Exchange Server Role Requirements Calculator 7.9

Exchange 2010 Mailbox Role Sizing Calculator 16.4The Exchange team published an update for the Exchange Server Role Requirements Calculator, the tool to aid you in properly sizing your Exchange Server 2013 or Exchange Server 2016 deployment. The new version number is 7.9, and it contains mainly bug fixes.

Functionality changes and bug fixes since version 7.8:

  • Added support for 1.8TB disk capacity
  • Added color formatting for when memory exceeds the maximum recommended value
  • Fixed calcNumDBCopyInSDC formula to take into account proper number of lagged copies
  • Fixed calcActDBPDCWorst formula to take into account non-HA deployments
  • Fixed an issue where ReplayLagManager calculated field did not take into account the user disabling JBOD
  • Fixed version mismatch and added Add-PartitionAccessPath in Diskpart.ps1 script
  • Fixed issue with export CreateDAG.ps1 script where it defined Alternate Witness in single datacenter deployments
  • Fixed diskpart.ps1 script to sleep 10s after creating partition but prior to formatting to minimize error condition
  • Fixed RetainDeletedItemsUntilBackup to be set to $false for NDP deployments

You can download the calculator here. For more information, please consult the list of changes here or Read Me here.

Exchange Updates – June 2016

Ex2013 LogoThe Exchange Team released the wave of Exchange updates for Exchange 2016 down to Exchange 2007.

Major changes in contained in these updates:

  • .NET 4.6.1 support for Exchange Server 2013 and 2016.
    • When upgrading Exchange, install the CU before upgrading to .NET Framework 4.6.1. For greenfield deployments, you should be able to install the .NET Framework 4.6.1 straightaway, prior to installing Exchange; however, no official statement on that yet.
    • When deploying .NET Framework 4.6.1, the following OS dependent fixes are required as well: KB3146716 for WS2008/WS2008R2, KB3146714 for WS2012, and KB3146715 for WS2012R2
  • BitLocker support for AutoReseed. More information here.
  • By default, SHA-2 certificates are generated. This includes the self-signed certificates as well.
  • Like Exchange 2016 CU1, Exchange 2016 CU2 is an uncompressed ISO file. If bandwidth is scarce where you will be deploying, be sure to download this 6GB file upfront.
  • Not mentioned in the KB’s list of fixes for Exchange 2016 CU2 and Exchange 2013 CU13 is the inclusion of KB3161916, Data loss may occur during public folder migration to Exchange 2013, Exchange 2016, or Exchange Online.

For a list of fixes in these updates, see below.

Exchange 2016 Cumulative Update 2 15.1.466.34 KB3135742 Download UML
Exchange 2013 Cumulative Update 13 15.0.1210.3 KB3135743 Download UML
Exchange 2010 Service Pack 3 Rollup 14 14.3.301.0 KB3151097 Download
Exchange 2007 Service Pack 3 Rollup 20 8.3.468.0 KB3151086 Download

Exchange 2016 CU2 fixes:

  • KB3171162 You cannot search emails in Outlook or Outlook Web App in an Exchange Server 2016 Cumulative Update 1 environment
  • KB3164346 Cannot connect to a mailbox when MAPI over HTTP protocol is used in an on-premises Exchange Server 2016 installation
  • KB3163039 Email message body is garbled when Simplified Chinese characters are included on BCC line in an Exchange Server environment
  • KB3162968 “Failed to load script” error when you log on to OWA and select a language
  • KB3126723 Retention policy doesn’t work on the In-Place Archive mailbox in Exchange Server

Exchange 2013 CU13 fixes:

