Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Upload: cordelia-lester

Post on 25-Dec-2015


Page 1: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Exchange Deployment Planning Services

Exchange Server 2010 Transport, Routing, and IPC

Exchange 2010 Transport, Routing, and IPC Goals

The Exchange 2010 Transport and Routing module has the following goals:
• Understanding the Hub Transport role
• Identify information protection requirements
• High level transport design and recommendations

Exchange 2010 Transport, Routing, and IPC Audience

Ideal audience for this workshop:
• Messaging SME
• Networking SME
• Security SME

Exchange 2010 Transport, Routing, and IPC

This module focuses on the following:

Transport and routing
• Exchange Server 2010 transport key design goals
• Capacity planning
• High Availability and reliability
• Instrumentation and reporting
• Transport interoperability
• Edge

Information Leakage Protection and Control (IPC)
• Transport content protection
• Confidential communications

Exchange 2010 Transport, Routing, and IPC

After this module you should have:
• Basic planning knowledge for Exchange 2010
• Basic understanding of Exchange 2010 hub transport and routing

Exchange Server 2010 Transport Key Design Goals

• Lowering costs
• Increased availability
• Better administrative control
• Operational excellence

Lowering Cost With Exchange Server 2010 Transport

40% of TCO is attributed to CapEx and 60% is attributed to OpEx**

• Lowering capital expenditure (CapEx)
  − Reduction in IOPS/msg through performance improvements reduces number of servers required in deployment
  − Enable non-redundant storage (RAID0) configurations without increased risk of data loss
• Lowering operations expenditure (OpEx)
  − Smaller server footprint, less power and A/C
  − “Disposable state” enables simple recovery actions (restart process, restart server, rebuild database, reimage server)
  − Key Health Indicators (KHI) provide notification when system needs attention

Capacity Planning Transport Performance - Improvements

• mail.que database improvements
  − Increased Extensible Storage Engine (ESE) page size to 32 KB
  − ESE Database (DB) page compression
  − ESE version store maintenance
  − Better use of intrinsic low voltage storage
  − Increase DB cache size and checkpoint depth
• Decrease transport dumpster size through truncation feedback to improve cache efficiency
• Result: More than 50% reduction in IOPS (hub)

Capacity Planning Transport Performance

[Chart: Reducing Version Bucket Resource Pressure. Version buckets plotted against message size (10 MB to 370 MB) for E2007 and E2010, with reference lines at VersionBucketsHighThreshold (200) and VersionBucketsMediumThreshold (120).]

High Availability and Reliability

• Overview
• Stateless Hub Transport
• Automated server recovery
• Transport dumpster
• Message Throttling

Stateless Hub Transport
Transport Redundancy, Overview

Goals
  − Increased reliability without increased hardware costs
  − Enabled by default
  − Shadow redundancy similar to transport dumpster
  − Data retained on previous hop until delivered
  − When failure in next hop detected, previous hop resubmits
  − SMTP extensions used (create little overhead)
  − Elimination of RAID overhead
  − 50% IOPS reduction for 80% write I/Os

How Does Transport Redundancy Work? (1)

[Diagram labels: Hub, Edge1, Edge2, Foreign MTA; steps 1 and 2]

1. Hub (shadow) delivers message to Edge1 (primary)
  − Detects that Edge1 supports Transport redundancy through XSHADOW verb
  − Hub moves message to shadow queue and stamps Edge1 as current, primary owner

2. Edge1 (primary) receives message (becomes “primary owner”)
  − Edge1 delivers message to next hop
  − Edge1 updates discard status of the message indicating delivery complete to foreign MTA

How does Transport Redundancy Work? (2)

[Diagram labels: Hub, Edge1, Edge2, Foreign MTA; steps 1 and 2]

3. Success: Hub (shadow) queries Edge1 (primary) for expiry status
  − Hub issues XQDISCARD command (next SMTP session)
  − Edge1 checks local discard status and responds with list of messages considered delivered
  − Hub deletes messages from its shadow queue

4. Failure: Hub (shadow) queries Edge1 (primary) discard status and resubmits
  − Hub opens SMTP session, issues XQDISCARD command (heartbeat)
  − If Hub can’t contact Edge1 within timeout, resubmits messages in shadow queue
  − Resubmitted messages are delivered to Edge2 (go to #1)

Shadow Redundancy in Action

ehlo hub1.contoso.com
250-hub2.contoso.com Hello [192.168.1.102],
250-Size
250-Pipelining
...
250-XSHADOW
...
...
XSHADOW 2oXJTlaork+WHKoTaVBg5g==
250 tFNe8ke2k0mWPKAuQLsFHQ==
...
MAIL FROM:<[email protected]> SIZE=6004 XSHADOW=43d35a45-69ba-4838-95a4-1c05e83b5e1a
...
XQDISCARD 50
251 OK, no discard events
...
XQDISCARD 50
250 43d35a45-69ba-4838-95a4-1c05e83b5e1a

Other Scenarios

• Delayed acknowledgement after end of data
  − SMTP submission from Exchange Server 2003/2007, 3rd party MTA / MUA, UM, POP, and IMAP
  − 250 response delayed up to 30 seconds (default)
  − If transport server fails before ack, client resubmits
• Mailbox Submission redundancy relies on copy of message in sender’s “Sent Items” folder
  − Mail Submission Service resubmits copy when hub doesn’t acknowledge successful delivery of message
• System generated messages (Journal Report, NDR) are considered “side effects” of original message submission, tracked as part of original delivery status

Shadow Redundancy
Configuration

Global Shadow Redundancy Configuration:

[PS] D:\>get-TransportConfig | FL Shadow*

ShadowRedundancyEnabled          : True
ShadowHeartbeatTimeoutInterval   : 00:05:00
ShadowHeartbeatRetryCount        : 3
ShadowMessageAutoDiscardInterval : 2.00:00:00

Delayed Acknowledgement Timer Configuration:

[PS] D:\>get-receiveconnector | ft server,name,MaxAcknowledgementDelay -a

Server      Name                MaxAcknowledgementDelay
------      ----                -----------------------
HP64PIZZA50 Default HP64PIZZA50 00:00:30
HP64PIZZA50 Client HP64PIZZA50  00:00:30

Delayed Acknowledgement is disabled on a receive connector by setting MaxAcknowledgementDelay to 00:00:00
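
The shadow redundancy hand-off in steps 1 to 4, modelled as a small state machine. This is an added example, not code from the deck or from Exchange: the Edge and Hub classes and their methods are hypothetical, and treating a primary as failed after ShadowHeartbeatRetryCount consecutive failed heartbeats is an assumption, since the page does not say how the timeout and retry count combine.

```python
from dataclasses import dataclass, field

XQDISCARD_BATCH = 50  # batch size used in the session transcript on the page


@dataclass
class Edge:
    """Primary owner: accepts mail, relays it onward, records discard status."""
    name: str
    foreign_mta: list                      # shared list standing in for the next hop
    reachable: bool = True
    pending: list = field(default_factory=list)
    discard_events: list = field(default_factory=list)

    def accept(self, msg_id):
        if not self.reachable:
            raise ConnectionError(self.name)
        self.pending.append(msg_id)

    def relay(self):
        """Step 2: deliver to the next hop, then mark each message discardable."""
        while self.reachable and self.pending:
            msg_id = self.pending.pop(0)
            self.foreign_mta.append(msg_id)
            self.discard_events.append(msg_id)

    def xqdiscard(self, limit=XQDISCARD_BATCH):
        """Answer the shadow's query with the ids it may now drop."""
        if not self.reachable:
            raise ConnectionError(self.name)
        batch = self.discard_events[:limit]
        del self.discard_events[:limit]
        return batch


@dataclass
class Hub:
    """Shadow server: keeps a copy of each message until the primary confirms."""
    edges: list
    retry_count: int = 3                   # ShadowHeartbeatRetryCount on the page
    shadow_queue: dict = field(default_factory=dict)   # msg_id -> primary owner
    missed: dict = field(default_factory=dict)         # edge name -> failed heartbeats

    def submit(self, msg_id):
        """Step 1: hand off to the first reachable edge and keep a shadow copy."""
        for edge in self.edges:
            try:
                edge.accept(msg_id)
            except ConnectionError:
                continue
            self.shadow_queue[msg_id] = edge.name
            return edge.name
        raise RuntimeError("no reachable next hop for " + msg_id)

    def heartbeat(self, edge):
        """Steps 3 and 4: query discard status; return ids that were resubmitted."""
        try:
            delivered = edge.xqdiscard()
        except ConnectionError:
            self.missed[edge.name] = self.missed.get(edge.name, 0) + 1
            if self.missed[edge.name] < self.retry_count:
                return []                  # assumption: wait for more failed heartbeats
            orphaned = [m for m, owner in self.shadow_queue.items()
                        if owner == edge.name]
            for msg_id in orphaned:
                self.submit(msg_id)        # back to step 1; the shadow copy stays queued
            return orphaned
        self.missed[edge.name] = 0
        for msg_id in delivered:
            self.shadow_queue.pop(msg_id, None)
        return []


def run_scenario():
    """Constructed walk-through: one clean delivery, then a primary failure."""
    foreign_mta = []
    edge1, edge2 = Edge("Edge1", foreign_mta), Edge("Edge2", foreign_mta)
    hub = Hub([edge1, edge2])
    trace = {}

    hub.submit("m1")
    edge1.relay()
    hub.heartbeat(edge1)                   # step 3: shadow copy of m1 is deleted
    trace["after_success"] = dict(hub.shadow_queue)

    hub.submit("m2")
    edge1.reachable = False                # Edge1 fails before relaying m2
    trace["resubmits"] = [hub.heartbeat(edge1) for _ in range(hub.retry_count)]
    trace["owner_after_failure"] = hub.shadow_queue["m2"]

    edge2.relay()
    hub.heartbeat(edge2)
    trace["final_shadow_queue"] = dict(hub.shadow_queue)
    trace["delivered"] = list(foreign_mta)
    return trace


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```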

Shadow Redundancy
Queue

Automated Service Recovery

• Exchange Server 2007 memory resource pressure results in decreased service availability
  − Exchange 2010 implemented signal to generate Dr. Watson report (determine cause of failure) and restarts
  − Exchange 2010 Alert can send to System Center to further analyze resource pressure
• Exchange Server 2007 queue database corruption results in downtime until administrator can perform manual recovery
  − With Exchange 2010, transport will detect queue database corruption, move/delete DB, and continue operation
  − Shadow redundancy provides data resiliency

Transport Dumpster 2007
Issues with Exchange 2007

• Up to 200% increase in IOPS/msg on hub transport role when using transport dumpster in Active Directory® Domain Services (AD DS) site with many storage groups
  − 18 MB quota per storage group using CCR results in inefficient JET database cache
• Redelivery request from mailbox role after lossy failover results in resubmission of entire quota
  − Analysis has shown that most are detected as duplicates unless significant log replication lag exists
• Cannot recover data that exceeds dumpster quota (default 18 MB) regardless of how many logs lost in DB failover
  − Increased quota results in decreased cache efficiency

Transport Dumpster 2010
Improvements

• Eliminate extra IOPS due to transport dumpster
• Database replication feedback from mailbox role allows dumpster truncation on hub role
  − LastLogInspected time for each database copy retrieved from active manager at regular interval
  − Timestamp of “worst” database copy in DAG used as the dumpster watermark for each database
  − Items older than dumpster watermark are removed based on scheduled feedback
• Content of transport dumpster queue based on log replication latency and frequency of feedback
  − Still does not exceed the “configured size”
• Redelivery requests result in resubmission of messages newer than dumpster watermark
• Redelivery requests to Hub servers in all AD DS sites
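
The watermark-based truncation described above, as an added example that is not code from the deck or from Exchange. The TransportDumpster class, its method names and the sample timestamps are hypothetical and constructed; only the rules (worst copy sets the watermark, older items are removed, the configured size is never exceeded, redelivery resubmits newer items) come from the slide.

```python
from datetime import datetime, timedelta


def dumpster_watermark(last_log_inspected):
    """LastLogInspected of the copy that is furthest behind (the "worst" copy)."""
    return min(last_log_inspected.values())


class TransportDumpster:
    """Per-database dumpster on a hub, holding (delivered_at, msg_id, size)."""

    def __init__(self, max_size):
        self.max_size = max_size           # the "configured size" ceiling, in bytes
        self.items = []                    # kept sorted, oldest first

    def add(self, delivered_at, msg_id, size):
        self.items.append((delivered_at, msg_id, size))
        self.items.sort()
        # The ceiling still applies: drop the oldest items until back under it.
        while sum(s for _, _, s in self.items) > self.max_size:
            self.items.pop(0)

    def apply_feedback(self, last_log_inspected):
        """Scheduled feedback: remove items older than the watermark."""
        mark = dumpster_watermark(last_log_inspected)
        removed = [m for t, m, _ in self.items if t < mark]
        self.items = [i for i in self.items if i[0] >= mark]
        return removed

    def redeliver(self, since):
        """Redelivery request: resubmit only items newer than the watermark."""
        return [m for t, m, _ in self.items if t >= since]


def run_example():
    """Constructed data: three deliveries one minute apart, two database copies."""
    t0 = datetime(2008, 6, 16, 23, 0, 0)
    minute = timedelta(minutes=1)
    dumpster = TransportDumpster(max_size=1000)
    for n, msg_id in enumerate(["a", "b", "c"]):
        dumpster.add(t0 + n * minute, msg_id, 300)

    # copy-2 lags behind copy-1, so copy-2 sets the watermark.
    copies = {"copy-1": t0 + 2 * minute, "copy-2": t0 + 1 * minute}
    removed = dumpster.apply_feedback(copies)
    resubmitted = dumpster.redeliver(dumpster_watermark(copies))

    # A large new item pushes the total over the ceiling; the oldest is dropped.
    dumpster.add(t0 + 3 * minute, "d", 500)
    return removed, resubmitted, [m for _, m, _ in dumpster.items]


if __name__ == "__main__":
    print(run_example())
```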

Transport Dumpster Statistics

[PS] D:\>get-date;Get-MailboxServer | foreach {get-databasecopystatus -MailboxServer $_.identity -DumpsterStatistics | ? {$_.SummaryCopyStatus -ne 'Mounted'}} | foreach {$_.DumpsterStatistics}

Monday, June 16, 2008 11:07:02 PM

Server        : HP64PIZZA50
OldestItem    : 6/16/2008 11:06:11 PM
QueueSize     : 3645
NumberOfItems : 63

Server        : HP64PIZZA50
OldestItem    : 6/16/2008 11:06:14 PM
QueueSize     : 827
NumberOfItems : 43

How many items are in the dumpster for each database?
How much space is the dumpster consuming for each database?

Message Throttling

• Throttling of MAPI and SMTP client submissions
  − Prevent mail storms due to accidental misuse, misbehaving software and malware
• Manage using *-ThrottlingPolicy cmdlets
  − Throttling policies are applied per-user
  − Transport settings in Default Throttling policy are disabled by default
• MessageRateLimit throttles rate of message submission from authenticated user or anonymous IP address
  − Evaluated per-server over 1 minute period
  − SMTP returns transient errors when rate exceeded
  − Mail Submission Service defers messages in outbox once rate has been exceeded, retries submission periodically
• RecipientRateLimit throttles number of messages submitted
  − Evaluated over 24 hour period
  − Error returned to client for all submission attempts once quota exceeded

Instrumentation and Reporting

• Key Health Indicators
• SLA instrumentation
  − Measuring delivery latency
  − End-to-end latency
  − Server component latency
  − Historical reporting and trends
  − Transport scorecard
  − Transport dashboard

Key Health Indicators

• Exchange Server 2007 Health
  − Service availability: measurement of process uptime
  − Error events: large number of error conditions that may cause service disruption if left undetected
• Exchange 2010 KHIs used to determine when user experience impacted:
  − Delivery Latency to determine if delivered messages are meeting SLA objectives
  − Submission Availability to determine if server is available to accept new messages
  − DSN Generation to determine if server is failing to deliver messages
  − Delivery Completion to determine if server is unable to complete delivery

Measuring Delivery Latency
SLA

• Measures latency of every component involved with delivering message end-to-end

• Intra-organizational delivery latency is measured from point of entry into organization to mailbox delivery or transfer to external mail system

• Servers in route between org entry and exit contribute to the end-to-end latency

• Components on each server contribute to the latency on each server

• Reporting through message tracking log and PerfMon instrumentation

Measuring Delivery Latency
Process

• First Exchange 2010 (H1) Server loops over received headers for InternalSMTPServers (H1 -> P2 -> P1):
  − Add Latency header for P2’s and P1’s received header
  − Add OriginalArrivalTime header for P1
  − Add InProgress header for H1
• Server (H3): Loop over Received headers until we reach the previous Exchange 2010 server (H3 -> H2 -> H1):
  − Add Latency header for H2’s received header
  − Convert H1’s InProgress header to latency header
  − Add InProgress header for H3
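
The previous-hop part of this process, deriving per-hop latency from the timestamps in Received headers, can be reproduced offline on any message. This is an added example, not Exchange's latency tracker: it does not read or write the Latency, OriginalArrivalTime or InProgress headers, the function names are hypothetical, the sample message is constructed, and clamping negative differences caused by clock skew to zero is an assumption.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: P1 -> P2 -> H1, newest header first as in a real message.
SAMPLE = (
    "Received: from p2.example.test by h1.example.test;\n"
    "\tMon, 16 Jun 2008 23:06:40 -0700\n"
    "Received: from p1.example.test by p2.example.test;\n"
    "\tTue, 17 Jun 2008 06:06:14 +0000\n"
    "Received: from app.example.test by p1.example.test;\n"
    "\tMon, 16 Jun 2008 23:06:11 -0700\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def hop_latencies(raw_message):
    """Return [(receiving_host, seconds_since_previous_hop)], oldest hop first.

    The first hop has no predecessor, so its latency is None; a hop whose
    timestamp cannot be parsed is also reported as None and is skipped as a
    reference point for the next hop.
    """
    msg = message_from_string(raw_message)
    hops, previous = [], None
    # Each server prepends its header, so walk the list bottom-up.
    for header in reversed(msg.get_all("Received", [])):
        clause, _, stamp = header.rpartition(";")
        match = BY_HOST.search(clause)
        host = match.group(1) if match else "unknown"
        try:
            arrived = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            hops.append((host, None))
            continue
        if arrived.tzinfo is None:
            arrived = arrived.replace(tzinfo=timezone.utc)  # assumption: treat as UTC
        if previous is None:
            hops.append((host, None))
        else:
            seconds = (arrived - previous).total_seconds()
            hops.append((host, max(seconds, 0.0)))  # clamp clock skew to zero
        previous = arrived
    return hops


def end_to_end(hops):
    """Sum of the per-hop latencies that could be measured."""
    return sum(seconds for _, seconds in hops if seconds is not None)


if __name__ == "__main__":
    measured = hop_latencies(SAMPLE)
    for host, seconds in measured:
        print(host, seconds)
    print("end to end:", end_to_end(measured))
```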

Measuring Delivery Latency
Message Tracking Log

[PS] C:\>get-messagetrackinglog -server:df-mlt-01 -messageid:"<[email protected]>" | ConvertTo-MessageLatency.ps1 | FT -a ComponentServerFqdn,ComponentCode,ComponentName,ComponentLatency

ComponentServerFqdn                       ComponentCode ComponentName        ComponentLatency
-------------------                       ------------- -------------        ----------------
msw-sfw-r03.redmond.corp.microsoft.com    TOTAL         Total Server Latency 00:00:03
tk5-exsmh-c102.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:23
tk5-exhub-c103.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:08
TK5EX14MLTC101.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:00
df-h14-01.exchange.corp.microsoft.com     TOTAL         Total Server Latency 00:00:00
DF-MLT-01.exchange.corp.microsoft.com     TOTAL         Total Server Latency 00:00:00

Hop 1: 3rd Party Application MTA (Previous Hop Latency)
Hops 2,3: Exchange Server 2007 (Previous Hop Latency)
Hops 4,5,6: Exchange Server 2010 (Latency Tracker)

End-to-End Delivery Latency of ~34 seconds

Server Component Latency
Message Tracking Log

[PS] D:\>get-messagetrackinglog -server:fesmoke2 -eventid:deliver | where {$_.MessageLatencyType -eq "EndtoEnd" -and $_.MessageLatency.TotalSeconds -gt 20} | convertTo-messageLatency | where {$_.Latency -gt "00:00:20" -and $_.ComponentCode -notlike "total"}

InternalMessageId  : 1
MessageId          : <f8bee984-LB18.BXWLWF-dom.com>
MessageLatency     : 00:00:25.7500000
MessageLatencyType : EndToEnd
ServerFqdn         : 3859R7-LB18.BXWLWF-dom.extest.microsoft.com
ComponentCode      : SMR
ComponentName      : SMTP Receive
Latency            : 00:00:22

InternalMessageId  : 3
MessageId          : <32623cfb-LB18.BXWLWF-dom.com>
MessageLatency     : 00:00:26.6180000
MessageLatencyType : EndToEnd
ServerFqdn         : 3859R7-LB18.BXWLWF-dom.extest.microsoft.com
ComponentCode      : SMR
ComponentName      : SMTP Receive
Latency            : 00:00:24

Why did messages take longer than 20 seconds to deliver end to end?

Server Component Latency PerfMon Object

Measuring Transport Service Levels

• Server statistics log, containing traffic summary:

ServerStatisticsLogMaxAge           : 30.00:00:00
ServerStatisticsLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ServerStatisticsLogMaxFileSize      : 10 MB (10,485,760 bytes)
ServerStatisticsLogPath             : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ServerStats

• Active user statistics log, containing summary of user usage:

ActiveUserStatisticsLogMaxAge           : 30.00:00:00
ActiveUserStatisticsLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ActiveUserStatisticsLogMaxFileSize      : 10 MB (10,485,760 bytes)
ActiveUserStatisticsLogPath             : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ActiveUsersStats

Transport Statistics (1)

Transport Statistics (2)

Transport Interoperability

• Routing version boundary change:
  − Exchange 2010 Mailbox servers can only submit to Exchange 2010 Hub Transport servers
  − Exchange 2010 Hub Transport servers can only deliver to Exchange 2010 Mailbox servers
  − Exchange Server 2007 Mailbox servers can only submit to Exchange Server 2007 Hub Transport servers
  − Exchange Server 2007 Hub Transport servers can only deliver to Exchange Server 2007 Mailbox servers
• Exchange 2010 Hub Transport servers can communicate with Exchange Server 2007 Hub Transport servers via SMTP (and vice versa)
• Inter-site routing has no version preference
  − Hub role will load-balance inter-site traffic to all hubs in target site
• Subscribed Edge servers:
  − Have no version preference when routing inbound/outbound traffic
  − Exchange 2010 Hub Transport will become authoritative for EdgeSync

Transport Roles
Edge Transport Improvements

• Better Performance for EdgeSync via Deltasync Mode
  − Under this mode, each time EdgeSync service only reads the delta change since last sync and updates the target accordingly
• Support for safe senders and blocked senders
  − Configurable Safe List quotas
  − Administrator defined blocked senders
  − Automatic update of Safe Sender list propagation into Active Directory

Transport Roles
Edge Transport Improvements

• Exchange 2010 builds upon the success of Safe Senders by providing positive differentiation of Safe Recipients.
• Users’ blocked senders are stored as part of their junk e-mail rule in the mailbox.
• Users’ blocked senders are respected on Edge as follows:
  − Junk E-mail Options Assistant propagates blocked senders lists from mailboxes to AD DS
  − EdgeSync pushes blocked senders from AD to AD LDS on Edges
  − On Edge, the Sender Filtering agent blocks mail from blocked senders

Edge
Faster synch of safe/blocked senders

[Diagram labels: Mailbox Server, Active Directory, Hub Server, Edge Server]

• E2007: Full AD Synch to Edge = up to 4 hours
• E2007: Manual Upload = up to 4 hours
• E2010: AUTO UPLOAD = 30 seconds
• E2010: EDGE SYNCH = 30 SECONDS
• E2007: Safe Senders + E2010: Blocked Senders

Both Safe Sender and Blocked Sender lists now synched to the Edge in seconds

Edge

• Enhanced EdgeSync Configuration and Troubleshooting
  − Exposed Configuration Settings to PowerShell
  − Added new log file to track EdgeSync activity

Further Transport Improvements

• Exchange 2010 allows TLS to be disabled for wide-area network (WAN) Accelerators
  − For use in geographically dispersed locations
  − Routing Topology must be considered
  − Use -UseDownGradedExchangeServerAuth setting on Hub Server Role
• Journaling improvements
  − Reconciliation with Long Term Archive verifying that journal messages have been received/processed by offsite archiving vendors
  − Identify BCC recipients in journal reports, distinguish recipient type to identify BCC recipients
  − Improvements for Archiving messages that resulted in NDR
  − Allow voice mail to be journaled

SMTP Failover and Load Balancing Improvements

• Enhanced DNS is used to evenly load balance when all servers are healthy, but things become uneven when a server is unhealthy
• SP1 introduces new behavior that detects and tracks unhealthy servers
  − For example, Hub1 needs to route several messages to another site which contains Hub2, Hub3, and Hub4. If Hub1 knows that Hub3 is unavailable, it'll remove that server from the list of possible targets and only route to Hub2 and Hub4, evenly load balancing across them

Improvements in SP1

• MailTips
  − Control the types of MailTips that are shared and even designate a specific group of users for which to return MailTips
  − New capabilities include changes to event log entries, alerts, and performance monitor counters

Improvements in SP1

• Message Tracking
  − Improved error messages for delivery reports for situations where a user attempts to access delivery reports for a specific message but is unable to view the report (e.g., immediately after sending it, but before the tracking information is inserted into the logs). Messages displayed to the users have been greatly improved, providing explanations as to why the information isn't available
  − New event log entries, alerts, and performance monitor counters
  − You can now request complete logs of every operation that was executed by a Client Access server processing a delivery report request

Improvements in SP1

• Throttling Enhancements
  − Transport servers now maintain a running average delivery cost of messages sent by individual senders. If a user keeps sending costly messages (e.g., those addressed to large audiences or with large attachments), Transport servers start to give priority to other messages with lower cost before processing messages from that sender. For example, if a user is sending multiple messages with 10MB attachments, Transport will start processing other messages without attachments first before handling further messages from this particular sender.
  − Transport also keeps track of the RPC utilization of Mailbox servers. If a Hub Transport server detects that a Mailbox server is under RPC resource pressure, it'll scale back the RPC sessions it opens to that Mailbox server. This way, interactive client connections to the Mailbox server take precedence over message delivery when it comes to utilizing RPC resources on a Mailbox server.

Improvements in SP1

• Shadow Redundancy Improvements
  − To address potential timeout issues, a new feature called shadow redundancy promotion is introduced in Exchange 2010 SP1. In a scenario where Transport previously issued an acknowledgement without delivery confirmation, a Transport server now instead routes the message to any other Transport server within the site so that the message is protected by shadow redundancy

Improvements in SP1

• SMTP Failover and Load Balancing Improvements
  − Enhanced DNS is used to evenly load balance when all servers are healthy, but things become uneven when a server is unhealthy
  − SP1 introduces new behavior that detects and tracks unhealthy servers
  − For example, Hub1 needs to route several messages to another site which contains Hub2, Hub3, and Hub4. If Hub1 knows that Hub3 is unavailable, it'll remove that server from the list of possible targets and only route to Hub2 and Hub4, evenly load balancing across them

Improvements in SP1

• Send Connectors over Reliable Connections
  − Several new features were added to the Send connectors. Most changes are to support coexistence with Exchange Online
  − You can have dedicated Send connectors that are responsible for transmitting messages over well-defined communication channels that are expected to always be available, such as a Send connector dedicated to send messages to Exchange Online. On such connections, many of the typical errors that are possible on ordinary destinations on the Internet aren't expected. In this scenario, you may want to treat any communication errors as transient as opposed to issuing NDRs. With SP1, you can configure a Send connector to downgrade authentication and name resolution errors, which would normally result in an NDR, to transient errors. In these cases, Exchange will attempt delivery again instead of issuing an NDR.

Information Leakage and Control

Agenda

Transport Content Protection
• What’s new in Microsoft® Exchange 2010?

Confidential communications
• Automatic content-based privacy
• Transport Pipeline decryption
• IRM in Outlook® and OWA
• Outlook Protection Rules
• B2B RMS communication

What's New?

• Exchange Server 2007 introduced
  − Secure intranet e-mail by default
  − Opportunistic TLS
  − RMS pre-Licensing
• Exchange 2010 goes beyond
  − Automatic detection and protection of sensitive content using RMS
  − Provides centralized control of e-mail protection
  − Enable transport agents to be "RMS aware"
  − Secure business communication using RMS

Information Leakage
Can Be Costly On Multiple Fronts

Legal, Regulatory and Financial impacts
• Cost of digital leakage per year is measured in $Billions
• Increasing number and complexity of regulations (e.g. GLBA, SOX, CA SB 1386)
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more

Damage to Image and Credibility
• Damage to public image and credibility with customers
• Financial impact on company
• Leaked e-mails or memos can be embarrassing

Loss of Competitive Advantage
• Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
• Loss of research, analytical data, and other intellectual capital

Traditional Solutions Protect Initial Access

[Diagram labels: Access Control List Perimeter (Yes / No), Firewall Perimeter, Authorized Users, Unauthorized Users, Information Leakage]

…but not ongoing usage.

Enforcement tools are required—content protection should be automated.

Message Confidentiality?

Exchange 2010 and RMS Overview

• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS

What is Rights Management Services?

• Windows platform information protection technology
• Granular protection that travels with the data
• Persistent protection
  − Protects your sensitive information no matter where it goes
  − Usage rights locked within the document itself
  − Protects online and offline, inside, and outside of the firewall
• Granular control
  − Users apply IRM protection directly within an e-mail
  − Users can define who can open, modify, print, and forward an e-mail
  − Organizations can create custom usage policy templates such as "Confidential—Read Only"
  − Limit attachment access to only authorized users

RMS Protection is applied both to the message itself and to the attachments.

Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).

Protected Content in Outlook

Automatic Content-Based Privacy
Eliminate Reliance On End-User

• Protect message in transit via Transport Rules action

• Protect messages by default at Outlook Client

• Private Voice message automatically protected by UM

Automatic Content-Based Privacy

Automatic Content-based Privacy:
• Transport Rule action to apply RMS template to e-mail message
• Transport Rules support Regex scanning of attachments in Exchange 2010 (including content)
• Internet Confidential and Do Not Forward Policies available out of box

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.

Protection via Transport Rules

• New Transport rule action to “RMS protect”
• Transport Rules support regular expression scanning of attachments in Exchange 2010
• “Do Not Forward” policy available out of the box
• Office 2003, Office 2007, Office 2010, and XML Paper Specification (XPS) documents are supported for attachment protection

Protection via Transport Rules

Apply “Do Not Forward” or custom RMS templates

Apply RMS policies automatically using Transport Rules

How does it work?
Transport Rules:

1. Mail marked for protection.

2. On first use, Exchange does an SCP lookup for the RMS server.

3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used.

* Super user not required.

4. Message is protected using the CLC. The owner of the message is the original sender.

5. Message is delivered to the recipient with RMS protection applied.

[Diagram labels: Hub Transport, Active Directory® Domain Services (AD DS), RMS]

Outlook Protection Rules

• Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
  − Rules can be mandatory or optional depending on requirements
• Rules look at the following predicates:
  − Sender’s department (HR, R&D, etc.)
  − Recipient’s identity (specific user or distribution list)
  − Recipient’s scope (all within the organization, outside, etc.)
• Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services

Page 62: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Outlook Protection Rules

• IRM Protection will be applied by Outlook
− IRM protected e-mail can be shown in OWA
− IRM protected e-mail can be indexed by the content indexing engine on the mailbox server
− Mail can be journaled in the clear to internal or 3rd party archives
− E-discovery is able to access or retrieve these messages within Exchange

Page 63: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Outlook Protection Rules

IRM protection automatically triggered based on sender/receiver attributes

Supported attachments are also protected

Windows Desktop Search will index headers and subject

Authorized users can turn off protection

Protection is applied at the client level

Can be used to prevent e-mail service provider from accessing your e-mail

Page 64: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

How does it work? Outlook Protection Rules

1. Administrator defines a set of Outlook Protection Rules. These are exposed via a web service to clients.

2. When the user connects to Exchange via CAS, the rules are automatically downloaded. They are then frequently updated on the client based on administrator changes.

3. The first time a rule triggers the user is asked to get a RAC and CLC from RMS.

4. The message is protected before the user sends.

User can override (if rule allows).

Diagram components: Client Access (OWA), AD DS RMS
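
The two rule types described above (server-side transport rules and client-side Outlook Protection Rules) can be set up side by side from the Exchange Management Shell. This is an added example, not part of the original deck; the rule names, the keyword and the 'HR' department value are constructed for illustration.

```powershell
# Added example (not from the deck). Rule names, the keyword and the 'HR'
# department value are constructed. Run in the Exchange Management Shell.

# Fail early if the template the rules reference is not published by AD RMS.
$templateName = 'Do Not Forward'
if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $templateName })) {
    throw "RMS template '$templateName' is not available to Exchange."
}

# Server side: the Hub Transport server applies the template after submission,
# so the rule also covers clients that cannot apply IRM themselves.
New-TransportRule -Name 'IRM: confidential keyword (constructed)' `
    -SubjectOrBodyContainsWords 'Company Confidential' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate $templateName

# Client side: Outlook applies the template before the message is sent.
# -UserCanOverride $false makes the rule mandatory; $true makes it optional.
New-OutlookProtectionRule -Name 'IRM: HR senders (constructed)' `
    -FromDepartment 'HR' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate $templateName `
    -UserCanOverride $false

# Review what clients will download, in evaluation order.
Get-OutlookProtectionRule | Sort-Object Priority |
    Format-Table Name, Enabled, Priority, UserCanOverride, ApplyRightsProtectionTemplate -AutoSize
```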

Page 65: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Rights Management Services Integration in Unified Messaging

• UM administrators can allow incoming voice mail messages to be marked as “private”

• Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying content

• Private voice mail is supported in Outlook 2010 and OWA 2010

Page 66: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Protected Voice Mail (Do Not Forward)

Voice mail and transcript are protected using AD RMS Protectors

Do Not Forward template

Permissions applied by sender or required by administrative policy

Page 67: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

How does it work? Protected Voice Mail

1. Voice mail marked as “Private.”

2. On first use, Exchange does an SCP lookup for the RMS server.

3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used.

* Super user not required.

4. Message is protected using the CLC. The owner of the message is the caller (if resolved).

5. Voice mail is delivered to the recipient with RMS protection applied.

Diagram components: Unified Messaging, AD DS, AD DS RMS

Page 68: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Exchange 2010 and RMS Overview

• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS

Page 69: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Streamlined End-User Experience

Prevent RMS Protection from getting in user’s way

• Pre-licensing enables offline and mobile access to RMS protected messages

• IRM Feature Parity between Outlook and OWA

• Conduct full-text search on RMS protected messages in OWA

• Built-in ability to create/consume RMS protected messages with Windows Mobile® 6.x

Page 70: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Rights Management Services Integration in Outlook Web Access

• Create/consume RMS protected messages natively, just like Outlook
• No client download or installation required
• Supports:
− Mozilla Firefox™, Safari®, Macintosh® and Windows®
− Conversation View, Preview pane
− Full-text search on RMS protected messages

Page 71: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Rights Management Services Integration in Outlook Web Application

Page 72: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

How does it work? Outlook Web App

1. RMS protected mail passes through Hub Transport.

2. Exchange requests a Pre-License for the recipient on the message. Exchange also requests a Server License. Both are saved on the message.

3. On first use, Exchange CAS does an SCP lookup for the RMS server.

4. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used. The RAC is a super-user RAC.

5. User attempts to open an IRM message in OWA. Using the RAC on the machine and the Server License, the content is decrypted. The user’s rights are computed using the Pre-License.

Diagram components: Hub Transport, Client Access (OWA), AD DS, AD DS RMS


Page 74: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Transport Pipeline Decryption

• Enables Hub Transport agents to scan/modify RMS protected messages
− Required for Antivirus scanning, Transport Rules or 3rd party agents

• Decryption Agent
− Decrypts message and attachments, using RMS super-user privileges
− Only decrypts once per forest, on the first Hub, to improve performance
− Option to NDR messages that cannot be decrypted

• Encryption Agent
− Re-encrypts messages, message forks and NDRs with original Publishing License

Page 75: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Journal Report Decryption

Server Decryption agent:
• Attaches clear-text copies of RMS protected messages and attachments to journal mailbox
• Requires super-user privileges, off by default
• Stamps x-Org header to prevent future decrypt attempts

Diagram component: Archive/Journal

Page 76: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

How does it work? Transport Decryption

1. Mail marked for protection or an already protected mail item.

2. On first use, Exchange does an SCP lookup for the RMS server.

3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used. The RAC is a super-user RAC.

Agent pipeline shown in the diagram: Decryption, Encryption, Transport Rules, Journaling, Forefront Security for Exchange, 3rd Party Agents

4. Incoming IRM mail is decrypted so all agents have access to the decrypted content.

5. At the end of the agent pipeline the message is re-encrypted, including any changes made by agents.

6. Processed message is sent to next hop or delivered to the recipient.

Diagram components: Hub Transport, AD DS, AD DS RMS
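
The decryption behaviour described in the Transport Pipeline Decryption and Journal Report Decryption slides is controlled through the organization's IRM configuration. This is an added example, not part of the original deck; the sender address is a constructed placeholder, and both features depend on Exchange having AD RMS super-user privileges, as the slides state.

```powershell
# Added example (not from the deck). The sender address is a constructed placeholder.
# Run in the Exchange Management Shell.

# Record the current IRM settings before changing anything.
Get-IRMConfiguration |
    Format-List InternalLicensingEnabled, TransportDecryptionSetting,
                JournalReportDecryptionEnabled, ClientAccessServerEnabled, SearchEnabled

# Transport pipeline decryption:
#   Disabled  - transport agents never see the clear text of IRM-protected mail
#   Optional  - decrypt when possible; the message is still delivered if decryption fails,
#               so antivirus and transport rules may not have inspected it
#   Mandatory - a message that cannot be decrypted is rejected with an NDR
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# Journal report decryption attaches a clear-text copy to the journal report.
# Enable it only when the journal mailbox or archive is protected accordingly.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# Exchange 2010 SP1 and later: check RMS connectivity, licensing and
# decryption for a given sender.
Test-IRMConfiguration -Sender 'user@contoso.com'
```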

Page 77: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Journal Report Decryption


Page 79: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

Securely Communicate With Partners

Available in SP1

Customers can communicate using RMS between organizations by deploying ADFS and setting up trusts

ADFS requires a separate trust between each partner

ADFS isn’t supported by Exchange

In Exchange 2010, customers can federate with the Microsoft Federation Gateway instead of each partner

A single federation point replaces individual trusts

Allows Exchange to act on-behalf-of users for decryption

Page 80: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

Page 81: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

1. Organizations federate Exchange and RMS with the Microsoft Federation Gateway

Diagram labels: contoso.com, Exchange 2010, AD DS RMS 2008, fabrikam.com, Exchange 2010, Microsoft Federation Gateway

Diagram callout (shown twice): Create a federated trust with Microsoft Federation Gateway using wizard

Page 82: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

1. Organizations federate Exchange and RMS with the Microsoft Federation Gateway

2. User in Contoso sends an RMS protected message to a recipient in Fabrikam

Diagram labels: contoso.com, Exchange 2010, AD DS RMS 2008, fabrikam.com, Exchange 2010, Microsoft Federation Gateway

Diagram callout: Message is protected against Contoso AD DS RMS server

Page 83: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

1. Organizations federate Exchange and RMS with the Microsoft Federation Gateway

2. User in Contoso sends an RMS protected message to a recipient in Fabrikam

3. Fabrikam’s Exchange server requests a delegation SAML token from Federation Gateway for Contoso’s RMS server

Diagram labels: contoso.com, Exchange 2010, AD DS RMS 2008, fabrikam.com, Exchange 2010, Microsoft Federation Gateway

Diagram callouts:
− Fabrikam requests a delegation SAML token from the Federation Gateway
− Delegation SAML token is used to authenticate on-behalf-of the recipient to Northwind Traders’s RMS server

Page 84: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

1. Organizations federate Exchange and RMS with the Microsoft Federation Gateway

2. User in Contoso sends an RMS protected message to a recipient in Fabrikam

3. Fabrikam’s Exchange server requests a delegation SAML token from Federation Gateway for Contoso’s RMS server

4. Contoso returns license to Fabrikam to decrypt mail in OWA for recipient

Diagram labels: contoso.com, Exchange 2010, AD DS RMS 2008, fabrikam.com, Exchange 2010, Microsoft Federation Gateway

Diagram callouts:
− Contoso validates the signature on the delegation SAML token and ensures that the recipient has rights to the message
− Northwind Traders returns a license to Fabrikam which can be used to decrypt the message in OWA and enforce rights

Page 85: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Business to Business RMS

Securely Communicate With Partners

Senders can control how their data is accessed by 3rd parties

By using federation, RMS can allow organizations and applications to access data on-behalf-of individuals

They can specify whether recipient organizations can archive e-mails in the clear

RMS administrator can control which 3rd parties can access data using federated authentication (allow/block list)

Recipient organization can decrypt RMS protected messages for OWA, Journal Report Decryption, and Transport Pipeline decryption

Page 86: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Dependencies

• Exchange 2010
− Supported on Windows Server® 2008 SP2 and R2

• RMS integration features require:
− RMS on Windows Server 2008 SP2
− RMS on Windows Server 2008 R2

• B2B RMS requires:
− Windows Server 2008 R2 RMS
− Exchange 2010 SP1

Page 87: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Improvements in SP1

• WebReady Document Viewing of IRM-protected attachments in OWA
− View IRM-protected attachments without having to download them. Preview IRM-protected documents on computers that don't have Microsoft Office installed. Along with the cross-browser and cross-platform support in Outlook Web App, this functionality extends the reach of IRM to various browsers and operating systems

• IRM Logging
− Enable logging of IRM features on the Mailbox, Hub Transport, Client Access, and Unified Messaging server roles. IRM logs contain detailed transaction and error information, allowing administrators to easily monitor and troubleshoot IRM features

Page 88: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Improvements in SP1

• IRM in Exchange ActiveSync
− IRM in Exchange ActiveSync allows users with supported devices to access IRM-protected messages without first having to activate the device for IRM by tethering the device to a computer – IRM available for all supported EAS devices

• Cross-organization support
− IRM features supported in cross-organization topologies for easier collaboration between two organizations via OWA

Page 89: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

End of Exchange 2010 Transport, Routing, and IPC Module

Page 90: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

Architectural Design Session

Design Session

Page 91: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

For More Information

• Links to follow…

Page 92: Exchange Deployment Planning Services Exchange Server 2010 Transport, Routing, and IPC

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.