Recommendations for Rookies – Microsoft Project Professional 2010

These past couple of months I have been working with my fellow project manager, Dan, to configure and figure out Project Server. After playing with a lot of the settings, I found that the backbone of Project Server’s web application is really Microsoft Project Professional. So far, to us, Server is an interactive platform to do resource allocation and update projects via timesheets. In order for Project Server to behave the way we want, we need project plans that are properly constructed. You can create a basic project plan in the project web app but it is not going to have a lot of the features that our in-depth project plans need.

Through my tests and trials I noticed there is a specific order each column should be filled in that works best. I start with the task name and fill in every task and sub task in the project. Then I build my team and assign the resources required to complete each task. Next I set the order the tasks are to be completed in by noting the predecessors. The last thing I do is determine task type and enter my variables.

Project uses three variables to determine the timeline of a project-Duration, Units and Work. Duration is the overall amount of time it will take to accomplish a task, which is usually measured in days. Units depend on the resource and is the percentage of available time the resource gives to the task. The third, Work, is the amount of time in hours it actually takes to do the task. The underlying concept is that you tell project 2 of the variables, one of which is fixed as the task type, and the program populates the third. For example, if you enter a task with Work = 8 hours and Duration = 2 Days, project will calculate that 50% of the resource’s effort will go to that task on each day. People often overlook that the default task type in Project is Fixed Units. So given the scenario above, if you keep the task type set to Fixed Units and then you change duration, project will recalculate the amount of work. This can be a bit confusing so here is my recommendation for rookies:

The task type should be set to the variable that does not change. Enter that variable for each task in its associated column. Then enter the variable you would like to control in its column. Finally, hit “Calculate Project” and let the program determine the values for the third variable.

Heidi Christensen, PEI

The Advent of the Cloud

With Cloud computing being ‘all the rage’, I can’t help but equate the evolution of the IT sector with the demographic that tends to follow suite. Does anyone really remember “Time Sharing”? One job in…one job out.

If you’re under 45 years old, probably not.

Dumb terminals, probably IBM green screens, hard wired into monolithic mainframes; could be IBM’s, NCR’s, Burroughs, Digital Equipment Corp’s (DEC’s), Wang, Sperry Rand, Control Data (my former employer), Honeywell and yes………even General Electric.

This was the era of the baby boomer. Typically folks born between 1946 and 1964. Green stamps, posty notes, wide ties, milkmen, xx cents for a gallon of gas, hula hoops and Frisbees, drive-ins, silly putty, mood rings, lava lamps, 8 track players and pet rocks all come to mind.

Then Nerds starting showing up……..and creating companies that would forever change the way we live.

PC’s, Client Server, then Enterprise and Internet computing came into vogue and as a result time, sharing and ‘batch processing’ went through any number of transformations.

Application Service Provider (ASP) comes to mind where a vendor might house any number of ‘instances’ of an app and effectively ‘rent’ it to a customer. This is about the time the Gen X crowd (born early 60’s to late 70’s) would have hit the employment market.

Then SaaS (software-as-a-service), PaaS, and IaaS, started showing up. And low and behold……here comes Gen Y (born from the 70’s to 2000) to bring it to the marketplace.

And now “the cloud”…………..

Just wondering what they’ll call that generation. Gen Z?

Matt Teahan, PEI

Lync: Changing the Way We do Business

It was really great to participate in a live demonstration with a prospect and begin using these products at work and see the power of Microsoft’s Lync. I guess I’ve been a little old school and have always been the one to pick up the phone a ‘reach out and touch someone’. What a big step up the food-chain to see who is available to reach out to, how long they will be gone or just what their current status is. Even better, a quick Instant Message (IM) and I can get my quick question answers without having to wait for them to complete their current call. The coolest part is being able to ‘federate’ with people outside of the same company. Friends and colleagues from all over the world can have visibility into my status and know if I can talk to them now or in an hour.

It’s like Skpe on every desktop. And it’s Free, no minutes to worry about, all VOIP.