  • KB3164701 Can’t create a new send connector in Exchange Control Panel in Exchange Server 2013
  • KB3164700 Write scope in EAC on a role group reverts to default scope in Exchange Server 2013
  • KB3164359 Stop error and restart triggered by ServerOneCopyInternalMonitorForceReboot responder in Exchange Server 2013
  • KB3163186 “Repair update” message after you send a meeting invitation to a distribution list in Exchange Server 2013
  • KB3163173 NDR after you accept or decline a meeting request in Exchange 2013
  • KB3163039 Email message body is garbled when Simplified Chinese characters are included on BCC line in an Exchange Server environment
  • KB3162964 Items are held unnecessarily in the DiscoveryHold folder in Exchange Server 2013
  • KB3162957 “Invalid search filter” error when you use the “UM Mailbox Policy” filter in Exchange Server 2013
  • KB3162934 Test-ExchangeSearch cmdlet fails without parameters or with the -MailboxDatabase parameter in Exchange Server 2013
  • KB3162933 Outlook client remains disconnected after the mailbox is migrated to Exchange Server 2013
  • KB3162772 Accepted or declined messages for a forwarded meeting are sent to the forwarder in Exchange Server 2013
  • KB3160935 Public folder forwarding rule doesn’t work after migration to Exchange Server 2013
  • KB3150799 IMAP with NTLM fails if a user’s UPN and primary SMTP address don’t match in Exchange Server 2013
  • KB3150036 The EdgeTransport process crashes on an Exchange Server 2013 server that has the Edge Server role installed
  • KB3149767 “System.FormatException” error is logged in Event Viewer when Exchange Server 2013 runs on a French operating system
  • KB3142157 Exchange Server Health Management Worker process restarts frequently in Exchange Server 2013
  • KB3140102 OWA application pool crashes with KeyNotFound exception in Exchange Server 2013
  • KB3129946 Update to support the AutoReseed feature in a DAG environment that’s BitLocker-enabled in Exchange Server 2013
  • KB3126723 Retention policy doesn’t work on the In-Place Archive mailbox in Exchange Server
  • KB2661294 Email address policy doesn’t generate addresses of recipients in Exchange Server 2010 or Exchange Server 2013

These Cumulative Updates for Exchange Server 2016 and 2013 as well as the Rollups for Exchange Server 2010 and 2007, fix the security issue described in Security Bulletin MS16-079. The Cumulative Updates for Exchange Server 2016 and 2013 also include DST changes.

Notes:

  • Exchange 2016 CU2 includes schema changes (version 15325), and Exchange 2013 CU12 may introduce RBAC changes in your environment. When applicable, make sure you run PrepareSchema /PrepareAD before deploying. To verify this step has been performed, consult the Exchange schema overview.
  • Exchange 2016 CU2 introduces activation preference changes for Database Availability Groups. You might want to consider reading the article upfront describing these changes here.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode.
  • The Windows Management Framework (WMF)/ PowerShell version 5 is not supported. Don’t install this on your Exchange servers.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.
  • Rollups are cumulative per service pack level, meaning you can apply the latest Rollup for Service Pack X to a Service Pack X installation.

Finally, as always for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or TechNet forum for any issues.

 

 

The UC Architects Podcast Ep57

iTunes-Podcast-logo[1]Episode 57 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by Steve Goodman and Tom Arbuthnot. Editing was done by Andrew Price.

Topics discussed in this episode are:

  • Microsoft is rolling back the mailbox anchoring change for remote PowerShell that was introduced in 2013 CU11
  • Exchange 2013 and 2016 Exmon tool is now available
  • A friendly reminder that WMF (PowerShell) 5.0 is currently not supported with any version of #MSExchange
  • Exchange says no to .NET Framework 4.6.1
  • Hybrid Shared Mailbox access is now supported
  • Announcing the new Office 365 admin center
  • Office 365 Reporting web service and Windows PowerShell cmdlets
  • Office 365 Hybrid Configuration wizard for Exchange 2010
  • Bulk provisioning Office 365 licenses and services script
  • Mitel Networks (MITL) to Acquire Polycom (PLCM) in ~$1.96B Deal
  • Lync 2010 transitioning from mainstream to extended support
  • Skype for Business Cloud Connector Edition Released
  • Thomas Poet’s Office Cloud Connector Edition
  • Cloud Connector Edition Skype for Business Online Planning and Migration Guide
  • Microsofts Free StatsMan Released for Skype for Business and Lync
  • Configure OAuth between Skype for Business Server and Exchange Online
  • Microsoft’s Skype now works without plug-ins with Windows 10’s Edge browser
  • Skype for Business Hybrid–Additional Office 365 Domain
  • Announcing content viewing for Skype for Business on Android and updates to iOS
  • Skype for Business SDN Interface 2.4 Released with PowerShell Provisioning
  • Skype for Business Client Update Video Webcast: Announce Offline Messaging!
  • Skype for Business Server 2015, Capacity Calculator
  • CMS Changes in Skype for Business 2015
  • Quick Tip: SLA Errors – Just Ignore Them
  • Technical diagrams for Skype for Business Server 2015
  • Microsoft to eliminate Skype Managed Accounts feature by March’s end (Regular Skype, not Skype4B)
  • Displaying Network and Building Information in Call Quality Dashboard (CQD) Online
  • Lync 2013 Client Update Feb 2016 (KB3114732) 15.0.4797.1000.
  • Lync Server 2013 CU
  • Skype for Business Server 2015 CU2 (March)
  • Pat’s Get-CsUpdateVersion script
  • .NET Framework 4.6.1 and Skype for Business/Lync Server Compatibility
  • StatusKey for Skype for Business
  • Lync 2013 / Skype for Business Call Pickup Group Manager Version 2
  • UC Birmingham User Group  (5/11)
  • UC Day mailing list for more information about a dedicated UC and cloud conference happening on 24th October in the UK
  • IPExpoManchester (5/19)

