Aug 20 2008 6:19PM GMT
Posted by: Troy Tate
Tags: administration, tools, Microsoft Windows, web, CIO, DataCenter, DataManagement, WWW, CA, spam, certificate authority, digital signatures, email, RSS, wiki, Exchange 2007, Outlook Web Access, Policy, Exchange, design, OWA, website, anti-virus, Performance, Powershell, howto, policy enforcement, awareness, blog, toolkit
Maybe you have already read my post about implementing new Exchange 2007 mailboxes for over 2000 users. If not… look here. So, as you see from this event, ongoing support for these global users on a new messaging system is going to be a real challenge.
I found a great blog posting with links to some excellent Exchange resources. Keep this in your toolkit for those times you just can’t find the answer elsewhere to those nagging Exchange problems. I see lots of other IT people struggling with this system and looking for support here at IT KnowledgeExchange.
Some other Exchange resources I recommend are:
- Microsoft Exchange Server Resource Site
- E-mail archiving
- Seven ways to organize your e-mail
- MessagingTalk.org - Portal for Microsoft Exchange Messaging & Collaboration
Thanks for your time. Let’s be good network citizens together & practice safe networking!
Jul 25 2008 12:58PM GMT
Posted by: Troy Tate
Tags: administration, Security, Microsoft Windows, Database, Development, Browsers, reporting, internet, DataCenter, DataManagement, WWW, email, wiki, Exchange 2007, Policy, Exchange, blogging, design, website, troubleshooting, howto, online identity, research, policy enforcement, awareness, subscriptions
If you read my previous post then you know we recently went through a major e-mail system migration. Part of that e-mail migration included moving from various naming conventions (firstname at domain.com, firstname.lastname at domain.com, FirstInitialLastName at domain.com, etc.) to a single naming convention of firstname.lastname at domain.com. Of course this was a huge undertaking and also a political move. One thing I am sure of is that the users will never understand the discussions taking place behind the scenes, which will continue to take place, about names of other non-user-specific mailboxes like a project engineering team or an application mailbox.
Another thing which struck me during this process is that we netizens are identified by our e-mail address in many places on the web. Have you ever looked to see how many places you are identified by your e-mail address? I had to take some time and go out and change my e-mail address wherever the old one was in use. That is not an easy task, let me tell you! First of all I went through the mailing lists I subscribe to. I went to their websites and tried to find the area to change my profile’s e-mail address. There are some sites where I could never find this and/or could not change it. So, webmasters & publishers… please make it easier for your subscribers to modify their e-mail address or credentials! There is this need for companies that may get purchased or change names. There is the need for the users who change names when getting married or divorced… this should not be as difficult as I found it to be.
In the end, I’m not sure what I will be missing out on when we go back and clean out all of the non-standard names which we will likely do by the end of the year.
Thanks for your time. Let’s be good network citizens together & practice safe networking!
Jul 25 2008 12:41PM GMT
Posted by: Troy Tate
Tags: administration, Networking, tools, Microsoft Windows, internet, CIO, DataCenter, DataManagement, CA, antivirus, certificate authority, digital signatures, email, Exchange 2007, Outlook Web Access, Exchange, design, OWA, Microsoft, troubleshooting, Powershell
Well, we did it! We implemented new mailboxes on Microsoft Exchange 2007 for over 2000 users in one weekend. Of course it took lots of planning, testing and blood, sweat and tears during the process, but we are now on one e-mail platform where there were at least 5 before. We had more domains than we needed and now the company is on one domain. We had to plan and provide for inbound messages still sent to the old domains.
The implementation was not without a couple of minor glitches and some learning about how users use the application. One glitch was a mistyped IP address. This prevented e-mail flow for a short period of time; however, that is not a huge issue since SMTP servers will continue to retry sending messages. Another issue that was encountered was administrative rights to “shared” mailboxes like customer service or supply buyers. This has now been resolved and users are getting full use from the system.
We still have some work to be done on things like:
- proactive system monitoring to detect issues before the users do;
- alternatives to sending large attachments (our attachment limit is 15MB);
- running Outlook Anywhere so a mobile user can attach to their mailbox without having to use VPN;
- supporting mobile devices like smartphones (our focus is on Windows Mobile v6 and up);
- user certificates using private PKI to allow for digital signatures and encryption.
So, as you see, work in IT never finishes… it just continues to grow as more services and systems are implemented and change happens. Please feel free to leave a comment if you would like more information about our implementation process and decisions we made along the way.
Thanks for your time. Let’s be good network citizens together & practice safe networking!
Jun 17 2008 2:28PM GMT
Posted by: Troy Tate
Tags: Security, Verisign, certificate authority, digital signatures, Exchange 2007, Outlook Web Access, OWA, Network Admission Control, Thawte
We are currently going through design and implementation of an Exchange 2007 environment in my organization. Our current e-mail architecture is varied and does not have any version of mail services newer than 6 years old. So, we are learning a lot about Exchange and how it can fit our environment of over 2,200 users globally.
Part of our requirements includes providing access to downlevel clients (Windows 2000 and below) as well as access to remote users. This will be easily accomplished through Outlook Web Access (OWA). As you know, OWA login is usually done on a page with an https or secure sockets layer (SSL) address. The SSL encryption is provided by a certificate hosted on that server. The certificate can be self-signed by the server, signed by an authorized certificate authority (CA) in the organization or by a trusted third-party provider like Verisign or Thawte.
If the certificate is self-signed by the server or by an organizational CA, then somehow the clients need to know about the trusted root or they need to accept the warning that the browser gives when they log in to the website. You want the users to understand what trust means or take the question out altogether. I vote for the latter. Remove doubt that the certificate is from a trusted source.
For the external OWA connections, we are purchasing certificates from a recognized third-party. I have gone through several iterations of getting certificates, though, since this is my first time getting these for an Exchange environment. There is a particular “flavor” of certificate known as a subject alternative name (SAN) or unified communications certificate. A great article on this can be found here. (Take note of the root website here. It is one of the best and most readable Exchange resources you will find since it comes from the Microsoft Exchange product team.)
So, I am now in the process of getting these SAN certificates and will be implementing them this week so the errors will go away when users log in to these portals since they know and trust the root certificate authority.
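A SAN certificate matters here because clients reach the same Exchange server under several names, and every one of those names has to appear in the certificate. The following is an added example, not from the original post: it checks which required names a certificate leaves uncovered. The hostnames and certificate contents are constructed, and the certificates use the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: all hostnames and certificate contents are constructed.

def _match(pattern, host):
    """Match one SAN dNSName against a hostname. A wildcard is honoured only
    as the whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_coverage(cert, required):
    """Return {hostname: covering SAN entry or None} for each required name.
    The subject CN is deliberately ignored, as current browsers do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {h: next((s for s in sans if _match(s, h)), None) for h in required}


def uncovered(cert, required):
    """Names a client would get a certificate warning for."""
    return [h for h, s in san_coverage(cert, required).items() if s is None]


# Names clients are assumed to use: external OWA, Autodiscover, internal FQDN.
REQUIRED = ["mail.example.com", "autodiscover.example.com",
            "exch01.corp.example.com"]

SINGLE_NAME = {"subject": ((("commonName", "mail.example.com"),),),
               "subjectAltName": (("DNS", "mail.example.com"),)}
SAN_CERT = {"subject": ((("commonName", "mail.example.com"),),),
            "subjectAltName": (("DNS", "mail.example.com"),
                               ("DNS", "autodiscover.example.com"),
                               ("DNS", "exch01.corp.example.com"))}
WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME), ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD)):
        print(label, "missing:", uncovered(cert, REQUIRED))
```

The wildcard case shows why a wildcard is not a drop-in substitute: it covers only one label, so the internal FQDN under `corp.example.com` remains uncovered.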
The next challenge is to address this same issue on internal private OWA servers. We will be implementing a two-tier enterprise CA architecture using an offline root and a single enterprise CA. We will be publishing this through Active Directory so the clients recognize this as an internal trusted root. We are then positioned to use this CA for other uses: digital signatures, S/MIME, 802.1x, device authentication and other uses.
As you can tell, this has been a lot of education and work for my company. We have had some help in these efforts since this is entirely new to us and we have to implement it successfully the first time. I will let you know how things go.
Thanks for your time. Let’s be good network citizens together & practice safe networking!