
Implementing Client Access and Hub Transport Servers : Understanding the Client Access Server (part 2)

4/27/2011 5:56:29 PM

Exchange Control Panel

The Exchange Control Panel (ECP) is hosted on the CAS server role and is an exciting new tool in Exchange Server 2010. The ECP is a browser-based Management client for end users, administrators, and specialists. This provides a new way to administer a subset of Exchange Server features and is completely RBAC integrated.

This new ECP web utility provides a great self-provisioning portal for administrators and a simplified user experience for common management tasks. It is accessible directly via URL, Outlook Web App (OWA), and Outlook Server 2010. Figure 5 shows the start page of the interface from an administrator role.

Figure 5. Exchange Control Panel.

The ECP is AJAX-based, is deployed as a part of the Client Access server role, and shares some code with OWA. However, the two are separate applications and sites.

The Exchange Control Panel can be used in a variety of scenarios. Administrators can delegate permissions through roles to support a variety of administrators, specialists, and users. These include the following types of scenarios:

  • Administrators

  • Helpdesk Specialists

  • Auditors

  • End Users

  • Customers in a Hosted Environment

The scenarios are configured in the RBAC interface, which is itself based in the Exchange Control Panel.

Administrators would launch the ECP tool directly from the ECP link (https://<servername>/ecp) where <servername> is an Exchange Server 2010 CAS. End users would access the ECP tool from within OWA, which launches from the Options link. Although it launches from the OWA web page (https://<servername>/owa), the link is to the ECP web page (https://<servername>/ecp). The security is completely integrated, enabling the end-user experience to be completely seamless.

The browser support for the ECP is the same as for OWA premium. Supported browsers are as follows:

  • Internet Explorer (IE)

  • Firefox

  • Safari

ActiveSync

Exchange ActiveSync is a synchronization protocol that allows mobile devices to synchronize the user’s Exchange Server mailbox, including email, calendar, contacts, and tasks. It is based on HTTP and Extensible Markup Language (XML). ActiveSync supports the following devices:

  • Windows Mobile 6.x and 5.0

  • Pocket PC 2003

  • Pocket PC 2002

Unlike Exchange Server 2003, in Exchange Server 2010, the ActiveSync feature is enabled by default. Exchange Server 2010 ActiveSync has a number of new and improved features over the Exchange Server 2003 version, including the following:

  • Support for HTML messages

  • Support for follow-up flags

  • Support for fast message retrieval

  • Meeting attendee information

  • Enhanced Exchange Search

  • Windows SharePoint Services and Universal Naming Convention (UNC) document access

  • PIN reset

  • Autodiscover for over-the-air provisioning

  • Support for Out of Office configuration

  • Support for tasks synchronization

  • Support for Direct Push

Some of the new features, such as Direct Push and Autodiscover, require Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) or Windows Mobile 6.x installed on the device to function.

Exchange Server 2010 ActiveSync also has a number of new security features, including the following:

  • Exchange ActiveSync mailbox policies

  • Device password policies

  • Remote Device Wipe

These new security features allow Exchange Server 2010 administrators to effectively manage the security of their mobile devices. Settings such as allowing the use of Bluetooth (a frequent security risk), the camera, and other new settings give the Exchange Server 2010 administrator much more control over the devices. The settings available in the ActiveSync mailbox policy are listed here:

The General policy settings control overall policy settings, such as the policy refresh interval. General security policy settings include the following:

  • Allow Nonprovisionable Devices— Specifies whether older devices that might not support application of all policy settings are allowed to connect to Exchange Server 2010 by using Exchange ActiveSync.

  • Refresh Interval (Hours)— Defines how frequently the device updates the Exchange ActiveSync policy from the server.

  • Windows File Shares— Enables access to files that are stored on Windows file share (UNC) shares.

  • Windows SharePoint Services— Enables access to files that are stored in Microsoft Windows SharePoint Services document libraries.

Password policy settings control the password requirements for the mobile devices. Password policy settings include the following:

  • Require Password— Enables the device password.

  • Require Alphanumeric Password— Requires that a password contains both numeric and nonnumeric characters.

  • Enable Password Recovery— When this setting is enabled, the device generates a recovery password that’s sent to the server. If the user forgets their device password, the recovery password can be used to unlock the device and enable the user to create a new device password.

  • Require Encryption on Device— Specifies whether device encryption is required. If checked, the device must support and implement encryption to synchronize with the server.

  • Require Encryption on Storage Card— Specifies whether the storage card must be encrypted. Not all mobile phone operating systems support storage card encryption; consult the documentation for your device and mobile operating system.

  • Allow Simple Password— Enables or disables the ability to use a simple password such as 1234. This option is checked by default.

  • Number of Failed Password Attempts Allowed— Specifies how many times an incorrect password can be entered before the device performs a wipe of all data.

  • Minimum Password Length— Specifies the minimum password length.

  • Time Without User Input Before Password Must Be Re-Entered (in Minutes)— Specifies the length of time that a device can go without user input before it locks.

  • Password Expiration (Days)— Enables the administrator to configure a length of time after which a device password must be changed.

  • Enforce Password History— Prevents the user from reusing the past number of passwords specified when changing passwords on the device.

The Sync Setting policy settings control the synchronization behavior of the mobile devices. Sync Settings policies include the following:

  • Include Past Calendar Items— Specifies the maximum range of calendar days that can be synchronized to the device. The default is All.

  • Include Past Email Items— Specifies the maximum number of days’ worth of email items to synchronize to the device. The default is All.

  • Limit Email Size to (KB)— Specifies the size beyond which email messages are truncated when they are synchronized to the device. The value is specified in kilobytes (KB).

  • Allow Direct Push When Roaming— Specifies whether the device must synchronize manually while roaming. Allowing automatic synchronization while roaming can frequently lead to larger-than-expected data costs for the mobile phone plan.

  • Allow HTML-Formatted Email— Specifies whether email synchronized to the device can be in HTML format. If this setting is unchecked, all email is converted to plain text.

  • Allow Attachments to Be Downloaded to Device— Enables attachments to be downloaded to the mobile phone.

  • Maximum Attachment Size (KB)— Specifies the maximum size of attachments that are automatically downloaded to the device.

The Device policy settings control what device features are enabled by the organization. These features can be a source of consternation for security professionals, including cameras used to capture inappropriate information or Bluetooth-enabled devices hacked in coffee shops. The device policy settings enable Exchange Server 2010 administrators to disable device features as needed. Device policy settings include the following:

  • Allow Removable Storage— Specifies whether the mobile phone can access information that is stored on a storage card.

  • Allow Camera— Specifies whether the mobile phone camera can be used.

  • Allow Wi-Fi— Specifies whether wireless Internet access is allowed on the device.

  • Allow Infrared— Specifies whether infrared connections are allowed to and from the mobile phone.

  • Allow Internet Sharing from Device— Specifies whether the mobile phone can be used as a modem for a desktop or portable computer.

  • Allow Remote Desktop from Device— Specifies whether the mobile phone can initiate a remote desktop connection.

  • Allow Desktop Synchronization— Specifies whether the mobile phone can synchronize with a computer through a cable, Bluetooth, or IrDA connection.

  • Allow Bluetooth— Specifies whether a mobile phone enables Bluetooth connections. The available options are Disable, HandsFree Only, and Allow.

Note

The Device policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy in which these are enabled.


The Device Application settings control how the devices use applications. These policies include the following:

  • Allow Browser— Specifies whether Pocket Internet Explorer is enabled on the mobile phone. This setting doesn’t affect third-party browsers installed on the device.

  • Allow Consumer Mail— Specifies whether the mobile phone user can configure a personal email account (either POP3 or IMAP4) on the device.

  • Allow Unsigned Applications— Specifies whether unsigned applications can be installed on the device.

  • Allow Unsigned Installation Packages— Specifies whether an unsigned installation package can be run on the device.

Note

The Device Applications policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy where these are enabled.


The policies under the Other tab control allowed and blocked applications. Specifically, those policies follow:

  • Approved Applications— Stores a list of approved applications that can be run on the device.

  • Blocked Applications— Specifies a list of applications that cannot be run on the device.

Note

The Other policy settings are premium Exchange ActiveSync features and require an Exchange Enterprise Client Access License for each device covered by the policy in which these are enabled.


These policies are much more comprehensive than in previous versions of Exchange Server and address the concerns of many organizations about the twin demons of proliferation and lack of control of mobile devices. Exchange Server 2010 gives administrators the policy tools they need to control what the devices can do and to enforce the organization's written security policies.

To use the password policy features and the Remote Device Wipe, you need to create and associate the user with an Exchange ActiveSync mailbox policy. By default, all users are associated with the Default policy that is created at install.

Different policies can be created to meet the needs of different user communities. For example, an organization might have one general user ActiveSync mailbox policy with default password settings that require a minimum of four characters. A second ActiveSync mailbox policy for executives with higher security requirements and more secure password settings might require a minimum of 10-character passwords. These policies would be assigned to the appropriate mailboxes. During CAS installation, a Default ActiveSync mailbox policy is created. This policy enables most of the features of ActiveSync devices, so it is not restrictive at all. The policy can be adjusted or new policies created.

To create a new ActiveSync mailbox policy, execute the following steps:

1. Expand the Organization Configuration folder.

2. Select the Client Access folder.

3. In the actions pane, select New Exchange ActiveSync Mailbox Policy.

4. Enter the policy name, such as Default Exchange ActiveSync Mailbox Policy.

5. Click New to create the policy.

6. Click Finish to close the wizard.

To associate a user with an Exchange ActiveSync mailbox policy, execute the following steps:

1. Expand the Recipient Configuration folder.

2. Select the Mailbox folder.

3. Select the mailbox.

4. Select Properties in the actions pane.

5. Select the Mailbox Features tab.

6. Select Exchange ActiveSync and click Properties.

7. Click Browse and select a policy, such as the Default Exchange ActiveSync Mailbox Policy created earlier.

8. Click OK three times to save the settings.

Now, the user’s mobile device will have the policies applied and can be managed remotely, as is evidenced by the Manage Mobile Device selection in the mailbox actions pane.
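The two-tier policy design described above (a general policy with four-character passwords and a stricter executive policy with ten-character passwords), done from the Exchange Management Shell instead of the console. This is an added example, not code from the book; the policy names, the mailbox alias chrisa and the chosen thresholds are constructed values, and the Device and Device Application parameters used need the Enterprise CAL noted earlier.

```powershell
# Added example: two ActiveSync mailbox policies built with
# New-ActiveSyncMailboxPolicy and assigned with Set-CASMailbox.
# Policy names, thresholds and the mailbox alias are constructed values.

# General users: the four-character baseline from the text, but with
# non-provisionable devices refused so every device that connects can
# actually have the policy applied to it.
New-ActiveSyncMailboxPolicy -Name "General ActiveSync Policy" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -AllowSimpleDevicePassword $true `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AllowNonProvisionableDevices $false

# Executives: 10-character alphanumeric passwords, no simple passwords,
# password history, device and storage-card encryption, a short lock
# timeout, and the device features the text singles out (camera,
# Bluetooth, unsigned code) disabled.
New-ActiveSyncMailboxPolicy -Name "Executive ActiveSync Policy" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 10 `
    -AllowSimpleDevicePassword $false `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# Assign the executive policy to one mailbox; this is the shell form of
# Mailbox Features > Exchange ActiveSync > Properties > Browse in the EMC.
Set-CASMailbox -Identity chrisa -ActiveSyncMailboxPolicy "Executive ActiveSync Policy"

# Verify which policy every ActiveSync-enabled mailbox carries, so a
# mailbox left on the permissive Default policy is easy to spot.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy |
    Sort-Object ActiveSyncMailboxPolicy, Name
```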

ActiveSync Remote Wipe

The ActiveSync Remote Wipe function deletes the data off the device. Applications and other program data remain on the system; only the data is removed. A remote wipe can be issued administratively from the Exchange Management Console or by the user from Outlook Web App.

The Exchange Management Console can be used to wipe a device. This would typically be done by an administrator after a device has been lost. To use the EMC to perform a remote device wipe, go through the following steps:

1. Open the Exchange Management Console.

2. Under Recipient Configuration, select Mailbox.

3. Select the user from the Mailbox window.

4. In the action pane, click Manage mobile device, or right-click the user’s mailbox, and then click Manage mobile device.

5. Select the mobile device you want to clear all data from.

6. In the Actions section, click Clear.

7. Click Clear again.

The device will be wiped the next time it synchronizes. There might be an ActiveSync warning dialog box on the mobile device saying "Exchange Server must enforce security policies on your device to continue synchronizing. Do you want to continue?" The user must select OK or Cancel. If the user selects OK, the device restarts and comes up in a clean default Windows Mobile 6.x state. If the user selects Cancel, the device does not synchronize any new data. However, the user can still continue to look at the information already there.

Note

After the wipe is successful, the device needs to be removed from the list of user devices. If this is not done, the device continues to wipe every time it synchronizes.


The Outlook Web App client can also be used to wipe a device remotely. This would typically be done by the user rather than the administrator. To use Outlook Web App to perform a remote device wipe, run the following steps:

1. Open Outlook Web App.

2. Log on to the device owner’s mailbox.

3. Click Options.

4. In the Navigation pane, select Mobile Devices.

5. Select the ID of the device that you want to wipe and remove from the list.

6. Click Wipe all data from device.

7. Click OK.

8. Click Remove Device from List (after the status changes to successful).

Note that the status changes to pending wipe. After the device synchronizes, the status changes to wipe successful. Once again, the device needs to be removed from the user’s list if it will be used again.
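The administrative wipe lifecycle above (list devices, queue the wipe, confirm the acknowledgement, then remove the partnership so the device is not wiped again on every sync) as an added Exchange Management Shell example that is not part of the book. The mailbox alias, the device ID being matched and the notification address are constructed values.

```powershell
# Added example: remote wipe of a lost device from the shell, with the
# clean-up the Note calls for. Alias, device ID and address are constructed.
$mailbox = "chrisa"

# Step 1: list the user's partnered devices (shell view of "Manage mobile
# device"). The Identity of each entry is what the wipe and remove take.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceFriendlyName, DeviceType, DeviceID,
    LastSyncAttemptTime, IsRemoteWipeSupported, Status -AutoSize

# Step 2: pick the lost device by its DeviceID and queue the wipe. As with
# "Clear" in the EMC, nothing happens until the device next synchronizes.
$lost = $devices | Where-Object { $_.DeviceID -eq "CONSTRUCTED_DEVICE_ID" }
if (-not $lost) { throw "No device with that ID is partnered with $mailbox" }
if (-not $lost.IsRemoteWipeSupported) {
    Write-Warning "Device does not report remote wipe support; the request may never be honored"
}
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@example.com" -Confirm:$false

# Step 3 (run again later): has the device acknowledged the wipe?
# DeviceWipeRequestTime is set when the wipe is queued, DeviceWipeSentTime
# when the server hands it to the device, DeviceWipeAckTime when the
# device confirms it.
$state = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lost.DeviceID }
$state | Format-List DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime, Status

# Step 4: once acknowledged, remove the partnership. Leaving it in place
# means a recovered device is wiped again every time it synchronizes.
if ($state.DeviceWipeAckTime) {
    Remove-ActiveSyncDevice -Identity $state.Identity -Confirm:$false
    "Wipe acknowledged at $($state.DeviceWipeAckTime); partnership removed."
} else {
    "Wipe still pending; the device has not synchronized since the request."
}
```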

POP and IMAP

Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are legacy messaging protocols that are used mostly by home users and some third-party applications.

Exchange Server 2010 supports them for backward compatibility and the services are disabled by default. To use these protocols, the services must be started on the CAS.

Client Throttling

Client Throttling policies control the performance of the Exchange Server infrastructure by controlling the connection bandwidth. The feature does this on a component-by-component basis, allowing fine-grained control of the impact that clients have on the infrastructure.

Clients controlled by the policies are the following:

  • Microsoft Exchange ActiveSync

  • Exchange Web Services

  • Outlook Web App

  • IMAP4

  • POP3

  • PowerShell

  • Unified Messaging (UM)

At installation time, a default throttling policy is created. The default policy can be adjusted and new policies can be created. Policies are set on a user-by-user basis. If no policy is explicitly set on the user, they are implicitly assigned the default throttling policy.

There is a set of new cmdlets to create, modify, and remove throttling policies. These new cmdlets are as follows:

  • New-ThrottlingPolicy— Creates a new throttling policy.

  • Remove-ThrottlingPolicy— Removes a throttling policy.

  • Get-ThrottlingPolicy— Lets you view the settings of a throttling policy.

  • Set-ThrottlingPolicy— Modifies all available settings for a throttling policy.

The parameters for the throttling policy cmdlets are less than straightforward. This is because each client can be controlled independently and the cmdlets use acronyms to specify which client is adjusted. The parameters for controlling client access follow:

  • <XXX>MaxConcurrency— This is the maximum number of concurrent connections that the user can have for the specified service.

  • <XXX>PercentTimeInCAS— This is the percentage of a minute that a user can spend executing CAS code. It includes the time counted by PercentTimeInAD and PercentTimeInMailboxRPC.

  • <XXX>PercentTimeInAD— This is the percentage of a minute that a user can spend executing LDAP requests.

  • <XXX>PercentTimeInMailboxRPC— This is the percentage of a minute that a user can spend executing mailbox RPC requests.

Where <XXX> is the acronym of the service being throttled. The service acronyms are the following:

  • EAS— Exchange ActiveSync Users

  • EWS— Exchange Web Services Users

  • OWA— Outlook Web App Users

  • POP— POP3 Users

  • UM— Unified Messaging Users

  • IMAP— IMAP4 Users

The PercentTimeInCAS is the sum of PercentTimeInAD and PercentTimeInMailboxRPC plus time executing on the CAS. It is possible for the percent times to be higher than 100 due to concurrent connections. For example, if a user running an OWA session consumes 42 seconds out of a minute, their OWAPercentTimeInCAS would be 70%. If they open a second OWA session on another system that consumes 30 seconds out of a minute, their total OWAPercentTimeInCAS would be 70% + 50% or 120%.

Interestingly, PowerShell has its own set of throttling parameters, as follows:

  • PowerShellMaxConcurrency— This is the number of remote PowerShell sessions that a user can have open at the same time.

  • PowerShellMaxCmdlets— This specifies the number of cmdlets that the user can execute in the time period specified by the PowerShellMaxCmdletsTimePeriod parameter. The two should be set at the same time.

  • PowerShellMaxCmdletsTimePeriod— The time period in seconds for which the PowerShellMaxCmdlets parameter is enforced.

  • PowerShellMaxCmdletQueueDepth— This is the number of operations allowed to be executed by the user. This should be set to at least three times the value of PowerShellMaxConcurrency.

The default policy values for some of the key parameters are given in Table 3. These default values can be adjusted either by modifying the default policy using the Set-ThrottlingPolicy cmdlet or by creating a new throttling policy with the New-ThrottlingPolicy cmdlet and then assigning it to a user with the Set-Mailbox cmdlet.

Table 3. Key Default Throttling Policy Values

Parameter                      Default Value
EASMaxConcurrency              5
EASPercentTimeInCAS            75
EWSMaxConcurrency              10
EWSPercentTimeInCAS            90
IMAPMaxConcurrency             20
IMAPPercentTimeInCAS           150
OWAMaxConcurrency              5
OWAPercentTimeInCAS            150
POPMaxConcurrency              20
POPPercentTimeInCAS            150
PowerShellMaxConcurrency       18
PowerShellMaxCmdlets           

Throttling policy is assigned using the Set-Mailbox cmdlet. For example, to assign a throttling policy named ThrottlingPolicy1 to a user chrisa, run the following commands:

$tp = Get-ThrottlingPolicy ThrottlingPolicy1;
Set-Mailbox -Identity chrisa -ThrottlingPolicy $tp;

To reset a user’s policy to the default policy, you have to explicitly set the user’s throttling policy to the default policy. The commands to do this for the user chrisa are as follows:

$defaultpolicy = Get-ThrottlingPolicy | where-object {$_.IsDefault -eq $true}
Set-Mailbox -Identity chrisa -ThrottlingPolicy $defaultpolicy;


The user chrisa now has the default throttling policy assigned to her account. The effect of an implicitly assigned default throttling policy and an explicitly assigned default throttling policy is the same.
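A complete example of the policy workflow described in this section, added here and not taken from the book: a dedicated throttling policy for an integration account that uses Exchange Web Services and remote PowerShell, created with New-ThrottlingPolicy, assigned with Set-Mailbox, and compared against the default policy for the parameters Table 3 lists. The policy name, the alias svc-ews and the chosen limits are constructed values.

```powershell
# Added example: a service-account throttling policy. Name, alias and
# limits are constructed; the defaults it is compared with come from the
# server, not from this script.

# EWS concurrency raised above the default of 10 for a multi-threaded
# integration, but EWSPercentTimeInCAS left at the default of 90 so one
# runaway process still cannot monopolize the CAS role.
# PowerShellMaxCmdlets and PowerShellMaxCmdletsTimePeriod are set together,
# as the text requires (200 cmdlets per 60 seconds), and the queue depth
# is three times PowerShellMaxConcurrency.
New-ThrottlingPolicy -Name "ServiceAccountPolicy" `
    -EWSMaxConcurrency 40 `
    -EWSPercentTimeInCAS 90 `
    -PowerShellMaxConcurrency 4 `
    -PowerShellMaxCmdlets 200 `
    -PowerShellMaxCmdletsTimePeriod 60 `
    -PowerShellMaxCmdletQueueDepth 12

# Explicit assignment to the service mailbox (the same Set-Mailbox pattern
# the section uses for chrisa).
$tp = Get-ThrottlingPolicy ServiceAccountPolicy
Set-Mailbox -Identity svc-ews -ThrottlingPolicy $tp

# Side-by-side comparison with the default policy for the Table 3
# parameters, so the deviation from the baseline is visible at a glance.
$default = Get-ThrottlingPolicy | Where-Object { $_.IsDefault -eq $true }
$props = "EASMaxConcurrency", "EASPercentTimeInCAS",
         "EWSMaxConcurrency", "EWSPercentTimeInCAS",
         "OWAMaxConcurrency", "OWAPercentTimeInCAS",
         "PowerShellMaxConcurrency", "PowerShellMaxCmdlets",
         "PowerShellMaxCmdletsTimePeriod", "PowerShellMaxCmdletQueueDepth"
foreach ($p in $props) {
    # New-Object rather than [pscustomobject] so it runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Parameter      = $p
        Default        = $default.$p
        ServiceAccount = $tp.$p
    }
}

# Audit: which mailboxes carry an explicitly assigned policy at all?
# Anything with an empty ThrottlingPolicy is implicitly on the default.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy } |
    Select-Object Name, ThrottlingPolicy
```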
