In the Daily Drill Down “Understanding Exchange 2000 Server instant messaging,” I gave you an overview of Microsoft’s instant messaging technology, which allows users to perform real-time, text-based chat with one another. Instant messaging (IM) is a component of Exchange 2000 Server. In this Daily Drill Down, I’ll give you a detailed look at deploying and configuring IM under Exchange 2000 Server.
There are several steps to install and configure an IM server. For this article, I’ll assume that you have already determined the number and type of servers required, where they will be located in your network, and what other services (such as firewall and proxy services) you’ll need to adjust in light of your IM deployment. For a little more information about what to consider before deploying IM, see the Daily Feature “Planning to deploy instant messaging on Exchange 2000.”
Setting up DNS for IM
For clients to locate IM servers both from inside your domain and from the Internet, you need to create records in your domain’s DNS zone. There is nothing particularly difficult in this step, but you do need to ensure that you create the appropriate records.
I’m assuming that you are hosting your own DNS servers. If that isn’t the case, contact the system administrator in charge of the DNS servers to have the appropriate records created.
First, create a host (A) record for each IM server, whether it’s a routing server or home server, in the zone for your domain. Next, decide how to present your routing servers, if any, to the Internet or to your enterprise. Although you can essentially use any host name for the routing server, Microsoft’s recommendation—and a sound practice—is to use the host name im for the routing servers. This lets outside users guess the appropriate address for a user in your domain if for some reason they are unable to resolve the address from the form email@example.com. So, create a host record using im as the host name and the IP address of the routing server. If you have multiple routing servers, create multiple host records with the same host name that point to the different IP addresses of the servers.
Then, create the SRV record necessary to support the RVP protocol. In the DNS console, right-click the domain and choose Other New Records. Select Service Location from the record type list, and then click Create Record. In the New Resource Record dialog box, enter _rvp in the Service field, _tcp in the Protocol field, and 80 in the Port Number field. Then, type the FQDN of the IM routing server (such as im.techrepublic.com) in the Host Offering This Service text box. If you are using multiple IM routers, you don’t need to create multiple SRV records because the multiple host records for the im host and round robin take care of balancing the load to those servers.
You can install IM when you install Exchange 2000 Server or add it to an existing Exchange 2000 Server installation. You can install Exchange 2000 Server on a domain controller, but it’s a better practice to install it on a member server for performance reasons. This is particularly true if the server supports a large number of users.
To add IM, simply insert the Exchange 2000 Server CD and select Exchange Server Setup from the Setup dialog box. If the CD doesn’t automatically play, open the CD drive in Explorer and run the Launch application. After Setup initializes, click Next in the Installation wizard. Select the options you want to install. At a minimum, you must install Microsoft Exchange Messaging And Collaboration Services, Microsoft Exchange System Management Tools, and Microsoft Exchange Instant Messaging Service. If Exchange 2000 Server is already installed and you are adding the IM service, select Change from the drop-down list (beside Microsoft Exchange 2000 at the top of the component list) and then select Install from the drop-down list beside the IM service. Click Next and follow the wizard’s prompts to complete the installation process.
Setting up the virtual IM server
After you complete the Exchange 2000 Server setup process, you can start building your IM servers. Just adding the IM service to Exchange 2000 Server doesn’t create the virtual servers required to support IM, so the next step is to create them. You can create a virtual home server or virtual routing server, according to your needs. You can even create both types of virtual servers on one physical server, although it is not a common practice to use a single server as both a routing server and home server.
The only difference between the processes for creating a home server or a virtual server is a single check box in the New Instant Messaging Virtual Server Wizard. To create a server, follow these steps:
- Open the Exchange System Manager and then open the administrative group where the server resides.
- Expand the server and then expand the Protocols branch under the server.
- Right-click Instant Messaging (RVP) and choose New | Instant Messaging Virtual Server.
- Click Next and then use the pages in the wizard to provide the following information:
- Display Name—This is the name by which you want the virtual server to appear in the Exchange System Manager. The name has no bearing on the virtual server’s DNS name. For example, you might use Home Server 1 as the name if this is your first home server.
- IIS Web Site—Select the IIS Web site that will host the virtual directory for the IM server. In most cases, you should select the default Web site, but you can select any existing Web site according to your IIS configuration and number of sites hosted on the server.
- DNS Domain Name—Indicate the FQDN by which you want the server known in DNS. For a routing server, specify the DNS name you have specified in the SRV DNS record, such as im.techrepublic.com.
