Client Access Server

A thin, stateless front end server that provides a unified namespace, authentication, and network security as well as proxy and redirection logic. Transport is provided by the Front End Transport service, which provides locator services. In addition, the Client Access server:
• Houses the logic to proxy or redirect a specific protocol request from a client to the correct Mailbox server
• Is designed to work with TCP affinity (Layer 4); it does not require session affinity (Layer 7)
• Provides an SMTP Front End proxy and a UM call router
• Handles all inbound and outbound external SMTP traffic via the Front End Transport service and provides a client endpoint for SMTP traffic

The Client Access server provides network security functionality such as Secure Sockets Layer (SSL) and client authentication, and manages client connections through redirection and proxy functionality. The Client Access server authenticates client connections and, in most cases, will proxy a request to the Mailbox server that houses the currently active copy of the database that contains the user's mailbox. In some cases, the Client Access server might redirect the request to a more suitable Client Access server, either in a different location or running a more recent version of Exchange Server.

Client Access Protocols

Outlook Connectivity
In Exchange 2013, RPC/TCP has been removed and Outlook mailbox connections take place via Outlook Anywhere (RPC over HTTP). This provides several benefits:
• Simplifies the protocol stack
• Provides a reliable and stable connectivity model
• Maintains the RPC session on the Mailbox server that hosts the active copy of the user's mailbox, thereby eliminating the need for the RPC Client Access Array and its namespace

MAPI over HTTP is a new communication protocol available in Exchange 2013 SP1 and Outlook 2013 SP1 and later. It improves the reliability and stability of Outlook and Exchange connections by removing the dependency on RPC. This allows a higher level of visibility of errors and enhanced recoverability due to the overall reduction in complexity. Additional functionality includes support for explicit pause-and-resume, which enables supported clients to change networks or resume from hibernation while maintaining the same server context.

Outlook Web App
• Redesigned for Exchange 2013
• New user interface that focuses on content
• Supports all major Web browsers
• Enhanced contacts and calendaring functionality including Agenda view
• New Offline Mode
• Three views for Outlook Web App in the browser:
  o Phone view (1-column touch UI)
  o Tablet view (2-column touch UI)
  o Traditional Desktop view (3-column mouse-based UI)
• Inline reply for Desktop view
• Extensibility improvements: apps, such as the Bing Maps app for Outlook, add features to the overall experience

Exchange ActiveSync
• Allow/Block Quarantine List
• Approved device list (by device type or by user)
• Block an unsupported device
• Quarantine and notify
• Configure multiple mobile device mailbox policies
• PIN policies and local device wipe
• Remote device wipe

Exchange Web Services
• Exchange Web Services (EWS) provides the functionality to implement client applications that access and manipulate Exchange store items
• EWS provides programmatic access to the data stored within Exchange
• EWS clients can integrate Exchange information into line-of-business (LOB) applications
• SOAP provides the messaging framework for messages sent between the client application and the Exchange server
• The Managed API provides an easy way to use the Microsoft .NET interface with EWS
AutoDiscover: Helps external applications discover the Exchange Client Access server endpoints
Authentication: OAuth authentication is used to authenticate trusted applications and impersonate users

Edge Subscriptions
Run once to establish and then automatically configure Send and Receive connectors to route email to and from the Exchange organization and the Internet. The Microsoft Exchange EdgeSync service pushes Edge Transport information from Active Directory to the AD LDS instance on the Edge Transport server using secure LDAP.

Edge Transport Server
Edge Transport servers minimize the attack surface by handling all Internet-facing mail flow, which provides SMTP (Simple Mail Transfer Protocol) relay and smart host services for your Exchange organization. Edge Transport servers are installed in a perimeter network, and are never a member of your organization's internal Active Directory forest. However, the Edge Transport server requires data that resides in Active Directory. This data is synchronized to the Edge Transport server by the Microsoft Exchange EdgeSync service (EdgeSync). EdgeSync is a collection of processes on an Exchange 2013 Mailbox server to establish one-way replication of recipient and configuration information from Active Directory to the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server. EdgeSync performs scheduled updates so the information in AD LDS remains current.

Diagram (Exchange Integration with Unified Messaging, Lync and SharePoint): Phone and PSTN connect over TDM to a PBX with IP Gateway or to a Mediation Server and Lync Server, which use SIP/SIP Secured (TCP 5060/5061 to the Client Access server UM call router, TCP 5062/5063 to the Mailbox server) and RTP/SRTP for media; Active Directory is queried over LDAP (TCP 389); the SharePoint Site and SharePoint eDiscovery Center use AutoDiscover, OAuth Authentication, eDiscovery and Hold using EWS, and REST API sync; users add or update photos through Outlook Web App; a DNS MX record directs Internet mail to the Edge Transport server.

PowerShell and Management
• Exchange Server 2013 takes advantage of Windows Management Framework 3.0, which includes PowerShell v3.0 and Windows Remote Management
• All Exchange management tools are built on Remote PowerShell
• Remote PowerShell extends PowerShell from servers to client computers so commands can be executed remotely
• Remote PowerShell enables administrators to run Exchange cmdlets on computers without needing to install Exchange management tools

Role Based Access Control
Role Based Access Control (RBAC) enables you to control, at both broad and precise levels, what administrators and users can do. RBAC also enables you to more closely align the roles you assign users and administrators with the actual roles they hold within your organization. RBAC is built into all management tools. Configuration is done using Exchange management tools, with dozens of default roles pre-configured and easily customizable.
Role (What): Defines what can be done by a set of cmdlets and parameters that can be run.
Scope (Where): Defines the objects in Active Directory that the Role can act on.
Role Assignee (Who): A user, USG, role assignment policy, or role group to which a role and scope are applied.
Three ways of assigning permissions:
• Management Role Groups
• Management Role Assignment Policies
• Direct User Role Assignment
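The Remote PowerShell and RBAC sections above describe the three parts of an assignment (Role, Scope, Role Assignee) and the preferred assignment method (role groups). The following is an added example, not part of the original poster, of what a security engineer does with them: connect over Remote PowerShell, audit who effectively holds the high-privilege built-in roles, then build a least-privilege custom role. The connection URI, the Sales department filter, the role and group names and the member account are hypothetical.

```powershell
# Added example (not from the original poster). Assumes Exchange 2013 and an
# account that already holds a role allowing RBAC management; the URI,
# filter, names and member below are hypothetical.

# 1. Remote PowerShell: no Exchange tools are installed locally. Cmdlets are
#    proxied over HTTPS to the /PowerShell virtual directory on a CAS, and
#    RBAC decides which cmdlets and parameters this session even sees.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://mail.contoso.com/PowerShell/' `
    -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

# 2. Audit: who can impersonate users, search or export mailboxes, or change
#    RBAC itself? -GetEffectiveUsers expands role groups and USGs to the
#    individual accounts that end up with the role.
$sensitiveRoles = 'ApplicationImpersonation', 'Mailbox Search',
                  'Mailbox Import Export', 'Role Management'
$assignments = foreach ($role in $sensitiveRoles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeType, RoleAssigneeName, EffectiveUserName,
                      RecipientWriteScope, CustomRecipientWriteScope
}
$assignments | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# 3. Least privilege using all three RBAC parts.
#    Scope (Where): the role may only touch recipients in the Sales department.
New-ManagementScope -Name 'Sales Recipients' `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

#    Role (What): a child of the built-in Mailbox Search role. Child roles
#    can only lose entries, never gain them, so remove the cmdlets that
#    create or delete searches and inspect what remains.
New-ManagementRole -Name 'Sales Search Viewer' -Parent 'Mailbox Search'
Get-ManagementRoleEntry 'Sales Search Viewer\*' |
    Where-Object { $_.Name -like 'New-*' -or $_.Name -like 'Remove-*' } |
    ForEach-Object { Remove-ManagementRoleEntry "Sales Search Viewer\$($_.Name)" -Confirm:$false }
Get-ManagementRoleEntry 'Sales Search Viewer\*' | Format-Table Name, Parameters -AutoSize

#    Role Assignee (Who): a management role group, the recommended method;
#    the custom write scope restricts the group's assignment to Sales.
New-RoleGroup -Name 'Sales eDiscovery Viewers' `
    -Roles 'Sales Search Viewer' `
    -CustomRecipientWriteScope 'Sales Recipients' `
    -Members 'alice@contoso.com'

# 4. Verify the resulting assignment, then drop the session.
Get-ManagementRoleAssignment -RoleAssignee 'Sales eDiscovery Viewers' |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope
Remove-PSSession $session
```

The audit in step 2 is worth scheduling: ApplicationImpersonation and Mailbox Import Export are the roles most often granted "temporarily" to service accounts and never revoked, and both give full read access to other users' mail.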
Exchange Integration with Unified Messaging, Lync and SharePoint

Integrating Voice in Your Exchange Organization
There are three types of voice integration with Unified Messaging:
• With a legacy PBX and VoIP gateway. The VoIP gateway translates TDM protocols to VoIP protocols
• With an IP enabled PBX (IP PBX). The IP PBX translates the TDM protocols to VoIP protocols
• With Lync Server. An advanced IP gateway and Mediation server translate the TDM protocols into VoIP protocols
• AutoDiscover to determine CAS endpoints

Lync Archiving
• Archives Lync 2013 conversations and meetings in Exchange 2013
• OAuth authentication
• Archive conversations using EWS
• Compliance management (Hold and eDiscovery) of Lync content using Exchange 2013
• Unified Contacts Store, with Lync 2013 contacts stored in the Exchange 2013 mailbox

SharePoint eDiscovery Center
• Perform eDiscovery searches across SharePoint 2013 sites, documents, and file shares; Exchange Server 2013 mailboxes; and Lync 2013 archived conversations and meetings stored in Exchange 2013
• Place an In-Place Hold on Exchange 2013 mailboxes and SharePoint 2013 sites
• OAuth authentication (service and user impersonation)
• Uses Exchange 2013 Role-Based Access Control (RBAC) permissions for eDiscovery searches from SharePoint 2013
• Multi-Mailbox Search API to search mailbox content
• Preview search results
• Export eDiscovery search results (from Exchange) to PST file(s) with appropriate metadata stored in EDRM XML

Site Mailboxes
• Functionally comprised of SharePoint 2013 site membership (owners and members), shared storage through an Exchange 2013 mailbox for email messages and a SharePoint 2013 site for documents, and a management interface that addresses provisioning and lifecycle needs
• OAuth authentication (service and user impersonation)
• Site Mailboxes provisioned and managed from SharePoint 2013
• SharePoint Team Site documents displayed in Site Mailboxes in Outlook 2013
• Inbox messages can be read from SharePoint 2013
• REST (Representational State Transfer) API used to synchronize updates from SharePoint to the Site Mailbox over HTTPS

User Photos
• SharePoint 2013, Lync 2013 client, and Outlook 2013 use the Outlook Web App Options page to add or update user photos
• High-resolution user photos are stored in the Exchange 2013 mailbox; low-resolution user photos are stored in Active Directory
• User photos are accessed by Outlook Web App, Outlook, SharePoint 2013, and Lync 2013

Transport Architecture

Front End Transport Service
The Front End Transport service on the Client Access server proxies incoming and outgoing SMTP message traffic. The Front End Transport service quickly selects a single healthy Mailbox server to receive an incoming SMTP message transmission regardless of the number, type, or location of the message recipients.

Message transmissions between the Transport service on different Mailbox servers occur when the Mailbox servers are in different delivery groups. A delivery group is a way to generalize mail routing to help improve efficiency and attempt to deliver a message as close to its destination as possible. A delivery group could be:
• A database availability group
• An Active Directory site
• A connector source server
• A distribution group expansion server

A Send connector on the Mailbox server is specifically configured to route outbound mail through the Client Access server.

If the Client Access and Mailbox server roles are not co-located, Edge Transport servers bypass the Client Access server and communicate directly with the Transport service on the Mailbox server.

Diagram: External clients and servers (Outlook Web App, Outlook, Exchange ActiveSync, Exchange Admin Center, POP | IMAP, SMTP, SBC | SIP, PowerShell) reach the Client Access servers through a load balancer; each Client Access server hosts IIS (HTTP Proxy), Front End Transport, Unified Messaging, and POP/IMAP. Front End Transport pipeline: SMTP Receive, Protocol Agents, Selector (MA – Managed Availability), SMTP Send. Ports: external SMTP TCP25 and TCP587; from the Mailbox server TCP717.
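The Transport Architecture and Edge Subscriptions sections describe three paths a practitioner should verify rather than assume: outbound mail proxied through the Client Access server, the Front End Transport and Transport service listeners, and EdgeSync keeping the perimeter AD LDS instance current. The following is an added example, not part of the original poster, that checks all three and flags any Receive connector that grants anonymous relay. The Send connector name 'Outbound to Internet' is hypothetical; the cmdlets and properties are Exchange 2013's own.

```powershell
# Added example (not from the original poster). Assumes the Exchange
# Management Shell on an Exchange 2013 server. 'Outbound to Internet' is a
# hypothetical Send connector name; the Receive connectors are whatever exists.

# 1. Outbound path: Send connectors on the Mailbox server should proxy
#    through the CAS Front End Transport service so the Mailbox server is
#    never the host that talks to the Internet. Show the TLS posture too.
Get-SendConnector |
    Select-Object Name, FrontendProxyEnabled, RequireTLS, TlsAuthLevel,
                  @{n='SmartHosts';    e={ $_.SmartHosts -join ',' }},
                  @{n='AddressSpaces'; e={ $_.AddressSpaces -join ',' }},
                  @{n='SourceServers'; e={ $_.SourceTransportServers -join ',' }} |
    Format-Table -AutoSize

if (Get-SendConnector -Identity 'Outbound to Internet' -ErrorAction SilentlyContinue) {
    Set-SendConnector -Identity 'Outbound to Internet' -FrontendProxyEnabled $true
}

# 2. Inbound path: TransportRole FrontendTransport connectors belong to the
#    CAS (TCP 25/587 externally, 717 for the outbound proxy); HubTransport
#    connectors belong to the Transport service on the Mailbox server
#    (TCP 2525 when the roles are co-located). Who may submit is decided by
#    AuthMechanism and PermissionGroups, so list them side by side.
Get-ReceiveConnector |
    Select-Object Server, Name, TransportRole, RequireTLS, AuthMechanism, PermissionGroups,
                  @{n='Bindings'; e={ $_.Bindings -join ',' }} |
    Sort-Object Server, TransportRole | Format-Table -AutoSize

# 3. Open-relay check. A connector that grants ANONYMOUS LOGON the
#    ms-Exch-SMTP-Accept-Any-Recipient extended right relays for anyone who
#    can reach its binding. The default connectors do not; hand-made
#    "application relay" connectors frequently do.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $anonRelay = Get-ADPermission -Identity $connector.Identity |
        Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                       -not $_.Deny -and
                       ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }
    if ($anonRelay) {
        Write-Warning ("Anonymous relay allowed on {0} bound to {1}" -f
            $connector.Identity, ($connector.Bindings -join ','))
    }
}

# 4. Edge Transport: EdgeSync is the only channel by which the perimeter
#    server learns recipients and connector configuration. A subscription
#    whose last sync is stale means the Edge server is filtering on old data.
Get-EdgeSubscription | Format-List Name, Site
Test-EdgeSynchronization |
    Format-List Name, SyncStatus, LastSynchronizedUtc, CredentialStatus, RecipientStatus
```

Step 3 is the check that matters most: the connector with anonymous relay is usually bound to an internal address for printers or line-of-business applications, but if it is bound to 0.0.0.0 on a Client Access server that faces the Internet, the organization is an open relay regardless of what the Edge server does.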

Mailbox Server

Mailbox databases, and the components previously associated with other Exchange Server 2007/2010 server roles (Unified Messaging, Client Access, Hub Transport) are hosted on the Mailbox server. All processing for a specific mailbox happens on the Mailbox server that hosts the active copy of the user's mailbox. Client connectivity takes place through the Client Access server.

Mailbox Server Role Components (diagram): Client Access (Outlook Web App, Exchange ActiveSync, Exchange Web Services, Exchange Admin Center, Offline Address Book, Remote PowerShell, RPCProxy, and POP/IMAP under Internet Information Services), Transport, Unified Messaging, RPC Client Access, Managed Store (Database, Extensible Storage Engine), and Exchange Search. Mailbox databases hold user mailboxes, archive mailboxes, and public folder mailboxes.

In-Place Archive
• Provides users with an alternate storage location to store historical messaging data
• Appears below the user's primary mailbox in Outlook or Outlook Web App
• Search across primary and archive mailboxes in Outlook and Outlook Web App
• Sets archive quota separately from the primary mailbox
• Exchange Online Archiving provides a cloud-based archive for on-premises mailboxes

Recoverable Items Folder
These folders are not visible to the user. They include the Audits sub-folders, which contain mailbox audit and calendar logging entries.
• Deletions: Items soft-deleted from the Deleted Items folder. Accessed through Outlook "Recover Deleted Items"
• Versions: Original and modified copies of items when either In-Place Hold or Single Item Recovery are enabled
• Purges: Hard-deleted items when either In-Place Hold or Single Item Recovery are enabled
• Discovery Holds: Data that matches the In-Place Hold criteria is saved to this folder

In-Place Hold and Litigation Hold
• Query-based In-Place Hold on specific items in a mailbox, based on a query (keywords)
• Time-based In-Place Hold retains items for a specified duration
• Litigation Hold can also be used to place an indefinite or time-based hold on the user's mailbox

In-Place eDiscovery
• Enables use of the NEAR operator, allowing you to search for a word or phrase that's in proximity to another word or phrase
• Enhanced management experience and search query improvement
• Preserves the results of the query, which allows for scoped immutability across mailboxes
• Federated discovery using the SharePoint eDiscovery Center allows you to search and preserve data across Exchange, SharePoint, and Lync
• Using Exchange 2013 only, you can create a discovery search using the Exchange Admin Center or the Exchange Management Shell
• Primary and Archive mailboxes are searched, including items in the Recoverable Items folder

Types of Mailboxes
There are several types of mailboxes in Exchange 2013:
• Arbitration: Used for handling moderated recipients and distribution group membership approval
• Archive: Used as a secondary mailbox for users
• Discovery Search: Used to store results from an In-Place eDiscovery search
• Equipment: Used for resources that are not location specific, such as a portable computer, projector, microphone, or a company car
• Room: Used with room-based solutions, such as Lync Room Systems
• Linked: Used for users in a separate, trusted forest
• Public Folder: Used for public folders and public folder content
• User: Used by a typical user to send, receive and store messages, appointments, tasks, notes, and documents

Managed Store
The Managed Store is the name of the newly rewritten Information Store processes in Exchange 2013. The new Managed Store is written in C# and tightly integrated with the Microsoft Exchange Replication service (MSExchangeRepl.exe). It leverages the worker process model and a static database caching algorithm to provide higher availability through improved resiliency.

Exchange Search
Exchange Search is different from the full-text indexing available in previous versions of Exchange Server. Exchange Search includes numerous innovations in performance, content indexing, and search. New items are indexed in the transport pipeline or almost immediately after they're created or delivered to the mailbox, providing users with a fast, stable, and more reliable way of searching mailbox data. Content indexing is enabled by default, and there's no initial setup or configuration required.
The underlying content indexing engine has been replaced with Microsoft Search Foundation, which provides performance and functionality improvements and serves as the common underlying content indexing engine in Exchange 2013 and SharePoint 2013.

Multiple Databases Per Volume and Continuous Replication (diagram): each DAG member holds four DAS volumes, each volume carrying one active, passive, or lagged copy of DB1 through DB4 together with its transaction logs.

Transport Service
The Transport service on the Mailbox server is responsible for all mail flow inside the organization. It's also where DLP rules, transport rules, journaling policies, and Information Rights Management policies are applied.

Anti-Malware: The Malware Agent is enabled by default in the Transport service on Mailbox servers to help protect the organization from malware and other unwanted content.

Anti-Spam Agents in Transport: All built-in anti-spam agents are disabled by default, but they can be enabled by running a PowerShell script. The following anti-spam agents are available in the Transport service on a Mailbox server:
• Content Filter agent
• Sender ID agent
• Sender Filter agent
• Protocol Analysis agent for sender reputation filtering
Note: The Connection Filtering agent, the Attachment Filtering agent and the Recipient Filter agent are available on Edge Transport servers.

Mailbox Transport Service
The Mailbox Transport service on the Mailbox server is the broker between the Transport service and the mailbox databases. The Mailbox Transport service communicates directly with local mailbox databases using RPC, and with the Transport service on local and remote Mailbox servers using SMTP.

Diagram (Transport service pipeline): SMTP Receive, Protocol Agents, Submission Queue (also fed by Pickup/Replay and by Delivery Agents for other protocols), Categorizer (Agent Processing Submitted Messages, Recipient Resolution, Routing, Content Conversion, Agent Processing Routed Messages, Message Packaging), Delivery Queue, SMTP Send. The Mailbox Transport service sends to the Transport service over SMTP on TCP25 or TCP2525 and receives from it on TCP475.

Transport Pipeline
The Categorizer processes all email messages and determines what rules and policies need to be applied based on the final recipient of the message.
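The Recoverable Items, In-Place Hold, In-Place eDiscovery and Transport service sections above describe four controls that ship off by default or unconfigured: query-based holds, Litigation Hold, mailbox audit logging (which is what fills the Audits sub-folder), and the anti-spam agents. The following is an added example, not part of the original poster, that turns each one on and verifies it. Mailbox names, the case name, the keyword query and the internal relay address are hypothetical; the cmdlets, parameters and the Install-AntiSpamAgents.ps1 script are Exchange 2013's own.

```powershell
# Added example (not from the original poster). Assumes the Exchange
# Management Shell on an Exchange 2013 Mailbox server and an account holding
# the Discovery Management and Organization Management roles. Mailboxes,
# case name, query and the 10.0.0.10 relay are hypothetical.

# 1. In-Place Hold and eDiscovery share one object. The query uses NEAR;
#    matching items are preserved in Recoverable Items\DiscoveryHolds of each
#    source mailbox for ItemHoldPeriod days even if the user hard-deletes them.
$search = New-MailboxSearch -Name 'Case-2014-017' `
    -SourceMailboxes 'alice@contoso.com', 'bob@contoso.com' `
    -SearchQuery '"wire transfer" NEAR(5) invoice' `
    -TargetMailbox 'Discovery Search Mailbox' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 365
Start-MailboxSearch -Identity $search.Name
Get-MailboxSearch -Identity $search.Name |
    Format-List Name, Status, InPlaceHoldEnabled, ItemHoldPeriod

# 2. Litigation Hold is the mailbox-wide alternative with no query; here it
#    is time-based (days) rather than indefinite.
Set-Mailbox -Identity 'carol@contoso.com' -LitigationHoldEnabled $true -LitigationHoldDuration 730

# 3. Mailbox audit logging writes to the Recoverable Items\Audits folder only
#    once enabled. Record what administrators and delegates do, which is the
#    non-owner access an investigation needs; owner actions stay off to keep
#    the log usable.
Set-Mailbox -Identity 'carol@contoso.com' -AuditEnabled $true `
    -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, MessageBind `
    -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditLogAgeLimit '180.00:00:00'
Search-MailboxAuditLog -Identity 'carol@contoso.com' -LogonTypes Admin, Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName, ClientInfoString |
    Format-Table -AutoSize

# 4. Transport service protection. Malware filtering is on by default (check
#    it has not been bypassed); the anti-spam agents are installed by the
#    script in the Exchange Scripts folder and need a transport restart.
Get-MalwareFilteringServer | Format-List Name, BypassFiltering, UpdateFrequency
& (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntiSpamAgents.ps1')
Restart-Service MSExchangeTransport
# Sender ID evaluates the first hop outside this list, so list the internal
# relays or every message will be judged by the relay's address.
Set-TransportConfig -InternalSMTPServers @{Add = '10.0.0.10'}
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
```

The hold in step 1 is only as good as the search scope: a query-based hold preserves what matches the query at the time each item arrives, so a too-narrow keyword list silently lets unrelated but relevant items expire. Litigation Hold (step 2) is the safe default when the scope is uncertain.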
Transport Agents applied at the "Agent Processing Submitted Messages" stage:
• RMS Decryption agent: Decrypts Active Directory Rights Management Services (AD RMS) protected messages
• Malware agent: Provides built-in anti-malware protection
• Journaling agent: Generates a journal report when a message matches a journal rule

Transport Agents applied at the "Recipient Resolution" stage:
• Transport Rule agent: Applies transport rules and DLP policies to messages, based on the specified conditions

Transport Agents applied at the "Content Conversion" and "Agent Processing Routed Messages" stages:
• Journal Report Decryption agent: Decrypts journal reports that contain RMS-protected messages
• RMS Encryption agent: Applies Information Rights Management protection to messages flagged by the Transport Rules agent and re-encrypts transport-decrypted messages
• Prelicensing agent: Requests an AD RMS Usage License on behalf of the recipient
• Journaling agent: The Journaling agent is also applied here so modified messages can't bypass the Journaling agent

Diagram (Mailbox Transport service): Mailbox Transport Submission (Mailbox Assistants, Submit Agents, Store Driver Submit, which reads from the mailbox store over MAPI) and Mailbox Transport Delivery (Store Driver Deliver, Deliver Agents, which writes to the mailbox store over MAPI); both exchange mail with the Transport service over SMTP Send and SMTP Receive, with the Transport service selector choosing the Mailbox server.

Multiple Databases Per Volume
Exchange 2013 is optimized so that it can use large multi-terabyte disks in a JBOD configuration more efficiently. With multiple databases per disk, you can have the same size disks storing multiple database copies, including lagged copies. The goal is to drive the distribution of users across the number of volumes that exist, providing you with a symmetric design where during normal operations each DAG member hosts a combination of active, passive, and optional lagged copies on the same volumes. Another benefit of using multiple databases per disk is that it reduces the amount of time to restore data protection in the event of a failure that necessitates a reseed (for example, disk failure).

AutoReseed
AutoReseed is designed to automatically restore database redundancy after a disk failure by using spare disks that have been provisioned on the system. In the event of a disk failure where the disk is no longer available to the operating system, or is no longer writable, a spare volume is allocated by the system, and the affected database copies are reseeded automatically.

DAGs without Administrative Access Points
Exchange 2013 SP1 supports creating a DAG without a cluster administrative access point as a new optional configuration. Creating a DAG without an AAP reduces the complexity of your DAG and simplifies DAG management.

Managed Availability
Both Exchange 2013 server roles include a new monitoring and high availability feature known as Managed Availability. Managed Availability includes three main asynchronous components that are constantly doing work. Administrators remain in control with the ability to configure server-specific and global overrides.

Probe Engine: Responsible for taking measurements on the server and collecting the data; results of those measurements flow into the monitor.

Monitor: Contains business logic used by the system to determine whether something is healthy, based on the data that is collected and the patterns that emerge from all collected measurements.

Responder Engine: Responsible for recovery actions. When something is unhealthy, the first action is to attempt to recover that component via multi-stage recovery actions that can include:
• Restarting an application pool
• Restarting a service
• Restarting a server; and
• Removing a server from service
If recovery actions are unsuccessful, Managed Availability escalates the issue to a human through event log notifications.

Diagram (Managed Availability): Sampling (Probe Definition, Probe, Results/Samples), Detection (Monitor Definition, Monitor, Results/Alerts), Recovery (Responder Definition, Responder, Results/Responses). Monitor States: Healthy; at 00:00:00 (T1) the Restart Service Responder runs; at 00:00:10 (T2) the Failover Responder; at 00:00:30 (T3) the Escalate Responder raises a Notification Item. Other responders include the Bugchecker Responder and the Offline Responder.

High Availability Message Flow
1. A Mailbox server receives a message from any SMTP server that's outside the Transport high availability boundary. The Transport high availability boundary is a DAG or an Active Directory site in non-DAG environments.
2. Before acknowledging receipt of the primary message, the primary Mailbox server initiates a new SMTP session to a shadow Mailbox server within the Transport high availability boundary and makes a shadow copy of the message. In DAG environments, a shadow server in a remote Active Directory site is preferred.
3. The primary server processes the primary message and delivers it to users within the Transport high availability boundary or relays it to the next hop. The primary server queues a discard status for the shadow server that indicates the primary message was successfully delivered, and the primary server moves the primary message into the local Primary Safety Net.
4. The shadow server periodically polls the primary server for the discard status of the primary message.
5. When the shadow server determines the primary server successfully delivered the primary message or relayed it to the next hop, the shadow server moves the shadow message into the local Shadow Safety Net.
6. The message is retained in the Primary Safety Net and the Shadow Safety Net until the message expires.

Principles of Transport High Availability
• Messages in transit are redundantly persisted before their receipt is acknowledged to the sending SMTP server
• Redundant copies of messages processed by Transport are kept in Safety Net for resubmission in the event of a mailbox failover, and Safety Net itself is made redundant on another server
• Message resubmissions due to queue database loss or mailbox database failover are fully automatic and do not require any manual intervention

Copyright © 2014 Microsoft Corporation - All Rights Reserved
Poster Feedback: eapf@microsoft.com
Not all listed features are compatible with legacy versions of Exchange, SharePoint or Lync
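The Managed Availability and High Availability Message Flow sections above describe machinery that acts on its own: responders restart services, fail over databases and bugcheck servers, and shadow redundancy holds a second copy of every message in transit. An incident responder needs to read that activity and, occasionally, suspend one recovery action without blinding the monitoring. The following is an added example, not part of the original poster, that does both. Server names and the responder identity passed to Add-ServerMonitoringOverride are hypothetical; the event log channel names, cmdlets and Get-TransportConfig properties are Exchange 2013's own.

```powershell
# Added example (not from the original poster). Assumes the Exchange
# Management Shell on an Exchange 2013 server. MBX01/MBX02 and the responder
# identity 'Transport\TransportServiceRestart' are hypothetical; take the
# real identity from Get-MonitoringItemIdentity before using it.

$servers = 'MBX01', 'MBX02'

# 1. Current Managed Availability state: everything a monitor considers
#    other than Healthy, with the health set and the target resource. This is
#    the same AlertValue the Escalate responder writes to the event log.
foreach ($server in $servers) {
    Get-ServerHealth -Identity $server |
        Where-Object { $_.AlertValue -ne 'Healthy' } |
        Select-Object Server, HealthSetName, Name, AlertValue, TargetResource |
        Format-Table -AutoSize
}

# 2. What the responders actually did. Service restarts, failovers and
#    bugchecks are recorded in the RecoveryActionResults channel; check it
#    before attributing an unexplained restart to an operator or an attacker.
Get-WinEvent -LogName 'Microsoft-Exchange-ManagedAvailability/RecoveryActionResults' -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# 3. Override rather than disable. A server-scoped, time-limited override of
#    one responder keeps probes and monitors running (so alerts still fire)
#    while suppressing that single recovery action, for example during a
#    forensic capture on a transport host.
Get-MonitoringItemIdentity -Identity 'MBX01' -HealthSet 'Transport' |
    Where-Object { $_.ItemType -eq 'Responder' } |
    Format-Table Identity, ItemType -AutoSize
Add-ServerMonitoringOverride -Server 'MBX01' -Identity 'Transport\TransportServiceRestart' `
    -ItemType Responder -PropertyName Enabled -PropertyValue 0 -Duration '1.00:00:00'
Get-ServerMonitoringOverride -Server 'MBX01' |
    Format-Table Identity, ItemType, PropertyName, PropertyValue -AutoSize

# 4. Transport high availability. These organization-wide settings implement
#    the six-step primary/shadow flow: whether shadowing is on, whether a
#    remote-site shadow is preferred, how long Safety Net keeps delivered
#    copies for resubmission, and how often the shadow polls for discard status.
Get-TransportConfig |
    Format-List ShadowRedundancyEnabled, ShadowMessagePreferenceSetting,
                MaxRetriesForRemoteSiteShadow, MaxRetriesForLocalSiteShadow,
                ShadowHeartbeatFrequency, ShadowResubmitTimeSpan, SafetyNetHoldTime

# Shadow copies waiting for discard status sit in ShadowRedundancy queues;
# a queue that only grows means the primary is not acknowledging deliveries.
foreach ($server in $servers) {
    Get-Queue -Server $server -Filter { DeliveryType -eq 'ShadowRedundancy' } |
        Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
}
```

Two operational notes follow from the poster's design. Because Safety Net resubmits delivered messages after a mailbox database failover, mail can legitimately arrive twice after a DAG failover; duplicate-delivery reports in that window are expected behaviour, not a replay attack. And because a global override applies to every server, keep overrides server-scoped and time-limited as in step 3 so that a suppressed responder cannot outlive the incident that justified it.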
