Friday, July 27, 2007

Upcoming OCS 2007 training

 Microsoft's Oscar Trimboli points out some upcoming Office Communication Server (OCS) training. If you want to find out more visit the Microsoft events page and register for the next round of OCS training.

Microsoft Office Communication Server Home Page
Event Number 893229

This technical 2-day deep dive will skill you on Microsoft Office Communications Server (OCS).

OCS helps organisations be more productive by enabling them to communicate easily with others using a range of communication options, including instant messaging (IM), voice, and video. By delivering streamlined communications your users can easily find and communicate with the right person, at the right time, from the applications they use most.

By deploying Office Communications Server your organization can deliver the benefits on an extensible VoIP foundation without expensive infrastructure and network upgrades. The enhanced capabilities of Office Communications Server extend your existing Exchange and Active Directory infrastructure.

Microsoft's Office Communications Server Readiness training equips you for the next exciting wave of office collaboration.

During this training you will learn how to:

* Develop an Overview of Microsoft's Unified Communications Vision
* Deploy an Office Communications Server 2007 Infrastructure
* Understand the Rich Presence Model in OCS 2007
* Experience the On-Premise Web Conferencing Capabilities of OCS 2007
* Configure and Test the Voice and Telephony Features of OCS 2007

Instructor: Nigel Jones

Price: $790 ex GST

Tuesday, July 24, 2007

Why Appear Offline is Disabled in MOC 2007 Client

The ability to appear offline is disabled by default in Microsoft Office Communicator 2007 Client.  Microsoft's Tom Laciano gives two good reasons why this should be so. 

...the product team believes it is the right thing to disable this feature for the following reasons:

  1. It reduces the value of presence if everyone is lurking/hiding as “Appear Offline” (e.g. imagine if everyone in the company did it).  Within working hours there is no reason to use “Appear Offline” as opposed to DnD
  2. Once you go beyond OC as an IM client and think about OC as a phone it doesn’t make much sense to use “Appear Offline” as that will cause all phone calls and such to go to voicemail.  It is also not a very good way to hide anymore given that everyone is expected to have a phone and so you won’t see very many people as offline anymore (i.e. there is no reason to see someone as offline as their phone should always be connected so at worst they should be away)

I had not given it much thought but the reasons above - especially the second - make a lot of sense.

Friday, July 20, 2007

Mobility and UC

Marty Parker over at has a good article about the convergence of mobility and unified communications.  He provides a good overview of some of the developments and acquisitions that have taken place lately and draws some interesting conclusions.

What does all this mean? In the UC world, more and more voice and video communications will be launched from and connected to a mobile wireless device. And calls increasingly will be launched by clicking a directory entry, an email address, an IM presence indication or a transaction button in an enterprise application portal.

This makes sense - mobility has long since stopped being about email on your phone.  Mobility is about extending the reach of your enterprise's content and applications out to your people, who are increasingly not in the office.

As new applications rise in popularity in the enterprise it will no longer be a question of if that application is mobilized.  It will be a question of how...

Check out Marty's article. You need to register, but it is a good read.

Saturday, July 14, 2007

How to use Smart Cards with OWA - But Why?

There is an interesting article on TechNet that outlines how to configure ISA 2006 and Exchange 2003 to support smart card authentication for Outlook Web Access.

Technically it is a well written article and it explains the concepts behind the authentication process well.  The article also explains the benefits of using two factor authentication.

Rather than relying on a single method—a password—to enable access, two-factor authentication enforces the use of additional authentication methods, including a username/password combination, a physical device such as a smart card, or a biometric identifier such as a fingerprint.

I absolutely agree with that - but while the article does a great job of explaining how you configure this scenario, it does not delve into why you would do this, what the alternatives are, or what the pros and cons are.

You see, OWA is only one option available to provide remote access to Exchange information. Other options include Exchange ActiveSync, Exchange Anywhere (nee RPC over HTTPS) and application virtualisation technologies such as Terminal Services or Citrix Secure Gateway with Citrix Presentation Server.

Similarly, smart cards are only one option to provide multi-factor authentication.  Other options include one-time passwords (OTP), time-based tokens such as RSA SecurID, biometrics, or computer certificates.

In addition to this, authentication of the user and/or device is only part of the story.  That protects access to the data, but data also needs to be protected when it is in transit and when it is at rest.  For this post I'll assume that you are going to encrypt any data transmitted over public networks (right?!?!), so I'll ignore protecting data in transit.  However, protecting data at rest is an important consideration for remote Exchange access.  If your users are using OWA, for instance, from machines that you do not know or trust, then they may be saving attachments to those machines, where the attachments are not protected.

The technologies used to deliver, authenticate and secure remote Exchange access should be chosen based on the security policy of the organisation.  So what would the corporate policy need to look like in order to justify using smart cards to secure OWA?  What about other combinations - when should they be used?

Putting Exchange ActiveSync aside for a minute - that is another post I think - the remaining three strategies I have covered each have different characteristics.

  • OWA - Least configuration on the client.  Requires an active connection to read or compose email; there is no offline capability.  You may want to prohibit downloads of attachments to prevent data being left at rest on unprotected machines.
  • RPC/HTTPS - This option requires Outlook to be installed on the client.  If used in conjunction with cached Exchange mode it could leave a significant amount of data at rest on the endpoint machine.  Because data can be synchronised to the local machine, email can be read and composed while offline.
  • Virtualisation - Application virtualisation technologies such as Citrix Presentation Server virtualise the application by running it - e.g. Outlook - on a server and presenting the screen view to the user.  Mouse movements and keystrokes are sent back up the wire to the server.  The application being virtualised does not run on the client.  This requires a client on the endpoint machine, but there are ActiveX and Java clients available, so many public machines can be used.  Easily configurable policies can prevent data being left at rest on the endpoint.  Requires an active connection to read or compose email.

The table below provides a high level overview of some of the outcomes of the options.  The intent is to help people pick the right combination of technologies to meet the requirements of their security policy.

Username & Password (single factor)
  • OWA: Provides access from any Internet-connected machine, which is very convenient.  Could be susceptible to key logging if accessed from an untrusted machine.
  • RPC/HTTPS: Also provides access from any Internet-connected machine if the user has enough knowledge to configure the Outlook profile.  Also susceptible to key logging.
  • Virtualisation: Provides access from most Internet-connected machines - the client machine needs to support at least one type of Citrix client.  Susceptible to key logging.

Smart Cards (two factor)
  • OWA: Needs to be accessed from an endpoint that has a smart card reader.  This implies that you know the endpoint.  Protected from key logging, as the smart card + PIN constitute two factors of authentication (something you have and something you know).  More secure, but not as convenient as above.
  • RPC/HTTPS: Needs to be accessed from an endpoint that has a smart card reader and has the Outlook client.  This could still be a client that you don't trust if the user had the knowledge required to configure Outlook.  Protected from key logging and provides online and offline access.
  • Virtualisation: Again - requires a smart card reader on the client in addition to either having the Citrix client or support for one of the web clients.  Protected from key logging.

Computer Certificates (two factor)
  • OWA: Requires that you not only know the client, but that you have configured a client certificate.  This provides two factors in that you have to have something - a computer with a certificate - and you have to know something - the user credentials.
  • RPC/HTTPS: Requires a certificate on the client.  This prevents the users from configuring any client to use RPC over HTTPS.  This ensures that data at rest on the client will be protected by corporate policies applied to the client.  For example - if you have Vista and are using BitLocker you can be assured the data will be encrypted.
  • Virtualisation: Allows access to Exchange data from a Citrix client you know and trust.  Ensures that data cannot even be viewed unless an authenticated person using a known device connects.  No data at rest on the client.

SecurID
  • OWA: Extremely convenient.  Can access Outlook from any client, but credentials are protected from key logging by using a PIN + token code in place of the password.
  • RPC/HTTPS: Not as seamless as computer certificates and does not prevent the use of unknown hardware.  But it does protect from key logging and provide strong authentication.
  • Virtualisation: Strong authentication and fairly convenient.  A good choice for users who will have a business need to use untrusted machines.

So when would configuring OWA to use smart card authentication be the appropriate choice?  One scenario that seems likely to me is if you want to enable specific users to access OWA from home, but for whatever reason you don't want to provide them with a mobile PC.  Another way to meet this need would be to use Citrix.  That provides additional protection in that you can prevent data being left on the machine, but carries additional licensing costs.
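To make the "pick the combination that matches your policy" exercise repeatable, here is an added example (not code from the original post) that encodes the characteristics the post assigns to each access method and each authentication method, then tests every combination against a stated policy. The property names, the policy fields and the sample policy are this example's own assumptions; the characteristics themselves are the ones the post lists above.

```powershell
# Added example, not from the original post. Encodes the post's remote-access and
# authentication characteristics and filters combinations against a security policy.
# Property names and policy fields are this example's own assumptions.

$AccessMethods = @(
    # DataAtRest: what the post says each option can leave on the endpoint.
    @{ Name = 'OWA';            Offline = $false; DataAtRest = 'Possible (saved attachments)' }
    @{ Name = 'RPC/HTTPS';      Offline = $true;  DataAtRest = 'Significant (cached Exchange mode)' }
    @{ Name = 'Virtualisation'; Offline = $false; DataAtRest = 'None' }
)

$AuthMethods = @(
    # RequiresKnownEndpoint: the post ties computer certificates to a client you know and
    # have configured; a smart card reader on its own does not make an endpoint trusted.
    @{ Name = 'Username & Password'; KeyLoggingResistant = $false; RequiresKnownEndpoint = $false; RequiresReader = $false }
    @{ Name = 'Smart Card';          KeyLoggingResistant = $true;  RequiresKnownEndpoint = $false; RequiresReader = $true  }
    @{ Name = 'Computer Certificate';KeyLoggingResistant = $false; RequiresKnownEndpoint = $true;  RequiresReader = $false }
    @{ Name = 'SecurID';             KeyLoggingResistant = $true;  RequiresKnownEndpoint = $false; RequiresReader = $false }
)

function Select-RemoteAccessOption {
    # Returns one object per access/auth combination; Acceptable is $true when the
    # combination violates none of the policy's requirements, with the reasons otherwise.
    param([Parameter(Mandatory = $true)][hashtable]$Policy)

    foreach ($access in $AccessMethods) {
        foreach ($auth in $AuthMethods) {
            $reasons = @()

            if ($Policy.RequireOffline -and -not $access.Offline) {
                $reasons += 'no offline access'
            }
            if ($Policy.RequireKeyLoggingResistance -and -not $auth.KeyLoggingResistant) {
                $reasons += 'password typed on the endpoint can be key logged'
            }
            if ($Policy.UntrustedEndpoints) {
                if ($auth.RequiresKnownEndpoint) {
                    $reasons += 'needs a known, pre-configured endpoint'
                }
                if ($auth.RequiresReader -and -not $Policy.UntrustedEndpointsHaveReaders) {
                    $reasons += 'needs a smart card reader on the endpoint'
                }
                # OWA can be configured not to serve attachments, which removes its data-at-rest exposure.
                $dataAtRest = $access.DataAtRest
                if ($access.Name -eq 'OWA' -and $Policy.OwaAttachmentsBlocked) { $dataAtRest = 'None' }
                if ($Policy.NoDataAtRestOnUntrusted -and $dataAtRest -ne 'None') {
                    $reasons += "leaves data at rest on the endpoint: $dataAtRest"
                }
            }

            [pscustomobject]@{
                Access     = $access.Name
                Auth       = $auth.Name
                Acceptable = ($reasons.Count -eq 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample policy: staff must reach mail from machines the organisation does not
# control, nothing may be left on those machines, and a typed password must not be enough.
$policy = @{
    RequireOffline                = $false
    RequireKeyLoggingResistance   = $true
    UntrustedEndpoints            = $true
    UntrustedEndpointsHaveReaders = $false
    NoDataAtRestOnUntrusted       = $true
    OwaAttachmentsBlocked         = $false
}

Select-RemoteAccessOption -Policy $policy | Format-Table Access, Auth, Acceptable, Reasons -AutoSize
```

With the sample policy only Virtualisation paired with SecurID survives, which is the table's own conclusion for users who need untrusted machines; setting OwaAttachmentsBlocked to $true brings OWA with SecurID back into the acceptable set, and setting RequireOffline to $true rules out everything except RPC/HTTPS, whose data-at-rest exposure then has to be handled by a known, encrypted endpoint (the computer certificate row). Each rejected row carries the reason, so the output doubles as the justification you would attach to the policy decision.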

Thursday, July 12, 2007

Good overview of Standby Continuous Replication in E2k7 SP1

 The Exchange Team Blog has quite a good overview of the new Standby Continuous Replication (SCR) feature in Exchange 2007 SP1.

Standby continuous replication (SCR) is a new feature being introduced in Service Pack 1 for Microsoft Exchange Server 2007. As its name implies, SCR is designed for scenarios that use standby recovery servers. SCR extends the existing continuous replication features and enables new data availability scenarios for Exchange 2007 Mailbox servers. SCR uses the same log shipping and replay technology as local continuous replication (LCR) and cluster continuous replication (CCR) to provide added deployment options and configurations.

Check out the full post for some great info.
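As an added example (not from the Exchange Team Blog post or from this blog), the Exchange Management Shell commands that turn SCR on for an existing storage group and then check the standby copy; the server and storage group names are placeholders:

```powershell
# Added example, not from the Exchange Team Blog post. Enables SCR for an existing storage
# group on an Exchange 2007 SP1 Mailbox server and checks the copy. Names are placeholders.

$SourceStorageGroup = 'MBX1\SG1'   # placeholder: <SourceServer>\<StorageGroup>
$StandbyServer      = 'SCR1'       # placeholder: the SCR target Mailbox server

# Enable the SCR copy. ReplayLagTime (days.hours:minutes:seconds) delays log replay on the
# target; the SP1 default is 24 hours. A shorter lag keeps the standby copy closer to
# current but leaves less time to stop a logical corruption from being replayed into it.
Enable-StorageGroupCopy -Identity $SourceStorageGroup -StandbyMachine $StandbyServer -ReplayLagTime 0.1:0:0

# Check the standby copy: expect a healthy summary status and short copy/replay queues.
# A growing CopyQueueLength means logs are not reaching the target; a large ReplayQueueLength
# is expected while the replay lag has not yet elapsed.
Get-StorageGroupCopyStatus -Identity $SourceStorageGroup -StandbyMachine $StandbyServer |
    Format-List SummaryCopyStatus, CopyQueueLength, ReplayQueueLength
```

Run both commands from the Exchange Management Shell on a server in the same organisation; the first command only needs to be run once per storage group and standby target, while the second is the check to repeat (or schedule) to confirm the log shipping described in the quoted post is actually keeping up.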