Monitoring Exchange Server 2010 : Debugging Network Connectivity (part 3)

6. Testing Messaging Application Programming Interface (MAPI) Connectivity

MAPI is a messaging architecture and Component Object Model designed by Microsoft and based on the Application Programming Interface for Microsoft Windows. It allows client programs to become email messaging enabled or aware by calling MAPI subsystem routines that interface with messaging servers. While MAPI is designed to be protocol independent, it is usually used with the RPC protocol. MAPI/RPC is the proprietary protocol that Microsoft Outlook uses to communicate with Microsoft Exchange and is usually termed the MAPI protocol. MAPI uses a negotiated dynamic port (above 1024). RPC uses port 135.

The MAPI version that ships with Exchange Server 2010 and Microsoft Office Outlook is sometimes known as Extended MAPI. It allows complete control over the messaging system on the client computer, creation and management of messages, management of the client mailbox, and so on. Extended MAPI includes facilities to access message transports, message stores, and directories.

You can use commands based on the Test-MapiConnectivity EMS cmdlet to test MAPI connectivity and verify server functionality. You use the Identity parameter to specify a logon mailbox. The SystemMailbox is used if you do not include the Identity parameter. The cmdlet retrieves a list of items in the Inbox. Logging on to the mailbox tests two protocols used when a client connects to a Mailbox server: MAPI and Lightweight Directory Application Protocol. During authentication, the Test-MapiConnectivity cmdlet verifies that the MAPI server, Exchange store, and Directory Service Access (DSAccess) service are working.

Commands based on the Test-MapiConnectivity cmdlet log on to the specified mailbox using the credentials of the account with which you are logged on to the local computer. After successful authentication, the command accesses the mailbox to verify that the database is working. Note that you do not run the Test-MapiConnectivity cmdlet against the Client Access server. This cmdlet must be run against the Mailbox server.

The Test-MapiConnectivity cmdlet supports the Database parameter. This parameter specifies a mailbox database identity so that the command can test whether it is possible to log on to the system mailbox on the specified database. The cmdlet also supports the Identity parameter, which specifies a mailbox identity so that the command can test whether it is possible to log on to a specific mailbox. The Server parameter specifies a server identity and tests whether it is possible to log on to each system mailbox on the specified server.

For example, the following command tests MAPI connectivity to the system mailboxes in each mailbox database on the Mailbox server VAN-EX1 and returns detailed results:

Test-MapiConnectivity -Server VAN-EX1 | FL

Figure 4 shows the output of this command.

The following command tests MAPI connectivity to the system mailbox in the mailbox database Research and returns detailed results:

Test-MapiConnectivity -Database Research | FL

The following command tests MAPI connectivity to the Don Hall mailbox in the Adatum.com domain and returns detailed results:

Test-MapiConnectivity -Identity "adatum\Don Hall" | FL

7. Testing EWS and Outlook Anywhere

The EWS-managed API provides a managed interface for developing client applications that use EWS. This API communicates with the Exchange Client Access server by means of EWS Simple Object Access Protocol (SOAP) messages.

EWS uses standard industry protocols that provide interoperability between servers and client applications. SOAP XML messages provide the communication between the computer that is running Exchange Server 2010 and web services client applications. The following changes and enhancements are included in Exchange Server 2010 EWS:

• Distribution Lists are renamed Contact Groups.

• The FindItems interface is redesigned.

• The Autodiscover implementation supports DNS SRV record lookup.

• The notifications interface is redesigned.

• New methods have been added for getting and setting free or busy information.

Note:

EWS is a developer tool. As such, it is unlikely to be tested in the 70-662 examination. You should, however, know how to verify EWS functionality as described in this section.

Outlook Anywhere enables Microsoft Office Outlook clients to connect to their Exchange servers over the Internet by using the RPC-over-HTTP networking component. It integrates RPCs with an HTTP layer and allows email traffic to traverse network firewalls without requiring RPC ports to be opened. To deploy Outlook Anywhere in your Exchange messaging environment, you need to enable at least one Client Access server by using the Enable Outlook Anywhere Wizard.

You can use the Enable Outlook Anywhere Wizard on an Exchange Server 2010 Client Access server to allow a user to connect to his or her Exchange mailbox from the Internet. Outlook Anywhere eliminates the need for mobile users or users in remote offices or to use a virtual private network to connect to Exchange servers.

Outlook Anywhere is enabled on your Client Access server after a configuration period of approximately 15 minutes. To verify that Outlook Anywhere has been enabled, you can check the application event log on the Client Access server. Before you can use Outlook Anywhere, you need to do the following:

• Install a valid SSL certificate from a certification authority trusted by the client.