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Exchange Updates – March 2016

Ex2013 LogoToday, the Exchange Team released one big wave of Exchange updates for Exchange 2016 down to Exchange 2007.

Changes in contained in these updates:

  • Exchange 2016 CU1 is an uncompressed ISO file. If bandwidth is scarce where you will be deploying, be sure to download this 6GB file upfront.
  • Mailbox Anchoring, introduced with the previous CU for Exchange 2013 and Exchange 2016, is reverted.
  • Exchange 2010 supports stand-alone Exchange 2010 Hybrid wizard.
  • All updates will introduce updated OWA/Ootw S/MIME control.

For a list of fixes in these updates, see below.

Exchange 2016 Cumulative Update 1 15.1.396.30 KB3134844 Download UML
Exchange 2013 Cumulative Update 12 15.0.178.4 KB3108023 Download UML
Exchange 2010 Service Pack 3 Rollup 13 14.3.294.0 KB3141339 Download
Exchange 2007 Service Pack 3 Rollup 19 8.3.459.0 KB3141352 Download

Exchange 2016 CU1 fixes:

  • KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
  • KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
  • KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
  • KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
  • KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange 2013 CU12 fixes:

  • KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes
  • KB 3138644 Messages are stuck in the Submission queue until NDRs are returned or the server is restarted
  • KB 3137585 OAuth authentication fails in a proxy scenario between Exchange Server 2013 hybrid on-premises and Office 365
  • KB 3137581 An eDiscovery search of all mailboxes or some Distribution Groups fails when you use the Exchange Administration Center
  • KB 3137390 “DeviceId cannot contain hyphens” warning occurs when you use the Exchange Management Shell or the Exchange Administration Center to remove the associations in Exchange Server
  • KB 3137384 Error occurs when you remove an ActiveSync device in the Exchange Management Shell or from the Exchange Administration Center
  • KB 3137383 CafeLocalProbe fails if the Health Mailbox UPN doesn’t match its Active Directory domain name
  • KB 3137380 Both read receipts and Non-read receipts are generated when an email is read through IMAP or POP in Exchange Server 2013
  • KB 3137377 MSExchange FrontEnd Transport service crashes when email messages are processed that contain a null “X-OriginatorOrg” message header
  • KB 3136694 Calendar items are not synced correctly when you use Exchange ActiveSync on a mobile device
  • KB 3136404 Searching by Furigana in Outlook’s address book is unsuccessful in an Exchange Server 2013 environment
  • KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
  • KB 3135334 Cannot set Title in Exchange Admin Center (ECP) if it contains more than 64 characters
  • KB 3135269 Event ID 4999 with MSExchangerepl.exe and MSExchangeDagMgmt.exe crash in Exchange Server 2013 environment
  • KB 3135018 Cannot remove devices when the DeviceType property includes a forward slash
  • KB 3134952 EdgeTransport.exe crashes when you view details of messages in the poison message queue
  • KB 3134918 An IRM-protected message sent to an external contact isn’t returned in a search or discovery results when journaling is implemented in an Exchange Server 2013 environment
  • KB 3134894 The “Search-Mailbox” cmdlet together with the “Attachment” property keyword lists all items that contain the query string of “attachment”
  • KB 3128706 HttpProxy overloads a downlevel Client Access Server in an Exchange Server 2013 co-existence environment
  • KB 3124248 Managed Availability responders fail because of invalid WindowsService names in an Exchange Server 2013 environment
  • KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016
  • KB 3124064 Event ID 1009 is logged and no Health Manager alerts on failed content indexes during migration in Exchange Server 2013
  • KB 3118902 Resource Booking Assistant doesn’t update the subject of a recurring meeting in Exchange Server 2013
  • KB 3109539 Exchange Management Shell doesn’t return the correct number of Exchange Server 2013 Enterprise CALs license
  • KB 3108415 Logon for POP3 client disconnects randomly in an Exchange Server 2013 environment
  • KB 3106236 The “Export-PublicFolderStatistics.ps1” cmdlet exports Russian (Cyrillic) characters as question marks
  • KB 3098561 “Error executing child request for /owa/auth/errorFE.aspx” when you browse to /ECP in Exchange Server 2013