It does reinforce one basic point and one fundamental change for those of us that have grownup over the last 30 years in the computer revolution, proprietary PBXs, etc..…Telephony is just application on the net.

-Brent Cherry, PEI

Setting up Simultaneous Ring on Lync

Simultaneous ring is a great tool to have for Lync in case you are busy or briefly unavailable. Unlike call forwarding where your phone doesn’t ring, you can have your incoming calls simultaneously ring your office phone and another number or contact that you so choose. This setting is a great way to ensure that callers never get a busy signal and that an important call is never missed. What also makes this a great tool is that the caller will never know their call has been forwarded. It can be done like this:

1. On the bottom of the Lync there is a telephone symbol.  Click it.  Then, click Simultaneously ring, and then do one of the following:

• Click another of your numbers, such as your mobile phone.

• Click New Number, and then type a new number in the dialog box that appears.

• Click My Delegates, and then in the Delegates dialog box, add any contacts whom you want to answer calls for you. You can also specify that they be rung only after a certain period. Delegates can also make calls on your behalf.

2. Click My Team-Call Group, and then, in the Team-Call Group dialog box, add the contacts you want to receive your calls at the same time you do. You can also specify that they be rung only after a certain period of time.

For more information and a helpful video on how to set up simultaneous ring, go to http://bit.ly/xfDGqc

Adam Lee, PEI

Why won’t my XenApp server join the Farm?

You’ve decided that you need to add capacity to your Citrix XenApp 6.5 Farm. You’ve built the server, installed XenApp and have attempted to join your Farm, but it’s just not working: The XenApp server doesn’t behave like it’s part of a farm, and you see these errors in the System Event Log:

The servers farm data key does not match the farms current data key stored in the Data Store. IMA is shutting down.

And

Failed to load initial plugins with error IMA_RESULT_MAGIC_NUMBER_MISMATCH

Nothing went wrong during the install, what could be the problem?

In earlier versions, this could have been caused by corruption in the Farm’s database, but with XenApp 6.5 it’s important to remember the compatibility limitations. Citrix XenApp 6.5 Farms cannot support older versions of XenApp (including 6.0). These errors are your only indication of that version mismatch.

Try removing XenApp and installing version 6.5 or better to resolve this issue and join your existing Farm.

Shane Skriletz, PEI

Lync External Pool Name and Lync Mobility

Here is another tidbit that I came across recently while working with a client. When we setup Lync for them originally, they wanted their internal and external pool names to be exactly the same. At the time, there was no reason it couldn’t be from a technical reason so that is what they chose to do.

With the release of Lync Mobility, we now have a technical reason that the internal and external pool names cannot be the same. The Lync Mobile client is dependent on the web services to sign in and due to how Lync Mobility works, if your pool names are the same, it won’t properly utilize the external web services.

The reason we want to utilize the external web services is so that if you switch from an internal wireless to say a 3G connection, the Lync Mobile client will be able to stay connected. The Lync Mobile service is built with the idea that internal clients will actually use “hair-pinning” in order to sign in. That is, they will go out the firewall and come back in the same interface so that they are accessing Lync Mobility as if they were outside the corporate network.

If you are wanting to implement Lync Mobility, the lesson learned is make sure your internal and external pool names are different.

Adam Ball, PEI

Microsoft Project – Fixed Duration, Fixed Units and Fixed Work

One of the more difficult scheduling aspects in using Microsoft Project to schedule effort driven work is the concept of Fixed Duration, Fixed Units and Fixed Work. I have heard numerous colleagues including myself at times say “what’s wrong with Microsoft Project, its changing the schedule in crazy ways when resources are added or subtracted”. In fact, Microsoft Project is functioning correctly once one understands the way fundamental way it works.

Microsoft Project, when scheduling tasks based on effort driven schedules allows the project manager to work with three different variables. The project manager can only control two of these variables while Microsoft Project always automatically calculates the third. These variables are:

1. Fixed Units

2. Fixed Duration

3. Fixed Work

It is critical for a project manager to have a comprehensive understanding of the implications of each of these variables.

