Nexus365 and iOS support

Apple have never been as clear as Microsoft regarding the timeline over which their software will be officially supported. However as a general rule the current version of the operating system, and the one immediately preceding it, can be considered officially supported. When dealing with Microsoft Office apps on iOS Microsoft are now following that premise.

Word, Excel, PowerPoint and OneNote are no longer supported for Office app updates on devices running iOS 10 (or earlier versions of iOS). In November support for Outlook will also cease for those versions of iOS.

These Office apps will continue to work, albeit officially unsupported and without further updates. Once the device is updated to iOS 11 (or later), Office apps will then resume receiving updates and patches. Users should be made aware that, if no action is taken to keep their operating system current, Outlook for iOS will eventually stop synchronising email and calendar data. Furthermore all Office apps will stop receiving feature and security upgrades.

Best advice is always to ensure your operating system is current to minimise exposure to security vulnerabilities. This will also ensure your Office programs continue to work securely too.

Posted in Uncategorized | Leave a comment

Nexus365 and TLS – update to TLS1.2!

Microsoft are planning to discontinue support for the older 1.0 and 1.1 versions of Transport Layer Security (TLS) in Microsoft Office 365 from the end of October 2018.

TLS is the successor to the (now deprecated) Secure Sockets Layer  protocol which was designed to provide secure communications over a network. The protocol’s job is to provide reliable privacy and data integrity between client and server- so it is important that Nexus365 only implements current fully-supported versions.

The TLS protocol builds on Netscape’s original SSL specifications from the mid 1990s, which added HTTPS support to Netscape Navigator. TLS was first defined in 1999 with the specification updated in 2008 (RFC5246) and again in 2011 to ensure TLS was used in preference to SSL (RFC6176).

TLS 1.0 originally  included an option to downgrade to SSL3, weakening security and potentially allowing known attack vectors to be exploited. The revised TLS 1.1 dates from early 2006, and was again revised in the summer of 2008 with TLS 1.2 becoming a standard. Dropping support for versions of TLS older than v1.2 will thefore be mandating use of a protocol that has been around for a decade. Only the oldest, least regularly updated client software, should be unable to connect using TLS 1.2. In fact some browsers already support TLS 1.3, currently a draft standard, dating from March 2018.

The October 2018 deadline for dropping TLS 1.0 and 1.1 support already represents a postponement of Microsoft’s original planned date, so is unlikely to be extended further.

To ensure you can still use secure connections to Nexus365 after the end of October 2018 all client and browser software used to access Nexus365 must therefore be using TLS 1.2 or later. This may mean you need to update, or replace, your software in order to connect securely. Any TLS-related connectivity issues logged in support tickets relating to Nexus365 will require an update to TLS 1.2 as part of the resolution.

Examples of software known to use old versions of TLS:

  • Android 4.3 (and earlier)
  • Firefox version 5.0 (and earlier – and any related forks of it)
  • Internet Explorer 8-10 on Windows 7 (and earlier)
  • Internet Explorer 10 on Windows Phone 8.0
  • Safari 6.0.4/OS X10.8.4 (and earlier)

Analysis shows that, as a proportion of all traffic, very little of it is TLS 1.0 and 1.1 usage. Please note that we are not mandating that you cease using older versions of TLS for other functions. If you are still using TLS for other purposes you can leave it enabled for those functions – however TLS 1.2 should be enabled for secure connections to Nexus365 in addition to those.  This should ensure that you avoid future TLS connectivity issues when accessing Nexus365.

Posted in Uncategorized | Leave a comment

Outlook 2016 slow when connecting to Nexus Exchange

We’ve had reports from some Nexus users that Outlook 2016 can appear to hang while trying to make a connection to our Exchange servers. The reported delay is between thirty and forty seconds, after which the connection is established and normal service resumes.

People who have stayed on Outlook 2013 don’t generally encounter this issue, but if they do they can easily resolve it by tweaking settings.

Here is what’s going on: the Exchange 2010 Autodiscover service tells the client to try a regular RPC/TCP connection before resorting to a RPC/HTTP connection. 

