Webcast: Implementing Messaging Security for Exchange Clients – Q&A Log from 1-30-06

Earlier today, I presented a webcast titled "Implementing Messaging Security for Exchange Clients" from 10 AM - 11:30 AM (MST) with my team mates Chris Avis and John Baker helping with Q&A [Thanks Chris and John].

Below is the Question and Answer log from today's session.  I have included a few of my own comments enclosed in brackets within the log.  Please let me know if you have any questions from today or otherwise.  Thanks!

Harold Wong

Questions and Answer Log:

Question: How does this solution compare with PGP Universal Server solutions?

Answer: PGP Universal is designed to provide a much wider range of security and encryption for messaging and files. The solutions Harold is discussing are zero-cost solutions based on using Windows Certificate Authorities. You can use this same solution with 3rd party certs as well. The key here is our solution is integrated into the product.


Question: how can I check what service pack is running on my exchange

Answer: Open the Exchange System Manager --> Locate your Server Name in the Hierarchy --> Properties of the Server --> This will tell you Exchange Build and SP number


Question: Does the key size used have a significant impact on client performance?

Answer: Normally, no. What you find is if you use the Windows Certificate Services to generate certificates, the higher the bits used, the longer it will take to generate the key.


Question: How does message archival and encryption work? If the message is encrypted and archived as well, how can on requirement, some one else open the message from archival?

Answer: They will have to have access to the key.


Question: Why we need to consider Offline address book when digital certificate included?

Answer: I do not understand this question. Please clarify and repost.  [Harold] When Publishing Digital Certificates to AD, these are then included as part of the User Object.  This attribute is included in the Offline Address Book (OAB) which then leads to a larger OAB.  For an organization such as Microsoft, this can lead to a significant increase in the OAB size.


Question: Can you give me a link where I can download MOM; I downloaded MOM sp1 and not able to install it on server2003 sp1; It keep asking for windows 3.1 installer; Window 3.1 installed is already installed, it is part of windows 2003 sp1.

Answer: First - You can't just download MOM. It is a licensed, retail product so you will have to purchase and install it before you can install the MOM SP1 to it.


Question: What is the normal amount of latency in opening an S/MIME e-mail relative to an unencrypted e-mail? I ask because in my S/MIME pilot, I have seen Outlook "freeze" for anywhere from 5 to 45 seconds while opening an S/MIME e-mail.

Answer: I would look at name resolution and network connectivity. You should not see a 45 second delay. There is some overhead while the connections and verifications are made but not 45 seconds in a normal setup.


Question: I have an urgent problem and must leave. Can I download this session later for offline viewing?

Answer: All Webcasts are recorded. Check at http://www.microsoft.com/webcasts in 24-48 hours. It will be posted there. Harold may also post info to his blog at http://blogs.technet.com/haroldwong.


Question: Is IRM only available with an Exchange server and Outlook?

Answer: There are no IRM plugins from Microsoft for 3rd party mail programs. Outlook and OWA adhere to IRM protocols.  [Harold] However, 3rd parties can create their own plug in components using the SDK provided.


Question: for encrypting messages, do both clients need a user certificate from the same trusted CA?

Answer: No. Clients can have their certificates assigned from different CA's if they wish.


Question: However, the different CAs must be publicly accessible - correct?

Answer: Yes.


Question: Is there a utility to back up the certs, automatically?

Answer: You can likely write a script/batch file. A full O/S backup will backup the certificate stores well.


Question: So, would it be safe to say that anyone that wants to do anything with certificates should seriously consider setting up their own PKI infrastructure?

Answer: If you wish to maintain the PKI infrastructure yourself, then yes. This could also reduce your costs because 3rd party companies sell certificates. In a large organization this could be very costly.


Question: What is the alternative to placing the Exchange Server in the DMZ if you do not have an ISA server deployed?

Answer: You can also use another software or even a hardware based firewall and set port-forwarding. However, there are some features that ISA + Exchange deliver that you can not recreate with 3rd party hardware/software.


Question: Once you configure a laptop to use RCP over HTTPs will it use RCP when it is internally connected to the domain or just when it is external and if everyone is basically using laptops will this put much of an added load on the server or the network?