Notes:

  • Exchange 2016 CU1 includes schema changes, and Exchange 2013 CU12 may introduce RBAC changes in your environment. When applicable, make sure you run PrepareSchema /PrepareAD before deploying. To verify this step has been performed, consult the Exchange schema overview.
  • If you have deployed KB3097966 on your Exchange server running on Windows Server 2012 R2, you may want to manually recompile the .NET assemblies before upgrading Exchange to significantly speed up the process. To accomplish this, run the following on every Exchange server on Windows Server 2012 R2:
    “%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”
    Don’t get upset by the messy output and any error messages; if the result of this command shown in the output is ‘0’ you’re good to go.
  • Be advised .NET Framework 4.6.1 is still not supported; make sure you don’t install this .NET update on your Exchange servers.
  • The Windows Management Framework (WMF)/ PowerShell version 5 is not supported. Don’t install this on your Exchange servers.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.
  • Rollups are cumulative per service pack level, meaning you can apply the latest Rollup for Service Pack X to a Service Pack X installation.

Finally, as always for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the original article or TechNet forum for any issues.

 

The UC Architects Podcast Ep56

iTunes-Podcast-logo[1]Episode 56 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by John Cook and Tom Arbuthnot. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Exchange Unified Messaging Voicemails not being received in mailbox
  • VMWare vSphere Exchange 2016 Best Practices Guide
  • Cloud PBX / E5 Dec Launch
  • Wildcard certs and Lync/SfB
  • Nexthop is back
  • RT100 dead
  • Developing for Skype for Business in 30 days
  • Group Call Pickup can be configured via PowerShell instead of SEFAUtil
  • Add Skype Consumer or Skype for Business Server Audio Test Service Bot to a Cloud PBX User
  • Exchange UM Toll Fraud Risk, Don’t Weaken Your PIN Settings
  • Understanding Skype for Business Server and Online PSTN Conference ID Configuration
  • HDX RealTime Optimization Pack 2.0 for Skype for Business on Citrix XenApp and
  • XenDesktop VDI
  • UCBug 10 Feb
  • Microsoft UC User Group London 3rd March Polycom EEC London
  • UCExpo London, 19th – 20th April
  • Cloud PBX
  • Unified Communications Day 2016 – October 24th

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Exchange 2013 Cumulative Update 11

Ex2013 LogoThe Exchange Team released Cumulative Update 11 for Exchange Server 2013 (KB3099522). This update raises Exchange 2013 version number to 15.0.1156.6.

