If you would like to read the other parts of this article series please go to:
- 15 Tips to Optimize an Exchange 2010 Infrastructure (Part 1)
- 15 Tips to Optimize an Exchange 2010 Infrastructure (Part 3)
6. Better Together: Outlook 2010, SharePoint 2010, Windows Server 2008 R2, Lync 2010
Outlook 2010
If you have any doubt that Outlook 2010 is the richest and best client for Exchange Server 2010, just look at the Outlook feature comparison table available at this Wiki article.
Figure 1: Outlook and Outlook Web Access (OWA) Versions and Features
There are some Outlook-related tweaks that can be done to further improve general performance:
- Force the use of Outlook cached mode (per mailbox):
  Set-CASMailbox MailboxName -MAPIBlockOutlookNonCachedMode:$true
- Prevent previous versions of Outlook from connecting, either by modifying the Registry (KB288894) or by running the following cmdlet on each Client Access server:
  Set-RpcClientAccess -Server CAS01 -BlockedClientVersions "0.0.0-5.6535.6535;7.0.0;8.02.4-11.6535.6535"
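As an added example that is not part of the original article, the PowerShell below interprets a BlockedClientVersions string the way the cmdlet above uses it, and runs a few Outlook build numbers through it before anything is pushed to a server. It is a cheap way to confirm that the string blocks Outlook 2003 and earlier but not Outlook 2007 or 2010. The inclusive-range semantics ("low-high" blocks everything in between, a bare version blocks exactly that version, entries are separated by semicolons) and the sample build numbers are my assumptions; the version string itself is the one from the cmdlet above, and CAS01 is a placeholder.

```powershell
# Added example: evaluate an Exchange 2010 BlockedClientVersions string offline.
# Assumptions: entries are ';'-separated; 'low-high' blocks the inclusive range;
# a bare 'a.b.c' blocks exactly that version. Nothing else is accepted.
function Test-BlockedClientVersion {
    param(
        [Parameter(Mandatory=$true)][string]$BlockedClientVersions,
        [Parameter(Mandatory=$true)][string]$ClientVersion
    )
    $client = [version]$ClientVersion
    $entries = $BlockedClientVersions -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -match '^(?<low>[\d.]+)-(?<high>[\d.]+)$') {
            $low  = [version]$Matches.low
            $high = [version]$Matches.high
            if ($client -ge $low -and $client -le $high) { return $true }
        }
        elseif ($entry -match '^[\d.]+$') {
            if ($client -eq [version]$entry) { return $true }
        }
        else {
            throw "Unrecognised BlockedClientVersions entry: '$entry'"
        }
    }
    return $false
}

$block = '0.0.0-5.6535.6535;7.0.0;8.02.4-11.6535.6535'

# Sample client build numbers (assumed, for illustration only).
$samples = @(
    @('Outlook 2003 SP3', '11.0.8169.0'),
    @('Outlook 2007 SP2', '12.0.6423.1000'),
    @('Outlook 2010 RTM', '14.0.4760.1000'),
    @('MAPI 7.0.1',       '7.0.1')          # just outside the exact-match entry
)
foreach ($s in $samples) {
    '{0,-18} {1,-16} blocked: {2}' -f $s[0], $s[1], (Test-BlockedClientVersion $block $s[1])
}

# Once the string behaves as intended, apply it and read it back (Exchange
# Management Shell; CAS01 is a placeholder server name):
# Set-RpcClientAccess -Server CAS01 -BlockedClientVersions $block
# Get-RpcClientAccess -Server CAS01 | Format-List Server, BlockedClientVersions
```

Before widening any range, look at the client software and version strings your own servers' components present in the RPC Client Access logs; the gaps the documented string leaves are there so that non-Outlook MAPI clients keep working, and a block list should only cover builds you have tested.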
Windows 2008 R2
Don't waste too much time choosing the server OS for Exchange Server 2010: Windows Server 2008 R2 with SP1 is the right choice:
- Fewer prerequisites to install.
- Windows Server 2008 R2 SP1 includes the hotfixes required to install Exchange 2010 SP1.
- A comparison of the Exchange 2010 Client Access role supporting Outlook Anywhere users on Windows Server 2008 SP2 and on Windows Server 2008 R2 found that the improvements the Windows team made in R2 more than double the number of concurrent users a given server can support, assuming CPU is the limiting resource.
SharePoint Server 2010
Using SharePoint 2010 together with Exchange Server 2010 also has its benefits:
- Having SharePoint integrated with incoming e-mail through Exchange will assist in moving away from Public Folders. Messages can be sent to lists and libraries rather than to Public Folders.
- Having SharePoint integrated with outgoing e-mail allows the tracking of items (lists, libraries and documents) as well as assisting administrators with messages about storage limits being exceeded and so on.
Lync Server 2010
Exchange Server and Microsoft Lync Server 2010 work together to provide a seamless communication experience. Here are some of the leveraged features:
- Unified contact list
- Integrated presence
- IM chat in OWA
- Unified Messaging integration: call answering, auto-attendant, Outlook Voice Access.
7. The Art of Load Balancing
I’m not sure if load balancing, per se, is an art, but it sure is important, or it wouldn’t have an entire dedicated wiki page: Exchange 2010 Client Access Array and Load Balancing Resources (en-US).
When planning a high-availability solution with load balancing, keep these tips in mind:
- A hardware load balancer is recommended, but Windows NLB can still be used (unless the Client Access server is also a DAG member, since NLB cannot coexist with the failover clustering a DAG installs).
- The important aspects of the design are transparency, routing and persistence. Each workload has a preferred persistence (session affinity) method:

| Workload | Preferred session affinity |
|---|---|
| HTTP-based workloads | |
| Outlook Web App | Client IP or cookie |
| Exchange Control Panel | Client IP or cookie |
| Exchange ActiveSync | Client IP or Authorization header |
| Exchange Web Services | Cookie, SSL ID or client IP |
| Outlook Anywhere | Client IP, or no affinity/persistence |
| Offline Address Book | None |
| Autodiscover | No affinity/persistence |
| TCP socket-oriented workloads | |
| RPC Client Access | Client IP |
| Exchange Address Book | Client IP |
| RPC Endpoint Mapper | Client IP |
| Post Office Protocol (POP3) | No affinity/persistence |
| Internet Message Access Protocol (IMAP4) | No affinity/persistence |

Table 1: Preferred session affinity for each Exchange 2010 workload
- SSL offloading can improve CAS performance, since it moves the processor-intensive TLS work off the Client Access server. Bear in mind that with offloading the traffic between the load balancer and the CAS travels in clear text, so keep that segment on an isolated network or re-encrypt it. Please read How to Configure SSL Offloading in Exchange 2010.
- Use MAPI static ports (Configure Static RPC Ports on an Exchange 2010 Client Access Server), so that the load balancer and firewalls only have to handle a small fixed set of ports rather than the whole dynamic RPC range.
- Check with the vendor for setup and configuration guides.
- When combining the Client Access server, Hub Transport, and Mailbox server roles on the same machine, if the Mailbox servers are members of a DAG, additional planning is required. The clustering component added to Mailbox servers that are members of a DAG prevents Network Load Balancing (NLB) from being installed on the server. In this case, there are two main options:
  - Purchase a hardware load balancing appliance.
  - Virtualize the Exchange server roles and isolate the Mailbox server role onto a separate virtual machine running on the same physical server as the virtual Client Access server. With this isolation, you can run NLB for Client Access servers and Mailbox servers that are members of a DAG on the same physical server.
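As an added example that is not part of the original article, the following PowerShell pins the RPC Client Access and Address Book services of a Client Access server to static ports and then checks that both are listening. Run it in an elevated PowerShell session on each CAS. The port numbers 59531 and 59532 are an assumption (any unused ports work, as long as every CAS in the array uses the same ones); the registry locations are the ones documented for Exchange 2010 SP1 and later. On RTM the Address Book port lives in Microsoft.Exchange.AddressBook.Service.exe.config instead, and Mailbox servers that host public folder databases take the same MSExchangeRPC setting.

```powershell
# Added example: static RPC ports for Outlook (MAPI) traffic on an Exchange 2010 CAS.
# Assumptions: the port numbers below (pick your own, identical on every CAS in the
# array); registry locations are those documented for Exchange 2010 SP1 and later.
$rpcPort = 59531    # RPC Client Access service (MSExchangeRPC)
$abPort  = 59532    # Address Book service (MSExchangeAB)

$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

# Sets one registry value idempotently; returns $true when something was changed.
function Set-StaticExchangePort {
    param(
        [Parameter(Mandatory=$true)][string]$Key,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Port,
        [Parameter(Mandatory=$true)][ValidateSet('DWord','String')][string]$Type
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ("$current" -eq "$Port") {
        Write-Host "$Name already $Port under $Key"
        return $false
    }
    # The RPC Client Access value is a REG_DWORD, the Address Book value a REG_SZ.
    $value = if ($Type -eq 'DWord') { [int]$Port } else { [string]$Port }
    New-ItemProperty -Path $Key -Name $Name -Value $value -PropertyType $Type -Force | Out-Null
    Write-Host "$Name set to $Port under $Key"
    return $true
}

$changed = @(
    Set-StaticExchangePort -Key $rpcKey -Name 'TCP/IP Port' -Port $rpcPort -Type DWord
    Set-StaticExchangePort -Key $abKey  -Name 'RpcTcpPort'  -Port $abPort  -Type String
) -contains $true

if ($changed) {
    # The new endpoints are registered with the endpoint mapper only at service start.
    Restart-Service -Name MSExchangeRPC, MSExchangeAB -Force
    Start-Sleep -Seconds 10
}

# Verify: both ports should show as LISTENING. netstat is used because
# Windows Server 2008 R2 has no Get-NetTCPConnection.
netstat -ano -p tcp | Select-String -Pattern (':({0}|{1})\s+\S+\s+LISTENING' -f $rpcPort, $abPort)
```

With static ports in place the load balancer only needs TCP 135 (endpoint mapper) plus these two ports for MAPI traffic, which is also a far smaller firewall surface than the dynamic RPC range.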
8. Security Best Practices
The topic of security by itself could provide material for several articles. First of all, read the Exchange 2010 Security Guide. Second, since it's impossible to condense here all the prescriptive guidance provided by that document, consider applying at least the following:
- Block legacy Outlook clients. Based on your requirements, you can configure Outlook client blocking to block legacy Outlook client versions. For more information, see Configure Outlook Client Blocking.
- If you deploy file-system antivirus software to protect your Exchange servers, consider the following:
  - You must exclude the Exchange server directories where the mailbox and public folder databases (and their transaction logs) are stored from file-system antivirus scanners. For details, see File-Level Antivirus Scanning on Exchange 2010.
  - File-system antivirus scanners only protect files. To protect e-mail messages, you should also consider implementing Exchange-aware antivirus or messaging security products, such as Microsoft Forefront Protection 2010 for Exchange Server or suitable partner or third-party products.
- Keep track of the certificates installed on your servers and of when they expire:
  Get-ExchangeCertificate | FL PsComputerName, IssuerName, Status, NotAfter
- Design your organizational unit (OU) structure for role-based policies. For example, you can disable the POP or IMAP service for all Exchange servers but enable it for Client Access servers. For additional information on this topic, please read Designing OU Structures that Work.
- Implement the security policies identified in the Enterprise Client (EC) settings or the Specialized Security – Limited Functionality (SSLF) settings.
- Audit the security logs on your servers.
| Exchange-related deployment scenario or feature | Forefront TMG | Forefront UAG |
|---|---|---|
| Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication | Yes | Yes |
| Publish Outlook Anywhere using Basic or NTLM authentication | Yes | Yes |
| Publish Microsoft Exchange ActiveSync using Basic authentication | Yes | Yes |
| Provide load balancing for HTTP-based protocols accessed from the Internet | Yes | Yes |
| Support two-factor authentication for Outlook Web App | Yes | Yes |
| Support two-factor authentication for Exchange ActiveSync | Yes | |
| Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP | Yes | |
| Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server | Yes | |
| Protect and filter Internet access for internal users from malware and other Web-based threats | Yes | |
| Provide support for scaled-up Outlook Anywhere deployments by using multiple source IP addresses | Yes | |
| Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc. | | Yes |
| Thoroughly clean up the client following an Outlook Web App session, with settings configurable by the admin | | Yes |

Table 2: Features available with TMG and UAG when publishing Exchange Server 2010
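As an added example that is not in the original article, the following PowerShell builds the file-level antivirus exclusion list from the running server's own Exchange configuration rather than from a typed list, so a database or log folder that was moved later is not silently left inside the scan scope. It assumes the Exchange Management Shell (for the $exinstall variable and the cmdlets) and the default inetpub location; the function name and output file are mine.

```powershell
# Added example: collect file-level antivirus exclusions from the server's own
# Exchange configuration. Run in the Exchange Management Shell on the server being
# protected; $exinstall is the EMS install-root variable. The folder set follows the
# "File-Level Antivirus Scanning on Exchange 2010" guidance for the roles present.
function Get-ExchangeAvExclusion {
    param([string]$Server = $env:COMPUTERNAME)

    $paths = New-Object 'System.Collections.Generic.List[string]'

    # Mailbox and public folder databases: the folder holding the .edb (which also
    # holds the .chk checkpoint and the content-index catalog) and the log folder.
    $dbs = @(Get-MailboxDatabase -Server $Server -ErrorAction SilentlyContinue) +
           @(Get-PublicFolderDatabase -Server $Server -ErrorAction SilentlyContinue)
    foreach ($db in $dbs) {
        $paths.Add((Split-Path -Path $db.EdbFilePath.PathName -Parent))
        $paths.Add($db.LogFolderPath.PathName)
    }

    # Hub Transport: queue database plus pickup/replay and log directories, read from
    # the transport server object so relocated folders are picked up too.
    $ts = Get-TransportServer -Identity $Server -ErrorAction SilentlyContinue
    if ($ts) {
        $paths.Add((Join-Path $exinstall 'TransportRoles\Data'))
        foreach ($prop in 'PickupDirectoryPath', 'ReplayDirectoryPath', 'MessageTrackingLogPath',
                          'ConnectivityLogPath', 'ReceiveProtocolLogPath', 'SendProtocolLogPath',
                          'RoutingTableLogPath', 'PipelineTracingPath') {
            if ($ts.$prop) { $paths.Add($ts.$prop.PathName) }
        }
    }

    # Every role: Exchange's own logging tree; Client Access adds the IIS logs.
    $paths.Add((Join-Path $exinstall 'Logging'))
    if (Get-ClientAccessServer -Identity $Server -ErrorAction SilentlyContinue) {
        $paths.Add((Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'))
    }

    $paths | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
}

# File types that must not be scanned wherever they appear (database, transaction
# log, checkpoint, reserved log and transport queue database).
$excludedExtensions = '.edb', '.log', '.chk', '.jrs', '.que'

$exclusions = Get-ExchangeAvExclusion
$exclusions | Set-Content -Path "$env:TEMP\exchange-av-exclusions.txt"
$exclusions
$excludedExtensions
```

Feed the resulting folder and extension lists into the scanner's exclusion policy, then cross-check them against the full directory list in File-Level Antivirus Scanning on Exchange 2010, which also names process exclusions that this script does not cover.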
9. Mobility (Android, iPhone, Windows Phone)
Mobility is no longer a trend; it is now critical for most businesses around the world. The days of the early Direct Push implementations of Exchange Server 2003 SP2 are gone, and since then the world has standardized on Microsoft's ActiveSync protocol. But even though ActiveSync is the de facto standard, different implementations of the protocol sometimes mean different features, so be aware of the differences. Microsoft has recently launched the Exchange ActiveSync Logo Program to establish a baseline for EAS functionality in mobile e-mail devices.
For more information on the topic, please read Understanding Mobile Phones.
This is the list of issues you should be aware of:
- 2711053 – High CPU usage when you synchronize a mobile device to an Exchange Server CAS
- 2711181 – Duplicate contacts are created when you synchronize a mobile device by using Exchange ActiveSync
- 2714118 – Calendar items that are copied are missing in Exchange Server 2007
10. Outlook Performance
When working within Outlook, you may experience performance issues that have nothing to do with your Exchange back-end servers. Instead these are expected behaviours that can be mitigated by following some best practices:
- Large OST size: now that big mailboxes are common, the local cache file (.OST) can be the cause of slow performance, especially if you are not using an SSD. There is a very good KB article on the subject (KB 940226). Basically, try to follow these guidelines (for Outlook 2007 SP1 or later):
  - Up to 5 gigabytes (GB): this size should provide a good user experience on most hardware.
  - Between 5 GB and 10 GB: this size is typically hardware dependent. Slower hard drives, such as those typically found in portable computers or early-generation solid state drives (SSDs), experience some application pauses while the drive responds.
  - More than 10 GB: this is where short pauses begin to occur on most hardware.
  - Very large, such as 25 GB or larger: this size increases the frequency of the short pauses, especially while you are downloading new e-mail. You can also use Send/Receive groups to sync your mail manually.
  The "Download shared folders" option shown in Figure 2 also adds other users' folders to the .OST; clear it if users do not need those folders offline.
  Figure 2: Download shared folders
- Messages stuck in the Outbox with Outlook Anywhere: newer network devices have more aggressive timeouts. These timeouts can manifest as problems when using Outlook Anywhere, specifically messages stuck in the Outbox. To resolve this issue, change the timeout for the RPC Proxy component on the Client Access servers to 120 seconds by setting the following Registry value (DWORD):
  HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout
- Enable logging for RPC Client Access throttling: by default, no RPC Client Access throttling activity is logged. To enable the PerfMon counters and see how often throttling is occurring, modify the Microsoft.Exchange.RpcClientAccess.Service.exe.config file in \Program Files\Microsoft\Exchange Server\V14\Bin. Add Throttling to the comma-separated LoggingTag string, then restart the RPC Client Access service:
  <add key="LoggingTag" value="ConnectDisconnect, Logon, Failures, ApplicationData, Warnings, Throttling" />
- Disable mailbox auto-mapping in Outlook: Outlook 2007/2010 can open any mailbox to which a user has Full Access and, through Autodiscover, automatically loads every mailbox to which the user has Full Access. If the user has Full Access to a large number of mailboxes, Outlook start-up suffers. Exchange 2010 SP2 lets administrators disable this behaviour by setting the new AutoMapping parameter of Add-MailboxPermission to $false. Follow these steps: Disable Outlook Auto-Mapping with Full Access Mailboxes.
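As an added example that is not part of the original article, the PowerShell below applies the three server-side tweaks from this section in one idempotent pass: the RPC Proxy timeout, the LoggingTag change (edited as XML rather than with a string replace, with a backup), and a Full Access grant without auto-mapping. It assumes the Exchange Management Shell on a Client Access server running SP2 or later; Shared01 and alice are placeholder identities.

```powershell
# Added example: apply the three Outlook-performance tweaks from this section on a CAS.
# Run in the Exchange Management Shell as an administrator. 'Shared01' and 'alice'
# are placeholder identities; $exinstall is the EMS install-root variable.

# 1. Outlook Anywhere: raise the RPC Proxy minimum connection timeout to 120 seconds
#    so aggressive network devices do not drop idle RPC-over-HTTP connections.
$rpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
if (-not (Test-Path $rpcPolicy)) { New-Item -Path $rpcPolicy -Force | Out-Null }
New-ItemProperty -Path $rpcPolicy -Name MinimumConnectionTimeout -Value 120 `
    -PropertyType DWord -Force | Out-Null

# 2. RPC Client Access throttling counters: add 'Throttling' to the LoggingTag
#    appSetting. The file is edited as XML and backed up first.
$rpcConfig = Join-Path $exinstall 'Bin\Microsoft.Exchange.RpcClientAccess.Service.exe.config'
[xml]$cfg = Get-Content -Path $rpcConfig
$tagNode = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'LoggingTag' }
if (-not $tagNode) { throw "No LoggingTag appSetting found in $rpcConfig" }
$tags = @($tagNode.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($tags -notcontains 'Throttling') {
    Copy-Item -Path $rpcConfig -Destination "$rpcConfig.bak" -Force
    $tagNode.value = ($tags + 'Throttling') -join ', '
    $cfg.Save($rpcConfig)
    Restart-Service -Name MSExchangeRPC -Force    # the service reads the file only at start
}

# 3. Full Access without Outlook auto-mapping (SP2 or later). The auto-mapping link
#    is written when the permission is granted, so an existing grant has to be
#    removed and re-added with -AutoMapping $false.
$shared = 'Shared01'
$user   = 'alice'
Remove-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess `
    -Confirm:$false -ErrorAction SilentlyContinue
Add-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess `
    -AutoMapping $false | Out-Null

# Verify all three.
Get-ItemProperty -Path $rpcPolicy -Name MinimumConnectionTimeout | Select-Object MinimumConnectionTimeout
([xml](Get-Content -Path $rpcConfig)).configuration.appSettings.add |
    Where-Object { $_.key -eq 'LoggingTag' } | Select-Object value
Get-MailboxPermission -Identity $shared -User $user | Select-Object User, AccessRights, IsInherited
```

Step 3 only affects grants made (or re-made) after the change; mailboxes that were granted Full Access before SP2 keep auto-mapping until their permission is removed and added again this way.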
Summary
With 10 tips already covered, we still have 5 more to come in the last part of this series. Virtualization and DAG optimizations are just some of the hot topics that will be covered in part 3.