Shared Hosting with Exchange 2007 (Part 3)
If you missed the first part in this article series please read
As mentioned previously, the following article series details a configuration which is not officially supported by Microsoft. You can read the official documentation at the following link: Configuring Virtual Organizations and Address List Segregation in Exchange 2007.
Although Microsoft is discouraging the use of Public Folders, you might want to offer this service to your hosted companies. At the time of writing Service Pack 1 of Exchange Server 2007 hasn't been released, so the only way to manage Public Folders is by using the Exchange Management Shell.
Similar to what we've done with the address lists, we also want to hide public folders from each hosted organization, so once again, the solution is to modify the security permissions.
Here is the sequence of PowerShell commands to create and assign the proper permissions to a top-level public folder:
New-PublicFolder -Name CONTROL
Remove-PublicFolderClientPermission -Identity "\CONTROL" -User "Anonymous" -AccessRight CreateItems
Remove-PublicFolderClientPermission -Identity "\CONTROL" -User "Default" -AccessRight Author
Add-PublicFolderClientPermission -Identity "\CONTROL" -User "CONTROL Agents" -AccessRight PublishingAuthor
If you prefer a graphical interface to do the job and you can't wait for SP1, PFDAVAdmin is the answer. After connecting to our server (Figure 1), we can modify permissions by right clicking the folder and selecting Folder permissions (Figure 2).
Did you notice the public folder distribution of our OABs in Figure 1?
External DNS Host Names
In our simplistic scenario, we're just using one DNS name space for all hosted organizations, which is the hosting company DNS: mydomain.local.
We could make it a little bit more complex, allowing each hosted organization to use its own domain name (e.g. kaos.org and control.org). The problem with this type of configuration has to do with external access and SSL certificates. Although it is not the objective of this article to go through the external configuration procedure, let me just give you a slight overview of what you can expect.
In a corporate environment, Microsoft Office Outlook 2007 clients locate an Autodiscover service running on a Client Access Server by directly querying the Active Directory and locating relevant Service Connection Points (Figure 3).
For Internet users, Outlook 2007 will attempt to locate and connect to an Autodiscover service based on the e-mail domain of the user. For example, for the user [email protected], Outlook 2007 will automatically try to connect to the following URLs in turn:
To actually retrieve Autodiscover settings from one of these URLs, SSL is required, and therefore, each hosted domain would require a unique SSL certificate and set up a unique, new Web site which is impractical.
So, what are the workarounds that hosting companies have today?
1 SSL Certificate that is valid for multiple DNS names (or Subject Alternative Names)
2 single-name SSL Certificates (one specifically for autodiscover).
1 single-name SSL Certificate with a second HTTP redirection website.
Fortunately, Microsoft released a hotfix that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service. This new method requires only 1 website and 1 public IP, is very simple to configure and only requires 1 single-name SSL certificate.
For more information, read the following Knowledge Base articles:
- KB 939184 - Description of the update rollup for Outlook 2007
- KB 940881 - A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
Testing the Solution
I decided to test using both Outlook 2007 and Outlook 2003.
Let's start the tests by running Microsoft Outlook 2007 and downloading the Offline Address Book. Click Tools | Send/Receive | Download Address Book. For Maxwell Smart, the only address book available will be CONTROL AL (Figure 4).
Then I ran Outlook 2003 with the Groovy Guru credentials. As you can see in Figure 5, the user experience is pretty much the same.
After a successful download, if we click the Address Book button and we open the drop down list, we'll see only the address books for which this particular secret agent has permission (Figure 6). The first CONTROL AL on the list is really the Offline Address Book.
Figure 7 depicts the Outlook 2003 experience for a KAOS secret agent.
Remember that, although the user experience for Outlook 2003 and Outlook 2007 is very similar, the OAB distribution method is completely different. While Outlook 2007 uses web distribution, Outlook 2003 still depends on public folder distribution.
Let's now check Public Folders. By expanding Public Folders and then All Public Folders, we confirm that the only folder visible is CONTROL (Figure 8), since we are using Maxwell Smart credentials.
What about the connection methods? Well, if this is a true hosting environment, probably the users won't be connected to the hosting domain, so in order to connect to Exchange Server 2007, users must use:
- Outlook Web Access
- Outlook Anywhere (RPC over HTTPS)
To test OWA is pretty easy. Just open a browser, type the URL (https://e2k7.mydomain.local/owa), enter the user credentials and voila! Figure 9 and Figure 10 show the OWA experience for one of our KAOS spy.
To prove that the msExchQueryBaseDN tweak that limits access to address lists really works, I present you Figure 11 that shows only the KAOS GAL.
The Outlook Anywhere experience is pretty much the same as an online experience. Figure 12 is a screenshot of the Outlook 2003 connection status, where you can see that we're connected through HTTPS.
Microsoft Solution for Hosted Messaging and Collaboration
I hope you enjoyed this article so far, but as I told you previously, the procedures I've been describing aren't supported by Microsoft. If you really want to start your hosting business, you should use the Microsoft Solution for Hosted Messaging and Collaboration (HMC) 4.0.
HMC 4.0 offers hosting service providers with tools, tested best practices, scripts, and code samples designed to efficiently deploy messaging and collaboration services on multi-tenant servers. The solution provides both automated and manual procedures for deploying, running and operating a hosted environment.
The solution uses Microsoft technologies, such as:
- Exchange Server 2007
- Windows SharePoint Services version 3.0
- Windows Server 2003 R2
- Internet Security and Acceleration (ISA) Server 2006
- SQL Server 2005 with SP1
- Microsoft Operations Manager (MOM) 2005
- Microsoft Provisioning System
I couldn't possible describe HMC in the context of this article. I just want to give you an overview of the platform, so that you know there is a robust solution from Microsoft specifically for hosting companies.
Besides other components, HMC has its own provisioning system, so you won't need all the tweaking we did along this series of articles. But remember that most of the stuff that HMC automates and Microsoft supports is really what has been described here.
Figure 13 depicts the network reference architecture of the whole solution. It's a little more complex than our single server scenario, isn't it? 🙂
At the end of this article you'll find links where you can find additional information about HMC.
This article is meant to be a proof-of-concept that a simple Exchange Server 2007 can be used to provide hosting services. The official Microsoft platform for hosted services is Hosted Messaging and Collaboration (HMC) 4.0.
Since this solution can really be overkill for some simpler scenarios, such as a merge or acquisition involving only 2 companies, I hope that this 3-part article pointed you the right direction on how to set up your environment.
- The Microsoft Solution for Hosted Messaging and Collaboration version 4.0 Help File
- Hosted Messaging and Collaboration version 4.0
- Exchange 2007 Autodiscover and certificates
- Outlook 2007 can now use DNS SRV records to find the location of the Exchange Autodiscover Service
If you missed the first part in this article series please read