2. Ilse Van Criekinge
• Technology Advisor Core UC
• Microsoft Belux
http://blogs.technet.com/ilvancri
ilvancri@microsoft.com
@ivcrieki
3. Agenda
Introduction
Out of the Box
Exchange + RMS
Exchange + SharePoint
Exchange + Lync
Lync + SharePoint
On Premises - Online
4. Future of Communications
Communications Today: separate silos for Instant Messaging (IM), Video Conferencing, Web Conferencing, E-mail and Calendaring, Audio Conferencing, Voice Mail and Telephony, each with its own Authentication, Administration and Storage.
Tomorrow: Telephony and Voice Mail, Instant Messaging, Unified Messaging, E-mail and Calendaring, and Conferencing (Audio, Video, Web) sharing common Authentication, Administration, Storage and Compliance.
Deployment options: On-Premises, Hybrid, In the Cloud.
6. Setting the Scene
DC01 = Windows 2008 R2
EX01 = Windows 2008 R2 + Exchange 2010 SP2
LYNC01 = Lync 2010
SP01 = SharePoint 2010
7. Out Of The Box
Presence integration = embedded presence and click-to-communicate in SharePoint sites
8. Out Of The Box, But...
Users must have Office 2010, Office 2007, or Microsoft Office 2003 with the latest service pack installed to view extended presence information on a SharePoint Server page!
The name.dll file is an ActiveX® control that calls the Lync API directly to request and display presence status within SharePoint site collections.
10. Information Protection and Control
Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:
MONITOR e-mail for specific content, recipients and other attributes
CONTROL distribution with automated, granular policies
PROTECT access to data wherever it travels using rights management
PREVENT
• Violations of corporate policy and best practices
• Non-compliance with government and industry regulations
• Loss of intellectual property and proprietary information
• High-profile leaks of private information and customer records
• Damage to corporate brand image and reputation
11. Benefits of Automated Controls
Reduce User Error
• Majority of data loss incidents are accidental
• Users forget policies or apply incorrect policy
Enable More Consistent Policy
• Automation facilitates rapid policy changes across the
organization
• Critical for internal/external governance and compliance
Improve Efficiency
• Offload complex data policies from users
• Enable centralized policy creation, execution and management
12. Benefits of Granular Controls
From LESS RESTRICTIVE to MORE RESTRICTIVE:
Alert (Mailtips): "Allow delivery but add a warning."
Modify (Transport Rules, Exchange/FOPE/EHE): "Allow delivery but modify message."
Protect (Transport Rules): "Allow delivery but prevent forwarding."
Redirect (Transport Rules): "Block delivery and redirect."
Classify (Message Classification): "Allow delivery but apply classification."
Append (Transport Rules): "Allow delivery but add a disclaimer."
Review (Moderated Mailbox): "Block delivery until reviewed."
Block (Transport Rules): "Do not deliver."
13. Information Rights Management
Persistent protection
Protects your sensitive information no matter where it is sent
Usage rights locked within the document itself
Protects online and offline, inside and outside of the firewall
Granular control
Users apply IRM protection directly within an e-mail
Organizations can create custom usage policy templates such as
"Confidential—Read Only"
Limit file access to only authorized users
Information Rights Management (IRM) provides
persistent protection to control who can
access, forward, print, or copy sensitive data within an
14. IRM Decryption
Enable scanning, filtering, journaling
Protected messages are sent to the transport server
Messages and attachments are decrypted to enable content filtering and transport rules
Infected messages and spam can be filtered
Messages are re-encrypted and delivered
Journaled messages include a decrypted clear-text copy
15. AD RMS Workflow
(Diagram: Database Server, AD RMS Cluster and Active Directory; the Information Author publishes and the Information Recipient consumes, in steps 1 to 9 that are not legible in this extract.)
16. Configuring AD RMS for Exchange
Default Do Not Forward
Give Exchange servers the ability to access AD RMS by setting appropriate permissions on the AD RMS certification pipeline
Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group
27. Hybrid = Trusted Publishing Domains
MsBelux.Be (on-premises) and MicrosoftBelux.OnMicrosoft.Com (Office 365):
1. MsBelux.Be exports private key and SLC
2. Office365 imports private key and SLC
3. Koen sends IRM-protected message to Ilse
4. Ilse sends PL and RAC with request for UL from O365
5. Office 365 uses imported private key to decrypt PL and issues UL
28. Step 1: MsBelux.Be exports private key and SLC (MsBelux.Be and MicrosoftBelux.OnMicrosoft.Com)
32. Step 2: Office365 Imports Private Key and SLC
1. MsBelux.Be exports private key and SLC
2. Office365 imports private key and SLC
39. Step 3: Send a Mail
1. MsBelux.Be exports private key and SLC
2. Office365 imports private key and SLC
3. Koen sends IRM-protected message to Ilse
41. Step 4 + 5: Read Mail
1. MsBelux.Be exports private key and SLC
2. Office365 imports private key and SLC
3. Koen sends IRM-protected message to Ilse
4. Ilse sends PL and RAC with request for UL from O365
5. Office 365 uses imported private key to decrypt PL and issues UL
44. Exchange - SharePoint
My Picture
Outlook Integration
Indexing Public Folders
Web Parts
46. Lync 2010 and My Picture
Lync can display a photo from:
AD DS: thumbnailPhoto (SharePoint/Exchange)
URL (JPEG and publicly readable)
thumbnailPhoto
Introduced in Active Directory 2000
Default size is 100Kb (EMS limits to 10Kb)
Requires Outlook 2010 and a forest schema extended to the 2008 version or later
Replicate to Global Catalog
47. Lync 2010 and My Picture
Controlling = CsClientPolicy
DisplayPhoto
MaxPhotoSizeKB (default = 30Kb)
Not stored in GalContacts.db
Lync uses Address Book Web Query
PhotoHash
PhotoRelPath
PhotoSize
Cached client side & server side
49. Populate Picture
Using Exchange:
Import-RecipientDataProperty
Using SharePoint:
Upload the user's picture on "My Site"
Configure SharePoint 2010 to replicate the picture from the user profile to AD
Perform the Full User Profile Synchronization
54. Indexing Public Folders
SharePoint's search engine can index (crawl) Exchange Public Folders
Supported in SharePoint Server but not in SharePoint Foundation
Can use Search Server Express 2010 for SPF
Fast Search can index (crawl) Exchange Public Folders as well
61. Outlook Web App Web Parts
Access OWA content directly from a URL
Entered in browser
Embedded in an application like SharePoint
Min. permissions required = Reviewer
63. Exchange + Lync
MAPI or EWS
OWA integration
UM integration
Play On Phone
65. Exchange and Lync: MAPI or EWS
Access conversation history and voice mail
Play back voice mail message
Display free/busy information and working hours
Display meeting subject, time, and location
Display Out of Office status and note
Exchange contact sync
Search Outlook personal contacts
118. Small Note: Collocation
Exchange CAS + UM collocated
OWA integration configured
Solution
Safe to ignore
Remove the CsTrustedApplication representing Exchange OWA (be careful when no longer collocating)
134. Lync and SharePoint
Skill Search
Access MySite from Lync – Options
On a SharePoint Server page, view a user's Lync presence indicator and its associated menu or contact card
135. Skill Search in Lync 2010
Requires SharePoint 2007 or later with maintained MySites
SharePoint search center URL is provisioned via in-band settings
SharePoint must be published to the internet
Requires full version of SharePoint (WSS is not sufficient)
143. Integration Possibilities
Exchange Server (on-premises) with Lync Online:
• Lync client presence integration
• IM/Presence in OWA
Exchange Online with Lync Online:
• Lync client presence integration
Exchange Server (on-premises) with Lync Server on-premises:
• Lync client presence integration
• IM/Presence in OWA
• Exchange Voice mail integration
Exchange Online with Lync Server on-premises:
• Lync client presence integration
• IM/Presence in OWA
• Exchange Voice mail integration
Presence integration = OOF messages in Lync, calendar-based presence status, embedded presence in Outlook and Office
SharePoint Server (on-premises) with Lync Online:
• Lync client presence integration
SharePoint Online with Lync Online:
• Lync client presence integration
SharePoint Server (on-premises) with Lync Server on-premises:
• Lync client presence integration
• Skill search in Lync client
SharePoint Online with Lync Server on-premises:
• Lync client presence integration
Presence integration = embedded presence and click-to-communicate in SharePoint sites
145. Ilse Van Criekinge
Thank You!
Editor's notes
SharePoint Presence Internals
SharePoint presence status is displayed through a client-side setting by using a dynamic link library called name.dll. This file is installed with Microsoft Office 2010, Office 2007, and Office 2003 and is located in the Office installation directory (C:\Program Files\Microsoft Office\Office 14). The name.dll file is an ActiveX® control that calls the Lync API directly to request and display presence status within SharePoint site collections. Presence is enabled in SharePoint by default; there are no configuration steps for the SharePoint administrator to perform. Each SharePoint page includes Microsoft JScript® code, which enables presence for that site. JScript uses name.dll to call the Lync API and pull presence for the user names that appear on the site, using each user's SIP URI. The following JScript code is an example of presence being pulled for a user named Bob Kelly, whose SIP URI is bobkelly@contoso.net. The SIP URI is added to the JScript through variables when the script is loaded and presence is being pulled.
<a href='jscript:;' onclick='IMNImageOnClick(event);return false;' class='ms-imnlink'><img name='imnmark' class='ms-imnImg' title='' border='0' height='12' width='12' src='/_layouts/images/blank.gif' alt='No presence information' sip='bobkelly@contoso.net' id='imn_74,type=smtp'/></a><a onclick="GoToLink(this);return false;" </a>
Situation
Just as IRM protection can impede search, it can also break essential parts of the organizational infrastructure, such as transport rules, antivirus and anti-spam scanning, and the indexing and searching of journaled messages.
Slide objective
Discuss the benefits of the IRM decryption agent and how it enables essential systems to process protected messages.
Talking points
[BUILD 1] IRM-protected messages are sent to the transport server.
[BUILD 2] IRM decryption in Exchange 2010 enables organizations to grant transport agents content access rights to messages protected against their own RMS servers. This enables transport agents to perform actions such as content filtering and the application of transport rules. Transport decryption decrypts both the message and the supported attachments (MS Office 2003, 2007 and 14), as long as the attachments were protected along with the message.
[BUILD 3] Messages are then re-encrypted and delivered. Infected messages and spam can be filtered. IRM decryption can also be used with journaling to ensure that journal reports sent to journal mailboxes or third-party archives contain a decrypted (clear-text) copy of IRM-protected messages. This allows for indexing and searching of IRM-protected messages for legal discovery and regulatory purposes.
Lync 2010 queries Lync Server 2010 by using the Address Book Web Query (ABWQ) to retrieve photos. The query response includes three attributes: PhotoHash contains a hash value of the photo binary data and is used to determine whether the current photo has changed; PhotoRelPath contains the relative path to the actual photo stored on the server; PhotoSize is the size of the photo in bytes. Lync 2010 then checks the returned PhotoSize against the MaxPhotoSizeKB it obtained from in-band provisioning. If the PhotoSize multiplied by 1024 is less than or equal to MaxPhotoSizeKB, the client retrieves the photo with an HTTP GET request to https://<absInternalServerUrl>/<PhotoRelPath> or https://<absExternalServerUrl>/<PhotoRelPath>, where the base URLs https://<absInternalServerUrl> and https://<absExternalUrl> are obtained through in-band provisioning.
The client then caches the photo of the signed-in user locally. It also stores the PhotoRelPath, PhotoSize, and PhotoHash in the cached Address Book Service (ABS) entry for the user, together with a timestamp that indicates when the photo was downloaded from the Lync Server. This cached data is located in %userprofile%\AppData\Local\Microsoft\Communicator\sip_<SIP URI>\ABS_<SIP URI>.cache. To avoid downloading the photo every time, Lync uses the photo from its cache. 24 hours after Lync caches the photo, the client sends a request to the server to find out whether the photo has changed by comparing the PhotoHash value sent by the server to its local value. If the photo has changed, Lync updates its cache with the new photo and resets the timestamp.
On the server side, the Address Book Service (ABS) is responsible for handling photos. The component responsible for this functionality is in ABWQ and is exposed through the Distribution List Expansion (DLX) web service. The server uses a cache to limit the load on the Active Directory global catalog servers when requesting photos read from the thumbnailPhoto attribute. When the ABS receives a request for a photo from a client, it first checks whether it already has the photo in its cache. The photos are cached in the same folder as the address book files, <Lync Server filestore>\<WebServer Service Id>\ABFiles\<GUID>\<GUID>; it is the folder whose GUID is all zeroes. The photos are stored as individual files with file names in the format <ContactId>.<PhotoHash>.photo (see Figure 2). The client sends the ContactId and the PhotoHash value of the photo in the search request to the server. If this PhotoHash value matches the hash value in the file name <ContactId>.<PhotoHash>.photo, ABS returns the PhotoRelPath value pointing to that file, because the picture hasn't changed. If the PhotoHash value does not match the hash value in the corresponding file name, or the photo has not yet been cached, ABS gets the photo from the local Active Directory global catalog, computes the hash, stores the photo in the cache, and returns the values of PhotoHash, PhotoRelPath, and PhotoSize to the client. ABS deletes all cached photos in the nightly maintenance window; check event 21056 in the event log and look for "Number of cached photos deleted". This means that it can take up to 24 hours before changed photos appear in the photo cache. To expedite this process you can delete the cached photo for the given user or issue the PowerShell command Update-CsAddressBook.
Photos Referenced in Presence Information
The presence information about a photo also contains a hash value. Lync 2010 uses that hash value to determine whether it needs to get a new photo for a given user. If the hash value is the same and the photo is stored in the cache, Lync 2010 uses the cached version. If the hash value is different from the stored one, it fetches a new photo. The difference between a photo referenced in presence information and a photo stored in Active Directory is that Lync 2010 is automatically notified of changes to the photo configuration through the presence information.
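The client- and server-side photo cache logic described in the notes above, as an added example (not Microsoft's code): it models the three ABWQ attributes, the MaxPhotoSizeKB gate, the 24-hour re-check of PhotoHash, and the <ContactId>.<PhotoHash>.photo file name ABS uses. The hash algorithm, base URL, contact id, relative path and photo bytes are assumptions, and the size check assumes the notes mean PhotoSize in bytes compared with MaxPhotoSizeKB times 1024.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

CACHE_TTL = timedelta(hours=24)  # client re-checks the server's PhotoHash after 24 h

@dataclass
class AbwqPhotoInfo:  # the three attributes an Address Book Web Query returns
    photo_hash: str
    photo_rel_path: str
    photo_size: int  # bytes

@dataclass
class CachedPhoto:  # what the client keeps in its ABS_<SIP URI>.cache entry
    photo_hash: str
    downloaded_at: datetime

def abs_cache_filename(contact_id: str, photo_bytes: bytes) -> Tuple[str, str]:
    # Server side: ABS hashes the thumbnailPhoto bytes and stores the file as
    # <ContactId>.<PhotoHash>.photo. The notes name no hash algorithm; SHA-1 is assumed.
    photo_hash = hashlib.sha1(photo_bytes).hexdigest()
    return photo_hash, f"{contact_id}.{photo_hash}.photo"

def client_decision(info: AbwqPhotoInfo, cached: Optional[CachedPhoto], max_photo_size_kb: int,
                    now: datetime, base_url: str) -> Tuple[str, Optional[str]]:
    # Client side. Size gate from in-band MaxPhotoSizeKB; assumes bytes vs KB*1024 is meant.
    if info.photo_size > max_photo_size_kb * 1024:
        return "skip", None
    if cached is not None and now - cached.downloaded_at < CACHE_TTL:
        return "cache", None  # younger than 24 h: served from cache, no server query
    if cached is not None and cached.photo_hash == info.photo_hash:
        return "cache", None  # re-checked after 24 h, PhotoHash unchanged
    return "download", f"{base_url}/{info.photo_rel_path}"  # GET absInternalServerUrl/PhotoRelPath

def demo() -> dict:
    # Constructed scenario; the base URL and relative path stand in for real provisioning values.
    now, base = datetime(2012, 5, 1, 12, 0), "https://lyncweb.example.invalid"
    h, fname = abs_cache_filename("contact-42", b"constructed-jpeg-bytes")
    info = AbwqPhotoInfo(h, f"ABFiles/00000000-0000-0000-0000-000000000000/{fname}", 12 * 1024)
    return {
        "filename": fname,
        "too_large": client_decision(AbwqPhotoInfo(h, "x", 40 * 1024), None, 30, now, base),
        "first_seen": client_decision(info, None, 30, now, base),
        "fresh": client_decision(info, CachedPhoto(h, now - timedelta(hours=1)), 30, now, base),
        "stale_same": client_decision(info, CachedPhoto(h, now - timedelta(hours=25)), 30, now, base),
        "stale_changed": client_decision(info, CachedPhoto("old", now - timedelta(hours=25)), 30, now, base),
    }
```

Running demo() shows the four client outcomes side by side; deleting the server-side file or running Update-CsAddressBook, as the notes describe, is what makes a changed photo visible before the nightly cleanup.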