Outlook Anywhere versus MAPI over HTTP

Outlook Anywhere has been around for a very long time now. When it was designed nobody was thinking seriously about the routes by which a desktop client might one day reach Exchange, such as a cellular data network or the Wi-Fi on a transatlantic flight.

So, Microsoft have done some thinking, and the result is a new transport, MAPI over HTTP (MAPI/HTTP), shipped with Exchange 2013 SP1 and Outlook 2013 SP1 as the successor to Outlook Anywhere (RPC over HTTP).

Here’s the good news:

  • That annoying ‘Connecting to…’ message from when you first open Outlook should be significantly reduced. In Microsoft’s tests, a 70% improvement was achieved for monitored clients. That could translate to a 30 second wait on your slow mobile-data connection instead of the 90 seconds it might take now.
  • When resuming from hibernation, or reconnecting, you can expect to shave ten seconds off the usual forty or so.
  • There is better (and simpler) server-side monitoring, via less complex network encapsulation and more useful data in HTTP header information.
  • You can expect a simpler Autodiscover response. MAPI/HTTP has no need for the server to advertise authentication settings in Autodiscover: all the client needs is the protocol version and the endpoint URLs, which it uses without modification. The authentication schemes on offer are discovered the way any other web protocol does it, with an anonymous HTTP request that the server answers with a 401 and a WWW-Authenticate header, so no special configuration (or reconfiguration) is needed when they change.
  • There are fewer concurrent TCP connections required between client and server (and there’s faster renegotiation in the event of a connectivity blip, with sessions kept open for 15 minutes rather than needing to be re-established).
  • The simplification allows multifactor authentication to be more easily added in the future (it’s on the roadmap for later this year).

At the moment Nexus’ system runs Exchange 2010 SP3 so we can only gaze admiringly at these new features until we too get the green light to upgrade to Exchange 2013. When we do, we’ll go straight to SP1 and turn all of this on…

In the meantime, though, let’s deal with some of the inevitable questions.

How have they done this?

Outlook Anywhere has historically relied on a MAPI request encapsulated in an RPC packet, which is in turn wrapped in an HTTP request (hence its other name, RPC over HTTP). It is this double wrapping that Microsoft have been striving to remove.

Nexus’ current Outlook Anywhere set-up requires two long-lived TCP connections to be held open for each session between Outlook and Exchange: one carrying RPC_IN_DATA and one carrying RPC_OUT_DATA, with both required for each client’s RPC/HTTP session. If either is dropped the whole session has to be re-established from scratch, with all the overhead that implies. In terms of network traffic, cost and logic this is an overly complex way to do things, and a single blip can hit thousands of users simultaneously. With MAPI/HTTP the server keeps the session context for 15 minutes; after a blip the client simply reconnects and carries on where it left off, without re-establishing the session first.

MAPI/HTTP sits alongside Outlook Anywhere (both are available in SP1) but works quite differently: the client holds one long-lived connection, used for notifications, and opens short-lived connections for requests as it needs them. Removing the RPC layer from inside the HTTP requests (it is now just MAPI carried over HTTP) simplifies and speeds up the whole exchange, and as a further bonus the HTTP headers now carry meaningful data about each request.

If you’re on a very slow, or low quality, network this is undeniably a good thing. It’s also good for us as administrators: we won’t see a surge of quite so many RPC/HTTP connections all being re-established at once. Less server overhead at times like that equals a faster recovery for Nexus users after, say, a short-lived network issue.

What do we need to do at Oxford IT Services to get this?

  • All of Nexus’ Client Access Servers will need to be upgraded to Exchange 2013 (and have SP1 deployed to them, since that’s what adds this functionality). Incidentally this new function is disabled by default so that it doesn’t introduce unexpected behaviour for anyone just doing a Service Pack upgrade.
  • End users will need a client that is MAPI/HTTP aware. Today this means you need Office 2013, also updated to run Service Pack 1, as nothing else is yet MAPI/HTTP aware.

Any pitfalls?

  • The increase in short-lived HTTP connections will require additional CPU resources on Client Access Servers. This is an issue for anyone who designed their server environment around Exchange 2013’s original RTM requirements, potentially needing 50% more CPU resource. This isn’t an issue for us, however. Exchange 2010 – our current version – has yet-higher CPU requirements so, for us, an upgrade to Exchange 2013 arguably leaves us with over-specified hardware.
  • .Net 4.5.1 will be required on Exchange servers since it fixes issues which would otherwise cause longer wait times for end-users.
  • On a perfect network, with no dropped connections, there is a slight increase in network overhead: an average of 1.2% for 50KB transfers, rising to as much as 10% for transfers over 10MB. On slow, low-quality networks, however, the simpler packets and the ability to resume a dropped connection more than offset this.
  • MAPI/HTTP is a new CAS endpoint (/mapi), so it needs to be factored into namespace design, including certificate handling: the host names in its internal and external URLs must be covered by the certificate each CAS presents, because clients use those URLs exactly as handed out.
  • MAPI/HTTP is an organisation-wide option and not intended to be a server-specific one (although a registry key can be used to disable it on individual servers where required).
  • Unified Access Gateway doesn’t yet support MAPI/HTTP (although support is planned via an update).
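For anyone planning the same upgrade, here is the order of operations as an added worked example. This is my own PowerShell, not code from the original post or from Microsoft: set the URLs on the new mapi virtual directory, check that those host names really are on the certificate IIS presents on every CAS, flip the organisation-wide switch, and then confirm the endpoint answers an anonymous request with a 401 and a WWW-Authenticate header, which is how MAPI/HTTP clients learn which authentication schemes are on offer. The server names CAS01/CAS02 and the mail.example.ac.uk namespace are placeholders; it assumes an Exchange 2013 SP1 Management Shell.

```powershell
# Added example, not code from the original post or from Microsoft: prepare
# and switch on MAPI/HTTP from an Exchange 2013 SP1 Management Shell.
# Server names and the mail.example.ac.uk namespace are placeholders.
$casServers   = @('CAS01', 'CAS02')
$internalHost = 'mail.example.ac.uk'
$externalHost = 'mail.example.ac.uk'

# 1. SP1 setup creates the mapi virtual directory; point it at the published namespace.
foreach ($server in $casServers) {
    Get-MapiVirtualDirectory -Server $server |
        Set-MapiVirtualDirectory -InternalUrl "https://$internalHost/mapi" `
                                 -ExternalUrl "https://$externalHost/mapi"
}

# 2. Outlook uses those URLs exactly as handed out, so every host name must be on
#    the certificate that IIS presents on every CAS (directly or via a wildcard).
$problems = foreach ($server in $casServers) {
    $iisCerts = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' }
    foreach ($name in @($internalHost, $externalHost) | Select-Object -Unique) {
        $wildcard = '*.' + ($name -replace '^[^.]+\.', '')
        $covered  = $iisCerts | Where-Object {
            ($_.CertificateDomains -contains $name) -or ($_.CertificateDomains -contains $wildcard)
        }
        if (-not $covered) { '{0}: no IIS certificate covers {1}' -f $server, $name }
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the certificate names before enabling MAPI/HTTP.'
}

# 3. Organisation-wide switch; it is off by default after SP1. Clients move over
#    when they next refresh Autodiscover, not instantly.
Set-OrganizationConfig -MapiHttpEnabled $true

# 4. Authentication is negotiated the way other web protocols do it: an anonymous
#    request should get 401 and a WWW-Authenticate header listing the schemes.
try {
    Invoke-WebRequest -Uri "https://$externalHost/mapi/emsmdb" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning 'The mapi endpoint answered an anonymous request; check its authentication settings.'
} catch [System.Net.WebException] {
    $response = $_.Exception.Response
    if ($response -and [int]$response.StatusCode -eq 401) {
        'MAPI/HTTP endpoint is up and offers: ' + $response.Headers['WWW-Authenticate']
    } else {
        throw
    }
}
```

Step 2 is the one worth keeping even if you do everything else by hand: a missing SAN on one CAS shows up as certificate warnings on exactly the clients that happen to land on that server, which is miserable to diagnose after the fact.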

Posted in Uncategorized | Leave a comment

Sharepoint Access Denied

We’ve had problems reported with some SharePoint sites recently where folks have been invited to view documents in a library and provide feedback.  The complaint is that lots of people simply get “Access Denied” messages.

A quick check of the permissions isn’t always the answer – sometimes it’s SharePoint doing exactly what it was told to do when the site was first set-up, even if that’s not immediately apparent.

In this latest case the ‘access denied’ messages were being generated because, when the site was designed, it had been decided that only a particular Project Team (with ‘Contribute’ access) should see interim versions of documents.  This seems very reasonable, doesn’t it?

Here’s what was happening:

Imagine you’ve started working on the next draft of your Communications Plan; the version may be 1.1 or 1.2. To keep things simple for site visitors you set up the site to only let them see the last major version. This makes your v1.2 document an interim version. Being an interim release it may perhaps have pending unapproved edits or spelling mistakes.

However this setting also means that your visitors, those who only have ‘read’ permission (or ‘restricted read’), will only be presented with the last major version – 1.0 in this case.

Here’s the gotcha:

If you have never actually produced a major version – you’re still working on versions  0.1 or 0.2 – then your visitors don’t get to see the document – it’s not a major version, after all.  What has confounded some who investigate this issue is that your close colleagues in the project team can see all the  files. The relevant permissions seem to be in place for the visitors too.

How does this happen?

When you set up your library you may have gone to Library -> Library Settings -> Versioning Settings and enabled major and minor (draft) versions.

Note the setting ‘Who should see draft items?’. In this example it is ‘Only users who can edit items’, not ‘Any user who can read items’.

So, if a version of a document is still at 0.2, anyone with Read or Restricted Read access permissions simply can’t see your document, by design. If you’d produced documents beyond that crucial v1.0 milestone things would be a little better. You might be working on v1.2 but at least your read-only users will see something, in this case version 1.0.

This may well be what you wanted when you first set up the library but, if this is not borne in mind, has the potential to cause much visitor (and support staff) confusion.
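Because the permissions look right and the setting is easy to forget, this is worth auditing rather than waiting for the helpdesk tickets. The script below is an added example, my own and not part of the original post: it walks a site collection and lists every document library where drafts are hidden from readers and at least one file has never been published as a major version, which is precisely the combination that produces ‘Access Denied’ for Visitors. The site URL is a placeholder; it assumes the SharePoint 2010 Management Shell on a farm server and sticks to PowerShell 2.0 syntax for that reason.

```powershell
# Added example, not from the original post: list document libraries in which
# visitors will get "Access Denied" on some files because drafts are hidden from
# readers and those files have never had a major (x.0) version published.
# Runs in the SharePoint 2010 Management Shell on a farm server (PowerShell 2.0
# compatible); the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.ac.uk/sites/project'

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Only libraries with minor versions have "draft only" files, and
                # only when drafts are hidden from plain readers does it matter.
                if ($list.BaseType -ne 'DocumentLibrary') { continue }
                if (-not $list.EnableMinorVersions) { continue }
                if ($list.DraftVersionVisibility -eq [Microsoft.SharePoint.DraftVisibilityType]::Reader) { continue }

                # A file at 0.x has MajorVersion 0: there is no published version for a
                # Read or Restricted Read user to be shown. (Walks every item; slow on big libraries.)
                $neverPublished = @($list.Items | Where-Object {
                    ($null -ne $_.File) -and ($_.File.MajorVersion -eq 0)
                })
                if ($neverPublished.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Web               = $web.Url
                        Library           = $list.Title
                        DraftVisibility   = $list.DraftVersionVisibility   # Author or Approver
                        HiddenFromReaders = $neverPublished.Count
                        Files             = ($neverPublished | ForEach-Object { $_.File.Name }) -join '; '
                    } | Select-Object Web, Library, DraftVisibility, HiddenFromReaders, Files
                }
            }
        } finally {
            $web.Dispose()
        }
    }
} finally {
    $site.Dispose()
}
# Remedies, deliberately not automated here: publish a major version of each
# file ($item.File.Publish('Published for visitors')), which keeps later drafts
# private, or widen visibility with $list.DraftVersionVisibility = 'Reader';
# $list.Update(), which exposes every future draft to every reader of the library.
```

The report is read-only on purpose. Of the two remedies, publishing a 1.0 is almost always the right one: changing draft visibility to ‘Any user who can read items’ fixes the ticket but also hands every future unapproved draft to every Visitor, which is exactly what the site owner chose to avoid.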

Posted in Uncategorized | 1 Comment

SharePoint 2010 versus 64bit Office 2013

Earlier today I needed to reset a long list of items in a SharePoint list. This task is best achieved in Datasheet view, since the alternative is to manually edit each entry. Not my idea of fun.

Now I had the ‘Datasheet’ button but it wasn’t prepared to play:

The list cannot be displayed in Datasheet view for one or more of the following reasons:
  • A datasheet component compatible with Microsoft SharePoint Foundation is not installed.
  • Your web browser does not support ActiveX controls.
  • A component is not properly configured for 32-bit or 64-bit support.

SharePoint 2010 does have some well-documented foibles with 64-bit Office installations and, having recently also been looking into a problem accessing Nexus with Internet Explorer 11 (and getting the ‘light’ version of Outlook Web App), I was inclined to assume that this would be down to something similar*.

In this case though, the problem wasn’t IE-specific – it applied equally to Opera, Chrome and Firefox  – which wasn’t a huge surprise, given that ActiveX compatibility was cited as one of the potential reasons.

So, what was the issue?

I run a 64-bit version of Windows 8.1, also with a 64-bit version of Office 2013. For reasons best known to themselves, Microsoft have decided that the latest version of Office shouldn’t come by default with the Data Connectivity Components required to use SharePoint 2010’s data sheet editor. Effectively Office 2013 was missing a load of ActiveX DLLs.

Fortunately there is a solution. As a user of Office 2013 the version number on this fix made me wince a little but it does work: what you need in this situation is the Office 2007 System Driver: Data Connectivity Components.

http://www.microsoft.com/en-us/download/details.aspx?id=23734.

Make sure that you use the 32-bit version of Internet Explorer once this is installed (the Datasheet control is a 32-bit ActiveX component, so 64-bit IE cannot load it) and your Datasheet view should be reinstated.

* For reference, the issue that makes Outlook Web App load the ‘light’ version in IE11 relates to Microsoft’s (belated) embrace of web standards. IE11 no longer sends the ‘MSIE’ token in its user-agent string, so that sites do not serve it the old CSS hacks and workarounds written for IE6, 7 and 8, which it no longer needs. Outlook Web App in Exchange 2010 looks for that token to decide which version to serve and, not finding it, falls back to the light version.

Posted in Uncategorized | Leave a comment

Outlook 2013 and ‘slow connections’

I’ve been playing with Microsoft’s new OFFCAT tool, which analyses your Office configuration and recommends improvements or corrections.

The results were mostly what you’d expect – there were a couple of newly-released Office-specific patches I was missing which don’t appear on WSUS, for example.

But I was surprised to see that my Outlook says I have a ‘slow network connection’. Initially I assumed this was based on some server-connectivity test but, no, it’s not. At least not according to Microsoft’s documentation:

Outlook is configured to determine a user’s connection speed by checking the network adapter speed on the user’s computer, as supplied by the operating system. If the reported network adapter speed is 128 KB or lower, the connection is defined as a slow connection.

This is odd. My Operating System reports that I have a 100Mbps connection. Hmmm. More investigation needed, methinks. Searching online suggests that I’m not the only one trying to get more information on how this assessment is made.

Posted in Uncategorized | Leave a comment

Turing Test commenting

Some recent comments on my posts which, sadly, will defeat their advertising purposes by not being attributed:

“I wish to voice my gratitude for your generosity for those individuals that have the need for help on your topic. Your special dedication to getting the message along had become surprisingly powerful and have constantly enabled ladies much like me to reach their objectives. Your entire useful tips and hints denotes this much to me and especially to my peers. Thanks a lot; from each one of us.”

“Thanks so much for giving everyone remarkably marvellous opportunity to read from this site. It can be so lovely and also packed with amusement for me personally and my office peers to visit your blog the equivalent of three times a week to read the fresh issues you have got. Not to mention, we are usually astounded with your surprising guidelines you serve. Some 3 facts on this page are certainly the most suitable we’ve had.”

“Great information to share and hope it will be very helpful in future. For handling higher level of corruption & typical issues i took help of: <link redacted>

“Hey there awesome blog site!! Person .. Stunning .. Remarkable .. I will take a note of your website and make nourishes additionally…I am happy to find a great deal of valuable information in the actual post, we require figure out much more approaches to this particular regard, appreciate your discussing. . . . . .”

“This is finding a extra very subjective, but I significantly choose the Zune Market place. The particular user interface can be vibrant, features much more sparkle, and a few great characteristics similar to Mixview’ that allow you to quickly observe connected photos, songs, or another users associated with what you’re playing. Simply clicking one particular may focus on in which merchandise, and yet another list of “neighbors” should come in to see, enabling you to understand around looking at by similar musicians, tracks, or perhaps users. While we’re talking about people, the Zune “Social” can also be extreme fun, enabling you to find other individuals using shared tastes and achieving buddies using them. Then you definitely may tune in to any playlist made depending on an amalgamation of the your pals are generally listening to, and this is pleasant. Individuals interested in personal privacy is going to be relieved to know you are able to stop the open public through discovering your personal tuning in practices if you consequently choose.”

“Sources a great astonishingly common occasion could possibly be wholesale jerseys from china, in general energetic surroundings favorable simply is not appropriate, your reason could be nicely, Ensure that your current networks additionally limits fixed during the entire little bit of lazio jersey”

Posted in Uncategorized | Leave a comment

Mobiles re-revisited

It was July 2012 when I last reported on the University’s mobile users so it seems like a good time to see what’s changed.

So, last summer we had 11,461 ActiveSync devices which connected to the Nexus service. Today that figure has more than doubled, to 24,492. But that’s not necessarily 24,492 different people: the number with more than one ActiveSync device has rocketed too. That figure has gone from 3,031 to 11,151.

Yet another factor to bear in mind is that not all of these devices are mobile ones  – Windows Mail uses ActiveSync but is a feature of Windows 8’s touch interface, widely known as TIFKAM.

As before I’ve not recorded devices which have fewer than twenty users.

Device          Number   % of total
Android           7623      31.1%
BlackBerry          37       0.2%
iPad              4162      17.0%
iPhone           11049      45.1%
iPod               587       2.4%
Nokia Email         74       0.3%
Palm                20       0.1%
Playbook            48       0.2%
Windows Mail       342       1.4%
Windows Phone      429       1.7%

That means that nearly a quarter of Nexus users are making regular connections via ActiveSync devices. Apple still dominate but Android is also a significant force. The graph below shows the change over time.

[Graph: ActiveSync device types connecting to Nexus, change over time]

Windows Phone shows the largest percentage increase over the last two years, but behind that impressive growth figure is the rather more down-to-Earth one that they only represent 1.7% of the total. Who knows, another year and Windows Phone could overtake the iPod!

Interestingly BlackBerry’s Playbook has leaped from ten devices last year to 48 today. But the tiny number of BlackBerry phones (even if I were to add those 360 BlackBerries using our BlackBerry Enterprise Server – not listed here) shows that their technology is very much in fourth place behind Windows Phone, Android and Apple.

I will finish off with a few final items which caught my eye – Palm lost two users over the last year and are now in a precarious position, just barely scraping onto the table by maintaining twenty active users.

I’d also like to say a big ‘hello’ to the two people who’ve bought Surface RT tablets in the last year. Maybe they’re the same two people who gave up their Palm devices?  🙂

Posted in Uncategorized | Leave a comment

Mail merging

This isn’t something I’ve had to do for quite a while so, mostly for my own reference, here are some of the more common pitfalls after you’ve done the mail-merging legwork.

MAPI32.DLL

If you have the Exchange admin tools installed this DLL gets replaced. It is usually found in C:\WINDOWS\SYSTEM32, but if you place a copy of the correct version of MAPI32.DLL in the same folder as Outlook (usually C:\Program Files\Microsoft Office\Office<version number>) Outlook will find that one first, because an application’s own folder comes before the system folder in the DLL search order.

This eliminates the nasty MAPI error messages and still allows your admin tools to work. Two cautions: take the DLL from a trusted Office installation of the same version and bitness, and leave the Office folder with its default permissions (writable only by administrators), since anything dropped into that folder is loaded by Outlook in exactly the same way.

Security Settings 

At the final hurdle, just as your mail merge is ready to go, you get the ‘Do you want to allow this?’ message. This is then followed by a succession of ‘allow/deny’ dialogue boxes – one per message  – which can get a bit wearing if you’re emailing hundreds of people…

The fix (if you don’t want to resort to third-party software, such as ‘ClickYes’) is to install the Office 2007 Group Policy template from Microsoft. Having downloaded that, launch the Group Policy editor MMC snap-in. Under ‘User Configuration’ select ‘Administrative Templates’, right-click, select ‘Add/Remove Templates’ and browse to the Outlook ADM file (ADM\en-us\OUTLK12.ADM).

You now have additional settings for Outlook 2007. Under ‘Security’ change ‘Programmatic Access Security’ to ‘Enabled’ with ‘Never warn me about suspicious activity’ selected. Don’t forget to reset this afterwards: left in place it silences exactly the warning that stops malware using Outlook’s object model to send mail as you.
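Since the whole risk here is forgetting to put the setting back, the obvious improvement is to scope it to the merge. The script below is an added example, my own and not from the original post or from Microsoft: it records the current value, sets ‘never warn’, waits while you run the merge, and restores the previous state in a finally block. It writes the per-user policy key that the ADM template targets; the value name ObjectModelGuard and its meanings (0 = warn when anti-virus is inactive or out of date, 1 = always warn, 2 = never warn) are to my knowledge correct for Outlook 2007, but confirm them against your copy of OUTLK12.ADM before relying on this.

```powershell
# Added example, not from the original post: relax Outlook 2007's Programmatic
# Access Security only for the duration of a mail merge, then restore whatever
# was there before, so the "never warn" setting is not left behind.
# The policy value the OUTLK12.ADM template writes is, to my knowledge,
# ObjectModelGuard (0 = warn when anti-virus is inactive or out of date,
# 1 = always warn, 2 = never warn); confirm against your copy of the template.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security'
$valueName = 'ObjectModelGuard'

if (Get-Process outlook -ErrorAction SilentlyContinue) {
    throw 'Close Outlook first; it reads this policy when it starts.'
}

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
$previous = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

try {
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 2 -Type DWord
    Start-Process outlook.exe
    Read-Host 'Run the mail merge from Word, then press Enter to restore the warning' | Out-Null
} finally {
    # Put the previous state back whether the merge succeeded, failed or was aborted.
    if ($null -eq $previous) {
        Remove-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $policyKey -Name $valueName -Value $previous -Type DWord
    }
}
```

Two caveats. On a domain-joined machine where this setting is delivered by Group Policy, the next policy refresh will overwrite whatever the script sets, so the override may not survive a long merge; and because the key lives under HKCU, any user can set it for themselves, which is the arms race described in the ‘Stop, thief!’ post below.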

Posted in Uncategorized | Leave a comment

“Stop, thief! My data is on that…”

We were recently contacted by one of the university’s departments to discuss their concerns about client-side data security. Their worry was that confidential material from their users’ mailboxes would be cached in Outlook’s offline store. This represented a possible data vulnerability in the event that a computer were to be stolen. The department had proposed, as a solution, that Outlook’s caching should be disabled. Users would work online, minimal confidential data would be stored on the hard disk and all would be well…

Now it is true that the locally cached copy of a user’s email  represents a possible target for the malicious. But tackling a perceived data vulnerability issue via Outlook’s offline store is to overlook countless other areas of equal or greater concern. From my team’s perspective a large number of Outlook clients failing to use caching represents higher server load. These users would have poorer Outlook performance and lose offline access to their email when away from a network.

Disabling Outlook’s caching is not a great idea for performance, server or client. It also doesn’t really address the data vulnerability issue anyway. Even if we were able to force the whole university to use Outlook on their desktops [1] there is still a vast array of users’ own devices to which data might be transferred.

If you have content that needs to be secured, my experience is that the end-user represents the weakest part of any security environment: servers are very likely to be fully patched, in a secure datacentre, audited, monitored and protected by strong security policies with ‘least privilege’ access. End users, on the other hand, tend to resent and resist security, only complying where it is impossible to avoid or where non-compliance has sanctions attached.

There are countless security options available but by far the most powerful is to require a strong password: naturally the university does this already. But in a form of arms race the end user can respond to this with software which caches this password for them.  The best solutions to the problem are, in my view, ones that are unavoidable by users. Avoiding any additional user inconvenience at the same time is a bonus. However finding that kind of solution needs a more detailed understanding of the problem.

In the case of our department’s query, a bit of probing eventually revealed that the concern related solely to the possible theft of a departmental computer.  The aim was to provide a security enhancement that should ensure that a casual thief would be unable to recover content from a stolen machine’s hard drive.

Preventing Outlook from duplicating mailbox content locally does, sort of, achieve that aim but overlooks the very real possibility that users may still be putting classified material onto their local computers. Saved attachments, PST files, and MSG files represent just a few of the email-related possibilities. But confidential data doesn’t just move around via email. Plugging one possible route doesn’t affect others.

The ideal situation would therefore seem to be something that doesn’t require user interaction or effort yet secures whatever data our users might care to store on their computer’s hard disk. Fortunately technology comes to the rescue: most of the university’s current crop of desktops have a TPM chip, which offers a very simple way to secure hard disks. A brief foray into the BIOS might be needed to enable and activate the TPM, but then Windows can do the remaining heavy lifting. The Enterprise and Ultimate editions of Vista and Windows 7, and the Pro and Enterprise editions of Windows 8, all include BitLocker. This is a full-disk encryption technology that, in TPM-only mode, requires no user interaction at all; users may not even be aware it is running.

BitLocker’s volume key is sealed to the computer’s TPM so, as long as the TPM sees unmodified boot files, the operating system starts normally and the key is released without anyone typing anything. From that point onwards, of course, we are back to depending on the user’s logon password and sensible lock-screen settings. It is therefore while a computer is powered off that BitLocker offers a solid defence against data loss. Routes to the data still exist, but they need someone both highly technical and determined: because TPM-only mode releases the key to anyone who powers the machine on, an attacker can boot a stolen machine to the logon screen and then go after the key in RAM, for instance with a cold-boot attack (dumping memory from a machine that is running, sleeping, or has only just been powered off). A laptop stolen while asleep rather than shut down is the easy case for that. None of this is what a casual thief is likely to undertake; password phishing probably represents less effort for greater gain...

If you want to close that gap, BitLocker on a TPM machine can be configured to require a PIN (or a USB start-up key) before the TPM releases the key. That is a hassle for the regular user and loses the transparency of TPM-only mode, but it is more secure: a powered-off machine cannot simply be booted to get the key into memory, so cold-boot and similar attacks from a really determined attacker become that little bit harder. Computers without a TPM can still use BitLocker, but only with a USB start-up key (or, from Windows 8, a password) at every power-on.

In my view BitLocker is one of those features that you should use if it is available to you. It is not perfect by any means but, on a TPM-enabled computer, it is completely transparent to the end user, and full-disk encryption makes most, if not all, data theft from a stolen machine uneconomic.

[1] Good luck with that idea.
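What that looks like in practice, as an added example of my own (not from the original post or from Microsoft): a script that reports whether the OS drive already has TPM-backed BitLocker with a recovery password escrowed and, when run with -Enable, turns it on, adding the recovery password first and backing it up to Active Directory before encryption starts. The -UsePin switch gives the TPM+PIN variant discussed above. It assumes Windows 8 or 8.1 Pro/Enterprise, an elevated PowerShell session, the BitLocker and TrustedPlatformModule modules, and the usual Group Policy settings for AD recovery-information backup and for permitting a start-up PIN; save it as a .ps1 to use the switches.

```powershell
# Added example, not from the original post: report the state of the OS drive
# against what the post recommends (BitLocker protected by the TPM, with a
# recovery password escrowed in AD DS) and, with -Enable, turn it on.
# Windows 8/8.1 Pro or Enterprise, elevated PowerShell, BitLocker and
# TrustedPlatformModule modules; the AD backup needs the usual BitLocker GPO,
# and -UsePin needs "Require additional authentication at startup" to allow a PIN.
param([switch]$Enable, [switch]$UsePin)

$osDrive = $env:SystemDrive
$tpm = Get-Tpm
$vol = Get-BitLockerVolume -MountPoint $osDrive
$protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

New-Object PSObject -Property @{
    TpmPresent     = $tpm.TpmPresent
    TpmReady       = $tpm.TpmReady
    VolumeStatus   = [string]$vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
    ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
    Protectors     = $protectorTypes -join ', '       # Tpm, TpmPin, RecoveryPassword, ...
    RecoveryEscrow = ($protectorTypes -contains 'RecoveryPassword')
} | Select-Object TpmPresent, TpmReady, VolumeStatus, ProtectionOn, Protectors, RecoveryEscrow

if (-not $Enable) { return }
if ($vol.ProtectionStatus -eq 'On') { Write-Warning 'Already protected; nothing to do.'; return }
if (-not $tpm.TpmReady) {
    throw 'TPM is not ready: enable and activate it in the BIOS (then Initialize-Tpm) first.'
}

# Recovery password first, so that a cleared TPM or a motherboard swap cannot lock
# us out, and escrow it to AD DS rather than leaving it on the user's screen.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

if ($UsePin) {
    # TPM+PIN: the TPM will not unseal the volume key until the PIN is typed, so a
    # stolen, powered-off machine cannot simply be booted to get the key into RAM.
    $pin = Read-Host -AsSecureString 'Choose a BitLocker start-up PIN'
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin
} else {
    # TPM only: transparent to the user, which is the trade-off the post accepts.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -TpmProtector
}
```

The report half is the part to run across a fleet: a machine that shows ProtectionOn true but RecoveryEscrow false is one you will not be able to unlock after a TPM clear or a BIOS update that changes the boot measurements, and that failure mode arrives long before any thief does.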

Posted in Uncategorized | Leave a comment

Kies, Samsung firmware and bricks

I recently opened up Samsung’s Kies software, to synchronise some of the content that doesn’t get updated over the air, and was given a popup notification of a new firmware version. Having done similar upgrades through Kies before I didn’t think twice: new equals shiny equals better, right?

To cut a long story short, this time the update didn’t work. My phone was stuck in limbo and Kies couldn’t get the process to finish. My only hope seemed to be ’emergency firmware recovery’ via a recovery code that Kies presented to me. But even this option didn’t resurrect my slumbering Galaxy S2.

Rather than assume my half-upgraded phone was now a brick I considered my options. Even if Kies can’t do the upgrade it can at least download the correct firmware for you. I found that Kies downloads its firmware updates into the TEMP folder. The file’s name is in the format ‘tmp<4 hexadecimal characters>.tmp’.

You have to be quick to find it though. Kies decompresses the file into a folder called ‘tmp <4 hexadecimal characters> .tmp.zipfolder’  and almost immediately afterwards begins the firmware upgrading process. Once it gets to 100% these files are removed sharpish – grab a copy while you can! Putting ‘%TEMP%’ into the ‘run’ dialogue box makes this easier to find.

Since Kies couldn’t do the job I finally resorted to the rooter’s favourite: Odin. This little program, armed with the firmware I’d grabbed from Kies’ temp folder, was thankfully able to bring my phone back to life.

As a further bonus, and unlike those who go down the rooting process proper, Kies will still happily talk to my phone for synchronisation and backups. One final point to note – the recovery didn’t work until I had tried using a different USB cable (I switched from my no-name eBay purchase to an official Samsung one) and also plugged straight into a USB port, rather than via a powered hub.
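Rather than racing Kies by hand, a small watcher can grab the package for you. The script below is an added example, my own and not from the original post or from Samsung: it polls %TEMP% for files matching the tmp<4 hex>.tmp pattern, waits until the size stops changing (Kies is still downloading otherwise), copies the file out, and records its SHA-256, so that whatever you later feed to Odin is a known quantity rather than a mystery blob. It assumes Windows PowerShell 4.0 (Windows 8.1) for Get-FileHash; the destination folder and the 100 MB minimum size are my assumptions.

```powershell
# Added example, not from the original post: sit on %TEMP% while Kies downloads,
# copy each firmware package (tmp<4 hex>.tmp) once its size stops changing, and
# record its SHA-256 so you know exactly what you later flash with Odin.
# Windows PowerShell 4.0 (Windows 8.1) for Get-FileHash; the destination folder
# and the 100 MB minimum size are assumptions.
$dest    = Join-Path $env:USERPROFILE 'Desktop\kies-firmware'
$minSize = 100MB
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$seen = @{}
Write-Host "Watching $env:TEMP; start the Kies upgrade now (Ctrl+C to stop)."
while ($true) {
    Get-ChildItem -Path $env:TEMP -Filter 'tmp*.tmp' -File |
        Where-Object {
            $_.Name -match '^tmp[0-9a-f]{4}\.tmp$' -and
            $_.Length -ge $minSize -and
            -not $seen.ContainsKey($_.FullName)
        } |
        ForEach-Object {
            $file = $_
            # Still growing means Kies is still downloading; wait until two reads agree.
            do {
                $size = $file.Length
                Start-Sleep -Seconds 3
                $file.Refresh()
            } while ($file.Exists -and $file.Length -ne $size)
            if (-not $file.Exists) { return }            # Kies already cleaned it up

            $target = Join-Path $dest $file.Name
            try {
                Copy-Item -Path $file.FullName -Destination $target -ErrorAction Stop
                $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
                $line = '{0}  {1} MB  SHA256={2}' -f $file.Name, [math]::Round($file.Length / 1MB), $hash
                Add-Content -Path (Join-Path $dest 'hashes.txt') -Value $line
                Write-Host $line
                $seen[$file.FullName] = $hash
            } catch {
                # Typically "in use by another process"; leave it unseen and retry next pass.
                Write-Warning ('Could not copy {0} yet: {1}' -f $file.Name, $_.Exception.Message)
            }
        }
    Start-Sleep -Seconds 2
}
```

The hash is the security-relevant bit. Odin will flash whatever it is given, so before using a saved package compare its hash with a copy obtained independently where you can; at the very least hashes.txt tells you afterwards which of several grabbed files actually went onto the phone.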

Hopefully this may help someone else who finds themselves stuck in a similar position.

Posted in Uncategorized | 5 Comments

BlackBerry Enterprise server versions

Mostly for my own reference here’s how the BlackBerry bundle numbers you see in ‘Add/Remove programs’ correspond to the various maintenance releases and hotfixes:

Updated 13th April 2014

Version                  Bundle
5.0                         223
5.0 MR1                     236
5.0 MR2                     244
5.0 MR3                     255
5.0 MR4                     267
5.0.1 (Service Pack 1)       70
5.0.1 MR1                    82
5.0.1 MR2                   117
5.0.1 MR3                   139
5.0.2 (Service Pack 2)       36
5.0.2 MR1                    51
5.0.2 MR2                    96
5.0.2 MR3                   119
5.0.2 MR4                   133
5.0.2 MR5                   146
5.0.3 (Service Pack 3)       33
5.0.3 MR1                    41
5.0.3 MR2                    53
5.0.3 MR3                    93
5.0.3 MR4                   107
5.0.3 MR5                   143
5.0.3 MR6                   163
5.0.3 MR7                   227
5.0.3 MR8                   256
5.0.4 (Service Pack 4)       38
5.0.4 MR1                    52
5.0.4 MR2                    70
5.0.4 MR3                    86
5.0.4 MR4                   100
5.0.4 MR5                   116
5.0.4 MR6                   128
5.0.4 MR7                   160

Service Pack 4 Maintenance Release 7 is dated 9th April 2014. The minimum requirement to install this remains the same: the server must be running at least v 5.0.4 (bundle 38).

Posted in Uncategorized | Leave a comment