- Allow This Server To Host User Accounts—Select this option to set up a home server. Leave this option unselected to set up a routing server.
Configuring security and authentication
Exchange 2000 Server IM by default uses Integrated Windows Authentication (IWA), formerly known as NTLM authentication. This allows users to automatically authenticate with their Windows logon credentials without having to reenter a user name or password for IM. IAW works for both intranet- and Internet-based IM sessions.
If you need to authenticate users through a proxy server or have clients who use non-Windows operating systems such as UNIX, you can configure the server to use HTTP Digest Authentication instead of—or in addition to—IWA. Digest authentication is a challenge/response authentication mechanism that uses HTTP to perform the authentication and works across proxy servers. By default, IIS configures the InstMsg virtual directory for both IWA and digest authentication. If you’ve changed that default configuration and need to restore digest authentication, right-click the InstMsg virtual directory, choose Properties, and then click the Directory Security tab. In the Anonymous Access And Authentication Control group, click Edit. Select Digest Authentication For Windows Domain Servers in the Authentication Methods dialog box and click OK. Then, close the property sheet for the virtual directory.
If you do choose to use digest authentication, you must make a change to the way Windows 2000 Server stores user passwords in Active Directory. For digest authentication to work, IM must be able to retrieve unencrypted passwords from Active Directory. For that reason, you must set the password policy to store the passwords in Active Directory using reversible encryption.
To configure the password policy, open the Active Directory Users And Computers console. Right-click the domain and choose Properties. Click the Group Policy tab, select the Default Domain Policy, and click Edit. Open Computer Configuration | Windows Settings | Security Settings | Account Policies | Password policy. Double-click the policy Store Password Using Reversible Encryption For All Users In The Domain, select Enabled, and click OK. If you have already created accounts, you’ll have to reset the passwords for those accounts to change the way the passwords are stored in AD. You can reset the passwords yourself or configure the accounts to require the user to change the password at the next log in.
Configuring firewall and proxy server settings
If your network is protected by a firewall or if you use a proxy server, you’ll need to configure the firewall and proxy settings for IM. Because IM uses port 80, it’s unlikely you’ll need to change your firewall itself unless you currently don’t allow port-80 traffic to pass through the firewall.
To configure firewall and proxy settings, open the Exchange System Manager and expand the Global Settings branch. Right-click Instant Messaging Settings, choose Properties, and then click the Firewall Topology page. If you have a firewall in place, select the option This Network Is Protected By A Firewall, click Add, and then add the IP address range(s) protected by the firewall. If your network uses an HTTP proxy server, select the option Use A Proxy Server For Outbound Requests, then enter the address and port number for the proxy server, and click OK.
Configuring connection limits and logging
One of the few configuration tasks you perform for IM through the IIS console rather than the Exchange System Manager is setting connection limits and configuring log settings. If you have plenty of bandwidth and don’t host a large number of users, you probably don’t need to concern yourself with connection limits. If you host a large number of users, however, or you need to balance the bandwidth used by IM with bandwidth used by other services, you should impose a limit on the number of concurrent connections.
To set a connection limit, open the IIS console from the Administrative Tools folder. Right-click the Web site that is hosting the InstMsg virtual directory, choose Properties, and then click the Web Site tab. In the Connections group, select the Limited To option, and then specify the maximum number of concurrent connections you want to allow.
If you want to enable and configure log settings, select Enable Logging on the Web Site tab and select the log format from the drop-down list. You can choose one of four log formats, depending on how you will be viewing and processing the logs. Choose the ODBC format if you want to log to a database, but keep in mind that you’ll have to create an ODBC Data Source Name (DSN) for the log through the Data Sources (ODBC) object in the Administrative Tools folder prior to configuring the log properties. After you select a log format, click Properties to configure the log settings. Only the W3C Extended Log File Format allows you to specify extended logging options. When you finish configuring connection limits and log settings, click OK on the Web Site property sheet.
Taking a server down for maintenance
It’s a good practice to take the IM virtual server offline if you’re making changes to the server, such as changing authentication methods. You don’t stop any Exchange services to take the IM server offline, but instead stop the Web site that hosts the virtual server’s directory. To stop the Web site, open the IIS console, click the Web site, and click the Stop button on the toolbar. Make the necessary changes on the server, and then restart the site by clicking the Start button on the toolbar.
IM is one of those services that, when you install it, takes more work than just running setup. It has such an impact on your network that you must also check and make changes to other things, as well. However, once you know what to change and how to do it, it’s not a bad experience at all.