  • KB 3120594 Appointment on the Outlook calendar isn’t updated to a meeting when attendees are added
  • KB 3108345 “The app couldn’t be downloaded” error occurs when you try to install an application from the Intranet in Exchange Server 2013
  • KB 3108011 Error message occurs in Outlook after you change a single instance of a recurring meeting by using an iOS device
  • KB 3107781 Exchange ActiveSync device doesn’t keep messages for 30 days as configured
  • KB 3107379 Noderunner.exe consumes excessive CPU resources by parsing an attached document in Exchange Server 2013
  • KB 3107337 Mailbox migration from Exchange Server 2007 to Exchange Server 2013 is very slow
  • KB 3107291 Exception occurs when you run the Invoke-MonitoringProbe cmdlets to set probes for IMAP and POP3 in Exchange Server 2013
  • KB 3107205 “Custom error module does not recognize this error” error when OWA web parts fail to load
  • KB 3107174 Pages that use the People pop-up URL don’t load in Chrome when you access OWA or the Exchange Server Administration Center
  • KB 3106613 Outlook Web App shows partial contacts in an Exchange Server 2013 environment
  • KB 3106475 POP3 and IMAP4 are not supported to use TLS protocol 1.1 or 1.2 in Exchange Server 2013
  • KB 3106421 Very long URLs in an email message do not open in OWA in Internet Explorer
  • KB 3105760 Exchange Server 2016 mailbox server can be added to an Exchange Server 2013 DAG
  • KB 3105690 Outlook clients that use MAPI over HTTP to connect to Microsoft Exchange Server 2013 mailboxes are intermittently disconnected
  • KB 3105685 The lsass.exe process leaks an amount of handles in Exchange Server 2013
  • KB 3105654 Cannot edit Inbox rules in Outlook Web App by using Chrome
  • KB 3105625 ActiveSync device downloads emails while it’s in quarantine in an Exchange Server 2013 environment
  • KB 3105389 WSMan-InvalidShellID error when you create remote PowerShell sessions in an Exchange Server 2013 environment
  • KB 3100519 No responses are sent from a room mailbox when a booked meeting extends beyond the date you set in Exchange Server 2013
  • KB 3093866 The number of search results can’t be more than 250 when you search email messages in Exchange Server 2013
  • KB 3088911 Inline attachments are sent as traditional when you smart forward an HTML email in an iOS device in Exchange Server 2013
  • KB 3088487 IOPS Write increase causes email delivery delays in an Exchange Server 2013 environment
  • KB 3076376 IMAP clients that use Kerberos authentication protocol are continually prompted for credentials in Exchange Server 2013
  • KB 3068470 “Something went wrong” error in Outlook Web App and ECP in Exchange Server 2013
  • KB 3048372 Exchange Calendar items are shifted incorrectly when some Windows DST updates are applied
  • KB 2968265 OWA cannot be accessed after you upgrade Exchange Server 2013

 

Notes:

  • This CU introduces an important change in the mechanism how Exchange Management Shell sessions will be initiated as of Exchange 2013 CU11 (and to be introduced in Exchange 2016, as well), called Mailbox Anchoring. More on this later in this article.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current (version N) or be one version behind (N-1).
  • Cumulative Update may include schema or Active Directory changes (e.g. Role-Based Access Control). Make sure you run PrepareSchema /PrepareAD.  If you want to speed up the Cumulative Update installation process, you can temporarily disable certificate revocation checking as described here.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 11 here; UM Language Packs can be found here.

MAILBOX ANCHORING
This CU introduces an important change in the administrative model. In short, you need to home your administrative mailbox on the Exchange platform level you want to administer Exchange from (mailbox anchoring), as you will connect (or be proxied) to an Exchange Management Shell (EMS) session on that host. In other words, use an administrative account with a mailbox on Exchange 2013 to administer Exchange 2013, use an admin mailbox on Exchange 2016 for Exchange 2016. The logic behind this is to work around mixed-version environment issues, as newer Exchange versions may introduce changes, like new or enhanced cmdlets but also deprecated functionality. New general recommendation is to keep arbitration mailboxes as well as administrative mailboxes on the most current version.

If the admin has no mailbox, or if it’s unavailable, arbitration mailboxes – primarily SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} – are considered for hosting your EMS session. Also, that ‘Connected to <Server>’ message when you open up an EMS session will no longer always mean your EMS session is hosted on that server; it could mean your EMS session is being proxied through there, which can create challenges when you’re running multiple sites with low bandwidth links – you may need to move your admin mailbox around or create one for local administration to enjoy better response times. You can only discover which host your session runs on by inspecting the local environment, using elements like the env:COMPUTERNAME variable or [System.Net.Dns]::GetHostName().

Also, it might be wise to spread administrative mailboxes over different servers or databases, in case your arbitration mailboxes become unavailable together with that one administrative mailbox, as you need to recover one of those just so you can set up an EMS session. The last resort for running an EMS cmdlets – against all best practices and recommendations, as it bypasses Role-Based Access Control for example – is  to load the Exchange module using Add-PSSnapIn. But be advised, you may not have all required permissions, for example your admin account may not have direct Active Directory permissions (and which is one of the reasons you shouldn’t just load the snap-in under normal circumstances).

