Exchange Control Panel
The Exchange Control Panel (ECP) is hosted on the CAS server role and is an exciting new tool in Exchange Server 2010. The ECP is a browser-based management client for end users, administrators, and specialists. It provides a new way to administer a subset of Exchange Server features and is fully integrated with Role Based Access Control (RBAC).
This new ECP web utility provides a self-provisioning portal for administrators and a simplified user experience for common management tasks. It is accessible directly via URL, from Outlook Web App (OWA), and from Outlook Server 2010. Figure 5 shows the start page of the interface for an administrator role.
The ECP is AJAX-based, is deployed as part of the Client Access server role, and shares some code with OWA. However, the two are separate applications and sites.
The Exchange Control Panel can be used in a variety of scenarios. Administrators can delegate permissions by role to support a variety of administrators, specialists, and users. These include the following types of scenarios:
The scenarios are configured in the RBAC interface, which is itself based in the Exchange Control Panel.
Administrators launch the ECP tool directly from the ECP link (https://<servername>/ecp), where <servername> is an Exchange Server 2010 CAS. End users access the ECP tool from within OWA, where it launches from the Options link. Although it launches from the OWA web page (https://<servername>/owa), the link points to the ECP web page (https://<servername>/ecp). Security is fully integrated, so the end-user experience is seamless.
The browser support for the ECP is the same as for OWA premium. Supported browsers are as follows:
Internet Explorer (IE)
Firefox
Safari
ActiveSync
Exchange ActiveSync is a synchronization protocol that allows mobile devices to synchronize the user's Exchange Server mailbox, including email, calendar, contacts, and tasks. It is based on HTTP and Extensible Markup Language (XML). ActiveSync supports the following devices:
Unlike Exchange Server 2003, Exchange Server 2010 enables the ActiveSync feature by default. Exchange Server 2010 ActiveSync has a number of new and improved features over the Exchange Server 2003 version, including the following:
Support for HTML messages
Support for follow-up flags
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
Windows SharePoint Services and Universal Naming Convention (UNC) document access
PIN reset
Autodiscover for over-the-air provisioning
Support for Out of Office configuration
Support for tasks synchronization
Support for Direct Push
Some of the new features, such as Direct Push and Autodiscover, require Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) or Windows Mobile 6.x installed on the device to function.
Exchange Server 2010 ActiveSync also has a number of new security features, including the following:
These new security features allow Exchange Server 2010 administrators to manage the security of their mobile devices effectively. Settings such as whether Bluetooth (a frequent security risk) or the camera may be used, along with other new settings, give the Exchange Server 2010 administrator much more control over the devices. The settings available in the ActiveSync mailbox policy are listed here:
The General policy settings control overall policy settings, such as the policy refresh interval. General security policy settings include the following:
Allow Nonprovisionable Devices— Specifies whether older devices that might not support application of all policy settings are allowed to connect to Exchange Server 2010 by using Exchange ActiveSync.
Refresh Interval (Hours)— Defines how frequently the device updates the Exchange ActiveSync policy from the server.
Windows File Shares— Enables access to files that are stored on Windows file share (UNC) shares.
Windows SharePoint Services— Enables access to files that are stored in Microsoft Windows SharePoint Services document libraries.
Password policy settings control the password requirements for the mobile devices. Password policy settings include the following:
Require Password— Enables the device password.
Required Alphanumeric Password— Requires that a password contains numeric and nonnumeric characters.
Enable Password Recovery— When this setting is enabled, the device generates a recovery password that is sent to the server. If the user forgets the device password, the recovery password can be used to unlock the device and enable the user to create a new device password.
Require Encryption on Device— Specifies whether device encryption is required. If checked, the device must support and implement encryption to synchronize with the server.
Require Encryption on Storage Card— Specifies whether the storage card must be encrypted. Not all mobile phone operating systems support storage card encryption; consult the documentation for your device and mobile operating system.
Allow Simple Password— Enables or disables the ability to use a simple password such as 1234. This option is checked by default.
Number of Failed Password Attempts Allowed— Specifies how many times an incorrect password can be entered before the device performs a wipe of all data.
Minimum Password Length— Specifies the minimum password length.
Time Without User Input Before Password Must Be Re-Entered (in Minutes)— Specifies the length of time that a device can go without user input before it locks.
Password Expiration (Days)— Enables the administrator to configure a length of time after which a device password must be changed.
Enforce Password History— Prevents the user from reusing the past number of passwords specified when changing passwords on the device.
The Sync Setting policy settings control the synchronization behavior of the mobile devices. Sync Settings policies include the following:
Include Past Calendar Items— Specifies the maximum range of calendar days that can be synchronized to the device. The default is All.
Include Past Email Items— Specifies the maximum number of days’ worth of email items to synchronize to the device. The default is All.
Limit Email Size to (KB)— Specifies the size beyond which email messages are truncated when they are synchronized to the device. The value is specified in kilobytes (KB).
Allow Direct Push When Roaming— Specifies whether the device must synchronize manually while roaming. Allowing automatic synchronization while roaming can frequently lead to larger-than-expected data costs for the mobile phone plan.
Allow HTML-Formatted Email— Specifies whether email synchronized to the device can be in HTML format. If this setting is unchecked, all email is converted to plain text.
Allow Attachments to Be Downloaded to Device— Enables attachments to be downloaded to the mobile phone.
Maximum Attachment Size (KB)— Specifies the maximum size of attachments that are automatically downloaded to the device.
The Device policy settings control which device features the organization enables. These features can be a source of consternation for security professionals, including cameras used to capture inappropriate information or Bluetooth-enabled devices hacked in coffee shops. The device policy settings enable Exchange Server 2010 administrators to disable device features as needed. Device policy settings include the following:
Allow Removable Storage— Specifies whether the mobile phone can access information that is stored on a storage card.
Allow Camera— Specifies whether the mobile phone camera can be used.
Allow Wi-Fi— Specifies whether wireless Internet access is allowed on the device.
Allow Infrared— Specifies whether infrared connections are allowed to and from the mobile phone.
Allow Internet Sharing from Device— Specifies whether the mobile phone can be used as a modem for a desktop or portable computer.
Allow Remote Desktop from Device— Specifies whether the mobile phone can initiate a remote desktop connection.
Allow Desktop Synchronization— Specifies whether the mobile phone can synchronize with a computer through a cable, Bluetooth, or IrDA connection.
Allow Bluetooth— Specifies whether a mobile phone enables Bluetooth connections. The available options are Disable, HandsFree Only, and Allow.
Note
The Device policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy in which these are enabled.
The Device Application settings control how the devices use applications. These policies include the following:
Allow Browser— Specifies whether Pocket Internet Explorer is enabled on the mobile phone. This setting does not affect third-party browsers installed on the device.
Allow Consumer Mail— Specifies whether the mobile phone user can configure a personal email account (either POP3 or IMAP4) on the device.
Allow Unsigned Applications— Specifies whether unsigned applications can be installed on the device.
Allow Unsigned Installation Packages— Specifies whether an unsigned installation package can be run on the device.
Note
The Device Applications policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy where these are enabled.
The policies under the Other tab control allowed and blocked applications. Specifically, those policies follow:
Note
The Other policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy in which these are enabled.
These policies are much more comprehensive than in previous versions of Exchange Server and address the concerns of many organizations about the twin demons of mobile device proliferation and lack of control over those devices. Exchange Server 2010 gives administrators the policy tools they need to control what the devices can do and to enforce the organization's written security policies.
To use the password policy features and the Remote Device Wipe, you need to create an Exchange ActiveSync mailbox policy and associate the user with it. By default, all users are associated with the Default policy that is created at install.
Different policies can be created to meet the needs of different user communities. For example, an organization might have one general user ActiveSync mailbox policy with default password settings that require a minimum of four characters. A second ActiveSync mailbox policy for executives with higher security requirements and more secure password settings might require a minimum of 10-character passwords. These policies would be assigned to the appropriate mailboxes. During CAS installation, a Default ActiveSync mailbox policy is created. This policy enables most of the features of ActiveSync devices, so it is not restrictive at all. The policy can be adjusted or new policies created.
To create a new ActiveSync mailbox policy, execute the following steps:
1. Expand the Organization Configuration folder.
2. Select the Client Access folder.
3. In the actions pane, select New Exchange ActiveSync Mailbox Policy.
4. Enter the policy name, such as Default Exchange ActiveSync Mailbox Policy.
5. Click New to create the policy.
6. Click Finish to close the wizard.
To associate a user with an Exchange ActiveSync mailbox policy, execute the following steps:
1. Expand the Recipient Configuration folder.
2. Select the Mailbox folder.
3. Select the mailbox.
4. Select Properties in the actions pane.
5. Select the Mailbox Features tab.
6. Select Exchange ActiveSync and click Properties.
7. Click Browse and select a policy, such as the Default Exchange ActiveSync Mailbox Policy created earlier.
8. Click OK three times to save the settings.
Now the user's mobile device will have the policies applied and can be managed remotely, as is evidenced by the Manage Mobile Device selection in the mailbox actions pane.
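The same two-policy arrangement (a lenient general policy and a stricter executive policy) can be built from the Exchange Management Shell instead of the console. This is an added example, not code from the book; the policy names, the "Executives" distribution group and the chosen limits are constructed for the example, and the parameter names are those of the Exchange 2010 New-ActiveSyncMailboxPolicy and Set-CASMailbox cmdlets.

```powershell
# Added example (not from the book): create the two ActiveSync mailbox policies
# described above and bind mailboxes to them from the Exchange Management Shell.
# Policy names, the "Executives" group and the limits are constructed here.

# General user policy: a device PIN is required, but a simple 4-digit PIN is fine.
New-ActiveSyncMailboxPolicy -Name "General Users EAS Policy" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AllowNonProvisionableDevices $false

# Executive policy: 10-character alphanumeric password rotated every 90 days,
# device and storage card encryption, 5-minute lock, camera off, Bluetooth
# limited to hands-free use, and no devices that cannot apply the policy.
New-ActiveSyncMailboxPolicy -Name "Executives EAS Policy" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 10 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 5 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowCamera $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowNonProvisionableDevices $false

# Bind every member of the Executives group to the stricter policy. Everyone
# else keeps the policy already set (the Default policy after installation).
Get-DistributionGroupMember -Identity "Executives" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Executives EAS Policy"

# Verify: which policy each mailbox resolves to, and whether EAS is enabled.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy |
    Sort-Object ActiveSyncMailboxPolicy, Name
```

Setting AllowNonProvisionableDevices to $false means older devices that cannot apply the policy are refused, so check the verification output against the device inventory before rolling the executive policy out.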
ActiveSync Remote Wipe
The ActiveSync Remote Wipe function deletes the data from the device. Applications and other program data remain on the system; only the data is removed. To administratively remote wipe a device:
The Exchange Management Console can be used to wipe a device. This would typically be done by an administrator after a device has been lost. To use the EMC to perform a remote device wipe, go through the following steps:
1. Open the Exchange Management Console.
2. Under Recipient Configuration, select Mailbox.
3. Select the user from the Mailbox window.
4. In the action pane, click Manage mobile device, or right-click the user's mailbox, and then click Manage mobile device.
5. Select the mobile device you want to clear all data from.
6. In the Actions section, click Clear.
7. Click Clear again.
The device will be wiped the next time it synchronizes. There might be an ActiveSync warning dialog box on the mobile device saying "Exchange Server must enforce security policies on your device to continue synchronizing. Do you want to continue?" The user must select OK or Cancel. If the user selects OK, the device restarts and comes up in a clean default Windows Mobile 6.x state. If the user selects Cancel, the device does not synchronize any new data. However, the user can still continue to look at the information already there.
Note
After the wipe is successful, the device needs to be removed from the list of user devices. If this is not done, the device continues to wipe every time it synchronizes.
The Outlook Web App client can also be used to wipe a device remotely. This would typically be done by the user rather than the administrator. To use Outlook Web App to perform a remote device wipe, run the following steps:
1. Open Outlook Web App.
2. Log on to the device owner's mailbox.
3. Click Options.
4. In the Navigation pane, select Mobile Devices.
5. Select the ID of the device that you want to wipe and remove from the list.
6. Click Wipe all data from device.
7. Click OK.
8. Click Remove Device from List (after the status changes to successful).
Note that the status changes to pending wipe. After the device synchronizes, the status changes to wipe successful. Once again, the device needs to be removed from the user's list if it will be used again.
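The shell equivalent of the console and OWA procedures above, split into two calls so that the partnership is removed only once the device has acknowledged the wipe (the repeat-wipe problem the Note describes). This is an added example, not code from the book; the mailbox "chrisa", the device ID and the notification address are constructed, and the cmdlets and DeviceWipe* properties are those of Exchange 2010.

```powershell
# Added example (not from the book): wipe a lost device from the Exchange
# Management Shell, then remove it from the user's device list only after the
# device has acknowledged the wipe, so it is not wiped again on every later
# sync. Mailbox "chrisa", the device ID and the notification address are
# constructed for this example.

function Start-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId, [string]$NotifyAddress)
    # Find the partnership for the lost device under the user's mailbox.
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { throw "No ActiveSync partnership for $DeviceId on $Mailbox" }
    # Queue the wipe. The device is cleared on its next sync, and the
    # notification address receives mail once the device acknowledges.
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    return $device.Identity
}

function Complete-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId)
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { "Partnership for $DeviceId already removed."; return }
    if (-not $device.DeviceWipeSentTime) {
        "Wipe for $DeviceId not yet sent; the device has not synchronized since the request."
        return
    }
    if (-not $device.DeviceWipeAckTime) {
        "Wipe sent $($device.DeviceWipeSentTime) but not acknowledged; leave the partnership in place."
        return
    }
    # Acknowledged: drop the partnership so the device can be re-enrolled
    # later without being wiped again on its first sync.
    Remove-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
    "Device $DeviceId wiped at $($device.DeviceWipeAckTime) and removed from $Mailbox's list."
}

# Usage: the first call when the loss is reported, the second after the
# device status has changed to wipe successful.
Start-LostDeviceWipe -Mailbox "chrisa" -DeviceId "ExampleDeviceId1234" -NotifyAddress "security-ops@example.com"
Complete-LostDeviceWipe -Mailbox "chrisa" -DeviceId "ExampleDeviceId1234"
```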
POP and IMAP
Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are legacy messaging protocols that are used mostly by home users and some third-party applications.
Exchange Server 2010 supports them for backward compatibility, and the services are disabled by default. To use these protocols, the services must be started on the CAS.
Client Throttling
Client Throttling policies control the performance of the Exchange Server infrastructure by controlling the connection bandwidth. The feature does this on a component-by-component basis, allowing fine-grained control of the impact that clients have on the infrastructure.
Clients controlled by the policies are the following:
At installation time, a default throttling policy is created. The default policy can be adjusted and new policies can be created. Policies are set on a user-by-user basis. If no policy is explicitly set on the user, they are implicitly assigned the default throttling policy.
There are a set of new cmdlets to create, modify, and remove throttling policies. These new cmdlets are as follows:
New-ThrottlingPolicy— Creates a new throttling policy.
Remove-ThrottlingPolicy— Removes a throttling policy.
Get-ThrottlingPolicy— Lets you view the settings of a throttling policy.
Set-ThrottlingPolicy— Modifies all available settings for a throttling policy.
The parameters for the throttling policy cmdlets are less than straightforward. This is because each client can be controlled independently and the cmdlets use acronyms to specify which client is adjusted. The parameters for controlling client access follow:
<XXX>MaxConcurrency— This is the maximum number of concurrent connections that the user can have for the specified service.
<XXX>PercentTimeInCAS— This is the percentage of a minute that a user can spend executing CAS code. This is a combined set of PercentTimeInAD and PercentTimeInMailboxRPC.
<XXX>PercentTimeInAD— This is the percentage of a minute that a user can spend executing LDAP requests.
<XXX>PercentTimeInMailboxRPC— This is the percentage of a minute that a user can spend executing mailbox RPC requests.
Where <XXX> is the acronym of the service being throttled. The service acronyms are the following:
EAS— Exchange ActiveSync Users
EWS— Exchange Web Services Users
OWA— Outlook Web App Users
POP— POP3 Users
UM— Unified Messaging Users
IMAP— IMAP4 Users
The PercentTimeInCAS is the sum of PercentTimeInAD and PercentTimeInMailboxRPC plus time executing on the CAS. It is possible for the percent times to be higher than 100 due to concurrent connections. For example, if a user running an OWA session consumes 42 seconds out of a minute, their OWAPercentTimeInCAS would be 70%. If they open a second OWA session on another system that consumes 30 seconds out of a minute, their total OWAPercentTimeInCAS would be 70% + 50%, or 120%.
Interestingly, PowerShell has its own set of throttling parameters, as follows:
PowerShellMaxConcurrency— This is the number of remote PowerShell sessions that a user can have open at the same time.
PowerShellMaxCmdlets— This specifies the number of cmdlets that the user can execute in the time period specified by the PowerShellMaxCmdletsTimePeriod parameter. The two should be set at the same time.
PowerShellMaxCmdletsTimePeriod— The time period in seconds for which the PowerShellMaxCmdlets parameter is enforced.
PowerShellMaxCmdletQueueDepth— This is the number of operations allowed to be executed by the user. This should be set to at least three times the value of PowerShellMaxConcurrency.
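The parameter families above fit together most naturally in a policy for an application service account that is allowed more EWS concurrency than an ordinary user but still has its remote PowerShell use bounded. This is an added example, not code from the book; the policy name, the mailbox "ewsapp" and the limits are constructed, the cmdlet parameters are those of Exchange 2010, and Get-LimitValue is a small hypothetical helper defined here to read limits that may be "unlimited".

```powershell
# Added example (not from the book): create a throttling policy for an
# application service account that drives many concurrent EWS requests and
# runs remote PowerShell, assign it with Set-Mailbox, then review all
# non-default policies against the default. Names and limits are constructed.
$psConcurrency = 5
$psQueueDepth  = 3 * $psConcurrency   # at least 3x PowerShellMaxConcurrency, per the guidance above

New-ThrottlingPolicy -Name "EWSAppServicePolicy" `
    -EWSMaxConcurrency 50 `
    -EWSPercentTimeInCAS 300 `
    -EWSPercentTimeInAD 100 `
    -EWSPercentTimeInMailboxRPC 200 `
    -PowerShellMaxConcurrency $psConcurrency `
    -PowerShellMaxCmdletQueueDepth $psQueueDepth `
    -PowerShellMaxCmdlets 200 `
    -PowerShellMaxCmdletsTimePeriod 60   # always set together with PowerShellMaxCmdlets

# Bind the policy to the service account mailbox and confirm the binding.
Set-Mailbox -Identity ewsapp -ThrottlingPolicy "EWSAppServicePolicy"
Get-Mailbox -Identity ewsapp | Select-Object Name, ThrottlingPolicy

function Get-LimitValue($limit) {
    # Hypothetical helper: throttling limits may read "unlimited"; treat that
    # as the largest integer so comparisons below still work.
    $s = "$limit"
    if ($s -eq "" -or $s -eq "unlimited") { return [int]::MaxValue }
    return [int]$s
}

# Review every non-default policy: flag any that grants more EWS concurrency
# than the default policy, and any that breaks the 3x queue-depth rule.
$default = Get-ThrottlingPolicy | Where-Object { $_.IsDefault -eq $true }
$defaultEws = Get-LimitValue $default.EWSMaxConcurrency
Get-ThrottlingPolicy | Where-Object { $_.IsDefault -ne $true } | ForEach-Object {
    $ews   = Get-LimitValue $_.EWSMaxConcurrency
    $psMax = Get-LimitValue $_.PowerShellMaxConcurrency
    $psQ   = Get-LimitValue $_.PowerShellMaxCmdletQueueDepth
    New-Object PSObject -Property @{
        Policy            = $_.Name
        EWSMaxConcurrency = $ews
        LooserThanDefault = ($ews -gt $defaultEws)
        PSQueueDepthOK    = ($psQ -ge 3 * $psMax)
    }
} | Format-Table Policy, EWSMaxConcurrency, LooserThanDefault, PSQueueDepthOK -AutoSize
```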
The default policy values for some of the key parameters are given in Table 3. These default values can be adjusted either by adjusting the default policy using the Set-ThrottlingPolicy cmdlet or by creating a new throttling policy with the New-ThrottlingPolicy cmdlet and then assigning it to a user with the Set-Mailbox cmdlet.
Table 3. Key Default Throttling Policy Values
Parameter | Default Value |
---|---|
EASMaxConcurrency | 5 |
EASPercentTimeInCAS | 75 |
EWSMaxConcurrency | 10 |
EWSPercentTimeInCAS | 90 |
IMAPMaxConcurrency | 20 |
IMAPPercentTimeInCAS | 150 |
OWAMaxConcurrency | 5 |
OWAPercentTimeInCAS | 150 |
POPMaxConcurrency | 20 |
POPPercentTimeInCAS | 150 |
PowerShellMaxConcurrency | 18 |
PowerShellMaxCmdlets | |
Throttling policy is assigned using the Set-Mailbox cmdlet. For example, to assign a throttling policy named ThrottlingPolicy1 to a user chrisa, run the following commands:
$tp = Get-ThrottlingPolicy ThrottlingPolicy1;          # look up the policy object by name
Set-Mailbox -Identity chrisa -ThrottlingPolicy $tp;    # bind it to the user's mailbox
To reset a user's policy to the default policy, you have to explicitly set the user's throttling policy to the default policy. The commands to do this for the user chrisa are as follows:
$defaultpolicy = Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq $true};   # the policy flagged as default
Set-Mailbox -Identity chrisa -ThrottlingPolicy $defaultpolicy;                   # assign it explicitly
The user chrisa now has the default throttling policy assigned to her account. The effect of an implicitly assigned default throttling policy and an explicitly assigned default throttling policy is the same.