Granikos Technology Blog

The use of certificate-based email encryption is still a challenging task for administrators. When you store end-user certificates stored locally on computers, you accept the risk of the user certificates being deleted or overwritten unintentionally.

The use of smart cards helps to mitigate the risks associated with locally stored certificates. But smart cards are too complicated for large and agile companies. The use of smart cards with mobile devices is even more complicated, if not impossible.

Gateway Encryption

A simple and reliable solution is to use encryption and decryption capabilities at the company email gateway(s). This approach allows for:

• Central management of user and domain certificates or keys
  • S/MIME
  • PGP
• Central management of digital signage and encryption parameters for email communication with partner companies
• Encryption of any outgoing email communication regardless of the client used to compose the message:
  • Outlook
  • OWA
  • Outlook on the web
  • Mobile phone
  • Tablet Application
• Usage of internal eDiscovery solutions as internally stored email communication is still searchable
• No lost user certificates anymore

Besides the option to import certificates manually, the real benefit is provided by automatic certificate provisioning. By using a certificate authority company account the gateway solution handles certificate requests automatically.

The supported S/MIME certificate authorities are:

• D-TRUST
• GlobalSign
• SwissSign

NoSpamProxy by Net at Work is a gateway solution proving this set of features for on-premise SMTP messaging infrastructures.

Office 365

The advantages provided by NoSpamProxy can be used with Office 365 as well. There is no need to have an Exchange Hybrid configuration ins place to benefit from the NoSpamProxy features. The NoSpamProxy gateway can be configured for the use with Office 365 cloud-only tenants.

The following picture illustrates how NoSpamProxy gateway is integrated into such a scenario.

External emails are received by the local NoSpamProxy Gateway server and not by Exchange Online (1). The NoSpamProxy gateway handles the messages and sends the messages to Office 365 using an Office 365 connector (2). Outgoing messages to external recipients are sent to the on-premise NoSpamProxy gateway using a dedicated Office 365 Send Connector (3). The NoSpamProxy gateway handles the messages and sends the messages to the external recipients.

Multiple NoSpamProxy gateway servers can be deployed for a redundant setup.

NoSpamProxy

The NoSpamProxy gateway solution provides more than just S/MIME or PGP encryption capabilities. NoSpamProxy is a robust fully-fledged anti-spam solution that rejects spam emails legally compliant. Each message that is not fully received by the company does not need to be archived.

NoSpamProxy features:

• Legally compliant spam protection
• Legally compliant email communication using digital signage
• Protected email communication using password-protected PDF attachments
• Large attachment support by using a dedicated we portal
• Geographically dispersed gateways with central management

Want to know more about all NoSpamProxy features?
Not yet an Office 365 customer, but keen to know more about gateway-based encryption and a reliable anti-spam solution?

Get to know more about NoSpamProxy here.

Skype for Business (formerly called Lync) is a helpful tool for enabling seamless communication among an organization. As an admin, preventable downtime is simply unacceptable, especially with mission-critical technology like Skype for Business.

However, because Skype for Business is often rolled out in phases, the certificates needed for it to remain operational will have varying expiration dates, which can become difficult to manage between routine maintenance. Even allowing an expired certificate to persist one minute can cause front-end servers to go down - meaning users can’t connect to the server, receive messages or make video calls.

In this scenario, watch how Uniscope - ENow’s monitoring and reporting solution for Skype for Business - quickly and easily helps you identify expired certificates and avoid costly downtime.

Learn more about Uniscope and start a free trial.

On July 28st 2015 Elastica, Inc., will host a cloud security webcast about

Nitin Kumar, Service Deployment Manager, Cisco Cloud Web Security and Kapil Raina, Cloud Security Expert at Elastica, talk about

• What base level security Google Drive provides (and what it doesn’t)
• Examples of companies that are facing these issues and how they are solving them
• Best practices in identifying sensitive, shared content that may violate compliance policies (PCI, PHI, PII, etc.)
• Best practices in using data science to uncover risky or anomalous behavior
• •How to automate protection against Google Drive data breaches

When

• Date: July 28st 2015
• Time: 10am PDT / 1pm EDT / 7pm CEST

More about this webcast

Links

• Elastica CloudSOC™ Platform
• Learn more about Shadow IT

Interested in how to secure your Cloud apps and services? Contact uns at info@granikos.eu for a free SaaS audit to identify all the Cloud Apps already in use in your organization. Find the Shadow ITdeployed by your employees.

Problem

While trying to synchronize a new device with an Exchange mailbox, you receive an error with your new mobile phone partnership.

The Exchange Server 2010 Default Throttling Policy is configured to accept 10 ActiveSync devices per mailbox only.

