15 Tips to Optimize an Exchange 2010 Infrastructure (Part 2)

If you would like to read the other parts of this article series please go to:

6.    Better Together: Outlook 2010, SharePoint 2010, Windows Server 2008 R2, Lync 2010

Outlook 2010

If you have any doubt that Outlook 2010 is the richest and best client for Exchange Server 2010, just look at the Outlook feature comparison table available at this Wiki article.

Figure 1: Outlook and Outlook Web Access (OWA) Versions and Features

There are some Outlook related tweaks that can be done to further improve general performance:

Force the use of Outlook cached mode:

  • Set-CasMailbox MailboxName –MAPIBlockOutlookNonCachedMode:$true

Prevent previous versions of Outlook from connecting, by modifying the Registry (KB288894) or by running the following cmdlet:

  • Set-RpcClientAccess -Server CAS01 -BlockedClientVersions “0.0.0-5.6535.6535;7.0.0;8.02.4-11.6535.6535”

Windows 2008 R2

Don’t waste too much time choosing the server OS for Exchange Server 2010, Windows Server 2008 R2 + SP1 is the right choice:

  • Less pre-requisites installation.

  • Windows 2008 R2 SP1 includes the hotfixes required to install Exchange 2010 SP1.

  • It was compared the performance of the Exchange 2010 Client Access role supporting Outlook Anywhere users on both Windows 2008 SP2 and Windows 2008 R2, and found that the improvements the Windows Team has made in R2 more than doubles the number of concurrent users a given server can support, assuming CPU is the limiting resource.

SharePoint Server 2010

Using SharePoint 2010 together with Exchange Server 2010 also has its benefits:

  • Having SharePoint integrated with incoming email through Exchange will assist in moving away from Public Folders. Messages can be sent to lists and libraries rather than Public Folders.

  • Having SharePoint integrated with outgoing email will allow the tracking of items (lists, libraries and documents) as well as assisting administrators with messages regarding storage limitations being exceeded and so on.

Lync Server 2010

Exchange Server and Microsoft Lync Server 2010 work together to provide a seamless communication experience. Here are some of the leveraged features:

  • Unified contact list

  • Integrated presence

  • IM chat in OWA

  • Unified Messaging integration: call answering, auto-attendant, Outlook Voice Access.

7.    The Art of Load Balancing

I’m not sure if load balancing, per se, is an art, but it sure is important, or it wouldn’t have an entire dedicated wiki page: Exchange 2010 Client Access Array and Load Balancing Resources (en-US).

When planning a high-availability solution with load balancing, keep this tips in mind:

  • Hardware load balancer is recommended, but NLB can still be used (unless the server is part of a DAG)

  • Important aspects are

    • Transparency

    • Routing

    • Persistence

  • Think about the Exchange workload. Use the following cheat sheet:


Preferred Session
Persistence Method


Outlook Web App

Client IP or Cookie

Exchange Control Panel

Client IP or Cookie

Exchange ActiveSync

Client IP or Authorization header

Exchange Web Services

Cookie, SSL ID or Client IP

Outlook Anywhere

Client IP or No affinity/persistence

Offline Address Book



No affinity/persistence

TCP Socket Oriented Workloads

RPC Client Access

Client IP

Exchange Address Book

Client IP

RPC Endpoint Mapper

Client IP

Post Office Protocol (POP3)

No affinity/persistence

Internet Message Access Protocol (IMAP4)

No affinity/persistence

Table 1

  • SSL offloading can improve CAS performance, as it offloads intensive processor utilization from Client Access Server. Please read How to Configure SSL Offloading in Exchange 2010.

  • Check with the vendor for setup and configuration guides.

  • When combining the Client Access server, Hub Transport, and Mailbox server roles on the same machine, if the Mailbox servers are members of a DAG, additional planning is required. The clustering component added to Mailbox servers that are members of a DAG prevents Network Load Balancing (NLB) from being installed on the server. In this case, there are two main options:

    • Purchase a hardware load balancing appliance.