Fixed Units suggests that are the amount of capacity that a resource can devote to a task. An example of this is that you suggest to Microsoft Project that a resource can only work 50% of the time on a specific task. Microsoft Project will then automatically calculate the duration of the task with the resource only working 50% of the time.

Fixed Duration suggested that the task the task must be completed within a given duration. As you assign a single or multiple resources to the task, Microsoft Project will automatically calculate the appropriate resource allocation percentage to ensure the task is completed within the given duration.

Fixed Work suggests that a task has a specific numbers of hours work associated with it. In this scenario, we know that the task is going to take ten hours to complete. We have the ability to schedule the tasks overall duration for five days with fixed work of ten hours. Assuming a single resource is responsible for completing the task, Microsoft Project will schedule the resource to work two hours a day for the five day duration.

There are several advanced scheduling scenarios that can influence what is discussed above including front, middle and back loading of resources which aren’t addressed in this blog. For more information on this topic, I recommend the following from the Microsoft Website: http://office.microsoft.com/en-us/project-help/using-task-types-RZ001077906.aspx?section=6

Dan Thompson, PEI

Support Your Investments

More often than not, when presented with a quote for either hardware or software, there is a maintenance/support quote provided as well. Many people don’t understand why they need to pay additional for this or don’t know what exactly they get with each support contract they purchase. Because of that, I thought I would outline a very short list of the support we recommend with a few of the products we at PEI work with, and provide links to find out more.

1. HP CarePack: Hardware and software support, installation services, education services, and premium support options. An addition to the standard HP warranties. Here is what HP has to say about their CarePack services:

a. “Through HP Care Pack Services we get new systems and services up and running sooner. We help IT professionals use hardware and software effectively. We provide proactive support to help prevent system downtime. And when failures do occur, we provide the level of response you need to meet the needs of your business—whenever and wherever you need it.”

http://www8.hp.com/us/en/business-services/it-services.html?compURI=1077422

2. Microsoft Software Assurance: Provides many benefits in addition to Microsoft software. It also makes renewing/upgrading your Microsoft products easier. Here’s a brief description from Microsoft:

a. “With its distinctive set of benefits, the Microsoft Software Assurance program is truly unique. It offers new software versions, deployment planning services, 24×7 phone and Web support, end-user training, exclusive desktop technologies and more – all designed to help you get the most from your organization’s Volume Licensing purchases.”

b. “These benefits can vary by volume licensing program (such as an Enterprise Agreement or Open Value Agreement), and the number of qualifying licenses you have enrolled in Software Assurance. Use the resources and tools below to learn more about the Software Assurance benefits available to your organization.”

http://www.microsoft.com/licensing/software-assurance/check-your-benefits.aspx

3. Cisco SMARTnet: With multiple service levels (24×7, 8×5, software support) Cisco SMARTnet support helps you resolve critical network issues. Here’s Cisco’s take on their own product:

a. “Cisco SMARTnet Provides:

i. Global 24 hour access to Cisco Technical Assistance Center (TAC)

ii. Access to online knowledge base, communities and tools

iii. Hardware replacement options, including 2-hour, 4-hour, and next business day

iv. Operating system software updates

v. Smart, proactive diagnostics and real-time alerts on devices enabled with Smart Call Home”

http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_group_home.html

Erika Larson, PEI

New CSAIL Research Could Help Secure the Cloud

Cloud computing has become completely ubiquitous, spawning hundreds of new web based services, platforms for building applications, and new types of businesses and companies. However, the freedom, fluidity and dynamic platform that cloud computing provides, also makes it particularly vulnerable to cyber-attacks. And because the cloud is a shared infrastructure, the consequences of such attacks can be extremely serious.

Now, with funding from the Defense Advanced Research Projects Agency (DARPA), researchers from the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) aim to develop a new system that would help the cloud identify and recover from an attack almost instantaneously.

Typically, cyber-attacks force the shutdown of the entire infiltrated system, regardless of whether the attack is on a personal computer, a business website or an entire network. While the shutdown prevents the virus from spreading, it effectively disables the underlying infrastructure until cleanup is complete.

