Real-time collaboration solution
Unless you’ve been hiding under a rock somewhere, you’ve no doubt heard of Instant Messaging. AOL, Yahoo!, and Microsoft have all done their part to bring Instant Messaging capability to all users with an Internet connection. Lately, there have even been some open source projects that produced IM clients capable of signing into more than one service on behalf of a client and populating their “buddy” list with users from multiple services.
The Instant Messaging feature is new to Exchange 2000 Server and provides real-time, text-based communication between two or more users in the same fashion as Windows Messenger does across the Internet. Instant Messaging messages are not saved anywhere, however, so when the session is closed, the message is gone. Instant Messaging makes use of standard HTTP 1.1 on TCP port 80. Although Instant Messaging can be installed separately from the rest of the Exchange 2000 Server components, Exchange 2000 Server is required to be running on the network.
There are three basic parts to an Instant Messaging solution:
- The client – Your client computers that have the Instant Messaging client installed on them. This client would preferably be the latest version of the Windows Messenger or the Instant Messaging client provided on the Exchange 2000 Server CD-ROM.
- Instant Messaging home server – This is a server that is responsible for hosting and tracking user accounts and contact lists. Additionally, the home server is responsible for maintaining each user’s presence (online status) information and propagating this around the network as requested. An IM server can support a maximum of 10,000 online users, although it is not recommended that you try to push the limit!
- Instant Messaging router – The IM router routes incoming client requests to their respective home server. IM routers should be placed near fast connections to the Internet for best results. Each IM router can support 50,000 online users, so you don’t need to maintain a 1:1 ratio of IM routers to IM home servers. The single biggest advantage of IM routers is that they allow an organization to establish and maintain a single IM namespace for all IM clients, regardless of which server is their home server—this results in a simplified management situation.
In addition to the three core parts of the Instant Messaging solution outlined previously, Windows 2000 Domain Controllers play an important role in the IM process. Instant Messaging uses the NTLM protocol and digest authentication to allow user access to the IM service. Windows 2000 Domain Controllers perform this authentication. If you are running in a mixed-mode setup, you can still leverage the power of the Exchange 2000 Server Instant Messaging service as long as the Exchange Active Directory Connector is installed.
Under the hood
Before we go any further into configuring and using the Instant Messaging service, it would be beneficial to understand what is going on in the background to make it all work.
- Exchange Interprocess Communication (EXIPC) – This layer acts as a sort of “glue” between IIS 5 and Exchange 2000. Since Exchange 2000 Server relies on IIS 5 for all the standard protocols (SMTP, IMAP4, etc.) there needs to be something in place to tie them together—enter EXIPC.
- Rendezvous Protocol (RVP) – This protocol maintains each user’s presence—their online status. There are standards in development by the IETF for this, but the Exchange 2000 Server protocol is not interoperable yet.
- Firewall Topology Module (FTM) – The FTM is responsible for keeping track of the location of messaging servers in relation to firewalls, determining if a proxy is required and if special IP addressing is required to get messages through a firewall. The FTM is multi-purpose in that it can act as a gateway server, a reference server (redirecting connection requests to the servers which can handle them) or as a means to refuse a client connection request.
- Node Database – This is created by the Exchange Store Engine (ESE) to handle all subscription information.
- Locator – Notifies the home server of a subscriber (a user who is online and participating in an IM session) that a message has passed through a bridgehead server.
The Firewall Topology Module, Node Database and Locator function together as the Server Application Layer. The Server Application Layer uses Exchange Interprocess Communication to talk to IIS. Clients use the Rendezvous Protocol to talk to the IM system.
Instant Messaging is actually one of the simpler services to deploy across Windows 2000, but there are a few things you should keep in mind:
- Instant Messaging servers should be placed near large groups of users and also near groups of users that are separated by slow or expensive WAN links.
- You can break your Instant Messaging deployment up into domains to match your SMTP domains if desired.
- Once you place an Instant Messaging server into a specific administrative group, you will not be able to move it—so plan wisely.
- If you determine that you will need access to the Instant Messaging service from outside the internal network, then you will have to make additional preparations to accommodate this need. In this case you will want to look into HTTP Reverse Proxy Servers and HTTP Proxy Servers.
- If you will be using the ADC to connect to an Exchange 5.5 Server implementation, the target server of the ADC must be running at SP1 or later of Exchange 5.5 Server.
- Although Instant Messaging can only be deployed on a Windows 2000 Server running Exchange 2000 Server, you can place the ADC on this same machine in small networks.
- If you deploy more than one Instant Messaging home server, you will be required to put the Instant Messaging router on a separate server.
- Instant Messaging information is, by default, not published outside of the firewall isolating the Instant Messaging domain. You will need to configure the firewall to allow the Instant Messaging traffic and also configure the Instant Messaging settings for the Firewall Topology by right-clicking on Instant Messaging Settings (in the Global Settings node) and selecting Properties, then changing to the Firewall Topology tab, as shown in Figure 1.
- If you are using an Instant Messaging router, you will need to create a SRV entry in the forward lookup zone of your DNS server for it. A completed SRV record is shown in Figure 2.
Figure 1 – Configuring the Instant Messaging Firewall Topology settings.
Figure 2 – SRV entry for an Instant Messaging router.
The latest version of the Instant Messaging client that will work with both the .NET service and the Exchange 2000 Server service can be found on a special download page here.
You can have both .NET contacts and Exchange 2000 Instant Messaging contacts within your messenger configuration, as shown in Figure 3. You will just need to supply the relevant account information to sign into each service. Figure 4 shows the error window received (in Messenger 4.5) when you cannot connect to the Exchange Instant Messaging service. The most common causes will be that the user has not been enabled for Instant Messaging or an incorrect email address has been supplied for logon. The logon email address must be the same as shown in the Instant Messaging window (shown in Figure 5) for that user, and is typically in the form of firstname.lastname@example.org.
Figure 3 – Messenger in action with both Internet .NET contacts and internal Exchange contacts.
Figure 4 – A problem exists signing into the Exchange Instant Messaging service.
Figure 5 – The email configuration we will need to use to get signed in to the Exchange service.
A couple more points about Instant Messaging before we move on to installing and configuring it:
- You will need to create the Virtual Servers from the IIS snap-in before you try to create any Instant Messaging servers or routers.
- If you will be running an Instant Messaging router and an Instant Messaging server on the same server, then you should prepend the Instant Messaging server’s domain name with IM, such as im.mydomain.com. (In my example, I had no Instant Messaging router in operation and just the one Instant Messaging server.) Additionally, you will need to make the required DNS entries to enable the Instant Messaging server to be located.
- Participation in Exchange 2000 Server Instant Messaging is not automatic. Two things must be in place for a user to be able to use Instant Messaging: the user must have a client installed on their system and the user must have been enabled for Instant Messaging from the Active Directory Users and Computers snap-in.
Configuring the Instant Messaging Service
The process to configure the Instant Messaging Service is fairly simple, but requires some planning and time. There are three basic steps to the process: creating a home server, configuring users for access, and installing the client software and connecting users.
Creating an Instant Messaging home server:
- In the Protocols node, which is under the server node, right-click on the Instant Messaging (RVP) item, click New > Instant Messaging Virtual Server, which will bring up the window shown in Figure 6.
- Enter the required information:
- Display Name - Displayed name for the Instant Messaging server.
- IIS Web Site - Virtual Server this Instant Messaging server will be hosted on. You will need to have this Virtual Server in place before beginning the process.
- DNS Domain Name - If the home server is going to be the only Instant Messaging server in your implementation (it will also be performing routing functions for the Instant Messaging system), then the domain name should be changed to something such as im.mydomain.com. Note that you should specify this domain name as the host header name in the Virtual Server. If there will be more than one Instant Messaging server in your network, you can most likely get away with using the default provided DNS domain name.
- Place a check in the box next to Allow this server to host user accounts.
- Click Next and then click Finish to complete the Wizard.
- Create host records in DNS if the DNS domain name you selected for the Instant Messaging server is not DNS-resolvable.
Figure 6 – Configuring a new Instant Messaging home server.
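The SRV record for an Instant Messaging router (Figure 2) and the host records the home-server procedure ends with are easy to get subtly wrong: the service name is fixed, the port must match the HTTP port IM actually uses, and the target host must itself resolve. The following Python script is an added example, not code from the article or from Exchange; it parses a small BIND-style zone fragment and checks those three things offline. The `_rvp._tcp` service name is assumed to be the one Exchange 2000 IM clients query (check it against your own Exchange documentation), and all host names and addresses in the sample zone are constructed.

```python
"""Offline consistency check of the DNS records an Exchange 2000 IM deployment relies on.

Added example (not part of the article). Assumptions: IM clients look up the SRV
record _rvp._tcp.<im-domain>, and IM traffic is HTTP on TCP 80 as the article states.
"""
from dataclasses import dataclass

# Constructed sample zone fragment; every name and address here is hypothetical.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
@          IN SOA ns1.mydomain.com. hostmaster.mydomain.com. ( 1 3600 900 604800 86400 )
ns1        IN A   192.0.2.1
im         IN A   192.0.2.10
imrouter   IN A   192.0.2.20
_rvp._tcp  IN SRV 0 0 80 imrouter.mydomain.com.
"""

# Constructed zone with two common mistakes: wrong port, and a target with no host record.
BAD_ZONE = """\
$ORIGIN mydomain.com.
im         IN A   192.0.2.10
_rvp._tcp  IN SRV 0 0 443 imgw.mydomain.com.   ; port is not 80, imgw has no A record
"""


@dataclass
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def _fqdn(name, origin):
    """Expand a zone-file owner or target name to a lowercase fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Return ({fqdn: [addresses]}, [SrvRecord]) from a simple BIND-style zone fragment."""
    origin, last_owner = "", ""
    a_records, srv_records = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if "IN" not in tokens:                   # ignore lines that are not resource records
            continue
        if tokens[0] == "IN" or tokens[0].isdigit():   # owner omitted or a TTL comes first
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens[0], origin)
        i = tokens.index("IN")
        rtype, rdata = tokens[i + 1], tokens[i + 2:]
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
        elif rtype == "SRV":
            prio, weight, port = (int(x) for x in rdata[:3])
            srv_records.append(SrvRecord(owner, prio, weight, port, _fqdn(rdata[3], origin)))
    return a_records, srv_records


def check_im_srv(zone_text, im_domain, expected_port=80):
    """Return a list of problems with the IM SRV setup; an empty list means it looks consistent."""
    a_records, srv_records = parse_zone(zone_text)
    owner = f"_rvp._tcp.{im_domain}".lower()
    matches = [r for r in srv_records if r.owner == owner]
    if not matches:
        return [f"no SRV record for {owner}"]
    problems = []
    for r in matches:
        if r.port != expected_port:
            problems.append(f"{owner}: port {r.port}, expected {expected_port} (IM runs over HTTP)")
        if r.target not in a_records:
            problems.append(f"{owner}: target {r.target} has no A record in the zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("good zone", SAMPLE_ZONE), ("bad zone", BAD_ZONE)):
        print(label, "->", check_im_srv(zone, "mydomain.com") or "OK")
```

Run it against an exported copy of your forward lookup zone and the IM domain you chose in the wizard; an empty result means the record Figure 2 shows is present, points at port 80, and names a host that actually has an address record.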
Enabling user access to the Instant Messaging Service:
- From the Active Directory Users and Computers snap-in, find the user account that you wish to work with.
- Right-click the user and select Exchange Tasks… which will present you with the window as shown in Figure 7 (note that I have selected the option to always dismiss the opening screen, so you may need to click Next.) If the user does not already have an Exchange mailbox, you will need to create one as follows:
- From the Exchange Task Wizard, select Create Mailbox and click Next.
- Select the predefined options for alias, server and mailbox store. In most cases, the default options will be suitable. Click Next to continue.
- Click Finish to close the Wizard.
- Once the user has been configured to have an Exchange mailbox, configure the user for Instant Messaging as follows:
- From the Exchange Task Wizard, select Enable Instant Messaging and click Next.
- From the next page, click Browse next to Instant Messaging Home Server and locate the server to use. Click OK to select the server.
- Select the Instant Messaging Domain from the drop-down list if you have not configured a SRV resource record in DNS and then click Next. If you have already configured a SRV resource record, then you do not need to worry about making a selection for the Instant Messaging Domain.
- From the Task Summary page make note of the Instant Messaging address that the user has been assigned—this is the email address the user will need to login to the Exchange Instant Messaging Service. Click Finish to close the Wizard.
- Remember that if you are using Digest authentication and you did not set the password policy before the user’s account was created (and they are using a non-Windows operating system), then you must now reset the user’s password. The user will not be able to log in to the Exchange Instant Messaging Service until their password has been changed. This only applies if you are using Digest authentication—not Integrated Windows authentication.
Figure 7 – Enabling a user to use the Exchange Instant Messaging Service.
Installing the client software and connecting users:
Remember that you will need a different version of the Windows Messenger client software than you can download from the Windows Update web site in order for it to work with your Exchange Instant Messaging Server. The latest version of the Instant Messaging client that will work with both the .NET service and the Exchange 2000 Server service can be found on a special download page here.
- Install the client software, either from the download page above or from the Exchange 2000 Server CD-ROM in the \Instmsg\I386\Client directory.
- Users logging into the service for the first time will need to specify an Exchange Instant Messaging logon name, as shown in Figure 8.
Figure 8 – Specifying the Exchange Instant Messaging logon name.
- If applicable, users can specify a .NET Passport logon name and password to access the .NET Instant Messaging infrastructure, as shown in Figure 9. If the option to add a .NET Passport account is not available, it can be configured later by clicking (within Messenger) Tools > Options… > Accounts tab, as shown in Figure 10. From here you control which services you sign into and in what order.
Figure 9 – Specifying the .NET Passport logon information.
Figure 10 – Configuring Account information for Instant Messaging.
In this article, I’ve covered the background and basics of the Exchange 2000 Server Instant Messaging Service. You can have contacts from both the Microsoft .NET Messenger service and also from your Exchange Instant Messaging Service. The Instant Messaging Service is a great asset to a company and can be used for any number of purposes, including (but, of course, not limited to) help desk support or immediate employee communication that does not require a permanent record (as email or paper communication would).
Lest you should think that Instant Messaging is all good, remember that with its built-in capability to transfer and share files across the connection, you are bound to run into problems. Tom Shinder has written an excellent article on just this issue entitled How to Block Dangerous Instant Messengers Using ISA Server, and it may well be worth your time to have a look.