    • Virtualize the Exchange server roles and isolate the Mailbox server role onto a separate virtual machine running on the same physical server as the virtual Client Access server. With this isolation, you can run NLB for Client Access servers and Mailbox servers that are members of a DAG on the same physical server.

8.    Security Best Practices

The topic of security by itself could provide material for several articles. First of all, read Exchange 2010 Security Guide. Second, since it’s impossible to condense here all the prescriptive guidance provided by that document, consider applying the following ones:

  • Block legacy Outlook clients. Based on your requirements, you can configure Outlook client blocking to block legacy Outlook client versions. For more information, see Configure Outlook Client Blocking.

  • If you deploy file-system antivirus software to protect your Exchange servers, consider the following:

    • You must exclude Exchange server directories where the Exchange mailbox and public folder databases are stored, from file system antivirus scanners. For details, see File-Level Antivirus Scanning on Exchange 2010.

    • File system antivirus scanners only protect files. To protect e-mail messages, you should also consider implementing Exchange-aware antivirus or messaging security products such as including Microsoft Forefront, or suitable partner or third-party products

  • Use Windows Firewall. Exchange 2010 is designed to run with the Windows Server Firewall with Advanced Security enabled. Exchange Setup creates the required firewall rules to allow Exchange services and processes to communicate. It creates only the rules required for the services and processes installed on a given server role.

  • For external client access mechanisms and protocols, such as Outlook Web App, POP3, IMAP4, Outlook Anywhere, and AutoDiscover, use certificates signed by a commercial certification authority (CA) that’s trusted by clients accessing those services.

  • Your Exchange servers rely on SSL certificates to encrypt data. Since SSL certificates expire, it’s a good idea to check regularly the expiration dates. If a certificate expires, then services like ActiveSync and OWA will fail. To check certificate usage, open the Exchange Management Shell (EMS) and enter the following command:
    Get-ExchangeCertificate | FL PsComputerName, IssuerName, Status, NotAfter

  • You no longer need to use the Security Configuration Wizard (SCW) or the Exchange templates for SCW. Exchange 2010 Setup installs only those services required for a given Exchange server role, and creates Windows Firewall with Advanced Security rules to open only the ports required for the services and processes for that server role

  • Some basic steps you can take to harden Windows Server 2008 R2 or Server 2008 include the following:

    • Design your organizational unit (OU) structure for role-based policies. For example, you can disable the POP or IMAP service for all Exchange servers but enable it for Client Access servers. For additional information on this topic, please read Designing OU Structures that Work.

    • Implement the security policies identified in the Enterprise Client (EC) settings or the Specialized Security – Limited Functionality (SSLF) settings.

    • Audit the security logs on your server.

  • Use Microsoft Update to update the OS, Exchange Server and the malware signatures.

  • Secure Exchange 2010 with Forefront TMG or Forefront UAG. Both options offer publishing wizards and security features to provide secure access to Exchange when it’s accessed from outside the safety of the corporate network. To choose which product to use, decide first what features you need or think you may need:

Exchange Related Deployment Scenario or Feature

Forefront TMG

Forefront UAG

Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication



Publish Outlook Anywhere using Basic or NTLM authentication



Publish Microsoft Exchange ActiveSync using Basic authentication



Provide load balancing for HTTP-based protocol accessing from the Internet



Support two-factor authentication for Outlook Web App



Support two-factor authentication for Exchange ActiveSync


Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP


Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server


Protect and filter Internet access for internal users from malware and other Web-based threats


Provide support for scaled up Outlook Anywhere deployments by using multiple source IP addresses


Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc.


