Archive for the ‘Exchange 2010’ Category

BRANCHCACHE for Exchange 2010 OAB Download How-To:

Requirements for BranchCache

Following is a list of operating systems that support BranchCache content server or BranchCache client computer functionality. To successfully deploy BranchCache in a test lab environment, you must use operating systems that support BranchCache.


General Requirements to Server and Client

Server and clients must be able to communicate with each other. Clients must be in the same subnet (otherwise discovery of cached content will not work). All machines must be resolvable in DNS or WINS.


Operating systems for BranchCache client computer functionality

To perform the steps in this guide, you must have three physical or virtual client computers that are running one of the following operating systems:

  • Windows® 7 Enterprise
  • Windows® 7 Ultimate

Operating systems for BranchCache content server functionality

To perform the steps in this guide, you must have one physical or virtual server computer to be used as a BranchCache content Web server that is running one of the Windows Server® 2008 R2 family of operating systems, with the following exceptions:

  • In Windows Server® 2008 R2 Enterprise Core Install with Hyper-V, BranchCache is not supported.
  • In Windows Server® 2008 R2 Datacenter Core Install with Hyper-V, BranchCache is not supported.

Necessary Installation and Configuration Steps for Content-Server:

In our lab environment the content server should deliver the Exchange OAB. In this case the existing CAS server is responsible for the content we want to get, so the CAS server will be our content server. Because IIS is a prerequisite for CAS, it is already in place and we don’t need to change anything at this point.

The first necessary step is to install the BranchCache feature from Roles and Features.

After this is done, install the B.I.T.S. feature with the IIS Extension subfeature.

These should be all the configuration steps needed on the server.

Additionally, to verify the functionality you can use Perfmon to monitor the BranchCache-related traffic information.

 Configure BranchCache performance counters on the content server
 

  1. On CAS with BranchCache installed, click Start, click Search programs and files, and type perfmon. In Search results, in Programs, click perfmon.exe. Windows Performance Monitor opens.
  2. In Monitoring Tools click Performance Monitor to view the Performance Monitor graph. To change the performance monitor graph to report view, click the graph toolbar icon that displays an arrow to reveal the drop-down list, and then click Report.
  3. To add BranchCache counters, click the graph toolbar icon that is a green plus sign (+). The Add Counters dialog box opens. In the left pane, scroll to BranchCache Kernel Mode, and click to expand the list of BranchCache Kernel Mode counters. Click Client Cache Miss Bytes, hold down the Ctrl key, and then click Server Cache Miss Bytes, Hash Bytes, and Projected Server Bytes Without Caching.
  4. Click Add, and then click OK.

  Perfmon Content-Server with working Branchcache

 

 To reset the BranchCache functionality and the performance counters on the content server use:

 

        Netsh branchcache reset

 

 After the Branchcache reset the Perfmon Counters are reset as well.

 Client computer configuration:
 Necessary installation and configuration steps for client computers to enable BranchCache distributed cache mode using network shell commands

 

1.   On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

2.   Run the following command: netsh branchcache set service mode=DISTRIBUTED

Suggestion:

Running the netsh branchcache set service command both configures the client computer for distributed cache mode and automatically configures the client computer firewall with the following inbound exceptions for distributed cache mode: TCP port 80 and UDP port 3702.

3.   To verify that BranchCache distributed cache mode is correctly configured on the client computer, run the following command: netsh branchcache show status. The BranchCache Service Status is displayed in the command prompt window with the following values: Service Mode: Distributed Caching; Serve peers on battery power: Disabled; and Current Status= Running.

  

To configure BranchCache performance counters on the Client Computers
 

4.   On Client with Branchcache installed, click Start, click Search programs and files, and type perfmon. In Search results, in Programs, click perfmon.exe. Windows Performance Monitor opens.

5.   In Monitoring Tools click Performance Monitor to view the Performance Monitor graph. To change the performance monitor graph to report view, click the graph toolbar icon that displays an arrow to reveal the drop-down list, and then click Report.

6.   To add BranchCache counters, click the graph toolbar icon that is a green plus sign (+). The Add Counters dialog box opens. In the left pane, scroll to BranchCache, and select all underlying counters.

7.   Click Add, and then click OK.

 

  First Windows 7 Client got Data from Server

  Other Windows 7 Clients got Hashes from Server but Data from Cache of First Client

 

To reset the BranchCache functionality and the performance counters on the client machines use:

 

      netsh branchcache reset

 

and after that

 

       netsh branchcache set service mode=DISTRIBUTED

These are the steps to make OAB Download over Branchcache possible.

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 Comments off

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey.  This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10-15 minutes to complete.

 

To participate, please click here.

 

Carolyn Liu
Senior Program Manager, Forefront Server Protection

How to link existing AD accounts to the correct organization in a Microsoft Exchange Server 2010 SP1 multi-tenant environment

Microsoft Exchange Server 2010 SP1 has a built-in multi-tenant support feature that replaces many features of HMC. A good overview of the features, limitations, installation and configuration is available in the TechNet article:

Multi-Tenant Support

http://technet.microsoft.com/en-us/library/ff923272.aspx 

The hosting solution available for Exchange 2010 SP1 includes most of the features and functionality available in Exchange 2010 SP1 Enterprise deployments, but also includes features and functionality that will allow you to create and manage tenant organizations. Microsoft Exchange Server 2010 SP1 will form part of the suite of multi-tenant capable products that will replace the Hosted Messaging and Collaboration 4.5 solution. 

Provisioning of new accounts and new mailboxes works via the New-Mailbox cmdlet:
============================================================================

New-Mailbox -Database "Mailbox Database name" -Name "name" -LinkedDomainController "DCName" -LinkedMasterAccount domain\name -UserPrincipalName name@domain.com -LinkedCredential:(Get-Credential domain\Administrator) -Organization "tenant or organization name"

The new-mailbox procedure only covers the creation of new accounts and new mailboxes by assigning the appropriate tenant for the particular AD Account.

The -Organization switch is responsible for matching the correct tenant. In many customer environments that are migrating to Exchange 2010, the AD accounts that need to be linked to a new mailbox in the appropriate tenant already exist.

To match an existing AD account to a new mailbox we need the Enable-Mailbox cmdlet. Unfortunately, the Enable-Mailbox syntax does not include the -Organization option.

On its own, this means we cannot connect an existing AD account to a new mailbox in the appropriate tenant.

Solution:
=======   

If you want to enable an existing AD user for a mailbox at a specific organization, you can still use Enable-Mailbox cmdlet. There is some extra work to stamp a few attributes correctly in the AD user before running the cmdlet (here as a sample domain name.test.microsoft.com):

===========================================================================

1. msExchCU: CN=Configuration, CN=<tenant name>, CN=ConfigurationUnits, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=name, DC=test, DC=microsoft, DC=com
2. msExchOURoot: OU=<tenant name>, OU=Microsoft Exchange Hosted Organizations, DC=name, DC=test, DC=microsoft, DC=com
3. userPrincipalName: Usually it is <user name>@<tenant domain name> 

After stamping these attributes, the Enable-Mailbox cmdlet automatically links the AD account to a mailbox in the appropriate tenant or organization.
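
The stamping procedure above as a script. This is an added example, not code from the original post: it assumes the ActiveDirectory PowerShell module is loaded alongside the Exchange Management Shell, that the hosted-organizations OU lives in the default domain of the DC you connect to, and that the user name part of the UPN is the sAMAccountName. The function names and the values in the final call are placeholders. Because these attributes decide which tenant an account belongs to, the script refuses to write anything if the tenant objects do not exist or the account is already stamped for a different tenant.

```powershell
# Added example, not from the original post. All parameter values are placeholders.
Import-Module ActiveDirectory

function Get-TenantStamp {
    param([Parameter(Mandatory=$true)][string]$TenantName)
    $root = Get-ADRootDSE
    # Same DN layout as attributes 1 and 2 in the post, built from the live
    # naming contexts instead of a hand-typed domain suffix.
    @{
        msExchCU     = "CN=Configuration,CN=$TenantName,CN=ConfigurationUnits," +
                       "CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)"
        msExchOURoot = "OU=$TenantName,OU=Microsoft Exchange Hosted Organizations," +
                       "$($root.defaultNamingContext)"
    }
}

function Enable-TenantMailbox {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$TenantName,
        [Parameter(Mandatory=$true)][string]$TenantDomain,
        [Parameter(Mandatory=$true)][string]$Database
    )
    $dc    = (Get-ADDomain).PDCEmulator   # one DC throughout, to avoid replication lag
    $stamp = Get-TenantStamp -TenantName $TenantName

    # A mistyped tenant name must fail here, not leave a half-stamped user.
    foreach ($dn in $stamp.Values) {
        try   { Get-ADObject -Identity $dn -Server $dc -ErrorAction Stop | Out-Null }
        catch { throw "Tenant object not found, nothing changed: $dn" }
    }

    $user = Get-ADUser -Identity $SamAccountName -Server $dc `
                       -Properties msExchCU, msExchOURoot, msExchMailboxGuid
    if ($user.msExchMailboxGuid) { throw "$SamAccountName already has a mailbox." }
    # Never silently move an account that is already stamped for another tenant.
    if ($user.msExchCU -and $user.msExchCU -ne $stamp.msExchCU) {
        throw "$SamAccountName is already stamped for $($user.msExchCU)"
    }

    # Attribute 3 in the post: <user name>@<tenant domain name> (assumed: sAMAccountName).
    Set-ADUser -Identity $user -Server $dc -Replace $stamp `
               -UserPrincipalName "$SamAccountName@$TenantDomain"
    Enable-Mailbox -Identity $user.DistinguishedName -Database $Database -DomainController $dc
}

Enable-TenantMailbox -SamAccountName 'jdoe' -TenantName 'tenant1' `
    -TenantDomain 'tenant1.example' -Database 'Mailbox Database name'
```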

Updates to the Forefront Server Protection documentation in the TechNet library (August 2010)

August 5th, 2010 Comments off

Hi, my name is Scott Floman, and I’m a technical writer in the Forefront Server Protection group. Every few months or so, we update our existing “legacy” documentation on our TechNet Web site, and this post is to make you aware of our recent August 2010 update. (p.s. By “legacy” content I mean products that are already supported in production environments, such as Forefront Protection 2010 for Exchange Server (FPE), Forefront Protection 2010 for SharePoint (FPSP), and our Forefront Server Security Version 10 and Antigen Version 9 products).

 

Some of the topics we added or provided updated information about are:

 

  • FPE capacity planning: http://technet.microsoft.com/en-us/library/ff921060.aspx
  • Supported operating systems and Exchange Server versions: http://technet.microsoft.com/en-us/library/ff921059.aspx
  • Best practices for configuring FPE operations: http://technet.microsoft.com/en-us/library/ff716689.aspx
  • Managing performance and health. We added recommended resolutions for when your health monitors are not green (“healthy”).
      • FPE: http://technet.microsoft.com/en-us/library/ee358897.aspx
      • FPSP: http://technet.microsoft.com/en-us/library/ee358924.aspx
  • Submitting malware to Microsoft for analysis. The documentation was revised because customers are advised to use the Microsoft Malware Protection Center Portal to submit malware for analysis.
      • FPE: http://technet.microsoft.com/en-us/library/dd639384.aspx
      • FPSP: http://technet.microsoft.com/en-us/library/dd639465.aspx
  • Maximizing FPSP scan engine performance: http://technet.microsoft.com/en-us/library/ff729711.aspx

 

These are just some of the updates we made. We also made smaller-scale updates in many areas, for example we updated the Forefront Server Security Management Console (FSSMC) system requirements, the FPSP Performance Monitor topic, and the FPE cluster documentation.

In addition, the Table Of Contents (TOC) on TechNet has recently undergone a reorganization, and we are also continuing to seek out ways to optimize search results so that our customers can more easily find the information that they are looking for. 

Also, our team has been busy in creating videos that we hope you will find useful in learning about our products. Here are some recent FPE videos: 

 

So, that’s that, I just wanted to say a few words about our latest TechNet update, the TechNet TOC reorg, and our increased use of the video format. Please use the feedback feature on TechNet, because we do attempt to address all feedback received.

 

Also, another good resource for information is the Forefront Server Security Forum (http://social.technet.microsoft.com/Forums/en-us/category/forefront) where you can read and answer questions about our products. A passport account is needed to access the Forum.

There are other Microsoft forums, blogs, and online technology sites that might prove useful as well; for more information, read this blog article:

http://blogs.technet.com/fss/archive/2009/03/10/other-blogs-and-content-of-interest-for-fss-users.aspx

 

Finally, I want to call your attention to the TechNet wiki, which you can access at the following URL: http://social.technet.microsoft.com/wiki/

 

This is a new community where Forefront employees and customers can post technical articles and interact with one another, much like how wikipedia works. We’re excited about the possibilities of this wiki, which we feel will be a great resource of information, so please stop by and check it out. I recently posted the following wiki articles which I hope will help customers configure our products in multi-server environments (there are also videos for these topics if you want to see a visual demonstration):

Again, thanks for your time, and feel free to e-mail me with any feedback.


Scott Floman
scfloman@microsoft.com

Manually updating engines and definitions in Forefront Protection 2010 for Exchange Server and SharePoint

July 30th, 2010 Comments off

Hello,

 

We get quite a few calls from administrators who ask if they can manually update their Forefront Protection 2010 for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint scan engines.

 Well, the short answer is yes, but the long answer is a bit longer, so in order to provide guidance to those of you who wish to manually update the FPE/FPSP scan engines and definitions as part of your Forefront Protection defense strategies, Microsoft has provided a comprehensive set of instructions via the following Knowledge Base article:

 http://support.microsoft.com/kb/2292741

 So, whatever your reason for not using automatic updating, you can follow the steps outlined in the KB to manually update Forefront Protection’s scan engines.

 Included in the KB is a sample PowerShell script that you can customize to synch with your specific network parameters and adjust to your environmental needs.

 Regards,

Robert McCarthy

Support Engineer – Microsoft Security

How to stop extra.exe tracing triggered on an event id

The problem was that event ID 1040 was logged, which says that a server-based rule (configured in Outlook) was stopped, but without mentioning the reason or further details.

Event ID: 1040
Level:    Error
Provider: MSExchangeIS Mailbox Store
Message:  The rule “rulename”” with the sequence number 20 was disabled due to the error -2147467259 that was encountered  while applying the rule.

The problem occurred only sporadically.

So the plan was to configure diagnostic logging and to create an ExTRA trace.
This trace can be sent to Microsoft for further analysis.
The trace should run all the time and should be stopped after the problem happens.
The challenge here was how to stop the trace at the time the problem happens, so that the log file would not get overwritten.

Here is what you can do if the operating system that Exchange 2007 runs on is Windows 2008.
The steps are:

1.
Set diagnostic logging (in this case diagnostic logging for private rules)

On the Exchange server, open PowerShell:
Set-EventLogLevel "MSExchangeIS\9000 Private\Rules" -Level High

2.
a) Start tracing:

Go to c:\program files\microsoft\Exchangeserver\bin
From there start the extra.exe

Select a task
Trace control; OK
Select trace file location: Enter the path where the file should be saved
Select trace file name: Enter the file name
Enter max trace file size (MB): Enter 250
Select trace file behavior: Circular logging

Select manual trace tags:
– Trace Types: Select all except performance
– Components to Trace: On the left side click on: Store
– Trace Tags: On the right side select:

tagDisableRules
tagPrivateRulesErrors
tagrulelocks
tagRulesMiscellaneous
tagRulesSync
tagRulesTable
tagTriggerRules
tagvrules

Then check the checkbox “Show only enabled components” and the checkbox “Show only enabled tags”.
If components or tags other than the ones we selected are enabled, please uncheck them.

Click on Start tracing. Then leave the GUI open as it is.

b) Configure to stop the tracing based on event 1040:

Attach to the event 1040 in event viewer:
Go to start, run: eventvwr.exe
In event viewer go to Windows Logs, Application, right click on the event 1040 and click on
“attach task to this event”
Give it a name and a description, click on the next button 2 times

Select “Start a program” 
program: c:\windows\system32\logman.exe
Arguments: stop -ets -n ExchangeDebugTraces
click on next and click on finish

c) check if the trace is running:

Start perfmon.exe and check if the session is running:
Go to start, run: perfmon
Data Collector Sets
Event Trace Sessions
There you should see a session called “ExchangeDebugTraces”
It should be shown as running.

d) After the log file is created

After the event has occurred in the event log, the trace should be stopped.
In perfmon you should no longer see the “ExchangeDebugTraces” session.
Then you can close the extra.exe GUI.

To clear the task from the task scheduler:
Start, Programs, Administrative Tools, Task Scheduler
In the Task Scheduler, go to Task Scheduler Library, Event Viewer Tasks and delete the tasks you created earlier.

You can set the diagnostic logging back to the lowest level:
Set-EventLogLevel "MSExchangeIS\9000 Private\Rules" -Level Lowest
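
Steps 2b to 2d can also be scripted instead of clicked through Event Viewer. The following is an added example, not part of the original post: it assumes an elevated PowerShell session on the Exchange server, and the task name is a placeholder. The event filter matches the provider as well as the event ID, so a 1040 logged by a different source cannot stop the trace early.

```powershell
# Added example: scripted form of steps 2b-2d. Run elevated on the Exchange server.
# $TaskName is a placeholder; the session name and event values come from the post.
$TaskName = 'StopExTRAOn1040'
$Session  = 'ExchangeDebugTraces'
$Logman   = Join-Path $env:SystemRoot 'System32\logman.exe'
# Match on provider as well as ID so an unrelated 1040 from another source
# cannot stop the trace early.
$Query    = "*[System[Provider[@Name='MSExchangeIS Mailbox Store'] and (EventID=1040)]]"

function Test-TraceSession {
    # 'logman query -ets' lists the running event trace sessions.
    $running = & $Logman query -ets
    return [bool]($running -match [regex]::Escape($Session))
}

function Register-TraceStopTask {
    if (-not (Test-TraceSession)) {
        throw "Session '$Session' is not running; start tracing in ExTRA first."
    }
    # ONEVENT tasks subscribe to an event log channel with an XPath filter.
    # Running as SYSTEM lets the task fire when nobody is logged on.
    & schtasks.exe /Create /F /TN $TaskName /RU SYSTEM /SC ONEVENT `
        /EC Application /MO $Query /TR "$Logman stop -ets -n $Session"
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
}

function Remove-TraceStopTask {
    # Delete the task once the trace has been collected, so that a later
    # tracing session is not stopped by a stale trigger.
    & schtasks.exe /Delete /F /TN $TaskName
}

Register-TraceStopTask
# After event 1040 has been logged, confirm the session is gone and clean up:
# if (-not (Test-TraceSession)) { Remove-TraceStopTask }
```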