
Topic: Complete guide to configure multi-tenant hosting for Exchange 2007 with ISA 2006

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanked
    2513
    Thanks given
    272

    Complete guide to configure multi-tenant hosting for Exchange 2007 with ISA 2006

    Code:
    http://www.messagingtalk.org/complete-guide-to-configure-multitenant-hosting-for-exchange-200
    PART-1

    Overview
    Multi-tenant hosting for Exchange is also referred to as shared hosting for Exchange. There are many ways to achieve it, and one of the solutions most recommended by Microsoft is Hosted Messaging Collaboration. It is a complete solution, not only for Exchange but also for SharePoint and Office Communications Server.
    However, not every company has the budget to deploy such a complex infrastructure. They might have limited resources, both hardware and professionals, or they simply have some unique requirements that HMC cannot fulfill.
    Therefore a more flexible but manual way of deployment is required. That is the purpose of this article.
    Solution Overview

    This illustration presents a typical multi-tenant setup which provides the major fundamental services, such as Outlook Web Access, Outlook Anywhere, Offline Address Book web distribution, Autodiscover, etc. Each tenant (company) should not be able to see the others' Global Address List or extend its search or name resolution into the others' address books. In other words, they are supposed to see only what they are allowed to see.
    Below is the infrastructure diagram of a typical setup, and I will configure the multi-tenant using this type of setup.

    You may realise that there isn't any Edge server role or UM server role in this setup, simply because I want to make this tutorial short and simple, so that anyone will be able to understand the rationale behind the technique and deploy a P.O.C setup very quickly.
    Customer Background
    Let's assume Company A and Company B approached my company and wish to sign up for email services but do not want to pay a higher price for dedicated servers. Company A and Company B do not know each other and they are competitors. So, as the engineer who will deploy the setup, I have to ensure that they can't see each other and that the contacts of both companies can't be seen by the other party.
    Pre-requisites

    1. OS installation needs to be completed
    2. Exchange Server role deployment needs to be completed
    3. Administrator is able to send out and, if possible, receive mails
    4. ISA server(s) installed with OS and application.

    Environment Setup
    1. Create OUs for root hosting directory and customers

    2. Add the customers' domain names to the UPN. This step is to allow your customers to log in to the common OWA page using their own email address.

    You need to open the "Active Directory Domains and Trusts" management console, right click on the root level and click on "Properties"; you will see the options shown above.
    3. Create a global security group for each of your customers under their own OU. Alternatively you can also create a distribution group that your customer will use for a send-to-all function in the future (you should use the Exchange Management Console to create distribution groups in Exchange 2007).

    4. Add your customers' public internet domains to the Accepted Domains in your Exchange 2007 setup.

    Alternatively, you can achieve that by using the Exchange command shell as listed below.
    New-AcceptedDomain -Name "Company A" -DomainName "coa.com" -DomainType "Authoritative"
    5. Create "Email Address Policy" for all the customers

    For my setup, I prefer to use the "Company" attribute as the key to apply the policy. You may wish to use other attribute(s) to define your policy.


    This is the place where you need to define how you want the email address format to be.

    For my setup, I am using "Last name.first name" format.

    Select the domain from the list.


    Alternatively, you can achieve this by using the command shell:
    New-EmailAddressPolicy "Company A EAP" -IncludedRecipients "AllRecipients" -ConditionalCompany "Company A" -Priority "1" -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%1@coa.com"
    Here is the definition of the SMTP address format: %g = first name, %s = last name, 1 = initial (add after % and before g or s), %m = alias.
    6. Create Address List for each of the customers




    Alternatively, you can achieve this by using the command shell:
    New-AddressList -Name "Company A Address List" -Container "\" -IncludedRecipients "AllRecipients" -ConditionalCompany "Company A"
    7. Create Global Address List for the customers
    In Exchange 2007, a Global Address List can only be created and modified in the command shell. Below is an example:
    New-GlobalAddressList -Name "Company A GAL" -ConditionalCompany "Company A" -IncludedRecipients AllRecipients
    8. Create Offline Address Book for the customers





    The option to enable public folder distribution is for Outlook 2003 clients; if your customers are using Outlook 2007, the option can be disabled.


    Alternatively, you can achieve that by using the command shell:
    New-OfflineAddressBook -Name "Company A Offline Address Book" -Server "HAWAII" -AddressLists "\Company A Address List" -PublicFolderDistributionEnabled $true -VirtualDirectories "ALASKA\OAB (Default Web Site)"
    In the next article, we are going to do the actual configuration that will make the multi-tenant setup work flawlessly.
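    The Part 1 steps above as one Exchange Management Shell script, an added example and not code from the original post. The tenant OU DN and the group name are constructed here; "HAWAII" and "ALASKA\OAB (Default Web Site)" are the server and virtual directory names used in the post, and the address template follows the post's stated last name.first name format.

```powershell
# Added example (not code from the original post): provision one tenant's Exchange 2007
# objects in the order Part 1 describes. Run in the Exchange Management Shell.
# Constructed values: the tenant OU DN and the group name. "HAWAII" (mailbox server) and
# "ALASKA\OAB (Default Web Site)" (OAB virtual directory) are the names used in the post.
param(
    [string]$TenantName     = "Company A",
    [string]$SmtpDomain     = "coa.com",
    [string]$TenantOU       = "OU=Company A,OU=Hosting,DC=united,DC=com",
    [string]$AllUsersGroup  = "COA_S_All",
    [int]   $PolicyPriority = 1,
    [string]$OabServer      = "HAWAII",
    [string]$OabVirtualDir  = "ALASKA\OAB (Default Web Site)"
)

# Step 4: accept mail for the tenant's public domain
New-AcceptedDomain -Name $TenantName -DomainName $SmtpDomain -DomainType Authoritative

# Step 3: mail-enabled security group; Part 2 grants the address-list rights to it
New-DistributionGroup -Name $AllUsersGroup -SamAccountName $AllUsersGroup -Type Security -OrganizationalUnit $TenantOU

# The Company attribute is the key every filter below selects on, so stamp it on
# everything already living in the tenant OU
Get-User -OrganizationalUnit $TenantOU | Set-User -Company $TenantName

# Step 5: email address policy in the post's "last name.first name" format
New-EmailAddressPolicy -Name "$TenantName EAP" -IncludedRecipients AllRecipients `
    -ConditionalCompany $TenantName -Priority $PolicyPriority `
    -EnabledPrimarySMTPAddressTemplate "SMTP:%s.%g@$SmtpDomain"

# Steps 6-8: per-tenant Address List, Global Address List and Offline Address Book
# (-PublicFolderDistributionEnabled is left out; it is only needed for Outlook 2003 clients)
New-AddressList -Name "$TenantName Address List" -Container "\" -IncludedRecipients AllRecipients -ConditionalCompany $TenantName
New-GlobalAddressList -Name "$TenantName GAL" -IncludedRecipients AllRecipients -ConditionalCompany $TenantName
New-OfflineAddressBook -Name "$TenantName Offline Address Book" -Server $OabServer `
    -AddressLists "\$TenantName Address List" -VirtualDirectories $OabVirtualDir

# Apply the policy and build the lists now rather than waiting for the next schedule
Update-EmailAddressPolicy -Identity "$TenantName EAP"
Update-AddressList -Identity "$TenantName Address List"
Update-GlobalAddressList -Identity "$TenantName GAL"
Update-OfflineAddressBook -Identity "$TenantName Offline Address Book"

# Check: preview who the new GAL filter actually matches. Anyone from another tenant
# showing up here means the Company attribute is wrong on that object.
Get-Recipient -RecipientPreviewFilter (Get-GlobalAddressList "$TenantName GAL").RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, RecipientType
```

    Run it once per tenant with that tenant's name, domain, OU and group; the preview at the end is the quickest way to catch a mis-stamped Company attribute before Part 2 locks the permissions down.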





  2. #2
    Code:
    http://www.messagingtalk.org/complete-guide-to-configure-multitenant-hosting-for-exchange-20-0
    PART-2

    After completing the configuration in part 1, your environment is ready to proceed with the multi-tenant configuration.
    As of now, any account created in either OU is able to see the other. That is fine for now.
    You should create at least 2 users and groups for each company and check whether the Email Address Policy, Address List and Global Address List are configured correctly.
    If everything is fine, then let's proceed with the multi-tenant configuration.
    1. Make the hidden attribute visible
    Due to the unique configuration and special security requirements, we need to enable a hidden directory attribute called "List Object". This enables the Exchange administrator to control which address lists, users or groups a particular user or group is allowed to see.
    To do that, you need to modify the "dSHeuristics" property using ADSIEdit.msc. It can be found under "CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=yourdomain, DC=local". Right click on it and go to "Properties".



    Change the value to "001"

    Now you can see "List Object" attribute.
    2. Breaking and reassigning permission inheritance
    Now you are ready to break the inheritance of several containers. This step is the most important step in the whole configuration. However, if at any point you accidentally misconfigure the permissions, you can always re-inherit the permissions from the parent container. I have personally done that several times before getting the P.O.C setup working. :-)
    Follow the screen capture shown below.
    There are 3 main containers for which you have to break the inheritance first. They are "All Address Lists", "All Global Address Lists" and "Offline Address Lists".
    You can find them by using ADSIEdit and selecting the Configuration partition.
    CN=Address Lists Container, CN=<your Organization>, CN=Microsoft Exchange, CN=Services, CN=Configuration



    Uncheck "Include inheritable permissions from this object's parent" and you will receive these warning prompts; just click on the button circled.



    You should now be back on the security tab of the container; simply remove the following 3 entries:
    Anonymous Logon, Everyone and Authenticated Users
    Click on "OK" to exit.
    Open up an Exchange Command Shell and perform the following actions. The command parameter "-User" can be used for both user objects and group objects.
    $container="CN=All Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
    $container="CN=All Global Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
    $container="CN=Offline Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission -Identity $container -User "Authenticated Users" -AccessRights ListObject
    You have to break the permission inheritance for each individual customer's Address List, Global Address List and Offline Address List.
    Once that is done, remember to remove the "Authenticated Users" entry from the security tab of their properties.
    Then perform the following commands in the command shell console for all your customers:
    $container="CN=Company A Address List,CN=All Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
    $container="CN=Company A GAL,CN=All Global Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
    $container="CN=Company A Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"
    Add-ADPermission $container -User "COA_S_All" -AccessRights GenericRead, ListChildren -ExtendedRights ms-Exch-Download-OAB
    3. Assign Offline Address Book
    The default Offline Address Book will be assigned to all mailbox users by default. However, in our setup we have a specific Offline Address Book for the mailbox users of each individual customer. There are various ways to assign it, e.g. manually modify the user object's AD attribute, use the Exchange command shell, or assign the Offline Address Book at mailbox database level.
    I personally recommend configuring the setting at mailbox database level. The reason is simple: it will be easier for you to do backup and restoration for each individual customer if they have their own mailbox database.
    All you need to do is, using the Exchange Management Console, under "Server Configuration", "Mailbox Servers", right click on the database and click on "Properties", then click the "Browse" button for "Offline address book" in the "Client Settings" tab.

    Now that all settings are in place, you can perform a test by logging in as one of the users of Company A, clicking on "Address Book" in the Outlook client and checking whether you can only see users in Company A. If not, re-inherit the permissions and redo the permission breaking and assignment.
    4. OWA Address List permission control and modification
    There is one more modification that is usually forgotten, that is OWA Address List permission control. Although the permission to view Company B's users is denied at the Outlook client level, the unique behaviour of OWA will still allow them to see each other. In order to complete this setup, you need to perform the following tweak at the user object level.
    Modify the "msExchQueryBaseDN" attribute

    You need to set the value to the same as the "distinguishedName" of the company's OU.


    Now your multi-tenant setup should work perfectly fine.
    In the next article, we are going to talk about how to use ISA as a reverse proxy to publish OWA, Outlook Anywhere and, most importantly, Autodiscover for multi-tenant.
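    The permission work of steps 2 to 4 above for one tenant, done from the Exchange Management Shell and finished with a check that only the tenant's own group can reach its lists. This is an added example, not code from the original post; it assumes the post's "UNITED" organization and DC=united,DC=com, the tenant group "COA_S_All", and constructs a second-tenant group "COB_S_All", the OU DN and the database name.

```powershell
# Added example (not code from the original post): Part 2 steps 2-4 for one tenant.
# Assumptions: the post's "UNITED" org and DC=united,DC=com; "COA_S_All" is the tenant
# group; "COB_S_All", the OU DN and the database name are constructed for this example.
param(
    [string]$TenantName       = "Company A",
    [string]$TenantGroup      = "COA_S_All",
    [string]$OtherTenantGroup = "COB_S_All",
    [string]$TenantOU         = "OU=Company A,OU=Hosting,DC=united,DC=com",
    [string]$TenantDatabase   = "HAWAII\Company A SG\Company A DB"
)
$root = "CN=Address Lists Container,CN=UNITED,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=united,DC=com"

function Protect-Acl([string]$dn) {
    # Same as unchecking "Include inheritable permissions" in ADSIEdit; inherited ACEs are
    # copied as explicit ones, so every removal below is deliberate and visible afterwards
    $obj = [ADSI]("LDAP://" + $dn)
    $obj.psbase.ObjectSecurity.SetAccessRuleProtection($true, $true)
    $obj.psbase.CommitChanges()
}
# Root containers: authenticated users may enumerate (List Object) but nothing more
foreach ($name in "All Address Lists", "All Global Address Lists", "Offline Address Lists") {
    $dn = "CN=$name,$root"
    Protect-Acl $dn
    Get-ADPermission -Identity $dn |
        Where-Object { $_.User -like "*Anonymous Logon" -or $_.User -like "*Everyone" -or $_.User -like "*Authenticated Users" } |
        Remove-ADPermission -Confirm:$false
    Add-ADPermission -Identity $dn -User "Authenticated Users" -AccessRights ListObject
}
# Tenant lists: each one maps to the extended right a member needs on it
$lists = @{
    "CN=$TenantName Address List,CN=All Address Lists,$root"             = "Open-Address-Book"
    "CN=$TenantName GAL,CN=All Global Address Lists,$root"               = "Open-Address-Book"
    "CN=$TenantName Offline Address Book,CN=Offline Address Lists,$root" = "ms-Exch-Download-OAB"
}
foreach ($dn in $lists.Keys) {
    Protect-Acl $dn
    Get-ADPermission -Identity $dn | Where-Object { $_.User -like "*Authenticated Users" } | Remove-ADPermission -Confirm:$false
    Add-ADPermission -Identity $dn -User $TenantGroup -AccessRights GenericRead, ListChildren -ExtendedRights $lists[$dn]
}
# Step 3: the tenant's OAB follows its own mailbox database
Set-MailboxDatabase -Identity $TenantDatabase -OfflineAddressBook "$TenantName Offline Address Book"
# Step 4: keep OWA's address-book searches inside the tenant OU
Get-Mailbox -OrganizationalUnit $TenantOU | ForEach-Object {
    $u = [ADSI]("LDAP://" + $_.DistinguishedName)
    $u.Put("msExchQueryBaseDN", $TenantOU)
    $u.SetInfo()
}
# Check: the tenant group has an ACE on every list; the other tenant and the broad principal do not
foreach ($dn in $lists.Keys) {
    $who = @(Get-ADPermission -Identity $dn | ForEach-Object { $_.User.ToString() })
    if (-not ($who -like "*$TenantGroup"))  { Write-Warning "$dn : $TenantGroup has no ACE" }
    if ($who -like "*$OtherTenantGroup")    { Write-Warning "$dn : $OtherTenantGroup can still reach this list" }
    if ($who -like "*Authenticated Users")  { Write-Warning "$dn : Authenticated Users still present" }
}
```

    The final loop is worth re-running after any later ADSIEdit change, since re-inheriting permissions on a container silently brings the broad "Authenticated Users" grant back.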





  3. #3
    Code:
    http://www.messagingtalk.org/complete-guide-to-configure-multitenant-hosting-for-exchange-20-1
    PART-3

    In this article, I am going to go through the configuration of ISA to work with OWA and Outlook Anywhere for Exchange 2007.
    On your ISA server, open up the management console and click "Publish Exchange Web Client Access".

    We create a rule for OWA first.

    In the drop-down box, select Exchange 2007 and check "Outlook Web Access".



    There are 2 options on this screen; if you choose to publish a server farm then the steps will appear as follows.





    Select the monitoring method; it depends on how your network has been set up. Usually the 1st option is good enough.


    Otherwise, it will come to this step. If the specified URL can't be resolved by your ISA server, simply check the "Use a computer name or IP address to connect to the published server" option and specify the IP address of the URL.


    You need to create a Web listener for both the OWA rule and the Outlook Anywhere rule.




    You can select either "All IP.." option or "Specific IP.."

    The typical case will use the single certificate option.



    This step is optional.






    You should test the rule before applying it to your server. If there are errors, click on them to view the reason and fix it.

    There are additional tweaks you may want to do.
    Go to the properties of your listener, click on the "Authentication" tab and click on "Configure Validation Servers".

    If your ISA server can't resolve your domain controller, here is the place to manually specify which servers to go to.
    You can define multiple login expressions or take the default one.

    To verify whether your OWA page is handled by ISA, simply go to your OWA page from the public internet and look at the login screen. You will notice a slight difference compared to the original OWA page.

    Now, we need to create a rule for Outlook Anywhere.

    Remember to check the "Publish additional folders.." option.




    Use the same listener as the OWA rule.




    Now test your Outlook Anywhere rule. If there is an error, fix it before applying it.

    Now you can proceed to use Outlook to test Outlook Anywhere. If you are not very sure whether you are connected using RPC/HTTPS or directly to the mailbox server, you can press and hold your Ctrl key, right click the Outlook icon in the Windows system tray and click on "Connection Status".


    In the next article, I am going to discuss the Autodiscover feature and how to achieve Autodiscover for multi-tenant without the certificate prompt by using one single certificate.





  4. #4
    Code:
    http://www.messagingtalk.org/complete-guide-to-configure-multitenant-hosting-for-exchange-20-2
    PART-4

    In this article, I will be showing how we make use of ISA 2006 to achieve the Autodiscover function for a multi-tenant infrastructure.
    What will happen if we do not do this?
    Outlook 2007 users will get a security prompt about the certificate on the ISA server whenever they perform an auto profile configuration or offline address book download.
    This is kind of annoying and some users might not be happy to see that.
    So the steps below will show you how to get around that.
    Pre-requisites
    1. The certificate installed on ISA must be from a publicly trusted CA.
    2. An additional dedicated IP address is required. This IP address must not be shared with other SSL connections or tied to any other certificate.
    Some overview of the Autodiscover feature.
    Let me quote the line below from msexchangeteam.com:
    "Outlook is hard coded to find the Autodiscover end point by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the users SMTP address following the @ sign)"
    This simply explains how this feature works. In addition to this information, Outlook will also try to look for the end point via the non-secure protocol (HTTP).
    To understand more about it, press and hold Ctrl and right click on the Outlook icon in the system tray.

    Click on "Test E-mail AutoConfiguration.."

    Fill in a valid email address and password, check only "Use AutoDiscover" and click on "Test".
    From the result output, you will have a clearer picture of how Outlook finds the Autodiscover end point.
    Here we use a CNAME in DNS to redirect the traffic to our ISA server.
    e.g. autodiscover.coa.com CNAME autodiscover.united.com (ISA IP address)
    This time I am creating a "Publish Web Site" rule.




    We will use the non-secure connection.


    It is optional to fill in the path.


    We need to create a new listener for Autodiscover.




    Use a separate IP address.








    There is additional configuration after creating the rule,
    under the properties of the rule.

    You need to add the published DNS name of the Autodiscover entry for each individual customer.


    Specify the "Internal Path"



    Now you can give it a try from the Outlook client and there should not be any security prompt about the certificate.
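    A scripted version of the "Test E-mail AutoConfiguration" check above, written as an added example and not code from the original post: it resolves the names Outlook looks up for one tenant domain, then probes the Autodiscover URLs in the order Outlook tries them and reports the HTTP status, any redirect target and the certificate subject. It assumes Windows PowerShell 2.0 or later with outbound HTTP/HTTPS access; "coa.com" is the sample tenant domain from the guide.

```powershell
# Added example (not code from the original post): walk the Autodiscover lookup order
# Outlook follows for one tenant SMTP domain and show what each endpoint answers.
# Assumptions: Windows PowerShell 2.0+ with outbound HTTP/HTTPS; "coa.com" is a sample domain.
param([string]$SmtpDomain = "coa.com")

function Test-AutodiscoverEndpoint([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = "GET"
    $req.Timeout = 10000
    $req.AllowAutoRedirect = $false   # report the redirect Outlook would follow instead of following it
    $r = New-Object PSObject -Property @{ Url = $Url; Status = $null; Location = $null; CertSubject = $null }
    try {
        $resp = $req.GetResponse()
        $r.Status   = [int]$resp.StatusCode
        $r.Location = $resp.Headers["Location"]
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }   # unwrap PowerShell's method-call wrapper
        if ($ex.Response -ne $null) {
            # 401 is the healthy answer from a published Autodiscover directory: it exists and wants credentials
            $r.Status   = [int]$ex.Response.StatusCode
            $r.Location = $ex.Response.Headers["Location"]
        } else {
            # "TrustFailure" is the condition behind the certificate prompt the post describes:
            # the name resolved, but the certificate offered on that IP is not trusted for that host name
            $r.Status = $ex.Status.ToString()
        }
    }
    if ($req.ServicePoint.Certificate -ne $null) { $r.CertSubject = $req.ServicePoint.Certificate.Subject }
    return $r
}

function Test-AutodiscoverDomain([string]$Domain) {
    # DNS first: autodiscover.<domain> must land on the dedicated ISA listener IP
    foreach ($name in $Domain, "autodiscover.$Domain") {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            Write-Host ("{0,-40} -> {1}" -f $name, ($ips -join ", "))
        } catch {
            Write-Host ("{0,-40} -> does not resolve" -f $name)
        }
    }
    # Then the URLs in the order Outlook tries them: HTTPS on the root domain, HTTPS on the
    # autodiscover host, and finally the plain-HTTP redirect
    $urls = "https://$Domain/Autodiscover/Autodiscover.xml",
            "https://autodiscover.$Domain/Autodiscover/Autodiscover.xml",
            "http://autodiscover.$Domain/Autodiscover/Autodiscover.xml"
    $urls | ForEach-Object { Test-AutodiscoverEndpoint $_ } | Format-List Url, Status, Location, CertSubject
}

Test-AutodiscoverDomain $SmtpDomain
```

    A correctly published tenant shows the HTTPS autodiscover host answering 401 with a subject matching the single public certificate; a "TrustFailure" on that line is what users see as the certificate prompt.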




