One moment please...
 
 
Exact Synergy Enterprise   
 

Revised Checklist for Background Job Exact.Jobs.SysExchange.x64.dll

Introduction

Exact.Jobs.SysExchange.x64.dll replaces Exact.Jobs.SysExchange.dll in a 64-bit environment (for example, D:\Synergy\bin\Exact.Process.exe"  /DBCONFIG:Synergytest /ASSEMBLY:Exact.Jobs.SysExchange.x64 /CLASS:SysExchange_x64 /E:TEST-EXCH2), as CDO is not supported in that environment. While the functionalities of Exact.Jobs.SysExchange.x64.dll have been kept as close as possible to Exact.Jobs.SysExchange.dll, changes have been made to the following prerequisites and features:

  • CDO is no longer used. WebDAV is used as the interface to connect to the Exchange server.
  • Microsoft .Net 2 Framework is required, as the library is coded in VB.Net.
  • Ability to connect to the Exchange server over SSL or HTTP.

This document attempts to list out the extra configurations needed on top of what has already been listed in Checklist Background job SynergyExchange.exe.

Note: Form Based Authentication is not supported.

Description

a) WebDAV

Please check and ensure that WebDAV is enabled in IIS and Microsoft Exchange Server. WebDAV is installed automatically with IIS5.0, but you would have to install it manually with IIS6.0 and IIS7.0.

To check if WebDAV has been installed on IIS5.0 and IIS6.0:

    1.    Go to Microsoft Windows Start button, click Settings, and then click Control Panel. Select Add or Remove Programs, and then select Add/Remove Windows Components.

    2.    Click Application Server, and then click Details.

    3.    Click Internet Information Services (IIS), and then click Details.

    4.    Click World Wide Web Service, and then click Details. WebDAV is installed if the WebDAV Publishing check box is selected.

An extension is needed if you want to install WebDAV on IIS7.0. For more information, see http://learn.iis.net/page.aspx/350/installing-and-configuring-webdav-on-iis-70. In case the given site is not available, see Appendix 1.

b) Send As Rights

Please note that Exact.Process.Exe requires the Send As right to be granted to the person running the job.

For more information on the steps to grant the Send As right in Microsoft Exchange Server 2007, see http://crosbysite.blogspot.com/2007/10/granting-as-rights-in-exchange-2007.html. In case the given site is not available, see Appendix 2.

For more information on the steps to grant the Send As right in Microsoft Exchange Server 2000 and Microsoft Exchange Server 2003, see http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm. In case the given site is not available, see Appendix 3. For more information, see Checklist background job SynergyExchange.exe.

c) SSL

i) Enabling SSL in Microsoft Exchange

To connect with Microsoft Exchange Server over SSL, check that the WebDAV interface to Microsoft Exchange uses SSL. This setting depends on two sites automatically installed in the Exchange server, which are "Exchange" and "public".

If you are using Windows Server 2008:

    1.    Go to Microsoft Windows Start button, click Settings, Control Panel, Administrative Tools, Internet Information Services, [Server Name], Sites, Exchange.

    2.    Then, click SSL Settings under the Security tab. Ensure that the Require SSL check box is selected.

    3.    Make sure that you have selected Ignore at Client certificates.

    4.    Finally, repeat steps 1 to 3 for the ‘public’ site.

If you are using Windows Server 2003:

    1.    Go to Microsoft Windows Start button, Settings, and then click Control Panel. Select Administrative Tools, and then Internet Information Services, [Server Name], Web Sites, Exchange.

    2.    Next, click Action, Properties, and then click the Directory Security tab. In the Secure Communications section, click Edit. Ensure that the Require secure channel (SSL) check box is selected.

    3.    Make sure the Ignore client certificates check box is selected.

    4.    Finally, repeat steps 1 to 3 for the "public" site.

ii) Export Certificate

In order to use SSL, the computer where you will be running Exact.Process.Exe must have the Exchange server’s certificate installed as a "Trusted Root Certification Authority". This must be installed even if you are running Exact.Process.Exe on the Exchange server itself.

Only an Exchange Administrator has the rights to perform the installation. See the following steps for more information on the installation:

    1.    To check which certificate Exchange is using, go to Microsoft Windows Start button, click Settings, and then click Control Panel. Select Administrative Tools, and then Internet Information Services, [Server name], Select Server Certificates. Find the certificate named Microsoft Exchange.

    2.    Run mmc.exe, File, Add/ Remove Snap-in, Add the Certificates snap-in.

    3.    Then, locate the certificate you found in step 1, click Action, click All Tasks, and then click Export. Be sure not to include the private key in Export.

    4.    Copy the exported certificate to the computer where you will run Exact.Process.Exe, and then install the certificate under "Trusted Root Certification Authorities".