Thoroughly clean up the client following an Outlook Web App session with settings configurable by the admin


Table 2: Features available with TMG and UAG when publishing Exchange Server 2010

9.    Mobility (Android, iPhone, Windows Phone)

Mobility is no longer a trend, it’s now critical for most businesses around the world. Gone are the days of the early implementations of Exchange Server 2003 SP2’s Direct Push, since then the world has standardized around Microsoft’s ActiveSync protocol. But even though ActiveSync is the de facto standard, different implementations of the protocol mean sometimes different features, so please be aware of the differences. Microsoft has recently launched the Exchange ActiveSync Logo Program to establish baseline for EAS functionality in mobile email devices.

For more information on the topic, please read Understanding Mobile Phones.

This is the list of issues you should be aware of:

10.  Outlook Performance

When working within Outlook, you may experience some performance issues that have nothing to do with your Exchange backend servers. Instead these are expected behaviors that can be mitigated by following some best practices:

  • Large OST size – Now that it’s common to have big mailboxes, the local cache file (.OST) can be the cause of some slow performance, especially if you are not using an SSD disk. There is a very good KB article on the subject (KB 940226). Basically, try to follow these guidelines (for Outlook 2007 SP1 or higher):

    • Up to 5 gigabytes (GB): This size should provide a good user experience on most hardware.

    • Between 5 GB and 10 GB: This size is typically hardware dependent. Slower hard drives, such as drives that are typically found on portable computers or early generation solid state drives (SSDs), experience some application pauses when the drives respond.

    • More than 10 GB: This size is where short pauses begin to occur on most hardware.

    • Very large, such as 25 GB or larger: This size increases the frequency of the short pauses, especially while you are downloading new e-mail. As described above, you can use Send/Receive groups to manually sync your mail.

  • Overstuffed folders – When an Outlook user works with items in a folder that contains many items. Outlook must perform several operations against the Exchange server to retrieve the contents of a folder. Therefore, when there are many items in a folder, additional processing is required to respond to the Outlook requests. Maintain a maximum of 2,500 to 5,000 items in a folder and create more top folders to organize your messages. For further information on the topic, see KB 905803.

  • Shared folders caching – By default, if a Microsoft Outlook 2010 profile is configured in Cached mode and you add another user’s mailbox or shared folder to your profile, all items in all the folders to which you have access in the shared mailbox are downloaded to your local cache. As you can imagine, this can slow things down a little bit. To prevent this behavior, you have to go to Account Settings in Outlook, select the mail profile, click Change, More Settings and then Advanced. Make sure that Download shared folders is not selected (Figure 2).

Figure 2: Download shared folders

  • Messages stuck in Outbox with Outlook Anywhere – Newer network devices have more aggressive timeouts. These timeouts can manifest as problems when using Outlook Anywhere; specifically, messages stuck in the Outbox. To resolve this issue, change the timeout for the RPC Proxy component to 120 seconds:

    HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout

  • Enable Logging for RPC Client Access Throttling – By default, no RPC Client Access throttling activity is logged. To enable PerfMon counters, to see how often throttling is occurring, modify the Microsoft.Exchange.RpcClientAccess.Service.exe.config file in \Program Files\Microsoft\Exchange Server\V14\Bin. Add Throttling to the LoggingTag comma separated string, then restart the RPC Client Access service.
    <add key=”LoggingTag” value=”ConnectDisconnect, Logon, Failures, ApplicationData, Warnings, Throttling ” />

  • Disable Mailbox Auto-Mapping in Outlook – Outlook 2007/2010 can map to any mailbox to which a user has Full Access and, through Autodiscover, automatically loads all mailboxes to which the user has Full Access. If the user has Full Access to a large number of mailboxes, performance suffers when starting Outlook. SP2 enables admin to disable this behavior by setting new Automapping parameter for Add-MailboxPermission to False. Follow these steps: Disable Outlook Auto-Mapping with Full Access Mailboxes.


With 10 tips already covered, we still have 5 more to come in the last part of this series. Virtualization and DAG optimizations are just some of the hot topics that will be covered in part 3.

If you would like to read the other parts of this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top