Manually Removing a Failed Edge Transport Role

 

Content Warning!!

The steps in this post are not recommended unless you have no backup of your Edge Transport configuration. All steps below were tested in one specific environment and may not apply to yours. Do it at your own risk!!

I recommend recovering your Edge Transport servers with the Cloned Configuration method (see Understanding Edge Transport Cloned Configuration). Use the content of this post only as a last resort.

While Exchange 2013 is out on the market and a lot of deployments are under way, the Edge Transport role of Exchange 2010 still matters, since Exchange Server 2013 does not have an Edge Transport role of its own.

Today, I was working on recovering an Edge Transport server role, and the recovery did not go well. Finally, a call was made to remove this Edge Transport role. The only hurdle was that we could not install a fresh OS on this box, since the servers are located in a remote data center. The only option was to remove the Edge Transport role manually and clean up the OS so that it could be used to reinstall the Edge Transport role.

So here is how you do it:

Stop Exchange Services (Leave them in whatever state they are if they do not stop)

Remove Registry Entries (Note! Back up the registry every time before you change anything in it)

  • Open Registry Editor
  • Browse to HKLM\SOFTWARE\Microsoft
  • Locate registry key named ExchangeServer
  • Delete the key ExchangeServer
  • Browse to location HKLM\SYSTEM\CurrentControlSet\Services\
  • Locate registry keys starting with MSExchange e.g. MSExchange ADAccess
  • Remove all registry keys starting with MSExchange
  • Browse to your exchange installation location. Typically at C:\Program Files\Microsoft\
  • Delete the folder Exchange Server. If you are scared of deleting it, you can simply rename it to Exchange Server.OLD

Remove LDS Instance

  • Open Command prompt with elevated privileges
  • Browse to location C:\Windows\ADAM
  • Type ADAMUninstall /i:MSExchange and hit enter
  • Click Yes on both the dialog boxes appearing after you hit enter
  • Restart the server
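
The registry backup that the note above asks for, followed by a dry run of the service stop, key removal and folder rename, as an added PowerShell example that is not part of the original post. The backup folder C:\EdgeCleanupBackup and the function name are assumptions; the registry and folder paths are the ones listed in the steps above.

```powershell
# Added example, not from the original post. $BackupDir is an assumed location;
# the registry and folder paths are the ones named in the steps above.
function Backup-ExchangeEdgeRegistry {
    param([string] $BackupDir = 'C:\EdgeCleanupBackup')

    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    # The product key plus every service key whose name starts with MSExchange.
    $keys = @('HKLM\SOFTWARE\Microsoft\ExchangeServer')
    $keys += @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like 'MSExchange*' } |
        ForEach-Object { 'HKLM\SYSTEM\CurrentControlSet\Services\' + $_.PSChildName })

    $saved = @()
    foreach ($key in $keys) {
        # Skip keys that are already gone (for example after a partial cleanup).
        if (-not (Test-Path ($key -replace '^HKLM', 'HKLM:'))) { continue }

        # One .reg file per key, so a single key can be restored with "reg import".
        $file = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
            throw "Export of $key failed; stop here and delete nothing."
        }
        $saved += $key
    }
    return $saved
}

# Dry run: -WhatIf prints what each command would do without changing anything.
# Remove -WhatIf only after checking the .reg files in the backup folder.
Get-Service -Name 'MSExchange*' | Stop-Service -Force -WhatIf

foreach ($key in (Backup-ExchangeEdgeRegistry)) {
    Remove-Item -Path ($key -replace '^HKLM', 'HKLM:') -Recurse -WhatIf
}

# Rename rather than delete, as suggested in the last step of the list.
Rename-Item -Path 'C:\Program Files\Microsoft\Exchange Server' `
            -NewName 'Exchange Server.OLD' -WhatIf
```

Run it from an elevated PowerShell prompt; the function returns only the keys it actually exported, so nothing is listed for removal without a backup file behind it.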

When you reinstall the Exchange Edge Transport role, you may receive some weird errors the first time. This is expected to happen when you remove everything in a crude way. If that happens:

  • Locate the registry key HKLM\SOFTWARE\Microsoft\ExchangeServer\V14\EdgeTransportRole
  • Delete the WaterMark string from the right hand side pane of registry editor
  • Browse back to location HKLM\SOFTWARE\Microsoft\ExchangeServer\V14\
  • Right click and create a new key named Transport
  • Create one more key named Pickup at HKLM\SOFTWARE\Microsoft\ExchangeServer\V14\
  • Re-run exchange edge transport setup

Your edge transport role should be back to operation and you can create a new edge subscription with Exchange 2013 mailbox or Exchange 2010 HT servers.

 

 

 

May 11, 2013   Posted in: Exchange 2010  No Comments

The Microsoft Exchange Administrator has made a change that requires you quit and restart Outlook

Yet another story of troubleshooting an interesting case which led to a weird finding: a kind of undocumented behavior of either version of Outlook with an Exchange 2010 multi-role installation using DAG and CAS array together. Indeed, you cannot use DAG and WNLB together, but there are several organizations using hardware load balancers so that servers holding multiple roles can be DAG members and still form a CAS array.

In one of these unique cases that took an abnormally long time to reach a resolution (workaround), this behavior was a major culprit. Let me come to the point.

One of the customers has a multi-role DAG and CAS array architecture. They have two servers, EX-01 and EX-02, with the Mailbox, HT and CAS server roles installed on them. These servers are also the members of the only DAG they have. These servers implement a CAS array load balanced with the help of a Barracuda 340 appliance.

Diagrammatically, it looks pretty simple,

image

Everything seems to be alright. DAG *overs, CAS load balancing, mail flow, etc. work absolutely fantastically, except for a haunting random pop-up on Outlook clients that says:

“The Microsoft Exchange Administrator has made a change that requires you quit and restart Outlook”

After troubleshooting this whole case for more than a month, it turned out to be a really weird finding. I don’t know whether this is something different from what Outlook is supposed to handle or whether it is a bug. Regardless of the logic of Outlook-to-Exchange communication, or of it being a bug, it is surely interesting to know.

So here is what happens:

If you observe the above diagram carefully, only one of the two boxes in the DAG + CAS array has the PF database store on it.

When Outlook clients connect to an Exchange 2010 server, they connect directly to a mailbox server hosting a PF replica. If Outlook connects to a CAS array member that also hosts a PF store, it converges the public and private logons into a single connection. When the client connects to a CAS array member which does not host a PF store, Exchange issues a wrongServer response to the client and suggests a new server name for the public logon. Somehow, Outlook is unable to handle this response and thinks that it has to reconfigure the profile.

If you have ever been haunted by this kind of problem, you can easily figure out this whole logic with the help of the RCA logs on the CAS servers. If you look at the RCA logs thoroughly, you will see something like below:

2013-04-04T13:53:07.585Z,17918,1,/o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User E345f,,OUTLOOK.EXE,11.0.8200.0,Cached,,,ncacn_ip_tcp,,PublicLogon,1144 (rop::WrongServer),00:00:00,"Logon: Public,  in database 36d89041-6f58-4bcb-a7af-fd38d9994b94 last mounted on EX-02.Customer at 04-04-2013 12:30:12, currently Mounted; Redirected: not a user’s home public server, suggested new server: /o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-02",RopHandler: Logon:
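
A way to pull these redirects out of RCA log lines and see which users are hit and which server they are sent to, as an added PowerShell example that is not part of the original post. The column names are assumptions inferred from the position of each value in the line above, and the sample lines are constructed on the model of that line.

```powershell
# Added example, not from the original post.
# Column names are assumptions based on the order of values in the log line above.
$RcaColumns = 'DateTime','SessionId','SeqNumber','ClientName','OrgInfo','ClientSoftware',
              'ClientVersion','ClientMode','ClientIp','ServerIp','Protocol','ApplicationId',
              'Operation','RpcStatus','ProcessingTime','OperationSpecific','Failures'

function Find-PublicLogonRedirect {
    param([Parameter(Mandatory = $true)] [string[]] $Line)

    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |      # skip blank and header lines
        ConvertFrom-Csv -Header $RcaColumns |              # copes with commas inside the quoted field
        Where-Object { $_.Operation -eq 'PublicLogon' -and $_.RpcStatus -match 'rop::WrongServer' } |
        ForEach-Object {
            # The suggested server is the last cn= component of the legacy DN in the detail text.
            $suggested = $null
            if ($_.OperationSpecific -match 'suggested new server:.*/cn=Servers/cn=([^/,]+)\s*$') {
                $suggested = $Matches[1]
            }
            New-Object PSObject -Property @{
                Time            = $_.DateTime
                User            = ($_.ClientName -replace '^.*/cn=', '')
                OutlookVersion  = $_.ClientVersion
                SuggestedServer = $suggested
            }
        } |
        Select-Object Time, User, OutlookVersion, SuggestedServer
}

# Constructed sample: two redirected public logons, one successful public logon, one private logon.
$sample = @'
2013-04-04T13:53:07.585Z,17918,1,/o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User E345f,,OUTLOOK.EXE,11.0.8200.0,Cached,,,ncacn_ip_tcp,,PublicLogon,1144 (rop::WrongServer),00:00:00,"Logon: Public,  in database 36d89041-6f58-4bcb-a7af-fd38d9994b94 last mounted on EX-02.Customer at 04-04-2013 12:30:12, currently Mounted; Redirected: not a user's home public server, suggested new server: /o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-02",RopHandler: Logon:
2013-04-04T13:55:41.102Z,17931,1,/o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User A100,,OUTLOOK.EXE,14.0.6117.5001,Cached,,,ncacn_ip_tcp,,PublicLogon,1144 (rop::WrongServer),00:00:00,"Logon: Public,  in database 36d89041-6f58-4bcb-a7af-fd38d9994b94 last mounted on EX-02.Customer at 04-04-2013 12:30:12, currently Mounted; Redirected: not a user's home public server, suggested new server: /o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-02",RopHandler: Logon:
2013-04-04T13:56:02.730Z,17940,1,/o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User B200,,OUTLOOK.EXE,14.0.6117.5001,Cached,,,ncacn_ip_tcp,,PublicLogon,0,00:00:00,"Logon: Public",
2013-04-04T13:56:03.011Z,17940,2,/o=Customer/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User B200,,OUTLOOK.EXE,14.0.6117.5001,Cached,,,ncacn_ip_tcp,,OwnerLogon,0,00:00:00,"Logon: Owner",
'@ -split "`r?`n"

$hits = Find-PublicLogonRedirect -Line $sample
$hits | Format-Table -AutoSize

# How often each user is redirected, and to which server.
$hits | Group-Object User, SuggestedServer | Select-Object Count, Name
```

On a CAS server the same function can be fed with `Get-Content` over the RCA log files; users who appear here are the ones to correlate with the restart prompt.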

 

I am sure I can’t call it a resolution, but below are a couple of ways to handle this:

1. Block access to the public folder store on the servers. – This might be impractical for a lot of organizations, since PFs are still used by a lot of companies for collaboration purposes.

2. Move the PF database to another server which is not a part of a CAS array.

3. Create one more replica of the PF store on another member of the CAS array. (Note: Due to some situations I could not test this scenario in labs before publishing. I would suggest having a check in the labs before doing this in production.)

April 28, 2013   Posted in: Uncategorized  6 Comments

System Attendant Fails to Start with Event ID 33, Source SideBySide

Today was the day when someone was upgrading their Exchange Server 2010 SP2 servers to SP3. Everything went well until one of the servers that got the new update did not want to start the Microsoft Exchange System Attendant service.

Every time the service failed to start, it threw the error below.

Log Name:      Application
Source:        SideBySide
Date:          21-04-2013 14:52:41
Event ID:      33
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      A1SR-EX1.company
Description:
Activation context generation failed for "C:\Program Files\Microsoft\Exchange Server\V14\bin\mad.exe". Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found. Please use sxstrace.exe for detailed diagnosis.

 

System Attendant startup issues are usually due to something wrong in AD or the service failing to connect to any domain controller during startup. This particular case was not related to AD, though.

 

The fix was very simple.

Download and install the Microsoft Visual C++ 2008 Redistributable Package (x64), then start the System Attendant.

 


April 21, 2013   Posted in: Exchange 2010  One Comment

NDR 550 5.5.3 RESOLVER.ADR.RecipLimit; too many recipients

 

At a customer, we were troubleshooting a case of non-delivery reports and came across this funny thing. They have restricted delivery to all the distribution groups and set the organization-level maximum recipient setting to 25. Only one user, who has permission to send emails to some of the distribution groups and has already been allowed to send emails to more than 200 recipients, was experiencing this issue.

Get-TransportConfig shows that the org-level transport configuration does not allow more than 25 recipients in any email

image

User mailbox settings are configured to allow sending to more than 25 recipients (200)

image

According to the way transport in Exchange should function, the user-level limit should override the limits set at org level. In this case, Exchange somehow refused to follow its own way of working. The weirdest thing was that it was happening with only a single user and not everyone. The rest of the senders with similar configuration were working absolutely fine.

When the user sent an email to a distribution group which has several other nested distribution groups as well, he received the NDR below.

This message wasn’t delivered to anyone because there are too many recipients. The limit is 25. This message has 95 recipients.

Everyone in Company Ops (everyoneincompanyops@company.com)
This message has too many recipients. Please try to resend with fewer recipients.

After running out of all known ways of troubleshooting, we decided to take some help from ExTRA for tracing the Transport components, and got the .etl file converted to readable form with the help of MS PSS. ExTRA returned the error below in the log.

"163","00000000","Debug ","1601/01/03-08:58:04.588","24064","57828","Transport","Resolver","Lookup result for recipient IMCEAEX-_O=Exchange_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=E902df71-79d72599-65257491-2575b4@exchange.COM is Microsoft.Exchange.Data.Directory.Recipient.NonUniqueLegacyExchangeDNError"
"164","00000000","Error ","1601/01/03-08:58:04.588","24064","57828","Transport","Resolver","ambiguous address"

With reference to the above findings, we investigated further and found a member of the distribution group which did not have a mailbox associated with it. Now that we could understand what was happening, we:

1. Removed the member that did not have a mailbox associated.

2. Updated the sender’s legacyExchangeDN attribute to end with his alias.

3. Deleted the name cache of the user (see Outlook 2010 Nickname Cache – An Insider Story).

4. Ensured the Outlook profile was freshly configured.

 

Bingo! The next attempt to send an email was successful.

The weird thing is that the NDR message and the actual problem had no relevance to each other; it finally turned out to be a misleading NDR. I do not know whether to call it a bug, but it does seem like one.

January 24, 2013   Posted in: Exchange 2010, Transport  4 Comments

Script – Find Empty Distribution Groups in Exchange 2010

During or after migration activities, a lot of distribution groups become unused because they no longer contain any members. Administrators working for large organizations must have gone through such a requirement several times.

I was asked to find such distribution groups at one of our customers. Only a few lines of code can do this listing for you. Scripts available on the internet right now use pipelining and fail to give the desired results if you are using remoting. So, here is that small piece of code:

$dls = Get-DistributionGroup -ResultSize Unlimited

# @() forces an array, so .Count is also correct for a group with exactly one member
Foreach ($dl in $dls) {
    if (@(Get-DistributionGroupMember -Identity $dl.DistinguishedName).Count -lt 1) {
        Write-Host $dl.DisplayName "," $dl.PrimarySmtpAddress
    }
}

January 7, 2013   Posted in: Exchange 2010  5 Comments

Overview of Exchange 2013 Public Folders Part – I

Please Note: This is a prerelease post and information in this post may not be applicable to the product when it is launched.

EDIT: Exchange Team has published a detailed post over here http://blogs.technet.com/b/exchange/archive/2012/11/08/public-folders-in-the-new-office.aspx . 

 

Despite Microsoft’s thought of deprecating public folders from Exchange Server 2007 and later versions, they stayed as a part of the product. Although there has been no graphical user interface to manage public folders in Exchange 2007 and onwards, PowerShell has always been a good alternative. Public folders are normally looked at as a great single place of collaboration for the employees of any organization. I personally know some very large software companies which use public folders for their project-related work instead of SharePoint team sites, even though they have a decent SharePoint 2010 deployment. What makes public folders a favorite choice for a lot of users is their accessibility within Outlook. One does not need to log on to a different place just to collaborate with different teams, or with members of the same team sitting at different locations. Users can simply move their mouse cursor from emails to public folders and view collaboration data within Outlook.

For many reasons MS has been trying to deprecate the use of public folders, but they somehow do not seem to be going away. The above was just one example of why they may still exist.

To know what has changed with public folders in Exchange 2013, one must know how they worked in legacy versions of Exchange. I am sure these are basics, but I think they must be revisited once again before trying to learn the new way.

Until Exchange 2010

Although there is a huge change in the way public folders were managed in Exchange 2003 compared to Exchange 2007 and Exchange 2010, the basic architecture of public folders did not change. A public folder database is a slightly different flavor of the Exchange database architecture that can hold only public folder hierarchies and public folder contents.

A separate table within the database is used to maintain the security permissions on folders and contents. This table determines who has access to what content and what the level of access is.

Replication

In Exchange 2003 replication was handled directly by the mailbox servers; in Exchange 2007 and later it was handled by the Hub Transport role in conjunction with a Mailbox server role which hosted a public folder database and participated in replication. One of the major advantages of this model is that it avoids unnecessary client connectivity traffic going across Active Directory sites. For example, in an environment with multiple Exchange servers deployed across multiple Active Directory sites, users in any particular site can get their public folder data within that site if the mailbox server in that site is configured with a public folder database and the required public folders are replicated to it. This model does pose a limitation in the consistency of data availability in public folders in case of a site-level failure or a planned DR drill. An administrator has to make manual changes to make the public folder database available to end users in the event of a site-level or complete server-level failure.

 

Every administrator who has dealt with public folders and multiple copies of public folders has experienced public folder replication issues. This replication is purely based on an SMTP traffic channel between source and destination. Although SMTP is one of the native protocols that Exchange supports by default, troubleshooting public folder replication can be a really time-consuming and painful job.

 

Connectivity

In Exchange 2003 and Exchange 2007 an Outlook client would connect to a public folder database using a direct RPC connection to the public folder database name it discovered from the properties of the mailbox database where the connecting user’s mailbox is.

Exchange Server 2010 introduced two new concepts called DAG and CAS Array. These two concepts changed the way Outlook connects to a mailbox. To maintain high availability and to decrease end-user service disruption, Exchange 2010 CAS servers and mailbox servers use RPC endpoints between clients, mailbox servers and mailbox database copies. Outlook uses these RPC endpoints on the Client Access Server to connect to a mailbox, but uses a direct RPC connection to a public folder database, which it discovers from the mailbox database properties.

 

You must have noticed the trend in public folder architecture by now. Exchange 2013 takes it even further and introduces a few more changes that make public folders look a little weird and hard to understand. A lot of experienced administrators also looked a little confused about this. Also, Microsoft does not have very good documentation about public folders yet. I will try to post my findings based on my own research on public folders in my labs.

In the next post, I will write more about what has changed, how it works and, definitely, how it adds value over the existing public folder architecture. So, stay tuned, and do let me know in case someone wants to read something specific about public folders.

 

October 10, 2012   Posted in: Uncategorized  Comments Closed

Exchange 2013 Preview Installation on Windows Server 2008 R2 SP1

With a lot of this missing and that missing, the Exchange 2013 installation got through after a good 3 hours of installation time. I am not sure why it took so long to complete, though. Maybe my hypervisor isn’t performing too well.

This post is going to run through a quick look at Exchange 2013 Preview installation on Windows Server 2008 R2. Below are the lab details:

E15DC – Domain Controller

E15MBX – Mailbox Server Role

E15CAS – CAS Server Role.

Domain Name: e15.exchange.local (No it is not a child domain. The root domain itself is named like that!)

Prerequisites For Windows Server 2008 R2 SP1

Exchange 2013 Preview supports below server operating systems only

  • Windows Server 2008 R2 SP1
  • Windows Server 2012

Since I used Windows Server 2008 R2 SP1 for this installation below are the prerequisites that I needed to install:

OS Components

Windows Server Roles and Features

Mailbox Server Role

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI -Restart

CAS Server Role

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI -Restart

Once you have installed all the OS prerequisites on the server where Exchange 2013 will be installed, and have completed the reboot, make sure to uninstall Visual C++ 11 Beta Redistributable (x64) – 11.0.50531.

If you leave Visual C++ 11 Beta Redistributable (x64) – 11.0.50531 installed, setup will ask you to remove it during the readiness check.

Note: You may need to reboot the servers many times before the installation could be started.

 

Active Directory

Schema Master: Windows Server 2003 SP2 or later x86 / x64
Global Catalog: Windows 2008 or later. On safer side, I recommend using Windows 2008 SP2 or later
Domain Controller: Windows 2008 or later. On safer side, I recommend using Windows 2008 SP2 or later
Permissions:
  • Enterprise Admins
  • Schema Admins
Domain Functional Level: Windows Server 2003 Native or above
Forest Functional Level: Windows Server 2005 or above
RODCs: Exchange cannot work with RODCs. So NO RODCs in the site where you are trying to install exchange 2013 Preview.

 

In short, you must have at least one DC and GC running Windows Server 2008 or later. Schema master role can be owned by a domain controller that is Windows 2003 SP2.

After finishing all prerequisite checks and installations, we are good to go for the first Exchange 2013 Preview server role installation. Microsoft says there is no specific order of installation; however, installing the Mailbox server role first and then the CAS server role is recommended.

As usual, there are two ways to install Exchange 2013: the CLI way and the GUI way. You may notice some differences compared to legacy versions (Exchange 2007 and 2010), though.

Installing Exchange 2013 using CLI

Exchange 2013 Preview seems to have replaced setup.com with setup.exe and offers the switches below for installation.

Setup.exe [/Mode:<setup mode>] [/IAcceptExchangeServerLicenseTerms]
[/Roles:<server roles to install>] [/InstallWindowsComponents]
[/OrganizationName:<name for the new Exchange organization>]
[/TargetDir:<target directory>] [/SourceDir:<source directory>]
[/UpdatesDir:<directory from which to install updates>]
[/DomainController:<FQDN of domain controller>]
[/AnswerFile:<filename>] [/DoNotStartTransport] [/LegacyRoutingServer]
[/EnableErrorReporting] [/NoSelfSignedCertificates]
[/AddUmLanguagePack:<UM language pack name>]
[/RemoveUmLanguagePack:<UM language pack name>] [/NewProvisionedServer:<server>]
[/RemoveProvisionedServer:<server>] [/ExternalCASServerDomain:<domain>]
[/MdbName:<mailbox database name>] [/DbFilePath:<Edb file path>]
[/LogFolderPath:<log folder path>] [/Upgrade]

For example, the command below will install Exchange 2013 Preview at the default installation location under C:\Program Files\Microsoft

Setup.exe /Mode:Install /Roles:ClientAccess,Mailbox /OrganizationName:"Exchange Geek" /IAcceptExchangeServerLicenseTerms

Installing Exchange 2013 using GUI

The same setup.exe file located at the root of the installation media or installation source directory launches the GUI setup. You just need to double click it.

image

And this is the first page of the setup wizard. You may notice that the setup wizard follows the non-glossy, non-3D window look. Maybe inspired by the Windows Phone interfaces?

On the very first page the setup wizard asked if I wanted to check for updates on the internet. Since my virtual machines were not connected to the internet, I did not let it do so and simply moved on to the next screen, which copies the files.

image

 

Next is the introduction page which has links to the learning resources on Microsoft Technet.

image

This screen lets you select the server roles to be installed.

 

image

You can specify the location of exchange binaries on the Installation Space and Location page of the wizard.

 

image

After clicking next on the previous page Exchange Organization page appears asking you to enter the organization name. You can also select whether to apply the Active Directory Split Permissions model.

 

image

You will see this screen only if you are installing a mailbox server role. Exchange 2013 preview bundles the anti malware protection with mailbox server role. You can select to enable or disable the anti malware protection. Read more about Anti Malware Protection here

 

Similarly, if you are installing Exchange 2013 CAS role you will be asked whether the server you are installing is an internet facing server and if yes then to specify the FQDN for the external access.

The next few pages let you select the options for error reporting and CEIP. I am skipping those pages just to avoid unnecessary length in this post.

 

That’s all! You have your exchange server 2013 Preview lab ready for testing and learning. Enjoy!

July 18, 2012   Posted in: Exchange 2013  3 Comments

Exchange Server 2013 Preview Release – at a glance

Microsoft announced its IT Pro review version of Microsoft Exchange, named Microsoft Exchange 2013. Just like previous releases of the product, Microsoft seems to have maintained its consistency in making drastic architectural changes to make the product more scalable and more efficient. Let us take a look at the high-level changes that you will see in Exchange 2013 Preview.

Roles:

Oops! I don’t see anything called Hub Transport, Unified Messaging and Edge Transport server roles. Yes! You guessed it correctly. There are no HT, UM and ET roles. Only two roles at the moment, viz. MBX and CAS.

The Mailbox server role will handle the mailbox and unified messaging roles together, with improvements to the way mailboxes and information store databases are managed.

Client connectivity does not use RPC anymore. It will use HTTPS traffic to and from the CAS role.

Transport is an integrated component of the CAS role. That means NO HUB TRANSPORT. The figure below, copied over from the Microsoft website, shows how it works.

image

Mailbox server role has a lot of improvements done too.

 

Management:

The Microsoft Exchange 2013 Preview release uses a completely new GUI-based management interface called EAC. EAC, the Exchange Administration Center, replaces the MMC-based Exchange Management Console.

Another component of the management interfaces, Exchange Management Shell, now uses WinRM 3.0 as a base to run the Exchange server management snap-in.

Public Folders:

Although Microsoft kept insisting on moving your public folder data to a SharePoint-based website, they seem to have continued the support for public folders. Surprisingly, instead of deprecating the support for PFs, MS has introduced a few more changes to the PF database architecture that can support HA. You may notice a significant difference between the legacy way of public folders and the way they are handled by Exchange 2013.

Storage Engine:

If you are an ESE lover, there is good news for you. Exchange 2013 still sticks to ESE as its database engine.

High Availability:

Mailbox Server High Availability = DAG has become an almost unwritten equation in the industry by now. Exchange 2013 continues with the two very well-known terms DAG and CAS Array. DAG and CAS Array have been improved to support the stringent RTO/RPOs of organizations.

I personally liked Windows Server 2012 RC and hope Exchange 2013 along with it can do some magic to reduce administrative burdens and TCO for many organizations.

 

This is the first post on my blog about Exchange 2013. Stay tuned for the geeky insight of the product. It has just started, a long way to go ;)

 

Finally, here are few links that can help you:

Download: http://technet.microsoft.com/en-us/exchange/fp179701

CHM Help: http://www.microsoft.com/en-us/download/details.aspx?id=30338

July 17, 2012   Posted in: Exchange 2013  7 Comments

Script: Remove Orphaned ActiveSync Devices

One of the customers is running a cleanup of EAS devices. Their goal is to remove all devices that haven’t synced with the server for more than 30 days. The approach is as below:

  1. Identify the users whose ActiveSync devices have not synced over the last 30 days.
  2. Notify them about the removal; they should also know which devices associated with their mailbox will be removed.
  3. Remove the device after a notification is sent
  4. Log what was removed and whose mailbox was processed

It is a little tedious to do this manually, since the initial number of users will be more than 1000, and yes, that calls for an automated way to do it. Another reason for automating the process is to avoid missing the schedule. Humans normally get busy with things and they forget :) . So, I wrote something that will do all the mentioned jobs automatically, and it goes here.

 

All you need to do is change the following information in the script at each of the line numbers mentioned below:

105 – Company Policy Link
148 – Internal Phone Number
150 – External Phone Number
155 – Helpdesk Email Address
176 – Remove -WhatIf parameter
180 – Change the name of Hub Transport Server
143 – Change the name of Hub Transport Server

 

An output email that is sent out looks like below.

 

image

 

Hope you find it useful.
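
The four steps listed above, as an added PowerShell example that is not the author's script (which is only linked from this post). On a live server the input rows would come from Get-ActiveSyncDeviceStatistics, which supplies LastSuccessSync, DeviceType and Identity; the Mailbox property, the function names, the log path and the sample rows are assumptions made for this example.

```powershell
# Added example, not the author's script. The sample rows are constructed, and
# "Mailbox" is an assumed property attached by whoever collects the statistics.
function Select-StaleActiveSyncDevice {
    param(
        [Parameter(Mandatory = $true)] [object[]] $DeviceStatistics,
        [int] $MaxAgeDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$MaxAgeDays)
    foreach ($d in $DeviceStatistics) {
        # A device that never finished a sync has an empty LastSuccessSync;
        # label it explicitly so the notice does not quote a bogus date.
        if ($null -eq $d.LastSuccessSync) { $reason = 'never completed a sync' }
        elseif ($d.LastSuccessSync -lt $cutoff) {
            $reason = 'last synced ' + $d.LastSuccessSync.ToString('yyyy-MM-dd')
        }
        else { continue }
        New-Object PSObject -Property @{
            Mailbox = $d.Mailbox; Identity = $d.Identity
            DeviceType = $d.DeviceType; Reason = $reason
        }
    }
}

function New-DeviceRemovalNotice {
    param([Parameter(Mandatory = $true)] [object[]] $StaleDevice)
    # Step 2: one notice per mailbox, listing every device that will be removed.
    foreach ($g in ($StaleDevice | Group-Object Mailbox)) {
        $lines = $g.Group | ForEach-Object { " - $($_.DeviceType) ($($_.Reason))" }
        New-Object PSObject -Property @{
            To   = $g.Name
            Body = "These ActiveSync devices will be removed from your mailbox:`r`n" +
                   ($lines -join "`r`n")
        }
    }
}

function Remove-StaleActiveSyncDevice {
    param(
        [Parameter(Mandatory = $true)] [object[]] $StaleDevice,
        [string] $LogPath = '.\eas-cleanup-log.csv',
        [switch] $Commit    # without -Commit every removal runs with -WhatIf
    )
    # Outside the Exchange Management Shell the cmdlet is absent; then only the log is written.
    $haveExchange = [bool](Get-Command Remove-ActiveSyncDevice -ErrorAction SilentlyContinue)
    $log = foreach ($d in $StaleDevice) {
        if ($haveExchange) {
            # Step 3: remove the device partnership (dry run unless -Commit is given).
            Remove-ActiveSyncDevice -Identity $d.Identity -Confirm:$false -WhatIf:(-not $Commit)
        }
        # Step 4: one log row per device, recording whether it was really removed.
        $d | Select-Object @{n='Time';e={Get-Date -Format s}}, Mailbox, DeviceType, Identity, Reason,
                           @{n='Removed';e={ $haveExchange -and [bool]$Commit }}
    }
    $log | Export-Csv -Path $LogPath -NoTypeInformation
    return $log
}

# Constructed sample data: one fresh device, one stale device, one that never synced.
function New-SampleRow($Mailbox, $Identity, $Type, $LastSync) {
    New-Object PSObject -Property @{
        Mailbox = $Mailbox; Identity = $Identity; DeviceType = $Type; LastSuccessSync = $LastSync
    }
}
$now = [datetime]'2012-05-10'
$sample = @(
    (New-SampleRow 'alice@example.com' 'alice/iPhone-1'  'iPhone'  ([datetime]'2012-05-01')),
    (New-SampleRow 'alice@example.com' 'alice/iPad-1'    'iPad'    ([datetime]'2012-02-14')),
    (New-SampleRow 'bob@example.com'   'bob/Android-1'   'Android' $null)
)

$stale = Select-StaleActiveSyncDevice -DeviceStatistics $sample -Now $now
New-DeviceRemovalNotice -StaleDevice $stale | Format-List To, Body
Remove-StaleActiveSyncDevice -StaleDevice $stale | Format-Table Mailbox, DeviceType, Reason, Removed
```

With the sample data the iPad and the Android device are selected and the iPhone is left alone; nothing is removed until the last call is run with -Commit.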

May 10, 2012   Posted in: Uncategorized  8 Comments

GFI MailEssentials Online Reviewed


Introduction

GFI MailEssentials Complete Online (MEO) is a cloud-based anti-spam, anti-malware, and anti-phishing service that provides outsourced services for messaging hygiene, as well as additional capabilities. Email admins can add MEO to an existing messaging infrastructure without significant changes or costs, and pay for the service as an annual per-user subscription.

Requirements and Setup

MEO is designed to make implementation quick and easy. Once you have set up an account on the service, you need to perform four additional steps:

1. Provision your users in the system

2. Configure where the service should deliver clean mail

3. Create MX records for your domain(s) that point to the service

4. Optionally, configure your email system to route outbound mail through the service.

 

With the ability to import users or sync via LDAP or SQL, you can be up and running in a matter of minutes – this is not a service that takes many hours or days to set up.

Sending your outbound email through an anti-spam service may seem strange, but there are several advantages to doing this. In addition to screening your outbound messages for malware or anything that might look like spam, there are additional benefits we’ll go over below.

clip_image002

For ease of setup, we give this a score of 5/5.

Out of the box configuration

Once mail is flowing through the system, your users are protected from malware, and to a lesser extent, spam. By default, all messages detected as spam will continue to be delivered to users, though the subject line will be prepended with SPAM. You will probably want to change that default to “Redirected to the recipient’s junk mail quarantine”, but this lets you get a feel for what MEO will do without actually changing the mail flow to start.

clip_image004

You can also adjust the aggressiveness of the filtering, and choose whether or not to use greylisting, which can reply to unrecognized servers with a deferral message. With greylisting enabled, legitimate mail servers will receive the initial deferral and then retry the message delivery, while most spam systems will simply receive the deferral message and give up.

You can also implement scheduled summary messages (“digests”), which will notify each user of all messages sent to them which were blocked as spam, and enable them to release any false positive messages without having to open a helpdesk ticket, contact an administrator, or even access the control panel.

As an anti-spam service, we’d expect it to quarantine spam by default rather than flag and forward it, so we give this a 4/5.

Management Interface

As you can see from the screen shots above, the management interface is clean and well designed, with an easy-to-follow logic and tab-based approach. The interface works well on practically any browser and operating system we tested, except for mobile devices.

As heavy iPhone users, we’d give higher marks to any service that we can use with our mobile devices, but it’s hard to find fault with such a clean and intuitive setup. 4/5.

Customization

Every customer will want to be able to customize the service, and MEO offers several options to tailor the service to better suit your needs. Whitelists and blacklists can be created based on FROM Address, TO Address, subject and source IP, you can block or allow based on character sets and attachment types, and also completely block things like egregious spam, viruses, and NDRs.

clip_image005

One thing we found missing was keywords. The service lets you white/blacklist by subject, but not by words in the body. It might be nit-picking, but we missed that option. Still, with all the options available, this still earns 4/5.

Performance and Accuracy

MEO performs exceptionally well, with a high degree of accuracy. During our trial we saw no spam get through the filters, and no appreciable delay in either inbound or outbound message flow. With only a couple of false positives, which were easily released, we have to give MEO 5/5 here.

Extras

We mentioned additional benefits above, and here’s what we were talking about. With all your inbound and outbound mail flowing through MEO, you can enable optional archiving to keep a record of all your email. Archiving is becoming a requirement for more and more companies, and being able to deploy it without any additional hardware or software is a great value-add. But that’s not all.

MEO allows users to log in to the portal to check for, and release, their own quarantined messages. Instead of opening countless helpdesk tickets, they can take care of themselves.

Perhaps most importantly, the service includes built-in “email continuity”. This means that any time your mail server is off-line, for maintenance or any other reason, users can simply log on to the MEO console and can use the service to send and receive emails while the production mail system is down. Given how much organizations depend on email these days, this is a very valuable feature.

With all this extra capability, we give this 5/5.

Conclusion

GFI MailEssentials Complete Online is a great service for email hygiene with several valuable bonus features for customers. The ease with which it can be implemented, its effectiveness, and its accuracy make for a very powerful protection for your users. Averaging 4.5/5, we consider this a great product.

April 29, 2012   Posted in: General  Comments Closed

