In many organizations using Exchange 2016, you have a helpdesk with Tier 1 engineers all the way up to Tier 3 or Tier 4. Each has its own set of rights to manage Exchange 2016. You know that any changes made to the backend can only be done by a certain tier and if anything goes wrong, you know where to ask.
In other companies, everyone has full access to do anything Exchange-related — install updates, disable mailboxes, configure connectors, set permissions, you name it. They might even log in with the main administrator account for the domain, which means there is no accountability for what was done by whom.
What if you are a hosting company? Surely you would not want resellers or end-users logging into Exchange directly to make a change? Just consider the possibilities! “Oh my mailbox is full, let me quickly increase it to 100GB so I can have more space without paying.” Or you have a user in the company with malicious intent who grants themselves access to the CEO’s mailbox and can see everything going on. Or people grant themselves access to finance mailboxes.
Another layer for Exchange 2016
In that case, you need to look at another layer on top of Exchange 2016. There are a few out there, but I would like to chat about CloudBlue (Odin) as I have worked with it quite a bit. These are Linux servers that sit in your environment and are managed by a party overseas. Like with most third-party applications, you need to pay for X number of hours of support when you run into an issue or you want to upgrade to the newer version.
Let’s first take a look at some of the challenges before diving into what the product can do.
There are some challenges with this kind of setup, though. First, they do not support the latest and greatest rollup (Exchange 2010) or cumulative update (CU) for Exchange. Their website lists what they support, and they advise that if you want to upgrade, you do so in a lab first and then go to production. But you never know what kind of errors you can run into.
Their support is in a different time zone, so if you are in the U.S. or Canada, you have to either wait until the early hours of the morning or late in the evening to get support, or pay for emergency support.
The next challenge comes when a task is stuck or you remove a node: nothing works, and you cannot access certain areas of the control panel without the help of the support team. Sometimes it is just a simple case of a Domain Controller not accepting requests, and a reboot fixes it all. Most of the information is written to the logs and covered in the KB articles.
What it can do for you
Now let’s head over to what it can do for you. First, you can create different groups, resellers, etc. and you can list which resources each of them has. For example, you have a customer that has 100 users and they want to have 100GB mailboxes. You then do client provisioning (CP), and Odin creates tasks that initiate on Exchange/Active Directory to create the user and the mailbox with the correct size and their send/receive limits. Once the resources are allocated, there may be none left so an admin cannot just go and add space to a mailbox or provision a SharePoint site, because it has to go through a billing stage and the quote needs to be accepted before continuing.
This also allows you to control what you can do on the CP. The reseller can add users to distribution groups or grant access to mailboxes but everything they do is audited. Every item changed or updated has a task that is sent to Exchange/Active Directory.
All admins on the CP, from the super admin to the reseller admin, are audited. Some companies request these audit logs when they, in turn, are audited to show that everything is being monitored.
The hosting company will load all their Domain Controllers, mailbox servers, and hub servers, and they can see where all mailboxes are stored and which database availability group each is on, and perform mailbox moves. Mailbox moves can occur when you are moving to a different platform and building new servers, for example on VMware or Hyper-V, or when you are migrating to a different Exchange version. Odin creates the mailbox move requests, and you can see them in the move request pane in the Exchange management console or by using PowerShell. However, you do not clear the move request yourself, as Odin does this automatically once it has completed the move.
Resellers, however, don’t have that sort of permission, so you won’t have a situation where something is moved for whatever reason. One reseller cannot change something on another one’s CP to cause an issue as each has their own login.
Odin has a billing and operations side of things. You can navigate to CloudBlue for more information on that as we are dealing more with the technical side of things.
Think of Odin as the authoritative source. If you make a change to certain areas of Exchange, Odin will put it back to what it has been set to. An admin can go to the CP and change the flow of mail for a domain to internal relay, for example, if the mailboxes are no longer hosted by the hosting company.
A change that won’t be put back is mailbox sizes. Odin will set the size initially, but you can go onto the backend and change it, although Odin won’t see the change.
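Because a quota changed directly on the backend is invisible to Odin, the Exchange admin audit log is where such a change shows up. The following is an added example, not code from the article or from CloudBlue: it filters audit entries for quota changes and mailbox-permission grants made by anyone other than the provisioning account. The service-account name, the `Find-OutOfBandChange` and `New-Entry` helpers, and the sample entries are assumptions constructed for illustration.

```powershell
# Added example, not from the article or CloudBlue.
# Assumption: control-panel tasks reach Exchange under one dedicated service
# account (hypothetical name below); any other caller acted on the backend.
$ProvisioningAccounts = @('contoso.local/Service Accounts/svc-provisioning')

# Cmdlets and parameters matching the article's risks: quota and mailbox access.
$Watched = @{
    'Set-Mailbox'           = @('ProhibitSendQuota', 'ProhibitSendReceiveQuota', 'IssueWarningQuota')
    'Add-MailboxPermission' = @('AccessRights')
}

function Find-OutOfBandChange {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [string[]] $Trusted = $ProvisioningAccounts
    )
    foreach ($e in $Entries) {
        if (-not $Watched.ContainsKey($e.CmdletName)) { continue }
        if ($Trusted -contains $e.Caller) { continue }   # provisioned through the panel
        # Keep only watched parameters, so unrelated Set-Mailbox calls are ignored.
        $hits = @($e.CmdletParameters | Where-Object { $Watched[$e.CmdletName] -contains $_.Name })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            RunDate = $e.RunDate
            Caller  = $e.Caller
            Cmdlet  = $e.CmdletName
            Target  = $e.ObjectModified
            Change  = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Constructed sample entries, shaped like Search-AdminAuditLog output.
function New-Entry($Caller, $Cmdlet, $Target, $Name, $Value) {
    [pscustomobject]@{ RunDate = '2024-01-10'; Caller = $Caller; CmdletName = $Cmdlet
        ObjectModified = $Target; CmdletParameters = @([pscustomobject]@{ Name = $Name; Value = $Value }) }
}
$sample = @(
    New-Entry 'contoso.local/Service Accounts/svc-provisioning' 'Set-Mailbox' 'jdoe' 'ProhibitSendReceiveQuota' '100 GB'
    New-Entry 'contoso.local/Users/helpdesk1' 'Set-Mailbox' 'helpdesk1' 'ProhibitSendReceiveQuota' '100 GB'
    New-Entry 'contoso.local/Users/helpdesk1' 'Add-MailboxPermission' 'ceo' 'AccessRights' 'FullAccess'
    New-Entry 'contoso.local/Users/admin2' 'Set-Mailbox' 'jdoe' 'DisplayName' 'John Doe'
)
Find-OutOfBandChange -Entries $sample | Format-Table -AutoSize   # flags the two helpdesk1 rows

# Against a live server, from the Exchange Management Shell:
# $live = Search-AdminAuditLog -Cmdlets Set-Mailbox,Add-MailboxPermission -StartDate (Get-Date).AddDays(-7)
# Find-OutOfBandChange -Entries $live
```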
That is a high-level overview of what you can do with CloudBlue. You have control over your environment and, yes, the third party has access to your systems, but you can also control how they log in to your servers. You can grant them the rights to do work and then take those rights away so they cannot log in and do things without you knowing about it.