MCTS Training Kit (Exam 70-662): Configuring Microsoft Exchange Server 2010, part 4


Lesson 2: Conguring Federated Sharing CHAPTER 6 249 FIGURE 6-11 The New Organizational Relationship Wizard External Organization page 4. Click Next. On the New Organizational Relationship page of the wizard, shown in Figure 6-12, you can review the summary of the organizational relationship and then click New to create the organizational relationship. You can click Finish on the Completion page to close the wizard or click Back and review your settings if a problem occurred when creating the relationship. FIGURE 6-12 The New Organizational Relationship page 250 CHAPTER 6 Federated Sharing and Role Based Access Control To use the EMS to create an organization relationship, you must use the Get-FederationInformation cmdlet to identify the domain names provided for the external organization. This cmdlet accesses the Federated Organization Identier (OrgID), which denes which of the authoritative accepted domains congured in the Exchange organization are enabled for federation. You pipe the output from the Get-FederationInformation cmdlet into the New-OrganizationRelationship cmdlet, which attempts to automatically discover conguration information from the external organization and, if successful, creates the organizational relationship as specied. The following command creates an organization relationship with the Contoso organization, enabling free or busy information and specifying that the requesting organization receives free or busy, subject, and location information from the target organization: Get-FederationInformation -DomainName Contoso.com | New-OrganizationRelationship -Name "Contoso" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel -LimitedDetails When you have created an organizational relationship, you can use the Set-OrganizationRelationship cmdlet to change its settings. 
For example, the following command disables the organization relationship with Contoso:

Set-OrganizationRelationship -Identity "Contoso" -Enabled $false

You can review your own organization's federation configuration by using the Get-FederatedOrganizationIdentifier EMS cmdlet, which retrieves the Microsoft Exchange Server 2010 organization's federated organization identifier and related details, such as federated domains, organization contact, and status. To obtain the status of each federated domain from the Federation Gateway, include the IncludeExtendedDomainInfo parameter:

Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo

You use the Set-FederatedOrganizationIdentifier EMS cmdlet to configure the federated organization identifier. Configuring it creates an account namespace for your Exchange organization with the Federation Gateway and enables federation, so that you can use the facilities federation provides, such as sharing calendars or contacts and accessing free or busy information. Typically, an organization's federated organization identifier is created by using the organization's primary domain name. Additional domain names can be added and removed later by using the Add-FederatedDomain cmdlet (described earlier in this lesson) and the Remove-FederatedDomain cmdlet. For example, the following command configures and enables a federated organization identifier for the Adatum.com Exchange organization:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace "Adatum.com" -Enabled $true

MORE INFO ORGANIZATIONAL RELATIONSHIP CMDLETS
For more information about the Get-FederationInformation cmdlet, see http://technet.microsoft.com/en-us/library/dd351221.aspx.
For more information about the New-OrganizationRelationship cmdlet, see http://technet.microsoft.com/en-us/library/ee332357.aspx. For more information about the Set-OrganizationRelationship cmdlet, see http://technet.microsoft.com/en-us/library/ee332326.aspx. For more information about the Get-FederatedOrganizationIdentifier cmdlet, see http://technet.microsoft.com/en-us/library/dd298149.aspx. For more information about the Set-FederatedOrganizationIdentifier cmdlet, see http://technet.microsoft.com/en-us/library/dd351037.aspx.

Configuring Sharing Policies

Sharing policies define which users in your organization can share information with users in other federated organizations and what types of information those users can share. The default sharing policy is created when you install Exchange Server 2010. It enables sharing with all domains but permits only calendar sharing with free or busy information, and it governs every mailbox to which no other sharing policy has been explicitly assigned. If you want to change what users can share with a federated organization, you can modify the default sharing policy or create a new sharing policy and assign it to their mailboxes. When you create a new sharing policy, you configure the name of each external domain and the sharing actions permitted for that domain under the policy.
Sharing options include the following:

• Calendar sharing with free or busy information only
• Calendar sharing with free or busy information, subject, and location
• Calendar sharing with free or busy information, subject, location, and body
• Contacts sharing
• Calendar sharing with free or busy information only, and contacts sharing
• Calendar sharing with free or busy information, subject, and location, and contacts sharing
• Calendar sharing with free or busy information, subject, location, and body, and contacts sharing

Configuring a sharing policy requires that a federation trust has been created between your Exchange 2010 organization and the Federation Gateway and that the federated organization identifier is configured. Recipients in an external domain can access your users' information only if they belong to an Exchange 2010 organization and their domain is federated.

To use the EMC to configure sharing policies, carry out the following procedure:

1. Click Mailbox under Organization Configuration in the Console tree.
2. In the Result pane, click the Sharing Policies tab, right-click the sharing policy you want to configure, and then click Properties.
3. On the General tab of the sharing policy Properties dialog box, shown in Figure 6-13, you can change the policy name, add one or more external domains, specify the sharing action for each domain, and enable or disable the policy.

FIGURE 6-13 The General tab of the sharing policy Properties dialog box

4. On the Mailboxes tab, shown in Figure 6-14, you can add or remove the mailboxes in your organization to which this sharing policy applies.

FIGURE 6-14 The Mailboxes tab of the sharing policy Properties dialog box

5. Click OK to apply your policy changes and close the dialog box.
Lesson 2: Conguring Federated Sharing CHAPTER 6 253 NOTE CREATING A NEW SHARING POLICY The settings you specify when creating a new sharing policy are similar to the settings you can edit when conguring a sharing policy. In this case, click Mailbox under Organization Conguration in the Console tree and then click New Sharing Policy in the Result pane. NOTE APPLYING A SHARING POLICY TO A MAILBOX You can also apply a sharing policy to a specic mailbox by using the Mailbox Settings tab in the mailbox’s Properties dialog box. You can use the New-SharingPolicy cmdlet in the EMS to create a sharing policy and the Set-SharingPolicy cmdlet to modify a policy. For example, the following command creates a sharing policy called Blue Sky Airlines for the mail.BlueSkyAirlines.com domain, which is external to your organization. This policy allows users in the mail.BlueSkyAirlines.com domain to see detailed free or busy information and contacts. By default, the policy is enabled: New-SharingPolicy -Name "Blue Sky Airlines" -Domains 'mail.BlueSkyAirlines.com: CalendarSharingFreeBusyDetail, ContactsSharing' The following command modies a sharing policy named Contoso for the contoso.com domain, which is external to your organization, so that users in the Contoso domain can see your users’ availability (free or busy) information: Set-SharingPolicy -Identity Contoso -Domains 'contoso.com: CalendarSharingFreeBusySimple, Contacts' To get details about a sharing policy, you can use the Get-SharingPolicy EMS cmdlet. For example, the following command displays all the available information for the sharing policy Blue Sky Airlines: Get-SharingPolicy "Blue Sky Airlines" | FL If you no longer require a sharing policy, you can remove it using the Remove- SharingPolicy EMS cmdlet. Note that you cannot remove a sharing policy that has mailboxes assigned to it and that you need to assign them to another policy rst. 
The following command removes the sharing policy Blue Sky Airlines and suppresses the prompt that would otherwise require you to enter Y to confirm the removal:

Remove-SharingPolicy -Identity "Blue Sky Airlines" -Confirm:$false

MORE INFO NEW-SHARINGPOLICY, SET-SHARINGPOLICY, AND GET-SHARINGPOLICY
For more information about the New-SharingPolicy cmdlet, see http://technet.microsoft.com/en-us/library/dd298186.aspx. For more information about the Set-SharingPolicy cmdlet, see http://technet.microsoft.com/en-us/library/dd297931.aspx. For more information about the Get-SharingPolicy cmdlet, see http://technet.microsoft.com/en-us/library/dd335081.aspx. For more information about the Remove-SharingPolicy cmdlet, see http://technet.microsoft.com/en-us/library/dd351071.aspx.

Configuring Mailboxes to Use Sharing Policies

You can configure mailboxes to use sharing policies by using the Get-Mailbox and Set-Mailbox EMS cmdlets. A command based on the Get-Mailbox cmdlet obtains the mailbox or mailboxes to which you want to apply the sharing policy by using the criteria you define (for example, all mailboxes associated with the Sales Department). You pipe the output from this command into a command based on the Set-Mailbox cmdlet, which applies the sharing policy. For example, the following command configures all mailboxes associated with the Marketing Department to use the Adatum Marketing sharing policy:

Get-Mailbox -Filter {Department -eq "Marketing"} | Set-Mailbox -SharingPolicy "Adatum Marketing"

Before you run a command like this in a production organization, run the Get-Mailbox part on its own and check that the filter returns only the mailboxes you intend; a filter that is too broad silently grants sharing rights to everyone it matches. Also note that Get-Mailbox returns at most 1,000 results by default, so add -ResultSize Unlimited in a large organization.

You can also use a command based on the Get-Mailbox cmdlet to list the mailboxes that use a specific sharing policy. To give a convenient display, you can pipe the result into the Format-Table cmdlet.
For example, the following command returns all the mailboxes in an organization that are provisioned to use the Adatum Marketing sharing policy and lists their aliases and primary email addresses:

Get-Mailbox -ResultSize Unlimited | Where {$_.SharingPolicy.Name -eq "Adatum Marketing"} | Format-Table Alias, PrimarySmtpAddress

MORE INFO GET-MAILBOX AND SET-MAILBOX
For more information about the Get-Mailbox cmdlet, see http://technet.microsoft.com/en-us/library/bb123685.aspx. For more information about the Set-Mailbox cmdlet, see http://technet.microsoft.com/en-us/library/bb123981.aspx.

Sharing Information with Users in an External Organization

The sharing policies you configure determine what your users can share with users from another organization. The mailboxes to which you apply a sharing policy determine which users can share this information. Suppose, for example, that you create a sharing policy named Fabrikam01 for the external domain fabrikam.com that permits your users to share calendar free or busy information, subject, and location, and you apply this policy to all the mailboxes belonging to users in the Marketing Department. Suppose you also create a sharing policy named Fabrikam02 for the same external domain that permits your users to share calendar free or busy information only and contacts, and you apply this policy to all the mailboxes belonging to users in the Sales Department.

Don Hall, a user in the Marketing Department, can now send sharing invitations through his email client to users in the fabrikam.com domain. If these invitations are accepted, Don can share his calendar free or busy information, subject information, and location with these users.

Jeff Hay, a user in the Sales Department, can also send sharing invitations through his email client to users in the fabrikam.com domain. If these invitations are accepted, Jeff can share his calendar free or busy information and his contacts with these users.
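The following script is an added example rather than code from the training kit. It ties together the sharing policy and mailbox commands above by doing what you would do before an audit or before removing a policy: it lists every sharing policy with the exposure each external domain receives, flags the entries that reveal calendar bodies or that give more than plain free or busy information to the wildcard domain, and then groups mailboxes by the policy that actually governs them, including mailboxes that have no explicit assignment and therefore fall under the default policy. The script parses each Domains entry in its string form ('domain: Action, Action', the format New-SharingPolicy accepts); that parsing is this script's choice and not a property of the Exchange API.

```powershell
# Added example (not from the training kit): audit sharing policies for
# over-broad exposure and list which mailboxes each policy governs.
# Assumes an Exchange 2010 EMS session. Each Domains entry is handled in its
# string form "domain: Action, Action"; parsing that string is this script's
# approach, not a documented API surface.

# Calendar detail levels from least to most exposure. ContactsSharing is
# tracked separately because it reveals a different data set.
$CalendarRank = @{
    "CalendarSharingFreeBusySimple"   = 1   # free/busy only
    "CalendarSharingFreeBusyDetail"   = 2   # + subject and location
    "CalendarSharingFreeBusyReviewer" = 3   # + body: notes, dial-ins, attachments
}

function Get-SharingPolicyExposure {
    # One row per (policy, domain). Review is set when a domain gets calendar
    # bodies, or when the wildcard domain "*" gets more than plain free/busy.
    foreach ($policy in Get-SharingPolicy) {
        foreach ($entry in $policy.Domains) {
            $domain, $actionText = "$entry" -split ":", 2
            $domain  = $domain.Trim()
            $actions = @("$actionText" -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $level = 0
            foreach ($a in $actions) {
                if ($CalendarRank.ContainsKey($a) -and $CalendarRank[$a] -gt $level) {
                    $level = $CalendarRank[$a]
                }
            }
            [pscustomobject]@{
                Policy         = $policy.Name
                Enabled        = $policy.Enabled
                Domain         = $domain
                CalendarLevel  = $level
                SharesContacts = ($actions -contains "ContactsSharing")
                Review         = ($level -ge 3) -or ($domain -eq "*" -and $level -ge 2)
            }
        }
    }
}

function Get-MailboxesBySharingPolicy {
    # Mailboxes grouped by the policy that governs them. A mailbox with no
    # explicit assignment is governed by the default sharing policy, whether
    # its SharingPolicy attribute shows that policy's name or is empty.
    Get-Mailbox -ResultSize Unlimited |
        Group-Object { if ($_.SharingPolicy) { $_.SharingPolicy.Name } else { "(none: default policy applies)" } } |
        ForEach-Object {
            [pscustomobject]@{
                Policy    = $_.Name
                Count     = $_.Count
                Mailboxes = ($_.Group | ForEach-Object { "$($_.PrimarySmtpAddress)" }) -join "; "
            }
        }
}

Get-SharingPolicyExposure | Sort-Object Review, CalendarLevel -Descending | Format-Table -AutoSize
Get-MailboxesBySharingPolicy | Format-Table -AutoSize -Wrap
```

The second table is also the list you need before Remove-SharingPolicy: a policy cannot be removed while any mailbox in its group still points at it.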
Any of your users who do not have a specific sharing policy assigned to their mailbox might still be able to share information with users in a federated domain; this depends on your organization's default sharing policy, which governs every mailbox that has no other policy assigned. The details that the users in the fabrikam.com domain can, in turn, share with your users depend on the sharing policies the Fabrikam administrators have configured and applied to the mailboxes in their domain.

Subject Alternative Name (SAN) Certificates

If you need to protect multiple host names with a single certificate, you can use a SAN certificate. This allows you to specify a list of host names and protect them with a single SSL certificate. SANs enable you to secure host names on different base domains with one certificate and to host multiple virtual SSL sites on a single IP address. Typically, hosting multiple SSL-enabled sites on a single server requires a unique IP address per site, but a SAN certificate, also known as a Unified Communications (UC) SSL certificate, solves this problem. Both Microsoft Internet Information Services version 6 or later and the Apache HTTP server can use SAN certificates to host virtual websites.

SAN certificates can secure multiple fully qualified domain names with a single certificate. They are used to secure Exchange Server 2010 sites where several names (for example, the external mail host name, the Autodiscover name, and the server's internal name) resolve to a single IP address, such as in a shared hosting environment. Using a SAN certificate saves the time required to configure multiple IP addresses on an Exchange server and bind each IP address to a different certificate. Bear in mind that every name in the SAN list is a name the certificate's private key can present as its own, so a certificate shared across several services is only as well protected as the least secure server that holds that key.

When browsers connect to servers using HTTPS, they check that the SSL certificate matches the host name in the address bar. Browsers find a match in one of the following ways:

• The host name in the address bar exactly matches the common name in the certificate's Subject field.
• The host name matches a wildcard common name. For example, www.contoso.com matches the common name *.contoso.com. A wildcard covers exactly one label, so *.contoso.com covers neither contoso.com itself nor mail.eu.contoso.com.
• The host name is listed in the Subject Alternative Name field.

Normally, a browser compares the server name it connects to with the common name in the server certificate. However, if an SSL certificate has a SAN field, SSL clients typically ignore the common name value and look for a match only in the SAN list; a host name that appears in the common name but not in the SAN list is therefore not covered.

Microsoft Internet Explorer, Microsoft Windows Mobile 5, Firefox, Opera, Safari, and Netscape all support SAN certificates. However, some mobile devices do not support SAN certificates, although all of them support exact common name matching.

Assigning the Federated Sharing Role

Federated Sharing is a built-in management role that enables you to manage cross-forest and cross-organization sharing. It is one of several roles that make up the RBAC permissions model discussed in Lesson 1, "Role Based Access Control." This section applies the RBAC concept to the Federated Sharing management role.

If you want the Federated Sharing management role to grant permissions, it must first be assigned to a role assignee, which can be a role group, a user, or a universal security group. You may also need to apply a custom or built-in management scope to specify which recipient and server objects the role assignees can modify. If the role is assigned to a role assignee but a management scope allows that assignee to manage only certain objects, the assignee can use the permissions granted by the role only on those objects.

The Federated Sharing management role is assigned to one or more role groups by default. You can use the Get-ManagementRoleAssignment EMS cmdlet, discussed in Lesson 1, to list these groups.
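The following script is an added example, not code from the training kit, showing the host name matching rules the sidebar describes as a TLS client applies them: an exact common name match, a single-label wildcard match, and SAN entries that take precedence over the common name whenever they are present. The certificate names it checks (mail.adatum.com, autodiscover.adatum.com, van-ex1.adatum.internal) are constructed for the demonstration. The Get-CertificateDnsNames helper reads SAN entries out of a real X509Certificate2, such as one returned by Get-ExchangeCertificate, but relies on the Windows text rendering of the SAN extension, which is an assumption of this script rather than a documented interface.

```powershell
# Added example (not from the training kit): the host-name matching rules a
# TLS client applies to a server certificate, as described in the sidebar.
# The certificate data near the end is constructed for the demonstration;
# nothing here is read from a live server.

function Test-HostNameMatch {
    param([string]$HostName, [string]$Pattern)
    # Exact, case-insensitive match (DNS names are not case sensitive).
    if ($HostName -ieq $Pattern) { return $true }
    # Wildcard: only a leading "*." is honoured, and it covers exactly ONE label,
    # so *.contoso.com matches www.contoso.com but not contoso.com itself and
    # not mail.eu.contoso.com.
    if ($Pattern.StartsWith("*.")) {
        $suffix = $Pattern.Substring(1)                       # ".contoso.com"
        if ($HostName.Length -le $suffix.Length) { return $false }
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $leftmost = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($leftmost -notmatch '\.')                     # must be a single label
    }
    return $false
}

function Test-CertificateCoversHost {
    param(
        [string]$HostName,
        [string]$CommonName,              # CN from the certificate's Subject field
        [string[]]$SubjectAltNames = @()  # dNSName entries from the SAN extension
    )
    if ($SubjectAltNames.Count -gt 0) {
        # When dNSName SANs are present the CN is ignored entirely (RFC 2818 /
        # RFC 6125), so a CN that is missing from the SAN list protects nothing.
        foreach ($san in $SubjectAltNames) {
            if (Test-HostNameMatch -HostName $HostName -Pattern $san) { return $true }
        }
        return $false
    }
    return (Test-HostNameMatch -HostName $HostName -Pattern $CommonName)
}

function Get-CertificateDnsNames {
    # Extract dNSName SANs from a real X509Certificate2 (for example one returned
    # by Get-ExchangeCertificate) so the functions above can be run against it.
    # Relies on the Windows text rendering of the SAN extension ("DNS Name=...");
    # that format is an assumption of this script, not a documented API.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Constructed Exchange-style SAN certificate: the CN is the public mail host and
# the SAN list also covers Autodiscover and the server's internal name.
$cn   = "mail.adatum.com"
$sans = @("mail.adatum.com", "autodiscover.adatum.com", "van-ex1.adatum.internal")

foreach ($h in "mail.adatum.com", "autodiscover.adatum.com", "owa.adatum.com") {
    "{0,-28} covered by SAN certificate: {1}" -f $h, (Test-CertificateCoversHost $h $cn $sans)
}

# Same CN but no SAN extension at all: only the CN is consulted.
"autodiscover.adatum.com covered by CN-only certificate: " +
    (Test-CertificateCoversHost "autodiscover.adatum.com" $cn)

# Wildcard CN: one label to the left of the dot, never the bare domain.
foreach ($h in "www.contoso.com", "contoso.com", "mail.eu.contoso.com") {
    "{0,-28} covered by *.contoso.com: {1}" -f $h, (Test-CertificateCoversHost $h "*.contoso.com")
}
```

To check a certificate already installed on a Client Access server, pipe it through the helper: Get-ExchangeCertificate -Thumbprint <thumbprint> | ForEach-Object { Get-CertificateDnsNames $_ } gives the SAN list to pass as the third argument, and any published name missing from that list is a name users will see a certificate warning for.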
To see role details, including a list of the role groups, users, or universal security groups assigned this role, enter the following command in the EMS:

Get-ManagementRoleAssignment -Role "Federated Sharing" | FL

Figure 6-15 shows part of the output of this command.

FIGURE 6-15 Management assignment details for the federated sharing role

You can also remove the Federated Sharing management role from built-in role groups, from role groups you create, and from users and universal security groups. However, there must always be at least one delegating role assignment for this role granted to a role group or universal security group; you cannot delete the last delegating role assignment. This limitation helps prevent administrators from locking themselves out of the system. Delegating role assignments were discussed in Lesson 1.

Adding the Federated Sharing management role to a role group gives the members of that role group the ability to manage federated sharing. You can use the New-ManagementRoleAssignment cmdlet in the EMS, discussed in Lesson 1, to add the role to a role group. For example, the following command assigns the Federated Sharing management role to the Adatum Federation role group without defining a scope:

New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing"

The following command assigns the Federated Sharing role to the Adatum Federation role group and applies the Organization predefined scope. (Role assignment names must be unique, so if you ran the preceding command, give this one a different name or remove the first assignment.)

New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing" -RecipientRelativeWriteScope Organization

If a predefined scope does not meet your needs, you can use a recipient filter to define a scope.
For example, the following command creates a scope that includes all user mailboxes within the Federation Managers OU in the Adatum.com domain:

New-ManagementScope -Name "Mailboxes in Federation Managers OU" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "Adatum.com/Federation Managers OU"

The following command assigns the Federated Sharing role to the Adatum Federation role group and applies the Mailboxes in Federation Managers OU scope that you created by using the previous command:

New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing" -CustomRecipientWriteScope "Mailboxes in Federation Managers OU"

Removing the Federated Sharing Role from a Role Group

If you do not want members of a management role group to have permission to manage federated sharing, you remove the role assignment between the role group and the Federated Sharing management role that grants the permission. All members of the role group lose the ability to manage federated sharing when you remove the role assignment. If you want to remove the permission from one member only, remove that member from the role group instead.

To remove a management role assignment from a management role group, you first need to find the name of the management role assignment that assigns the role to the role group (unless you already know it). In the example given in this lesson, the role group is Adatum Federation. To find the name of the management role assignment, enter the following command in the EMS:

Get-ManagementRoleAssignment -RoleAssignee "Adatum Federation"

In this instance, the command returns the management role assignment name "Federated Sharing Adatum Federation".
You could remove this role assignment by entering the following command:

Remove-ManagementRoleAssignment "Federated Sharing Adatum Federation"

This removes the role assignment that enables members of the Adatum Federation role group to manage federated sharing.

MORE INFO REMOVE-MANAGEMENTROLEASSIGNMENT AND GET-MANAGEMENTROLEASSIGNMENT
For more information about the Remove-ManagementRoleAssignment cmdlet, see http://technet.microsoft.com/en-us/library/dd351205.aspx. For more information about the Get-ManagementRoleAssignment cmdlet, see http://technet.microsoft.com/en-us/library/dd351024.aspx (this link was given in Lesson 1 but is repeated here for convenience).

Adding the Federated Sharing Role to a User or Universal Security Group

You can use management role assignments to assign the Federated Sharing management role directly to a user or to a universal security group. By assigning a role to a user or universal security group, you enable the user or the group's members to perform the tasks that depend on the cmdlets or scripts associated with the Federated Sharing management role. The commands to assign the Federated Sharing role to a universal security group are the same as those used to assign the role to a management role group, except that the SecurityGroup parameter identifies a universal security group rather than a role group. To assign the role to an individual user (not recommended, because direct assignments are harder to track and to revoke consistently than role group membership), use a command similar to the following:

New-ManagementRoleAssignment -Name "Federated Sharing Don Hall" -User "Don Hall" -Role "Federated Sharing"

To remove a role assignment from a user or universal security group, follow the same procedure as for a management role group: if necessary, first use the Get-ManagementRoleAssignment cmdlet to determine the name of the assignment, and then use the Remove-ManagementRoleAssignment cmdlet to remove it.
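The following script is an added example and not code from the training kit. It puts the role assignment, scoping, and removal steps of this section into one safe procedure: it creates the custom scope before the assignment so that the role never briefly applies to every recipient, reuses an existing assignment instead of failing on a duplicate name, expands role group membership to the individual accounts that can actually run the Federated Sharing cmdlets, and refuses to remove a delegating assignment unless another one for the role remains. The role group Adatum Federation, the Federation Managers OU, and the scope name follow the lesson's own examples; the function names are this script's.

```powershell
# Added example (not from the training kit): grant the Federated Sharing role
# with the narrowest scope that works, prove who actually received it, and
# remove an assignment only when doing so cannot lock administrators out.
# Assumes an Exchange 2010 EMS session and the lesson's objects: the
# "Adatum Federation" role group and the "Federation Managers OU" in Adatum.com.

function Grant-FederatedSharingScoped {
    param(
        [string]$RoleGroup = "Adatum Federation",
        [string]$ScopeName = "Mailboxes in Federation Managers OU",
        [string]$OuPath    = "Adatum.com/Federation Managers OU"
    )
    # Scope first: an assignment created without a scope can write to every
    # recipient in the organization until the scope is added.
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName `
            -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
            -RecipientRoot $OuPath | Out-Null
    }
    $name = "Federated Sharing $RoleGroup"
    # Assignment names are unique; reuse an existing one instead of erroring.
    $assignment = Get-ManagementRoleAssignment -Identity $name -ErrorAction SilentlyContinue
    if (-not $assignment) {
        $assignment = New-ManagementRoleAssignment -Name $name -SecurityGroup $RoleGroup `
            -Role "Federated Sharing" -CustomRecipientWriteScope $ScopeName
    }
    $assignment
}

function Show-FederatedSharingHolders {
    # Role groups hide nesting; -GetEffectiveUsers expands them to the accounts
    # that can really run the role's cmdlets, which is what an auditor wants.
    Get-ManagementRoleAssignment -Role "Federated Sharing" -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
                      RoleAssignmentDelegationType, RecipientWriteScope,
                      CustomRecipientWriteScope |
        Sort-Object EffectiveUserName | Format-Table -AutoSize
}

function Remove-FederatedSharingAssignmentSafely {
    param([string]$AssignmentName)
    $target = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction Stop
    if ($target.RoleAssignmentDelegationType -eq "Delegating") {
        # Exchange refuses to delete the last delegating assignment, but checking
        # here gives a clear message and avoids a half-finished change.
        $others = Get-ManagementRoleAssignment -Role "Federated Sharing" -Delegating $true |
            Where-Object { $_.Name -ne $target.Name }
        if (-not $others) {
            throw "Refusing: '$AssignmentName' is the only delegating assignment for Federated Sharing."
        }
    }
    Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
    Write-Host "Removed $AssignmentName. Remaining holders of the role:"
    Show-FederatedSharingHolders
}

Grant-FederatedSharingScoped | Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope
Show-FederatedSharingHolders
# To revoke later: Remove-FederatedSharingAssignmentSafely -AssignmentName "Federated Sharing Adatum Federation"
```

Keep the output of Show-FederatedSharingHolders from before and after each change; the EffectiveUserName column is the evidence that the role reached only the people you intended, which the role group name alone does not show.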
Lesson Summary

• You can establish a federated sharing relationship with an external Exchange Server 2010 organization if both your organization and the external organization have established a federation trust with the Federation Gateway.
• To establish a federation trust, you need a valid X.509 certificate issued by a third-party CA trusted by Windows Live Domain Services. The domain you use for [...]

[...] Names, as shown in Figure 6-18. Click OK.

FIGURE 6-18 Adding Don Hall to the Recipient Management built-in role group

7. Click OK to close the Recipient Management Properties dialog box.
8. If you are already logged on to the Exchange Server 2010 server VAN-EX1, log off.
9. Log on to the Exchange Server 2010 server VAN-EX1 with the Don Hall account [...]

[...] Management role group.
3. Log on to the Exchange Server 2010 server VAN-EX1 as Don Hall and open the EMS from the Microsoft Exchange Server 2010 menu.
4. Enter the following command:

New-PublicFolder -Name "Don Hall Public Folder"

Check that Don Hall can create a new public folder, as shown in Figure 6-21.

FIGURE 6-21 Don can create a public folder

[...] VAN-DC1 and the Exchange Server 2010 server VAN-EX1 need to be running and connected.

EXERCISE Create Sharing Policies and Apply Them to Mailboxes
In this exercise, you use the EMS to create two sharing policies and apply them to two separate mailboxes. You then view the sharing policy information for one of these policies. Carry out the following procedure:
1. Log on to the Exchange Server 2010 server [...]

[...] AND THE SET-TRANSPORTRULE CMDLET
For more information about modifying a transport rule, see http://technet.microsoft.com/en-us/library/aa998262.aspx. For more information about the Set-TransportRule EMS cmdlet, see http://technet.microsoft.com/en-us/library/bb123534.aspx.

Viewing Transport Rules
You may want to list all the transport rules stored in Active Directory in an Exchange Server 2010 organization [...]

[...] numbers take the form xxx-xx-xxxx (for example, 123-45-6789). The transmission of such numbers in email messages is typically prohibited. The following code, entered into the EMS, creates a transport rule that prohibits the transmission of a U.S. Social Security number:

$Condition = Get-TransportRulePredicate SubjectMatches
$Condition.Patterns = @("\d\d\d-\d\d-\d\d\d\d")
$Action = Get-TransportRuleAction [...]

[...] the practice session in this chapter, you need to have done the following:
• Installed the Windows Server 2008 R2 domain controller VAN-DC1 and the Exchange Server 2010 Enterprise Mailbox, Hub Transport, and Client Access server VAN-EX1 as described in the Appendix, "Setup Instructions for Exchange Server 2010."
• Created the Kim Akers account with the password Pa$$w0rd in the Adatum.com domain. This [...]

[...] on all Hub Transport servers or an Edge Transport server by entering the following command:

Get-TransportRule

Figure 7-5 shows the output of this command on Hub Transport server VAN-EX1. You might have a different list on the same server on your test network. The list of transport rules on a Hub Transport server in a production network is likely to be considerably longer.

FIGURE 7-5 Listing transport [...]

[...] various built-in role groups and discover the tasks that membership of these role groups enables Don to carry out. If you are using virtual machines, the domain controller VAN-DC1 and the Exchange Server 2010 server VAN-EX1 need to be running and connected.

EXERCISE 1 Add Don Hall to the Recipient Management Role Group
In this exercise, you add Don Hall to the Recipient Management built-in role group [...]

[...] predicates can be used only on Hub Transport servers, whereas others can be used on both Hub and Edge Transport servers. You can obtain a list of transport rule predicates by entering the following Exchange Management Shell (EMS) command:

Get-TransportRulePredicate | FT

Figure 7-1 shows some of the output from this command run on the Hub Transport server VAN-EX1. The output you obtain from the command depends [...]

[...] Exchange Server 2010 server VAN-EX1 using the Kim Akers account and the password Pa$$w0rd.
2. Click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
3. Create a sharing policy named Blue Sky Airlines01 that allows users in the BlueSkyAirlines.com domain to see the detailed free or busy information and contacts. [...]

Posted: 09/08/2014, 11:21