In Outlook 2013 there is an option in the program’s settings: ‘On fast networks, connect using HTTP first, then connect using TCP/IP’. This setting resolves the issue (and these days ‘fast network’ means any connection that’s faster than dial-up).

But if you’ve updated to Outlook 2016 that option has disappeared. Essentially you’re looking at a mismatch of versions – Microsoft are assuming that Outlook 2016 will be connecting to Exchange 2016. Once we’ve migrated to Nexus365 we will be but, currently, we’re still on Exchange 2010 on-premises. In other words, even with our best-practice server configuration, newer versions of client software are creating ‘gotchas’ for us…

What can the Nexus Team do about this?

There is an option of mandating all Nexus client connections to use HTTP first. This is a server-side setting we can apply. However this has an adverse effect for everyone who doesn’t use Outlook. For us, that’s a lot of people. We have had to rule out that solution.

The longer-term solution is to migrate our users to Nexus365, since that will effectively bring the servers you are connecting to bang up to date. Pilot migrations begin next month.

What can I do about this?

The recommendation for University IT Support Staff is to use Group Policy to resolve this wherever possible – the policy settings that are equivalent to Outlook 2013’s tickboxes still exist. Microsoft may have removed the interface to see them in Outlook 2016 but the configuration can still be made, albeit via a circuitous route.

The setting you want to change is:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Account Settings\Exchange

Enabling ‘flag 4’ is equivalent to ticking the checkbox in Outlook 2013 for using HTTP first.

Self-managing Outlook 2016 users can edit their registry to achieve the same effect. You need to create (or modify) this key:


Add a DWORD value of ‘ProxyServerFlags’ with a decimal value of 47.

Note that because this is a current-user setting you will also need to apply it for other users of the same PC.

If the problems persist, for multiple users, please verify that your DNS settings are correct for autodiscover to successfully resolve your unit’s subdomain. Even after all these years since Nexus went into service we still find occasional pockets of users putting up with slower-than-needed lookups and configuration challenges which are avoidable with autodiscover set correctly.

Posted in Uncategorized | Leave a comment

OnTheHub renewals…

When the University first signed up for the OnTheHub service plenty of University members went there to obtain free or discounted software. When asked to register, they used their official email address – after all, why wouldn’t you?

Some time later, as Nexus’ migration to Office 365 project kicked off, it became apparent that this couldn’t continue: we needed to reserve all of the University’s email domains/suffixes for use in our official Office 365 tenancy. Users who were using their University email addresses for any other interaction with Microsoft were creating a ‘viral tenancy’ with no administrative control, while simultaneously preventing us from adding that domain name to the official tenancy. And without the ability to add that domain name to ‘Nexus365’ that college or department would be stuck for all eternity on a tiny in-house Nexus mailbox.

It was around a year ago we identified this problem and asked Kivutu, who administer OnTheHub, to stop accepting registrations from University email addresses. Now users of OnTheHub are asked to register with an email address in the format Our help text was also updated to reflect that change.

A year on from that we now have a new problem. OnTheHub users are asked to periodically renew their licence, to prove that they are still members of the University and thus entitled to continue using that software.  It’s been a year, so University OnTheHub users are starting to relicence their software, as requested.

To verify entitlement, users are asked to log in…
The problem is that after all this time many users have forgotten about that address – many of them have been trying to log in with their official University email address. Because we’ve been adding all of those email domains to the official Nexus365 tenancy, and we’ve federated it via Shibboleth to use single-sign-on addresses, Microsoft’s logon page sees an address that belongs to us and ‘helpfully’ sends the request in our direction.

Your end user sees a standard SSO logon, knows what to do with that, so logs in. However what they get is not OnTheHub. What they’re seeing is, in effect, a sneak preview of Nexus365. But it’s not usable in any meaningful sense as what they’re seeing is a not-yet-migrated and not-yet-licensed example of Nexus365. All of the new exciting toys are visible but none of them are usable until we are able to start migrating folk across.

It would therefore be a great help to us, and a useful reduction of the support burden on the helpdesk, if you could advise your OnTheHub users to look up their alias and use that to re-licence their Microsoft software downloads. It will have been sent to their official University email address so should be searchable within their mailbox. Finding and using that address will  ensure that a greater number of people can continue using their software without delay or (additional) confusion by re-licensing at their first attempt.