Professor Martin Rinard, a principal investigator at CSAIL and leader of the Cloud Intrusion Detection and Repair project, and his team of researchers aim to develop a smart, self-healing cloud computing infrastructure that would be able to identify the nature of an attack and then, essentially, fix itself.

The scope of their work is based on examining the normal operations of the cloud to create guidelines for how it should look and function, then drawing upon this model so that the cloud can identify when an attack is underway and return to normal as quickly as possible.

“Much like the human body has a monitoring system that can detect when everything is running normally, our hypothesis is that a successful attack appears as an anomaly in the normal operating activity of the system,” said Rinard. “By observing the execution of a ‘normal’ cloud system we’re going to the heart of what we want to preserve about the system, which should hopefully keep the cloud safe from attack.”

Rinard believes that a major problem with today’s cloud computing infrastructures is the lack of a thorough understanding of how they operate. His research aims to identify systemic effects of different behavior on cloud computing systems for clues about how to prevent future attacks.

“Our goal is to observe and understand the normal operation of the cloud, then when something out of the ordinary happens, take actions that

steer the cloud back into its normal operating mode,” said Rinard. “Our expectation is that if we can do this, the cloud will survive the attack and keep operating without a problem.”

By closely examining the operations of the entire cloud and using that model to prevent attacks, Rinard’s system should allow the cloud to independently detect and recover from new attacks, an operation that is impossible for current systems.

“By monitoring for behavioral deviations that are indicative of malicious activity rather than existing signatures, our system can detect and recover from previously unknown attacks,” said Dr. Stelios Sidiroglou-Douskos, a research scientist at CSAIL.

For more information, see: http://groups.csail.mit.edu/pac/crs/.

REF:

http://www.csail.mit.edu/node/1681

• Article published: February 27, 2012

FOR IMMEDIATE RELEASE

Contact: Abby Abazorius,

MIT Computer Science & Artificial Intelligence Lab

T. 617.324.9135; abbya@csail.mit.edu

 

Roger Archuleta, PEI

 

Microsoft Exchange 2010 – Using Proxying and Redirection (Part 2)

Cross-Site Silent Redirection

Exchange 2010 SP2 lets administrators configure cross-site silent redirection. When this feature is enabled, a user with a mailbox in Active Directory site A who accesses the Outlook Web App URL in Active Directory site B will be silently redirected to the Outlook Web App URL for Active Directory A.

To configure cross-site silent redirection, the administrator must use the new CrossSiteRedirectType parameter that’s been added to the Set-OWAVirtualDirectory cmdlet. The parameter has two possible settings. The default setting is Manual.

• Silent When this setting is configured, a user’s web browser is automatically redirected whenever a Client Access server must redirect an Outlook Web App request to Client Access server or server array located in another Active Directory site. If you’re using forms-based authentication, SSL is required. For redirection to occur, the target Client Access server Outlook Web App virtual directory must have an ExternalURL value configured.

• Manual When this setting is configured, users will receive a notification that they’re accessing the wrong URL and that they must click a link to access the correct Outlook Web App URL for their mailbox. This notification only occurs when a Client Access server determines that it must redirect an Outlook Web App request to Client Access server or server array located in another Active Directory site. For redirection to occur, the target Client Access server Outlook Web App virtual directory must have an ExternalURL value configured.

Cross-site silent redirection prevents users from having to learn a secondary Outlook Web App URL. If the authentication method for the Outlook Web App virtual directory on both the source and target Client Access servers is set to forms-based authentication, the user will only have to enter their credentials once. If the authentication methods differ on the source and target Client Access severs, the users may have to enter their credentials a second time. When using forms-based authentication, you must require SSL on both the source and target Outlook Web App virtual directories.

Proxying and Redirection for Exchange ActiveSync

The following series of steps shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using a mobile phone.

1. The Client Access server queries Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server.

2. If the user’s mailbox is on an Exchange 2003 server, the incoming request is proxied directly to the Exchange 2003 server that hosts the user’s mailbox and the Exchange ActiveSync virtual directory. By default, in Exchange 2003, the Exchange ActiveSync virtual directory was installed on all mailbox servers. The Active Directory site of the user’s mailbox isn’t applicable in this case because Exchange 2003 doesn’t use Active Directory sites to determine location. The connection is always made directly from the Exchange 2010 Client Access server to the Exchange 2003 mailbox server.

