Shared Hosting with Exchange 2003 (Part 2)
If you would like to read Shared Hosting with Exchange (Part 1), please click here!
Exchange 2003 provides a compelling environment for hosting messaging services. Improvements in Internet access, both through Internet Explorer and through Exchange 2003 itself, together with built-in mobile services, can provide a state-of-the-art service for customers who want to work over the Internet. This can be useful for companies whose users work at home, move around a lot, or simply do not want to run an internal mail server.
The first part of this article explained how to host a few companies on the same server where users get their e-mail address by using group membership and each company gets its own address list. This part will focus on the means for hiding the companies from each other. This means that on the client side users will only be able to see other users from their own company, effectively creating an Exchange virtual organization, also sometimes referred to as "Provisioning".
Exchange 2003 and Active Directory have no built-in wizards or other mechanisms to achieve this. Implementing this kind of solution requires some knowledge of the inner workings of Exchange and Active Directory, and preferably some programming, since creating a virtual Exchange organization can be tedious, especially if you need to create a lot of users at the same time.
To fully implement hosting with Exchange 2003 you would need Windows 2003, Exchange 2003 SP1, Outlook 2003 and Windows XP SP2. This allows clients to connect using RPC over HTTP to the hosted environment. Originally I had tried to write this article early in 2004 when the latest service packs of Exchange 2003 and Windows XP were not yet out and some features did not work. I unofficially confirmed this with Microsoft.
You can use ISA Server to protect the hosted environment while allowing customers to connect using regular MAPI that is not encapsulated in HTTP. This means clients do not have to upgrade their operating systems and Outlook applications. However, please note that on most WAN connections RPC-based MAPI is slow and suffers from timeouts, which can cause connections to fail. In any case Outlook 2003 is recommended, seeing that it compresses information when working with Exchange 2003 and employs a useful cached mode that works offline and synchronizes in the background with the server, making better use of WAN lines.
If you're just hosting Outlook Web Access your clients should have at least Internet Explorer 5.5 though Internet Explorer 6.0 SP1 is recommended.
The Exchange hiding game is done mostly by implementing permissions. Outlook will use the first Global Address List and Offline Address List that the user has permissions for. "Regular" address lists can be hidden too, but to simplify matters I've deleted the address lists from my server.
The first step in ensuring that each company gets its own Global Address List is removing the permissions of the Authenticated Users and Everyone groups from the All Global Address Lists container. Since the Global Address Lists (GALs) that Outlook clients use to resolve e-mail addresses inherit their permissions from the All Global Address Lists container, this saves you work: you no longer have to delete these groups from every GAL you create.
The All Global Address Lists container inherits its security so Inheritance must be disabled before removing permissions.
All kinds of warning messages are a part of messing with security in a Windows 2003 environment.
In the Security tab, remove the Anonymous Logon, Everyone and Authenticated Users entries.
Then re-add Authenticated Users and grant them the List object permission so they can reach the folders below, which contain their own GAL.
The same needs to be done to the All Address Lists and the Offline Address Lists container. However, security for the latter can only be altered using the Support Tools' ADSIEdit tool to edit it.
To ensure users don't access other users' properties, access also has to be denied at the Active Directory OU level. To do so, open the property pages of the Hosting OU created in Part 1 of the series, remove the permissions for Pre-Windows 2000 Compatible Access and leave only the "List" permission for Authenticated Users.
Adding permissions to a company address list or GAL is a similar process except you need to add security for the appropriate Universal Security Group.
Now is the time to create a virtual Exchange organization that has the following components: Organizational Unit, Universal Security Group, Recipient Policy, Global Address List, Address List, Offline Address List and Users.
You will find screen shots for all of these in the first part of the series. However, here is a quick re-cap, with some added steps to ensure companies are completely separate:
- Create OU for the company in Active Directory.
- Using ADSIEdit, set the uPNSuffixes property to the company's Internet domain name. This will be used by users to log on with their UPN logon name, for example: [email protected]
- Create a Universal Security Group for the company in the company OU. Manually add an e-mail to the Group that has the company's suffix, for example: [email protected]
- Using Exchange System Manager, create a recipient policy that sets two e-mail suffixes for each user: the hosting general address used to access OWA, and the company's e-mail suffix set as the default. The recipient policy uses a custom filter based on group membership, for example: (&(&(ObjectCategory=*)(memberOf=CN=Dogfood Employees,OU=Dogfood,OU=DC=hosting,DC=farm)))
- Create a company address list and a global address list with a custom search based on mail suffix, for example: (&(&(objectCategory=*)(email@example.com)))
- On the security tab of the address lists just created add the company's Universal Security Group and allow the "Read" permission.
- Create users in the company OU.
- Using ADSIEdit, for each user set the msExchQueryBaseDN property to be equal to the distinguishedName value of the OU, to limit Outlook Web Access search.
- Add users to the company Universal Security Group.
Offline Address List
The Offline Address List is created based on the company's Address List. Using ADSIEdit, on the security tab of the Offline Address List just created, add the company's Universal Security Group and allow the "Read" permission.
To complete this you need, using ADSIEdit, to set the msExchUseOAB property of each user to the distinguishedName of the relevant Offline Address Book. This tells Outlook which Offline Address Book to use.
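The per-user steps in the list above and in the Offline Address List section (set msExchQueryBaseDN, set msExchUseOAB, add the user to the company's Universal Security Group) are tedious to click through in ADSIEdit for many users. The following is an added example, not from the original article: a small Python script that writes these changes out as an LDIF file for bulk import with ldifde. The OU, group and OAB distinguished names are constructed from the article's Dogfood example, and the Exchange organization name "HostingOrg" is a placeholder for your own.

```python
import base64

# Constructed sample DNs modelled on the article's Dogfood example; the Exchange
# organization name "HostingOrg" is a placeholder for your own organization.
COMPANY_OU = "OU=Dogfood,OU=Hosting,DC=hosting,DC=farm"
GROUP_DN = "CN=Dogfood Employees," + COMPANY_OU
OAB_DN = ("CN=Dogfood OAB,CN=Offline Address Lists,CN=Address Lists Container,"
          "CN=HostingOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,"
          "DC=hosting,DC=farm")

def escape_rdn_value(value):
    """Escape characters that are special inside a DN component (RFC 2253)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry as plain text."""
    needs_b64 = (not value.isascii() or any(c in value for c in "\x00\r\n")
                 or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if needs_b64:
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value

def user_modify_record(user_dn, company_ou_dn, oab_dn):
    """Limit the user's OWA search base to the company OU and pin the company OAB."""
    return "\n".join([ldif_attr("dn", user_dn), "changetype: modify",
                      "replace: msExchQueryBaseDN", ldif_attr("msExchQueryBaseDN", company_ou_dn), "-",
                      "replace: msExchUseOAB", ldif_attr("msExchUseOAB", oab_dn), "-", ""])

def group_add_record(group_dn, member_dns):
    """Add every user to the company's Universal Security Group in one modify record."""
    lines = [ldif_attr("dn", group_dn), "changetype: modify", "add: member"]
    lines += [ldif_attr("member", dn) for dn in member_dns]
    return "\n".join(lines + ["-", ""])

def company_ldif(user_cns, company_ou_dn=COMPANY_OU, group_dn=GROUP_DN, oab_dn=OAB_DN):
    """Full LDIF for a company's users: per-user attributes, then group membership."""
    user_dns = ["CN=%s,%s" % (escape_rdn_value(cn), company_ou_dn) for cn in user_cns]
    records = [user_modify_record(dn, company_ou_dn, oab_dn) for dn in user_dns]
    records.append(group_add_record(group_dn, user_dns))
    return "\n".join(records)

if __name__ == "__main__":
    # Constructed names: one plain, one with a comma, one with a non-ASCII character.
    print(company_ldif(["John Doe", "Doe, Jane", "José Pérez"]))
```

Save the output to a file and import it on the domain controller with `ldifde -i -f dogfood.ldf`; the users must already exist in the company OU, since the records only modify existing objects.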
Having done all that you are now ready to connect.
Clients should log on using their Active Directory style logon name, originally introduced with Windows 2000, which looks a lot like an e-mail address. This ensures that even if you host a lot of users you will have fewer problems with duplicate usernames, and it also hides the hosting Active Directory name.
Please note that Outlook 2003 installed on Windows XP without SP2 cannot log in to Exchange using this type of logon name. It is actually a Windows XP bug and has been unofficially confirmed by my Microsoft sources. As far as I know there is no patch for Windows XP SP1 that resolves this.
When you open the Global Address List, this is what you get:
Please note that the Administrator user does not appear in the GAL seeing that it is not an employee of Dogfood.
Microsoft Provisioning System
Microsoft provides a custom solution for this called Microsoft Provisioning System. This is not just an Exchange solution: it also provides services for other Microsoft products and is extensible. The service is available to companies that deal with hosting and have a special SPLA agreement with Microsoft, which allows for licensing Microsoft applications on a monthly basis.
This article shows the foundation for providing hosted Exchange services. Even if you have customized Microsoft's or any other commercial solution, knowing what happens behind the scenes can be useful for diagnosing and troubleshooting problems, and perhaps sometimes for going one step further than a packaged solution might offer. Understanding how Outlook clients access the GAL and how Address Lists are created and used can help you do more and cater to unforeseen demands.