The Exchange Team put up a separate blog to explain this change in behavior here.

Exchange 2010 SP3 RU12 & Exchange 2007 SP3 RU18

Exchange 2010 LogoThe Exchange Team released Rollup 12 for Exchange Server 2010 Service Pack 3 (KB3096066) as well as Rollup 18 for Exchange Server 2007 Service Pack 3 (KB3078672). These update raise version numbers to 14.3.279.2 and 8.3.445.0 respectively.

Apart from a Daylight Savings Time update, documented here, these Rollups contain the following fixes:

Exchange 2010 SP3 Rollup 12:

  • KB 3048372 Exchange Calendar items are shifted incorrectly when some Windows DST updates are applied
  • KB 3096125 CryptographicException error when Edge Transport service crashes in an Exchange Server 2010 environment
  • KB 3097219 Organizer’s name isn’t displayed in the subject of the recurring meeting requests in Exchange Server 2010
  • KB 3106421 Very long URLs in an email message don’t open in OWA in Internet Explorer
  • KB 3115809 Mailboxes can be accessed when the DefaultNetworkCredentials option is selected when you use Exchange Web Services Managed API to connect to Exchange Server

Exchange Server 2007 SP3 Rollup 18:

  • KB 3106421 Very long URLs in an email message don’t open in OWA in Internet Explorer

Notes:

    • If you want to speed up the update process for systems without internet access, follow the procedure described here to disable publisher’s certificate revocation checking.
    • If you got an Exchange 2010 DAG, and want to properly update the DAG members, check the instructions here.
    • As for any Hotfix, Rollup, Service Pack or Cumulative Update, apply this update to a acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a certain period and monitor the comments on the release article or TechNet forum for any issues.

Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you can apply the latest Rollup after installing a fresh installation of RTM or SPx version, for that product level.

You can download Exchange 2010 SP3 Rollup 12 here and Exchange 2007 SP3 Rollup 18 here.

OWA vulnerable to backdoor hack?

fudLast Update: October 10th, 2015

Yesterday, news rose of a security vulnerability in Outlook Web Access (OWA). A company called Cybereason claimed to have discovered an OWA backdoor hack of which they published in a report, “Webmail Server APT: new persistent attack methodology targeting Microsoft Outlook Web Application (OWA)” (APT stands for Advanced Persistent Threat). Supposedly, an OWA backdoor in ‘OWA Server’, the term used for Exchange Server in the report, allows a hacker to collect clear text usernames and passwords.

News sites quickly picked up the story, with catchy headlines such as:

  • New Outlook mailserver attack steals massive number of passwords (Arstechnica)
  • Microsoft OWA falls victim to password-pinching APT attack (Inquirer)
  • Potent OWA backdoor scores 11000 corporate creds from single biz (The Register)
  • Hackers Breach Microsoft OWA Server, Steal 11,000 User Passwords (SoftPedia)
  • Researchers find credential-stealing webmail server APT attack (ComputerWeekly)

The news was copied a lot without fact checking, and Microsoft felt the need to publicly make a statement: “No new security vulnerability in Outlook Web Access (OWA)”. Unfortunately that doesn’t stop media from reporting, as they are driven by a model based on page views and clicks. And such headlines most certainly will attract viewers.

Looking closer at the report, I’m inclined to think the company wanted to push for business and free publicity by spreading FUD (Fear, Uncertainty and Doubt), not uncommon in the security world. The report states that it is required to have installed (report does not disclose how) a malicious ISAPI filter on the ‘OWA Server’, without details on how this was achieved. Most likely they have used (or are referring to) the OWAAuth ISAPI filter also mentioned in a threat report (TG-3390) from Dell, dated August, 2015. The OWAAuth.dll filter authenticates users through Forms-Based Authentication against Active Directory.  Capturing and decoding client traffic is what these ISAPI filters can do, so that’s not worrying. Unfortunately, Cybereason report does not state the version of the ‘OWA Server’ or operating system. Was it current, and fully patched?

Key question is how did this filter get on the Exchange server in the first place? A properly managed environment does not allow for this type of access. So, the problem is likely not with the ‘OWA Server’ or the operating system. In a response on a blog reporting on this issue, Cybereason clarified that, “The hackers managed to obtain access to this server using stolen credentials.” Well, there is the confirmation of the real issue at hand: This is not an ‘OWA Server’ issue. The person could in theory have done anything with those stolen credentials.