3. If the user’s mailbox is on an Exchange 2007 Mailbox server, CAS-01 locates an Exchange 2007 Client Access server in the same Active Directory site as the user’s Mailbox server. This may be the same Active Directory site as CAS-01. CAS-01 determines whether the Exchange 2007 Client Access server has the ExternalURL property configured on the Exchange ActiveSync virtual directory. If so, CAS-01 issues the client an HTTP error code 451 that contains the ExternalURL value and instructs the client to redirect to the location specified in the ExternalURL property. If no ExternalURL value is set, the connection will be proxied to the Client Access server using the FQDN specified by the InternalURL property, specifically to the /Proxy virtual directory, This virtual directory is located beneath the Exchange ActiveSync virtual directory in IIS and, by default, has Integrated Windows authentication enabled on it.

4. If the user’s mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as CAS-01, CAS-01 provides access to the mailbox. If the user’s mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, CAS-01 locates a Client Access server in the same Active Directory site as the user’s Mailbox server. CAS-01 determines whether any Exchange 2010 Client Access server in that Active Directory site has the ExternalURL property configured on the Exchange ActiveSync virtual directory. If so, CAS-01 issues the client an HTTP error code 451 that contains the ExternalURL value and instructs the client to redirect to that location. If no ExternalURL value is set, the connection will be proxied to the Client Access server using the FQDN specified by the InternalURL property, specifically to the /Proxy virtual directory. This virtual directory is located beneath the Exchange ActiveSync virtual directory in IIS and, by default, has Integrated Windows authentication enabled on it.

Important:

Proxying isn’t possible between virtual directories that use Basic authentication. For client communications to be proxied between Exchange ActiveSync virtual directories on different servers, the /Proxy virtual directory must use Integrated Windows authentication.

Proxying and Redirection for Outlook Web App

The following series of steps shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using Outlook Web App.

1. The Client Access server queries Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server.

2. If the user’s mailbox is on an Exchange 2003 server and the user tries to access Outlook Web App using https://domain name/owa, they’ll receive an error because an Exchange 2010 Client Access server can’t directly provide Outlook Web App access to an Exchange 2003 mailbox. However, if the administrator configured redirection from Exchange 2010 to Exchange 2003, which would be usual during a migration from Exchange 2003 to Exchange 2010, the Exchange2003URL property of the Outlook Web App virtual directory was set to the value of an Exchange 2003 server facing the Internet.

3. If the user’s mailbox is on an Exchange 2007 mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user’s mailbox server. If the Exchange 2007 Mailbox server is in the same Active Directory site as CAS-01, one of four possible actions will result.

o CAS-01 will look for an Exchange 2007 ExternalURL property that has an ExternalAuthenticationMethods setting that’s identical to the InternalAuthenticationMethods setting on the Exchange 2010 Client Access server. If the settings match, CAS-01 will redirect to this external URL. If forms-based authentication is enabled, this will result in a single sign-on redirection, which is transparent to the user.

o If a matching ExternalURL setting isn’t found, CAS-01 will look for an Exchange 2007 Client Access server that has the ExternalURL property configured, regardless of matching. If one is found, CAS-01 will redirect to this external URL. This will result in the user being prompted for authentication.

o If no matching ExternalURL setting is found, CAS-01 will look for an Exchange 2007 Client Access server with an InternalURL property that has an InternalAuthenticationMethods setting identical to the InternalAuthenticationMethods setting on the Exchange 2010 Client Access server. If one is found, CAS-01 will redirect to this InternalURL. If forms-based authentication is enabled, this will result in a single sign-on redirection.

o If no matching InternalURL is found, CAS-01 will look for an Exchange 2007 Client Access server with an InternalURL configured, regardless of matching. If one is found, CAS-01 will redirect to this InternalURL. This will result in the user being prompted for authentication.