You can validate this setting by using EMS

Get-ThrottlingPolicy def* | Select Name,EASMaxDevices

Solution

Use a scheduled PowerShell script to delete old ActiveSync Device partnerships that have not been used for a defined period of time.

Script

Find the most recent version on TechNet Gallery and Github, following the links provided in the Links section.

Modifiy the script path variables to fit your requirements. The variables are configured in the ### BEGIN Variables section.

Steps being executed:

1. Fetch all user mailboxes
2. Iterate through each user mailbox and determines the number of ActiveSync devices and the number of devices which have not synchronized since 150 days
3. Delete ActiveSync device registration, if a user has more than 4 devices in total and a minimum of 1 device that have not synced within 150 days

<#
    .SYNOPSIS
    Remove Exchange Server 2010 ActiveSync Device Partnerships 
   
   	Sebastian Rubertus / Thomas Stensitzki
	
	THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE 
	RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

    Send comments and remars to: support@granikos.eu
	
	Version 1.0, 2015-04-09
 
    .LINK  
    More information can be found at http://www.rubertus.net/Blog/tabid/85/EntryId/41/Scripted-removing-of-ActiveSync-Device-Partnerships.aspx 
	
    .DESCRIPTION

    THis script removes ActiveSync device association from user mailboxes
    that have been inactive for more than 150 days.

    .NOTES 
    Requirements 
    - Exchange Server 2010
    - Windows Server 2008 R2 SP1, Windows Server 2012 or Windows Server 2012 R2  

    Revision History 
    -------------------------------------------------------------------------------- 
    1.0     Initial community release 
    
    .EXAMPLE
    Remove-ActiveSyncDevicePartnership
    	
    #>

### BEGIN SnapIns -------------------------------------------------------------

# Add Exchange SnapIn if not already loaded
if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue) -eq $null )
{
    Add-PsSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
   
    if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue) -eq $null )
    {
        Write-Host "Microsoft.Exchange.Management.PowerShell.Admin could NOT be loaded!" -ForegroundColor Red
        Write-Host "Verify that the Exchange 2010 Management is installed on this computer!" -ForegroundColor Red
    }
}

### END SnapIns ---------------------------------------------------------------

### BEGIN Variables | EDIT ACCORDING TO YOUR NEEDS ----------------------------

# ScriptPath
$scriptPath = "C:\Scripts\Remove-ActiveSync-Devices\"

# Logfile
$logfile = "C:\Scripts\Remove-ActiveSync-Devices\Logs\$(get-date -format yyyy-MM-dd___HH-mm-ss)___Logname.log"

### END Variables -------------------------------------------------------------


### BEGIN Functions -----------------------------------------------------------

Function Log
{
   Param ([string]$logstring)
   Add-content $logfile -value "$(get-date -format yyyy-MM-dd___HH-mm-ss) $logstring "
}

### END Functions -------------------------------------------------------------

### BEGIN Main ----------------------------------------------------------------

# Create a new log file
Write-Host
Write-Host "Script started, creating Log File."
Log "Script started."
Write-Host

# Query User Mailboxes and Device Statistics
Write-Host "Querying User Mailboxes, please wait a few seconds..." -ForeGroundColor green
Log "Querying User Mailboxes."
Write-Host
$Mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -WarningAction SilentlyContinue
$NumberOfMailboxes = $Mailboxes.count
Write-Host "Number of Mailboxes: $NumberOfMailboxes "
Log "Number of Mailboxes: $NumberOfMailboxes "
Write-Host

# Iterate each User Mailbox
ForEach ($Mailbox in $Mailboxes)
{
    $MailboxAlias = $Mailbox.Alias
    Write-Host
    Write-Host "================================================================================="
    Write-Host
    Write-Host "Getting ActiveSync Devices from user $MailboxAlias..."
    Log "Getting ActiveSync Devices from user $MailboxAlias. "
    $AllDevicesFromSpecificUser = Get-ActiveSyncDevice -Mailbox $MailboxAlias -Result Unlimited  -WarningAction SilentlyContinue | Get-ActiveSyncDeviceStatistics -WarningAction SilentlyContinue
    $AllDevicesFromSpecificUserNotSynchronizedSince150Days = Get-ActiveSyncDevice -Mailbox $MailboxAlias -Result Unlimited  -WarningAction SilentlyContinue | Get-ActiveSyncDeviceStatistics  -WarningAction SilentlyContinue | Where {$_.LastSuccessSync -le (Get-Date).AddDays("-150")}
    Write-Host
    $CountAllDevicesFromSpecificUser = $AllDevicesFromSpecificUser.Count
    $CountAllDevicesFromSpecificUserNotSynchronizedSince150Days = $AllDevicesFromSpecificUserNotSynchronizedSince150Days.Count
   