Note:
i. There are many ways of exporting the certificate, and it does not matter how you export the certificate as long as it is the correct one. The most important step is installing the certificate on the Job server, which is explained in step 4.
ii. If the cert was issued to 'webmail.Exact.nl', and it is different from the Exchange name (the E param that use in background job) for instant 'Exact-dta', please follow step bellow to adjust your host file :

Routing in hosts, if contact exchange from an internal address with a certificate
- In Jobserver
- Change the param 'E' in the background job to 'webmail.Exact.nl' (depend the name of  'issued to' in the certificate)
- Open Hosts file with notepad (C:\WINDOWS\system32\drivers\etc) or (C:\WINNT\system32\drivers\etc )
- Add in 111.111.111.111 (Exchange server IP address) with 'webmail.Exact.nl' at the bottom, Example:
-------------------------------
127.0.0.1       localhost
111.111.111.111 webmail.Exact.nl
-------------------------------
- Save, and close the host file

d) Special Characters in Internet Information Services (IIS) 7.0

Internet Information Services (IIS) 7.0 changes the default behaviour of allowing double escape sequences in URLs (it is now denied by default). When this option is set to Deny, appointments created in Exchange with two or more consecutive special characters (!,@,#,$,%, etc) in the Subject field will not be synched, as the appointment is not accessible by WebDAV (it returns a 404.11 error). To change this behaviour:

    1.    Locate the following directory: %windir%\System32\inetsrv\config.

    2.    Open applicationHost.config with Notepad. Locate the following code:

    <section name="requestFiltering" overrideModeDefault="Deny" />

    under Exchange, and replace it with:

    <section name="requestFiltering" overrideModeDefault="Allow" />

    3.    Then, add:

    <requestFiltering allowDoubleEscaping="True" />

    under Exchange within the <security> tag.

    4.    Save and run iisreset.exe.

Note: This is a security change. Please understand the scope of the change, and discuss it with your internal IT/ Infrastructure team before implementing this change.
 
 
 

Appendix 1: Installing WebDAV on IIS 7.0

Excerpt taken from http://learn.iis.net/page.aspx/350/installing-and-configuring-webdav-on-iis-70.

Prerequisites

The following items are required to complete the procedures in this article:

·         IIS 7.0 must be installed on your server, and the following must be configured:

o    The Default Web Site that is created by the IIS 7.0 installation must still exist.

o    The Internet Information Services Manager must be installed.

o    At least one authentication method must be installed.

Note: If you choose to use Basic Authentication with the WebDAV redirector, you must connect to your server using HTTPS.

·         The WebDAV Redirector must be installed:

o    You must use Server Manager to install the Desktop Experience feature before you can use the WebDAV redirector.

Downloading the Right Version for Your Server

There are two separate downloadable packages for the new WebDAV extension module. You need to download the appropriate package for your version of Windows Server 2008:

·         32-bit Installation Package: WebDAV for IIS 7.0 (x86)

·         64-bit Installation Package: WebDAV for IIS 7.0 (x64)

Launching the Installation Package

You must run the installation package as an administrator. This can be accomplished by one of the following methods:

·         Logging in to your server using the actual account named "Administrator", then browsing to the download pages listed above or double-clicking the download package if you have saved it to your server.

·         Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting "Run as administrator", then typing the appropriate command listed below for your version of Windows to run the installation:

o    32-bit Windows Versions: msiexec /i webdav_x86_rtw.msi

o    64-bit Windows Versions: msiexec /i webdav_x64_rtw.msi

Walking through the installation process:

    1.    When the installation package opens, you will see the following screen:

     

    2.    If you agree to the license terms, select the I accept the terms in the License Agreement check box, then click Install.

    3.    The progress indicator will reflect the status of the installation as it proceeds. See the following screen as an example:

     

    4.    After the installation has completed, click Finish.

     

    5.    The WebDAV extension module is now installed.

     

Appendix 2: Granting Send As Right in Exchange 2007

Excerpt taken from: http://crosbysite.blogspot.com/2007/10/granting-as-rights-in-exchange-2007.html.

To grant the required permissions, see the following steps:

    1.    At the command prompt, type “ADSIedit.msc”. This requires the Windows Server 2003 Support Tools.

    2.    In the Action menu, select Connect to….

    3.    Next, select Select a well known Naming Context.

    4.    Select Configuration from the drop-down list.

    5.    By default, the Default (Domain or server that you logged in to) option is selected. Leave this button selected if the machine you are logged in to is in the same domain as the Exchange 2007 organization. If the machine you are logged in to is in a different domain, select Select or type a domain or server and enter the domain controller name.

    6.    Click OK to return to the ADSI Edit window.

    7.    Select the Configuration node that contains the name of the domain controller that holds your Exchange 2007 organization. Navigate to CN=Services | CN = Microsoft Exchange |
    CN=”Your Exchange Organization”.

