Special Edition, Using Microsoft BackOffice, Ch. 16

16 - Exchange Server Advanced Topics

by Don Benage

  • How to install advanced security for Exchange Server - Find out how to install the Key Manager service and set up advanced security administrators. Learn how to enable a mailbox for advanced security.

  • How to use Exchange Server's Advanced Security features - Learn how Exchange Server uses public key technology and sophisticated encryption to digitally "sign" and "seal" your electronic messages.

  • How to connect Exchange Server to Microsoft Mail (PC) systems - Learn how to configure the Microsoft Mail (PC) Connector so that you can exchange mail with existing users and Post Offices. Learn how to use the Microsoft Exchange Migration wizard to automatically move mailboxes and messages from an existing Microsoft Mail Post Office to an Exchange Server.

  • How to connect Exchange Server to the Internet - Learn how to connect your Exchange Server system to the rest of the world using the Internet Mail Connector. Discover how to configure the Internet Mail Connector so that your Exchange Server system can communicate with the Internet community.


In this chapter, you learn how to install and use the advanced security features that complement the security already provided by Windows NT. Although the security built into Windows NT Server helps prevent unauthorized use of the computer equipment in your organization and control access to shared resources, additional measures are needed when messages are sent across the country or around the world. Even in a local environment, if the nature of your information is highly sensitive, these advanced features of Exchange Server play an important part in keeping your information confidential.

Through the use of public key protocols you can attach a digital signature to your message verifying that it could only have been sent by you. You can also employ sophisticated encryption algorithms to encode a message so that, even if it is intercepted, it cannot be read. Furthermore, the same digital signature lets the recipient detect any tampering with the message or substitution of bogus information. Additional information on public key systems and other security-related issues is provided in Chapter 28, "Implementing Real-World Security."

You learned how to set up a site connector in Chapter 15, "Managing Information with Exchange Server." In this chapter, you learn how to install and use two additional connectors so that you can send and receive messages with Microsoft Mail (PC) users and the vast community attached to the Internet. You also learn how to migrate mailboxes from a Microsoft Mail system in a manner somewhat similar to the automated extraction of Windows NT account information and subsequent creation of mailboxes that you learned in Chapter 13, "Implementing Exchange Server."

Using Exchange Server Advanced Security

With the increased use of electronic messaging, and especially with the explosion of the Internet, there is a growing concern for privacy and security. Imagine for a moment that the only type of letter you could send through the traditional mail system was a postcard. This would certainly limit the kind of information you would transmit through the mail and greatly impact its usefulness. The situation with ordinary electronic messaging is not quite that bad, but in many ways the analogy is apt: an unprotected message can be read by anyone who handles it along the way.

Due to the public nature of much of the infrastructure that makes up the Internet, and the mechanisms employed to transmit network packets, it is very possible for people who are not the intended recipient of a message to gain access to its contents. This is also true on most corporate and organizational networks, unless stringent precautions and considerable expense have been employed to prevent such an eventuality. The growing availability of network protocol analyzers, at ever-decreasing costs, has put the necessary tools within reach of average citizens. In addition, the informal community of computer "hackers" continues to develop and use ingenious, or at least shrewd, methods to gain unauthorized access to information.

It is worthwhile, therefore, to expend time and energy to learn how to safeguard your information. An important point to bear in mind when learning about these techniques, however, is the old adage that a chain is only as strong as its weakest link. The literature on computer security and crime is filled with stories of organizations that went to great lengths to secure their systems and then threw the operations manual in the (unguarded) dumpster at the back of the building. The hacker community has even coined the phrase "dumpster diving" to describe looking for information that will lead to access to systems. This is just one example of a weak link that might be overlooked and lead to disaster. The lesson: No system will help secure your information if your password is written on a Post-It note stuck to the bottom of your desk drawer.

See "Data Security," (Chapter 28)

Installing Exchange Server's Advanced Security

Public key systems, like the one used by Exchange Server, depend on the use of keys to "lock" and "unlock" encrypted information. A key in the context of computer-based encryption systems is nothing more than a string of bits, usually presented as a string of characters. The strength of the encryption, and its capability to withstand attempts to break it, depend on the algorithm and on the quality and length of the key: with a sound algorithm, each additional bit of a truly random key doubles the work of an exhaustive search, whereas a key that can be guessed (one derived from a word or a short phrase) undermines even a strong algorithm. A long, highly random key provides very good protection. Because long strings of random (or pseudo-random) characters are difficult for humans to remember and inconvenient to enter on a keyboard, most commercial encryption software provides a key management component that aids the process of generating, storing, and managing the keys being used. Exchange Server provides such a component called the Key Management server.

To use the security features of Exchange Server, you must first install the Key Management server (KM server) software. You should use one, and only one, server for this purpose. Users needing advanced security features communicate with the KM server through e-mail and can therefore leverage the features of this component even if it is located in a different site through a connection that does not support Remote Procedure Calls (RPCs). However, you will need an RPC-capable link to the KM server to install and administer advanced security because the Exchange Administrator is the tool you use to do so, and it requires RPC support.

There are two passwords that an administrator will have occasion to use in connection with the KM server. The first is a password that allows you to start the KM service on the Exchange Server computer where it is located. This password is generated during the Setup process, cannot be changed, and can either be stored on a floppy disk for easy entry during startup, or it can be written down and typed in when you start KM server.


    Although it is generally a bad idea to write down a password, this one is required to start the KM server. If you lose this password, you must reinstall the KM server software. Therefore, record this password on paper and/or diskette, and store it in a secure location such as a safe. You will need the password (or diskette) whenever you start the KM server, so it must be accessible for this operation (which may only be required a few times per year for maintenance, troubleshooting, and so on). Possession of this password does not by itself let an unauthorized user read encrypted messages, but it is one of the pieces a sophisticated attacker with access to the KM server computer would want, so treat it as sensitive.

The other password is used by an advanced security administrator and must be entered each time an advanced security task is performed. You can assign the role of advanced security administrator to more than one person, and each will have his or her own password. The initial password created by the Setup program is "password". Procedures for changing it and for assigning additional advanced security administrators follow the installation steps below.

To install advanced security and create your KM server, follow these steps:

  1. Log on to the computer that will act as your KM server. The account you use should be a member of the local Administrators group for that computer and must also have administrative permissions for the Configuration object on the Exchange Server. Insert the Exchange Server CD into the CD-ROM drive.

  2. The Key Manager software is located in the EXCHKM subdirectory. This can be found in the subdirectory for your CPU architecture (I386, ALPHA, or MIPS) under the Setup subdirectory. Find the appropriate directory for your computer and launch the Setup program.

  3. After the Welcome screen, the Key Management Server Setup dialog box appears. You can change the installation directory if you want using the Change Folder button. Then, click the Typical button, the only option available, to install the KM server with all options. After copying files to your computer's disk drive, the Setup program eventually prompts you with another Key Management Server Setup dialog box (see fig 16.1).

    Fig. 16.1 - This dialog box is used to indicate the Country Code for the country in which you reside, and whether you want Exchange Server Setup to create a KM Server startup floppy disk.

  4. This dialog asks for your Country Code and whether you want a floppy disk created that will store the password used to start the KM server. This is a recommended option, but not required. If you create the floppy, a KMSPWD.INI file will be saved containing the clear text (non-encrypted) password. If you do not create a floppy, the password will be displayed on the screen for you to record. Whether you use a floppy disk, a written record, or both (recommended) to maintain this password, it must be kept secure. Click OK. Insert a floppy disk or record the password and click OK again.


    You will not be able to start the KM server without this password! If you lose this password, you will need to reinstall the KM server software.

  5. After a short period of time, you see a dialog box indicating that the KM server software has been successfully installed. Click OK.

You should now start the KM server for the first time and change the default administrator's password. To start the KM server, follow these steps:

  1. Open the Control Panel on the KM server computer. Double-click the Services icon. In the Services dialog box, scroll down the list until you find the Microsoft Exchange Key Manager service.

  2. Click the Startup button. The Service dialog box will appear.

  3. In the Log On As box at the bottom of the dialog box, select the This Account option button and then enter the Exchange service account name, or use the ellipsis button to browse for the account.

  4. Enter and confirm the password for the Exchange service account (not the startup password) in the appropriate boxes. Click OK to return to the Services dialog box (see fig. 16.2).

    Fig. 16.2 - This dialog box is used to set startup options for the KM server and to start the service. If you have not created a startup floppy disk, you must type the password generated during setup into the Startup Parameters box before clicking Start.

  5. Either insert the startup floppy disk into drive A:, or type the startup password into the Startup Parameters box. Make sure that the Microsoft Exchange Key Manager service is still highlighted, and click the Start button. The service will start.

It is important to change the default password for advanced security administrators without delay. You should change the password and assign at least one additional advanced security administrator at this time (in case of an emergency situation or accident). To change the password and add another advanced security administrator, follow this procedure:

  1. Start the Exchange Administrator.

  2. In the container area (the left pane) of the display, find the site containing the KM server. Click the plus sign to the left of the site name to expand the display if it is not already open. Click the plus sign to the left of the Configuration object to expand its display.

  3. Highlight the Configuration object. In the contents area, double-click the Encryption object. The dialog box for the Encryption object appears.

  4. The General tab only allows you to change the display name of the object, which you can do if you want. The Permissions tab is used just as other permissions tabs you have already learned about. You can add permissions for one or more accounts if the inherited permissions aren't sufficient. The most important permissions are those granted on the Security tab. Click the Security tab (see fig. 16.3).

    Fig. 16.3 - This tab of the Encryption object's dialog box is used to select the encryption algorithm (the method used to encode information) for North American sites and all others. Use the button at the bottom of the dialog box to set up advanced security administrators.

  5. The Security tab allows you to select the method used for encrypting information. In North America, you can select CAST-64, CAST-40, or the Data Encryption Standard (DES). Outside of North America you can use only CAST-40 because of restrictions that prohibit the export of "strong" encryption technology from the United States. Bear in mind that a 40-bit key is short enough to be recovered by exhaustive search with modest, widely available computing resources, so use the longest key your location permits and treat CAST-40 as protection against casual reading rather than against a determined attacker. The Key Management server location information cannot be changed.


    Strong encryption
    is a relative term used in the field of cryptography to describe algorithms and key lengths that make recovering the plaintext without the key computationally infeasible; that is, no practical amount of computing effort is expected to succeed. It is not theoretically impossible: an exhaustive search of every key will always finish eventually, and the question is whether it finishes within a useful time. Many encryption algorithms allow you to select a key of varying length to use as a part of the encryption process. In general, each additional bit of a random key doubles the work of an exhaustive search, so the longer the key that is selected, the more difficult the task of decrypting the message without it. This is not a formal definition, but is accurate enough to be suitable for this discussion. For more information on encryption and the entire field of cryptography, see Applied Cryptography, Second Edition, by Bruce Schneier.

  6. Click the Key Management Server Administrators button. The Key Management Server Password dialog box appears (see fig. 16.4).

    Fig. 16.4 - Enter your personal security administration password in this dialog box.

  7. Enter your own password for advanced security administration. If you have not already changed it, the default is "password". Click the check box if you would like the Exchange Administrator to Remember This Password for up to Five Minutes while you complete additional security administration tasks. If you do not check this box, you will be prompted for your password before each task can complete.


    If you finish performing advanced security tasks before five minutes have elapsed, most advanced security dialog boxes have a Forget Password button that causes the Exchange Administrator program to require the password again for any additional tasks. This is recommended to help avoid a situation in which you would leave your workstation, perhaps in an emergency, while logged in with advanced security permissions.

  8. Click OK to continue. The Key Management Server Administrators dialog box appears (see fig. 16.5).

    Fig. 16.5 - This dialog box is used to add or remove advanced security administrators or change their passwords.

  9. Click Change Password. A dialog box labeled Change the Password for the Key Management Server appears. Enter your existing password and a new password, and then verify your new password by entering it again. The password must be at least six characters in length and is case-sensitive. Click OK to return to the Key Management Server Administrators dialog box.

  10. Click OK to return to the Encryption Properties dialog box and then click OK once more to close the dialog box.

Adding Advanced Security Administrators

You should grant permissions for one or more additional accounts to perform advanced security tasks such as enabling and revoking the use of advanced security, to act as a backup in the event of some catastrophic accident. If the only person who has this privilege is unable to perform these tasks, the organization is in serious jeopardy of eventual loss of information. While the currently active keys will continue to function, no one will be able to grant new mailboxes this capability, making the system less effective. Eventually, you will need to reinstall the Key Manager, which could lead to information loss.

To create an additional advanced security administrator, follow this procedure:

  1. Start the Exchange Administrator.

  2. In the container area (the left pane) of the display, find the site containing the KM server. Click the plus sign to the left of the site name to expand the display if it is not already open. Click the plus sign to the left of the Configuration object to expand its display.

  3. Highlight the Configuration object. In the contents area, double-click the Encryption object. The dialog box for the Encryption object appears.

  4. Click the Security tab.

  5. Click the Key Management Server Administrators button. The Key Management Server Password dialog box appears.

  6. Enter your own password for advanced security administration. Click the check box if you would like the Exchange Administrator to remember the password for up to five minutes while you complete additional security administration tasks. Click OK to continue. The Key Management Server Administrators dialog box appears.

  7. Click Add Administrators, and the Add Users dialog box appears.

  8. Select the account that should have the capability to enable or revoke advanced security privileges for mailboxes from the Add Users dialog box. Click OK.


    For the account selected to perform advanced security functions, the following additional permissions must already exist or be added. The account must be able to access a computer that can run the Exchange Administrator program. If this is a Windows NT Server, the Log on Locally right must be assigned to the account using the User Manager if the account is not a member of a local group with that privilege. The account does not need to be a Windows NT administrator, server operator, or accounts operator. The account must also be given the View Only Admin role (at a minimum) for the site object using the Exchange Administrator. Also, the account must be granted the Admin role for the Encryption object. If the account in question has inherited permissions already, these need not be added.

  9. You cannot change the advanced security password for an account without logging on using the account whose password you want to change. Regardless of which account is selected in the list box, if you click the Change Password button, you will be changing the password for the currently logged on account. Therefore, the new advanced security administrator should be advised to change his or her password from its default ("password") as quickly as possible because you can't do it for them. Click Done to return to the Encryption Properties dialog box; then click OK.

Enabling Advanced Security for Mailboxes

Now you are ready to enable a mailbox for using advanced security and to send a test message to try the new capabilities. A good first mailbox to enable is your own. If you want to enable mailboxes in other sites, you must run the Key Management Setup in each of those sites as well, but you must not set up a second Key Manager service; the organization has only one. Before doing so, allow time for the directory information for the site that holds the KM server to propagate to the other sites. When it has, the Certification Authority (CA) object appears in the contents area of the Configuration object for the other site. If this object is not visible, do not install the KM server software in that additional site yet. Investigate why the directory information has not replicated (perhaps not enough time has elapsed, or perhaps there is a problem) and wait until the CA object appears.


For directory information to propagate to other sites, a messaging connector of some type, such as a site connector or X.400 connector, must be established between the two sites. In addition, a directory replication connector must be created and configured.

See "Setting Up a Site Connector," (Chapter 15)

See "Setting Up Bridgehead Replication Servers," (Chapter 15)

After these steps have been performed, enabling mailboxes on home servers in remote sites to use advanced security is handled in the same manner as that used for mailboxes in the same site as the KM server. However, because the Exchange Administrator program must connect to the KM server to generate the temporary security token that enables a mailbox, this task must be performed from the site with the KM server. A procedure describing how the token is handled by people must therefore be developed. In general, the administrator who generates the token (see the following procedure) should deliver it directly to the mailbox owner and should require reliable proof of identity before doing so, because the token is what the KM server accepts as evidence that the enrollment request is legitimate.


You cannot enable advanced security for a distribution list or custom recipient. A mailbox is the only recipient type for which a Security tab is available on the dialog box. You can, however, generate security tokens (see the following procedure) in groups to streamline the process of enabling advanced security for a large group. This process is described in the Administrator's Guide provided with Exchange Server. You should still distribute the tokens very carefully and individually using a secure channel or method. Exactly how to accomplish this is beyond the scope of this book, but if you want the encryption you are setting up to be worth anything, you should go to some trouble to be sure that this information is truly kept secret.

To enable a mailbox for advanced security, follow these steps:

  1. Start the Exchange Administrator.

  2. Highlight the recipients container containing the mailbox in which you are interested. In the contents area, double-click the mailbox object. Click the Security tab (see fig. 16.6).

    Fig. 16.6 - The Security tab of a mailbox's dialog box is used to enable advanced security features.

  3. The Current Status for this mailbox should be listed as Undefined. Click Enable Advanced Security. After a brief pause for the generation of a new temporary security token, a Microsoft Exchange Administrator dialog box appears (see fig. 16.7).

    Fig. 16.7 - This dialog box displays the new token generated for this mailbox. This token should be supplied to the mailbox owner through some secure means after receiving proof of identity.

  4. Record the token and store it in a secure location. Click OK. The mailbox owner now completes the process using this token in the Exchange Client, as described in the next procedure.

To activate advanced security using a temporary security token, follow this procedure:

  1. Start the Exchange Client. Make sure that you have logged on with the Windows NT account that has permissions to use the mailbox you want to activate. This will only be an issue for administrators because normal users have only one account and one mailbox.

  2. Choose Tools, Options. The Options dialog box appears. Click the Security tab.

  3. Click Set Up Advanced Security, and a dialog box appears (see fig. 16.8).

    Fig. 16.8 - The Security tab of the Options dialog box for a mailbox is used to set up advanced security using the temporary token generated by an administrator. You enter your token into the Setup Advanced Security dialog box.

  4. Enter the token provided by the advanced security administrator. Complete the name for your security file; it should retain the EPF extension. If you want, you can change the location of this file. You will be able to use advanced security on any computer that holds a copy of your security file, together with the password you set in the next step. The file contains encrypted information (your keys) that allows you to use advanced security features, so treat it as sensitive even though it is encrypted, and copy it only to computers you trust.

  5. At the bottom of the dialog box, enter and confirm a password that you will need every time you want to digitally sign your messages, seal them using encryption, or read messages sent to you using advanced security features. The password must be at least six characters and is case-sensitive. If you forget this password, sometimes referred to as your remembered password, an advanced security administrator can reissue your security key so that you can perform this process again. Click OK to complete the process and close the dialog box. This sends your security request to the KM server. When your credentials have been authenticated, you will receive a message from the System Attendant on the KM server indicating that your mailbox has successfully been security enabled.
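As an added illustration (not code from this book, from Exchange Server, or from Entrust), the following Python sketch models the two halves of the procedure just described: the KM server's acceptance of a one-time enrollment token, and a security file that, like the EPF file, holds encrypted key material that only the remembered password can open. The KeyManager class, the record layout, the PBKDF2 stretching and the XOR cipher are assumptions made for the example; the real KM server protocol and EPF format are not documented on this page.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


class KeyManager:
    """Stand-in for the KM server's enrollment bookkeeping (assumed design, not
    the real KM server): it hands out one-time tokens and accepts an enrollment
    only when the presented token matches the unused one for that mailbox."""

    def __init__(self):
        self._pending = {}      # mailbox -> SHA-256 of the outstanding token
        self.enabled = set()    # mailboxes that completed enrollment

    def issue_token(self, mailbox):
        """The value the administrator reads off the dialog box in figure 16.7.
        Only its hash is kept, so a copy of this table does not leak tokens."""
        token = secrets.token_hex(8)
        self._pending[mailbox] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def enroll(self, mailbox, token):
        """Accept the user's request only if the token is the outstanding one,
        then retire it so the same token cannot enroll a second client."""
        expected = self._pending.get(mailbox)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(expected, presented):
            return False
        del self._pending[mailbox]
        self.enabled.add(mailbox)
        return True


def _derive_keys(password, salt):
    """Stretch the remembered password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def write_security_file(private_key, password):
    """Build an EPF-like record: the 32-byte private key XORed with a key
    stream derived from the password (toy cipher), plus an HMAC so a wrong
    password or an edited file is detected rather than yielding garbage."""
    if len(private_key) != 32:
        raise ValueError("toy cipher covers exactly 32 bytes")
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = hashlib.sha256(enc_key + salt).digest()
    ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def open_security_file(record, password):
    """Reverse of write_security_file; raises if the password is wrong."""
    enc_key, mac_key = _derive_keys(password, record["salt"])
    tag = hmac.new(mac_key, record["salt"] + record["ciphertext"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("wrong password or damaged security file")
    stream = hashlib.sha256(enc_key + record["salt"]).digest()
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream))


def demo():
    """Walk through figures 16.7 and 16.8: token issued, token used once,
    security file written and reopened, wrong password refused."""
    km = KeyManager()
    token = km.issue_token("jsmith")                  # administrator's step
    enrolled = km.enroll("jsmith", token)             # user's Set Up Advanced Security
    private_key = secrets.token_bytes(32)             # stands in for issued key material
    epf = write_security_file(private_key, "correct horse battery")
    try:
        open_security_file(epf, "password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "enrolled": enrolled and "jsmith" in km.enabled,
        "token_reusable": km.enroll("jsmith", token),
        "opens_with_password": open_security_file(epf, "correct horse battery") == private_key,
        "wrong_password_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the real product: the token is good for exactly one enrollment, which is why it must reach the right person and nobody else; and the security file is useless without the password, which is why the file can be copied to another computer but the password must never be remembered for you.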

Using Advanced Security Features When Sending E-Mail

Now that you know how to install and enable the advanced security features of Exchange Server, the only thing left to learn is how to use them. The ease of use you will discover when you exercise these capabilities belies the powerful technology being employed to protect your privacy. You may wonder whether your information is, in fact, actually protected. Only the test of time will provide the final answer to that question, but the Entrust Security Technology that Microsoft has licensed from Northern Telecom Limited employs methods that have stood up to intense scrutiny and attack in the cryptographic community. The practical limit is the key length you are allowed to use: the 40-bit CAST option, and to a lesser degree 56-bit DES, can be defeated by exhaustive search given determined effort, so the protection is strong against eavesdroppers and casual snooping rather than against a well-funded adversary. It also depends on the handling of the startup password, the enrollment tokens, and each user's security file and password, none of which the algorithms can protect for you.

To send a message using the advanced security features of Exchange Server, follow these steps:

  1. Start the Exchange Client.

  2. Compose your message in the usual manner.

  3. To encrypt the message, thereby "sealing" it electronically so that no one else can read it, click the Seal Message with Encryption toolbar button (see fig. 16.9). There will be no change to the message display, but the message will be encrypted before it is sent to the recipients, and if it is captured on its electronic journey it cannot be read without the recipient's private key.

    Fig. 16.9 - Use the two toolbar buttons at the far right of the toolbar to activate Exchange Server's advanced security features.

  4. To add a digital signature to your message, thereby "signing" it electronically, click the Digitally Sign Message toolbar button. The message does not change its appearance on your screen. You learn how to verify that a message has been digitally signed, and who signed it, in the next procedure.

  5. You can also choose File, Properties. Using the Security tab on the Properties dialog box for a message, you can select the option buttons to sign and seal your message without using the toolbar buttons.

  6. Click the Send toolbar button to send the message. If any of the recipients has not been enabled for advanced security, you will not be able to send that recipient an encrypted message, because sealing requires the recipient's public key; a dialog box similar to the one shown in figure 16.10 appears. You can still send a digitally signed message to such recipients, but they will not be able to verify the signature.

Fig. 16.10 - This Microsoft Exchange Security dialog box informs you if one or more of the recipients on the To line of a message are unable to receive encrypted messages.
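Added example, not part of this book or of the Exchange/Entrust implementation: a Python sketch of what "seal" and "sign" mean in a public key system, and of the check behind figure 16.10. Textbook RSA built on well-known Mersenne primes and a SHA-256 keystream stand in for the real algorithms (the book names CAST and DES for sealing; the real key sizes, padding and message formats are not shown on this page), so treat the code as a diagram in executable form, not as a usable cipher.

```python
import hashlib
import secrets

# Exponents k for which 2**k - 1 is a known Mersenne prime. They give each toy
# user two large primes without a prime generator. Keys built this way are
# trivially factorable and exist only to show the sign/seal structure.
_MERSENNE_EXPONENTS = {"alice": (521, 607), "bob": (127, 1279)}
_E = 65537


def make_keypair(name):
    """Textbook RSA key pair for a toy user: public (n, e), private (n, d)."""
    k1, k2 = _MERSENNE_EXPONENTS[name]
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n = p * q
    d = pow(_E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": _E}, {"n": n, "d": d}


def _keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream. It
    stands in for CAST or DES only to show where the session key is used."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(message, recipient_pub):
    """Seal: a fresh random session key encrypts the body; the recipient's
    PUBLIC key wraps the session key. Only the matching private key unwraps it,
    which is why every recipient of a sealed message must be security enabled."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"),
                  recipient_pub["e"], recipient_pub["n"])
    return {"wrapped_key": wrapped, "body": _keystream_xor(session_key, message)}


def unseal(sealed, recipient_priv):
    """Unwrap the session key with the private key, then decrypt the body."""
    k = pow(sealed["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    return _keystream_xor(k.to_bytes(16, "big"), sealed["body"])


def sign(message, signer_priv):
    """Sign: hash the message and transform the digest with the signer's
    PRIVATE key. Anyone holding the public key can check it; nobody else can
    produce it, so it binds the message to the sender."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, signer_priv["d"], signer_priv["n"])


def verify(message, signature, signer_pub):
    """Recover the digest from the signature with the PUBLIC key and compare it
    with a fresh hash of the message. Any change to the message breaks it."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, signer_pub["e"], signer_pub["n"]) == h


def recipients_without_keys(recipients, directory):
    """The check behind figure 16.10: sealing needs a public key for every
    recipient; names missing from the directory cannot receive sealed mail."""
    return [r for r in recipients if r not in directory]


def demo():
    """Alice signs and seals a message to Bob; Bob unseals and verifies it;
    a tampered copy fails; Carol, who is not enabled, cannot be sealed to."""
    pub, priv = {}, {}
    for name in ("alice", "bob"):
        pub[name], priv[name] = make_keypair(name)
    message = b"Q3 forecast: revenue down 12%. Do not forward."  # constructed sample
    signature = sign(message, priv["alice"])
    sealed = seal(message, pub["bob"])
    opened = unseal(sealed, priv["bob"])
    return {
        "unsealed_matches": opened == message,
        "signature_valid": verify(opened, signature, pub["alice"]),
        "tampered_valid": verify(opened.replace(b"12%", b"2%"), signature, pub["alice"]),
        "cannot_seal_to": recipients_without_keys(["bob", "carol"], pub),
    }


if __name__ == "__main__":
    print(demo())
```

The two operations use the key pair in opposite directions: sealing goes public key in, private key out, so only the addressee can open it; signing goes private key in, public key out, so anyone can check it but only the holder of the private key could have made it. That asymmetry is what lets a signed message go to a recipient who is not enabled (they simply cannot check it) while a sealed one cannot.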

To read a message using the advanced security features of Exchange Server, follow these steps:

  1. Start the Exchange Client.

  2. Messages with advanced security attributes (encryption or digital signatures) are opened in the same manner as ordinary messages. For example, you can simply double-click the message. When you open a message that has advanced security attributes, you are prompted to enter your advanced security password. After entering the password, you will be able to read the message normally.


    Messages that have been encrypted, with or without digital signatures, will appear in your Inbox with a padlock on top of the envelope icon in the Item Type column. Messages that have just been digitally signed will appear with an icon depicting the tip of a fountain pen over an envelope in the Item Type column.

  3. To check the security properties of the message and verify the digital signature (if any) on the message, choose File, Properties.

  4. You are prompted to enter your password again, unless you selected the option to remember your password for the duration of this Exchange Client session. On the Security tab of the Properties dialog box for the message, you can see which security features were used. If it was digitally signed, you can verify the digital signature.

  5. You can also use the Read Digital Signature toolbar button to verify a digital signature (see fig. 16.11). Note that the verification covers the message as it was received: after a message is open on your desktop, you can modify its contents without the change being reflected in this dialog box, so do not rely on the dialog box to vouch for text that has been edited locally. If security is important to you, store your messages in a personal folder file with password protection and encryption, on a disk drive that is physically secure. Also do not use the convenient option button that remembers your password and automatically enters it on subsequent Microsoft Exchange logons; anyone who can log on as you could then read your sealed mail and sign messages in your name.

Fig. 16.11 - The Verify Digital Signature dialog box shows you the identity of the person who signed the message and verifies that the contents of the document were not altered between the time it was sent and the time you received the message.

You should now be able to employ the advanced security features of Exchange Server to keep your private information private. It is important to have at least a rudimentary training session for users of advanced security to stress the importance of protecting their private password and selecting a good password in the first place. Used properly, and with the longest key your location permits, this technology puts reading or forging your mail beyond the reach of all but well-equipped and determined attackers; it does not, however, make up for a token handed to the wrong person or a password stuck to a monitor. When you have implemented these features of Exchange Server, and your people are using them properly, you have taken a big step toward safeguarding your information.

In the remainder of this chapter, you learn about two additional connectors - the Microsoft Mail (PC) Connector and the Internet Mail Connector. These gateways allow your Exchange Server system to communicate with other mail systems. The first creates a connection between Exchange Server and a Microsoft Mail for PC Networks version 3.x mail system. You can also configure a connector to Microsoft Mail for AppleTalk Networks, but that is not covered in this book. The second connector you learn about is the Internet Mail Connector. This gateway is used to exchange messages with the Internet community.

Configuring the Microsoft Mail (PC) Connector

Setting up a connection to MS Mail for PC networks is a process that involves a number of steps. These steps should be taken in the order described. There are several elements involved in this connector, and they depend on each other. It is important, therefore, that you complete one part of the process before moving on to the next.

When installing the Microsoft Mail (PC) Connector, you create a special post office that is compatible with MS Mail. This is called the Microsoft Mail Connector post office, or the shadow post office, and serves as a temporary repository for messages being sent to or received from MS Mail. A Windows NT service called the Microsoft Mail Connector Interchange handles the transfer of messages between Exchange Server and the shadow post office and converts them between the Exchange Server and MS Mail formats. Another service, the Microsoft Mail Connector (PC) message transfer agent (MTA), transfers messages between the shadow post office and the MS Mail post office.

If you are familiar with MS Mail you know about its original MTA, the MS-DOS-based program EXTERNAL, and its more recent replacement, the Multitasking MTA. The Connector (PC) MTA performs many of the same functions as these utilities. For example, it will deliver mail to MS Mail post offices over a LAN link without the use of the Multitasking MTA or EXTERNAL. However, if you want to connect to a remote post office over an asynchronous dial-up connection or X.25 connection, you must employ one of the older MTAs at the remote site.

The steps for configuring the MS Mail Connector that appear in the following five sections are for a simple connection between Exchange Server and MS Mail. If you have a large MS Mail system, with many post offices and gateways, you must take additional steps to enable message routing to post offices beyond the directly connected post office. You may also want to make new Exchange Server connectors available to the community of MS Mail users. This can be enabled by installing an access component so that the MS Mail post office can use the new connector in much the same way you would configure access to an older MS-DOS-based gateway. Exchange Server users may also take advantage of existing MS-DOS-based gateway products you have already installed. The procedures for these advanced configurations are beyond the scope of this book and are not covered. Refer to Chapter 9 in the Exchange Server Administrator's Guide for additional information.

The following steps are necessary to set up the MS Mail (PC) Connector. Each one is covered in detail in the following sections.

  1. Configure the MS Mail Connector Interchange.

  2. Configure a LAN Connection to MS Mail.

  3. Configure the Connector MTA.

  4. Configure the MS Mail Post office.

  5. Test the MS Mail (PC) Connector.

Configuring the MS Mail Connector Interchange

The first step is to configure the Interchange, the component that transfers messages from Exchange Server to the shadow post office and converts them to MS Mail format. To configure the MS Mail Connector Interchange, follow these steps:

  1. Start the Exchange Administrator.

  2. In the container area (the left pane) of the display, find the site that will contain the MS Mail Connector. Click the plus sign to the left of the site name to expand the display if it is not already open. Click the plus sign to the left of the Configuration object to expand its display.

  3. Highlight the Connections object. In the contents area, double-click the MS Mail Connector object. The dialog box for the MS Mail Connector appears. Click the Interchange tab (see fig. 16.12).

    Fig. 16.12 - The dialog box for the MS Mail Connector can be used to configure a gateway between Exchange Server and MS Mail for PC Networks. This figure depicts the Interchange tab, the first step in configuring the gateway.

  4. You must select an administrator's mailbox to receive status messages. You cannot leave this blank. Click Change and select a recipient from the Address Book. If you have not already established an administrator's mailbox for Exchange Server, consider creating one immediately following this procedure. You can change this selection later if you want.


    A person acting as an Exchange Server administrator will typically still want his or her own private mailbox. If you are in this position, you can create a profile for the Exchange Client that will open an administrator's mailbox for which you have permissions in addition to your own mailbox. In this way, it is convenient to check both mailboxes and to send messages on behalf of "the administrator." Using this technique, you avoid having to close one mailbox and open another several times per day.

  5. Select the primary language you will be using. If the user community makes use of embedded OLE objects, you should leave the Maximize MS Mail 3.x Compatibility check box selected. This increases the size of messages with OLE objects sent through the connector, but users of both systems will be able to view and save these objects. If you clear this check box, MS Mail users will not be able to see embedded objects sent from Microsoft Exchange clients. If you want to enable message tracking, a useful troubleshooting tool, click the check box.

  6. Click the General tab. You cannot change the computer name on this tab. It is listed here for viewing only. You can use this tab to set a message size limit for messages that will pass through the MS Mail (PC) Connector.


    Changing the name of the computer is done using the Network icon in the Control Panel, and should be approached carefully as it can sometimes disrupt services.

  7. You have now configured the Interchange and set limits for message size. You are ready to continue with the next procedure, configuring a LAN connection to MS Mail.

See "Creating an Administrator's Mailbox," (Chapter 13)

Configuring a LAN Connection to MS Mail

The next procedure shows you how to connect to an existing MS Mail post office over the LAN. When you have connected, the network and post office names are extracted for you. You only provide the network path, in the form of a Universal Naming Convention (UNC) name. This is the same path to which your MS Mail clients have usually (by convention) mapped the drive letter M: to connect to the post office.

To configure the LAN connection to the MS Mail post office, follow this procedure:

  1. Be sure that you have finished the preceding procedure, Configuring the MS Mail Connector Interchange, before continuing. You should have the dialog box for the MS Mail Connector object (from the Connections container in the site object) open in the Exchange Administrator program. Click the Connections tab.

  2. You should see your Exchange Server site's MS Mail address (in Network/Post office format) in the Connections list. Click the Create button, and the Create Connection dialog box appears (see fig. 16.13).

    Fig. 16.13 - The Create Connection dialog box is used to define a connection, in this case a LAN connection, to the MS Mail post office.

  3. Click Change. Enter the network path in the Postoffice Path text box using a UNC name (\\server\sharename).

  4. If you are connecting to a post office on a non-trusted Windows NT domain or a Novell NetWare network, or your Exchange service account is not a valid user on the post office server, enter an account and password that is a valid user. Click OK to return to the Create Connection dialog box.

  5. The Network name and Postoffice name will be filled in automatically. Click OK.

  6. An Apply Changes Now dialog box appears giving you a chance to confirm your changes. If you do not want to see this dialog box in the future, clear the check box labeled Confirm Before Connection Changes Are Applied on the Connections tab. The Connections tab should now show the connection between the Exchange Server site and the MS Mail post office in the list box.

You have defined the network connection needed to attach to the MS Mail post office. Now you are ready for the next procedure, Configuring the Connector MTA.

Configuring the Connector MTA

You can configure multiple MTAs to service this connector. Each MTA is capable of servicing one or more MS Mail post offices, and each is configured to use a particular type of connection. All MTAs are capable of using LAN connectivity. You can also configure an MTA to use Asynchronous connectivity, or to use an X.25 connection. For efficiency and manageability, it is recommended that each MTA be configured to service only one particular type of connection even though an X.25 MTA, for example, can also handle LAN connectivity.

To configure a connector MTA, follow this procedure:

  1. Be sure that you have finished the preceding procedure, Configuring a LAN Connection to MS Mail, before continuing. You should have the dialog box for the MS Mail Connector object (from the Connections container in the site object) open in the Exchange Administrator program. Click the Connector MTAs tab. Click the New button. A New MS Mail Connector (PC) MTA Service dialog box appears (see fig. 16.14).

    Fig. 16.14 - This dialog box is used to define the properties of a Windows NT service that will act as an MTA for one or more MS Mail post offices. It will transfer mail to and from the MS Mail Connector post office (the shadow post office).

  2. Enter a name for the service. The name can be up to 30 characters and can include spaces and some special characters (which should probably be avoided). A descriptive name is better than a creative name.


    If the name for the new service you are creating begins with "MS Mail," it will appear in the services list adjacent to the MS Mail Connector Interchange. Because these work in tandem to provide message transfer between the two systems (Exchange Server and MS Mail) they are almost always started and stopped together. Having them appear together in the list can help you remember to use them as a pair.

  3. Set your preferences for logging using the check boxes. You can turn logging on later if you have problems, or you may want to log messages for an initial shakedown period. You should not need to change the polling frequency although you can if you want. Do not click the Options button. Click OK to finish this task before setting options.

  4. Highlight the newly defined MTA service and click the Configure button. Then click Options. The MS Mail Connector (PC) MTA Options dialog box appears (see fig. 16.15).

    Fig. 16.15 - This dialog box is used to set message size limits, storage limits, and options for the MTA service.

  5. Enter any message size and storage limits you want to enforce. You can also select check boxes to Disable Mailer and Disable Mail Dispatch functions of the MTA if you want. This prevents the MTA from delivering and distributing messages to LAN-connected post offices and users. In general, these should not be checked. The mailer capability is similar to the mailer functionality of the External program. Select your Startup options and click OK to return to the dialog box named Configure the MS Mail Connector (PC) MTA Service. Then click OK again to return to the Connector MTAs tab of the MS Mail Connector (PC) Properties dialog box.

  6. You will now identify those post offices that will be serviced by this MTA. Click the List button. The Serviced LAN Postoffices dialog box appears (see fig. 16.16).

    Fig. 16.16 - This dialog box is used to select the post offices that will be serviced by the MTA being configured.

  7. Select any post office that you want this MTA to service in the Available LAN Postoffices list box. Click Add to move them to the Serviced LAN Postoffices list box.

  8. When you have added all the post offices appropriate for this MTA, click OK.

  9. Click the Local Postoffice tab to get the information you will need for the next step. Record the Network name and the Postoffice name. The serial number used as a sign-on ID and the password are only needed when configuring an external MS Mail post office that has been specified as direct route type connecting with an asynchronous or X.25 connection. Click OK to finish.

  10. To use the connector, you must start the services you have defined. This can be done with either the Control Panel on the local computer, or the Server Manager either locally or from a LAN or RAS connected computer. Open the Services dialog box and start the MS Mail Connector Interchange service and the connector MTA service you just defined.

You have configured the connector MTA. Now you are ready for the next procedure, configuring the MS Mail Postoffice.

Configuring the MS Mail Postoffice

Next, you will use the MS Mail 3.x ADMIN program to define the MS Mail Connector post office as an External post office for your existing MS Mail system. You can perform this task on any system capable of connecting to the post office and running the MS-DOS-based ADMIN program. To configure the MS Mail post office, follow these steps:

  1. Start the MS Mail 3.x ADMIN program. This typically involves connecting drive letter M: to the shared directory containing the post office and launching ADMIN.EXE.

  2. Select External-Admin from the main menu, then select Create. Enter the information you recorded from the Local Postoffice tab in step 7 of the preceding procedure. For a LAN connection, select Direct route type and MS-DOS Drive for Direct Connection Via (see fig. 16.17).

    Fig. 16.17 - The MS Mail 3.x ADMIN program being used to configure an MS Mail External post office address for the Exchange Server's MS Mail Connector post office (the shadow post office).

  3. Select Yes to confirm the creation of the External post office address.

You should also define at least one address for an Exchange Server recipient in the MS Mail Postoffice Address List. Use the same network and post office name along with the alias name for the recipient in the Exchange Server system. This will be used to test the connection from an MS Mail client in the next procedure.

Testing the MS Mail (PC) Connector

The connector is now defined, and the services have been started. You are almost ready to test the connection. In the last step of the preceding procedure, you defined an address for an Exchange Server mailbox in the MS Mail Postoffice Address List. You now need to create a custom recipient in Exchange Server for at least one user in the MS Mail system so that an Exchange Server client can address a message to an MS Mail user. As you have already learned, the custom recipient can be defined by an administrator on the server, or added to a Personal Address Book by a user.

If you have convenient client workstations to use for the test, use them. If not, you can define two profiles for the Exchange Client to attach to each system and test the connection from a single desktop. Configuring profiles for the Exchange Client to use Exchange Server services has already been discussed. This procedure outlines the process for defining a profile to attach to an MS Mail post office.

See "Setting Up Custom Recipients," (Chapter 13)

See "Creating a User Profile," (Chapter 14)

To create a profile for the Exchange Client to use MS Mail, follow these steps:

  1. Open the Control Panel. Double-click the Mail and Fax icon. Click the Show Profiles button in the resulting dialog box.

  2. Click Add. The Microsoft Exchange Setup wizard starts. Click the option button to Manually Configure Information Services and click Next.

  3. Enter a name for your profile. If you use multiple profiles, you may want to indicate that this is an MS Mail profile in the name to help distinguish them. Click the Next button. A blank properties dialog box appears. Click the Add button. Select Microsoft Mail from the Available Information Services list box and click OK. The Microsoft Mail dialog box appears (see fig. 16.18).

    Troubleshooting: When the Add button is clicked, MS Mail does not appear in the Available Information Services list box. The Microsoft Exchange Client Setup program does not install this service by default. If you do not see the MS Mail service in the list, you must cancel the profile definition and run the Exchange Client Setup program. Select the Add/Remove button, and make sure that the MS Mail service is included in the Information Services that are installed.

    Fig. 16.18 - The Microsoft Mail dialog box is used to configure the Exchange Client to use an MS Mail post office.

  4. Enter the path to your post office. If you are using a Windows NT or Windows 95 client, you can enter a UNC name of the form \\server\sharename. This is the same name you used in step 3 of the procedure for configuring a LAN connection to MS Mail earlier. Click the Logon tab.

  5. Enter the mailbox name and password you will use with this profile. You can set other options if you want, but they are not typically necessary for this simple test procedure. Click OK.

  6. Click Add. Select Personal Folders and enter a path and file name or select a location in the Create/Open Personal Folders File dialog box. Click OK to return to the properties dialog box for this profile. Click the Delivery tab.

  7. Enter or verify the post office and mailbox names, and enter your password. Click OK.

  8. There will be a short pause while the Exchange Client attempts to connect to the mailbox you entered. When it connects, select your personal folder file in the Deliver New Mail to the Following Location drop-down list box. Click OK. Click Next and then click Finish to complete the wizard.

You have set up all the connector components and identified existing client workstations, or set up new ones, which can connect to each of the two messaging systems (MS Mail and Exchange Server). To test the MS Mail (PC) Connector, follow these steps:

  1. Start the Exchange Client using a profile that uses Exchange Server. Compose a message and address it to the custom recipient you defined for the MS Mail mailbox (see fig. 16.19). Click the Send toolbar button, the first button at the far left of the toolbar depicting a moving envelope. Exit from the Exchange Client.

    Fig. 16.19 - The Exchange Client, connected to Exchange Server, with a message addressed to an MS Mail recipient. This message will be routed to MS Mail through the MS Mail (PC) Connector.

  2. Restart the Exchange Client using the profile you just created for an MS Mail mailbox. If you have set the option to select the profile when you start the Exchange Client, an excellent option for administrators, you see a Choose Profile dialog box like the one shown in figure 16.20.

    Fig. 16.20 - You can select a profile as you start the Exchange Client by choosing Tools, Options from the menu inside the Exchange Client and using the General tab. A profile defined for an MS Mail mailbox is being selected in this figure.

  3. Within a short period of time, the new message should appear. You can choose Tools, Deliver Now if you want. Double-click the message to open it.

  4. Click the Reply toolbar button and enter a reply. If you want, you can confirm who your return message is addressed to by double-clicking the name in the To list. A Properties dialog box similar to the one in figure 16.21 appears.

  5. Click OK to close the Properties dialog box. Click the Send toolbar button to send your message. Exit the Exchange Client.

    Fig. 16.21 - This figure depicts the Exchange Client, attached to an MS Mail mailbox, receiving and replying to a message from an Exchange Server recipient. This verifies that the MS Mail Connector is transferring mail from Exchange Server to MS Mail.

  6. Finally, restart the Exchange Client with the Exchange Server profile and confirm that you received the reply. Open the reply and double-click the name in the From list. You should see the properties page for the custom recipient you created earlier (see fig. 16.22).

Fig. 16.22 - A message from an MS Mail user with the properties page displaying the custom recipient definition for the sender.

You have now successfully created, configured, and tested the Microsoft Mail (PC) Connector. In the next section, you learn how to configure the Internet Mail Connector.

Configuring the Internet Mail Connector

The Internet Mail Connector (IMC) is a gateway capable of connecting Exchange Server sites to the Internet or any system that supports Simple Mail Transfer Protocol (SMTP). For successful operation, it depends on the use of Transmission Control Protocol/Internet Protocol (TCP/IP), which must be installed and configured before you configure the IMC. For most organizations, you will also need information about the Internet service provider you are using. In particular, you will need the IP address of the SMTP host that will service the IMC. If you are not familiar with your organization's TCP/IP configuration and the Internet service provider you are using, seek assistance from an administrator who is familiar with this subject matter before you continue.

Like the MS Mail (PC) Connector you just learned about, the Internet Connector requires a number of steps for proper installation. To ensure success, you should perform the steps in the order they are given. A complete discussion of the IMC and all its options is beyond the scope of this book. This section presents a basic configuration scenario suitable for small- to medium-sized organizations. If you require advanced configuration information, consult Chapter 11, "Using the Internet Mail Connector," in the Exchange Server Administrator's Guide.

The following steps are necessary to set up the Internet Mail Connector. Each one is covered in detail in the following sections.

  1. Gather information about the IP addressing used for your network. Find out if you use a Domain Name Service (DNS) to resolve IP addresses to their host names. Obtain the IP address(es) of any DNS servers. If you are not using DNS, find out who creates and controls the location and distribution of HOSTS files. Find out the domain name and host name for the computer on which you will create the IMC.

  2. Gather information about SMTP addressing and hosts. What is the SMTP address for your site? What are the IP address(es) of any SMTP hosts that will service the IMC?

  3. If it has not already been done, install and configure TCP/IP on the Windows NT server that will be used for the IMC and any additional servers on which it may be required.

  4. Add the IMC computer to the DNS or to the HOSTS file(s) if a DNS is not being used.

  5. Configure the IMC using its dialog box in the Exchange Administrator.

  6. Start the IMC service and test its operation.

See "Using TCP/IP with Windows NT Server," (Chapter 8)

See "Choosing an Internet Service Provider," (Chapter 10)

Update the DNS or HOSTS Files

When you have collected the necessary information regarding addressing, protocols, and hosts, you are ready to begin. If you are installing and using TCP/IP for the first time, see Chapter 8, "Using TCP/IP with Windows NT Server," for procedures to install and configure TCP/IP. Make sure that you have successfully configured your computers and that the method you have selected for IP address/name resolution is functioning. You should be able to use the TCP/IP diagnostic utility PING to bounce a packet off the SMTP host at your Internet service provider and your DNS servers (if any). You should be able to PING by IP address or host name.

If you use one or more DNS servers, you need to add the computer you will use for the IMC to the DNS servers. There are a variety of implementations for DNS. All of them are similar, but can contain slight variations. Consult a local expert or the administrator's guide for the DNS in use at your site to verify the exact syntax and options available. The following steps will serve as a guide and should work for most DNS servers. If your DNS is operated by your Internet service provider, discuss with them the appropriate information to update their DNS.

To add the server you will use for the IMC to your DNS, follow these steps (if you do not use DNS, see the later procedure for adding the IMC computer to your HOSTS files):

  1. Add an A (address) record that contains the IP address and Fully Qualified Domain Name of the IMC computer, together with the matching PTR (reverse lookup) record in the in-addr.arpa zone. For example, using a host name of infosrv2, a domain name of gasullivan.com, and a (sample) IP address of 111.11.11.11, the records for a typical DNS would look something like this:

    infosrv2.gasullivan.com.    IN  A    111.11.11.11
    11.11.11.111.in-addr.arpa.  IN  PTR  infosrv2.gasullivan.com.

  2. Add an MX (mail exchanger) record to specify each computer that will process mail for the site. This entry will contain the SMTP address for your site, as well as the IMC computer. If the SMTP address for the site is external2.gasullivan.com, the entry for a typical DNS would look something like this:

    external2.gasullivan.com.  IN  MX  10  infosrv2.gasullivan.com.

  3. If your entire organization uses the same IMC computer, the MX record would look like this:

    gasullivan.com.  IN  MX  10  infosrv2.gasullivan.com.

  4. Add an entry with the host and domain name and the IP address of the IMC computer.

To add the server you will use for the IMC to your HOSTS files, follow these steps (this is not necessary if you use DNS servers):

  1. A sample HOSTS file is included in the \WINNT\SYSTEM32\DRIVERS\ETC directory. You can update this file directly. It should be left in this location to function properly. It can be edited with Notepad or any text editor capable of editing standard text files.

  2. Add an entry with the host and domain name and the IP address of the IMC computer. For example, using a host name of infosrv2, a domain name of gasullivan.com, and a (sample) IP address of 111.11.11.11 the entry would look like this:

    111.11.11.11  infosrv2.gasullivan.com

You should now be able to PING the computer you will use as your IMC server by IP address or host name.
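As an added example (not from the book), the following Python script parses the zone-file and HOSTS fragments shown above, embedded here as constructed sample data using the same host names and sample address, and checks the consistency that inbound mail to a new IMC depends on: each MX names a host (not a bare IP address) that has an A record, each A record has a matching PTR, and the HOSTS file agrees with DNS.

```python
"""Consistency check for the DNS and HOSTS entries an IMC computer needs.

Added example, not part of the book. The zone and HOSTS text below are
constructed samples reproducing the records from the procedure above.
"""
import re
from collections import defaultdict

# Constructed sample zone fragment (same names and sample address as above).
ZONE = """
infosrv2.gasullivan.com.        IN  A    111.11.11.11
11.11.11.111.in-addr.arpa.      IN  PTR  infosrv2.gasullivan.com.
external2.gasullivan.com.       IN  MX   10  infosrv2.gasullivan.com.
gasullivan.com.                 IN  MX   10  infosrv2.gasullivan.com.
"""

# Constructed sample HOSTS file fragment.
HOSTS = """
# \\WINNT\\SYSTEM32\\DRIVERS\\ETC\\HOSTS (constructed)
127.0.0.1       localhost
111.11.11.11    infosrv2.gasullivan.com   infosrv2
"""


def fqdn(name):
    """Normalise a DNS name to lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Return a dict of record type -> list of (owner, rdata fields)."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        records[fields[2].upper()].append((fqdn(fields[0]), fields[3:]))
    return records


def reverse_name(ip):
    """Build the in-addr.arpa owner name that a PTR for this IPv4 address needs."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def parse_hosts(text):
    """Return a dict of fqdn -> ip from HOSTS file text."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop HOSTS comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[fqdn(name)] = ip
    return mapping


def check_imc_records(zone_text, hosts_text, mail_domains):
    """Return a list of problems found; an empty list means the entries are consistent."""
    problems = []
    zone = parse_zone(zone_text)
    a_records = {owner: rdata[0] for owner, rdata in zone["A"]}
    ptr_records = {owner: fqdn(rdata[0]) for owner, rdata in zone["PTR"]}
    hosts = parse_hosts(hosts_text)

    # Every mail domain needs an MX whose target is a host name with an A record.
    for domain in mail_domains:
        domain = fqdn(domain)
        mx_list = [rdata for owner, rdata in zone["MX"] if owner == domain]
        if not mx_list:
            problems.append(f"no MX record for {domain}")
        for rdata in mx_list:
            if len(rdata) != 2 or not rdata[0].isdigit():
                problems.append(f"malformed MX for {domain}: {' '.join(rdata)}")
                continue
            target = fqdn(rdata[1])
            if re.fullmatch(r"\d+(\.\d+){3}\.", target):
                problems.append(f"MX for {domain} points at an IP address, not a host name")
            elif target not in a_records:
                problems.append(f"MX target {target} has no A record")

    # Each A record needs a matching PTR, and HOSTS must not contradict DNS.
    for host, ip in a_records.items():
        rev = reverse_name(ip)
        if ptr_records.get(rev) != host:
            problems.append(f"no PTR {rev} -> {host}")
        if host in hosts and hosts[host] != ip:
            problems.append(f"HOSTS maps {host} to {hosts[host]} but DNS says {ip}")
    return problems


if __name__ == "__main__":
    domains = ["external2.gasullivan.com", "gasullivan.com"]
    for problem in check_imc_records(ZONE, HOSTS, domains):
        print("PROBLEM:", problem)
    print("check complete")
```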

Configuring the Internet Mail Connector

If the Internet Mail Connector has not been installed on your server, run the Setup program to add it. The Internet Mail Connector is installed by default when using the Enterprise Edition of Exchange Server, but the service is set to Manual startup, and it is not started. In this section, you learn how to configure the IMC so that it is ready to use.

To configure the IMC, follow these steps:

  1. Start the Exchange Administrator.

  2. In the container area (the left pane) of the display, find the site that will contain the Internet Mail Connector. Click the plus sign to the left of the site name to expand the display if it is not already open. Click the plus sign to the left of the Configuration object to expand its display.

  3. Highlight the Connections object. In the contents area, double-click the Internet Mail Connector object. The dialog box for the Internet Mail Connector will be displayed. Click the Internet Mail tab if it is not already displayed (see fig. 16.23).

    Fig. 16.23 - The Internet Mail tab of the dialog box for the IMC is used to select an administrator's mailbox for non-delivery report (NDR) notifications and to set message content options.

  4. Click Change and select a recipient to use for the administrator's mailbox. This mailbox will receive NDR notifications based on the options you set. Click OK to return to the Internet Mail tab. To set NDR notification options, click the Notifications button. The Notifications dialog box appears (see fig. 16.24).

    Fig. 16.24 - This dialog box is used to specify the types of NDR notifications you want to receive. For a new installation, you may want to select the always send notifications option during the initial shakedown period.

  5. Select the method the IMC should use to format the contents, or message bodies, of messages containing special formatting such as bold or italics, colors, fonts, attachments, or embedded OLE objects. These messages require 8-bit character data, often referred to as a binary file, rather than the 7-bit character data used by ASCII text files. Such files do not generally travel through the Internet undamaged. Some of the components making up the Internet were not designed to process 8-bit data.


    The IMC supports both MIME and UUEncode. Multipurpose Internet Mail Extensions (MIME) is the current standard for sending rich message types on the Internet. UUEncode (and UUDecode) are utilities designed originally for UNIX systems to prepare messages for transmission by converting them entirely to 7-bit data. The IMC and Exchange Server can automatically convert outgoing messages to either format and decode either format for incoming messages. You should probably use MIME as your default encoding scheme unless your organization exchanges messages primarily with other systems using UUEncode/UUDecode. Whatever option you select, it can be changed on a per-message basis by choosing File, Send Options from the menu after composing a message.

  6. Click the Connections tab (see fig. 16.25). In the Message Delivery box, you can specify whether outbound messages should be routed using DNS for resolution, or if all messages should be routed to the same host. If you are using an Internet service provider and all outbound SMTP addresses will be routed through a single host at your provider, select the option labeled Forward All Messages to Host and enter the IP address of the SMTP host in the text box.

    Fig. 16.25 - The Connections tab is used to define the connections between the IMC and other SMTP hosts.

  7. Click the Address Space tab (see fig. 16.26). Create address space entries for all e-mail addresses that will be routed through this connector. For example, if all SMTP messages will be routed through this connector, click the New Internet button and define an address containing a single asterisk (*), the multicharacter wildcard in address space names. This causes all messages addressed to SMTP recipients to be routed through this connector.

  8. Click OK to return to the Address Space tab. Then click OK again to save your selections and configure the IMC.

  9. A dialog box appears reminding you that you may not be completely done (see fig. 16.26). Before the IMC will receive messages, one or more SMTP hosts must be updated to forward mail to the IMC when it is addressed to recipients in your site or organization. One or more DNS servers may also need to be updated, as was discussed earlier. If you are using an Internet service provider, they will need to update configuration information at their site before you will receive incoming mail.

Fig. 16.26 - This informational dialog box appears after you define address space entries for the Internet Mail Connector.

Testing the Internet Mail Connector

Now you are ready to test the IMC. You will need the SMTP address of at least one recipient with Internet mail capabilities. This should not be a problem. With the explosion of interest in the Internet, many people now have their Internet addresses on their business cards. You must create a custom recipient in the directory using the Exchange Administrator or create an entry in your Personal Address Book.

Start the Exchange Client. Compose a message addressed to the new custom recipient and click the Send button. Now all you have to do is wait. You should either receive a reply or an NDR notification. If you receive an NDR, use the information provided to help diagnose what is not working properly. Look for the easy things first. Are you sure that the address was entered correctly? You can also enable the extensive logging and message tracking capabilities of Exchange Server to make sure that the appropriate routing is occurring within your organization. You might also consider using a link monitor to make sure that the connection between your site and your Internet service provider is remaining active.

See "Setting Up Custom Recipients," (Chapter 13)

See "Monitoring Your Site," (Chapter 15)

From Here...

In this chapter, you learned how to install, configure, and use Exchange Server's advanced security. You learned how to use the sophisticated security features of Exchange Server to safeguard sensitive information and ensure the integrity of your messages. You also learned how to connect your Exchange Server system to Microsoft Mail (PC) systems and the Internet.