    If ($CountAllDevicesFromSpecificUser -lt 5)
    {
        Write-Host "User $MailboxAlias has only $CountAllDevicesFromSpecificUser ActiveSync Devices. Nothing to delete!" -ForegroundColor Green
        Log "User $MailboxAlias has only $CountAllDevicesFromSpecificUser ActiveSync Devices. Nothing to delete!"
    }
   
    If (($CountAllDevicesFromSpecificUser -gt 4) -and ($CountAllDevicesFromSpecificUserNotSynchronizedSince150Days -gt 1))
    {
        Write-Host "User $MailboxAlias has $CountAllDevicesFromSpecificUser devices. $CountAllDevicesFromSpecificUserNotSynchronizedSince150Days have not synced for more than 150 days." -ForegroundColor Red
        Log "User $MailboxAlias has $CountAllDevicesFromSpecificUser devices. $CountAllDevicesFromSpecificUserNotSynchronizedSince150Days have not synced for more than 150 days."
       
        ForEach ($Device in $AllDevicesFromSpecificUserNotSynchronizedSince150Days)
        {
            $DeviceType = $Device.DeviceType
            $DeviceFriendly = $Device.FriendlyName
            $DeviceID = $Device.DeviceID
            $DeviceFirstSyncTime = $Device.FirstSyncTime
            $DeviceLastSuccessSync = $Device.LastSuccessSync
            Write-Host
            Write-Host "ActiveSync Device 2 delete Properties: "
            Write-Host "-------------------------------------- "
            Write-Host "Type         : $DeviceType "           
            Write-Host "Friendly Name: $DeviceFriendly "
            Write-Host "ID           : $DeviceID "
            Write-Host "Last Sync    : $DeviceLastSuccessSync " -ForegroundColor Red
            Log "Removing Device $DeviceType with ID $DeviceID ..."
            Write-Host
            Write-Host "Removing Device $DeviceID ..." -ForegroundColor Red
            $Device | Remove-ActiveSyncDevice -WarningAction SilentlyContinue
        }
    }
}

# Script finished
Write-Host
Write-Host "Script finished!"
Write-Host
Log "Script finished!"

### END Main ------------------------------------------------------------------

Links

• Remove-ActiveSyncDevicePartnership Script at TechNet Gallery
• Remove-ActiveSyncDevicePartnership Script at GitHub

You need assistance with your Exchange Server setup? You have questions about your Exchange Server infrastructure and going hybrid with Office 365? Contact us at office365@granikos.eu or visit our website http://www.granikos.eu.

ENow has released version 7.0 of the ENow Management System (EMS).

Besides a major facelift of the OneView Dashboard new functionality has been added to the successful monitoring and reporting solution:

• New look to the One-look Dashboard
  Complete redesign of our interface background and menu options. New colors and styles with the same One-Look functionality
   
• New ENow Admin Console
  The new cutting edge look afforded to our EAC makes navigation a breeze, with the intuitive buttons and easy to read options configuring the product has never been easier.
   
• DAG Enhancements for Exchange 2013
  Added a new DAG Status indicator to the Namespace page for one-stop monitoring of all DAG Servers, the user no longer has to drill under the functionality of each PAM to see their status. The new indicator now shows all DAG Statuses under a single page for quick access.
   
• Remote Installation of New Agents
  With the addition of the new ENow Remote Installer the user never has to leave the webserver to install new agents. The user can now use this new GUI interface to select servers and roles and automatically push out new agent installs.
   
• New Enhanced Logfile Collector
  If you have an issue or general question and the Support team needs your log files, no more going to each server compressing the files and then emailing them to the team. This new GUI interface allows you to remotely grab the requested log files and automatically upload them to our FTP server for you.
   
• Revamp of whole Mailscape 365 Product Layout
  With the addition of so many new and enhanced Mailscape 365 features, we had to redo the whole layout of the indicators for an easier to navigate look and feel. It gives the admin the ability to troubleshoot that much quicker by correlating test show under specific indicators that show any breakdown in the tenant systematically.
   
• Remote Office 365 enhanced testing
  We have changed our remote monitoring to be more robust and mimic the normal tenant monitoring. This service allows the Admin to not only test his tenant from within the network but also utilize our Azure server to test the tenant remotely.
   
• Added Lync Online DNS monitoring
  As part of our push into the cloud, we are starting our Uniscope 356 monitoring with a simple Lync Online DNS test. Just configure the Domains you wish to test the DNS records of and we will verify the DNS records that are vital to your team.
   
• New Mailscape 365 reports
  We have added more admin related reports to allow the customer a more in-depth look into their tenant and the users they are administering.

Request your free 21-day trail today: http://www.granikos.eu/en/mailscape