Posted in Uncategorized | Leave a comment


The Nexus team are trying things out. My mailbox is now just a tad larger than it was yesterday.

Isn’t this number a lovely sight? 🙂

Posted in Uncategorized | Leave a comment

BlackBerry decline continues

The Nexus Blackberry Enterprise server is licensed for 378 BlackBerry devices. And, back in 2010, we needed every last one of those licences. Today things are very different. After a lengthy process contacting users and removing those who had given up their BlackBerries, there are now only 27 people still registered on the server. Of those, only 25 have made contact during the last month. This means that active usage has more than halved just since July 2016, when we counted sixty active users.

Nexus’ BlackBerry server software does not support the current range of BlackBerry handsets. In order to support these newer devices our server software would have to be upgraded. More importantly the version change requires users’ devices to be re-licensed (at cost). The expense and effort required to do this does not make good financial sense for a system hosting so few users. The service requires two BlackBerry Enterprise Servers, for redundancy, and a back-end SQL database. All of these need monitoring, updating, backup, and general fettling. For 25 people this routine upkeep doesn’t represent a good return on the effort required. The department would struggle to justify provision of any new service from which fewer than thirty University members would benefit and which only supports obsolete devices.

The intention is that Nexus’ BES service will be retired ahead of the migration to Office 365. All current BlackBerry server users (i.e. anyone who bought a licence and has gone through the server activation process) should plan to replace those devices as soon as possible. New Blackberry handsets can still be used to connect to Nexus but should be configured to connect only via the ActiveSync protocol. If you are a BlackBerry user who use BIS, or ActiveSync, to connect to Nexus you will be unaffected regardless of whether we maintain a Nexus BlackBerry Enterprise Service.


  • 81% are using a device that’s over five years old.
  • The other 19% have 9720 devices (which were first introduced in the summer of 2013).
  • The oldest devices in use – an 8310 and an 8800 model – date from 2007.
Posted in Uncategorized | Leave a comment

Nexus’ BlackBerry Enterprise Server

Early last week an email was sent to all Nexus BlackBerry users whose devices had not made contact for at least three months. The responses (or non-delivery reports!) from those people have allowed a further clean-up of inactive users.

Following this work the number of users remaining on Nexus’ BlackBerry Enterprise Server is now down to 33. A further four names look eligible for removal, since those users’ BlackBerries haven’t made any connection to our servers during February. For now, however, they remain listed as active users.

Maintaining two BlackBerry Enterprise Servers, and a SQL database,  for such a small number of users does not represent a good return on the effort required. The department would struggle to justify provision of a new service from which fewer than thirty University members would benefit.

Nexus’ BES service will therefore be retired ahead of the migration to Office 365. Current BlackBerry users should not replace old devices with new Blackberry handsets unless they propose to connect them to Nexus only via the ActiveSync protocol.

Posted in Uncategorized | Leave a comment

Office 365, viral tenancies, and side effects

All of the University’s domain names have to be added to Office 365 in order to use them with the service. This process has been hampered both by the sheer number of domains in use here and Microsoft’s decision to allow users to self-register for the service.

Self-registration is described in the documentation as making life easier for the administrator. And if all you’re worried about is ensuring that your users can access Office software as easily as possible then that aim is achieved. However domains with self-registered users become, in Microsoft’s parlance, a ‘viral tenancy’ – anarchic and uncontrolled. To bring them back under central control one must first prove ownership of the domain. This requires:

  • A valid email address within that domain
  • Following a link in a confirmatory email sent to you.
  • Filling in a registration form.
  • Skipping the ‘invite other users’ message.
  • Answering the ‘become the admin’ invitation and collecting a verification text string.
  • Adding the text string into DNS.
  • Cancelling the ‘provide admin contact details’ message.
  • Verifying that the string found in a DNS query matches the one they provided.

