Exchange Deployment Planning Services
Exchange Server 2010 Transport, Routing, and IPC
Exchange 2010 Transport, Routing, and IPC Goals
The Exchange 2010 Transport and Routing module has the following goals:
• Understanding the Hub Transport role
• Identify information protection requirements
• High level transport design and recommendations
Exchange 2010 Transport, Routing, and IPC Audience
Ideal audience for this workshop:
• Messaging SME
• Networking SME
• Security SME
Exchange 2010 Transport, Routing, and IPC
In this module focus on the following:
• Transport and routing
− Exchange Server 2010 transport key design goals
− Capacity planning
− High availability and reliability
− Instrumentation and reporting
− Transport interoperability
− Edge
• Information Leakage Protection and Control (IPC)
− Transport content protection
− Confidential communications
Exchange 2010 Transport, Routing, and IPC
After this module you should have:
• Basic planning knowledge for Exchange 2010
• Basic understanding of Exchange 2010 hub transport and routing
Exchange Server 2010 Transport Key Design Goals
• Lowering costs
• Increased availability
• Better administrative control
• Operational excellence
Lowering Cost With Exchange Server 2010 Transport
40% of TCO is attributed to CapEx and 60% is attributed to OpEx**
• Lowering capital expenditure (CapEx)
− Reduction in IOPS/msg through performance improvements reduces number of servers required in deployment
− Enable non-redundant storage (RAID0) configurations without increased risk of data loss
• Lowering operations expenditure (OpEx)
− Smaller server footprint, less power and A/C
− “Disposable state” enables simple recovery actions (restart process, restart server, rebuild database, reimage server)
− Key Health Indicators (KHI) provide notification when system needs attention
Capacity Planning Transport Performance - Improvements
• mail.que database improvements
− Increased Extensible Storage Engine (ESE) page size to 32 KB
− ESE Database (DB) page compression
− ESE version store maintenance
− Better use of intrinsic low voltage storage
− Increase DB cache size and checkpoint depth
• Decrease transport dumpster size through truncation feedback to improve cache efficiency
• Result: More than 50% reduction in IOPS (hub)
Capacity Planning Transport Performance
[Chart: Reducing Version Bucket Resource Pressure. Version Buckets (0 to 500) plotted against Message Size (10 MB, 30 MB, 90 MB, 150 MB, 200 MB, 370 MB) for E2007 and E2010, with reference lines at VersionBucketsHighThreshold (200) and VersionBucketsMediumThreshold (120)]
High Availability and Reliability
• Overview
• Stateless Hub Transport
• Automated server recovery
• Transport dumpster
• Message Throttling
Stateless Hub Transport - Transport Redundancy, Overview
Goals
− Increased reliability without increased hardware costs
− Enabled by default
− Shadow redundancy similar to transport dumpster
− Data retained on previous hop until delivered
− When failure in next hop detected, previous hop resubmits
− SMTP extensions used (create little overhead)
− Elimination of RAID overhead
− 50% IOPS reduction for 80% write I/Os
How Does Transport Redundancy Work? (1)
[Diagram: Hub sends to Edge1 (1); Edge1 delivers to Foreign MTA (2); Edge2 is available as an alternate next hop]
1. Hub (shadow) delivers message to Edge1 (primary)
− Detects that Edge1 supports transport redundancy through XSHADOW verb
− Hub moves message to shadow queue and stamps Edge1 as current, primary owner
2. Edge1 (primary) receives message (becomes “primary owner”)
− Edge1 delivers message to next hop
− Edge1 updates discard status of the message indicating delivery complete to foreign MTA
How Does Transport Redundancy Work? (2)
[Diagram: Hub, Edge1, Foreign MTA and Edge2, as in (1)]
3. Success: Hub (shadow) queries Edge1 (primary) for expiry status
− Hub issues XQDISCARD command (next SMTP session)
− Edge1 checks local discard status and responds with list of messages considered delivered
− Hub deletes messages from its shadow queue
4. Failure: Hub (shadow) queries Edge1 (primary) discard status and resubmits
− Hub opens SMTP session, issues XQDISCARD command (heartbeat)
− If Hub can’t contact Edge1 within timeout, resubmits messages in shadow queue
− Resubmitted messages are delivered to Edge2 (go to #1)
Shadow Redundancy in Action
ehlo hub1.contoso.com
250-hub2.contoso.com Hello [192.168.1.102],
250-Size
250-Pipelining
...
250-XSHADOW
...
XSHADOW 2oXJTlaork+WHKoTaVBg5g==
250 tFNe8ke2k0mWPKAuQLsFHQ==
...
MAIL FROM:<[email protected]> SIZE=6004 XSHADOW=43d35a45-69ba-4838-95a4-1c05e83b5e1a
...
XQDISCARD 50
251 OK, no discard events
...
XQDISCARD 50
250 43d35a45-69ba-4838-95a4-1c05e83b5e1a
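The four steps above and the session transcript can be played through end to end. The following is an added example written for this page, not Exchange code: the XSHADOW and XQDISCARD verbs are modelled as method calls rather than a real SMTP session, and the server names, message ids and timings are constructed. It shows the shadow queue being pruned on a discard event and a resubmission to the alternate Edge once the heartbeat retries and timeout (the ShadowHeartbeatRetryCount and ShadowHeartbeatTimeoutInterval defaults shown later on this page) are both exhausted.

```python
"""Shadow redundancy between a previous hop (shadow) and next hop (primary).

Added example, not Exchange code. The shadow keeps a copy of every message
it hands to a primary that advertised XSHADOW, prunes copies the primary
reports as delivered in reply to XQDISCARD, and resubmits the rest to an
alternate primary when heartbeats fail past the timeout. Names, ids and
times are constructed; the SMTP verbs are modelled as method calls.
"""
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 300    # seconds; mirrors ShadowHeartbeatTimeoutInterval 00:05:00
HEARTBEAT_RETRY_COUNT = 3  # mirrors ShadowHeartbeatRetryCount 3


@dataclass
class PrimaryServer:
    """Next hop (e.g. Edge1). Queues messages and records discard events."""
    name: str
    supports_xshadow: bool = True
    alive: bool = True
    queue: dict = field(default_factory=dict)           # msg_id -> payload
    discard_events: list = field(default_factory=list)  # ids delivered onward

    def receive(self, msg_id, payload):
        if not self.alive:
            raise ConnectionError(f"{self.name} unreachable")
        self.queue[msg_id] = payload

    def deliver_to_next_hop(self, msg_id):
        """Delivery to the foreign MTA succeeded: update discard status."""
        self.queue.pop(msg_id)
        self.discard_events.append(msg_id)

    def xqdiscard(self, limit):
        """Answer XQDISCARD <limit>: hand back (and forget) discard events."""
        if not self.alive:
            raise ConnectionError(f"{self.name} unreachable")
        out, self.discard_events = self.discard_events[:limit], self.discard_events[limit:]
        return out


@dataclass
class ShadowServer:
    """Previous hop (e.g. Hub). Owns the shadow queue."""
    name: str
    shadow_queue: dict = field(default_factory=dict)       # msg_id -> (payload, owner)
    last_contact: dict = field(default_factory=dict)       # owner -> seconds
    failed_heartbeats: dict = field(default_factory=dict)  # owner -> count

    def send(self, primary, msg_id, payload, now):
        primary.receive(msg_id, payload)
        self.last_contact[primary.name] = now
        self.failed_heartbeats[primary.name] = 0
        if primary.supports_xshadow:
            # Primary accepted XSHADOW: keep a copy stamped with the current owner.
            self.shadow_queue[msg_id] = (payload, primary.name)

    def heartbeat(self, primary, now, limit=50):
        """Issue XQDISCARD; drop confirmed copies, or count a failed heartbeat."""
        try:
            delivered = primary.xqdiscard(limit)
        except ConnectionError:
            self.failed_heartbeats[primary.name] = self.failed_heartbeats.get(primary.name, 0) + 1
            return []
        self.last_contact[primary.name] = now
        self.failed_heartbeats[primary.name] = 0
        for msg_id in delivered:
            self.shadow_queue.pop(msg_id, None)
        return delivered

    def resubmit_if_timed_out(self, primary, alternate, now):
        """Primary silent past the timeout: resubmit its shadow copies to alternate."""
        silent_for = now - self.last_contact.get(primary.name, now)
        if silent_for <= HEARTBEAT_TIMEOUT or self.failed_heartbeats.get(primary.name, 0) < HEARTBEAT_RETRY_COUNT:
            return []
        moved = [m for m, (_, owner) in self.shadow_queue.items() if owner == primary.name]
        for msg_id in moved:
            payload, _ = self.shadow_queue[msg_id]
            self.send(alternate, msg_id, payload, now)  # alternate becomes the owner (back to step 1)
        return moved


def scenario():
    """Two messages to edge1; one delivered, then edge1 dies and m2 is resubmitted to edge2."""
    hub, edge1, edge2 = ShadowServer("hub1"), PrimaryServer("edge1"), PrimaryServer("edge2")
    hub.send(edge1, "m1", "invoice", now=0)
    hub.send(edge1, "m2", "report", now=0)
    edge1.deliver_to_next_hop("m1")            # only m1 reaches the foreign MTA
    confirmed = hub.heartbeat(edge1, now=60)   # XQDISCARD -> ["m1"]; its shadow copy is dropped
    edge1.alive = False                        # edge1 fails with m2 still queued
    for t in (120, 180, 240):                  # three heartbeats go unanswered
        hub.heartbeat(edge1, now=t)
    moved = hub.resubmit_if_timed_out(edge1, edge2, now=400)  # silent for 340 s > 300 s
    return {"confirmed": confirmed, "resubmitted": moved,
            "owner_of_m2": hub.shadow_queue["m2"][1], "edge2_queue": sorted(edge2.queue)}
```

The point to notice is that the shadow copy of m2 survives the loss of edge1 without any disk redundancy on edge1 itself, and that a primary which never advertises XSHADOW (a legacy or foreign MTA) gets no shadow copy at all, which is the case the "Other Scenarios" slide covers with delayed acknowledgement instead.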
Other Scenarios
• Delayed acknowledgement after end of data
− SMTP submission from Exchange Server 2003/2007, 3rd party MTA / MUA, UM, POP, and IMAP
− 250 response delayed up to 30 seconds (default)
− If transport server fails before ack, client resubmits
• Mailbox Submission redundancy relies on copy of message in sender’s “Sent Items” folder
− Mail Submission Service resubmits copy when hub doesn’t acknowledge successful delivery of message
• System generated messages (Journal Report, NDR) are considered “side effects” of original message submission, tracked as part of original delivery status
Shadow Redundancy Configuration
Global Shadow Redundancy Configuration:
[PS] D:\>get-TransportConfig | FL Shadow*

ShadowRedundancyEnabled          : True
ShadowHeartbeatTimeoutInterval   : 00:05:00
ShadowHeartbeatRetryCount        : 3
ShadowMessageAutoDiscardInterval : 2.00:00:00

Delayed Acknowledgement Timer Configuration:
[PS] D:\>get-receiveconnector | ft server,name,MaxAcknowledgementDelay -a

Server      Name                MaxAcknowledgementDelay
------      ----                -----------------------
HP64PIZZA50 Default HP64PIZZA50 00:00:30
HP64PIZZA50 Client HP64PIZZA50  00:00:30

Delayed Acknowledgement is disabled on a receive connector by setting MaxAcknowledgementDelay to 00:00:00
Shadow Redundancy Queue
Automated Service Recovery
• Exchange Server 2007 memory resource pressure results in decreased service availability
− Exchange 2010 implemented signal to generate Dr. Watson report (determine cause of failure) and restarts
− Exchange 2010 Alert can send to System Center to further analyze resource pressure
• Exchange Server 2007 queue database corruption results in downtime until administrator can perform manual recovery
− With Exchange 2010, transport will detect queue database corruption, move/delete DB, and continue operation
− Shadow redundancy provides data resiliency
Transport Dumpster 2007 - Issues with Exchange 2007
• Up to 200% increase in IOPS/msg on hub transport role when using transport dumpster in Active Directory® Domain Services (AD DS) site with many storage groups
− 18 MB quota per storage group using CCR results in inefficient JET database cache
• Redelivery request from mailbox role after lossy failover results in resubmission of entire quota
− Analysis has shown that most are detected as duplicates unless significant log replication lag exists
• Cannot recover data that exceeds dumpster quota (default 18 MB) regardless of how many logs lost in DB failover
− Increased quota results in decreased cache efficiency
Transport Dumpster 2010 - Improvements
• Eliminate extra IOPS due to transport dumpster
• Database replication feedback from mailbox role allows dumpster truncation on hub role
− LastLogInspected time for each database copy retrieved from active manager at regular interval
− Timestamp of “worst” database copy in DAG used as the dumpster watermark for each database
− Items older than dumpster watermark are removed based on scheduled feedback
• Content of transport dumpster queue based on log replication latency and frequency of feedback
− Still does not exceed the “configured size”
• Redelivery requests result in resubmission of messages newer than dumpster watermark
• Redelivery requests to Hub servers in all AD DS sites
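The watermark logic on this slide, as an added example (not Exchange code): the oldest LastLogInspected across a database's copies becomes the watermark, truncation keeps only items newer than it, and a redelivery request resubmits exactly those items. Copy names, timestamps and item sizes are constructed; trimming from the oldest end when the quota is still exceeded is this example's own assumption, since the slide only says the configured size is never exceeded.

```python
"""Transport dumpster truncation from replication feedback (added example, not Exchange code).

For each database the hub collects LastLogInspected for every copy in the DAG,
takes the oldest ("worst") copy's timestamp as the watermark, and removes
dumpster items older than it; a redelivery request after a lossy failover
resubmits only the items newer than the watermark. Copy names, timestamps
and sizes below are constructed.
"""
from datetime import datetime, timedelta

DEFAULT_QUOTA = 18 * 1024 * 1024  # 18 MB default quota named on the slides


def watermark_for(copy_status):
    """copy_status: {copy name: LastLogInspected}. The lagging copy sets the watermark."""
    return min(copy_status.values())


def truncate_dumpster(dumpster, copy_status, quota=DEFAULT_QUOTA):
    """Keep items delivered after the watermark; trim oldest first if still over quota.

    dumpster: list of (delivered_at, size_bytes, message_id), oldest first.
    Trimming from the oldest end when over quota is this example's assumption.
    """
    wm = watermark_for(copy_status)
    kept = [item for item in dumpster if item[0] > wm]
    while kept and sum(size for _, size, _ in kept) > quota:
        kept.pop(0)
    return kept


def redelivery_request(dumpster, copy_status):
    """Message ids a failed-over copy may lack: everything newer than the watermark."""
    wm = watermark_for(copy_status)
    return [msg_id for delivered_at, _, msg_id in dumpster if delivered_at > wm]


def scenario():
    t0 = datetime(2008, 6, 16, 23, 0, 0)
    # The copy on SRV2 has inspected logs only up to 23:02; SRV1 is current to 23:06.
    copies = {"DB1\\SRV1": t0 + timedelta(minutes=6), "DB1\\SRV2": t0 + timedelta(minutes=2)}
    dumpster = [
        (t0 + timedelta(minutes=1), 900, "m1"),
        (t0 + timedelta(minutes=3), 1200, "m2"),
        (t0 + timedelta(minutes=5), 700, "m3"),
        (t0 + timedelta(minutes=7), 500, "m4"),
    ]
    kept = truncate_dumpster(dumpster, copies)
    caught_up = {name: t0 + timedelta(minutes=10) for name in copies}   # next feedback: SRV2 caught up
    return {
        "watermark": watermark_for(copies),
        "kept": [m for _, _, m in kept],
        "resubmit_on_failover": redelivery_request(kept, copies),
        "kept_after_catch_up": [m for _, _, m in truncate_dumpster(kept, caught_up)],
        "kept_under_small_quota": [m for _, _, m in truncate_dumpster(dumpster, copies, quota=1500)],
    }
```

Because the lagging copy sets the watermark, one copy with a long replication lag keeps every newer item in the dumpster (up to the quota); this is the "content based on log replication latency" point from the slide, and the reason a stuck copy shows up as dumpster growth in Get-DatabaseCopyStatus -DumpsterStatistics.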
Transport Dumpster Statistics
[PS] D:\>get-date; Get-MailboxServer | foreach {Get-DatabaseCopyStatus -MailboxServer $_.Identity -DumpsterStatistics | ? {$_.SummaryCopyStatus -ne 'Mounted'}} | foreach {$_.DumpsterStatistics}

Monday, June 16, 2008 11:07:02 PM

Server        : HP64PIZZA50
OldestItem    : 6/16/2008 11:06:11 PM
QueueSize     : 3645
NumberOfItems : 63

Server        : HP64PIZZA50
OldestItem    : 6/16/2008 11:06:14 PM
QueueSize     : 827
NumberOfItems : 43

How many items are in the dumpster for each database? How much space is the dumpster consuming for each database?
Message Throttling
• Throttling of MAPI and SMTP client submissions
− Prevent mail storms due to accidental misuse, misbehaving software and malware
• Manage using *-ThrottlingPolicy cmdlets
− Throttling policies are applied per-user
− Transport settings in Default Throttling policy are disabled by default
• MessageRateLimit throttles rate of message submission from authenticated user or anonymous IP address
− Evaluated per-server over 1 minute period
− SMTP returns transient errors when rate exceeded
− Mail Submission Service defers messages in outbox once rate has been exceeded, retries submission periodically
• RecipientRateLimit throttles number of messages submitted
− Evaluated over 24 hour period
− Error returned to client for all submission attempts once quota exceeded
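The two limits behave differently for the client, and the difference is easiest to see by running both through a small model. This is an added example, not Exchange code: the throttle keys, limits, timings and SMTP reply strings are constructed, and RecipientRateLimit is modelled as a 24-hour budget of recipients, which is what the Exchange parameter counts.

```python
"""Per-sender submission throttling as on the slides (added example, not Exchange code).

MessageRateLimit: messages per sliding 1-minute window, evaluated per server;
exceeded -> transient error (SMTP 4xx; the Mail Submission Service defers and
retries). RecipientRateLimit: modelled as a 24-hour recipient budget;
exceeded -> every further submission is rejected until the window moves on.
Keys, limits and the reply strings are constructed for the example.
"""
from collections import defaultdict, deque


class SubmissionThrottle:
    def __init__(self, message_rate_limit, recipient_rate_limit):
        self.message_rate_limit = message_rate_limit
        self.recipient_rate_limit = recipient_rate_limit
        self._log = defaultdict(deque)  # key -> deque of (time_seconds, recipient_count)

    def submit(self, key, recipient_count, now):
        """key: authenticated user, or client IP for anonymous SMTP. Returns (accepted, reply)."""
        log = self._log[key]
        while log and log[0][0] <= now - 24 * 3600:   # forget entries outside the 24 h window
            log.popleft()
        recipients_in_window = sum(n for _, n in log)
        if recipients_in_window + recipient_count > self.recipient_rate_limit:
            return False, "550 5.7.1 Recipient rate limit exceeded"   # hard: all attempts fail
        messages_last_minute = sum(1 for t, _ in log if t > now - 60)
        if messages_last_minute >= self.message_rate_limit:
            return False, "452 4.3.1 Message rate limit exceeded, try again later"  # transient
        log.append((now, recipient_count))
        return True, "250 2.0.0 OK"


def drain_outbox(throttle, key, outbox, start, retry_interval=30):
    """Mail Submission Service behaviour: on a transient error the message stays in
    the outbox and is retried every retry_interval seconds; a hard error gives up.
    Returns the submission time of each outbox entry, or None when rejected."""
    sent, now = [], start
    for recipient_count in outbox:
        while True:
            accepted, reply = throttle.submit(key, recipient_count, now)
            if accepted:
                sent.append(now)
                break
            if reply.startswith("5"):
                sent.append(None)
                break
            now += retry_interval
    return sent


def scenario():
    throttle = SubmissionThrottle(message_rate_limit=2, recipient_rate_limit=10)
    # Four messages of three recipients each from one user, all ready at t=0.
    times = drain_outbox(throttle, "alice@contoso.com", [3, 3, 3, 3], start=0)
    # An anonymous client IP is throttled independently of the user above.
    anon_ok, _ = throttle.submit("192.0.2.10", 1, now=0)
    return {"times": times, "anon_ok": anon_ok}
```

In the scenario the third message is deferred twice and accepted once the minute rolls over, while the fourth is refused outright because the recipient budget is spent; a mail storm from a compromised account or runaway script therefore degrades into slow delivery first and a hard stop second, without affecting other senders on the same server.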
Instrumentation and Reporting
• Key Health Indicators
• SLA instrumentation
− Measuring delivery latency
− End-to-end latency
− Server component latency
− Historical reporting and trends
− Transport scorecard
− Transport dashboard
Key Health Indicators
• Exchange Server 2007 Health
− Service availability: measurement of process uptime
− Error events: large number of error conditions that may cause service disruption if left undetected
• Exchange 2010 KHIs used to determine when user experience impacted:
− Delivery Latency to determine if delivered messages are meeting SLA objectives
− Submission Availability to determine if server is available to accept new messages
− DSN Generation to determine if server is failing to deliver messages
− Delivery Completion to determine if server is unable to complete delivery
Measuring Delivery Latency - SLA
• Measures latency of every component involved with delivering message end-to-end
• Intra-organizational delivery latency is measured from point of entry into organization to mailbox delivery or transfer to external mail system
• Servers in route between org entry and exit contribute to the end-to-end latency
• Components on each server contribute to the latency on each server
• Reporting through message tracking log and PerfMon instrumentation
Measuring Delivery Latency - Process
• First Exchange 2010 server (H1) loops over Received headers for InternalSMTPServers (H1 -> P2 -> P1):
− Add Latency header for P2’s and P1’s Received headers
− Add OriginalArrivalTime header for P1
− Add InProgress header for H1
• Subsequent server (H3) loops over Received headers until it reaches the previous Exchange 2010 server (H3 -> H2 -> H1):
− Add Latency header for H2’s Received header
− Convert H1’s InProgress header to Latency header
− Add InProgress header for H3
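The two-step stamping process above, carried through on the hop chain from the message tracking slide that follows (app MTA, two 2007 hubs, three 2010 servers, about 34 seconds end to end). This is an added example, not Exchange code: the Latency, OriginalArrivalTime and InProgress headers are modelled as dict keys rather than the real X-MS-Exchange header names, and the server names and timestamps (in seconds) are constructed.

```python
"""Delivery-latency stamping over Received headers (added example, not Exchange code).

Follows the two-step process on the slides: the first Exchange 2010 server walks
earlier Received headers of InternalSMTPServers, stamps a Latency entry per hop,
records OriginalArrivalTime and marks itself InProgress; a later 2010 server walks
back only to the previous InProgress marker and converts it into a Latency entry.
Header names are modelled as dict keys, not the real X-MS-Exchange headers;
servers and times (seconds) are constructed.
"""


def new_message(received):
    """received: earlier hops, newest first, as (server, seconds) pairs."""
    return {"Received": list(received), "Latency": [], "OriginalArrivalTime": None, "InProgress": None}


def on_receive(msg, server, now, internal_servers):
    """Run by an Exchange 2010 server when it accepts the message at time `now`."""
    msg["Received"].insert(0, (server, now))
    rec = msg["Received"]
    earliest = now                       # time the message entered the organization
    previous_2010 = msg["InProgress"][0] if msg["InProgress"] else None
    for i in range(1, len(rec)):
        hop, t_hop = rec[i]
        if hop not in internal_servers:
            break                        # outside the organization: not measured
        # Latency of a hop = time from its Received stamp to the next hop's stamp.
        msg["Latency"].append((hop, rec[i - 1][1] - t_hop))
        earliest = t_hop
        if hop == previous_2010:
            break                        # that server already stamped everything before it
    if msg["OriginalArrivalTime"] is None:
        msg["OriginalArrivalTime"] = earliest
    msg["InProgress"] = (server, now)    # converted to a Latency entry by the next 2010 hop
    return msg


def component_report(msg, delivered_at):
    """Per-server latencies, oldest hop first, like ConvertTo-MessageLatency output."""
    latency = dict(msg["Latency"])
    if msg["InProgress"]:
        server, started = msg["InProgress"]
        latency[server] = delivered_at - started          # final server: until delivery
    return [(server, latency[server]) for server, _ in reversed(msg["Received"]) if server in latency]


def end_to_end(msg, delivered_at):
    return delivered_at - msg["OriginalArrivalTime"]


def scenario():
    """Chain from the tracking-log slide: app MTA -> two 2007 hubs -> three 2010 servers."""
    internal = {"app-mta", "ex2007-a", "ex2007-b", "h1", "h2", "h3"}
    msg = new_message([("ex2007-b", 26), ("ex2007-a", 3), ("app-mta", 0)])   # pre-2010 hops
    on_receive(msg, "h1", 34, internal)
    on_receive(msg, "h2", 34, internal)
    on_receive(msg, "h3", 34, internal)
    return {"report": component_report(msg, 34), "total": end_to_end(msg, 34)}
```

Two consequences worth checking in a real deployment: a hop not listed in InternalSMTPServers stops the walk, so the latency before it is invisible and OriginalArrivalTime moves forward to the first trusted server; and the previous-hop latencies are only as trustworthy as the Received headers those hops wrote, which is why the walk never crosses the organization boundary.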
Measuring Delivery Latency - Message Tracking Log
[PS] C:\>get-messagetrackinglog -server:df-mlt-01 -messageid:"<[email protected]>" | ConvertTo-MessageLatency.ps1 | FT -a ComponentServerFqdn,ComponentCode,ComponentName,ComponentLatency

ComponentServerFqdn                       ComponentCode ComponentName        ComponentLatency
-------------------                       ------------- -------------        ----------------
msw-sfw-r03.redmond.corp.microsoft.com    TOTAL         Total Server Latency 00:00:03
tk5-exsmh-c102.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:23
tk5-exhub-c103.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:08
TK5EX14MLTC101.redmond.corp.microsoft.com TOTAL         Total Server Latency 00:00:00
df-h14-01.exchange.corp.microsoft.com     TOTAL         Total Server Latency 00:00:00
DF-MLT-01.exchange.corp.microsoft.com     TOTAL         Total Server Latency 00:00:00

Hop 1: 3rd Party Application MTA (Previous Hop Latency)
Hops 2,3: Exchange Server 2007 (Previous Hop Latency)
Hops 4,5,6: Exchange Server 2010 (Latency Tracker)
End-to-End Delivery Latency of ~34 seconds
Server Component Latency - Message Tracking Log
[PS] D:\>get-messagetrackinglog -server:fesmoke2 -eventid:deliver | where {$_.MessageLatencyType -eq "EndtoEnd" -and $_.MessageLatency.TotalSeconds -gt 20} | convertTo-messageLatency | where {$_.Latency -gt "00:00:20" -and $_.ComponentCode -notlike "total"}

InternalMessageId  : 1
MessageId          : <f8bee984-LB18.BXWLWF-dom.com>
MessageLatency     : 00:00:25.7500000
MessageLatencyType : EndToEnd
ServerFqdn         : 3859R7-LB18.BXWLWF-dom.extest.microsoft.com
ComponentCode      : SMR
ComponentName      : SMTP Receive
Latency            : 00:00:22

InternalMessageId  : 3
MessageId          : <32623cfb-LB18.BXWLWF-dom.com>
MessageLatency     : 00:00:26.6180000
MessageLatencyType : EndToEnd
ServerFqdn         : 3859R7-LB18.BXWLWF-dom.extest.microsoft.com
ComponentCode      : SMR
ComponentName      : SMTP Receive
Latency            : 00:00:24

Why did messages take longer than 20 seconds to deliver end to end?
Server Component Latency - PerfMon Object
Measuring Transport Service Levels
• Server statistics log, containing traffic summary:
ServerStatisticsLogMaxAge           : 30.00:00:00
ServerStatisticsLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ServerStatisticsLogMaxFileSize      : 10 MB (10,485,760 bytes)
ServerStatisticsLogPath             : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ServerStats
• Active user statistics log, containing summary of user usage:
ActiveUserStatisticsLogMaxAge           : 30.00:00:00
ActiveUserStatisticsLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ActiveUserStatisticsLogMaxFileSize      : 10 MB (10,485,760 bytes)
ActiveUserStatisticsLogPath             : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ActiveUsersStats
Transport Statistics (1)
Transport Statistics (2)
Transport Interoperability
• Routing version boundary change:
− Exchange 2010 Mailbox servers can only submit to Exchange 2010 Hub Transport servers
− Exchange 2010 Hub Transport servers can only deliver to Exchange 2010 Mailbox servers
− Exchange Server 2007 Mailbox servers can only submit to Exchange Server 2007 Hub Transport servers
− Exchange Server 2007 Hub Transport servers can only deliver to Exchange Server 2007 Mailbox servers
• Exchange 2010 Hub Transport servers can communicate with Exchange Server 2007 Hub Transport servers via SMTP (and vice versa)
• Inter-site routing has no version preference
− Hub role will load-balance inter-site traffic to all hubs in target site
• Subscribed Edge servers:
− Have no version preference when routing inbound/outbound traffic
− Exchange 2010 Hub Transport will become authoritative for EdgeSync
Transport Roles - Edge Transport Improvements
• Better performance for EdgeSync via Deltasync mode
− Under this mode, each time the EdgeSync service only reads the delta change since last sync and updates the target accordingly
• Support for safe senders and blocked senders
− Configurable Safe List quotas
− Administrator defined blocked senders
− Automatic update of Safe Sender list propagation into Active Directory
Transport Roles - Edge Transport Improvements
• Exchange 2010 builds upon the success of Safe Senders by providing positive differentiation of Safe Recipients.
• Users’ blocked senders are stored as part of their junk e-mail rule in the mailbox.
• Users’ blocked senders are respected on Edge as follows:
− Junk E-mail Options Assistant propagates blocked senders lists from mailboxes to AD DS
− EdgeSync pushes blocked senders from AD to AD LDS on Edges
− On Edge, the Sender Filtering agent blocks mail from blocked senders
Edge - Faster sync of safe/blocked senders
[Diagram: Mailbox Server -> Active Directory -> Hub Server -> Edge Server]
− E2007 (Safe Senders only): full AD sync to Edge = up to 4 hours; manual upload = up to 4 hours
− E2010 (Safe Senders + Blocked Senders): auto upload = 30 seconds; EdgeSync = 30 seconds
Both Safe Sender and Blocked Sender lists now synced to the Edge in seconds
Edge
• Enhanced EdgeSync Configuration and Troubleshooting
− Exposed configuration settings to PowerShell
− Added new log file to track EdgeSync activity
Further Transport Improvements
• Exchange 2010 allows TLS to be disabled for wide-area network (WAN) accelerators
− For use in geographically dispersed locations
− Routing topology must be considered
− Use -UseDownGradedExchangeServerAuth setting on Hub Server Role
• Journaling improvements
− Reconciliation with Long Term Archive verifying that journal messages have been received/processed by offsite archiving vendors
− Identify BCC recipients in journal reports, distinguish recipient type to identify BCC recipients
− Improvements for archiving messages that resulted in NDR
− Allow voice mail to be journaled
SMTP Failover and Load Balancing Improvements
• Enhanced DNS is used to evenly load balance when all servers are healthy, but things become uneven when a server is unhealthy
• SP1 introduces new behavior that detects and tracks unhealthy servers
− For example, Hub1 needs to route several messages to another site which contains Hub2, Hub3, and Hub4. If Hub1 knows that Hub3 is unavailable, it'll remove that server from the list of possible targets and only route to Hub2 and Hub4, evenly load balancing across them
Improvements in SP1
• MailTips
− Control the types of MailTips that are shared and even designate a specific group of users for which to return MailTips
− New capabilities include changes to event log entries, alerts, and performance monitor counters
Improvements in SP1
• Message Tracking
− Improved error messages for delivery reports for situations where a user attempts to access delivery reports for a specific message but is unable to view the report (e.g., immediately after sending it, but before the tracking information is inserted into the logs). Messages displayed to the users have been greatly improved, providing explanations as to why the information isn't available
− New event log entries, alerts, and performance monitor counters
− You can now request complete logs of every operation that was executed by a Client Access server processing a delivery report request
Improvements in SP1
• Throttling Enhancements
− Transport servers now maintain a running average delivery cost of messages sent by individual senders. If a user keeps sending costly messages (e.g., those addressed to large audiences or with large attachments), Transport servers start to give priority to other messages with lower cost before processing messages from that sender. For example, if a user is sending multiple messages with 10MB attachments, Transport will start processing other messages without attachments first before handling further messages from this particular sender.
− Transport also keeps track of the RPC utilization of Mailbox servers. If a Hub Transport server detects that a Mailbox server is under RPC resource pressure, it'll scale back the RPC sessions it opens to that Mailbox server. This way, interactive client connections to the Mailbox server take precedence over message delivery when it comes to utilizing RPC resources on a Mailbox server.
Improvements in SP1
• Shadow Redundancy Improvements
− To address potential timeout issues, a new feature called shadow redundancy promotion is introduced in Exchange 2010 SP1. In a scenario where Transport would previously have issued an acknowledgement without delivery confirmation, a Transport server now instead routes the message to any other Transport server within the site so that the message is protected by shadow redundancy
Improvements in SP1
• Send Connectors over Reliable Connections
− Several new features were added to the Send connectors. Most changes are to support coexistence with Exchange Online
− You can have dedicated Send connectors that are responsible for transmitting messages over well-defined communication channels that are expected to always be available, such as a Send connector dedicated to send messages to Exchange Online. On such connections, many of the typical errors that are possible on ordinary destinations on the Internet aren't expected. In this scenario, you may want to treat any communication errors as transient as opposed to issuing NDRs. With SP1, you can configure a Send connector to downgrade authentication and name resolution errors, which would normally result in an NDR, to transient errors. In these cases, Exchange will attempt delivery again instead of issuing an NDR.
Information Leakage and Control
Agenda
Transport Content Protection - What’s new in Microsoft® Exchange 2010?
• Confidential communications
• Automatic content-based privacy
• Transport Pipeline decryption
• IRM in Outlook® and OWA
• Outlook Protection Rules
• B2B RMS communication
What's New?
• Exchange Server 2007 introduced
− Secure intranet e-mail by default
− Opportunistic TLS
− RMS pre-licensing
• Exchange 2010 goes beyond
− Automatic detection and protection of sensitive content using RMS
− Provides centralized control of e-mail protection
− Enable transport agents to be "RMS aware"
− Secure business communication using RMS
Information Leakage - Can Be Costly On Multiple Fronts
• Legal, regulatory and financial impacts
− Cost of digital leakage per year is measured in $Billions
− Increasing number and complexity of regulations (e.g. GLBA, SOX, CA SB 1386)
− Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
• Damage to image and credibility
− Damage to public image and credibility with customers
− Financial impact on company
− Leaked e-mails or memos can be embarrassing
• Loss of competitive advantage
− Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
− Loss of research, analytical data, and other intellectual capital
Traditional Solutions Protect Initial Access
[Diagram: a firewall perimeter and an access control list perimeter admit authorized users (Yes) and reject unauthorized users (No); once an authorized user holds the content, information leakage to unauthorized users is not stopped]
…but not ongoing usage.
Enforcement tools are required—content protection should be automated.
Message Confidentiality?
Exchange 2010 and RMS Overview
• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS
What is Rights Management Services?
• Windows platform information protection technology
• Granular protection that travels with the data
• Persistent protection
− Protects your sensitive information no matter where it goes
− Usage rights locked within the document itself
− Protects online and offline, inside, and outside of the firewall
• Granular control
− Users apply IRM protection directly within an e-mail
− Users can define who can open, modify, print, and forward an e-mail
− Organizations can create custom usage policy templates such as "Confidential—Read Only"
− Limit attachment access to only authorized users
RMS protection is applied both to the message itself and to the attachments.
Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).
Protected Content in Outlook
Automatic Content-Based Privacy - Eliminate Reliance On End-User
• Protect message in transit via Transport Rules action
• Protect messages by default at Outlook client
• Private voice message automatically protected by UM
Automatic Content-Based Privacy
Automatic content-based privacy:
• Transport Rule action to apply RMS template to e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010 (including content)
• Internet Confidential and Do Not Forward policies available out of box
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
Protection via Transport Rules
• New Transport rule action to “RMS protect”
• Transport Rules support regular expression scanning of attachments in Exchange 2010
• “Do Not Forward” policy available out of the box
• Office 2003, Office 2007, Office 2010, and XML Paper Specification (XPS) documents are supported for attachment protection
Protection via Transport Rules
Apply “Do Not Forward” or custom RMS templates
Apply RMS policies automatically using Transport Rules
How does it work? Transport Rules
[Diagram: Hub Transport, Active Directory® Domain Services (AD DS), AD DS RMS]
1. Mail marked for protection.
2. On first use, Exchange does an SCP lookup for the RMS server.
3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used.
* Super user not required.
4. Message is protected using the CLC. The owner of the message is the original sender.
5. Message is delivered to the recipient with RMS protection applied.
Outlook Protection Rules
• Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
− Rules can be mandatory or optional depending on requirements
• Rules look at the following predicates:
− Sender’s department (HR, R&D, etc.)
− Recipient’s identity (specific user or distribution list)
− Recipient’s scope (all within the organization, outside, etc.)
• Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services
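The three predicates and the mandatory/optional distinction can be expressed as a small rule evaluator. This is an added example, not Exchange or Outlook code: the rule semantics (first match in priority order wins; the in-organization scope holds only when every recipient is internal) are this example's own reading of the slide, and the departments, addresses, distribution list and template names are constructed.

```python
"""Evaluating Outlook Protection Rule predicates (added example, not Exchange or Outlook code).

A rule matches on the sender's department, the recipients' identity (user or
distribution list) and the recipients' scope; the first matching rule in
priority order names the RMS template to apply and whether the user may
override it. Rule semantics are this example's own reading of the predicates;
departments, addresses and template names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Recipient:
    address: str
    distribution_lists: frozenset = frozenset()   # DL addresses the recipient belongs to


@dataclass(frozen=True)
class ProtectionRule:
    name: str
    template: str                          # RMS template, e.g. "Do Not Forward"
    from_department: Optional[str] = None  # None: any sender
    sent_to: frozenset = frozenset()       # user or DL addresses; empty: any recipient
    sent_to_scope: str = "All"             # "All" or "InOrganization"
    user_can_override: bool = False        # False: mandatory, True: optional
    priority: int = 0                      # lower runs first


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def rule_matches(rule, sender_department, recipients, internal_domains):
    if rule.from_department and (sender_department or "").lower() != rule.from_department.lower():
        return False
    if rule.sent_to:
        targets = {a.lower() for a in rule.sent_to}
        hit = any(r.address.lower() in targets or {d.lower() for d in r.distribution_lists} & targets
                  for r in recipients)
        if not hit:
            return False
    if rule.sent_to_scope == "InOrganization":
        # Assumption: the scope predicate holds only when every recipient is internal.
        if not all(domain_of(r.address) in internal_domains for r in recipients):
            return False
    return True


def evaluate(rules, sender_department, recipients, internal_domains):
    """Return (template, user_can_override) of the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, sender_department, recipients, internal_domains):
            return rule.template, rule.user_can_override
    return None


# Constructed rule set: HR mail is always protected, mail to the legal DL is
# read-only, and R&D mail that stays inside the organization is protected but
# the user may remove the protection.
RULES = [
    ProtectionRule("HR always protected", "Do Not Forward", from_department="HR", priority=0),
    ProtectionRule("Legal DL", "Confidential - Read Only",
                   sent_to=frozenset({"legal@contoso.com"}), priority=1),
    ProtectionRule("R&D internal", "Confidential - Read Only", from_department="R&D",
                   sent_to_scope="InOrganization", user_can_override=True, priority=2),
]
INTERNAL = {"contoso.com"}
```

Since the evaluation runs in the client, the rules protect against accidental disclosure by the sender rather than against a hostile sender; the transport-rule action earlier on this page is the server-side control that does not depend on the client honouring anything.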
Outlook Protection Rules
• IRM protection will be applied by Outlook
− IRM protected e-mail can be shown in OWA
− IRM protected e-mail can be indexed by the content indexing engine on the mailbox server
− Mail can be journaled in the clear to internal or 3rd party archives
− E-discovery is able to access or retrieve these messages within Exchange
Outlook Protection Rules
• IRM protection automatically triggered based on sender/receiver attributes
• Supported attachments are also protected
• Windows Desktop Search will index headers and subject
• Authorized users can turn off protection
• Protection is applied at the client level
• Can be used to prevent e-mail service provider from accessing your e-mail
How does it work? Outlook Protection Rules
[Diagram: Outlook client, Client Access (OWA), AD DS, RMS]
1. Administrator defines a set of Outlook Protection Rules. These are exposed via a web service to clients.
2. When the user connects to Exchange via CAS, the rules are automatically downloaded. They are then frequently updated on the client based on administrator changes.
3. The first time a rule triggers the user is asked to get a RAC and CLC from RMS.
4. The message is protected before the user sends. User can override (if rule allows).
Rights Management Services Integration in Unified Messaging
• UM administrators can allow incoming voice mail messages to be marked as “private”
• Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying content
• Private voice mail is supported in Outlook 2010 and OWA 2010
Protected Voice Mail (Do Not Forward)
• Voice mail and transcript are protected using AD RMS protectors
• Do Not Forward template
• Permissions applied by sender or required by administrative policy
How does it work? Protected Voice Mail
[Diagram: Unified Messaging, AD DS, AD DS RMS]
1. Voice mail marked as “Private.”
2. On first use, Exchange does an SCP lookup for the RMS server.
3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used.
* Super user not required.
4. Message is protected using the CLC. The owner of the message is the caller (if resolved).
5. Voice mail is delivered to the recipient with RMS protection applied.
Exchange 2010 and RMS Overview
• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS
Streamlined End-User Experience - Prevent RMS protection from getting in user’s way
• Pre-licensing enables offline and mobile access to RMS protected messages
• IRM feature parity between Outlook and OWA
• Conduct full-text search on RMS protected messages in OWA
• Built-in ability to create/consume RMS protected messages with Windows Mobile® 6.x
Rights Management Services Integration in Outlook Web Access
• Create/consume RMS protected messages natively, just like Outlook
• No client download or installation required
• Supports:
− Mozilla Firefox™, Safari®, Macintosh® and Windows®
− Conversation View, Preview pane
− Full-text search on RMS protected messages
Rights Management Services Integration in Outlook Web Application
How does it work? Outlook Web App
[Diagram: Hub Transport, Client Access (OWA), AD DS, AD DS RMS]
1. RMS protected mail passes through Hub Transport.
2. Exchange requests a Pre-License for the recipient on the message. Exchange also requests a Server License. Both are saved on the message.
3. On first use, Exchange CAS does an SCP lookup for the RMS server.
4. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used. The RAC is a super-user RAC.
5. User attempts to open an IRM message in OWA. Using the RAC on the machine and the Server License, the content is decrypted. The user’s rights are computed using the Pre-License.
Exchange 2010 and RMS Overview
• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS
Transport Pipeline Decryption
• Enables Hub Transport agents to scan/modify RMS protected messages
− Required for antivirus scanning, Transport Rules or 3rd party agents
• Decryption Agent
− Decrypts message and attachments, using RMS super-user privileges
− Only decrypts once per forest, on the first Hub, to improve performance
− Option to NDR messages that cannot be decrypted
• Encryption Agent
− Re-encrypts messages, message forks and NDRs with original Publishing License
Journal Report Decryption
[Diagram: Hub Transport to Archive/Journal]
Server Decryption agent:
• Attaches clear-text copies of RMS protected messages and attachments to journal mailbox
• Requires super-user privileges, off by default
• Stamps x-Org header to prevent future decrypt attempts
How does it work? Transport Decryption
[Diagram: Hub Transport agent pipeline: Decryption -> Transport Rules, Journaling, Forefront Security for Exchange, 3rd Party Agents -> Encryption; AD DS, AD DS RMS]
1. Mail marked for protection or an already protected mail item.
2. On first use, Exchange does an SCP lookup for the RMS server.
3. Exchange requests a RAC and CLC for the “shared identity” account. These are saved and re-used. The RAC is a super-user RAC.
4. Incoming IRM mail is decrypted so all agents have access to the decrypted content.
5. At the end of the agent pipeline the message is re-encrypted, including any changes made by agents.
6. Processed message is sent to next hop or delivered to the recipient.
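The agent pipeline from steps 4 to 6, together with the decrypt-once-per-forest stamp and the NDR option from the Transport Pipeline Decryption slide, modelled as an added example. This is not Exchange code: the cipher is a toy keystream used only so that "re-encrypt with the original publishing license" has a checkable meaning (real RMS uses AES content keys and signed licenses), and the header name, license ids, content key and message text are constructed.

```python
"""Hub Transport decryption/encryption agent pipeline (added example, not Exchange code).

Models what the slides describe: a decryption agent that uses a super-user
key to open an RMS protected message once per forest (a header stamp stops
later hubs from repeating it), lets the other agents work on the clear text,
and an encryption agent that re-encrypts with the original publishing
license, so the recipients' existing licenses still open the result.
The cipher is a toy keystream for illustration only (not RMS/AES); the
header name, license ids and message text are constructed.
"""
import hashlib
from dataclasses import dataclass, field

DECRYPTED_STAMP = "X-Org-Decrypted"  # constructed name for the slide's "x-Org header"


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_crypt(key, data):
    """XOR with a SHA-256 keystream; the same call encrypts and decrypts. Toy only."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class Message:
    license_id: str          # identifies the publishing license the message was protected with
    body: bytes              # ciphertext unless `clear` is True
    headers: dict = field(default_factory=dict)
    clear: bool = False


class NdrError(Exception):
    """Raised when the agent is configured to NDR messages it cannot decrypt."""


class DecryptionAgent:
    def __init__(self, super_user_keys, ndr_on_failure=True):
        self.keys = super_user_keys          # license_id -> content key the super-user RAC can obtain
        self.ndr_on_failure = ndr_on_failure
        self.decrypt_count = 0

    def process(self, msg):
        if DECRYPTED_STAMP in msg.headers:
            return msg                       # already decrypted on an earlier hub in this forest
        key = self.keys.get(msg.license_id)
        if key is None:
            if self.ndr_on_failure:
                raise NdrError(f"cannot decrypt message protected with {msg.license_id}")
            return msg                       # pass through still protected; agents see ciphertext only
        msg.body, msg.clear = toy_crypt(key, msg.body), True
        msg.headers[DECRYPTED_STAMP] = "1"
        self.decrypt_count += 1
        return msg


class EncryptionAgent:
    def __init__(self, super_user_keys):
        self.keys = super_user_keys

    def process(self, msg):
        if msg.clear:                        # re-protect with the original publishing license
            msg.body, msg.clear = toy_crypt(self.keys[msg.license_id], msg.body), False
        return msg


def disclaimer_agent(msg):
    """Stand-in for a transport rule that appends text; it can only act on clear text."""
    if msg.clear:
        msg.body += b"\n-- Scanned by transport rules"
    return msg


def run_hub(msg, decrypt, agents, encrypt):
    msg = decrypt.process(msg)
    for agent in agents:
        msg = agent(msg)
    return encrypt.process(msg)


def scenario():
    keys = {"PL-1": b"content-key-for-PL-1"}                   # constructed content key
    original = b"Quarterly numbers attached"
    msg = Message("PL-1", toy_crypt(keys["PL-1"], original))   # as protected by the sender
    decrypt, encrypt = DecryptionAgent(keys), EncryptionAgent(keys)
    msg = run_hub(msg, decrypt, [disclaimer_agent], encrypt)   # first hub: decrypt, agents, re-encrypt
    msg = run_hub(msg, decrypt, [disclaimer_agent], encrypt)   # second hub: stamp present, no decrypt
    recipient_view = toy_crypt(keys["PL-1"], msg.body)         # recipient's own license still opens it
    return {"decrypt_count": decrypt.decrypt_count, "recipient_view": recipient_view,
            "still_encrypted": not msg.clear and msg.body != recipient_view}
```

The two settings a reviewer should check on a real deployment correspond to the two branches in DecryptionAgent.process: whether transport decryption is enabled at all (the slides note it requires super-user privileges and is off by default) and whether undecryptable mail is rejected with an NDR or passed through untouched, in which case the scanning agents never see its content.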
Journal Report Decryption
Exchange 2010 and RMS Overview
• Automatic Protection
• Streamlined User Experience
• Enable IT Infrastructure
• B2B RMS
Business to Business RMS - Securely Communicate With Partners
Available in SP1
• Customers can communicate using RMS between organizations by deploying ADFS and setting up trusts
− ADFS requires a separate trust between each partner
− ADFS isn’t supported by Exchange
• In Exchange 2010, customers can federate with the Microsoft Federation Gateway instead of each partner
− A single federation point replaces individual trusts
− Allows Exchange to act on-behalf-of users for decryption
Business to Business RMS
[Diagram: contoso.com (Exchange 2010, AD DS RMS 2008) and fabrikam.com (Exchange 2010), each with a federated trust to the Microsoft Federation Gateway]
1. Organizations federate Exchange and RMS with the Microsoft Federation Gateway
− Each organization creates a federated trust with the Microsoft Federation Gateway using the wizard
2. User in Contoso sends an RMS protected message to a recipient in Fabrikam
− Message is protected against Contoso's AD DS RMS server
3. Fabrikam’s Exchange server requests a delegation SAML token from the Federation Gateway for Contoso’s RMS server
− Fabrikam requests a delegation SAML token from the Federation Gateway
− Delegation SAML token is used to authenticate on-behalf-of the recipient to Northwind Traders’s RMS server
4. Contoso returns license to Fabrikam to decrypt mail in OWA for recipient
− Contoso validates the signature on the delegation SAML token and ensures that the recipient has rights to the message
− Northwind Traders returns a license to Fabrikam which can be used to decrypt the message in OWA and enforce rights
Business to Business RMS: Securely Communicate With Partners
Senders can control how their data is accessed by 3rd parties
By using federation, RMS can allow organizations and applications to access data on-behalf-of individuals
They can specify whether recipient organizations can archive e-mails in the clear
RMS administrator can control which 3rd parties can access data using federated authentication (allow/block list)
Recipient organization can decrypt RMS protected messages for OWA, Journal Report Decryption, and Transport Pipeline decryption
Dependencies
• Exchange 2010
− Supported on Windows Server® 2008 SP2 and R2
• RMS integration features require:
− RMS on Windows Server 2008 SP2
− RMS on Windows Server 2008 R2
• B2B RMS requires:
− Windows Server 2008 R2 RMS
− Exchange 2010 SP1
Improvements in SP1
• WebReady Document Viewing of IRM-protected attachments in OWA
− View IRM-protected attachments without having to download them. Preview IRM-protected documents on computers that don't have Microsoft Office installed. Along with the cross-browser and cross-platform support in Outlook Web App, this functionality extends the reach of IRM to various browsers and operating systems.
• IRM Logging
− Enable logging of IRM features on the Mailbox, Hub Transport, Client Access, and Unified Messaging server roles. IRM logs contain detailed transaction and error information, allowing administrators to easily monitor and troubleshoot IRM features.
• IRM in Exchange ActiveSync
− IRM in Exchange ActiveSync allows users with supported devices to access IRM-protected messages without first having to activate the device for IRM by tethering the device to a computer; IRM is available for all supported EAS devices.
• Cross-organization support
− IRM features supported in cross-organization topologies for easier collaboration between two organizations via OWA.
End of Exchange 2010 Transport, Routing, and IPC Module
Architectural Design Session
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.