Updated 8/18/2010

One of the major changes in Exchange 2010 is the MAPI endpoint. In all previous versions of Exchange the Outlook client (using MAPI) connected directly to an Exchange mailbox server; with Exchange 2010 the Outlook client connects to an Exchange server running the CAS role as its MAPI endpoint for all connections except public folder access, which still goes directly to the mailbox server.

As you will discover later in this blog, a common issue users experience when running Outlook 2003 is related to the default configuration requiring encryption to be enabled on the Outlook client; without it, connections fail. I will go into more detail on this topic later.

When a user opens Outlook today a number of things happen, but the main one I am going to talk about is the connection from the client directly to the mailbox server to retrieve mail via MAPI RPC.

How clients connected pre Exchange 2010


One of the issues with this configuration, even when using an SCC or CCR cluster, is that during a failover the client connection point is disrupted, even if only for a few moments. It also means that clients make a direct connection to the server, which is limited to 60k connections to the information store. That does not mean 60k users, as each client makes a number of connections to the system.

As the Exchange team looked at how they can better scale Exchange 2010 one of the new techniques was to move the client connection endpoint to the CAS server instead of the mailbox server. This allows for a number of things to happen.

  1. During a database move/failover the client end point does not go down and makes the move seamless to the user
  2. If you reach the 60k port limit you just add an additional CAS server to the rpc array


Let's take a look at our Exchange settings.

How do I know what my mapi end point is?

At first thought you may think this is configured per user, however that is not the case. To find out what your RPC client endpoint is you need to run the following command: get-mailboxdatabase "yourdatabase" | fl name,rpc* The output of this command will show you the RpcClientAccessServer associated with each database.

By default there is no RPC array configured; the name of a random CAS server in the same AD site will be directly associated with each database.

Let's run our command and see what settings we have: get-mailboxdatabase | fl name,rpc*

You can see that our RpcClientAccessServer points to my CAS server.

Let’s create a new mailbox database in EMC:

Open EMC -> Organization Configuration -> Mailbox

Right-click and select New Mailbox Database

I am going to call my database rpcservercheck and specify the server as E14Ex1


Specify the logs and database path

C:\db\db and C:\db\logs

**Note: I don't recommend these locations, but this is just a lab**

Click New to complete the database

Now that we have created the new database, let's run our command again:

You can see the new database also shows the CAS server; since I only have one CAS in this environment they are configured the same.

Outlook Profile

After setting up an Outlook profile let's take a look and see that our MAPI endpoint is now the CAS server.

With Outlook 2007 click Tools -> Account Settings

Select the profile and click Change

We can see that our Microsoft Exchange Server information points to the CAS FQDN and not our mailbox server.

If we hold down CTRL and right-click the Outlook system tray icon we can bring up our connection status.

You can see that all Directory and Mail connections are now going to the CAS server, with one exception: public folders. Yes, public folder calls are still direct connections from the client to the mailbox server hosting the public folder.

Wireshark

If we use a network sniffer to capture traffic from our client 192.168.1.59 we can see that NSPI and MAPI requests from Outlook are all directed to the CAS.

How does this work?

On each CAS server there is a new service called MSExchangeRPC (Microsoft Exchange RPC Client Access), which runs as Microsoft.Exchange.RpcClientAccess.Service.exe and listens on port 6001 for HTTP connections and on dynamic ports by default for TCP/IP connections.

By default when you install Exchange 2010 the files that make up this service are located in C:\Program Files\Microsoft\Exchange Server\V14\Bin

When connections are made to the CAS server by the MAPI client, the CAS server creates a channel to the mailbox server to retrieve the mailbox data. The CAS server will create a maximum of 100 RPC connections to the mailbox server.

Encryption

As I briefly mentioned in the introduction, by default Exchange requires the client to connect with encryption enabled. This is not set on each database but on each RPC server, and can be found with the following command: Get-RpcClientAccess | fl server,encrypt*

[PS] C:\>Get-RpcClientAccess | fl server,encrypt*
Server             : E14-EX1
EncryptionRequired : True

Server             : E14-EX2
EncryptionRequired : True

Server             : E14CAS1
EncryptionRequired : True

After running the command you can see that each CAS and Mailbox server has this configuration. You may ask why the mailbox server would require this if all the client connections go to the CAS? You may recall that I stated above that clients still connect directly to the mailbox server for public folder access.

How do I know if my Outlook client is setup to use encryption?

Let’s look in our Outlook client to see this setting:

Using the same steps as before open your Outlook account settings -> click More Settings

Select the Security tab

We can see that Outlook 2007+ defaults to having encryption enabled, however Outlook 2003 does not.

If you have a large number of Outlook 2003 users you have a few options:

  1. Use Group Policy to enable this setting
  2. Disable this setting on the Exchange servers with Get-RpcClientAccess | Set-RpcClientAccess -EncryptionRequired:$false

**Recommended configuration is to keep encryption enabled**

  3. Have users manually enable this setting
  4. Push the setting with a script

**Note: this will also affect Outlook Anywhere users (formerly RPC over HTTP)**
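The "script" option above, as an added example that is not part of the original post: a per-user logon script that turns on RPC encryption in Outlook so the server-side EncryptionRequired setting can stay True. The EnableRPCEncryption value under the 11.0 Outlook\RPC key is the one Microsoft documents for Outlook 2003; applying the same value under 12.0 (Outlook 2007, which already defaults to enabled) is an assumption.

```powershell
# Added example, not from the original post. Runs in the user's context
# (logon script), so it writes HKCU and never needs Exchange cmdlets.
$OutlookVersions = @{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007' }

function Enable-OutlookRpcEncryption {
    param([string]$Version, [string]$Label)
    $outlookKey = "HKCU:\Software\Microsoft\Office\$Version\Outlook"
    # Skip versions this user has never run; do not create stray keys.
    if (-not (Test-Path $outlookKey)) { return }
    $rpcKey = Join-Path $outlookKey 'RPC'
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

    # Value name for Outlook 2003 per Microsoft; assumed identical for 12.0.
    $current = (Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue).EnableRPCEncryption
    if ($current -eq 1) {
        Write-Host ("{0}: RPC encryption already enabled" -f $Label)
        return
    }
    $was = if ($current -eq $null) { 'not set' } else { $current }
    Set-ItemProperty -Path $rpcKey -Name 'EnableRPCEncryption' -Value 1 -Type DWord
    Write-Host ("{0}: RPC encryption enabled (was {1})" -f $Label, $was)
}

foreach ($ver in $OutlookVersions.Keys) {
    Enable-OutlookRpcEncryption -Version $ver -Label $OutlookVersions[$ver]
}
```

Outlook reads the value at startup, so a user who is already running Outlook picks it up on the next launch.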

Configuring an Rpc Array

Now that we have a basic understanding of how MOMT is used, let's configure our first RPC array. You can use NLB or a hardware load balancer like F5 for the RPC array, as either is supported; however you cannot use NLB if your server is multi-role and a member of a DAG.

The DNS entry for the array should not use a public DNS name and only needs to be resolvable on the internal network.

Let's start with the Get-ClientAccessArray command just to show that we do not currently have an array.

1. Create a DNS entry for your array name (I am going to use Site1Array.ExchangeGenie.local)

a. Open the DNS administration tool

b. Select the appropriate DNS zone (for me ExchangeGenie.local)

c. Right-click and create a new host record (a CNAME would work as well)

d. Input the name and IP for the record

e. Click Add Host

f. Click Done

g. Validate the record has been created

h. Let's use nslookup to validate the record is seen

Create an RPC Array

From an EMS window we will use the New-ClientAccessArray command. If you use the help (get-help new-clientaccessarray) we can see the command takes two required parameters, FQDN and Site.

If you don't know your AD site information you can use the Get-ADSite command to get that information.

As you can see I have renamed my default site to GenieSite1

New-ClientAccessArray -Name Site1Array.ExchangeGenie.Local -fqdn Site1Array.ExchangeGenie.Local -Site GenieSite1

As you can see we now have a new array called Site1Array.ExchangeGenie.Local

**Note: the Members property will show every Exchange 2010 CAS in the AD site of the array; which CAS servers actually participate is determined by the NLB nodes**

Does this mean you are done?

No, creating an array by itself does nothing. We have two additional steps: 1. create the NLB for the array and 2. associate the array with our databases.

Creating an NLB for our Array

I am going to use WNLB for this blog, which is a viable option; however for large organizations a hardware load balancer is advised.

If NLB is not installed on your CAS server you will need to do that first.

1. Open Server Manager

2. Select Features

3. Select Network Load Balancing

4. Click Next

5. Click Install

6. Click Close after the installation completes successfully

7. Launch NLB Manager

8. From the file menu click Cluster -> New

9. Input the IP address or hostname of the CAS server and click Connect

10. Select Next

11. Select Next unless you need to add an additional dedicated IP to the server

12. Click Add to add the VIP for the cluster **this should match the IP that we used to create our DNS record for the array**

13. Enter the IP associated with the array and click OK

14. Click Next

15. Enter an FQDN that will be associated with the NLB. I have selected Multicast for my cluster mode, however please select the method that best fits your environment.

16. Click Next

17. Click Remove to delete the default listening port rule

You can choose to listen on all ports, however let's use the minimum required for the array, which we will later scope down even lower. The minimum ports required are 135 and 1024-65535.

a. Click Add

b. Clear the "All" check box so that we can scope which IP the ports listen on

c. Add port 135 - 135 TCP and click OK

d. Repeat for ports 1024 - 65535 TCP and click OK

18. Click Finish to complete building the NLB

Validate the NLB has been created properly

Associating the Array with databases

The final step for us is to associate the client array with our existing databases. Any new databases will be automatically associated with the array in that site.

Let's open our Outlook client so we can see our current settings

Let's use the following command to set our new array on all the current databases we have created:

Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer site1array.exchangegenie.local

**Please note the above command will change all databases. You can use the -Server switch to scope the databases returned, or use something like this to scope by site:

C:\>Get-ExchangeServer | where {$_.isMailboxServer -eq $true -and $_.Site -eq 'ExchangeGenie.Local/Configuration/Sites/GenieSite1'} | Get-MailboxDatabase **

We can validate the array association with the following command: Get-MailboxDatabase | fl rp*

**Please note it could take a few minutes for this information to get updated for clients due to the store cache**

If we look at our client settings, they will get updated via Autodiscover if the client is Outlook 2007+; for Outlook 2003 the client should be redirected after connecting to the currently configured server.

You can see that all communication (except public folders) is now connecting to our new client array.
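The association step above, scoped by site and followed by a validation pass, as an added example that is not part of the original post. It assumes the array FQDN and AD site name used in this lab and compares the site by its short name rather than the full configuration path shown above.

```powershell
# Added example, not from the original post. Run from an EMS window.
$ArrayFqdn = 'site1array.exchangegenie.local'   # assumed: the array created above
$SiteName  = 'GenieSite1'                       # assumed: the AD site of that array

# Scope to mailbox servers in the site rather than every database in the org.
$SiteServers = Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -and $_.Site.Name -eq $SiteName }

foreach ($server in $SiteServers) {
    # Only touch databases that still point at an individual CAS.
    Get-MailboxDatabase -Server $server.Name |
        Where-Object { [string]$_.RpcClientAccessServer -ne $ArrayFqdn } |
        ForEach-Object {
            Write-Host ("Updating {0}: {1} -> {2}" -f $_.Name, $_.RpcClientAccessServer, $ArrayFqdn)
            Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $ArrayFqdn
        }
}

# Validate: anything listed here still sends MAPI clients around the array
# (and therefore around the NLB VIP), which is what we are trying to avoid.
$Mismatched = $SiteServers |
    ForEach-Object { Get-MailboxDatabase -Server $_.Name } |
    Where-Object { [string]$_.RpcClientAccessServer -ne $ArrayFqdn }

if ($Mismatched) {
    $Mismatched | Format-Table Name, Server, RpcClientAccessServer -AutoSize
} else {
    Write-Host "All mailbox databases in $SiteName use $ArrayFqdn"
}
```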

 

Scoping the Mapi Ports

By default when you open your Outlook client it attempts to make a connection to the RPC port (135) on the server and negotiate a dynamic port above 1024 to use. If there are no firewalls between the clients and servers then you may not mind all the traffic; however in many scenarios there are firewalls between the client network and the servers. To avoid the requirement of opening port 135 and 1024 - 65535 you can make a few simple modifications to your CAS server to reduce the number of ports that are required to be open on the firewall.

There are three modifications you must make: 1. MAPI, which is a registry key change; 2. Address Book (NSPI), which is modified in the config file; and 3. Referral Service (RFR), modified in the config file.

We can restrict the RPC Client Access array to a single port for each of the following: MAPI, Address Book, and Referral Service. Let's take a look at the MAPI setting below:

Key: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem
Value: TCP/IP Port
Type: DWORD

*Note: you will need to modify the same registry key on mailbox servers that host the public folder role

Earlier you saw the Wireshark data with the client making connections to the CAS on random high-numbered ports; in this section we are going to scope the port range down to three ports of our choosing. Please note the client will still need access to port 135 for the initial connection.

Scoping the CAS server ports

1. Open the registry editor (Start -> Run -> regedit)

2. Browse to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC

3. Create a new key ParametersSystem (right-click, New -> Key)

4. Create a new DWORD value named TCP/IP Port

5. Input a port; I have selected 50000

6. Restart the Microsoft Exchange RPC Client Access service

7. Open a command window and run netstat -na

We can see that we are connecting to the CAS server on ports 50000 and 135

**You will need to repeat these steps for any mailbox server that is hosting a public folder database**

8. Open Microsoft.Exchange.AddressBook.Service.Exe.config with Notepad (default location is C:\Program Files\Microsoft\Exchange Server\V14\Bin)

***This option has changed in Exchange 2010 SP1 and is now configured via a registry key:

  • Address Book registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters\RpcTcpPort

9. Modify the "RpcTcpPort" setting to the port you desire. I am going to use 50001 since I used 50000 for the MAPI port

10. Restart the Microsoft Exchange Active Directory Topology service (note: this will stop all the Exchange services)

11. Open a command window and run netstat -na

You can see we are now listening on port 50000 for MAPI and port 50001 for Address Book

If we open Outlook again and run netstat -na from our client we can see that we are connecting to the CAS server on ports 50000 and 50001 and to our mailbox server on port 50000

CAS IP 192.168.1.60 and Mailbox 192.168.1.57 and CAS Array 192.168.1.61
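The port-scoping steps above done from PowerShell, with a listener check at the end, as an added example that is not part of the original post. It uses the ports chosen in this lab, the MSExchangeRPC registry value described above and the SP1 MSExchangeAB\Parameters\RpcTcpPort location the post mentions; the Referral Service port is not covered because the post does not give its setting.

```powershell
# Added example, not from the original post. Run elevated on the CAS server
# (and on any mailbox server hosting public folders, for the MAPI value).
$MapiPort        = 50000   # chosen above for MSExchangeRPC
$AddressBookPort = 50001   # chosen above for the Address Book service
$MapiKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$AbKey   = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
$DWord   = [Microsoft.Win32.RegistryValueKind]::DWord

# Registry.SetValue creates ParametersSystem if it does not exist yet (step 3).
[Microsoft.Win32.Registry]::SetValue($MapiKey, 'TCP/IP Port', $MapiPort, $DWord)
[Microsoft.Win32.Registry]::SetValue($AbKey,   'RpcTcpPort',  $AddressBookPort, $DWord)

# Both services read their port at startup. Restarting AD Topology stops every
# dependent Exchange service (step 10), so start the automatic ones again.
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeADTopology -Force
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'" |
    ForEach-Object { Start-Service -Name $_.Name }

# Collect listening TCP ports from netstat; strip the address part so that
# IPv4 (0.0.0.0:135) and IPv6 ([::]:135) entries both yield the port number.
function Get-ListeningPorts {
    netstat -na | Select-String 'LISTENING' | ForEach-Object {
        $local = ($_.Line.Trim() -split '\s+')[1]
        [int]($local -replace '.*:', '')
    }
}

# Only the two pinned ports plus 135 (the RPC endpoint mapper) need to be
# reachable from the client network; report whether each is actually up.
$listening = Get-ListeningPorts
foreach ($port in 135, $MapiPort, $AddressBookPort) {
    $state = if ($listening -contains $port) { 'listening' } else { 'NOT listening' }
    Write-Host ("Port {0,5}: {1}" -f $port, $state)
}
```

After the services are back, run netstat -na on a client as in step 11 to confirm its connections use only 135, 50000 and 50001.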
