Friday, July 31, 2015

Subject Exchange: Weekend reading



from Exchange News Full Article

msexchange.org: Office Mobile apps for Windows 10 are here!

It’s a big day for Microsoft and we are excited to be part of it! Today, we’re pleased to announce the availability of the Office Mobile apps on Windows 10—bringing us one step closer to our vision of reinventing productivity. Customers can immediately download and install the apps from the new Windows Store in 190 countries.

from Exchange News Full Article

msexchange.org: Windows 10 updates for Office 365 admins

What capabilities in Windows 10 will benefit Office 365 admins? During the Microsoft Ignite conference in May, we invited Michael Niehaus—veteran Windows deployment and management expert—to present updates for managing Windows 10. Many of these updates accrue to and leverage the work people are doing to implement Office 365 and broader Microsoft Cloud services.

from Exchange News Full Article

MSExchange.org: Off-boarding email from Office 365 to Exchange 2013 (Part 2)

In the first part of this series we looked at our example organization, then after checking a few pre-requisites within the Office 365 tenant and on-premises, exported account information from the cloud. In this part of the series we’ll import that information in the local Active Directory and then install Azure Active Directory Sync.

from Exchange News Full Article

msexchange.org: Exchange TLS & SSL Best Practices

Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment.

from Exchange News Full Article

Tony Redmond: Connecting to SharePoint Online with PowerShell

In my last post, I covered the basics of connecting to Exchange Online with PowerShell, including some optional modules to handle Azure Active Directory Rights Management and the Rights Management service.

Another module you might have to load allows you to manage SharePoint Online. I don’t use this very often because the PowerShell support for SharePoint Online (including OneDrive for Business) is a lot less functional (IMHO) than the Exchange equivalent. Thus, I find that most SharePoint management operations are directed towards the GUI.

The first thing to do is to download and install the SharePoint Online management shell. This package appears to assume that it will run on its own and not inside a PowerShell session where other tasks are performed. To get the SharePoint cmdlets to load, you need to include a line like this in your session (or PowerShell profile).

Import-Module "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell"

Once that’s done, you can connect to SharePoint Online with a command like this:

Connect-SPOService -Url "http://ift.tt/1D6H9Kh" -Credential $O365Cred

Notice that I use the same variable containing my Office 365 credentials as I use to connect to Exchange Online and Microsoft Online Services (see the previous post).
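The shared-credential pattern the post refers to, written out as an added example (this is not Tony's code): one credential object prompted for once and reused for both the Exchange Online remote session and the SharePoint Online shell. The admin URL (contoso-admin.sharepoint.com) and the module path are assumptions; substitute your tenant's values.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell is installed at its default path and that the tenant admin
# site is https://contoso-admin.sharepoint.com (placeholder).

# Prompt once; never hard-code the password in a profile or script.
$O365Cred = Get-Credential -Message 'Office 365 admin account'

# Exchange Online remote PowerShell, using the same credential object.
$exoSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $exoSession -DisableNameChecking | Out-Null

# SharePoint Online: the module does not auto-load, so import it explicitly.
Import-Module 'C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell' -DisableNameChecking
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com' -Credential $O365Cred

# Quick sanity check that both connections work.
Get-Mailbox -ResultSize 1 | Select-Object DisplayName
Get-SPOSite -Limit 1 | Select-Object Url, Owner

# Tear down the Exchange session when finished.
Remove-PSSession $exoSession
```

Keeping the credential in a variable rather than in the profile means it lives only for the session; if you script this unattended, store it with Export-Clixml under the account that will run the job instead of embedding a password.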

A list of the SharePoint Online cmdlets is available in TechNet. Don’t get too excited now.

Follow Tony @12Knocksinna




from Exchange News Full Article

Exchange Team Blog: Exchange TLS & SSL Best Practices

Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment.

It has been suggested by some external parties that customers need to disable TLS 1.0 support. One piece of guidance we are aware of suggests taking steps to prepare to disable TLS 1.0 in summer of 2016. Another piece of guidance suggests that TLS 1.0 should not be used with internal-only applications (we do not believe that Exchange is typically used in this manner, as it connects to the outside world via SMTP). While we believe the intentions of both proposals are good and will promote adoption of TLS 1.1 & 1.2, at this time, we do not yet recommend disabling TLS 1.0 on your Exchange Server(s).

Additionally, while TLS 1.1 & 1.2 are superior to TLS 1.0, the real world risks may be somewhat overstated at this point due to mitigations that have been taken across the industry. Of course, security is rarely a binary decision: disabling TLS 1.0 doesn’t suddenly turn something insecure into something secure. That said, we will continue to work towards the goal of making TLS 1.1 & 1.2 work fully with Exchange and a broad array of clients.

More importantly, many customers may not have taken initial steps towards following current best practices. We believe that the first step towards a more secure environment is to have a TLS organizational awareness. While disabling TLS 1.0 on Exchange is not advised at this time, there are definite steps which can be taken today. TLS 1.0 is not widely viewed as insecure when SSL 3.0 is disabled, machines are properly updated, and proper ciphers are used. The current recommendations, which will continue evolving, are as follows:

  • Deploy supported operating systems, clients, browsers, and Exchange versions
  • Test everything by disabling SSL 3.0 on Internet Explorer
  • Disable support for SSL 3.0 on the client
  • Disable support for SSL 3.0 on the server
  • Prioritize TLS 1.2 ciphers, and AES/3DES above others
  • Strongly consider disabling RC4 ciphers
  • Do NOT use MD5/MD2 certificate hashing anywhere in the chain
  • Use RSA-2048 when creating new certificate keys
  • When renewing or creating new requests, request SHA 256-bit or better
  • Know what your version of Exchange supports
  • Use tools to test and verify
  • Do NOT get confused by explicit TLS vs. implicit TLS
  • (For now) Wait to disable TLS 1.0 on the Exchange server

Let’s get started down the list!

Deploy supported operating systems, clients, browsers, and Exchange versions

Perhaps it goes without saying, but the first step to securing any environment is to make sure that all servers, devices, clients, applications, etc. are updated. Most issues that support sees after following recommendations on Exchange are easily fixed with updates already available from the vendor of the incompatible device (printers, firewalls, load balancers) or software (mailers, etc.).

For Exchange, this means test & apply your Windows & Exchange updates regularly. Two reasons for this – first, an environment is only as secure as the weakest link; second, older software typically won’t let you take advantage of the latest TLS versions and ciphers. Make sure firewalls, old Linux MTAs, load balancers, and mass mailer software are all updated. Make sure the multifunction printers have the latest firmware.

Test everything by disabling SSL 3.0 on Internet Explorer

Disabling SSL 3.0 in the browser is a good first step, because it ensures that all your users remain safe, no matter where they may browse. It also gives you an easy way to test whether websites and applications will continue to work without it. A small part of the Internet still relies on SSL 3.0, but the time for it to be retired is overdue. To test your environment with Internet Explorer, follow KB3009008.

image

Disable support for SSL 3.0 on the client

After testing, you may also consider disabling it at the SCHANNEL layer for all clients. While you are viewing these settings, make sure that your clients have TLS 1.1 & 1.2 enabled. In most cases, the most recent version supported by both the client & server will be used. This is a good way to start moving towards a more secure environment. All supported versions of Windows have TLS 1.1 & 1.2 capabilities, but the older ones may not have them enabled by default.

Note that registry changes under SCHANNEL are only good for applications that use the SCHANNEL API. Some applications could utilize 3rd party or open source security APIs (like OpenSSL) which may not look at these registry keys. Also, note that changes do not take effect until reboot.

Disable support for SSL 3.0 on the server

The next recommendation is to disable SSL 3.0 on all servers, Exchange included. Do this by following all recommendations in the original security bulletin. Since servers can be both clients and servers, it is recommended to follow all applicable steps. As before, while you are viewing these settings, make sure that your servers have TLS 1.1 & 1.2 enabled.

image

Note: Any of these registry changes require a reboot to take effect!

You can do this with confidence because TLS 1.0 will be the minimum which you support. Exchange and Windows have both supported TLS 1.0 for over a decade. TLS 1.0 itself is not considered vulnerable when SSL 3.0 is disabled on clients and servers. In fact, most Exchange sessions already have been using TLS 1.0 or even later, for years. You are simply disabling the ability for the session to be downgraded to SSL 3.0. Disabling SSL 3.0 is typically not too impactful except for clients and devices that are older than (roughly) 10 years old.

These recommendations should have already been carried out in your organization with haste. Even so, the POODLE vulnerability itself does require someone to intercept the traffic and sit between the client and server during the initial session negotiation. While this is not super difficult to accomplish, it is also not trivial. It is a much more severe problem for users who travel and for mobile devices which use hotspots. As many customers do support remote access to email, this is something for Exchange administrators to worry about. Since some mobile device vendors have not released ways to disable SSL 3.0, you can at least keep your Exchange resources safe by disabling SSL 3.0 on the server side.

In addition, enabling support for TLS v1.1 and v1.2 is highly recommended. But leaving TLS 1.0 enabled is a good thing for now. Clients and applications should always prefer the most secure option, provided that Windows, the application, and the client all support it.

Note: If you terminate SSL at load balancers, you’ll want to disable SSL 3.0 there as well (and perform subsequent steps there in addition). Check with your vendor to get their guidance. Also, be sure to check all Exchange servers which may be sharing a single VIP or DNS record.

Office 365 completed these changes, and you will find that SSL 3.0 is not possible for any protocol.
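The client and server SCHANNEL changes described in the two sections above, as an added example (this is not the Exchange Team's script): SSL 3.0 is switched off for both the Client and Server sides, TLS 1.1 and 1.2 are switched on, and TLS 1.0 is left alone as the post recommends. The registry path and the Enabled/DisabledByDefault values are the documented SCHANNEL ones; the helper names are mine.

```powershell
# Added example, not from the Exchange Team Blog. Run elevated. SCHANNEL only
# reads these values at boot, so a reboot is required afterwards.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,                                   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    $on = $State -eq 'Enabled'
    # Servers are also clients (SMTP, proxying to Mailbox), so set both sides.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it
        # out of the default set even when an application asks for "defaults".
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$on) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $on)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side, so the result can be verified here and compared
    # across every Exchange server behind the same VIP or DNS record.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannel "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

Set-SchannelProtocol -Protocol 'SSL 3.0' -State Disabled
Set-SchannelProtocol -Protocol 'TLS 1.1' -State Enabled
Set-SchannelProtocol -Protocol 'TLS 1.2' -State Enabled
# TLS 1.0 is deliberately untouched: the CAS-to-Mailbox proxy and many clients still need it.

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'SCHANNEL protocol changes take effect after a reboot.'
```

Rows showing "(OS default)" mean the key is absent and the operating system's built-in default applies, which is exactly the case the post warns about: older Windows releases have TLS 1.1/1.2 capability but not necessarily enabled. Remember that this only governs SCHANNEL callers; software built on OpenSSL or another library will not read these keys.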

Prioritize TLS 1.2 ciphers, and AES/3DES above others

The next step we recommend is based on a step we took in Office 365 to prioritize the latest ciphers which are considered much more resilient to brute force attack. The thing with ciphers is that it isn’t just about enabling the most secure one and disabling the rest. You want to offer several choices for clients to allow maximum compatibility. You typically want to disable the ones which are the least secure, but leave others to provide choice. The negotiation of a particular cipher depends on:

  1. The client passes an ordered list of ciphers which it supports
  2. The server replies with the best cipher which it has selected (server gets final say)

Changing the order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. Cipher changes are made through this registry key, explained here.

image

Strongly consider disabling RC4 ciphers

Of course, there is a risk that some clients will stop working if you disable too many ciphers. That said, Microsoft has been recommending disabling the RC4 suite of ciphers as a best practice, since RC4 is considered a weak cipher. Disabling RC4 should be done with some care, as it can introduce incompatibilities with older servers and clients, though problems should be minimal because supported versions of Windows have offered 3DES and AES alternatives for years. The rollout of this in Office 365 is in progress and should be completed shortly.
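An added example covering the two sections above (cipher order, then RC4); it is not the Exchange Team's configuration. The suite list is my assumption of a reasonable order (TLS 1.2 AES-GCM first, 3DES last for legacy devices) using the names Windows 10/Server 2016 accept; older releases such as 2012 R2 spell ECDHE suites with a _P256/_P384 suffix, so check the names against what your OS supports before applying.

```powershell
# Added example, not from the Exchange Team Blog. Run elevated; reboot afterwards.

# 1. Cipher suite order. SCHANNEL honours a single comma-separated REG_SZ named
#    'Functions' under this policy key (the same key the post's registry link covers).
$orderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$suiteOrder = @(                                   # assumed order; trim to your clients' needs
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',                # still needed by TLS 1.0-only clients
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'                # last resort for the oldest devices
)
if (-not (Test-Path $orderKey)) { New-Item -Path $orderKey -Force | Out-Null }
New-ItemProperty -Path $orderKey -Name 'Functions' -PropertyType String `
    -Value ($suiteOrder -join ',') -Force | Out-Null

# 2. Disable RC4. The SCHANNEL cipher key names contain a '/', which the registry
#    provider would treat as a path separator (New-Item would create 'RC4 128' with a
#    child '128'), so create them through the .NET registry API instead.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($rc4 in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$ciphersPath\$rc4")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# 3. Show the configured order, numbered, so it can be compared with what an
#    external scanner reports after the reboot.
(Get-ItemProperty -Path $orderKey).Functions -split ',' |
    ForEach-Object -Begin { $i = 0 } -Process { '{0,2}. {1}' -f (++$i), $_ }
Write-Warning 'Cipher order and RC4 changes take effect after a reboot.'
```

Leaving the AES-CBC-SHA and 3DES suites at the bottom is what keeps the decade-old clients the post mentions connecting; removing them is a separate decision to take only after the compatibility testing described later in the post.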

Do NOT use MD5/MD2 certificate hashing anywhere in the chain

The ciphers that can be negotiated depend on the certificate chain in use, so connecting to a host that has an insecure signature algorithm somewhere in its chain can introduce problems. For example, we have seen that Office 365 SMTP transport is no longer able to connect to hosts with MD5 and MD2 hashing because they do not support modern ciphers. This applies to the certificate and any certificates in the chain. We see this with SMTP because Exchange is acting as a client, and because there are many older SMTP systems and firewalls still out there.

Use RSA-2048 when creating new certificate keys

There are a couple of things to watch out for when you renew or reissue certificates. First, when creating your requests, use 2048-bit RSA. Anything less is not considered secure anymore.

When renewing or creating new requests, request SHA 256-bit or better

Second, when you renew, you should consider moving the signature algorithm from SHA1 to SHA2 if you haven’t already done so. This isn’t considered something that you need to worry about until renewal time, unless your certificate happens to be good for another couple of years – in which case, go ahead and take care of it now.

You can check your Exchange certificates with a browser (or in Certificate Manager MMC):

image

This example certificate was generated with Exchange 2013 on Windows 2012 R2. It has an RSA 2048-bit key and has an RSA SHA256 (SHA-2) signature algorithm.
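The three certificate checks above (RSA-2048 keys, SHA-256 signatures, no MD5/MD2 anywhere in the chain) can be scripted rather than read off a browser dialog. This is an added example, not the Exchange Team's tool; it assumes the Exchange service certificates live in the machine Personal store (they do by default) and that the keys are RSA.

```powershell
# Added example, not from the Exchange Team Blog. Walks every certificate with a
# private key in the machine store, builds the chain Windows would trust, and
# flags short keys and weak signature hashes on the leaf and intermediates.

function Test-ExchangeCertificateChain {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store
    )
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Do not fail the walk just because CRL/OCSP is unreachable from this box.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        $findings = @()
        $keySize = $cert.PublicKey.Key.KeySize                    # RSA assumed
        if ($keySize -lt 2048) { $findings += "key is $keySize bits (use RSA-2048)" }

        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $sigAlg = $c.SignatureAlgorithm.FriendlyName           # e.g. sha256RSA, sha1RSA, md5RSA
            # A self-signed root's own signature is not part of the trust decision,
            # so only the leaf and intermediates are checked.
            if ($c.Subject -eq $c.Issuer) { continue }
            if ($sigAlg -match '^(md5|md2)') {
                $findings += "'$($c.Subject)' signed with $sigAlg (must be replaced)"
            } elseif ($sigAlg -match '^sha1') {
                $findings += "'$($c.Subject)' signed with $sigAlg (renew with SHA-256)"
            }
        }
        if (-not $built) {
            $findings += "chain did not build: $($chain.ChainStatus.StatusInformation -join '; ')"
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            KeySize      = $keySize
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            ChainDepth   = $chain.ChainElements.Count
            Findings     = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-ExchangeCertificateChain | Format-Table -AutoSize -Wrap
```

Because the check builds the full chain, it catches the case the SMTP paragraph describes: a perfectly good SHA-256 leaf issued under an MD5-signed intermediate still shows up as a finding. Run it on each server behind a shared VIP, since the chains can differ.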

Know what your version of Exchange supports

Some applications need to be re-compiled and tested to take advantage of these new protocols. So, every part of Exchange and every Windows-based client needs to be examined and tested thoroughly. Currently, for Exchange Server, we are aware of the following limitations:

  • SMTP – a key piece of Exchange server infrastructure – support for TLS 1.1 and 1.2 was added in Exchange Server 2013 CU8 and Exchange Server 2010 SP3 RU9. This means that if you want to add support for the latest ciphers and TLS versions, you may need to apply an update.

IMPORTANT: SMTP is the main protocol used when communicating outside of your organization, something which is a key purpose of email. If you disable TLS 1.0, SMTP would no longer be able to use Opportunistic TLS with any external party which doesn’t support TLS 1.1 or 1.2. Emails will then be sent/received in the clear, which is certainly significantly less secure than TLS 1.0. That said, we have enabled new logging in the Exchange SMTP protocol logs to allow you to audit the impact of future changes on SMTP.

Additional Note: SMTP is notably a protocol where Exchange acts as both a client and a server. Some older server implementations have been observed to incorrectly implement version negotiation. In these cases, the remote servers terminate the connection when Exchange (acting as a client) offers a version newer than TLS 1.0. This results in a complete stoppage of email to these systems. Fortunately, these situations are becoming rare as time passes, but this is pointed out because the effects often are more impactful than a mail client which cannot connect.

  • POP/IMAP – not used as frequently in all environments, but if you do, beware that we only currently support TLS 1.1 and 1.2 on-premises in the Exchange Server 2016 Preview. We hope to make this available in a future CU, or you can make a request for it via proper channels so we can prioritize it. Office 365 already has this support.
  • HTTPS (OWA, Outlook, EWS, Remote PS, etc.) – The support for TLS 1.1 and 1.2 is based on the support in IIS itself. Windows 2008 R2 or later supports both TLS 1.1 and 1.2, though the specific version of Windows may have these disabled or enabled by default. There is another important caveat here: the HTTPS proxy between CAS and Mailbox requires TLS 1.0 in current versions of Exchange Server – so disabling TLS 1.0 between CAS and Mailbox causes the proxy to fail. This is also something we have addressed in the Exchange 2016 Preview. We hope to make this available in a future CU, or you can make a request for it via Support. If you have dedicated roles, you can technically disable TLS 1.0 between the client & CAS, but we still are not recommending this. Office 365 already supports TLS 1.1 & 1.2, if the client supports them.
  • Clients – TLS 1.0 is universal, with near 100% support. Though TLS 1.1 and 1.2 are growing more common, many Exchange clients still do not work with anything but TLS 1.0. For example, at this time, we are tracking multiple issues with Outlook running on Windows 8.0 or older. We are hoping to address these issues soon, but with Windows 7 commonly running in most customer environments, this is a really good reason to not disable TLS 1.0 yet. Comprehensive testing of other clients running without TLS 1.0 has not been completed by Microsoft at this time.

Note: Windows Remote Desktop may also have challenges, depending on your version of Windows. For servers which are managed remotely, be sure to test this first.

Use tools to test and verify

There are several tools and websites you can go to for testing your server(s) and clients. It is highly recommended to do so. Some offer a grading/scoring system. Others offer pass/fail. We’re inclined to recommend one with a scoring system, since security is about risks and tradeoffs. Don’t be surprised if one or more of these tools doesn’t fully test for POODLE and just thinks TLS 1.0 is bad. Use your newfound knowledge to read the results for what they are.

We prefer tools that let you check specific things (like cipher order, or individual TLS/SSL versions) in addition to the blanket “vulnerability tests”. There is also one fantastic (non-Microsoft) website called SSLLabs which simulates multiple clients and can warn you of compatibility issues with the clients which it knows about. For example, here we see that disabling TLS 1.0 would likely cause issues with older versions of Android clients:

image

In addition, you can see how you compare with the rest of the Internet. This is great for HTTPS. Most certificate vendors have test tools available as well, though they have differing coverage of what is tested.

Other tools are available which test additional protocols. Here is a test being run against IMAP on port 993 (referred to as the “SSL binding”; see below for explanation):

image

As you can see, even on port 993, TLS 1.0 is used with AES256.

Do NOT get confused by explicit TLS vs. implicit TLS

In the course of human events, shortcuts are taken. One unfortunate shortcut occurred when TLS 1.0 added optional support for a per-protocol implementation of STARTTLS, also known as “explicit TLS”. Prior to “explicit TLS”, if a server application level protocol wanted to implement SSL/TLS in addition to a non-secure option, it had to take up a separate port on the machine for each. This is “implicit TLS”. See the following chart:

Protocol | IANA port (Explicit TLS) | Protocol | IANA Port (Implicit TLS)
---------|--------------------------|----------|-------------------------
E-SMTP   | 25                       | SMTPS    | 465**
POP3     | 110                      | POPS     | 995
IMAP4    | 143                      | IMAPS    | 993
HTTP     | 80*                      | HTTPS    | 443

* HTTP doesn’t implement explicit TLS, because it is stateless and the overhead would not be worth it.
** Exchange specifically does not support SMTPS (implicit TLS).

The first protocol which implemented this verb was ESMTP. By doing so, SMTP could support clients & servers on the same port, and could also easily implement “opportunistic” TLS/SSL. In fact, Exchange has never supported SMTPS (465), although we do reuse that port by default in Exchange 2013 for one of the three transport roles. For POP and IMAP, Exchange supports both the explicit option and the implicit option.

What can be confusing is that, because STARTTLS didn’t come about until TLS 1.0, some people started confusing explicit TLS with “TLS”, and some mail applications began using the terms interchangeably. So, disabling ports 995 & 993 does not turn off SSL 3.0 (you are disabling implicit POPS & IMAPS, but not SSL) – nor is enabling ports 110 & 143 (explicit TLS) required for TLS 1.x. The terminology is confusing, but the concepts are mostly unrelated. This unfortunate optimization was brought into Exchange:

image

However, tinkering with ports and implicit/explicit should not be necessary as you are NOT disabling SSL 3.0 by doing so. Securing Exchange Server shouldn’t mean changing any of these settings – just the SCHANNEL registry settings discussed above.
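The distinction above (TLS from the first byte on 993/995 versus a plaintext greeting followed by STARTTLS/STLS on 25/143/110) and the "use tools to test and verify" advice earlier can be combined in one probe that reports what the server and SCHANNEL actually negotiated. This is an added example, not the Exchange Team's tool or any of the products they mention; mail.example.com is a placeholder, the protocol handling is deliberately simplified, and the certificate-validation callback records errors rather than enforcing them so the probe still reports on a lab certificate.

```powershell
# Added example, not from the Exchange Team Blog. Negotiates TLS against a mail
# service in implicit or explicit mode and reports the agreed version and cipher.

function Test-MailTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('Implicit', 'Explicit')][string]$Mode = 'Implicit',
        # Versions the client offers. Pass 'Ssl3' alone to confirm a hardened
        # server now refuses it.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls, Tls11, Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $net = $tcp.GetStream()
    $net.ReadTimeout = 10000
    $result = [ordered]@{ Host = $HostName; Port = $Port; Mode = $Mode }
    try {
        if ($Mode -eq 'Explicit') {
            # Explicit TLS: speak the application protocol in the clear, then ask
            # for the upgrade. The verb depends on which service greeted us.
            # The reader/writer are not touched again once the handshake starts.
            $reader = New-Object System.IO.StreamReader($net)
            $writer = New-Object System.IO.StreamWriter($net)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $greeting = $reader.ReadLine()
            $ok = $false
            switch -Regex ($greeting) {
                '^220' {                                           # SMTP
                    $writer.WriteLine('EHLO probe.example')
                    while (($line = $reader.ReadLine()) -notmatch '^250 ') { }   # skip multi-line EHLO reply
                    $writer.WriteLine('STARTTLS')
                    $ok = $reader.ReadLine() -match '^220'
                }
                '^\* OK' { $writer.WriteLine('a1 STARTTLS'); $ok = $reader.ReadLine() -match '^a1 OK' }  # IMAP
                '^\+OK'  { $writer.WriteLine('STLS');        $ok = $reader.ReadLine() -match '^\+OK' }   # POP3
                default  { throw "Unrecognised greeting: $greeting" }
            }
            if (-not $ok) { throw 'Server declined the STARTTLS upgrade' }
        }
        # Implicit TLS, or the upgraded explicit session: the handshake begins now.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:LastCertErrors = $errors      # recorded for the report, not enforced
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)
        $result.Negotiated  = $ssl.SslProtocol
        $result.Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"
        $result.KeyExchange = $ssl.KeyExchangeAlgorithm
        $result.CertErrors  = $script:LastCertErrors
        $ssl.Dispose()
    } catch {
        $result.Negotiated = 'FAILED'
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Probe the usual Exchange endpoints (placeholder host).
Test-MailTls -HostName mail.example.com -Port 25  -Mode Explicit   # ESMTP + STARTTLS
Test-MailTls -HostName mail.example.com -Port 143 -Mode Explicit   # IMAP4 + STARTTLS
Test-MailTls -HostName mail.example.com -Port 993                  # IMAPS, the "SSL binding"
Test-MailTls -HostName mail.example.com -Port 995                  # POPS
# After SSL 3.0 is disabled server-side this one should report FAILED:
Test-MailTls -HostName mail.example.com -Port 993 -Protocols Ssl3
```

Two things the output makes concrete: the "SSL binding" on 993 negotiates whatever SCHANNEL allows (the screenshot in the post shows TLS 1.0 with AES256 there, not SSL 3.0), and the explicit ports go through the same handshake once the STARTTLS verb succeeds, which is why port tinkering changes nothing about the protocol version. Because the probe is itself an SCHANNEL client, run it from a machine whose own client settings you have not yet restricted, or the Ssl3 check will fail on the client side rather than the server side.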

(For now) Wait to disable TLS 1.0 on the Exchange server

In summary, as of July 2015, Exchange currently supports TLS 1.0, but can also support TLS 1.1 & 1.2 with the following minimum requirements met:

Protocol            | TLS v1.1/1.2 Minimum Requirements
--------------------|----------------------------------------------------------------
SMTP                | Exchange 2013 CU8 or Exchange 2010 SP3 RU9
POP/IMAP            | Exchange 2016 Preview
HTTP (server)       | Windows 2008 R2; MAPI clients must run Windows 8.1 or later
HTTP (proxy to MBX) | Exchange 2016 Preview

As you can see, since Exchange Server 2016 isn’t released yet as an in-market product (it is for lab use only at this time), and since Windows 7 is still the most prevalent Windows version, it is quite impractical to fully disable TLS 1.0. Not only will POP/IMAP break (for lack of TLS 1.1 and 1.2 support), but you cannot disable TLS 1.0 on any Exchange server running the mailbox server role. Most importantly, disabling TLS 1.0 will result in compatibility issues with some common mobile devices, clients, and possibly interrupt some Internet email.

Don’t panic – if you have disabled SSL 3.0 and decided on a cipher order that your organization can agree on, you are likely quite secure, and you are not vulnerable to the POODLE attack. Microsoft is committed to adding full support for TLS 1.1 and 1.2. TLS v1.3 is still in draft, but stay tuned for more on that. In the meantime, don’t panic.

image

On a test Exchange lab with Exchange 2013 on Windows Server 2012 R2, we were able to achieve a top rating by simply disabling SSL 3.0 and removing RC4 ciphers. This is nearly as good as one can achieve at the time of this posting on released versions of Exchange without impacting common clients.

image

Additionally, this configuration should be highly compatible with nearly all clients and devices from the past decade or more, while utilizing the latest security with clients which do support it. Of course, security requires a watchful eye as new threats and vulnerabilities are discovered from time to time. As always, stay tuned to Security Bulletins and updates.

Scott Landry
Senior Program Manager, Exchange Supportability



from Exchange News Full Article

msexchange.org: Magic Quadrant for Secure Email Gateways - 2015

The latest Magic Quadrant for Secure Email Gateways from Gartner positioned Microsoft in the leaders quadrant.

from Exchange News Full Article

msexchange.org: Microsoft Exchange Server 2013 Management Pack v15.0.666.19

This management pack includes monitors and rules to effectively monitor Exchange Server 2013 on its performance, availability, and reliability of its server roles.

from Exchange News Full Article

Tuesday, July 28, 2015


msexchange.org: Microsoft Exchange Server 2016 - Preview

Last week Microsoft made available a preview version of Exchange Server 2016.

from Exchange News Full Article

msexchange.org: Office 365 Training: Get it done from anywhere

A training deck about Office 365 is available to download.

from Exchange News Full Article

Monday, July 27, 2015

Tony Redmond: Connecting to SharePoint Online with PowerShell

In my last post, I covered the basics of connecting to Exchange Online with PowerShell, including some optional modules to handle Azure Active Directory Rights Management and the Rights Management service.

Another module you might have to load allows you to manage SharePoint Online. I don’t use this very often because the PowerShell support for SharePoint Online (including OneDrive for Business) is a lot less functional (IMHO) than the Exchange equivalent. Thus, I find that most SharePoint management operations are directed towards the GUI.

The first thing to do is to download and install the SharePoint Online management shell. This package appears to assume that it will run on its own and not inside a PowerShell session where other tasks are performed. To get the SharePoint cmdlets to load, you need to include a line like this in your session (or PowerShell profile).

Import-Module “C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell”

Once that’s done, you can connect to SharePoint Online with a command like this:

Connect-SPOService –URL “http://ift.tt/1D6H9Kh” –Credential $O365Cred

Notice that I use the same variable containing my Office 365 credentials as I use to connect to Exchange Online and Microsoft Online Services (see the previous post).

A list of the SharePoint Online cmdlets is available in TechNet. Don’t get too excited now..

Follow Tony @12Knocksinna




from Exchange News Full Article

Exchange Team Blog: Exchange TLS & SSL Best Practices

Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment.

It has been suggested by some external parties that customers need to disable TLS 1.0 support. One piece of guidance we are aware of suggests taking steps to prepare to disable TLS 1.0 in summer of 2016. Another piece of guidance suggests that TLS 1.0 should not be used with internal-only applications (we do not believe that Exchange is typically used in this manner, as it connects to the outside world via SMTP). While we believe the intentions of both proposals are good and will promote adoption of TLS 1.1 & 1.2, at this time, we do not yet recommend disabling TLS 1.0 on your Exchange Server(s).

Additionally, while TLS 1.1 & 1.2 are superior to TLS 1.0, the real world risks may be somewhat overstated at this point due to mitigations that have been taken across the industry. Of course, security is rarely a binary decision: disabling TLS 1.0 doesn’t suddenly turn something insecure into something secure. That said, we will continue to work towards the goal of making TLS 1.1 & 1.2 work fully with Exchange and a broad array of clients.

More importantly, many customers may not have taken initial steps towards following current best practices. We believe that the first step towards a more secure environment is to have a TLS organizational awareness. While disabling TLS 1.0 on Exchange is not advised at this time, there are definite steps which can be taken today. TLS 1.0 is not widely viewed as insecure when SSL 3.0 is disabled, machines are properly updated, and proper ciphers are used. The current recommendations, which will continue evolving, are as follows:

  • Deploy supported operating systems, clients, browsers, and Exchange versions
  • Test everything by disabling SSL 3.0 on Internet Explorer
  • Disable support for SSL 3.0 on the client
  • Disable support for SSL 3.0 on the server
  • Prioritize TLS 1.2 ciphers, and AES/3DES above others
  • Strongly consider disabling RC4 ciphers
  • Do NOT use MD5/MD2 certificate hashing anywhere in the chain
  • Use RSA-2048 when creating new certificate keys
  • When renewing or creating new requests, request SHA 256-bit or better
  • Know what your version of Exchange supports
  • Use tools to test and verify
  • Do NOT get confused by explicit TLS vs. implicit TLS
  • (For now) Wait to disable TLS 1.0 on the Exchange server

Let’s get started down the list!

Deploy supported operating systems, clients, browsers, and Exchange versions

Perhaps it goes without saying, but the first step to securing any environment is to make sure that all servers, devices, clients, applications, etc. are updated. Most issues that support sees after following recommendations on Exchange are easily fixed with updates already available from the vendor of the incompatible device (printers, firewalls, load balancers) or software (mailers, etc.).

For Exchange, this means test & apply your Windows & Exchange updates regularly. Two reasons for this – first, an environment is only as secure as the weakest link; second, older software typically won’t let you take advantage of the latest TLS versions and ciphers. Make sure firewalls, old Linux MTAs, load balancers, and mass mailer software are all updated. Make sure the multifunction printers have the latest firmware.

Test everything by disabling SSL 3.0 on Internet Explorer

Disabling SSL 3.0 in the browser is a good first step, because it insures that all your users remain safe, no matter where they may browse. Additionally, it easily allows you to test to make sure that websites and applications will continue to work or not. There’s still a small bit of the Internet that is still relying on SSL 3.0, but the time is overdue for it to be retired. To test your environment with Internet Explorer, follow KB3009008.

image

Disable support for SSL 3.0 on the client

After testing, you may also consider disabling it at the SCHANNEL layer for all clients. While you are viewing these settings, make sure that your clients have TLS 1.1 & 1.2 enabled. In most cases, the most recent version supported by both the client & server will be used. This is a good way to start moving towards a more secure environment. All supported versions of Windows have TLS 1.1 & 1.2 capabilities, but the older ones may not have them enabled by default.

Note that registry changes under SCHANNEL are only good for applications that use the SCHANNEL API. Some applications could utilize 3rd party or open source security APIs (like OpenSSL) which may not look at these registry keys. Also, note that changes do not take effect until reboot.

Disable support for SSL 3.0 on the server

The next recommendation is to disable SSL 3.0 on all servers, Exchange included. Do this by following all recommendations in the original security bulletin. Since servers can be both clients and servers, it is recommended to follow all applicable steps. As before, while you are viewing these settings, make sure that your servers have TLS 1.1 & 1.2 enabled.

image

Note: Any of these registry changes require a reboot to take effect!

You can do this with confidence because TLS 1.0 will be the minimum which you support. Exchange and Windows have both supported TLS 1.0 for over a decade. TLS 1.0 itself is not considered vulnerable when SSL 3.0 is disabled on clients and servers. In fact, most Exchange sessions already have been using TLS 1.0 or even later, for years. You are simply disabling the ability for the session to be downgraded to SSL 3.0. Disabling SSL 3.0 is typically not too impactful except for clients and devices that are older than (roughly) 10 years old.

These recommendations should already have been carried out in your organization. Even so, the POODLE vulnerability itself requires someone to intercept the traffic and sit between the client and server during the initial session negotiation. While this is not especially difficult to accomplish, it is also not trivial. It is a much more severe problem for users who travel and for mobile devices which use hotspots. As many customers support remote access to email, this is something for Exchange administrators to worry about. Since some mobile device vendors have not released ways to disable SSL 3.0, you can at least keep your Exchange resources safe by disabling SSL 3.0 on the server side.

In addition, enabling support for TLS 1.1 and 1.2 is highly recommended, but leaving TLS 1.0 enabled is the right choice for now. Clients and applications should always prefer the most secure option, provided that Windows, the application, and the client all support it.

Note: If you terminate SSL at load balancers, you’ll want to disable SSL 3.0 there as well (and perform subsequent steps there in addition). Check with your vendor to get their guidance. Also, be sure to check all Exchange servers which may be sharing a single VIP or DNS record.

Office 365 has completed these changes; SSL 3.0 is no longer possible for any protocol.

Prioritize TLS 1.2 ciphers, and AES/3DES above others

The next step we recommend is based on a step we took in Office 365 to prioritize the latest ciphers, which are considered much more resilient to brute force attack. Cipher configuration is not simply a matter of enabling the most secure cipher and disabling the rest: you want to offer several choices to clients for maximum compatibility. Typically you disable the ones which are least secure and leave the others to provide choice. The negotiation of a particular cipher works as follows:

  1. The client passes an ordered list of ciphers which it supports
  2. The server replies with the best cipher which it has selected (server gets final say)

Changing the order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. Cipher changes are made through this registry key, explained here.


Strongly consider disabling RC4 ciphers

Of course, there is a risk that some clients will stop working if you disable too many ciphers. That said, Microsoft has been recommending disabling the RC4 suite of ciphers as a best practice, since RC4 is considered a weak cipher. Disabling RC4 should be done with some care, as it can introduce incompatibilities with older servers and clients, though problems should be minimal since supported versions of Windows have supported 3DES and AES alternatives for years. The rollout of this change in Office 365 is in progress and should be completed shortly.
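The SCHANNEL protocol settings from the two "Disable support for SSL 3.0" sections and the RC4 cipher keys from this section, as an added PowerShell example that is not from the original post: saved as a .ps1 and run elevated, it reports the current per-protocol Client/Server values and, with -Apply, writes the recommended state (SSL 3.0 off, TLS 1.0 through 1.2 on, RC4 off). The registry paths are the standard SCHANNEL locations; the function names are my own, and a reboot is still required afterwards.

```powershell
# Added example (not from the original post): audit, and optionally apply, the SCHANNEL
# protocol and RC4 cipher settings recommended above. Run in an elevated PowerShell on
# the Exchange server; the changes take effect only after a reboot.
#Requires -RunAsAdministrator
param([switch]$Apply)   # without -Apply the script only reports the current state

$protoRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Desired protocol state for both the Client and Server sub-keys. TLS 1.0 deliberately
# stays enabled: the post explains why disabling it is not yet practical for Exchange.
$protocolPolicy = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $true
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

# RC4 cipher sub-keys as SCHANNEL names them; the '/' is part of the key name.
$rc4Ciphers = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')

function Get-SchannelProtocolState {
    # One row per protocol/role. A missing key or value means "OS default", which for
    # SSL 3.0 is still "enabled" on most in-market Windows versions as of mid-2015.
    foreach ($proto in $protocolPolicy.Keys) {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $protoRoot "$proto\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Set-SchannelProtocolState {
    param([string]$Protocol, [bool]$Enable)
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $protoRoot "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 with DisabledByDefault=1 switches the protocol off; 1/0 switches it on.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Disable-SchannelRc4 {
    # The PowerShell registry provider treats '/' as a path separator, so New-Item would
    # create nested keys "RC4 128" -> "128". The .NET registry API only treats '\' as a
    # separator, so it creates the sub-key with its literal name.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $base = $hklm.OpenSubKey($cipherRoot, $true)
    if ($null -eq $base) { $base = $hklm.CreateSubKey($cipherRoot) }
    try {
        foreach ($cipher in $rc4Ciphers) {
            $sub = $base.CreateSubKey($cipher)
            $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $sub.Close()
        }
    } finally { $base.Close() }
}

Write-Host 'Current SCHANNEL protocol state:'
Get-SchannelProtocolState | Format-Table -AutoSize

if ($Apply) {
    foreach ($proto in $protocolPolicy.Keys) {
        Set-SchannelProtocolState -Protocol $proto -Enable $protocolPolicy[$proto]
    }
    Disable-SchannelRc4
    Write-Host 'Settings written. Reboot for SCHANNEL to pick them up, then re-run to verify.'
    Get-SchannelProtocolState | Format-Table -AutoSize
}
```

Run it once without -Apply on each server (and on load balancers' management hosts where applicable) to record the starting state before making changes.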

Do NOT use MD5/MD2 certificate hashing anywhere in the chain

Ciphers depend on the certificate chain being used: you can introduce problems when connecting to a host that has an insecure signature algorithm in its chain. For example, we have seen that Office 365 SMTP transport is no longer able to connect to hosts with MD5 and MD2 hashing because they do not support modern ciphers. This applies to the certificate and to any certificate in the chain. We see this with SMTP because Exchange is acting as a client, and because there are many older SMTP systems and firewalls still out there.

Use RSA-2048 when creating new certificate keys

There are a few things to watch out for when you renew or reissue certificates. First, when creating your requests, use 2048-bit RSA. Anything less is no longer considered secure.

When renewing or creating new requests, request SHA-256 or better

Second, when you renew, you should consider moving the signature algorithm from SHA1 to SHA2 if you haven’t already done so. This isn’t considered something that you need to worry about until renewal time, unless your certificate happens to be good for another couple of years – in which case, go ahead and take care of it now.

You can check your Exchange certificates with a browser (or in Certificate Manager MMC):


This example certificate was generated with Exchange 2013 on Windows 2012 R2. It has an RSA 2048-bit key and has an RSA SHA256 (SHA-2) signature algorithm.

Know what your version of Exchange supports

Some applications need to be recompiled and tested to take advantage of these new protocols, so every part of Exchange and every Windows-based client needs to be examined and tested thoroughly. Currently, for Exchange Server, we are aware of the following limitations:

  • SMTP – a key piece of Exchange server infrastructure – support for TLS 1.1 and 1.2 was added in Exchange Server 2013 CU8 and Exchange Server 2010 SP3 RU9. This means that if you want to add support for the latest ciphers and TLS versions, you may need to apply an update.

IMPORTANT: SMTP is the main protocol used when communicating outside of your organization, something which is a key purpose of email. If you disable TLS 1.0, SMTP would no longer be able to use Opportunistic TLS with any external party which doesn’t support TLS 1.1 or 1.2. Emails will then be sent/received in the clear, which is certainly significantly less secure than TLS 1.0. That said, we have enabled new logging in the Exchange SMTP protocol logs to allow you to audit the impact of future changes on SMTP.

Additional Note: SMTP is notably a protocol where Exchange acts as both a client and a server. Some older server implementations have been observed to implement version negotiation incorrectly. In these cases, the remote servers terminate the connection when Exchange (acting as a client) offers a version newer than TLS 1.0. This results in a complete stoppage of email to these systems. Fortunately, these situations are becoming rarer as time passes, but we point this out because the effect is often more severe than a mail client which cannot connect.

  • POP/IMAP – not used as frequently in all environments, but if you do, beware that we only currently support TLS 1.1 and 1.2 on-premises in the Exchange Server 2016 Preview. We hope to make this available in a future CU, or you can make a request for it via proper channels so we can prioritize it. Office 365 already has this support.
  • HTTPS (OWA, Outlook, EWS, Remote PS, etc.) – The support for TLS 1.1 and 1.2 is based on the support in IIS itself. Windows 2008 R2 or later supports both TLS 1.1 and 1.2, though the specific version of Windows may have these disabled or enabled by default. There is another important caveat here: the HTTPS proxy between CAS and Mailbox requires TLS 1.0 in current versions of Exchange Server – so disabling TLS 1.0 between CAS and Mailbox causes the proxy to fail. This is also something we have addressed in the Exchange 2016 Preview. We hope to make this available in a future CU, or you can make a request for it via Support. If you have dedicated roles, you can technically disable TLS 1.0 between the client & CAS, but we still are not recommending this. Office 365 already supports TLS 1.1 & 1.2, if the client supports them.
  • Clients – TLS 1.0 is universal, with near 100% support. Though TLS 1.1 and 1.2 are growing more common, many Exchange clients still do not work with anything but TLS 1.0. For example, at this time, we are tracking multiple issues with Outlook running on Windows 8.0 or older. We are hoping to address these issues soon, but with Windows 7 commonly running in most customer environments, this is a really good reason to not disable TLS 1.0 yet. Comprehensive testing of other clients running without TLS 1.0 has not been completed by Microsoft at this time.

Note: Windows Remote Desktop may also have challenges, depending on your version of Windows. For servers which are managed remotely, be sure to test this first.

Use tools to test and verify

There are several tools and websites you can go to for testing your server(s) and clients. It is highly recommended to do so. Some offer a grading/scoring system. Others offer pass/fail. We’re inclined to recommend one with a scoring system, since security is about risks and tradeoffs. Don’t be surprised if one or more of these tools doesn’t fully test for POODLE and just thinks TLS 1.0 is bad. Use your newfound knowledge to read the results for what they are.

We prefer tools that let you check specific things (like cipher order, or individual TLS/SSL versions) in addition to the blanket “vulnerability tests”. There is also one fantastic (non-Microsoft) website called SSLLabs which simulates multiple clients and can warn you of compatibility issues with the clients which it knows about. For example, here we see that disabling TLS 1.0 would likely cause issues with older versions of Android clients:


In addition, you can see how you compare with the rest of the Internet. This is great for HTTPS. Most certificate vendors have test tools available as well, though they have differing coverage of what is tested.

Other tools are available which test additional protocols. Here is a test being run against IMAP on port 993 (referred to as the “SSL binding”; see below for explanation):


As you can see, even on port 993, TLS 1.0 is used with AES256.

Do NOT get confused by explicit TLS vs. implicit TLS

In the course of human events, shortcuts are taken. One unfortunate shortcut occurred when TLS 1.0 added optional support for a per-protocol implementation of STARTTLS, also known as “explicit TLS”. Prior to “explicit TLS”, if a server application level protocol wanted to implement SSL/TLS in addition to a non-secure option, it had to take up a separate port on the machine for each. This is “implicit TLS”. See the following chart:

Protocol   IANA port (Explicit TLS)   Protocol   IANA port (Implicit TLS)
E-SMTP     25                         SMTPS      465**
POP3       110                        POPS       995
IMAP4      143                        IMAPS      993
HTTP       80*                        HTTPS      443

* HTTP doesn’t implement explicit TLS, because it is stateless and the overhead would not be worth it.
** Exchange specifically does not support SMTPS (implicit TLS).

The first protocol which implemented this verb was ESMTP. By doing so, SMTP could support clients & servers on the same port, and could also easily implement “opportunistic” TLS/SSL. In fact, Exchange has never supported SMTPS (465), although we do reuse that port by default in Exchange 2013 for one of the three transport roles. For POP and IMAP, Exchange supports both the explicit option and the implicit option.

What can be confusing is that, because STARTTLS did not come about until TLS 1.0, some people started confusing explicit TLS with “TLS”, and some mail applications started using the terminology interchangeably. So disabling ports 995 & 993 does not turn off SSL 3.0 (you are disabling implicit POPS & IMAPS, not SSL), nor is enabling ports 110 & 143 (explicit TLS) required for TLS 1.x. The terminology is confusing, but the concepts are mostly unrelated. This unfortunate shortcut made its way into Exchange as well.


However, tinkering with ports and implicit/explicit should not be necessary as you are NOT disabling SSL 3.0 by doing so. Securing Exchange Server shouldn’t mean changing any of these settings – just the SCHANNEL registry settings discussed above.
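A probe for the distinction just described and for the port-993 test shown under "Use tools to test and verify", as an added PowerShell example that is not from the original post: it connects to the implicit-TLS port (993) and to the explicit-TLS port (143, upgraded with STARTTLS) and attempts a handshake with one SSL/TLS version at a time, so you can see that the port in use says nothing about which versions the server accepts. The hostname is a placeholder for your own server; certificate validation is skipped because the probe tests protocol-version support, not trust.

```powershell
# Added example (not from the original post): probe which SSL/TLS versions a POP/IMAP
# server accepts on its implicit-TLS port and on its explicit (STARTTLS) port. Replace
# the placeholder host with your own server. Certificate validation is deliberately
# skipped: the point is protocol-version support, not trust in the certificate.
$Server = 'mail.example.com'   # placeholder, not a real Exchange host

function Test-SslVersion {
    param(
        [string]$ComputerName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Version,
        [ValidateSet('None', 'IMAP', 'POP3')][string]$StartTls = 'None'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        if ($StartTls -ne 'None') {
            # Explicit TLS: the session starts in clear text and is upgraded by a protocol
            # verb (IMAP "STARTTLS", POP3 "STLS"). Implicit TLS ports skip this step.
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $null = $reader.ReadLine()                       # server greeting
            if ($StartTls -eq 'IMAP') { $writer.WriteLine('a1 STARTTLS'); $ok = 'a1 OK*' }
            else                       { $writer.WriteLine('STLS');        $ok = '+OK*'  }
            $reply = $reader.ReadLine()
            if ($reply -notlike $ok) { return "STARTTLS refused: $reply" }
        }
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        # Offer exactly one version so the result tells us whether the server accepts it.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Version, $false)
        return "accepted: $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    } catch {
        return "rejected: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

# Port 993 is IMAPS (implicit TLS); port 143 is IMAP4 with STARTTLS (explicit TLS). The
# same SCHANNEL settings govern both, so both tables should list the same versions as accepted.
$versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12'
$targets  = @(
    @{ Port = 993; StartTls = 'None'; Label = 'IMAPS, implicit TLS' },
    @{ Port = 143; StartTls = 'IMAP'; Label = 'IMAP4 + STARTTLS, explicit TLS' }
)
foreach ($t in $targets) {
    Write-Host "--- $Server port $($t.Port) ($($t.Label))"
    foreach ($v in $versions) {
        $result = Test-SslVersion -ComputerName $Server -Port $t.Port `
            -Version ([System.Security.Authentication.SslProtocols]$v) -StartTls $t.StartTls
        Write-Host ("{0,-6} {1}" -f $v, $result)
    }
}
```

After the SCHANNEL changes and a reboot, the Ssl3 row should read "rejected" on both ports while the Tls rows still read "accepted"; for POP, use ports 995 and 110 with -StartTls POP3.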

(For now) Wait to disable TLS 1.0 on the Exchange server

In summary, as of July 2015, Exchange currently supports TLS 1.0, but can also support TLS 1.1 & 1.2 with the following minimum requirements met:

Protocol               TLS v1.1/1.2 minimum requirements
SMTP                   Exchange 2013 CU8 or Exchange 2010 SP3 RU9
POP/IMAP               Exchange 2016 Preview
HTTP (server)          Windows 2008 R2; MAPI clients must run Windows 8.1 or later
HTTP (proxy to MBX)    Exchange 2016 Preview

As you can see, since Exchange Server 2016 isn’t released yet as an in-market product (it is for lab use only at this time), and since Windows 7 is still the most prevalent Windows version, it is quite impractical to fully disable TLS 1.0. Not only will POP/IMAP break (for lack of TLS 1.1 and 1.2 support), but you cannot disable TLS 1.0 on any Exchange server running the mailbox server role. Most importantly, disabling TLS 1.0 will result in compatibility issues with some common mobile devices, clients, and possibly interrupt some Internet email.

Don’t panic – if you have disabled SSL 3.0 and decided on a cipher order that your organization can agree on, you are likely quite secure, and you are not vulnerable to the POODLE attack. Microsoft is committed to adding full support for TLS 1.1 and 1.2. TLS v1.3 is still in draft, but stay tuned for more on that. In the meantime, don’t panic.


On a test Exchange lab with Exchange 2013 on Windows Server 2012 R2, we were able to achieve a top rating by simply disabling SSL 3.0 and removing RC4 ciphers. This is nearly as good as one can achieve at the time of this posting on released versions of Exchange without impacting common clients.


Additionally, this configuration should be highly compatible with nearly all clients and devices from the past decade or more, while utilizing the latest security with clients which do support it. Of course, security requires a watchful eye as new threats and vulnerabilities are discovered from time to time. As always, stay tuned to Security Bulletins and updates.

Scott Landry
Senior Program Manager, Exchange Supportability



from Exchange News Full Article

Thursday, July 23, 2015

MSExchange.org: Managing SPF and reverse DNS in Exchange Server (Part 3)

Finishing the reverse DNS configuration and wrapping up with a Q&A section about SPF and reverse DNS in Exchange Server.

from Exchange News Full Article

msexchange.org: Azure Rights Management support comes to Office for iPad and iPhone

Earlier this year, we announced we are deeply committed to bringing encryption technologies on all platforms. At the core of encryption technologies is Azure Rights Management, which provides an easy way to protect data by assigning a policy to the data readily available in Office 2013, Office 2010 and Office for Mac. We are excited to announce that the same policy-driven protection is now available in Office for iPad and on iPhone devices. With this functionality, you are now able to view the rights protected Office documents natively on your iPad and iPhone devices.

from Exchange News Full Article

msexchange.org: Introducing Send—designed for in-and-out email

Sometimes you just need to send a quick, short note to your co-worker. Of course, you can use Outlook for this, but today we’re launching a new app through the Microsoft Garage that is built specifically for those brief, snappy communications—Send, designed for in-and-out email.

from Exchange News Full Article

msexchange.org: Exchange 2016 Preview - Additional Resources

In addition to the blog post (http://ift.tt/1Lu3W5P) that the Exchange team made yesterday, here are additional related as well as fresh content:

from Exchange News Full Article

msexchange.org: Announcing Exchange Server 2016 Preview!

We’re excited to announce that Exchange Server 2016 Preview is now available for download. At Ignite, we introduced Exchange Server 2016 and demonstrated some of its capabilities. Now you can install the bits yourself and get hands-on experience with the newest member of the Exchange family. We’re eager to hear your feedback as we progress toward a final release later this year.

from Exchange News Full Article

msexchange.org: Microsoft Exchange Server 2013 Management Pack has been updated



from Exchange News Full Article

Wednesday, July 22, 2015

EighTwOne: Exchange Server 2016 Preview is here!

And so it begins. A few moments ago, the Exchange team published the public preview of Exchange 2016. The build number of the preview version is 15.1.225.17.

The team’s post contains information on the changes and features introduced in Exchange 2016. Many of these were already announced at Ignite earlier this year. An earlier blog post on these announcements can be found here. Some important deviations from the Ignite announcements:

  • Minimum required Forest Functional Level (FFL) and Domain Functional Level (DFL) is Windows Server 2008, not Windows Server 2008 R2.

Meanwhile, the technical library on TechNet has been updated with information on Exchange 2016. Be advised that this documentation may be incomplete and subject to change, and in fact may not even be on par with the preview product.

Some links to get you started:

Needless to say, this is a preview. It’s great to play with in a lab, but don’t install it in your production environment unless you are part of the TAP program.



from Exchange News Full Article

Exchange Team Blog: Announcing Exchange Server 2016 Preview!

We’re excited to announce that Exchange Server 2016 Preview is now available for download. At Ignite, we introduced Exchange Server 2016 and demonstrated some of its capabilities. Now you can install the bits yourself and get hands-on experience with the newest member of the Exchange family. We’re eager to hear your feedback as we progress toward a final release later this year.

This version of Exchange is special because it was born in the cloud. From the depths of the mailbox store to the most visible parts of the Outlook web UI, the bits that make up Exchange 2016 are already in use across millions of mailboxes in Office 365. For the past several months we’ve been working to package up these capabilities and deliver them on-premises. This preview milestone is an important step in that process, and we’re excited to include the worldwide Exchange community in the journey.

Let’s begin by joining Greg Taylor and Jeremy Chapman for an episode of Office Mechanics that takes a closer look at what’s new in Exchange 2016, with a focus on IT-related features.


Here’s a sampling of some key improvements that you can explore as you try out this Preview release. All of these enhancements are driven by our experience running Exchange at scale in a highly available way in Office 365. We believe it is vital to bring innovation from our datacenter to yours.

Simplified architecture

The architecture of Exchange 2016 is an evolution of what was delivered in Exchange 2013, reflecting the best practices of the Exchange Preferred Architecture, and mirroring the way we deploy Exchange in Office 365. The Client Access and Mailbox server roles have been combined, providing a standard building block for building your Exchange environment. Coexistence with Exchange 2013 is simplified, and namespace planning is easier.

Improved reliability

Keeping email up and running is a high-visibility responsibility for IT, so we’ve made investments that help you run Exchange with greater reliability and less effort. Based on Office 365 learnings, we’ve already shipped hundreds of reliability and performance fixes and enhancements to Exchange 2013 customers via Cumulative Updates. Exchange 2016 includes all of those enhancements, of course, but it goes further.

Failovers in Exchange 2016 are 33 percent faster than Exchange Server 2013 due to the ability to read from the passive copy of the database. We’ve turned on Replay Lag Manager by default, which automatically plays down replication logs when insufficient database copies are available.

We’re building on previous investments in automated repair, adding database divergence detection to help proactively detect instances of database corruption so you can remediate them well before anyone notices a hiccup. To make operation of Exchange simpler, we introduced Get-MailboxServerRedundancy, a new PowerShell cmdlet that helps you prioritize hardware repairs and makes upgrades easier.

New Outlook web experience

As part of our continuing effort to provide users with a first class web experience, we’ve made significant updates to Outlook Web App, which will be known as “Outlook on the web” going forward. New features include: Sweep, Pin, Undo, inline reply, ability to propose new time for meeting invites, a new single-line inbox view, improved HTML rendering, better formatting controls, ability to paste inline images, new themes, and emojis, to name a few. We’ve also made numerous performance improvements and enhanced the mobile browse experience on phones and tablets.


Greater extensibility

The Add-In model for Outlook and Outlook on the web, which allows developers to build features right into the user's Outlook experience, continues to get more robust. Add-ins can now integrate with UI components in new ways: as highlighted text in the body of a message or meeting, in the right-hand task pane when composing or reading a message or meeting, and as a button or a dropdown option in the Outlook ribbon. Built-in Add-Ins such as My Templates get a user interface makeover. We’ve also introduced new ways of rolling out apps to users, including side-loading of apps with a user-to-user sharing model, and made it possible for users to install apps directly from the Office store or the Outlook ribbon. Additionally, we have added richer JavaScript APIs for attachment handling, text selection, and much more.

Faster and more intuitive search

As the quantity of email in people’s inboxes continues to grow, it’s essential for them to search through all that email in faster and easier ways. By studying real-world data about how people search and analyzing the speed at which results are returned, we’ve implemented changes to the search architecture and user interface of Office 365, which are now coming on-premises.

The overall speed of server side search is significantly improved in Exchange 2016. But more importantly, the Outlook client now fully benefits from the power of server-side search. When a cached mode Outlook 2016 client is connected to Exchange, it performs search queries using the speed and robust index of the server, delivering faster and more complete results than desktop search.

We’ve also implemented a new, more intuitive search UI in Outlook 2016 and Outlook on the web. As you type, intuitive search suggestions appear, based on people you communicate with, your mailbox content and your query history.

In Outlook on the web, search refiners appear next to the search result set, helping users quickly home in on exactly what they are looking for within results. And with calendar search, you can now search for events in your calendar and in other people’s calendars.

Search refiners

Enhanced Data Loss Prevention (DLP)

Exchange 2013 included built-in DLP capabilities that help protect sensitive information from falling into the wrong hands, and these capabilities are being extended in Exchange 2016. We are adding 30 new sensitive information types to Exchange, including data types common in South America, Asia, and Europe. We are also updating several existing sensitive data types for improved accuracy.

In addition to enhancing these built-in capabilities, we now enable you to configure DLP and transport rules to trigger when content has been classified by a third-party classification system. You can also configure custom email notifications that are sent to recipients when messages sent to them are impacted by your rules.

Faster and more scalable eDiscovery

We’ve made eDiscovery search faster and more reliable by overhauling the search architecture to make it asynchronous and distributing the work across multiple servers with better fault tolerance. This means that we can return results more reliably and faster. Search scalability through the UI is also improved, and an unlimited number of mailboxes can be searched via cmdlet. You also asked for the ability to perform eDiscovery searches on public folder content and to place the data in public folders on hold to enable long-term archiving, so we’ve added those capabilities in this release.

Auto-expanding archives

To accommodate users who store extremely large amounts of data, Exchange 2016 now automatically provisions auxiliary archive mailboxes when the size of a user’s archive mailbox reaches 100 GB. Thereafter, additional auxiliary archives are automatically provisioned in 50 GB increments. This collection of archive mailboxes appears as a single archive to the user as well as to administrators, accommodating rapid growth of archive data from PST file imports or other intensive use.

Hybrid improvements

Hybrid capabilities allow you to extend your Exchange deployment to the cloud, for example to enable a smooth transition or accommodate mergers and acquisitions. We’re making the hybrid configuration wizard cloud-based, which makes it easier for us to keep it up to date with changes in Office 365.

Hybrid scenarios also enable you to leave all user mailboxes on-premises, while benefitting from cloud services that enhance your deployment – services like Exchange Online Protection; Exchange Online Archiving; Azure Rights Management; Office 365 Message Encryption, and cloud-based Data Loss Prevention. We recently added the Advanced Threat Protection security services to this list, and Equivio analytics for eDiscovery is next up in the queue.

More to come

That’s a quick look at some of the improvements that are part of Exchange Server 2016 Preview. Between preview and final release we’ll add additional features, such as updates to auditing architecture and audit log search. After SharePoint Server 2016 and the Office Web App Server ship their beta versions, you’ll also be able to try out new document collaboration features that help people work with attachments in smarter ways.

How to get started

There is still much to do between now and launch, but we’re excited to put this Preview in your hands. Remember that the Preview can only be used in non-production deployments, unless you are a member of our Technology Adoption Program (TAP). The Preview supports co-existence with Exchange Server 2010 SP3 RU10 and 2013 CU9, for non-production testing. For complete details about the Preview, check out the initial product documentation on the TechNet Exchange Server 2016 library. We’re excited to hear from you as you try out this release!

The Exchange Team



from Exchange News Full Article

msexchange.org: Explore the built-in Mobile Device Management (MDM) feature for Office 365

Earlier this year, we started the rollout of built-in Mobile Device Management (MDM) for Office 365, and now that it has been available for a while, we want to give you some tips on how to get the feature up and running in your organization.

from Exchange News Full Article

msexchange.org: Office 365 Channels are live on IFTTT

Today we are excited to announce the launch of the Office 365 Channels on IFTTT to coordinate information flow in an automated way. IFTTT enables people to link to the various Triggers that exist for Internet apps, and then complete Actions against other products or apps. For example, you could have the lights in your house turn on when you are minutes from your house.

from Exchange News Full Article

msexchange.org: Plan for multi-factor authentication for Office 365 Deployments

Good documentation that also covers the new modern authentication method.

from Exchange News Full Article

Tuesday, July 21, 2015

msexchange.org: Microsoft positioned as a Leader in Gartner’s 2015 Magic Quadrant for Secure Email Gateways

Gartner recently published the 2015 Magic Quadrant for Secure Email Gateways, positioning Microsoft in the Leaders Quadrant. The Magic Quadrant represents Gartner’s evaluation of our completeness of vision and ability to execute in the market. We believe this positioning is a reflection of the value we’re delivering to our customers and the strength of our product vision. Microsoft has a number of services that are evaluated in this report including: Exchange Online Protection (EOP), Exchange Online Advanced Threat Protection (ATP), Data Loss Prevention (DLP) and Office 365 Message Encryption, which are part of the Office 365 suite and include other security and compliance services as well.

from Exchange News Full Article

MSExchange.org: Deploying an Exchange 2013 Hybrid Lab Environment in Windows Azure (Part 31)

In this article we will take a behind the scenes look at what happens with a mailbox user when his mailbox is moved to Exchange Online. Furthermore, we will look at how you can bulk assign licenses to the users.

from Exchange News Full Article

Sunday, July 19, 2015

The EXPTA {blog}: EXPTA Gen6 Home Lab Server Builds and Parts Lists

Build your own blistering fast Windows Hyper-V lab server starting at $900!

I'm very pleased to provide you my EXPTA Gen6 home lab server builds. Advances in hardware and virtualization technology have made it possible for IT Pros to build out sophisticated systems that host more VMs than ever before. My Home Lab Server Survey results show that while there is still tremendous interest in 32GB entry-level servers at around $1,000, there's also a lot of interest in 64GB servers at the $1,700 price point.

Based on your survey results and for the first time ever, I'm providing three different server builds:
  • Intel Core i5 quad-core, 32GB RAM, SSD, small form-factor for $900. I can finally break the $1,000 barrier without sacrificing quality! This makes it super-easy for IT Pros to build a blistering fast Windows Hyper-V server that can run many VMs.
  • Intel Core i7 six-core, 64GB RAM, SSD, ATX form-factor for $1,725. This build is geared toward those who want double the VM density and outstanding performance.
  • Intel Xeon E5 six-core, 64GB RAM, SSD, ATX form-factor for $1,835. This build uses true server hardware for the ultimate in reliability and scalability.
Each of the three server builds uses components from the vendors' hardware compatibility lists to ensure the utmost in reliability. They all will run Windows Server 2012 R2 and should be "future-proof" to run the upcoming Windows Server 2016 release.

Each build uses the same storage format -- a 256GB SSD for the OS, a 500GB or 1TB SSD for regularly running high performance VMs, and a 1TB traditional hard drive for storing ISOs, software applications, and base images. Each server utilizes SATA III 6Gb/s drives and USB 3.0 ports for the fastest I/O performance.

Most survey respondents indicated that they did not need step-by-step installation guides. If you need help, look back at my previous Gen4 and Gen5 server build articles for assistance.

As usual, I link to Amazon for components and prices. Amazon does a very good job of maintaining stock, has an excellent return policy, and most of these items are eligible for free two-day shipping via Amazon Prime. If you don't have Prime, you can sign up for a free trial here and cancel if you want after you order the equipment. Please note that it's normal for Amazon prices to fluctuate (usually down) over time.

Build #1 -- Intel Core i5 Quad-Core, 32GB RAM, SSD, Small Form-Factor, 191W for Around $900
Component Description
 
Intel Core i5-4690S Processor 3.9GHz Quad Core LGA 1150 - BX80646I54690S
This is a 4th generation Intel Haswell-Refresh processor and includes Intel HD Graphics 4600, so no discrete video card is required. Runs at 3.9 GHz, but requires only 65W! Includes Intel aluminum heat sink and silent fan. 3 year limited warranty.
 
Patriot Viper 3 Series Venom Red DDR3 16GB 1600MHz (PC3 12800) Memory Kit PV316G160C9KRD
You'll need two of these. 1.5V 240-pin dual channel 1600MHz DDR3 SDRAM with built-in heat spreaders. Low 9-9-9-24 Cas Latency. Great RAM at a great price. Each package contains 2x 8GB DIMMs (16GB). Lifetime warranty.
 
Gigabyte LGA 1150 Intel B85 HDMI SATA 6Gb/s USB 3.0 Micro ATX Intel Micro ATX DDR3 1600 Motherboards GA-B85M-DS3H-A
I chose this LGA 1150 Micro ATX motherboard because it supports up to 32GB RAM and has 4x SATA III 6Gb/s and 2x SATA 3Gb/s connectors. It uses the Intel B85 Express chipset, has 1x PCI-E x16 slot, 2x PCI-E 2.0 slots, HDMI/DVI/VGA outputs, USB 3.0 and 2.0 ports, and a Realtek GbE LAN chip (not Intel, yeah! See below). It also has a great UEFI BIOS. 3 year limited warranty.
 
Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
250GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 5 year limited warranty.
 
Samsung 850 EVO 500GB 2.5-Inch SATA III Internal SSD (MZ-75E500B/AM)
500GB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Lync servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 5 year limited warranty.
 
WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.
 
Samsung SH-224DB/RSBS 24X SATA DVD±RW Internal Drive
Great quality 24x ±RW DVD burner. It's cheap, too. Even though it's SATA2, I connect this to one of the SATA3 ports on the motherboard for no particular reason. 1 year limited warranty.
  Sentey SS1-2423 Slim Micro ATX Computer Case
Sleek Micro ATX case with full color LCD display and removable drive bay cage for easy access. 1x external 5.25" drive bay and 2x internal 3.5" drive bays. Includes front USB 3.0 and 2.0 and audio ports. Great build quality and cable management. 3 year limited warranty.
  FSP Group Mini ITX / Micro ATX / SFX 300W 80 Plus Certification Power Supply (FSP300-60GH)
300 Watt Micro ATX PSU with super quiet 80mm cooling fan system. 80 Plus Certified to reduce power consumption.
 
StarTech 6in 4 Pin Molex to SATA Power Cable Adapter (SATAPOWADAP)
The FSP 300W power supply has three SATA power connectors for drives, which is one short of what we need. Use this adapter to convert one of the two Molex power connectors to SATA.
 
SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.
 
C&E CNE11445 SATA Data Cable (2pk.)
We need 4x SATA cables for this build. The Gigabyte motherboard comes with two SATA cables, so we need two more. Flat (not L shaped) connectors work best for this build. FYI there's no technical difference between SATA2 and SATA3 cables.

Build #1 is pretty straightforward. Make sure you have everything you need and enough space to work. Most builds take about an hour and always seem to go smoother with a cold refreshing adult beverage nearby. Assemble the drive cage first, then install the PSU, motherboard, CPU and RAM to button it up. I always update the BIOS from the Internet before installing the OS; the Gigabyte BIOS lets you do this directly from the BIOS. Nice! Once you install the OS, install and/or upgrade the drivers (especially the NIC) from the manufacturers' websites. Then install the Hyper-V role and you're off to the races!
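The role install and the storage layout described above, done from an elevated PowerShell prompt on Windows Server 2012 R2. This is an added example, not code from the original post; the drive letters (C: for the OS SSD, D: for the VM SSD, E: for the 1TB HDD) and folder names are assumptions, so adjust them to match how you partitioned your build.

```powershell
# Added example (not from the original post). Assumes C: = OS SSD,
# D: = VM SSD, E: = 1TB HDD. Run as Administrator on the Hyper-V host.

# 1. Confirm the CPU exposes what Hyper-V needs (VT-x and SLAT/EPT).
#    Every line under "Hyper-V Requirements" should read "Yes"; if not,
#    enable virtualization in the UEFI BIOS before going any further.
systeminfo | Select-String 'Hyper-V Requirements' -Context 0,4

# 2. Install the role plus the management tools and reboot.
#    Everything below runs after the reboot.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# 3. Make the fast SSD the default home for VM configs and VHDX files,
#    so a hastily created VM never lands on the OS volume.
New-Item -ItemType Directory -Path 'D:\VMs' -Force | Out-Null
Set-VMHost -VirtualMachinePath 'D:\VMs' -VirtualHardDiskPath 'D:\VMs'

# 4. ISOs, seldom-used VMs and base images live on the spinning disk.
New-Item -ItemType Directory -Path 'E:\ISOs','E:\BaseImages','E:\ColdVMs' -Force | Out-Null

# 5. Spin disks down after 10 minutes idle on AC power. Note this is a
#    power-plan setting that applies to every disk, not only the HDD.
powercfg /change disk-timeout-ac 10

# Verify the host defaults took effect.
Get-VMHost | Select-Object VirtualMachinePath, VirtualHardDiskPath
```

`Install-WindowsFeature -Restart` reboots immediately, so the remaining lines are meant to be run in a second session after the host comes back up.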

You can host quite a few VMs on this system. As an example, my Gen5 32GB version of this server runs Windows Server 2012 R2 with the Exchange 2013 Edge Transport role and Hyper-V. This server has been running 24x7 for over a year with the following VMs:

  • 1x Domain Controller (2GB dynamic RAM)
  • 2x Exchange 2013 servers (4-6GB each)
  • 1x Lync 2013 server (4GB)
  • 1x Exchange 2010 server (4GB)
  • 1x Application server (2GB)
I run these VMs off the 500GB SSD with Windows Server 2012 R2 data deduplication enabled using the Virtual Desktop Infrastructure (VDI) usage type. This allows me to put 669GB of data on this 500GB drive and I still have 145GB free space! See Windows Server 2012 Deduplication is Amazing! for information about configuring this.
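Enabling that deduplication mode from PowerShell, as an added example that is not part of the original post. It assumes the VM SSD is mounted as D:. One caveat worth knowing before you copy the setting into anything beyond a lab: Microsoft supports the Hyper-V usage type on Windows Server 2012 R2 only for VDI workloads, and Exchange does not support deduplicated volumes for its databases, so this is a home-lab space trick rather than a production configuration.

```powershell
# Added example (not from the original post). Assumes D: is the VM SSD.
# Run as Administrator on the Hyper-V host.

# The dedup engine is a file-services feature and is not installed by default.
Install-WindowsFeature -Name FS-Data-Deduplication

# UsageType HyperV tunes dedup for open, running VHD/VHDX files (the "VDI"
# mode). Lab use only: Microsoft supports it for VDI workloads, and Exchange
# databases on deduplicated volumes are unsupported.
Enable-DedupVolume -Volume 'D:' -UsageType HyperV

# By default only files older than 3 days are optimized. Drop that to 0 so
# freshly created VHDX files are picked up by the next optimization job.
Set-DedupVolume -Volume 'D:' -MinimumFileAgeDays 0

# Run an optimization pass now rather than waiting for the scheduled job.
Start-DedupJob -Volume 'D:' -Type Optimization -Wait

# Compare logical data against space actually saved on the volume.
Get-DedupStatus -Volume 'D:' |
    Select-Object Volume, FreeSpace, SavedSpace, OptimizedFilesCount
```

`SavedSpace` is the number to watch: it is the difference between what the VMs think they occupy and what the SSD actually holds, which is how 669GB of VMs fits on a 500GB drive with room to spare.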


Build #2 -- Intel Core i7 Hex-Core, 64GB RAM (8x8), SSD, ATX Form-Factor,  321W for Around $1,720
Component Description
 
Intel Core i7-5820K Processor 3.3GHz 0GT/s 15MB LGA 2011-v3 CPU w/o Fan, Retail (BX80648I75820K)
6-Core 22nm Haswell-E 140W CPU with 15MB L3 Cache and 6 x 256KB L2 Cache. Absolutely screams performance. It does run a bit hot, but we have a great CPU cooler and three quiet fans in the case. 3 year limited warranty.
Cooler Master Hyper T4 CPU Cooler with 4 Direct Contact Heatpipes RR-T4-18PK-R1
Four Direct Contact heat pipes for seamless contact between the cooler and CPU. 120mm wide range PWM fan. RPM can be fine tuned for maximum airflow or whisper quiet operation. Snap-on fan brackets to quickly and easily install, remove, clean, or replace the fan or heat sink. Includes a syringe of thermal compound.
 
Crucial 8GB Single DDR4 2133 MT/s (PC4-17000) CL15 DR x8 Unbuffered DIMM 288-Pin Desktop Memory CT8G4DFD8213
These are single DIMMs, so you'll need 8 of them for 64GB. 1.2V 288-pin 2133 MT/s DDR4 SDRAM, CAS latency 15; with four or eight DIMMs installed the X99 board runs them in quad-channel mode. Great RAM at a fantastic price. Each package contains 1x 8GB DIMM. 100% tested and comes with a lifetime warranty.
 
ASRock ATX DDR4 Motherboard X99 EXTREME4
I chose this LGA 2011-v3 ATX motherboard because it has the Intel X99 chipset and supports up to 128GB RAM. It has 10x SATA III 6Gb/s connectors and 6x USB 3.0 Ports (4 rear, 2 via header); 8x USB 2.0 Ports (4 rear, 4 via headers). It has 3x PCI-Express 3.0 x16 Slots (one runs at x8), 1x PCI-Express 2.0 x16 Slot (runs at x4), and 1x PCI-Express 2.0 x1 Slot. It also has a great UEFI BIOS. Includes 4x SATA cables. 3 year limited warranty.
GIGABYTE GeForce 210 Silent 1GB DDR3 DVI-I / D-Sub / HDMI Low Profile Graphics Card, GV-N210SL-1GI
Unlike the LGA 1150 Core i5 in Build #1, the LGA 2011-v3 Haswell-E Core i7 and Xeon E5 CPUs have no integrated graphics, so a video card is required. This fan-less 1GB GeForce 210 card has DVI-I, D-Sub, and HDMI outputs and draws very little power. Perfect for a server that only needs a console.
 
Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
250GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 5 year limited warranty.
 
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
1TB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Skype servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 5 year limited warranty.
 
WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.
 
Samsung SATA 1.5 Gb-s Optical Drive, Black SH-224DB/BEBE
Great quality 24x ±RW DVD burner. It's cheap, too. SATA 3 is backward compatible with SATA and SATA 2.
  Rosewill Black SECC Steel USB 3.0 Mid Tower Computer Case REDBONE U3
ATX mid tower case with 1 x Front 120mm Red LED Fan, 1 x Rear 120mm Fan, and 1 x Side 120mm Fan to keep everything nice and cool. 2 x USB 3.0 Ports, 1 x e-SATA, Audio In/Out (HD) ports, and Power / Reset buttons on top. PSU shock-proof pad. Great Rosewill quality and roomy enough to take that enormous Cooler Master CPU cooler.
  Corsair CX Series 430 Watt ATX/EPS Modular 80 PLUS Bronze ATX12V/EPS12V 384 Power Supply CX430M
Modular cabling system lets you use only the cables you need. Universal AC input from 90-264V. Up to 85% energy efficiency means less heat generation and lower energy bills. Super quiet. A three year warranty and lifetime access to Corsair's legendary technical support and customer service.
 
SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.

This Core i7 server build was requested almost as much as Build #1. It offers screaming performance and double the RAM for double the VM capacity. As you can see, I've traded the 500GB SSD for a 1TB SSD to use for active VMs. This was cost prohibitive just 6 months ago. FTW!

You'll notice that this motherboard is capable of supporting 128GB of RAM, but at the time these builds were written there are no 16GB unbuffered DDR4 DIMMs on the market to support that configuration. If you really want to build a 128GB server you'll need to go with Build #3, which uses 4x16GB ECC registered RAM and can scale out to 8x16GB.

Important Note: Both the Intel Core i7 and Xeon E5 server builds use the ASRock X99 Extreme4 motherboard, which has an integrated Intel I218-V gigabit NIC. I love this motherboard, but unfortunately Intel's drivers for its desktop (-V) NICs refuse to install on Windows Server operating systems. I detailed how to overcome this in my Gen5 server build (look toward the end of the article), and there's another very good article here that also covers it. You'll need to go through these steps to install and/or upgrade the Intel NIC drivers for Builds #2 or #3. Keep in mind that the workaround involves editing the driver's INF, which invalidates the driver's signature; if you would rather not load a modified kernel driver on your Hyper-V host, the add-on PCI-e NIC in the options table below sidesteps the problem entirely.


Build #3 -- Intel Xeon E5 Hexa-Core, 64GB RAM (4x16) Expandable to 128GB, SSD, ATX Form-Factor,  272W for Around $1,835
Component Description
 
Intel Xeon E5-2609 V3 Hexa-core [6 Core] 1.90 Ghz Processor
6-Core 22nm Haswell-EP CPU, 1.9GHz with no Turbo Boost or Hyper-Threading, 85W TDP, 15MB L3 Cache and 6 x 256KB L2 Cache. Lower clocked than the i7-5820K, but it supports ECC registered memory, which is what lets this build scale to 128GB. 3 year limited warranty.
ARCTIC Freezer i11 CPU Cooler for Intel, 150W Cooling Capacity, 3 Direct Touch Heatpipes, Vibration-Dampened Fan, 23dBA Noise
Three direct-touch heat pipes for seamless contact between the cooler and CPU, rated for 150W of cooling capacity, which is plenty for the 85W Xeon. Vibration-dampened PWM fan rated at 23 dBA, so it runs whisper quiet. Easy to install, remove, and clean.
 
Crucial 64GB Kit (16GBx4) DDR4 2133 (PC4-2133) DR x4 ECC Registered 288-Pin Server Memory CT4K16G4RFD4213 / CT4C16G4RFD4213
1.2V 288-pin 2133 MT/s DDR4 ECC registered SDRAM, CAS latency 15, run in quad-channel mode on X99. Great RAM at a fantastic price. The kit contains 4x 16GB DIMMs (64GB). 100% tested and comes with a lifetime warranty.
 
ASRock ATX DDR4 Motherboard X99 EXTREME4
I chose this LGA 2011-v3 ATX motherboard because it has the Intel X99 chipset and supports up to 128GB RAM. It has 10x SATA III 6Gb/s connectors and 6x USB 3.0 Ports (4 rear, 2 via header); 8x USB 2.0 Ports (4 rear, 4 via headers). It has 3x PCI-Express 3.0 x16 Slots (one runs at x8), 1x PCI-Express 2.0 x16 Slot (runs at x4), and 1x PCI-Express 2.0 x1 Slot. It also has a great UEFI BIOS. Includes 4x SATA cables. 3 year limited warranty.
GIGABYTE GeForce 210 Silent 1GB DDR3 DVI-I / D-Sub / HDMI Low Profile Graphics Card, GV-N210SL-1GI
Unlike the LGA 1150 Core i5 in Build #1, the LGA 2011-v3 Haswell-E Core i7 and Xeon E5 CPUs have no integrated graphics, so a video card is required. This fan-less 1GB GeForce 210 card has DVI-I, D-Sub, and HDMI outputs and draws very little power. Perfect for a server that only needs a console.
 
Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
250GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 5 year limited warranty.
 
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
1TB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Skype servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 5 year limited warranty.
 
WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.
 
Samsung SATA 1.5 Gb-s Optical Drive, Black SH-224DB/BEBE
Great quality 24x ±RW DVD burner. It's cheap, too. SATA 3 is backward compatible with SATA and SATA 2.
  Rosewill Black SECC Steel USB 3.0 Mid Tower Computer Case REDBONE U3
ATX mid tower case with 1 x Front 120mm Red LED Fan, 1 x Rear 120mm Fan, and 1 x Side 120mm Fan to keep everything nice and cool. 2 x USB 3.0 Ports, 1 x e-SATA, Audio In/Out (HD) ports, and Power / Reset buttons on top. PSU shock-proof pad. Great Rosewill quality and roomy enough to take that enormous ARCTIC Freezer CPU cooler.
  Corsair CX Series 430 Watt ATX/EPS Modular 80 PLUS Bronze ATX12V/EPS12V 384 Power Supply CX430M
Modular cabling system lets you use only the cables you need. Universal AC input from 90-264V. Up to 85% energy efficiency means less heat generation and lower energy bills. Super quiet. A three year warranty and lifetime access to Corsair's legendary technical support and customer service.
 
SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.

Build #3 delivers the ultimate in scalability and reliability. Since this server uses registered ECC RAM it can scale out to 128GB -- just buy two of the Crucial 4x16GB memory kits. Like Build #2, this server utilizes a 1TB drive for active VMs. With disk deduplication enabled I sincerely believe you can place all your active VMs there with no problem.

There are a number of options you can add to each of these builds:


Server Build Options
Component Description
 
TP-LINK TG-3468 10/100/1000Mbps Gigabit PCI Express Network Adapter
This PCI-e NIC will work in any of the three builds. Best practice for Hyper-V hosts is a dedicated NIC for host management, separate from the NIC the virtual switch uses for VM traffic. This inexpensive card lets you do just that, and on Builds #2 and #3 it also lets you skip monkeying around with the Intel I218-V drivers.
 
Samsung 850 Pro 256GB 2.5-Inch SATA III Internal SSD (MZ-7KE256BW)
Upgrade your 256GB SATA III 6Gb/s SSD to the 850 Pro version with 3D VNAND technology. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 10 year warranty.
 
Samsung 850 Pro 1 TB 2.5-Inch SATA III Internal SSD (MZ-7KE1T0BW)
Upgrade your 1TB SATA III 6Gb/s SSD used for active VMs to the 850 Pro. Delivers up to 90K IOPS 4KB random read / 100K IOPS 4KB random write speed. 10 year limited warranty.
Sabrent 74-In-1 3.5-Inch Internal Flash Media Card Reader/writer with USB Port (CR-USNT)
Adds another USB 2.0 port to the front of the server. Supports 74 different types of memory cards. The 6 card reader slots include all formats of the following flash media types: M2, XD, SD/SDHC/SDXC/MMC, Micro SD/SDHC/SDXC (T-flash) CF/MD, MS
 
Rosewill RDCR-11003 74-In-1 USB 3.0 3.5-Inch Internal Card Reader with USB Port (RDCR-11003)
This is the same type of card reader, but includes a USB 3.0 port instead of USB 2.0 and is better quality.
 
Cable Matters SuperSpeed USB 3.0 Type A Male to Female Extension Cable in Black 10 Feet
I strongly recommend getting one of these. Plug the male end into the back of the server and feed the female end up to your workspace for a super-convenient USB 3.0 port where you need it.
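Wiring up the dedicated management NIC from the options table, as an added example that is not part of the original post. It assumes the onboard NIC shows up as "Ethernet" and the add-on TP-LINK card as "Ethernet 2"; check with `Get-NetAdapter` first, because Windows numbers adapters in the order it enumerates them.

```powershell
# Added example (not from the original post). Adapter names are assumptions;
# run Get-NetAdapter and substitute your own. Run as Administrator.

# See what the host has before touching anything.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, LinkSpeed

# Give the two NICs names that say what they are for.
Rename-NetAdapter -Name 'Ethernet'   -NewName 'Management'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'VM-Uplink'

# Build the external switch on the VM uplink only. -AllowManagementOS $false
# means no host vNIC is created on the switch, so RDP, WinRM and Windows
# Update traffic for the host never shares a wire with guest VMs.
New-VMSwitch -Name 'External' -NetAdapterName 'VM-Uplink' -AllowManagementOS $false

# Verify: the switch is external and the host owns no adapter on it.
Get-VMSwitch -Name 'External' | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapter -ManagementOS      # expect no output

# Tie the host's remote-management listeners to the management NIC so the
# VM uplink cannot reach them even if a guest ends up on the wrong VLAN.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -InterfaceAlias 'Management'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -InterfaceAlias 'Management'

# Attach a VM to the switch (VM name is an assumption).
Connect-VMNetworkAdapter -VMName 'DC01' -SwitchName 'External'
```

Renaming the adapters is cosmetic, but it makes the switch binding and the firewall scoping readable six months later when you have forgotten which port is which.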

I hope these builds give you the confidence to build your own home lab server. I'm interested to hear your experiences in the comments section below. Happy building!