If the Exchange 2007 Mailbox server is in a different Active Directory site, CAS-01 determines whether the ExternalURL property is set in that Active Directory site. If it is, and cross-site silent redirection hasn’t been enabled, the user is provided with a clickable link that redirects them to the specified URL. If cross-site silent redirection has been enabled, the user will be automatically redirected to the specified URL. If the ExternalURL property isn’t present, and the authentication method on the /OWA virtual directory is set to Integrated Windows authentication, CAS-01 will proxy the user’s request to the Client Access server that’s specified by the InternalURL property.

Important:

An Exchange 2010 Client Access server will never proxy Outlook Web App requests to an Exchange 2007 Client Access server in the same Active Directory site. All requests within the same Active Directory site are redirected to an Exchange 2007 Client Access server, using either the InternalURL or ExternalURL properties for Client Access server, depending on which properties are configured.

4. If the user’s mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as CAS-01, CAS-01 provides access to the mailbox. If the user’s mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, CAS-01 locates a Client Access server in the same Active Directory site as the user’s Mailbox server. When one is found, Exchange 2010 determines whether the Client Access server has the ExternalURL property set in that Active Directory site. If it is, and cross-site silent redirection hasn’t been enabled, the user is provided with a clickable link that redirects them to the specified URL. If cross-site silent redirection has been enabled, the user will be automatically redirected to the specified URL. If the ExternalURL isn’t set and the authentication method on the virtual directory is set to Integrated Windows authentication, CAS-01 will proxy the user’s request to the Client Access server that’s specified by the InternalURL property.

Proxying for the Exchange Control Panel

Exchange 2010 provides a Web-based interface for both users and organization administrators to configure settings for their mailbox or for the organization. The Exchange Control Panel (ECP) is accessed either through the Options menu in Outlook Web App or, in Outlook 2010, by choosing the Voice Mail options, requesting message tracking information, or configuring mobile notifications. Selecting any of these options within Outlook launches a Web browser session.

The destination of the session depends on the current connection state of the Outlook client. If the Outlook client is connected using RPC over TCP, the client connects to the InternalURL value of the ECP virtual directory. If the client is connected using Outlook Anywhere, the Outlook client will launch a browser session. The browser session will try to connect to the ExternalURL value of the ECP virtual directory. The URLs are provided to the Outlook client via the Autodiscover service.

When an internal client is connected through TCP, the ECP session will always connect to a Client Access server in the same Active Directory site as the user’s mailbox. Proxying isn’t used in this scenario. When a client outside the corporate network uses Outlook Anywhere to connect, the client opens a browser session to the external URL of the ECP virtual directory or to the external URL of an Internet-facing Active Directory site if the user’s mailbox is located in a non-Internet-facing site.

The proxying logic for the ECP is the same as for Outlook Web App. If the user’s mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as the Client Access server receiving the request, that Client Access server provides access to the mailbox. If the user’s mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, the Client Access server locates a Client Access server in the same Active Directory site as the user’s Mailbox server. The original Client Access server will proxy the user’s request to that Client Access server.

The ECP does perform redirection, but unless the user explicitly enters the URL to access the ECP, it’s rarely performed. If a user accesses the ECP from Outlook Web App, Outlook Web App is responsible for making sure the user is using the correct URL. If the user is using Outlook 2010, Outlook and the Autodiscover service are responsible for making sure the user uses the correct URL for the ECP.

Proxying for Exchange Web Services

Exchange Web Services provides an XML messaging interface that enables you to manage Exchange store items and access Exchange server functionality from client applications. From a proxy, redirection, and client perspective this functionality is usually used in the context of one of the following:

• Availability service requests

• Autodiscover requests

• Setting and checking Automatic Replies (OOF) status

An application written using Exchange Web Services can use proxying behavior for such tasks as setting an automatic-reply (Out of Office) message, which will be proxied between Active Directory sites, if required.

The following steps show how incoming requests are handled for a user who makes an Availability service request to an Exchange 2010 Client Access server named CAS-01. The user is using Outlook Web App to check the availability of another user in the same Exchange organization.

