Client Access Services

Question 1

What is a Bound Namespace?

Answer 1

• One namespace model that can be used with multiple datacenters.
• Each datacenter has its own namespace (Ex., mail-ny.company.com, and mail-sf.company.com)
• Used when there is a preference for users to connect to a specific datacenter
• Used in combination with Active/Passive DAGs.

Question 2

What is an Unbound Namespace?

Answer 2

• One namespace model that can be used with multiple datacenters.
• All datacenters use the same namespace
• Used when there is no preference for which datacenter users connect to
• Can be used in combination with Geo-DNS or Geo-loadbalancing, to direct users to closest datacenter, or DNS round robin for random distribution
• Doesn’t apply to Office Online Server namespace, which always needs a bound namespace since it requires persistence

Question 3

What are the SSL Certificate requirements?

Answer 3

• Certificate must be issued by a certificate authority that is trusted by both the server and the client
• The certificate name must match the server name (URL/namespace) the client is connecting to
• The certificate must still be within the validity period (has not expired)

Question 4

What are the recommendations for SSL Certificates?

Answer 4

• Use certificates issued by a trusted 3rd-Party CA, rather than by a private, internal CA.
• Use a SAN certificate
• Use the same, single certificate for all services (HTTPS, SMTP, IMAP, POP)
• Use the same, single certificate for all servers

Question 5

What is a SAN certificate?

Answer 5

• “Subject Alternative Name”
• A type of SSL cert, which allows for multiple names on a single cert.
• But, unlike a wildcard cert, the names must be specified when issuing the cert.

Question 6

What is a Unified Communications Certificate?

Answer 6

• Another name for a SAN certificate, a type of SSL certificate.
• Some providers refer to it as a Unified Communications Certificate.

Question 7

How should firewalls be configured to allow/deny traffic to and from Exchange servers?

Answer 7

• Exchange servers should not be firewalled from other Exchange servers or from domain controllers. If firewalled, use an Any-Any rule.
• Exchange should be firewalled from the public internet. Very few services need to be allowed in; HTTPS (TCP 443) is all that is required, plus ports for POP and IMAP if you are using them.

Question 8

What protocols and ports are required for all possible Client Access methods?

Answer 8

• HTTPS (TCP 443)
• POP3 (TCP 995/110)
• IMAP4 (TCP 993/143)

Question 9

What is OWA?

Answer 9

Outlook Web App

An old name for Outlook on the Web.

This acronym is still used in Shell commands to identify the service.

Question 10

What is Outlook on the Web?

Answer 10

The new name for Outlook Web App (OWA)

Question 11

What are the Shell commands for configuring Namespaces for HTTPS services?

Answer 11

For Outlook Anywhere:
• Set-OutlookAnywhere

For Autodiscover:
• Set-ClientAccessService

For all other services:
• Set-*VirtualDirectory

Question 12

What is different about the Autodiscover virtual directory?

Answer 12

Autodiscover has a Virtual Directory, and there is a Set-VirtualDirectory command to configure them.

However, the internal and external URLs configured there are ignored by Exchange.

Instead, the SCP is used, which you configure using Set-ClientAccessService.

Question 13

What is this:

SCP

Answer 13

Service Connection Point

Question 14

What is this:

CSR

Answer 14

Certificate Signing Request

A request for an SSL certificate that has been generated by the server that the certificate will be installed on.

Question 15

How can you install a single SSL certificate to multiple Exchange servers?

Answer 15

First install the cert on the server that generated the CSR.

Then, export the certificate, and import it to other servers.

(Multiple servers can be selected to import to at once.)

You will then have to go to each server to specify the same services to assign this certificate to.

Question 16

What Authentication options are available to Outlook on the Web?

Answer 16

• Basic Authentication
• Integrated Windows Authentication
• Forms-based Authentication

Question 17

How does Basic Authentication work?

Answer 17

• Username/password popup dialog
• Credentials transmitted in clear text, secured by HTTPS
• Not very user friendly

Question 18

How does Integrated Windows Authentication work?

Answer 18

• Requires the URL for Outlook on the Web to be in the Intranet or Trusted Sites zone in Internet Explorer
• User’s Windows login information is automatically used
• Hashed credentials are transmitted, secured by HTTPS
• If the automatic login does not work, there will be a popup asking credentials, which uses NTLM challenge/response or Kerberos

Question 19

How does Forms-based Authentication work?

