination server that will store the journal reports
is not directly available to the Exchange server, you must configure TLS between each
server through which the journal report travels.
Understanding How to Manage Journal
Reports
This topic discusses several factors that you have to consider when you use
Microsoft Exchange Server 2007 to deploy journaling. The following factors can affect the
delivery and availability of journal reports that are generated when a recipient or sender
receives or sends messages that are journaled:
• Journaling mailbox size How high should you set the mailbox quota on journaling
mailboxes?
• Alternate journaling mailbox How does configuring an alternate journaling mailbox
affect journal report delivery?
For more information, see Overview of Journaling.
478
Journaling Mailbox Size
When you configure a journaling mailbox to accept journal reports, you have to determine the
maximum size of the journaling mailbox. As with any other mailbox, the maximum size depends
on the data to be stored in the mailbox, the hardware resources that are available to you, and
the disaster recovery capabilities for the server that contains the journaling mailbox. In addition
to these considerations, you must also consider what will occur if a journaling mailbox exceeds
the configured mailbox quota.
When you configure the Prohibit send and receive at (KB) storage quota on a journaling
mailbox, the journaling mailbox accepts journal reports until the journaling mailbox reaches the
configured storage quota. When the prohibit send and receive storage quota is exceeded, the
journaling mailbox stops accepting journaling reports.
Microsoft Exchange doesn't return journaling reports to the original sender as it does with
regular messages. Instead, Microsoft Exchange holds the undelivered journal reports in a mail
queue and tries to redeliver the journal report until delivery is successful. Although this enables
Microsoft Exchange to eventually deliver all the journal reports that are generated, it can be
problematic in organizations that generate many journal reports because the mail queues on
the affected servers can grow quickly.
To reduce the possibility that your journaling mailbox will reject journal reports because it has
reached the configured storage quota, we recommend that you configure your journaling
mailbox prohibit send and receive storage quota to the maximum size that your hardware
resources and disaster recovery capabilities allow for.
Important:
If you remove storage quotas from journaling mailboxes, configure sufficient monitoring
to make sure that you do not exceed your available hardware resources or disaster
recovery capabilities.
If you must configure a prohibit send and receive storage quota on a journaling mailbox and
expect that the configured storage quota might be exceeded, you can configure an alternate
journaling mailbox. For more information about alternate journaling mailboxes, see the
"Alternate Journaling Mailbox" section later in this document. Also, when a journal report is
rejected by a journaling mailbox, Event ID 8010 is logged in the Application event log. By
monitoring the Application event log for this event, you can be alerted to a potential problem
with the journaling mailbox and resolve the situation quickly.
For information about how to configure storage quotas on a journal mailbox, see How to
Configure Storage Quotas for a Mailbox.
Alternate Journaling Mailbox
You might not want to allow rejected journal reports to collect in an e-mail queue when the
journal mailbox is unavailable. Instead, you can configure an alternate journaling mailbox to
479
collect those journal reports. The alternate journaling mailbox receives the non-delivery reports
(NDRs) that are generated when the journaling mailbox or the server that contains the
journaling mailbox refuses delivery of the journal report. When the journaling mailbox becomes
available again, you can use the Send Again feature of Microsoft Office Outlook to re-submit
the journal reports for delivery to the journaling mailbox.
When you configure an alternate journaling mailbox, this mailbox is used to collect all the
journal reports that are rejected across your whole Exchange 2007 organization. If any
journaling mailbox rejects journal reports, those journal reports are sent to the single alternate
journaling mailbox. Therefore, it's important to make sure that the alternate journaling mailbox
and the mailbox server where it's located can support many journal reports.
Caution:
If you configure an alternate journaling mailbox, you must monitor the mailbox to make
sure that it does not become unavailable. If the alternate journaling mailbox becomes
unavailable and rejects journal reports, the rejected journal reports are lost and cannot
be retrieved. Remember this when you decide whether to use an alternate journaling
mailbox and how to configure the alternate journaling mailbox.
Only journal reports that are submitted for delivery to an unavailable journaling mailbox after an
alternate journaling mailbox is configured will be redirected to the alternate journaling mailbox.
Journal reports that have already failed delivery when an alternate journaling mailbox is
enabled are not redirected.
If you configure an alternate journaling mailbox, you can reduce the load on your Hub Transport
servers and Mailbox servers. Exchange will not continually try to deliver the journal reports to
an unavailable journal mailbox. Instead, Exchange will redirect the journal reports to the
alternate journal mailbox where the journal reports can remain until you are ready to resubmit
them to the journal mailbox.
However, because the alternate journaling mailbox collects all the rejected journal reports for
the whole Exchange 2007 organization, you must make sure that this doesn't violate any laws
or regulations that apply to your organization. If laws or regulations prohibit your or