Managing Office 365 mail with PowerShell

Like: Now you can add resource mailboxes through the new Office 365 UI

Dislike: They seem to have removed the ability to manage secondary proxy addresses through the UI.

So. To set up the connection to manage mailboxes through PowerShell, do the following:

  • $cred = Get-Credential (Enter your organizational account details in the dialog box)
  • $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <connection URI> -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $s

There we go, cmdlets available. Now, to set addresses, do:

  • Set-Mailbox <email> -EmailAddresses SMTP:<primary address>,smtp:<secondary address>,smtp:<secondary address>

(Uppercase SMTP denotes a primary address)

To allow a user to access this mailbox, do:

  • Add-MailboxPermission -Identity <mailbox> -User <user to access mailbox> -AccessRights FullAccess

To allow a user to send from a mailbox:

  • Add-RecipientPermission <mailbox> -AccessRights SendAs -Trustee <user>

(This is the same as the on-prem Add-ADPermission <mbx> -User <user> -ExtendedRights SendAs)

(Thanks to Peter Schmidt @
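Once FullAccess and SendAs have been handed out, it is worth being able to list who holds them. The following is an added example, not code from the original post: the function name Get-MailboxDelegation is hypothetical, and it assumes the session imported above is still open so that Get-MailboxPermission and Get-RecipientPermission are available.

```powershell
# Added example (not from the original post): report explicit FullAccess and
# SendAs grants so mailbox delegations can be reviewed.
# Assumes the Exchange session set up above has been imported.
function Get-MailboxDelegation {
    [CmdletBinding()]
    param(
        # Mailbox identities to check, e.g. primary SMTP addresses.
        [Parameter(Mandatory = $true)]
        [string[]]$Identity
    )

    foreach ($mbx in $Identity) {
        # FullAccess: skip inherited entries, explicit denies and the
        # mailbox owner's own entry (NT AUTHORITY\SELF).
        $full = Get-MailboxPermission -Identity $mbx | Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
            ($_.AccessRights -like '*FullAccess*')
        }
        foreach ($p in $full) {
            [pscustomobject]@{
                Mailbox = $mbx
                Grantee = "$($p.User)"
                Right   = 'FullAccess'
            }
        }

        # SendAs: same filtering, using the properties that
        # Get-RecipientPermission returns.
        $sendAs = Get-RecipientPermission -Identity $mbx | Where-Object {
            -not $_.IsInherited -and
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.Trustee)" -ne 'NT AUTHORITY\SELF' -and
            ($_.AccessRights -like '*SendAs*')
        }
        foreach ($p in $sendAs) {
            [pscustomobject]@{
                Mailbox = $mbx
                Grantee = "$($p.Trustee)"
                Right   = 'SendAs'
            }
        }
    }
}

# One mailbox (the address is a constructed placeholder):
#   Get-MailboxDelegation -Identity 'shared@example.test'
#
# Every mailbox, exported for review:
#   $all = Get-Mailbox -ResultSize Unlimited |
#          ForEach-Object { "$($_.PrimarySmtpAddress)" }
#   Get-MailboxDelegation -Identity $all |
#       Export-Csv .\delegations.csv -NoTypeInformation
```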

Posted in Aide memoire, Email, Powershell

Need an Edge server for email? SECURE Email Gateway’s worth a look…

Here’s a disclaimer: I am currently contracting at Clearswift as a Test Engineer, and am therefore somewhat biased. I genuinely think this is a pretty good product, but bear that in mind when you read this blog.

Here’s another: The views of the author do not represent the views of Clearswift, or necessarily that of Llama IT. (I say that for legal purposes, although as the Director of Llama IT, and not knowing anything about law, I suspect the second part of that statement is useless. The first part is definitely true though.)

So, in short, Microsoft don’t look like they are releasing a 2013 version of the Edge server role (essentially a transport server that doesn’t require the Windows platform it runs on to be in a domain and doesn’t contain user information). Also, Microsoft have dropped their Forefront Protection for Exchange product (the one that used to be Sybari for you old folk).

So, what do you do? Keep your old Edge servers if you have them? Use Microsoft’s Forefront Online Protection for Exchange (a.k.a. FOPE (“fopee”) but probably called something else now Microsoft have dropped the Forefront for Exchange product, may it rest in peace)? Use some other cloud service like MessageLabs? All viable options, but ladies and gentlemen, may I suggest you also have a wee look at Clearswift’s SECURE Email Gateway product?

SECURE Email Gateway is effectively the successor to their MIMEsweeper for SMTP product – at least for mail going in and out of your company. MIMEsweeper was well-liked by customers for its powerful content-scanning capabilities, but (in my personal experience) less so for its less than intuitive UI. Having said that, many customers still have one knocking around in the DMZ somewhere, and Clearswift still sell it, so I shouldn’t be too negative, otherwise I won’t have a job for long. So back to the Email gateway…

Essentially, it uses the same policy engine as MIMEsweeper, but much updated (and more great updates coming soon, but I’ll save that for another time). It is built on a Clearswift version of Linux and is administered through a web UI – Windows admins fear not – you should never have to touch the Linux command line. Think of it like your Sky box – it’s Linux underneath, but who cares…

I’m not going to go into the features – there’s loads and I’ve got work to do, but have a look at Clearswift’s website and download the datasheet. It does Anti-SPAM (sender reputation, black-lists, white-lists, RBLs etc.), and it does Anti-virus (Sophos and Kaspersky). It also has multiple policy routes, so you can control what you do with messages depending on who they are from/to etc.

But the ‘what you do’ is the impressive stuff – there’s all sorts of content rules you can apply to a route, like lexical-scanning analysis (profanity, confidentiality etc., fully customisable), image analysis, annotations depending upon route, and filetype/size blocking, as well as other cool stuff like checking for credit card data in your emails and attachments. Good stuff, and way more powerful than Edge + Forefront used to be in my opinion. Go on, take a look…



BTW, they also do a SECURE Web Gateway which is pretty cool as well – basically a proxy server, but with cool stuff like scanning stuff your users put up on Facebook, Twitter, Dropbox, SkyDrive etc. Updates to both products and more new stuff is coming soon, but I recommend evaluating these versions now, then you’ll really appreciate the new stuff when that comes along…

[Standard disclaimer: This post implies no warranties, your mileage may vary etc. etc.]

Tim Coveney, Messaging Consultant, Llama IT.

Posted in Email, Hygiene

RIP email corollary

Well, it’s been a while since I’ve blogged… well that’s social media for you; I’ve been way too busy posting pictures of the local cygnets on Facebook to do anything useful.

Anyhoo, that old story of email being dead still rumbles on – Towers Watson’s report states that “only 56% of companies are using [social media] to communicate with employees on topics such as organizational structure, team building or innovation.”

Well, Tim’s made-up-on-the-spot figures clearly show that 99% of companies still use email for this task, so I think the reports of the death of email are definitely largely exaggerated.

In the meanwhile since my last post, Microsoft have of course bought Yammer, and I’ve seen Jive first hand. Both useful tools, as are SharePoint and IM (is that really social media?), but I don’t think email has much to worry about right now. As an email consultant, Microsoft’s push towards Office 365 and lack of attention until recently to on-premise is more concerning, but that’s a personal problem. GMail are revamping to come back at Microsoft, so maybe cloud will win in the end, but I think in any case on-prem email solutions are always going to be around, and always be a pain in the butt to deploy/migrate/manage – hopefully anyway; my work depends upon it 😉

(There are other enterprise social networking products/services, but I don’t know anything about them – seems to be the one most people talk about, but again I have no knowledge)

Posted in Email, ESN


So I’ve done a (very) little more research on this ‘life without email’ stuff – it seems to me that the main proponents of this are an IBM man (well if I had to use Notes, I too might give up email) and the CEO of Atos.

I have read a few of Mr Suarez’s blogs and I must admit I don’t subscribe to his point of view in most cases. In particular his piece about life work balance is tedious in the extreme. And could it be that he is simply trying to plug LotusLive? Mr Breton, CEO of Atos, is a former politician, which puts him in a negative light in my eyes, but in looking into the detail of what Atos are actually doing, it seems that IM is one of the big winners in replacing email. Eh? Certainly a lot of email can be moved to IM – or even better to the phone or walking round to someone’s desk – but it’s not a replacement for email… one’s mostly realtime and the other not… But if that’s where the buzz is in IT, I’d best dust off my Lync Server training notes… yes, Atos are using Office Communicator, which just so happens to integrate beautifully with an Outlook/Exchange/OWA combo.

I think Dave Coplin of Microsoft’s Envisioneers team has a better viewpoint (see here), but I still think he’s not envisioning enough. He is quoted as envisioning “We will have this universal communications platform that means if I’m talking to you via Facebook, Twitter, email or whatever their replacements are, it will all be presented as a common thread, so you couldn’t kind of care less what channel they’re on, what platform they’re using, communication will flow.”

I understand your envisioning Dave, and I’ve seen this demo’d on Windows Phone 7.5 (sorry I’m an iPhone user) and it looks cool, but I’m not sure how this works in practice. Linking your MSN chat, Facebook, Twitter and LinkedIn statuses has proved to be a nightmare in the main, as they are viewed by very different groups of people. If Windows 8 turns out how it’s looking it might, and we’re all carrying round laptops that look like big Windows mobile phones, I just know that there’ll be photos of last night’s dinner and a video of how my legs went wobbly at the Purple Turtle that time posted on LinkedIn, and that just isn’t right. Actually neither are right in any medium, but that’s a different grumble.

Envisioneers Team! No, really! I want to be an Envisioneer when I grow up. I’ll sit in my corner office in Redmond, staring out the window, feet on desk, idly tossing my squeaky lobster against the wall, cooler king style, envisioneering. ‘DO NOT DISTURB – ENVISIONING IN PROGRESS!’ Ah, that’s the life…

In the interest of balance, I must include this link for a little poke at Mr Breton from the Examiner.

Posted in Uncategorized

RIP email?

Is it true? Is email a thing of the past?

According to the buzz that comes through my inbox, many people would like us to believe so – Luis Suarez from IBM being the most oft-quoted example. Or is that just because less people are using Notes these days and IBM are sulking?

I’m a big Microsoft supporter – I make no apologies for that; Exchange Server has been a large part of my working life these last 15 years – but I can see the case for something different. For example, I like Facebook as I only get messages from people or companies I’ve said I ‘like’ or I’ve confirmed are my ‘friends’. No spam, but spam is less of a problem for me in email these days thanks to Exchange and Forefront. The main junk in my personal inbox is from companies I opted in to; one in a hundred mails from Starbucks may actually be of interest to me. Maybe one of Jobsite’s alerts may actually have an interesting contract that I haven’t already been phoned by an agent about. And maybe I had actually missed the fact that there was a £37m jackpot fund on the lottery tonight. Sure, life was simpler when no-one knew my external SMTP address, but then I didn’t know when my favourite bike shop was giving 10% weekend discounts either, unless they sent me a card through the post and I hate that even more.

But if Facebook was to become my universal inbox and I start ‘liking’ more and more companies to get free stuff, competition entries, discounts and baubles, am I not just shifting the problem? In fact I am the problem; the author of my own destruction, drowning in unnecessary marketing rubbish. I am led to believe that young people use BBM for messages for similar reasons (I’ve hit middle age – I don’t like BB devices, and everywhere I’ve worked the feature’s been disabled by policy). But presumably if this is popular enough, a company could entice someone to add them to their BBM list and… well, same, same but different, no?

On the enterprise side, joining distribution groups has always been my downfall. Sure it might be important that I know that Mike from the SQL team needs Dave and Siobhan to approve his storage PO, but as I mostly don’t, I will either waste a few secs checking the relevance, or have a rule to file messages sent to that DL in a folder I never read. Lync GroupChat is one option for moving that stuff elsewhere, but as of today that’s another client.

I’ve been on inbox management courses. I know I should batch process mail, I just don’t, same as most people, so I miss some stuff. You can read all of the mail some of the time, or some of the mail all of the time, but you can’t read etc. etc (sorry Abe)… but now I’m starting to miss stuff on Facebook as well. And if Stephen Fry or Sport Relief have been particularly active on Twitter, there’s no way on earth I’ll see that hidden gem on EHLO that will radically affect my day.

So, clearly email isn’t dead. But these social sites do have some enticing features to spend more of my time in them, and less in Outlook. Easily embedded video, ‘likes’, comments, retweets, subscriptions etc. etc. There surely is a case for corporate equivalents, and I don’t doubt such products exist, I just don’t know about them – so is there a new big thing I should be working with instead of Exchange? Is there a Facebook style product with serious corporate credentials already out there?

Or could the next version of Outlook or its competitors (?) be the one that intuitively handles my email like a good PA, tells me my friend has just posted a YouTube video, lists colleagues present and past who I might like to link to, launches me into a multiparty videoconference, gives me a small calendar toaster pop up to remind me Starbucks have 10% off this weekend, and still lets me do a full day’s work?

Phew that turned into a lot longer ramble than I was expecting. Good job no one actually reads this stuff 😉 But if you did, and have some comments let me know. I always have more questions than answers…

Disclaimer: the views expressed in this post are personal and do not necessarily represent the views of Llama IT.

Posted in Uncategorized

Installing and Configuring FPSMC Part 2

In Part 1, we installed the Forefront Protection Management Console on a Windows 2008 R2 Server, using databases on a remote SQL 2008 instance, as a primary. Typically the next step would be to install a secondary or backup server, but for the moment we’ll skip that step and go straight to configuring FPE (Forefront Protection for Exchange). The full operations guide is at

The first thing I’m going to do is secure the site with SSL – see for details.

Once that is done, open up FPSMC in a browser (probably easier from a workstation than the server due to the browser being locked down) by browsing to https://servername/fpsmconsole

If you used the previous version of this console it will look familiar… let’s hope this is better than that version though, eh? Let’s have a look through.

User management

Users who are allowed to administer the console are listed under user management. The account used to install FPSMC already has rights, but is not listed here. You may find old documentation saying some different things about permissions, groups that need to be created and needing local administrators permissions – these are most likely from beta documentation – this install is the RTM version (11.1.1614.0). I’ve added a couple of accounts so I can still get in when I try revoking some of my SQL permissions later.

Group Management

In order to manage like servers (e.g. Mailbox Servers) it is advisable to create groups (a.k.a. product deployment groups) – these are not AD groups, just simple collections of servers for the purposes of management through FPSMC. To do this look at Administration → Server Group Management → Add Server Group

Once the group is created, when you add servers (Server Management → Add Servers) you can specify the server as a member of this group.

In the Add servers page you can search your domain for Exchange and Sharepoint servers with Forefront installed, or add individual servers by FQDN (for example Edge servers that are in a workgroup or untrusted forest).

Note: Microsoft publish the following ports used by FPSMC – you will need to allow these in/out of your firewall in order to deploy the agent to the server and for the agent to communicate with the FPSMC console.

| Port | Function | Direction |
| --- | --- | --- |
| 80/443 | HTTP/S ports | Web browser → FPSMC, FPSMC → internet |
| 445 | FPSMC agent deployment | FPSMC server → managed computer |
| 8815 | Agent listens on this port to receive commands from the FPSMC | FPSMC server → managed computer |
| 8816 | The push installer listens on this port on managed servers | FPSMC server → managed computer |
| 8817 | The NotificationService on the FPSMC server listens on this port to receive data (such as quarantine and stats) from the managed servers | Managed computer → FPSMC |
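A quick way to confirm the firewall rules for the TCP ports listed above before deploying the agent, shown as an added example that is not part of the original post. The function name Test-FpsmcPort and the host names in the usage comments are hypothetical; it uses System.Net.Sockets.TcpClient so that it also runs on the PowerShell 2.0 shipped with Windows 2008 R2.

```powershell
# Added example (not from the original post): check that the FPSMC TCP
# ports are reachable in the direction the port list requires.
function Test-FpsmcPort {
    [CmdletBinding()]
    param(
        # Host to connect to (a managed server, or the FPSMC server).
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        # Default: ports the FPSMC server must reach on a managed computer.
        [int[]]$Port = @(445, 8815, 8816),

        # How long to wait for each connection attempt.
        [int]$TimeoutMs = 2000
    )

    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a silently dropped packet does not
            # hang for the full OS-level TCP timeout.
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                # EndConnect throws if the connection was refused.
                $client.EndConnect($async)
                $open = $true
            }
        }
        catch {
            $open = $false
        }
        finally {
            $client.Close()
        }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Port         = $p
            Reachable    = $open
        }
    }
}

# Run on the FPSMC server, against a managed server (constructed name):
#   Test-FpsmcPort -ComputerName 'exch01.example.test'
#
# Run on a managed server, against the FPSMC server (constructed name):
#   Test-FpsmcPort -ComputerName 'fpsmc01.example.test' -Port 8817
```

Ports 8815 and 8816 will only answer once the agent or push installer is listening, so a closed result before deployment does not by itself mean the firewall is blocking the traffic.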

In order for FPSMC to manage these servers, you must deploy an agent. To do this, under Server Management, select the servers required and click Deploy Agent. Enter credentials, then click OK, and the Agent Deployment will commence immediately.

Click the Notification Logs or Deployment Status links to view the status.

Clicking back to Server Management will also show the status. In this example one server was unavailable, so it reports an error in the FPSMC.

So that’s the servers to manage – but we haven’t configured anything here really yet. Before we do, we can just configure the Global Configuration – an SMTP server for notifications to be sent (specify a valid SMTP address), Quarantine settings (default = poll servers every 15 minutes and purge data after 5 days). Also you can specify a download location for engine and definition updates – FPSMC can act as a redistribution server.

Also, we can now already view the status of engines already deployed on the managed servers by clicking Reports → Engine and Definition Versions.

Configuring Packages and Jobs

As with the previous version, FPSMC doesn’t have a UI for configuring Forefront. Instead it works by redistributing settings already configured on one of your servers. So you need to configure at least one server first, export the settings, then import to FPSMC as a package. This package can then be redistributed to other servers, which will configure all servers the package is sent to with the same settings, so the best way to do this is configure server groups of similar servers – for example group together:

– Edge servers configured as a redistribution server (i.e. other servers get updates from these servers – although you could (and probably should) now use the FPSMC as your redistribution server instead)

– Edge servers not configured as redistribution servers

– Hub transport servers configured as redistribution servers

– Hub transport servers not configured as redistribution servers

– Mailbox servers

FPE settings are not going to be covered here – have a look at for information on that.

Looks like there are some oddities about where or how sections are managed – from Microsoft’s website at time of publishing I see the following:

“Not all Forefront Protection settings directly correspond to the policy sections on this page. For example, some settings found on the Global Settings – Scan Options dialog box in Forefront Protection for Exchange, such as Inbound Target Types, are represented by the Antimalware Settings policy section in the console.”

To export settings from an already configured Exchange server, open Forefront Management Shell on that computer and export the settings using the following cmdlet:

– Export-FseSettings -path export.xml

This will then create an export.xml file wherever you specified (by default in ‘C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server’ on the Exchange server). You can then create a package from the FPSMC UI by choosing Job Management → Packages → Create Package and importing the XML file.

Select the policy options which will be included in the package. Typically this will be all settings – click the top box to select all.

If this is not a redistribution server, or it is but you need to enter proxy credentials, do that here. If the FOPE gateway is deployed to your Exchange servers, you can enter credentials here. (You can still connect to FOPE from within the FPSMC console without setting this here). Click OK to create the package.

Now the package has been created this can be deployed to all servers. To do this, create a job under Job Management → Jobs → Deployment Jobs

Click Run Now

Click Notification Logs to view status – click Apply to refresh.

That’s pretty much it for the moment. I will update with findings once I’ve had a play, deployed to edge servers, redistributed packages, looked at FOPE options etc. A whistle-stop tour, but hopefully it’ll be useful to somebody, somewhere.



Tim Coveney | LlamaIT

This posting is provided in good faith, “as is” with no warranties and confers no rights.

Posted in Exchange 2010, Forefront 2010

Installing and configuring FPSMC Part 1

Just completed a run-through of my first installation of FPSMC – Forefront Protection Server Management Console. Blogging this as other installs all use SQL Express, which in big organisations (the ones who need the console to manage FPE (Forefront Protection for Exchange)) is going to be quite commonly the case I should imagine. (FPSMC also supports Sharepoint apparently). I’m no SQL guru, and permissions could probably be more locked down, but I didn’t have much success when I tried.

1. Create 2 SQL databases on a clustered or standalone instance of SQL 2008 named ‘FPSMCData’ and ‘FPSMCReport’, granting the installer owner permissions.

2. Create a SQL login for the installer, and grant them sysadmin and dbcreator roles.

NOTE: Sysadmin seems excessive rights – it is documented this way at, and fails if you just have dbcreator. Other, more liberal roles were not tested. It is also documented that the user needs local admin permissions on the SQL box, but this has not been found to be true so far. Microsoft have confirmed to me that some of the documentation for this product refers to beta versions of the product and is no longer accurate.

3. Download FPSMC from

4. Install MS Chart Controls for .NET Framework 3.5 SP1 from on a Windows 2008 x64 machine (see system requirements at

5. Run FPSMC_setup.exe. Click Yes to install

6. Click Next

7. Choose Primary server and a password for replication between primary and backup (to be installed on another server against another SQL instance with the same DBs created)

8. Click Check prerequisites

9. If chart controls were not installed previously this warning will appear. Install from and click retry.

10. Choose your SQL instance and enter credentials, click Test Logon

11. Without dbcreator permissions you will probably get the following error. Go to the properties of the login in SQL Management Studio and tick dbcreator (and sysadmin it seems). Or get your DBA to do this for you which is more commonly going to be the case.

12. If login is OK, click Next

13. Choose Microsoft update option then click Next

14. If SQL Server Agent isn’t started, you will get the following error – start the service on the SQL box through services.msc or SQL Management Studio. Also, if you don’t have sysadmin permissions you will probably get this error as well. Go to the properties of the login in SQL Management Studio and tick sysadmin. Or get your DBA to do this for you which is more commonly going to be the case.

15. Click Yes or No to prompt

16. Accept license agreement

17. Accept or amend install location

18. Click Install

19. Click Finish

20. Go to http://servername/fpsmconsole to view the console.

Next steps – lockdown to SSL not http:80, deploy agents, configure packages etc… part 2 coming soon…

Tim Coveney | LlamaIT

Posted in Exchange 2010, Forefront 2010