In their response, the Cybereason spokesperson also stated that:

“The problem is that this server was in a very unique position. On one hand it’s completely internet facing and on the other hand, it is a focal point for the full credentials of all employees in the organization. Companies should be wary of using this server without requiring VPN (although this is usually its biggest advantage) and at the very least, require 2FA (2 factor authentication).”

I agree on the multi-factor authentication statement, especially for administrative or high profile accounts. However, claiming that VPN would prevent the issue is strange, as with most typical organizations that same set of stolen credentials would allow for setting up a VPN connection, maybe requiring some guesswork on the endpoint, but in the end enabling access to the same environment and practicing the same malicious behavior. Also, it is best practice to use a  more regular account for e-mail and connectivity, requiring another set of credentials for administrative privileges.

So, while the report may be based on a real world scenario, always have a healthy dose of common sense when reading these ‘research reports’ from companies selling security products and services. Manage your Active Directory and Exchange environment properly, use MFA for privileged accounts and remote access, and life should be good.

Other Exchange fellows also debunked the report:

Update (Sep9): If you are nevertheless still concerned, and want to do a quick scan of the currently loaded ISAPI modules on your Exchange servers, you can run the cmdlet below (be advised it’s a one-liner!). You should be able to spot ISAPI modules loaded from unusual locations or reporting an unexpected version number:

Get-ExchangeServer | ForEach-Object { Invoke-Command -ComputerName $_.Name -ScriptBlock { Get-WmiObject -Namespace 'Ro
ot\MicrosoftIISv2' -Class IISFilterSetting -Authentication 6 | ForEach-Object { (Get-Item $_.FilterPath | Select -ExpandPropert
y VersionInfo) } } } | Sort-Object PSComputerName,FileName | Format-Table -AutoSize PSComputerName, ProductVersion, FileName

isapifilt1

Update (Sep10): Cybereason provided some more details through Twitter and will publish a FAQ next week. However, more details were already given in an interview with ThreatPost (by Kaspersky Lab), in which Cybereason states that:

  • The harvesting took place over a period of months.
  • Stolen credentials were used to load a malicious, unsigned ISAPI filter, OWAAuth.dll.
  • The malicious OWAAuth.dll was residing in a non-standard location.
  • The malicious OWAAuth.dll was persistently loaded by modifying the registry.
  • Other modules were loaded, amongst them PlugX which has been around for a while, and which is the actual backdoor providing remote control mechanisms.

There are lots of similarities with the Cybereason case and Dell CTU’s TG-3390 analysis (use of PlugX, OWAAuth.dll). Since the harvesting took place over a longer period, were administrators not aware of the theft or not paying attention. Could it be that there’s a sudden increase of organizations and administrators not properly dealing with stolen passwords and password policies in general?

Meanwhile, Cybereason also claims the report, “was a malware analysis report and never about an OWA exploit”. While they have no control over the media, wording like “Cybereason Labs Reports on OWA Backdoor Attack” implies something differently. They also state one of the main concerns is, “Corporate Microsoft OWA servers are high prevalence in financial institutions”, which seems odd statement. Possibly, it’s a clue on where they hope to push business from, but from my personal experience these organizations are the most likely to have implemented multi-factor authentication and provide limited – if any at all – remote access functionality.

2015 Microsoft MVP Award

I am proud and happy to announce I got re-awarded the Microsoft MVP Award for Exchange Server for the third year in a row:

mvp2015

MVP awards are given to individuals by Microsoft in recognition of their contributions to the technical community, such as this writing on blogs or books, presenting, forum contributions or The UC Architects podcast.

I’d like to take this opportunity to thank my readers, followers, fellow MVPs and of course the Microsoft employees that have encouraged, helped and supported me over years.

My MVP profile can be found here.

IT/Dev Connections 2015 App

IMG_0608A quick note that if you are attending IT/Dev Connections this year, you can now build your schedule using a mobile app. The app allows you to browse and pick from 190 sessions, view speaker bios, etc.

The app is available for:

For other devices, you can use the generic mobile website here.

Note: You can still register for the event. New registrations can use SPKRSOC15 when registering for a $400 off!