Bharat Suneja

Wednesday, June 24, 2009

Over the past few weeks, Windows 7 Release Candidate has been widely downloaded, used, praised (including by some very vocal critics), and loved. It's easy to fall in love with the Windows 7 user experience, and I don't just mean the lovely wallpapers and themes that are in stark contrast to the kind of visual content that's been generally packaged with Microsoft products in the past. You can see the images in A Little Bit of Personality on the Engineering Windows 7 blog. The Wall Street Journal's Nick Wingfield calls them "some of the most visually arresting background images ever to ship with a piece of software". More in This is Your Windows on Drugs on wsj.com.

Last night, Brandon LeBlanc revealed box shots and details of Windows 7 packaging on the Windows blog. Head over to Check out the New Windows 7 Packaging.

One of the Windows 7 features I love is called Direct Access. It's like the Outlook Anywhere version of VPNs.

Outlook Anywhere, AutoDiscover, and Microsoft Communicator: A Seamless Unified Communications Experience
Outlook Anywhere allows Outlook 2007 + Exchange 2007 users to seamlessly access their mailbox from outside (and inside) the corporate network. Yes, part of it is of course RPC over HTTP(S)— available in Exchange 2003, but another important piece that makes this experience so transparent to the user is AutoDiscover.

You get out of work (or work remotely), turn on your laptop, and if you have Internet access Outlook 2007 just works as if you were in your office. No VPN connections to establish, no wondering if the required ports are open on the firewall, no additional authentication prompts, and full Outlook access! Although Outlook Web Access has increasingly become more like a full-fledged email client, for many folks there's simply no replacement for the full blown functionality of Microsoft Outlook. With Office Communications Server 2007 implemented right, you can have a similar experience with Microsoft Communicator - seamless access to Instant Messaging, presence information, and the all-important ability to connect to the "voice world".

Yes, the voice world, still an inseparable part of our work lives. The ability to click and talk to a Contact is handy, and found in many free IM and telephony services such as Skype. However, what's more impressive and important for many— you can dial phone numbers and receive inbound phone calls on your work phone number, regardless of your location. You can check voicemail, and also redirect calls to another phone number. The voice quality is good enough that it's hard to tell if one's using an ordinary phone or a VoIP phone.

Direct Access: Extending the Anywhere Experience
Windows 7's Direct Access feature extends this Anywhere Experience. It allows you to access network resources on your corporate network, without having to establish a VPN connection. Now you can turn on your laptop, and if you have Internet access, you can access file shares on your corporate network, use client/server apps, and use RDP to connect to servers/computers "on the other side".

DirectAccess uses IPv6-over-IPSec to encrypt communication, and supports multifactor authentication mechanisms such as smart cards.

Besides the initial "Wow!" moment, which inevitably follows the first experience with Direct Access, the combined Anywhere Experience boosts productivity, and improves satisfaction levels of remote/mobile workers.

Steve Riley explains why it's one of his favorite Windows 7 features:



More about Direct Access in DirectAccess enhances mobility and manageability, or download Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2 for a more in-depth technical look.


Tuesday, June 09, 2009

 

User Self-Service: Message Tracking from OWA

Posted by Bharat Suneja at 11:08 AM
One of the things on top of my Exchange wish lists, and I'm sure on the Exchange wish lists of many Exchange folks, is allowing users to help themselves with common tasks such as managing Distribution Groups, and tracking the status of their own messages as I suggested in Message Tracking as part of OWA/Outlook (hard to believe this was posted in July 2005!).

Yes, Exchange has had Message Tracking for administrators, but this results in the waste of valuable IT resources when users call/e-mail/shout out (depending on location and position...) to ask why a particular message they were supposed to receive hasn't yet made it, or why someone never received a message they sent.

Exchange 2010 allows users to track their own messages using the Exchange Control Panel (ECP). Head over to Spotlight on Exchange 2010: Delivery Reports on the Exchange team blog for more info.

I'll gladly admit the final implementation of this feature is a lot better than the way I thought it should work 4 years ago. Allowing users to perform common tasks using easy-to-use web-based self-service options, using functionality found out-of-the-box in Exchange Server, should help you reduce administration costs and resources.

What's your take on these self-service features?


Monday, June 08, 2009

Apple's iPhone and new Mac hardware announcements are certainly going to get a lot more airplay today, but there's something Exchange users (who use Macs) will welcome. Snow Leopard, Apple's forthcoming Mac OS upgrade, adds Exchange Server support to the Mac.

From Phil Schiller's keynote at Apple's WWDC 2009, the following screenshot (courtesy Engadget) shows support for Exchange 2007's AutoDiscover web service, used to automatically configure Exchange clients such as Outlook 2007, and discover other Exchange services.



Recipients in the Global Address List (GAL) show up in the Address Book.



You can also drag a contact and drop it in the Calendar to schedule a meeting. Of course, Windows/Outlook users have been used to this functionality for a while.



More details as they're made public, although if you don't want to wait for Snow Leopard to arrive, take a look at Exchange Server features supported by Entourage 2008, the equivalent of Microsoft Outlook for the Mac, and a part of Office 2008 for Mac.


Tuesday, May 19, 2009

 

Microsoft responds to VMWare's FUD

Posted by Bharat Suneja at 12:48 AM
Much as I love blogging, I'm quite enjoying this unannounced break the past 3 weeks or so! A lot of interesting news, events (including TechEd 2009 in L.A.) and tidbits over the past weeks, and I'm sure you've kept up with it. (Incidentally, this also happened to be the first year in a long while when I actually took a break from TechEd!) What prompted me to end my unannounced break is the rather interesting turn the VMWare FUD has taken, with Microsoft's Jeff Woolsey, Principal Group Program Manager in the Windows Server Hyper-V team actually responding to VMWare on the Virtualization team blog.

Let's take a few steps back and look at the sequence of events.

Hyper-V Wows IT Pros and Critics Alike
It's no big secret that Microsoft's Hyper-V virtualization platform has wowed users and critics alike in its very first release. ZDNet's Mary-Jo Foley posted a review of the pre-release Hyper-V code (by Jason Perlow):
Even though Hyper-V is still pre-1.0 code, I think Microsoft has done a bang-up job with its hypervisor, and it may just turn this Linux freak into a Windows 2008 junkie for running his own personal virtualization needs. While VMWare's ESX is still superior on a number of fronts, including its aforementioned VMotion technology and its more powerful cluster management tools, Microsoft has certainly sent a major warning shot across its bow and the bows of the respective Linux vendors, as well.
More in Review: Microsoft's Hyper-V puts VMWare and Linux on notice on ZDNet.com.

InfoWorld's Randall C. Kennedy, who can never be accused of writing a kind word for Microsoft by any stretch of the imagination, calls Hyper-V a "technically sound, well-performing hypervisor..." in Test Center review: Microsoft's Hyper-V does the trick.

I've been using Hyper-V myself for a while now, and given how easy it is to deploy as a server role in Windows Server 2008, or as a standalone virtualization server using Hyper-V Server 2008, I'm admittedly a big fan and excited about where this train's headed.

Scott Drummonds' Video: VMWare FUD?
Back to the VMWare episode— On May 1, 2009, a video titled "Hyper-V Crashes in Consolidated Environments" was posted on YouTube by drummonds1974. The video, which seems to have been updated since then, leads with the following text:
On April 30, 2009, Microsoft TechNet and MSDN went down.
In 2008, Microsoft announced TechNet and MSDN migration to Hyper-V.
Are these two events related?
The video shows some VMs running on Hyper-V crashing, and the mystery voice-over informs you Hyper-V is running a workload "based on VMmark". VMmark, in case you aren't already familiar with it, is an "industry-standard" virtualization benchmark— developed by VMWare.

Of course, no technical details about the particular test or the scenario are provided in the video. Towards the end, drummonds1974 quips:
.. in one of our tests, we actually got the parent partition to crash, which brought down the entire server. Here's a bluescreen of that happening...
You can't be blamed for thinking "Perhaps a childish prank by a newbie sysadmin who just learnt a new trick or two?"

The final screen of the video boldly concludes: Consolidated workloads crash Hyper-V.

The video was posted by Scott Drummonds, Technical Marketing Manager at VMWare.

Microsoft responds
Jeff Woolsey responded to the video in Hyper-V Winning Daily/VMWare FUD Reaching New Heights. Excerpt:
The poster, who doesn't appear on the video, doesn't state what company he works for or provide any context. Gee, I wonder where he works.
and
On the Hyper-V team, we run thousands of stress tests per week and the stress tests we run are far more invasive than the test in this video. So, I consulted our Hyper-V Supportability Program Manager and dug deeper. I wanted to know if we've had any Hyper-V crashes reported. Here's what I found out.

Of the 750,000 downloads, we've had 3 reports of crashes under stress and with the same error code as seen in the video bugcheck (0x00020001). The solution in all three cases was to upgrade the server BIOS which solved the problem. This can happen as hypervisors interact very closely with hardware and BIOS updates generally include updated microcode for processors oftentimes to address errata.

In case you're wondering, VMWare has had similar crashes with older BIOSes as well. Here.
Round 2: Drummonds' non-response
May 15, 2009: (The timestamp can't be correct, because Woolsey's response to this post is actually dated May 9th... !) Back at VMWare, Scott Drummonds responds with Video on Hyper-V Crashes. Scott states:
..The video and descriptive text have raised more questions than answers.
Now if, like me, you watched the entire video about 5 times in an attempt to get any answers, then much as you would appreciate the conciseness of Drummonds' video, you found it devoid of any. Drummonds continues to bash Hyper-V in his response:
...the run rules were violated to make Hyper-V produce its best results...
Nice!

09 May 09 09:17: Over on the Virtualization team blog, Woolsey responds with Day Two of the Scott Drummonds VMWare FUD Fiasco. Rather than quote parts of it here, I'll let you read it and come to your own conclusion.

Of course, it doesn't end here!

Round 3: VMWare Responds, Again
May 14, 2009: VMWare's Bruce Herndon responds in Setting the Record Straight on the Hyper-V Video:
I am not exactly pleased to be writing on this particular subject in a public venue...
I can't help but comment here - Herndon is not exactly pleased about responding, but apparently, posting a public video on YouTube appears to be perfectly alright.
I had hoped that this whole kerfuffle would quickly die down, but it shows little sign of abating....
You hoped? Without any details forthcoming for two weeks while a colleague from product marketing amateurishly bashes a competitor's product? As Woolsey points out,
In the meantime, VMware Sales Staff emails customers and would be customers to "check out this video" and VMware senior architects Twitter to "check out this video on You Tube"
Herndon ends his post with:
In the mean time, we intend to focus on helping to build amazing rock-solid products that our competitors can’t yet imagine.
Needless to say, I'm truly amazed by the attitude and tone of VMWare's posts!

Rather than reproducing Herndon's post and commenting on every bit, I'll let you head over to the Virtualization team's response from 17 May 09 10:01: VMware FUD Fiasco Part 3....

All I can say is— it's not the VMWare I know, and certainly not the many fine folks who work at its Palo Alto headquarters (I'm super-impressed with their new campus.. every bit as cool as Google's!). Perhaps the pressure of having real competition to deal with changes things? As Jason Perlow pointed out not too long ago:
Hyper-V represents the first stage of the mass-commodization of hypervisor technology, and if this beta release is any indication, it’s going to be a rough ride ahead for Microsoft’s competitors.


Saturday, April 25, 2009

Earlier yesterday, Paul Thurrott and Rafael Rivera revealed a secret new feature in Windows 7— Windows XP Mode (XPM). XPM allows you to run Windows XP in a virtualized session, and includes a license for Windows XP SP3. As Thurrott & Rivera's blog post says:
Windows XP Mode dramatically changes the compatibility story for Windows 7 and, we believe, has serious implications for Windows development going forward.
Interestingly, XPM does not require you to run a separate desktop with Windows XP. Applications installed in the virtual environment are published to the Windows 7 host and shortcuts placed in the host's Start menu. Users can run Windows XP applications (installed in XPM) directly and transparently in Windows 7 desktop!

All I can say is— this is super cool! And although I haven't had a chance to try it out yet, it seems application compatibility is quickly headed to be a non-issue with Windows 7.

More details in Secret No More: Revealing Windows XP Mode for Windows 7 on Thurrott's SuperSite for Windows, and screenshots in Windows XP Mode for Windows 7 Screens.

Scott Woodgate confirmed it later in Coming Soon: Windows XP Mode and Windows Virtual PC on the Windows Blog.


Wednesday, April 22, 2009

If you have Microsoft Outlook 2007 installed on Windows Server 2008 (perhaps because you're also using a lab server as your workstation, or require Outlook for testing), when you start Outlook it complains about Windows Search service not being installed and that Outlook cannot provide fast search results when using the Instant Search feature.


Figure 1: Microsoft Outlook 2007 prompt indicating Windows Search service is not installed

Outlook also displays a clickable notification under the Instant Search box.


Figure 2: Microsoft Outlook 2007 notification to enable Instant Search

Clicking on the notification brings up the same dialog box shown in Figure 1.

In Online mode, Outlook 2007 uses Exchange Search for searching the mailbox - the mailbox is not cached locally.

In Cached Mode, it uses Windows Search service to index messages in the cached copy of your mailbox. Windows Vista includes Windows Desktop Search (WDS) out-of-the-box. Windows Server 2008 and Windows XP do not.

Of course, you can disable the prompt to enable Instant Search in Outlook by going to Tools | Options | Other tab | Advanced Options, and unchecking Show prompts to enable Instant Search. But if you live in a high-volume email environment and have a fairly large mailbox to show for it, Search is an invaluable tool!


Figure 3: Disabling the prompt to enable Instant Search in Outlook 2007

Install Windows Search service
To install the Windows Search service on Windows Server 2008, use the following command:

ServerManagerCmd -i FS-Search-Service

Or install it using the Server Manager console using the following procedure:
  1. Start Server Manager
  2. Click Roles in the navigation tree on the left
  3. Select Add Role in the Roles Summary section
  4. Select the File Services role and click next
  5. Select the Windows Search role service
After Windows Search is installed, when you click the notification in Outlook, it acknowledges Windows Desktop Search has been installed, and prompts you to restart Outlook to enable Instant Search.

Meanwhile, Windows Search indexes your email and documents in the background. If you use Instant Search before indexing is complete, it returns results from the messages it has already indexed, and notifies you of the number of items still to be indexed.


Wednesday, April 15, 2009

 

Released: Exchange 2010 Beta

Posted by Bharat Suneja at 6:00 AM
The word is out— the product hitherto known as E14 has hit the streets as Exchange 2010 beta! Download it here (Note: 64-bit only).

As Exchange CVP Rajesh Jha points out on the Exchange team blog (read 'Presenting Exchange 2010'), the latest and greatest version of Exchange Server is built from the ground up with Software + Services in mind, and is already being used by 5 million Outlook Live users! In case you missed it, Outlook Live is the free email service available to universities, formerly known as Exchange Labs.

The reviews are already pouring in:


Thursday, April 09, 2009

You've installed SSL certificates on previous versions of IIS more times than you care to remember. It's no rocket science - you create a certificate request, request the certificate from a Certification Authority, get the certificate and complete your certificate request.

Then there's IIS 7. Modularized. Optimized. Secure. You follow the same procedure as you did with previous versions of IIS. Create a certificate request, check. Get the certificate from a CA, check. Install the certificate, and that's where the familiarity ends. Instead of installing the certificate, IIS 7 throws up a cryptic error: There was an error while performing this operation. Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267).

Screenshot: Error installing SSL certificate on IIS 7
Figure 1: IIS 7's cryptic error when trying to install an SSL certificate

If you fire up the Certificates console (start a new MMC console | add Certificates snap-in | select the computer account), you'll see the certificate is indeed installed.

By default, IIS does not create a binding for HTTPS.


Figure 2: IIS 7's default site bindings

Add a binding for HTTPS
  1. In the Site Bindings window, click Add
  2. In the Add Site Binding window, select https from the Type: drop-down.
  3. Select an IP address (or optionally, leave All Unassigned selected if you want the site to bind to the specified SSL port on all IP addresses).
  4. From the SSL certificate: drop-down, select the certificate you want to use for the binding/web site.

    [Optional] You can click the View button to view the certificate and ensure you're selecting the right one.

    Figure 3: Creating a binding for https in IIS 7
  5. Click OK to close the Add Site Binding window.

Close the Site Bindings, start a browser, and test the web site using https.


Wednesday, March 25, 2009

Exchange 2007 brought with it a number of Exchange shell cmdlets that let you test Exchange functionality (scroll down to the end of this post for a list of the test cmdlets). But how do you test Exchange services are actually available and usable from the Internet?

Have you longed for an Exchange cmdlet like Test-ExchangeConnectivity which could test your Exchange services such as Outlook Anywhere, AutoDiscover, Exchange ActiveSync, and SMTP from outside your firewall?



Now there is! Exchange Remote Connectivity Analyzer is a web-based service that lets you test Exchange functionality and availability from the Internet. Best of all— it's free!

Exchange Remote Connectivity Analyzer answers your Exchange operations questions, such as:
  1. Can my Exchange server receive inbound Internet/SMTP email?
  2. Can my Outlook Anywhere (aka "RPC over HTTP" in Exchange 2003) clients connect from outside the firewall?
  3. Can my mobile users connect using Exchange ActiveSync phones/devices?
  4. Does AutoDiscover work for Outlook 2007 clients?
  5. Does AutoDiscover work for Exchange ActiveSync clients?
  6. Are the certificates used for these services valid?
Head over to Exchange Remote Connectivity Analyzer at testexchangeconnectivity.com. More details, and a great video, in Announcing the release of Exchange Server Remote Connectivity Analyzer on the Exchange team blog.

Exchange 2007's Built-In Test Cmdlets
Here's a list of Exchange 2007 Test Cmdlets. Although these test cmdlets aren't intended to replace full-fledged monitoring software or diagnostics systems, they do allow you to test a lot of Exchange functionality quickly and easily, without having to fire up a console or browser!
  1. Test-ActiveSyncConnectivity: Lets you test ActiveSync synchronization
  2. Test-EdgeSynchronization: Test EdgeSync status of subscribed Edge Transport servers, including whether a specified recipient is synchronized
  3. Test-ExchangeSearch: Test Exchange Search status/health for a specified server or individual mailbox.
  4. Test-ImapConnectivity: Test IMAP functionality on a Client Access Server
  5. Test-IPAllowListProvider: Test if an IP address is listed in an IP Allow List Provider (a DNS-based list, think of it as the opposite of an IP Block List Provider or RBL)
  6. Test-IPBlockListProvider: Test whether an IP address is listed in an IP Block List Provider (aka RBL)
  7. Test-Mailflow: Test mailflow, including mail submission, transport, and delivery, from the System Mailbox on an Exchange Server to another Exchange Server or specified email address
  8. Test-MAPIConnectivity: Test MAPI connectivity to an Exchange server or a specified mailbox. A MAPI logon is performed. This test will also create a mailbox in the MDB for those freshly created/enabled mailboxes that haven't been logged on to.
  9. Test-OutlookWebServices: Test AutoDiscover configuration for Outlook 2007.
  10. Test-OwaConnectivity: Test connectivity to Outlook Web Access, including certificate validation.
  11. Test-PopConnectivity: Test POP3 connectivity for a specified Client Access Server
  12. Test-ReplicationHealth: Test the health of Continuous Replication
  13. Test-SenderId: Test SenderID status for a specified IP Address (the sending host) and domain.
  14. Test-ServiceHealth: Test the status of services set to start automatically.
  15. Test-SystemHealth:
  16. Test-WebServicesConnectivity:


Tuesday, March 24, 2009

 

Internet Explorer 8 and OWA: Where Are The Images?

Posted by Bharat Suneja at 10:49 AM
Internet Explorer 8 was released last week at MIX09. It's likely many users may already be running either the RTM version or one of the earlier betas.

IE 8 is more secure than previous versions (see Stay Safer Online for a list of IE8's security features), including some of the default settings. Here's one of those changes and how it may impact your OWA users (and potentially result in a helpdesk call).

A user gets an HTML message with images. When viewing the message in OWA, the user sees missing images, as shown below:

Screenshot: An HTML message with missing images in Outlook Web Access
Figure 1: An HTML message rendered in OWA with missing images

Instead of this:

Screenshot: An HTML message with images in Outlook Web Access
Figure 2: HTML message with images rendered in OWA

Is that the web beacon and form filtering feature of OWA 2007 at work?

OWA 2007: Web beacon and form filtering

Web beacons (aka "web bugs") are very small, transparent image files in web pages and HTML email. These 'invisible' images are commonly used by web sites to track visitors, along with cookies. When you inadvertently download such an image in an HTML email message, it calls home and tells Mr. Spammer: "I made it! The email address is valid, and someone even viewed the message!"

In Exchange 2007, OWA blocks web beacons, and displays the following prompt inline in the information bar (where header information such as subject, sender, recipient, and timestamp are displayed).


Figure 3: The web beacon and form filtering feature displays a prompt in the information bar to allow user to unblock content

If users determine the message is from a trusted sender and safe to open, they can unblock the blocked content by clicking on the "Click here" link in the information bar (highlighted in Figure 3 above).

Web beacon and HTML form filtering behavior can be controlled for an OWA virtual directory. Use the Set-OwaVirtualDirectory cmdlet to toggle the FilterWebBeaconsAndHtmlForms property, as shown in How to Control Web Beacon and HTML Form Filtering for Outlook Web Access.

But you don't see the familiar click here link in the message!

The Tale of The Two Prompts
You're accessing OWA (or any other web page for that matter) over a secure HTTPS session. The page has images or other unsecure content (not unsecure as in malicious content, but the content is accessed using HTTP) it wants the browser to display. The first time the browser faces this scenario, it sends alarm bells ringing. It warns you, the user almighty, and asks you what you wish to do.

You may even remember the IE prompt— even if vaguely so. Yes, the one you dismissed by clicking the "Yes" button, without giving it any thought? After all, what harm could a lowly web page do to your highly secure computer?

In IE8, the prompt has been reworded, and the choices reordered. Here's what the shiny new prompt looks like.

Screenshot: Internet Explorer 8 prompt when accessing insecure content over a secure session
Figure 4: Security warning in Internet Explorer 8, clearly informing users about blocked content, and the potential security impact of displaying such content

As you can see, users instinctively clicking the "Yes" button continue to be protected by Internet Explorer 8. They do not end up in an insecure state! Moreover, the dialog is clearer and more informative, compared to the one found in previous versions of IE. Here's the dialog from IE 7:

Screenshot: Internet Explorer 7 prompt when accessing insecure content over a secure session
Figure 5: The 'Security Information' prompt in Internet Explorer 7, prompting users about nonsecure items
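
An added example (not from the original post, and not how OWA or IE8 implement their checks): a heuristic Python audit of an HTML message body that lists the remote images, likely web beacons and forms that OWA's filter is concerned with, plus the http:// subresources that would trigger the browser's mixed-content prompt when the message is viewed in an HTTPS OWA session. The sample message, its hostnames and the size/visibility heuristics are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML message body (not taken from the original post).
SAMPLE_MESSAGE = """\
<html><body>
<p>Spring sale starts today!</p>
<img src="http://cdn.example.com/banner.png" width="600" height="120">
<img src="https://track.example.net/o.gif?rcpt=user%40contoso.example" width="1" height="1">
<img src="http://track.example.net/p.gif?id=42" style="display: none">
<img src="cid:logo@contoso.example" width="80" height="40">
<form action="http://forms.example.org/signup" method="post">
<input type="text" name="email"></form>
</body></html>
"""


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    return int(text) if text.isdigit() else None


class MessageAudit(HTMLParser):
    """Collects the content a web beacon / form filter would care about."""

    def __init__(self):
        super().__init__()
        self.remote_images = []   # images fetched from a remote server when rendered
        self.beacons = []         # remote images that are 1x1 (or smaller) or hidden
        self.forms = []           # action URL of every HTML form in the message
        self.mixed_content = []   # http:// subresources inside an HTTPS session

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self.forms.append(attr.get("action", ""))
            return
        if tag not in ("img", "script", "iframe"):
            return
        src = attr.get("src", "")
        scheme = urlparse(src).scheme.lower()
        if scheme not in ("http", "https"):
            return  # cid: and data: parts travel with the message itself
        if scheme == "http":
            self.mixed_content.append(src)
        if tag == "img":
            self.remote_images.append(src)
            width = _pixels(attr.get("width", ""))
            height = _pixels(attr.get("height", ""))
            tiny = (width is not None and height is not None
                    and width <= 1 and height <= 1)
            style = attr.get("style", "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.beacons.append(src)


def audit_message(html):
    """Return the findings for one HTML message body as a dict of lists."""
    audit = MessageAudit()
    audit.feed(html)
    audit.close()
    return {
        "remote_images": audit.remote_images,
        "beacons": audit.beacons,
        "forms": audit.forms,
        "mixed_content": audit.mixed_content,
    }


if __name__ == "__main__":
    for category, items in audit_message(SAMPLE_MESSAGE).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

Ordinary visible images fetched over http:// (the banner here) are not beacons, yet they are exactly what produces the missing-images symptom once the browser blocks nonsecure content.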