1. CAS-01 queries Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server.

2. If the user’s mailbox is on an Exchange 2003 server, Outlook Web App makes an HTTP connection to the /Public virtual directory of the Exchange 2003 server and retrieves the requested information from the Free/Busy system folder.

3. If the user’s mailbox is on an Exchange 2007 Mailbox server, an error is returned to the user. In any Exchange organization that contains mailboxes on an Exchange 2007 Mailbox server, there must be an externally accessible Exchange 2007 Client Access server. The Autodiscover service is responsible for returning the correct Exchange Web Services URL to the client. This URL must match the version of the Mailbox server that the user’s mailbox is on.

4. If the user’s mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as CAS-01, CAS-01 accesses the mailbox itself to retrieve the requested information. If the user’s mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, CAS-01 proxies to a Client Access server in that Active Directory site by using the FQDN specified by the InternalURL property of the /EWS virtual directory.

Exchange Web Services itself doesn’t provide redirection functionality, because the Autodiscover service, which is used to provide URLs to an application, provides the URLs required to access a specific mailbox. For example, when a mailbox is moved between Active Directory sites, Outlook receives the updated Active Directory site-specific URLs from the Autodiscover service when it next issues a query. This can sometimes result in a client making Availability service requests to a Client Access server in an Active Directory site other than the one that their mailbox is in. But, because the Availability service will still process the requests and proxy them as necessary, there’s no impact on the user.

Important:

In any Exchange organization that contains mailboxes on an Exchange 2007 Mailbox server, there must be an externally accessible Exchange 2007 Client Access server. When the Autodiscover service returns the correct Exchange Web Services URL to a requesting client, this URL matches the version of server that the user’s mailbox is on. For any Exchange organization that contains mailboxes on both Exchange 2007 Mailbox servers and Exchange 2010 Mailbox servers, two external URL’s must be configured for Exchange Web Services, one for each installed version of Exchange.

Proxying for POP3 and IMAP4

Exchange 2010 can proxy POP3 and IMAP4 sessions between Client Access servers and Active Directory sites.

The following steps show how incoming requests are handled for a user who makes a request to an Exchange 2010 Client Access server named CAS-01 using a POP3 client.

1. CAS-01 queries Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server.

2. If the user’s mailbox is on an Exchange 2003 server, CAS-01 proxies the connection to the POP3 service running on the Exchange 2003 server that’s hosting the user’s mailbox.

3. If the user’s mailbox is on an Exchange 2007 Mailbox server, CAS-01 locates an Exchange 2007 Client Access server in the same Active Directory site as the user’s Mailbox server, which may be in the same Active Directory site as CAS-01. CAS-01 proxies the request to the Client Access server.

4. If the user’s mailbox is on an Exchange 2010 Mailbox server in the same Active Directory site as CAS-01, CAS-01 accesses the mailbox itself. If the user’s mailbox is on an Exchange 2010 Mailbox server in a different Active Directory site, CAS-01 proxies to a Client Access server using the FQDN specified by the InternalConnectionSettings property of the POP configuration for that server.

In a Microsoft Exchange Server 2010 organization, a Client Access server can act as a proxy for other Client Access servers within the organization. This is useful when multiple Client Access servers are present in different Active Directory sites in an organization and at least one of those sites isn’t exposed to the Internet.

A Client Access server can also perform redirection for Microsoft Office Outlook Web App URLs and for Exchange ActiveSync devices. Redirection is useful when a user connects to a Client Access server that isn’t in their local Active Directory site or if a mailbox has moved between Active Directory sites. It’s also useful if the user should be using a better URL, for example, one that’s closer to the Active Directory site their mailbox resides in.

Although the Client Access server’s response can vary by protocol, when a Client Access server receives a request for a user whose mailbox is in an Active Directory site other than the one the Client Access server belongs to, it looks for the presence of an ExternalURL property on the relevant virtual directory on a Client Access server that’s in the same Active Directory site as the user’s mailbox. If the ExternalURL property exists, and the client type supports redirection (for example, Outlook Web App or Exchange ActiveSync), the Client Access server will issue a redirect to that client. If there’s no ExternalURL property present, or if the client type doesn’t support redirection (for example, POP3 or IMAP4), the Client Access server will try to proxy the connection to the target Active Directory site.