• Install the Microsoft Windows RPC-over-HTTP Proxy component (if this not installed by default).
  

• Enable Outlook Anywhere on the Client Access server.

THE DEFAULT SSL CERTIFICATE IS NOT SUFFICIENT FOR OUTLOOK ANYWHERE

When you install Exchange Server 2010, you can install a default SSL certificate created by Exchange Setup. However, this certificate is not trusted by the client. To use Outlook Anywhere, you must install an SSL certificate that is trusted by the client.

If you use Outlook Anywhere, you must allow port 443 through your firewall because Outlook Anywhere requests use HTTP-over-SSL. If you already use Outlook Web App (OWA) with SSL or Exchange ActiveSync with SSL, you do not need to open any additional ports from the Internet. By default, when you enable Outlook Anywhere on a Client Access server, all users who have mailboxes on Mailbox servers are enabled for Outlook Anywhere.

• GetFolder

• CreateItem

• DeleteItem

• SyncFolderItems

However, if you specify the LightMode parameter in the command, only the GetFolder operation is tested.

By default, the test runs on the Client Access server on which the command is entered. However, you can use the ClientAccessServer parameter to specify a remote Client Access server in the same Exchange organization. As with other test cmdlets described earlier in this lesson, you can use the MailboxServer and MailboxCredential parameters to test connectivity to a specific Mailbox server or to a specific user mailbox. The MonitoringContext parameter specifies whether the test result is passed to System Center Operations Manager 2007. If this parameter is set to a value of $false, the test result appears only on the command line.

The Timeout parameter specifies the amount of time, in seconds, allowed for the test operation to finish. The default value for the Timeout parameter is 300 seconds. The time-out value you specify must be greater than 0 seconds. Microsoft recommends configuring this parameter with a value of 5 seconds or greater.

The ResetTestAccountCredentials parameter resets the password for the test account used to run Test-WebServicesConnectivity commands. This is typically reset every seven days. When the ResetTestAccountCredential parameter is used, a password reset is forced any time it is required for security reasons. You can specify whether a secure SSL channel is required or whether the test can run over an unsecured channel by using the AllowUnsecureAccess switch parameter. If the test runs over a secure channel, the TrustAnySSLCertificate parameter allows it to use any SSL certificate available.

The UseAutodiscoverForClientAccessServer parameter specifies whether the test uses the Autodiscover service to locate the Client Access server. The Autodiscover service configures client computers that are running Outlook 2007 or Outlook 2010. The service can also configure supported mobile devices. It provides access to Exchange Server 2010 features for Outlook clients that are connected to the Exchange Server 2010 messaging environment. The service enables clients to automatically connect to features, such as the Outlook Address Book (OAB), the Availability service, and Unified Messaging (UM). The service uses the user’s email address and password to provide profile settings to Outlook clients and supported mobile devices. If the Outlook client is joined to the domain, the user’s domain account credentials are used.

The following command tests Web services continuity for the Getfolder operation between the Client Access server on which it is entered and all mailboxes in the same Exchange organization. The test operates over a secure channel authenticated by any available SSL certificate; if a secure channel cannot be established, the command attempts to test connectivity over an insecure channel:

Test-WebServicesConnectivity -LightMode:$true -TrustAnySSLCertificate:$true
-AllowUnsecureAccess:$true | FL

Figure 5 shows the output from this command.

                                                                                              Figure 5. Testing web services connectivity

You can use commands based on the Test-OutlookWebServices EMS cmdlet to verify that the Autodiscover settings for Microsoft Outlook are configured correctly. This cmdlet supports an Identity parameter that can specify any valid email address in the forest, and this address is used to test the Outlook provider. It is typically an SMTP address, but you can specify the domain and user name or an Active Directory GUID, and the command resolves this information to an SMTP address. The TargetAddress parameter specifies the recipient used to test whether Availability service data can be retrieved.

Typically, commands based on this cmdlet run against the Client Access server on which they are entered, but, as with previously described cmdlets, you can use the ClientAccessServer parameter to specify the Client Access server that the client accesses. The MonitoringContext parameter specifies whether the results of the command include monitoring events and performance counters. If you specify this parameter with the value $true, the test results include monitoring events and performance counters in addition to information about the MAPI transaction.

The following command verifies the service information returned to the Outlook client from the Autodiscover service for the user DonHall@adatum.com:

Test-OutlookWebServices -Identity:DonHall@adatum.com -MonitoringContext:$true | FL

					  

The above command tests the following:

• The Availability service

• Outlook Anywhere

• The OAB

• UM

Figure 6 shows the output from this command.