Answer 19

• Presents a user-friendly login form
• Credentials are transmitted in clear text, secured by HTTPS
• Multiple login formats can be used:
• Domain\Username
• UPN
• Username only (with default logon domain pre-defined)

Question 20

What is this:

UPN

Answer 20

User Principle Name

Question 21

If using Forms-based Authentication and a UPN format, how will the username field be presented to the user?

Answer 21

• It will ask for Email address, even though it is looking for the UPN name.
• For this reason, you would want a user’s e-mail address to match their UPN.

Question 22

What is this, and what does it do?

ECP

Answer 22

Exchange Control Panel

Serves the “Options” user interface for Outlook on the Web.

Also serves the Exchange Admin Center for administrators.

Question 23

Where are authentication settings for Outlook on the Web and Exchange Control Panel configured?

Answer 23

In the corresponding Virtual Directory settings.

Question 24

How should the authentication options for OWA and ECP be set relative to each other?

Answer 24

They should be set to use the same authentication method.

Question 25

What is the recommended authentication method, and why?

Answer 25

Kerberos

It is faster than NTLM, and doesn’t have the potential for authentication bottlenecking that NTLM has.

Question 26

What does “frontend services” refer to?

Answer 26

Client Access Services are also known as Frontend Services

Question 27

What is a Virtual IP?

Answer 27

This is one of the terms for the IP address, or combination of IP address and port, that a load balancer hosts for clients to connect to.

Question 28

What is a Virtual Service?

Answer 28

This is one of the terms for the IP address, or combination of IP address and port, that a load balancer hosts for clients to connect to.

Question 29

What is a Virtual Server?

Answer 29

This is one of the terms for the IP address, or combination of IP address and port, that a load balancer hosts for clients to connect to.

Question 30

What methods can Load Balancers distribute traffic to member servers?

Answer 30

• Round robin
• Weighted round robin
• Least connections
• Various adaptive methods (server load, other metrics)

Question 31

Is Persistence required for load balancing Exchange 2016? Why or why not?

Answer 31

Persistence is not required when load balancing Exchange 2016, because all connections are proxied to the active database copy, regardless of which server provices their client access services.

Question 32

What do Outlook Web App Policies do?

Answer 32

They control access to features when using Outlook on the Web

Note, disabling the access via a policy here does not actually disable the feature for the mailbox itself.

Question 33

How can you prevent users from being able to remotely wipe their own mobile device from Outlook on the Web?

Answer 33

EAC > Permissions >
OWA policies > Edit policy > Features >
uncheck “Exchange ActiveSync.”

This will prevent users from having any management of their mobile devices from Outlook on the Web.

Be sure to go into the mailbox of the user and assign the OWA policy to it.

Question 34

How can you assign an OWA Policy to all users at once?

Answer 34

Assuming the policy name is “Default,”

get-mailbox
-ResultSize
unlimited
| set-casmailbox
-OwaMailboxPolicy
Default

Question 35

What is ActiveSync?

Answer 35

ActiveSync is the protocol that allows mobile devices and applications to synchronize data with Exchange mailboxes.

Question 36

What items can ActiveSync work with?

Answer 36

• Email items
• Calendar items
• Contact items
• Task items

Question 37

How does Push technology work for ActiveSync?

Answer 37

• The ActiveSYnc client sends a “ping” request to Exchange
• The client waits up to 15 minutes for a response. (This is sometimes called an “open connection” or a “hanging connection.”
• The Exchange server responds if a change occurs in a mailbox folder (such as new mail arriving), or after the time limit expires
• The client then sends a new “ping” request and waits again

This process allows mailbox changes to appear almost instantaneously on the client.

Question 38

What are Mobile Device Mailbox Policies? How do they work?

Answer 38

They provide policy options for controlling mobile device features, such as:

• Phone PIN/password lock policies
• Device encryption
• Camera
• Bluetooth
• Push notifications

Options available will vary depending on phone OS and make/model.

The policy is applied when the phone adds an ActiveSync account.

Question 39

What happens if a phone’s OS or model isn’t capable of meeting the requirements of the applied Mobile Device Mailbox Policy?

Answer 39

The policy has a setting for “Allow mobile devices that don’t fully support these policies to synchronize.”

This is enabled by default. While enabled, the phone will be allowed to connect and will only apply the parts of the policy that are supported, if any.

If disabled, the phone will not be allowed to connect if any single aspect of the policy isn’t supported.

Question 40

What is ABQ?