Only once all of that has been done can you login to Azure via Powershell and disable any further self-registrations from taking place:

Set-MsolCompanySettings -AllowAdHocSubscriptions $false

In an organisation with, say, two domain names this isn’t too onerous a task. But when you have several hundred domains the lack of an automated way to do this becomes a trifle wearing. Each of these reclaimed domains can then be added into the official tenancy but this too requires a DNS text string to be generated, added, and verified for each one. It is the manual and repetitive aspects of this process which are taking time but we hope to have all University domain names under the central Office 365 tenancy by the end of October 2016.

Unintended Consequences

This process has also produced some other unexpected side-effects – many Nexus users will have used their University email address for things like XBox Live or Visual Studio accounts. Once the domain name has been formally ‘claimed’ for use in Office 365 it is no longer available for ad-hoc registrations for these other services.

"You can't sign up here with a work or school email address. User a personal email..."

Sign-up denied


We therefore recommend that all Nexus users ensure that they always use a personal email address when registering for a non-University service.


Posted in Uncategorized | Leave a comment

RDP: “The connection has been lost.”

This message was appearing a little too often for my liking:


“The connection has been lost. Attempting to reconnect to your session… “

In many cases this problem is caused by a feature known as Auto-Tuning. This is supposed to continually adjust TCP/IP receive window size based on the network conditions at any given moment. But on a less-than-perfect network this can cause time-out issues.

The TCP receive window size is the maximum amount of incoming data that can be buffered at once on the receiving side of a connection. The sending host can send only that amount of data before waiting for an acknowledgement and then a “receive window” update from the receiving host.

The TCP/IP stack nowadays tunes itself with larger default window sizes than it used to. Instead of using a hard-coded default value, TCP automatically adjusts the window size – beneficial during bulk data transmission by reducing the number of segments sent with large amounts of data.

Auto-Tuning continually determines the optimal receive window size by measuring bandwidth delays and the application’s retrieve rate. In an ideal world this means excellent performance even with changing network conditions. In the real world this means occasional timeout errors…

This doesn’t just affect Remote Desktop – some older version of Outlook used to get error 0x800CCC0F (“The connection to the server was interrupted. If this problem continues, contact your server administrator or Internet service provider (ISP).”) for the same reason.

What can be done?

To tweak your auto-tune settings:

Run CMD as an administrator and enter this command:

netsh interface tcp set global autotuninglevel=restricted

If you later wish to reverse this setting:

netsh interface tcp set global autotuninglevel=normal

To see what you’ve got right now:

netsh interface tcp show global

The permited values for the AutoTuningLevel parameter are:

Sets the receive window at the default value.
Lets the receive window grow beyond the default value, but does so very conservatively.
Lets the receive window grow beyond the default value, but limits such growth in some scenarios.
Lets the receive window grow to accommodate most scenarios.
Lets the receive window grow to accommodate extreme scenarios.

N.B.  The experimental value may decrease performance and should only be used for testing.


Posted in Uncategorized | Leave a comment

RIP Smartscreen

Microsoft have included spam-filtering in Exchange for many years, under the SmartScreen name. But from 1st November that will change: there’ll be no more updates and the feature won’t be included in new versions of Exchange Server.

Updates for SmartScreen client-side spam-filtering for Outlook on Windows will also be ending, although SmartScreen will remain current in Microsoft’s web browsers. Despite sharing the name the in-browser feature protects against malicious websites.

If you’re using SmartScreen now the existing definitions you have will still be there, and will still work, but there won’t be any more updates to them after 1st November.

The motivation for this seems to be twofold – the blunt instrument of applying a spam-confidence level to an email isn’t very effective, and Microsoft’s online protection offering does a far better job. Realtime filters can react faster to spoofed email, hijacked accounts, and user feedback. Coincidentally Exchange Online Protection is chargeable for on-premises users, perhaps as a further incentive to move to Office 365.

There is no net effect on Nexus from this change (Oxmail does the job of spam-scoring for the University) but, as many of you know, messages categorised as legitimate can still end up in ‘junk’ because of Outlook applying filters – it’s why we’ve always advised that users set spam filtering via the SCL and not via Outlook’s SmartScreen. The absence of future updates mean that client-side spam filtering will only become less effective over time.

In the longer term Nexus’ move to Office 365 should ensure that Exchange Online Protection has an opportunity to take over spam-filtering responsibilities.

Posted in Uncategorized | Leave a comment