This topic explains proxying and redirection, when each is used, and how to configure your Client Access servers for each scenario.

Overview of Proxying

In Microsoft Exchange Server 2003, the front-end server communicates with the back-end server over HTTP. In Exchange Server 2007 and Exchange 2010, the Client Access server communicates with an Exchange Mailbox server over RPC. You must have an Exchange 2010 Client Access server in every Active Directory site that contains an Exchange 2010 Mailbox server. Proxying occurs when one Client Access server sends traffic to another Client Access server. An Exchange 2010 Client Access server can proxy requests in the following situations:

• Between Exchange 2010 Client Access servers Proxying requests between two Exchange 2010 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server closest to the user’s mailbox.

• Between an Exchange 2010 Client Access server and Exchange 2007 Client Access servers Proxying requests between an Exchange 2010 Client Access server and an Exchange 2007 Client Access server within one Active Directory site or between Active Directory sites enables Exchange 2010 and Exchange 2007 to coexist in the same organization.

Proxying is supported for clients that use Outlook Web App, Exchange ActiveSync, the Exchange Control Panel (ECP), POP3, IMAP4, and Exchange Web Services. Proxying is supported from one Client Access server to another Client Access server when the destination Client Access server is running the same version of Microsoft Exchange as, or an earlier version of Microsoft Exchange than, the source Client Access server.

Client Access proxying

In the previous figure, the mailbox of User 1 is located on Mailbox server 1. The mailbox of User 2 is located on Mailbox server 2, and the mailbox of User 3 is located on Mailbox server 3. Each Mailbox server is in a different Active Directory site. User 1 can access their mailbox through Client Access server 1 without using proxying, and User 2 can access their mailbox through Client Access server 2. If User 3 tries to access their mailbox through Client Access server 1 or 2, either server will proxy their request to Client Access server 3. Client Access server 3 isn’t Internet facing but can receive requests from other servers inside the firewall. Proxying isn’t visible to the user. Overview of Redirection

Overview of Redirection

Outlook Web App users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing. When an Outlook Web App user tries to connect to a Client Access server outside the Active Directory site that contains their Mailbox server, they’ll see a Web page that contains a link to the correct Client Access server for their mailbox. This is known as manual redirection. In Exchange 2010 SP2, administrators can configure cross-site silent redirection to enable this redirection process to happen without the user’s knowledge. For more information, see Cross-Site Silent Redirection later in this topic.

Exchange ActiveSync users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing and if the client mobile phone or device has correctly implemented the redirection logic built in to the protocol that’s used when communicating with Exchange 2007 and Exchange 2010. The redirection for Exchange ActiveSync users is achieved by sending the device an HTTP 451 error code that contains the URL the device should be using. The device then reconfigures itself to use the new URL.

The following figure shows how redirection works in an organization that has multiple Client Access servers in multiple Active Directory sites.

Redirection for Exchange ActiveSync and Outlook Web App in Exchange 2010

In the previous figure, User 1 usually accesses their mailbox in Active Directory site 1 using their mobile phone. The administrator then moves their mailbox to Mailbox server 2 in Active Directory site 2. The next time the device tries to synchronize, the server responds with an HTTP 451 status error. This contains the URL the device should now use for that user. In step 3 of the sequence, the device reconfigures itself and connects to the specified URL. User 2, whose mailbox is in Active Directory site 2, tries to open their mailbox using Outlook Web App by connecting to Client Access server 1 over the Internet. With manual redirection, as soon as the user authenticates, Client Access server 1 presents a page to the user, with a link to the Outlook Web App URL for the Client Access server in Active Directory site 2. The user clicks the link, is taken to Active Directory site 2, and signs in again to access their mailbox.With silent redirection, when the user authenticates, they’re silently redirected to the Outlook Web App URL for the Client Access server in Active Directory site 2.

Jacob Eker, PEI