    8.    Right-click the organization node and select Properties.

    9.    Then, under the Security tab, click Advanced.

    10. Click Add, and select the appropriate user or group.

    11. In the Permission Entry window, ensure that Apply Onto is set to this object and all child objects.

    12. Under the Allow column, select the Full Control check box.

    13. Click OK to add the entry, and click OK again to exit.

    14. Finally, close ADSIedit.

Be very sure that the accounts you use are not also in any groups which are denied the Send As right, or you will still be denied.  By default, the Domain Admins, Enterprise Admins, and Exchange Organization Administrators groups are denied the Send As right and should be kept that way.

Appendix 3: Granting Send As Right in Exchange 2000 & Exchange 2003

Excerpt taken from: http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm.

In Microsoft Exchange Server 5.5, when you grant Service Account Admin privileges on the Site container to a Microsoft Windows account, you grant that account unrestricted access to all mailboxes. Because Exchange 2000 and Exchange Server 2003 do not use a service account, even accounts with Enterprise Administrators rights are denied the right to access all mailboxes, by default.

This means that Exchange Full Administrators do not have the right to open any mailbox found on any server within the Exchange organization.

In fact, if your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins group, then you are explicitly denied access to all mailboxes other than your own, even if you have full administrative rights over the Exchange system.

However, unlike Exchange Server 5.5, all Exchange 2000/2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mails.

This default restriction can be overridden in several ways, but doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.

To grant rights to an Exchange 2000 or an Exchange 2003 mailbox:

Note: You must have the appropriate Exchange administrative permissions to do so.

    1.    Start Active Directory Users and Computers.

    2.    On the View menu, ensure that the Advanced Features check box is selected.

    Note: This is not necessary on Exchange Server 2003 because of the fact that the Exchange Advanced tab is exposed by default.

    3.    Right-click the user whose mailbox you want to give permissions to and select Properties.

    4.    Under the Exchange Advanced tab, click Mailbox Rights. Notice that the Domain Admins and Enterprise Admins have both been denied access to Full Mailbox.

    5.    Next, click Add, click the user or group to whom you want to give the access to this mailbox, and then click OK. Be sure that the user or group is selected in the Name box.

    6.    In the Permissions list, click Allow at Full Mailbox Access, and then click OK.

    7.    Click OK until you finish the set up.

Warning: If the Group or User name list is empty and you only see one line with the name of SELF, seeSELF Permission on Exchange Mailboxes before you modify the permission settings.

Note: If the purpose of granting such access is to permit the usage of the EXMERGE utility (for an example of such requirement, see How do I use EXMERGE to delete specific messages from Exchange 2000/2003 mailboxes?), grant the Receive As permission. You can also grant the Full Control permission for a complete access.

To grant rights to Exchange 2000 or an Exchange 2003 mailbox located within a specific mailbox store:

Note: You must have the appropriate Exchange administrative permissions to perform this.

    1.    Start Exchange System Manager.

    2.    Drill down to your server object within the appropriate Administrative Group. Expand the server object and find the required mailbox store within the appropriate Storage Group. Right-click it and select Properties.

    3.    Then, go to the Security tab.

    4.    Click Add, click the user or group to whom you want to give the access to the mailbox, and then click OK. Be sure that the user or group is selected in the Name box.

    5.    In the Permissions list, click Allow at Full Control, and then click OK.

    Note: Make sure that the Deny check box next to the Send As and Receive As permissions is not selected.

    6.    Click OK until you finish the set up.

To grant rights to Exchange 2000 or an Exchange 2003 mailbox found on a specific server:

Note: You must have the appropriate Exchange administrative permissions to perform this.

    1.    Start Exchange System Manager.

    2.    Drill down to your server object within the appropriate Administrative Group. Right-click it and select Properties.

    3.    Then, go to the Security tab.

    4.    Click Add, click the user or group to whom you want to give the access to the mailbox, and then click OK. Be sure that the user or group is selected in the Name box.

    5.    In the Permissions list, click Allow at Full Control, and then click OK.

    Note: Make sure that the Deny check box next to the Send As and Receive As permissions is not selected.

    6.    Click OK until you finish the set up.

Note: It might take some time before the changes you have made will take effect. The amount of time needed is influenced by the number of domain controllers, Global Catalogs, and site replication schedules and intervals. On one domain with one site containing multiple domain controllers, it might take up to 15 minutes before you can begin using these new permissions. On single servers that are also DCs, you can speed up the process by restarting the Information Store service.

Related document

     
 Main Category: Support Product Know How  Document Type: Online help main
 Category: On-line help files  Security  level: All - 0
 Sub category: General  Document ID: 17.242.122
 Assortment:  Date: 10-03-2015
 Release:  Attachment:
 Disclaimer