Category Archives: UC&C

Getting ready for MEC 2014

Wow, it’s been nearly a month since my last post here. In general I am not a believer in posting stuff on a regular schedule, preferring instead to wait until I have something to say. All of my “saying” lately has been on behalf of my employer though. I have barely even had time to fly. For another time: a detailed discussion of the ins and outs of shopping for an airplane. For now, though, I am making my final preparations to attend this year’s Microsoft Exchange Conference (MEC) in Austin! My suitcase is packed, all my devices are charged, my slides are done, and I am prepared to overindulge in knowledge sharing, BBQ eating, and socializing.

It is interesting to see the difference in flavor between Microsoft’s major enterprise-focused conferences. This year was my first trip to Lync Conference, which I would summarize as being a pretty even split between deeply technical sessions and marketing focused around the business and customer value of “universal communications”. In reviewing the session attendance and rating numbers, it was no surprise that the most-attended sessions and the highest-rated sessions tended to be 400-level technical sessions such as Brian Ricks’ excellent deep-dive on Lync client sign-in behavior. While I’ve never been to a SharePoint Conference, from what my fellow MVPs say about it, there was a great deal of effort expended by Microsoft on highlighting the social features of the SharePoint ecosystem, with a heavy focus on customization and somewhat less attention directed at SharePoint Online and Office 365. (Oh, and YAMMER YAMMER YAMMER YAMMER YAMMER.) Judging from reactions in social media, this focus was well-received but inevitably less technical given the newness of the technology.

That brings us to the 2014 edition of MEC. The event planners have done something unique by loading the schedule with “Unplugged” panel discussions, moderated by MVP and MCM/MCSM experts and consisting of Microsoft and industry experts in particular technologies. These panels provide an unparalleled opportunity to get, and give, very candid feedback around individual parts of Exchange and I plan on attending as many of them as I can. This is in no way meant to slight the many other excellent sessions and speakers that will be there. I’d planned to summarize specific sessions that I thought might be noteworthy, but Tony published an excellent post this morning that far outdoes what I had in mind, breaking down sessions by topic area and projected attendance. Give it a read.

I’m doing two sessions on Monday: Exchange Unified Messaging Deep Dive at 2:45pm and Exchange ActiveSync: Management Challenges and Best Practices at 11:45am. The latter is a vendor session with the folks from BoxTone, during which attendees both get lunch (yay) and the opportunity to see BoxTone’s products in action. They’re also doing a really interesting EAS health check, during which you provide CAS logs and they run them through a static analysis tool that, I can almost guarantee, will tell you things you didn’t know about your EAS environment. Drop by and say hello!

Filed under UC&C

“Ceres” Search Foundation install error in Exchange 2013 SP1

When deploying the RTM build of Exchange 2013 SP1, I found that one of my servers was throwing an error I hadn’t seen before during installation. (The error message itself is below for reference.) I found few other reports, although KB article 2889663 reports a similar problem with CU1 and CU2, caused by a trailing space in the PSModulePath environment variable. That wasn’t the problem in my case. Brian Reid mentioned that he’d had the same problem a few times, and that re-running setup until it finished normally was how he fixed it. So I tried that, and sure enough, the install completed normally. In most cases I wouldn’t bother to post a blog article saying “this problem went away on its own,” but the error seemed sufficiently unusual that I thought it might be helpful to document it for future generations.

Warning:
An unexpected error has occurred and a Watson dump is being generated: The following error was generated when "$error.Clear();
            if ($RoleProductPlatform -eq "amd64")
            {
                $fastInstallConfigPath = Join-Path -Path $RoleBinPath -ChildPath "Search\Ceres\Installer";
                $command = Join-Path -Path $fastInstallConfigPath -ChildPath "InstallConfig.ps1";
                $dataFolderPath = Join-Path -Path $RoleBinPath -ChildPath "Search\Ceres\HostController\Data";

                # Remove previous SearchFoundation configuration
                &$command -action u -silent;
                try
                {
                    if ([System.IO.Directory]::Exists($dataFolderPath))
                    {
                        [System.IO.Directory]::Delete($dataFolderPath, $true);
                    }
                }
                catch
                {
                    $deleteErrorMsg = "Failure cleaning up SearchFoundation Data folder. - " + $dataFolderPath + " - " + $_.Exception.Message;
                    Write-ExchangeSetupLog -Error $deleteErrorMsg;
                }

                # Re-add the SearchFoundation configuration
                try
                {
                    # the BasePort value MUST be kept in sync with dev\Search\src\OperatorSchema\SearchConfig.cs
                    &$command -action i -baseport 3800 -dataFolder $dataFolderPath -silent;
                }
                catch
                {
                    $errorMsg = "Failure configuring SearchFoundation through installconfig.ps1 - " + $_.Exception.Message;
                    Write-ExchangeSetupLog -Error $errorMsg;

                    # Clean up the failed configuration attempt.
                    &$command -action u -silent;
                    try
                    {
                        if ([System.IO.Directory]::Exists($dataFolderPath))
                        {
                            [System.IO.Directory]::Delete($dataFolderPath, $true);
                        }
                    }
                    catch
                    {
                        $deleteErrorMsg = "Failure cleaning up SearchFoundation Data folder. - " + $dataFolderPath + " - " + $_.Exception.Message;
                        Write-ExchangeSetupLog -Error $deleteErrorMsg;
                    }
                }
            }
        " was run: "Error occurred while uninstalling Search Foundation for Exchange.System.Exception: Cannot determine the product name registry subkey, neither the 'RegistryProductName' application setting nor the 'CERES_REGISTRY_PRODUCT_NAME' environment variable was set
   at Microsoft.Ceres.Common.Utils.Registry.RegistryUtils.get_ProductKeyName()
   at Microsoft.Ceres.Exchange.PostSetup.DeploymentManager.DeleteDataDirectory()
   at Microsoft.Ceres.Exchange.PostSetup.DeploymentManager.Uninstall(String installDirectory, String logFile)
   at CallSite.Target(Closure , CallSite , Type , Object , Object )".

2 Comments

Filed under UC&C

Office 365 Personal Archives limited to 100GB

There’s a bit of misinformation, or lack of information, floating around about the use of Office 365 Personal Archives. This feature, which is included in the higher-end Office 365 service plans (including E3/E4 and the corresponding A3/A4 plans for academic organizations), is often cited as one of the major justifications for moving to Office 365. It’s attractive because of the potential savings from greatly reducing PST file use and eliminating (or at least sharply reducing) the use of on-premises archiving systems such as Enterprise Vault.

Some Microsoft folks have been spreading the good news that archives are unlimited (samples here and here), and so have many consultants, partners, and vendors, including me. In fact, I had a conversation with a large customer last week in which they expressed positive glee about being able to get their data out of on-prem archives and into the cloud.

The only problem? Saying the archives are unlimited isn’t quiiiiite true.

If you read the service description for Exchange Online (which we all should be doing regularly anyway, as it changes from time to time), you’ll see this:

Clip from Nov 2013 O365 service description

See that little “3”? Here’s its text:

Each subscriber receives 50 GB of storage in the primary mailbox, plus unlimited storage in the archive mailbox. A default quota of 100 GB is set on the archive mailbox, which will generally accommodate reasonable use, including the import of one user’s historical email. In the unlikely event that a user reaches this quota, a call to Office 365 support is required. Administrators can’t increase or decrease this quota.

So as an official matter, there is no size limit. As a practical matter, the archive is soft-limited to 100GB, and if you want to store more data than that, you’ll have to call Microsoft support to ask for a quota increase. My current understanding is that 170GB is the real limit, as that is the maximum size to which the quota can currently be increased. I don’t know if Microsoft has stated this publicly anywhere yet, but it’s certainly not in the service descriptions. That limit leads me to wonder what the maximum functional size of an Office 365 mailbox is; that is, if Microsoft didn’t have the existing 100GB quota limit in place, how big a mailbox could they comfortably support? (Note that this is not the same as asking what size mailbox Outlook can comfortably support, and I bet those two numbers wouldn’t match anyway.) I suppose that in future service updates we’ll find out, given that Microsoft is continuing to shovel mailbox space at users as part of its efforts to compete with Google.

Is this limit a big deal? Not really; the number of Office 365 customers who will need more than 100GB of archive space for individual user mailboxes is likely to be very small. The difference between “unlimited” and “so large that you’ll never encounter the limit” is primarily one of semantics. However, there’s always a danger that customers will react badly to poor semantics, perhaps because they believe that what they get isn’t what they were promised. While I would like to see more precision in the service descriptions, it’s probably more useful to focus on making sure that customers (especially those who are heavy users of on-premises archives or PST files) know that there’s currently a 100GB quota, which is why I wrote this post.

For another time: a discussion of how hard, or easy, it is to get large volumes of archive data into Office 365 in the first place. That’s one of the many topics I expect to see explored in great depth at MEC 2014, where we’ll get the Exchange team’s perspective, and then again at Exchange Connections 2014, where I suspect we’ll get a more nuanced view.

5 Comments

Filed under Office 365, UC&C

Getting ready for Lync Conference 2014 (bonus Thursday Trivia #106)

So, first: here’s the view from my second-floor home office:

Actually, I had to walk across the street to get this particular shot, but it was worth it. We got about 4” or so of snow in my neighborhood; I got out of Raleigh just in time to miss their snowmageddon, which suits me fine. The boys and I had a good time about 10pm last night throwing snowballs and watching big, fat flakes fall. The roads are passable now and will get better as it warms, but tonight it’ll be cold again and they’ll probably refreeze.

I’m making my final preparations for Lync Conference 2014 next week. I’m presenting a total of four times:

  • VOICE401, “Deep Dive: Exchange 2013 and Lync 2013 Unified Messaging Integration”, is on Wednesday at 1pm in Copperleaf 10. This session will cover some of the internals of Exchange UM; it’s targeted at Lync admins who may not have much knowledge of Exchange but are already familiar with SIP signaling and the like.
  • SERV301, “Exchange 2013 and Lync 2013: ‘Better Together’ Demystified”, is on Tuesday at 2pm in Copperleaf 9, and there is a repeat scheduled for Wednesday at 4:30pm (also in Copperleaf 9). This session covers all the places where Exchange and Lync tie together so that you get a better experience when both are deployed.
  • On Tuesday at 4:30pm, I’m taking part in an informal session on Exchange-y stuff at the Microsoft booth in the exhibit hall. This is super informal, so it’s probably the best place to drop by and say hello if you can.

Dell has a pretty heavy presence at the show; Michael Przytula is presenting a session covering the Lync device ecosystem (Wednesday, 2:30pm, Bluehorn 1-3) that I think will be pretty neat, because who doesn’t love shiny devices? George Cordeiro and Doug Davis are both doing sessions around how to identify the actual ROI of a Lync deployment, which is something customers often ask about before deployment. Even if that doesn’t sound interesting, the Dell booth will be staffed by some of our hotshot Lync guys (including Louis Howard and Scott Moore), and we’re giving away a Venue 11 Pro and a bunch of very nice Jabra and Plantronics headsets.

Now, your trivia for the week:

Filed under General Stuff, UC&C

Office 365 token disclosure flaw: patch your desktops now

Happy New Year! To start the year off right, let’s talk about security. More to the point, let’s talk about Office 365 security.

One of the ways I often talk about Office 365 to customers is this: any time you move to a hosted service, you’re placing a bet that your hosting provider can do something better or cheaper than you do. Maybe they’ll deliver better uptime than you can afford to provide, or they’ll offer global reach, or some feature or function that you don’t currently have. As with any other bet, you have to carefully evaluate the odds and your counterparty (the person offering the bet). One of the big arguments in favor of Office 365 has been its security: Microsoft has invested a huge amount of money in physical and logical security for Office 365. Tie this in with the huge investment (several billion dollars and counting) brought about by Trustworthy Computing and you can see why Microsoft is eager to tout the security of their products: they have made huge strides over the last ten years. (Sadly, many other vendors are still as bad as they were back in 2005… let that thought sink in for a few minutes.)

In December, Microsoft released a patch, MS13-104, which every organization using Office 365 should immediately deploy. Microsoft rated this bulletin as “important” using their severity scale. While I understand that the “critical” severity is usually reserved for flaws that could allow remote code execution, I think this is just as bad because it allows an attacker to silently steal every document you have in a SharePoint Online document library.

Wow.

Keep this tab open, then open a new tab and use it to start figuring out how to patch your clients ASAP if you’re using SharePoint Online. Then you can come back.

I won’t repeat the excellent analysis performed by Adallom Security, the folks who reported the flaw to Microsoft in May 2013. That’s right: they reported in May 2013, and the patch was issued in December 2013. That’s a minimum of 7 months of days-of-risk, which is bad enough without considering how long this flaw was being exploited before Adallom found it. However, I do want to make a couple of additional points.

First, they wrote their post before the recent spate of disclosures surrounding the NSA’s Targeted Access Operations (TAO) team and their catalog of exploits. There is of course no evidence that NSA developed or was using this particular exploit, but this is exactly the kind of silent, virtually undetectable attack that is the specialty of nation-states. The fact that Adallom’s customer is a large, high-profile enterprise is potentially bad news for Office 365 sales efforts, given that those customers are already a little leery of cloud services because of a perceived lack of security controls.

Second, this exploit apparently doesn’t work against Exchange Online or Lync Online, but that hasn’t been proven conclusively. Don’t hold off patching Office 2013 just because you aren’t using SharePoint Online.

Third, it seems to me that this kind of flaw is the natural consequence of breaking new ground. Seamlessly tying together on-premises and cloud services through a complex desktop suite is something that no other software company has even attempted: the major Office 365 competitors, such as Box.net and Google, don’t offer traditional desktop productivity apps, preferring instead to run inside the browser, where the design patterns and potential vulnerabilities of authentication are much better understood. So I don’t think of this as sloppiness necessarily on Microsoft’s part: sometimes in complex systems, people make mistakes. 210+ days-of-risk makes me a little nervous though.

My overall takeaway: if you have truly sensitive data that you want to protect, putting it in the cloud is not necessarily any more risky than keeping it on-premises. That may seem counterintuitive, but an entity that is determined to get your data has many potential avenues of attack, and my experience tells me that the vast majority of sites have a number of local vulnerabilities (such as poor patching practices, poor intrusion detection, or inattention to basic security practices) that put them at higher risk than a relatively esoteric, hard-to-exploit flaw like this one. If you don’t believe me, just look at the number of sites hit by Cryptolocker and various banking-related Trojans. Put another way, you don’t need to worry about defending yourself against NSA if you can’t even manage to defend yourself against script kiddies.

Now go forth and patch!

Filed under Office 365, UC&C

Office 365 beta exams: a few thoughts

Last week I took the beta versions of the two MCSA exams for Office 365: 71-346 is Managing Office 365 Identities and Requirements and 71-347 is Enabling Office 365 Services. I thought it might be useful to write up a few NDA-safe notes on the exams and the topics they cover. Keep in mind that the questions on the beta exam are there because they’re being tested; the objective domains (ODs), or areas of knowledge being tested, won’t change, but the specific questions probably will as the beta identifies “bad” questions (those that everyone gets right or everyone gets wrong are immediately suspect!). The Microsoft exam development process is really complicated; to summarize, by the time the exams hit beta, the knowledge areas to be tested are set in stone but the questions themselves can be modified, or thrown out, based on beta exam feedback.

First, be forewarned that there are no formal study materials for these exams. I hear that Office 365 Admin Inside Out from MS Press is decent, but haven’t read it yet. Be prepared to do a lot of binging to look up specific things that you want to know how to do.

Second, the absolute best way to prepare for the exam is to sign up for a trial Office 365 E3/E4 tenant and make sure that you know how to do everything mentioned in the exam objectives in both PowerShell and the GUI. This is baloney, and it has been a hot topic of debate in the MVP community. IMHO there is little value in asking an examinee to show that they know how to do something in PS which is trivial to do in the GUI, especially if it’s a one-time task like setting up Azure RMS. Nonetheless, that’s the requirement.

For 346, specific things you should probably know include:

  • How to add a new tenant, from scratch. This includes choosing a region (and what effect that has), setting the domain purpose, and confirming domain ownership.
  • How to configure DNS records and firewall settings: SRV, CNAME, and MX records, what they point to, etc.
  • How to design ADFS: how to size it, when to use SQL Server instead of WID, and so on. Note that actually doing HA or DR with ADFS is not one of the topics listed in the OD, but you’ll need to know how to do it anyway. The ADFS 2.0 documentation content map is very helpful here.
  • How to administer (parts of) ADFS, including installing it (prerequisites too) on both Windows 2008 and 2012 (but not R2), controlling filtering, and managing dirsync. I have heard that there are questions in the pool that cover ADFS 3.0 but don’t know if that’s true.
  • How you’d conduct a pilot, including how to use connected accounts and mail forwarding.
  • What the different administrative roles in 365 are for and what they can do, including how to manage delegated admins.
  • How to provision / license users through the 365 Admin Center.
  • Basic account management through PowerShell: creating users, modifying their properties, licensing them, etc. Nothing too exotic; I expect most Exchange and Lync admins can do these types of things now without difficulty.
  • How to provision, enable, and administer AD RMS, a surprisingly cool technology that Brian Reid has written about at length already.
  • What the mail flow/message hygiene reports are and what you can do with them.
  • How to do daily admin tasks: checking service health, using the RSS feeds, opening service tickets, etc.
  • Troubleshooting using the Remote Connectivity Analyzer and MOSDAL.

347 is a little more of a mixed bag because it contains both admin-level material similar to ODs in 346 plus a smorgasbord of other stuff. The most important thing to know here: you must know how to do stuff with SharePoint Online. Out of the 53 questions on my beta exam, 12 of them (22.6%) were related to SPO. Given that about 0.5% of my actual knowledge relates to SPO, that was a problem. I don’t use it, and I haven’t worked on the SPO-related parts of any deployments for Dell customers, so I was unprepared. Don’t be like me. Be prepared to demonstrate that you know:

  • All about Click-to-Run, including how it differs from MSI installations, how you customize what gets installed, how the installs themselves work, etc.
  • All about Office Telemetry. Never heard of it? Neither had I. Its inclusion in these exams seems a bit odd, since I suspect you’d see people running it before deploying Office 2013 on-prem too. It’s been a while since I was directly involved in the world of desktop deployment, though, so maybe everyone but me knows about it.
  • How to manage SPO site collections, including how to share and unshare them, set quotas, etc.
  • How to provision (including how to license) Excel and Visio Services.
  • How to manage proxy, reply-to/default addresses, resource mailboxes, external contacts, and groups in Exchange— standard stuff for working Exchange admins.
  • How to work with archiving policies on both Exchange and Lync, including integration with Exchange 2013’s in-place hold mechanism.
  • How to set up Lync settings for external access, including visibility of presence and per-user access to PIC.

Again, you need to know how to do these things in both PowerShell and the GUI, despite the fact that many of the tasks in the ODs will be things you do once (or maybe quarterly, at most).

Should you take the beta exams? It depends, I guess. They cost the same as the “real” exam, and they’re subject to the same “Second Shot” MS program that grants you one retake of a failed exam. So you could sign up and take the beta now for $150, then take the real exam for free if you don’t pass. Based on the state of the exam questions I saw, and the lack of structured training materials, I don’t recommend that you rush to take the exam, though; the real version goes live on 17 February. Until then, your time would probably be better spent setting up a scratch tenant that you can play with, then running through the list of ODs to make sure that you know how to do the things on the list.

I’d be interested in hearing from people who took the exam to see how well you think the exam actually matches up with what Office 365 admins and designers need to know in the real world.

1 Comment

Filed under Office 365, UC&C

MEC and Lync Conference 2014 session list (partly) released

The fine folks in charge of organizing the Microsoft Exchange Conference have released a partial list of the sessions that will be on offer, as well as a list of speakers (oddly enough, the speakers are in alphabetical order by first name… ooops). There are some surprises in the mix, and I expect a few more once the full list of sessions is released in the near future.

First, there’s clearly a heavy emphasis on panel-style discussions: there are no fewer than 8 “Experts Unplugged” sessions featuring product managers from the Exchange team. I’m moderating the UM panel session, which should be a good opportunity for people to have their in-depth UM questions answered by the PMs who own the features in UM. In addition, the support team has a session called “Experts Unplugged: Exchange Top Issues – What are they and does anyone care or listen?” that I can almost guarantee will be worth your time. Amir, Jennifer, Scott, Shawn, Tim, and Nino did a very similar panel at the MVP summit and it was extremely informative— plus they’re a fun bunch to talk to. I expect the other panels to be of equal quality, and the fact that there’s one per track is a good sign that the Exchange team is interested in getting two-way feedback from the community.

Second, there’s a nice mix of topics covered: a number of sessions promise to compare or contrast the on-premises and service environments (I’m particularly looking forward to “Engineers vs Mechanics”), and there seems to be a balance between architectural-focused sessions that explain design principles and sessions focused more narrowly on how to administer, manage, or use features such as RBAC (presented by Bhargav Shukla, who taught RBAC for the late lamented MCM program) and archiving. This balance between explaining why features work a particular way and how to use them was a hallmark of MEC last year, and I’m pleased to see it continuing in the sessions this year.

There are a couple of sessions whose abstracts are missing or incomplete. For example, the “Enterprise Social” session promises to “discuss Social experiences in the MSFT suite beyond e-mail.” I’d bet $5 that this is a code phrase for “talking about Yammer,” but we’ll see. As we get closer to MEC, expect to see more detailed abstracts, as well as additional sessions.

Turning abruptly to Microsoft’s other major unified communications conference: I’m speaking for the first time at Lync Conference (which lacks a catchy acronym so far: I suggest “LyC”, pronounced “like”). The session list is worth a careful review; I don’t know if there are more sessions forthcoming, but the ones that are there focus much more heavily on on-premises topics than the MEC sessions do, and there’s an entire track titled “Business Value” dedicated to helping attendees identify areas where Lync can add value to their environments and then squeeze that value out as rapidly as possible. There is also a “Lync Online” track shown in the track selection pulldown but it shows no sessions right now— I’m sure they’ll appear in the near future. It looks like the content for the developer-focused track will be super technical; it will be interesting to see how the level of detail in those sessions compares to the developer-track session at MEC. I get the sense that there will be more admins-who-are-interested-in-development at MEC and more developers-who-write-code-every-day at LyC, but I could be wrong.

My Lync Conference session is a 300-level look at integration between Exchange 2013 and Lync 2013. It’s nicely complemented by Jens Trier Rasmussen’s 400-level session on the same topic; we’ll be working together to coordinate topics. The Lync Conference also features sessions presented by sponsors; Dell (or, more precisely, Michael Przytula, my boss) will be presenting one. I’ll have more to say about its contents when we get closer to showtime.

I’m looking forward to both shows— meeting with the community is always really energizing, and both shows have a great session lineup. If you haven’t already registered for one or both, you should strongly consider it while early registration is still ongoing. What you learn in a single session can easily save you (or make you) enough money to make the entire trip worthwhile, and the social and community benefits of attending are icing on the cake. See you there!

Filed under General Stuff, UC&C

Android 4.4/KitKat Exchange ActiveSync problems; fixed in 4.4.1?

Apple’s iOS has gotten a deservedly bad reputation for its Exchange ActiveSync implementation. But, to their credit, things seem to be fairly stable with the latest iOS 7.0.4 update. On the other hand, Google seems to have largely gotten a free pass on the quality of its EAS implementation; in fact, for quite some time Android didn’t include EAS functionality, although some individual vendors did. The latest release, 4.4 (or “KitKat”, a particularly nasty type of candy, at least in the US), includes EAS as part of the core OS, but it appears to have some bugs, including at least one that I am still trying to get a good understanding of.

First, there appears to be a problem with client certificate authentication, i.e. it doesn’t work. To Google’s credit, they maintain a public bug-tracking system where everyone can see the bug report and status, at least of this particular bug. Imagine a world where Microsoft and Apple were similarly transparent about bugs in their major products… OK, back to reality; Google of course doesn’t do the same for their proprietary products, just for open-source efforts such as Android. On the other hand, this kind of public reporting lets people show their ignorance; check out this thread, where a couple of engineers for a competing product show that they haven’t read the protocol specs in detail (hint: see this discussion of WindowSize to spot the flaw in their argument).

Anyway, Tony pointed out this particular problem to the Exchange community just before Thanksgiving. Recently I was contacted by a customer who was seeing another widespread KitKat issue: devices persistently pounding the server with EAS Sync commands, over and over and over and… well, you get the idea. Although I haven’t seen a clear cause identified, Google claims to have fixed this problem in the 4.4.1 update (see the reply by Ersher on page 24 of this thread), so the question becomes whether all the users claiming to be affected by this bug have upgraded.

Actually, the question becomes at what point Exchange administrators begin to proactively block new mobile device OS releases! While I’m not quite ready to declare a fatwa on all new device releases, it is beginning to look as though organizations with diverse BYOD populations might be well served to establish some kind of criteria for staging support of new releases. Apple, Microsoft, and Google all offer developer access to new OS releases, often months in advance, so one possibility is to establish a pool of test devices for new OS releases— something which many sites already do with new desktop OS releases. The logistics of working out such a program might be challenging, but I think the effort might be well worth it if it prevents unpleasant surprises caused by device-side EAS misbehavior.

There’s another, perhaps less palatable, option on the horizon. Now that we have OWA for Devices (known colloquially as Mobile OWA, or MOWA, within Microsoft), if you were so inclined you could block all iOS device access and require your users to use MOWA. Since there’s no MOWA version for Android yet (and there may never be; Microsoft hasn’t given any hints), this wouldn’t be a comprehensive solution, and it would likely aggravate users to a high degree… but as improvements in MOWA performance and capability roll out, it might become a more viable option.

(side note: speaking of aggravation, it’s amazing how aggravated Google’s customers get when they don’t receive an official answer from Google in the time frame they expect. At least Google gives official answers in their support forums, something you are unlikely to see happen much in the support fora offered for iOS and Windows Phone!)

One thing I’d like to see emerge is something akin to collaborative spam filtering— when I report a message as spam to my filtering service, that message is filtered for other subscribers too. It seems like BoxTone or another company might be able to offer a subscription service to customers that gives them early alerts to wide-scale problems reported by other customers, such as regional outages in a carrier network or a pattern of sync misbehavior for a specific device family. I know I’d be happy to pay money for a service that would give me early warning of apparent problems with new device software releases— what about you?

Microsoft, encryption, and Office 365

So the gloves are starting to come off: Microsoft general counsel Brad Smith wrote a long blog post this morning discussing how Microsoft plans to protect its customers’ data from unlawful interception by “unauthorized government access”. He never specifically mentions NSA, GCHQ, et al, but clearly the Five Eyes partners are who he’s talking about. Many other news outlets have dissected Smith’s post in detail, so I wanted to focus on a couple of lesser-known aspects.

First is that Microsoft is promising to use perfect forward secrecy (PFS) when it encrypts communications links. Link-encryption protocols such as IPsec and SSL/TLS negotiate a temporary session key for each connection and use it to protect the traffic; the endpoints’ long-term private/public key pairs are what authenticate that negotiation. The important question is how the session key is agreed. In the RSA key exchange that most SSL/TLS deployments have used, the client picks the secret and encrypts it with the server’s long-term public key, so the session key is exactly as secret as the server’s private key. If Eve the eavesdropper or Mallet the man-in-the-middle records a communication stream now and later guesses, steals, or is handed that private key, every recorded session can be decrypted after the fact. Think of this like finding a message in a bottle written in an unknown language, then next year seeing Rosetta Stone begin to offer a course in the language. PFS protects a stream recorded now from that future attack by changing the way the session keys are generated and shared: the endpoints run an ephemeral Diffie-Hellman exchange (DHE, or the cheaper ECDHE) to derive the session key, the long-term keys only sign that exchange, and the ephemeral values are discarded when the session ends. A later compromise of the long-term key lets an attacker impersonate the server from that point on, but it does not unlock what was recorded before. Twitter, Google, and a number of other cloud companies have already deployed PFS (Google, in fact, started in 2011) so it is great to see Microsoft joining in this trend. (A topic for another day: under what conditions can on-premises Exchange and Lync use PFS? Paging Mark Smith…)
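To make the property concrete, here is an added example (not from the original post and not any vendor’s code): a toy model in PowerShell of the two situations described above, built on .NET’s ECDiffieHellmanCng class. Instead of RSA key transport, the non-PFS case is modelled as a server that reuses one long-term Diffie-Hellman key for every session, which has the same weakness and lets both modes use the same primitive. It models the key exchange only; it is not TLS.

```powershell
# Added example (not from the original post). A toy model of the property the
# post describes: with a reused long-term key, an eavesdropper who later
# obtains that key can recover every recorded session key; with ephemeral
# keys she cannot. Built on .NET's ECDiffieHellmanCng (Windows PowerShell 5.1
# or PowerShell 7 on Windows). Models the key exchange only; it is not TLS.

function New-EcdhKey {
    $k = New-Object System.Security.Cryptography.ECDiffieHellmanCng
    $k.KeyDerivationFunction = [System.Security.Cryptography.ECDiffieHellmanKeyDerivationFunction]::Hash
    $k.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    return $k
}
function ConvertTo-Hex([byte[]] $bytes) { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' }

# Eve's tap: what crosses the wire (public values, ciphertext). We also keep the
# key that protected each session so we can check afterwards whether Eve can
# reproduce it; in real life she would confirm that by decrypting the traffic.
$tap = New-Object System.Collections.Generic.List[object]

# --- Mode 1: server reuses one long-term key for every session (no PFS) ---
$serverStatic = New-EcdhKey
foreach ($n in 1..3) {
    $client = New-EcdhKey
    $sessionKey = $client.DeriveKeyMaterial($serverStatic.PublicKey)
    $tap.Add(@{ ClientPub = $client.PublicKey; UsedKey = ConvertTo-Hex $sessionKey })
    $client.Dispose()                               # client discards its ephemeral key
}
# Months later the server's long-term private key leaks. Eve replays each
# recorded client value against it and gets the session keys back.
$recovered = @($tap | Where-Object {
    (ConvertTo-Hex $serverStatic.DeriveKeyMaterial($_.ClientPub)) -eq $_.UsedKey }).Count
"Static DH   : {0} of {1} recorded session keys recovered from the leaked key" -f $recovered, $tap.Count

# --- Mode 2: fresh server key per session; long-term key only authenticates (PFS) ---
$tap.Clear()
$serverLongTerm = New-EcdhKey     # stands in for the server's certificate key; in this
                                  # mode it never takes part in deriving the secret
foreach ($n in 1..3) {
    $client = New-EcdhKey
    $serverEphemeral = New-EcdhKey
    $sessionKey = $client.DeriveKeyMaterial($serverEphemeral.PublicKey)
    # (a real protocol would sign $serverEphemeral.PublicKey with $serverLongTerm here)
    $tap.Add(@{ ClientPub = $client.PublicKey; UsedKey = ConvertTo-Hex $sessionKey })
    $serverEphemeral.Dispose()                      # the per-session secret is gone for good
    $client.Dispose()
}
$recovered = @($tap | Where-Object {
    (ConvertTo-Hex $serverLongTerm.DeriveKeyMaterial($_.ClientPub)) -eq $_.UsedKey }).Count
"Ephemeral DH: {0} of {1} recorded session keys recovered from the leaked key" -f $recovered, $tap.Count
```

The first line reports every recorded session recovered; the second reports none, because the leaked long-term key has no relationship to secrets that were generated fresh and destroyed. The flip side, which the model also shows, is that PFS only helps if the ephemeral keys really are discarded: a server that caches DHE parameters or session tickets for a long time gives some of that protection back.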

Second is that Microsoft is acknowledging that they use data-at-rest encryption, and will be using it more often. Probably more than any other vendor, Microsoft is responsible for democratizing disk encryption by including BitLocker in Windows Vista and its successors, then steadily improving it. (Yes, I know that TrueCrypt and PGP predated BitLocker, but their installed bases are tiny by comparison.) Back in 2011 I wrote about some of the tradeoffs in using BitLocker with Exchange, and I suspected that Microsoft was using BitLocker in their Office 365 data centers, a suspicion that was confirmed recently during a presentation by some of the Office 365 engineering team and, now, by Smith’s post. Having said that, data-at-rest encryption isn’t that wonderful in the context of Office 365 because the risk of an attacker (or even an insider) stealing data by stealing/copying physical disks from an Office 365 data center is already low. There are many layers of physical and procedural security that help keep this risk low, and full-volume encryption does nothing against an attacker who already has access to the running server, since the volume is unlocked while Exchange is using it. Its real value in a data center is at the end of a drive’s life, when it leaves the building for repair or disposal. So encrypting the stored data on disk is of relatively low value compared to encrypting the links over which that data travels.

The third aspect is actually something that’s missing from Smith’s post, expressed as one word: Skype. Outlook.com, Office 365, SkyDrive, and Azure are all mentioned specifically as targets for improved encryption, but nothing about Skype? That seems like a telling omission, especially given Microsoft’s lack of prior transparency about interception of Skype communications. Given the PR benefits that the company undoubtedly expects from announcing how they’re going to strengthen security, the fact that Smith was silent on Skype indicates, at least to suspicious folks like me, that for now they aren’t making any changes. Perhaps the newly-announced transparency centers will provide neutral third parties an opportunity to inspect the Skype source code to verify its integrity.

Finally, keep in mind that nothing discussed in Smith’s post addresses targeted operations where the attacker (or government agency, take your pick) mounts man-in-the-middle attacks (QUANTUM/FOXACID) or infiltrates malware onto a specific target’s computer. That’s not necessarily a problem that Microsoft can solve on its own.

Exchange 2013 Cumulative Update 3 released

I thought it might be fun to write an annotated version of the Exchange team blog post announcing the availability of CU3 for Exchange Server 2013. So here goes…

The Exchange team is announcing today the availability of our most recent quarterly servicing update to Exchange Server 2013.  Cumulative Update 3  for Exchange Server 2013 and updated UM Language Packs are now available on the Microsoft Download Center.  Cumulative Update 3 includes fixes for customer reported issues, minor product enhancements and previously released security bulletins.   A complete list of customer reported issues resolved in Exchange Server 2013 Cumulative Update 3 can be found in Knowledge Base Article KB2892464.

Translation: “We’re getting the hang of this cumulative update model. Notice that we gave you a list of bug fixes in this release, just like y’all asked for last time, although we’re not saying that this is a comprehensive list of every bug fixed in the CU.”

We would like to call attention to an important fix in Exchange Server 2013 Cumulative Update 3 which impacts customers who rely upon Backup and Recovery mechanisms to protect Exchange data.  Cumulative Update 3 includes a fix for an issue which may randomly prevent a backup dataset taken from Exchange Server 2013 from restoring correctly.  Customers who rely on Backup and Recovery in their day-to-day operations are encouraged to deploy Cumulative Update 3 and initiate backups of their data to ensure that data contained in backups may be restored correctly.  More information on this fix is available in KB2888315.

Translation: “Backups are sooooo 2005. Why are you even doing them instead of using Exchange native data protection? DAGs and JBOD, baby. Just make sure you have at least 3 database copies. But if you are, well, take another backup right quick to make sure you can restore later.” [Note that I am manfully resisting the urge to ask how this issue slipped through testing. --PR]

In addition to the customer reported fixes in Cumulative Update 3, the following new enhancements and improvements to existing functionality have also been added for Exchange Server 2013 customers:

  • Usability improvements when adding members to new and existing groups in the Exchange Administration Console
  • Online RMS available for use by non-cloud based Exchange deployments
  • Improved admin audit log experience
  • Windows 8.1/IE11 no longer require the use of OWA Light

Translation: “Who doesn’t like new features? We promised to deliver new features on-premises, and we did, so yay us! However, notice how we avoided saying ‘on-premises’, instead using the clumsy ‘non-cloud based’ term instead.”

More information on these topics can be found in our What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet. Cumulative Update 3 includes Exchange related updates to Active Directory schema and configuration.  For information on extending schema and configuring the active directory please review the appropriate TechNet documentation.   Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded.  If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Translation: “Because we love you and want you to be happy, we’ve included a schema update to keep your Active Directory looking shiny and fresh. Remember, we can push schema updates in CUs now. Sorry if this means your organizational change control process means you have to delay installing the CU for months while you wait for the change to be assessed and approved.”

Our next update for Exchange Server 2013, Cumulative Update 4, will be released as Exchange Server 2013 Service Pack 1.  Customers who are accustomed to deploying Cumulative Updates should consider Service Pack 1 to be equivalent to Cumulative Update 4 and deploy as normal.

Translation: “CU4 will be so awesome that it’s really a service pack, if you like service packs, but if you don’t, then it’s not. Because every CU can include both features and fixes now, we have lots of flexibility to choose when to deploy features. Part of the reason we changed the servicing model was to get people away from the ‘wait for SP1’ attitude, so if SP1 is really just CU4, that helps show there’s no reason to wait.”

Reminder:  Customers in hybrid deployments where Exchange is deployed in-house and in the cloud, or who are using Exchange Online Archiving with their in-house Exchange deployment are required to maintain currency on Cumulative Update releases.

Translation: “Surprise! Since you can’t control what release your Office 365 tenant is running, if you’re in hybrid mode (or want to be), you now must commit to remaining on the current CU. If that’s a problem because of schema changes, well, good luck with that. I suppose if enough people complain we might start pre-announcing which CUs will contain schema changes so you can plan ahead.”

Overall, I’m looking forward to seeing CU3 be widely deployed. It seems to be a stable and solid release based on my experience with it. The new features will be welcome, and I am heartened to see the team continuing to hit their release cadence.

Exchange 2013 SP1 coming in early 2014

Microsoft today announced that Service Pack 1 for Exchange 2013 is coming in “early 2014”. The announcement has a few interesting nuances:

  • The Edge Server role is coming back. Not by popular demand, as far as I can tell; I presume this is being introduced to pacify a few large, noisy customers who are using Edge, because I haven’t seen any signs that customers are demanding it. I would not expect to see significant feature improvements or investments in this role, either in SP1 or going forward.
  • S/MIME for OWA support is coming. This has been known for some time; as yet we don’t know the specific details of which browsers will be supported.
  • SP1 will require a schema update. I will have more to say about this in the very near future.

Interestingly, SP1 is essentially CU4: it is applied in the same way as other CUs, and if you skip SP1 and install CU5 later on, you’ll get all the fixes and features included in SP1. The Lync team is doing the same thing with their CUs; the old rule that only service packs could include new features is dead and buried.

iOS 7 Exchange ActiveSync problems revisited

Back in September I posted an article about a problem that occurred when synchronizing iOS 7 devices against Exchange 2010 SP2. The wheels of justice grind slowly, but Microsoft has released a KB article and accompanying hotfix that describe the symptoms precisely.

I also got an odd report from a large enterprise customer; they had several hundred iOS 7.0.2 devices, all on Verizon in one specific region, that were having synchronization problems. The issue here turned out to be a network configuration issue on Verizon’s network that required some action from them to fix.

Now you’re probably starting to see the value in solutions like those from BoxTone

The future of importing large quantities of Exchange data to Office 365?

It wouldn’t be accurate to say “you can’t”, but Microsoft doesn’t make it easy.

Whether you’re moving mailboxes or PST data to Office 365, your imports are throttled; that is, Microsoft imposes a limit on how fast you can move information into their data centers. The exact speed of your import process will vary according to a variety of factors, including what protocol (IMAP4, MAPI, or EWS) you’re using, what migration tool you’re using, and how many concurrent threads it can spin up, how busy the data center you’re importing into is, and the mix of item sizes in the mailboxes or PSTs you’re importing.

The problem with this throttling is that it’s largely opaque. Although Microsoft publishes “observed data,” my own observations have shown that migration throughput can vary widely based on these factors and a bunch of others besides, possibly including the phase of the moon and whether you have recently said anything disparaging about Microsoft anywhere on the Internet.

Recently I had a customer who wanted to migrate 30TB of PST data to Exchange Online Personal Archives. While this might sound ridiculous, it makes perfect sense given that Office 365 E4 plans include an unlimited-size Personal Archive for each mailbox. That’s a hard deal to beat… if you can figure out how to get the data in. At one point, in a fit of frustration we asked Microsoft whether we could just send them a bunch of disk drives containing the PSTs. “Of course not,” they said (with “silly boy” being the unspoken coda to that phrase). But it turns out that Azure is now providing bulk import of data by sending disks to them: the Windows Azure Import/Export Service is now in preview. With any luck, we’ll see a similar service from Office 365 in the not-too-distant future. And when it happens, remember, Andy Tanenbaum had the idea first.

2-factor Lync authentication and missing Exchange features

Two-factor authentication (or just 2FA) is increasingly important as a means of controlling access to a variety of systems. I’m delighted that SMS-based authentication (which I wrote about in 2008) has become a de facto standard for many banks and online services. Microsoft bought PhoneFactor and offers its SMS-based system as part of multi-factor authentication for Azure, which makes it even easier to deploy 2FA in your own applications.

Customers have been demanding 2FA for Lync, Exchange, and other on-premises applications for a while now. Exchange supports the use of smart cards for authentication with Outlook Anywhere and OWA, and various third parties such as RSA have shipped authentication solutions that support other authentication factors, such as one-time codes or tokens. Lync, however, has been a little later to the party. With the July 2013 release of Lync Server 2013 CU2, Lync supports the use of smart cards (whether physical or virtual) as an authentication mechanism. Recently I became aware that there are some Lync features that aren’t available when the client authenticates with a smart card– that’s because the client authenticates to two different endpoints. It authenticates to Lync using two-factor authentication, but the Lync client can’t currently authenticate to Exchange using the same smart card, so services based on access through Exchange Web Services (EWS) won’t work. The docs say that this is “by design,” which I hope means “we didn’t have time to get to it yet.”

The result is that Lync 2013 clients using 2FA cannot use several features, including

  • the Unified Contact Store. You’ll need to use Invoke-CsUcsRollback to disable Lync 2FA users’ UCS access if you’ve enabled it.
  • the ability to automatically set presence based on the user’s calendar state, i.e. the Lync client will no longer set your presence to “out of office”, “in a meeting,” etc. based on what’s on your calendar. Presence that indicates call states such as “in a conference call” still works.
  • integration with the Exchange-based Conversation History folder. If you’ve configured the use of Exchange 2013 as an archive for Lync on the server side, that still works.
  • Access to high-definition user photos
  • The ability to see and access Exchange UM voicemail messages from the Lync client

These limitations weren’t fixed in CU3, but I am hopeful that a not-too-distant future version of the client will enable full 2FA use. In the meantime, if you’re planning on using 2FA, keep these limitations in mind.
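The Unified Contact Store point above is the one that needs admin action rather than just user awareness, so here is an added example (not part of the original post, and not Microsoft’s script) of taking a set of smart-card users off UCS. The user list is an assumption for the example (a CSV with a SipAddress column holding values like sip:user@contoso.com) and the policy name is arbitrary; the cmdlets are the standard Lync Server 2013 ones.

```powershell
# Added example (not from the original post). Moves a set of Lync users who
# sign in with smart cards off the Unified Contact Store, since their client
# cannot reach EWS. The CSV path and policy name are assumptions. Run from
# the Lync Server Management Shell as a member of RTCUniversalUserAdmins.

$policyName = 'NoUcsForTwoFactor'
$users = Import-Csv -Path 'C:\Temp\two-factor-users.csv' | Select-Object -ExpandProperty SipAddress

# 1. A per-user policy that keeps UCS off. Without it the rollback does not
#    stick: a user whose policy still allows UCS gets migrated to Exchange again
#    the next time a UCS-capable client signs in.
if (-not (Get-CsUserServicesPolicy -Identity "tag:$policyName" -ErrorAction SilentlyContinue)) {
    New-CsUserServicesPolicy -Identity $policyName -UcsAllowed $false | Out-Null
}

foreach ($sip in $users) {
    $u = Get-CsUser -Identity $sip -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "No Lync user for $sip; skipping"; continue }

    # 2. Assign the policy first, then 3. pull the contact list back into Lync.
    Grant-CsUserServicesPolicy -Identity $sip -PolicyName $policyName
    Invoke-CsUcsRollback -Identity $sip
    Write-Host "Rolled $sip back to Lync-based contacts"
}

# Verify that the per-user policy landed on everyone in the list.
Get-CsUser | Where-Object { $users -contains $_.SipAddress } |
    Select-Object SipAddress, UserServicesPolicy
```

Order matters here: granting the policy before the rollback is what makes the rollback permanent. If you later lift the 2FA requirement for someone, reverse both steps by granting them the global policy (`Grant-CsUserServicesPolicy -Identity $sip -PolicyName $null`) and letting the client migrate them back.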

Need Windows licensing help? Better call Paul

No, I’m not giving it. That would be like me giving advice on how to do a pencil drawing, or what wine goes with In-N-Out Burger.

A year or so ago, I had a very complex Windows licensing question that Microsoft was unable to answer. More to the point, no two Microsoft people were able to give me the same answer. I did a little digging and found Paul DeGroot of Pica Communications, author of the only book on Microsoft licensing that I know of. Paul quickly and clearly answered my question, and a couple of rounds of follow-up questions after that. Armed with his information, I was able to solve the particular problem I was having in a less expensive, less painful way than just buying all the licenses. As I was cleaning out my inbox, I found our discussion and remembered, guiltily, that I meant to mention Paul’s services earlier. Under the banner “better late than never” consider this a belated, and strong, recommendation.