Answer: Outlook defaults to using MAPI when on the local LAN. Outlook will attempt RPC/HTTP when it can not make a direct connection to the Exchange Server. if you have a large number of remote users utilizing RPC/HTTP there could be more network activity since they are coming in from the outside world and (depending on your network setup) you may have to redirect clients to Exchange. Overall, the additional overhead is negligible.  [Harold] You have some control over this in the RPC over HTTPS configuration page in Outlook.  You can specify whether RCP over HTTPS is attempted first when on a fast network versus on a slow network.


Question: is there any webcast on cert services deployment and architecture?

Answer: Do a search for Archived Webcasts (by technology) at http://www.microsoft.com/webcasts.


Question: For Exchange ActiveSync, does SP2 for Exchange 2003 allow UPN logon? Or is PreWindows 2000 still required?

Answer: I don't believe so. I just tested with my device using a UPN and it fails.


Question: is being in non cached mode is required always? Disabling this may not be an option for all the clients right?

Answer: You can allow users to choose the mode or you can use Group Policy to force a cached mode/non-cached mode setting.


Question: Clients using WinXP with Outlook 11 with exchange 2000 server , received a try again always when they open Outlook, this segment is separated by firewall, I need open additional ports???

Answer: Can the clients connect to the Exchange Server at all? If not, you need to test Name resolution, and verify that.  This article details the ports used by Exchange 2000 -- http://support.microsoft.com/kb/278339/en-us -- However, since you are saying the clients do connect on the second try, I would not think it is a port blocking issue.


Question: could you explain this bit detail, about why to disable cached mode for security settings? Do I have to disable and enable for all my clients? Is it required to install security settings on all individual PC's?

Answer: With Cached mode, a copy of the mailbox is stored on the local machine in a .OST (Offline Store) file. For security, you may not want to have copies of company email on the client machines/laptops. An individual user can deselect the option for cached mode or you can use Group Policy to make the setting. Using Group Policy you can set this for individual users (with some extra effort) or across all or a portion of your organization. This setting is a part of the Office ADM template you would have to load to Group Policy on the server.


Question: Assuming the org. has their own CA, is it possible for an IT department to populate accounts with certificates instead of the user requesting their own?

Answer: You can use Group Policy to deploy certificates. Harold just showed a screen shot briefly. I will ask him to post some resources to his blog on this.  [Harold] Please look at this article for more details around Certificate Auto Enrollment: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx.


Question: can you point me to where I can find info on securing OWA via SSL?

Answer: This article is a good starting point -- http://support.microsoft.com/kb/320291/en-us - This is an Exchange 200 article but the steps are the same for Exchange 2003.  [Harold] Here is the link for configuring OWA via ISA 2004: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx.


Question: Can you implement SSL with a self signed certificate or do you need a Verisign or other certificate?

Answer: You can use a certificate from a local private CA (one you run internally) or you can use a 3rd party certificate.


Question: is there any way to synchronize between OWA folders and outlook folders? for example a mail sent from OWA does not appear in outlook sent items folder

Answer: I just sent a message from OWA (connected to an Exchange 2003 server) and it does appear in the sent items folder (inside OWA and inside my Outlook 2003 Client). There should be no additional steps needed for this to synch up.


Question: with the built-in SMIME solution, how do you provide additional decryption keys to decrypt previously encrypted messages by an internal user for litigation/discovery requests?

Answer: If this is an environment that is integrated with AD, then the keys are stored in AD. The Certificate Administrator (usually the EA as well) can grab these keys and decrypt the information. Worse case, you can also change the user's password and login as them to access the user's key.


Question: Can you answer this question; Is technet Virtual experiencing connectinivity issues; I am unable to use the virtual lab since November

Answer: I have received numerous emails about this and have escalated.


Question: OWA seems to always ask for a new logon even if I check the remember password box. What have I done wrong?

Answer: Why would you want to have the password remembered? This is not a secure configuration.  [Harold] In re-reading my answer, I realized it sounds a bit arrogant.  I apologize as this was not my intent.  This is my sarcastic humor coming out.  I would not recommend saving passwords like this as it is a security risk. 


Comments (2)

  1. Vitalie Ciobanu says:

    1. Would it be a message notification or smth when the yesterday’s offline webcast will be available for download?

    2. Did you know that the phishing filter from IE 7 for XP said that this site might be a phishing one?

    Thanks, Vitalie Ciobanu.

  2. Harold Wong says:

    You will receive a follow up email within 24 – 48 hours of the webcast with links to download the additional "stuff".

    Interesting that we are notching our own blogging site as a possible phishing one. Hmmm..

Skip to main content