Answer 40

Allow/Block/Quarantine

The automated process which a mobile device is vetted through to determine if it will be allowed to connect to a mailbox, or be blocked or quarantined.

Question 41

What is the order of criteria processing in ABQ?

Answer 41

The device is checked on the following, in this processing order:

1. User Authentication
2. ActiveSync setting on Mailbox (enabled/disabled)
3. Mobile Device Mailbox Policy
4. Personal Exemption
5. Device Access Rules
6. Organization Default Access State

Question 42

For mobile devices:

What is a “Personal Exemption”?

How does it work?

Answer 42

It blocks or allows a specific Device ID for a specific mailbox user.

Device IDs are added to the block/allow list for a mailbox by:

• An admin choosing to block or allow a quarantine device
• An admin manually updating the block/allow list for a mailbox user

Question 43

What is an ActiveSync Device Access Rule?

How does it work?

Answer 43

Created by an admin in EAC or PowerShell

Can apply either an allow, block, or quarantine action, based on these device characteristics:

• DevicType (Family)
• DeviceModel
• DeviceOS
• UserAgent

Question 44

What are some caveats of ActiveSync Device Access Rules?

Answer 44

• Rule characteritcs are exactly specific: no wildcards or partial matches
• They apply organization-wide. They cannot be applied to a subset of users. (Users can effectively be exempted from them via Personal Exemption, which is processed before the Device Access rule).
• Device characteristics that can change, such as OS version, can cause the device to change from allowed to blocked/quarantined, or from quarantined to allowed. (But once a device is blocked, it will stay blocked until the rule is removed.)
• Even if a device is blocked, that only means it’s built-in OS mail app is blocked. Users can still use other apps, such as the Outlook app.

Question 45

If an iPhone 8 user uses the Outlook app to access their mail, how will their connection be evaluated by the Device Access Rule?

Answer 45

Rather than showing up as an iPhone, the device characteristics will be read as follows:

DeviceType: Outlook
DeviceModel: Outlook
DeviceOS: Outlook for iOS and Andriod 1.0
DeviceUserAgent: Outlook-iOS-Android/1.0

Question 46

What happens when a mobile device in the Quarantine is Allowed or Blocked by an administrator?

Answer 46

The device is added to its user’s Personal Exemption, as either Allowed or Blocked.

Question 47

What are some common reasons why a Remote Wipe request will not end up wiping the device?

Answer 47

• If the device never connects to the Exchange server, either due to not connecting to the internet or otherwise being blocked.
• If the user’s password is changed before the device can connect and authenticate.
• If the Pending request is cancelled by an admin.
• If the user was connecting to Exchange through an app, such as the Outlook app, instead of through the OS built-in Mail app. In that case, only the single App’s data is wiped, not the phone.

Question 48

What is the PowerShell command to remotely wipe a mobile device?

Answer 48

Clear-MobileDevice
-Identity
“”

Question 49

What is a Remote Wipe?

Answer 49

• Any mobile device that connects to Exchange using ActiveSync can be selected to be remotely wiped.
• If the device was using an OS built-in Mail app, then the entire device is wiped.
• For some mobile apps, the remote wipe is constrained to just the app data. (E.g., Outlook for iOS and Android.)
• The remote wipe is destructive an irreversible.
• It is not gauranteed to work in all situtations.

Question 50

What is OffCAT?

Answer 50

Microsoft Office Configuration Analyzer Tool

A tool to be run on a client machine, which will

• analyze the Office client configuration

and look for common issues such as

• Autodiscover problems,
• misconfigured registry items,
• and other issues that might cause clients to not connect.

Question 51

What is Log Parser?

Answer 51

A command-line tool used to quick analyze text-based log files.

Log Parser Studio is a graphical front-end for Log Parser, which provides several built-in reports. Point it at your log folders, and you can pull these reports to see statistics and errors.

Question 52

What is “Outlook Test E-Mail AutoConfiguration”?

Answer 52

A tool built in to Outlook

It runs through a complete Autodiscover test, and provides information and logs.

Question 53

How is the Outlook Test E-Mail AutoConfiguration tool accessed and run?

Answer 53

While Outlook is open, Hold the left Control key, and right-click the Outlook icon in the taskbar, and select “Test E-Mail AutoConfiguration…”

Question 54

What URLs can be used to access the Microsoft Remote Connectivity Analyzer?

Answer 54

testconnectivity.microsoft.com

Or,

exrca.com (this will automatically redirect you to the primary URL above)

Question 55

What is the Microsoft Remote Connectivity Analyzer?

Answer 55

A Microsoft web-hosted tool that tests external connections to your Exchange server.

It requires actual credentials to perform the test.

It will analyze and report on DNS, AutoDiscover, SSL certificates, ports, authentication, ActiveSync, IIS configuration, and other connection steps and errors.

Question 56

What sources of logs are there for troubleshooting Exchange?

Answer 56

• Windows Event Logs
• IIS Logs
• POP/IMAP Protocol Logs

Question 57

What does this HTTP status code mean?

200

Answer 57

OK / Good

Question 58

What does this HTTP status code mean?

401

and

40x

Answer 58

401: Unauthorized

any other 40x code typically points to an authentication problem

Question 59

What does this HTTP status code mean?

503

and

50x

Answer 59

503: Service Unavailable

other 50x codes typically point to a server problem, rather than a user problem

Question 60

Where are IIS log files located?

Answer 60

The default path is on the C volume:

C:inetpub\logs\LogFiles

In this folder, you’ll see a folder for each website that IIS hosts.

Question 61

How many websites does IIS host for Exchange on an Exchange server?

Answer 61

Exchange servers have two websites: the front-end (client access) website, and the back-end (administrative) website.

Question 62

What methods of client access will NOT generate IIS log files?

Answer 62

POP and IMAP are separate client access services that do not use IIS, so they do not generate IIS log files.

They have separate logs that must be manually enabled.

Question 63

Where are POP and IMAP logs stored by default?

Answer 63

They are disabled by default, but the default path is:

C:\Program Files\Microsoft\Exchange Server\V15\Logging

In this folder will be the following folders:
Pop3
Imap4

Question 64

What is Office Online Server?

Answer 64

It provides a web-based viewing and editing experience for Office documents.

Question 65

What can Office Online Server integrate with?

Answer 65

It integrates with Exchange 2016, SharePoint Server 2016, and Skype for Business 2015

Question 66

What can Office Online Server provide when integrated with Exchange 2016?

Answer 66

Office documents that are attached to e-mails can be viewed and edited within the Outlook on the Web interface.

Question 67

What ports will Office Online Server use on the server it’s installed onto?

And what are those ports used for?

Answer 67

80 (for HTTP)

443 (for HTTPS)

809 (for communication between Office Online Servers when more than one instance is deployed)

Question 68

What considerations are there for the server to have Office Online Server installed on?

Answer 68

• Use the same sizing guidance as SharePoint Server 2016
• Don’t install on web servers or servers with applications that use the same ports
• Don’t install Office applications on the Office Online Server
• Don’t run Office Online Server on a domain controller, Exchange server, SharePoint server, or Skype for Business server

Question 69

What Deployment Topologies are possible for Office Online Server, and what does each entail?

Answer 69

• Single server farm using HTTP
– Fine for testing, but not recommended to use non-HTTPS in production.
– Not compatible with Skype for Business Server 2015

• Single server farm using HTTPS
– all Office Online Servers are installed as a farm, even if you just have a single server

• Multiple server farm using HTTPS
– requires a load balancer
– Office Online Server is a stateful application, so the load balancer must provide persistence, so that users maintain a connection to the same server during their session.

Question 70

How do you integrate Office Online Server with Exchange 2016?

Answer 70

Once Office Online Server has been installed and configured:

• Configure Exchange with a Discovery Endpoint for Office Online Server.
○ This can be configured at the Organization Level, or the Mailbox Server Level.

• The OWA App Pools need to be recycled before the change will take affect.
○ This will happen automatically after a several hours, or can be done manually but will kick out all OWA users.

Question 71

When would you want to configure a Discovery Endpoint for Office Online Server at the Mailbox Server Level vs. at the Organization level?

Answer 71

Configuring it at the Organization level will affect all mailboxes.

Configuring it at the Mailbox server level will only affect mailboxes on that server.

You would use the Mailbox Server level if you have either:

• multiple Office Online server farms, and want to deploy a different farm for different regions of your network
• some 2013 versions of Exchange deployed alongside Exchange 2016

Question 72

What is the PowerShell command to configure a Discovery Endpoint in Exchange 2016 for Office Online Server?

Answer 72

Setting it at the Oranization level:

Set-OrganizationConfig
-WacDiscoveryEndpoint
“https://

/hosting/discovery”