Restricting Outlook Client Versions in Exchange 2007

There are good reasons for preventing old versions of Outlook from connecting to Exchange Server, and security is usually the first of them. Before you block anything, you also need to know which versions are actually in use so that legitimate users are not locked out. Ben Lye explains how it is done.

Outlook has been around for a long time, and there are many versions with different features and varying levels of security fixes.  It’s not always desirable to let any version of Outlook connect to Exchange Server as you may require your clients to utilize a specific feature set, such as Messaging Records Management, or to have certain security fixes.  You may also have corporate policy which dictates that a particular version or versions of Outlook are used.

Fortunately Exchange has the ability to restrict which versions of Outlook can connect by blocking MAPI client versions, a feature which was introduced in Exchange 2000 Service Pack 1.  In Exchange 2007 MAPI client blocking can be implemented on a per-server basis using a registry change, or on a per-mailbox basis using the Exchange Management Shell.

Additionally, Microsoft recommends implementing Outlook client blocking as a best practice, and if you run the Exchange Best Practices Analyzer against a server which does not have client blocking enabled it will suggest that you configure it.

Determining Which Client Versions are in use

Before implementing client version blocking it’s a good idea to know which versions are in use.  With this information you can tell which clients need to be upgraded to a newer version before blocking is implemented, or simply which clients will no longer be able to connect after it is implemented.  In Exchange 2007 client version information is retrieved using the Get-LogonStatistics cmdlet.

Get-LogonStatistics accepts a mailbox, a mailbox database, or a server name as input and returns statistics for the sessions that are currently logged on, including user name, logon time, last access time, client name, and client version.

For example, to list the client versions used to access a single mailbox, the command is:

To list the client versions for all clients connecting to a specific server:

To list the client versions for all clients on all mailbox servers, and export the results to a CSV file:
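The script below is a worked example added to this article, not the commands from the original text. It shows the three forms of the Get-LogonStatistics query (single mailbox, single database, every mailbox server) and then builds a per-version summary across the organisation so you can see how many sessions and mailboxes each version represents. The mailbox alias, database name and output path are placeholders.

```powershell
# Added example: inventory the MAPI client versions currently logged on across
# every Exchange 2007 mailbox server and summarise them by version.
# Run from the Exchange Management Shell. Names and paths below are placeholders.

$outFile = 'C:\Temp\MapiClientVersions.csv'

# Get-LogonStatistics accepts -Identity (a mailbox), -Database or -Server.
# A single mailbox:
Get-LogonStatistics -Identity 'jsmith' |
    Select-Object UserName, ClientName, ClientVersion, LogonTime, LastAccessTime

# All sessions on one mailbox database (Server\StorageGroup\Database):
Get-LogonStatistics -Database 'MBX01\First Storage Group\Mailbox Database' |
    Select-Object UserName, ClientVersion

# All sessions on every mailbox server in the organisation:
$logons = Get-MailboxServer | ForEach-Object { Get-LogonStatistics -Server $_.Name }

# Exchange's own server-side sessions report versions in the 6.y.z range; they are
# not Outlook clients and must never be blocked per-server, so keep them separate.
$clientLogons = $logons | Where-Object { $_.ClientVersion -notlike '6.*' }

# One row per client version: session count, distinct mailboxes, most recent access.
$summary = $clientLogons |
    Group-Object -Property ClientVersion |
    Sort-Object -Property Name |
    Select-Object -Property `
        @{ Name = 'ClientVersion'; Expression = { $_.Name } },
        @{ Name = 'Sessions';      Expression = { $_.Count } },
        @{ Name = 'Mailboxes';     Expression = { @($_.Group | ForEach-Object { $_.UserName } | Sort-Object -Unique).Count } },
        @{ Name = 'LastAccess';    Expression = { ($_.Group | Sort-Object -Property LastAccessTime -Descending | Select-Object -First 1).LastAccessTime } }

$summary | Format-Table -AutoSize

# Keep the raw per-session detail too, so the affected users can be contacted.
$clientLogons |
    Select-Object UserName, ServerName, ClientName, ClientVersion, LogonTime, LastAccessTime |
    Export-Csv -Path $outFile -NoTypeInformation
```

Get-LogonStatistics only reports sessions that are active at the moment it runs, so a single snapshot will miss users who are offline, on holiday or connecting only occasionally. Run the collection several times a day over a week or two (or schedule it) and merge the CSV files before deciding which versions are safe to block.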

Once you have identified the clients in use in your organisation and taken any remedial action necessary you can move on to blocking any further access by unwanted clients.

Determining Which Client Versions to Block

The client version is determined by the version of Emsmdb32.dll on the client.  This is not necessarily the same as the Outlook version, or the version of any other DLL or executable files.  This table shows the version of Emsmdb32.dll for major releases or updates of Outlook since the release of Office XP.

Release             Emsmdb32.dll Version
------------------  --------------------
Office XP RTM       10.0.2627.1
Office XP SP1       10.0.3416.0
Office XP SP2       10.0.4115.0
Office XP SP3       10.0.6515.0
Office 2003 RTM     11.0.5604.0
Office 2003 SP1     11.0.6352.0
Office 2003 SP2     11.0.6555.0
Office 2003 SP3     11.0.8161.0
Office 2007 RTM     12.0.4518.1014
Office 2007 SP1     12.0.6211.1000
Office 2007 SP2     12.0.6423.1000

Table 1 – Emsmdb32.dll version by Office release

There are some important points to note:

  • The MAPI client version numbers listed in Table 1, and those in the results of the Get-LogonStatistics cmdlet, are in the format x.0.y.z.  When specifying MAPI versions to be blocked you must use the format x.y.z.  For example, the version number for Outlook 2003 RTM becomes 11.5604.0.

  • When setting per-server restrictions it is very important to avoid restricting clients with version numbers 6.y.z  as Exchange Server makes use of MAPI for server-side component connections and uses MAPI versions within the 6.y.z range (with the version number potentially varying by Exchange component and patch level).  This does not apply to per-mailbox restrictions.

  • Microsoft recommends that at a minimum you block all MAPI clients with version numbers equal to or earlier than 5.3164.0 (written as -5.3164.0 in the blocking syntax described below).

Single versions are blocked by specifying the version in the format <version>, an open-ended range is blocked by using the format -<version1> or <version2>-, and a specific inclusive range is blocked by using the format <version3>-<version4>.  Multiple sets of client versions can be disabled using a comma or semi-colon separated list.

Range Type           Example         Effect
-------------------  --------------  ------------------------------------------------------------
<version>            11.5604.0       Block the specified MAPI version.
-<version>           -11.0.0         Block the specified version and all earlier versions.
<version>-           11.0.0-         Block the specified version and all later versions.
<version>-<version>  11.0.0-11.9.9   Block both specified versions and every version between them.

Table 2 – Example client version blocking syntax

Some example blocking settings to use:

Blocking Setting      Effect
--------------------  -------------------------------------------------------------------------
11.5604.0             Block Outlook 2003 RTM
-5.9.9;7.0.0-11.9.9   Block all clients older than Outlook 2007 (6.y.z server components stay unblocked)
12.0.0-               Block Outlook 2007 and all later versions
-5.3164.0             Block the versions Microsoft recommends blocking as a minimum
-5.9.9;7.0.0-         Block all MAPI clients except Exchange Server components (6.y.z)

Table 3 – Example client version blocking settings

Implementing the Blocking Settings

As mentioned earlier, restrictions can be implemented per-server or per-mailbox.  Per-server restrictions are implemented via a registry change, and per-mailbox restrictions are implemented via the Exchange Management Shell – it is not possible to use the Exchange Management Console.

If both server and mailbox restrictions are used, the most restrictive combination of the two settings applies.  A mailbox setting can only add restrictions; it cannot override or relax a server restriction.

For example:

Server Restriction   Mailbox Restriction   Net Effect
-------------------  --------------------  ------------------------------------------------------------------
-5.3164.0            -11.9.9               Mailbox can only be accessed using Outlook 2007
-5.9.9;7.0.0-        11.0.0-11.9.9         Mailbox cannot be accessed by any MAPI client (other than Exchange components running on the server itself)

Table 4 – Cumulative effect of restrictions

To implement a per-server restriction

Note – Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be resolvable.  Before editing the registry, back up any valuable data.

You need to be a local administrator on the Exchange server in order to edit the registry.

  1. Start the registry editor on your Exchange 2007 Mailbox server

  2. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry key.

  3. Right-click ParametersSystem, select New, and then select String value.

  4. Name the new string value “Disable MAPI Clients”.

  5. Right-click Disable MAPI Clients, and then click Modify.

  6. Enter the restriction setting, for example -5.9.9;7.0.0-11.9.9

  7. Close the registry editor

The change will be effective within 15 minutes, or to make it effective immediately you can restart the Microsoft Exchange Information Store service.  Once the change takes effect any existing client connections which do not meet the version requirements will be terminated.
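The script below is an added example, not part of the original article, and covers both the blocking syntax in Tables 2 and 3 and the registry procedure above. Before it writes the Disable MAPI Clients value it checks that every element of the setting is in one of the four documented forms and that no range touches the 6.y.z versions used by Exchange’s own server-side MAPI sessions, which is the mistake that takes a mailbox server off the air. The function names are this example’s own; the registry key, value name and service name are the ones the procedure uses.

```powershell
# Added example: apply the per-server "Disable MAPI Clients" value from PowerShell,
# after checking that the setting is well-formed (Table 2 syntax) and never blocks
# the 6.y.z range that Exchange server components use. Run as a local administrator
# on the Exchange 2007 mailbox server. Function names are this example's own.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$regValue = 'Disable MAPI Clients'

# One list element: "x.y.z", "-x.y.z", "x.y.z-" or "x.y.z-x.y.z".
$versionPattern = '\d+\.\d+\.\d+'
$elementPattern = "^(?:$versionPattern|-$versionPattern|$versionPattern-|$versionPattern-$versionPattern)$"

function Get-MajorVersionBounds {
    # Lowest and highest MAPI *major* version an element can block, as a two-item array.
    param([string]$element)
    $parts = $element.Split('-')
    if ($element.StartsWith('-')) { return @(0, [int]$parts[1].Split('.')[0]) }
    if ($element.EndsWith('-'))   { return @([int]$parts[0].Split('.')[0], [int]::MaxValue) }
    if ($parts.Length -eq 2)      { return @([int]$parts[0].Split('.')[0], [int]$parts[1].Split('.')[0]) }
    $major = [int]$element.Split('.')[0]
    return @($major, $major)
}

function Test-MapiBlockSetting {
    # Returns $true only if every element is well-formed and leaves 6.y.z unblocked.
    param([string]$setting)
    $valid = $true
    foreach ($raw in $setting.Split(',;')) {
        $element = $raw.Trim()
        if ($element -notmatch $elementPattern) {
            Write-Warning "'$element' is not a version or range in x.y.z form"
            $valid = $false
            continue
        }
        $low, $high = Get-MajorVersionBounds $element
        if ($low -le 6 -and $high -ge 6) {
            Write-Warning "'$element' would block MAPI 6.y.z, which Exchange server components use"
            $valid = $false
        }
    }
    return $valid
}

function Set-ServerMapiBlock {
    param([string]$setting, [switch]$restartStore)
    if (-not (Test-MapiBlockSetting $setting)) { throw "Refusing to apply '$setting'" }
    if (-not (Test-Path $regPath)) { throw "$regPath not found; is this an Exchange mailbox server?" }

    $current = Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction SilentlyContinue
    if ($current -eq $null) {
        # Create the REG_SZ value (steps 3 to 6 of the manual procedure).
        New-ItemProperty -Path $regPath -Name $regValue -PropertyType String -Value $setting | Out-Null
    } else {
        Write-Host "Replacing existing value '$($current.$regValue)'"
        Set-ItemProperty -Path $regPath -Name $regValue -Value $setting
    }

    if ($restartStore) {
        # Immediate effect, but every MAPI session on this server is dropped.
        # Without the restart the store reads the new value within 15 minutes.
        Restart-Service -Name MSExchangeIS -Force
    }
}

# Usage: allow only Outlook 2007 (12.x) plus Exchange's own 6.y.z sessions.
Set-ServerMapiBlock -setting '-5.9.9;7.0.0-11.9.9'

# Both of these are rejected: the first is malformed, the second covers 6.y.z.
Test-MapiBlockSetting '-5.99;7.0.0-'
Test-MapiBlockSetting '-11.9.9'
```

The 6.y.z check only looks at the major version of each range boundary, which is enough to catch ranges such as -11.9.9 or 5.0.0-7.0.0 that would sweep in the server’s own sessions; it deliberately does not try to reproduce how the store orders the remaining components. Use -restartStore only in a maintenance window, since restarting the Information Store disconnects every user on the server, not just those running a blocked version.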

To implement a per-mailbox restriction

The Set-CASMailbox cmdlet is used to implement per-mailbox restrictions.  To use the Set-CASMailbox cmdlet you must be delegated the Exchange Recipient Administrator role.

To prevent a mailbox from using Outlook clients prior to Outlook 2007 the command is:

To remove a restriction for a mailbox:

To prevent all mailboxes in a particular database from using clients other than Outlook 2007 RTM:
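The commands below are an added example rather than the article’s own, and show the three per-mailbox operations just described using Set-CASMailbox and its MAPIBlockOutlookVersions parameter, each followed by a read-back with Get-CASMailbox. The mailbox alias and database name are placeholders; the bounds used to allow only Outlook 2007 RTM are derived from its Emsmdb32.dll version in Table 1 (12.0.4518.1014, written 12.4518.1014) and the inclusive open-ended ranges in Table 2.

```powershell
# Added example: per-mailbox Outlook version blocking from the Exchange Management
# Shell. Requires the Exchange Recipient Administrator role. The alias and database
# below are placeholders.

$mailbox  = 'jsmith'
$database = 'MBX01\First Storage Group\Mailbox Database'

# Block any client older than Outlook 2007 for one mailbox.
# The first range covers pre-Office XP clients, the second Outlook XP (10.x) and
# Outlook 2003 (11.x). 6.y.z is left alone here, although per-mailbox settings
# do not affect server components anyway.
Set-CASMailbox -Identity $mailbox -MAPIBlockOutlookVersions '-5.9.9;7.0.0-11.9.9'

# Read the setting back to confirm it was stored.
Get-CASMailbox -Identity $mailbox | Format-List Name, MAPIBlockOutlookVersions

# Remove the restriction again by setting the parameter to $null.
Set-CASMailbox -Identity $mailbox -MAPIBlockOutlookVersions $null

# Allow only Outlook 2007 RTM (12.4518.1014) for every mailbox in one database:
# block everything up to the version just below it and everything from the
# version just above it (bounds derived from Table 1, not taken from the article).
$onlyOutlook2007Rtm = '-12.4518.1013;12.4518.1015-'
Get-Mailbox -Database $database -ResultSize Unlimited |
    Set-CASMailbox -MAPIBlockOutlookVersions $onlyOutlook2007Rtm

# Verify: every mailbox in the database should now report the same value.
Get-Mailbox -Database $database -ResultSize Unlimited |
    Get-CASMailbox |
    Group-Object -Property MAPIBlockOutlookVersions |
    Select-Object Count, Name
```

Because a mailbox setting can only tighten whatever the server already enforces, check the server’s Disable MAPI Clients value as well when a user reports being blocked by a version you expected to allow.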

When an Outlook 2003 or Outlook 2007 user tries to connect with a restricted client version they will receive the message “Your Exchange Server administrator has blocked the version of Outlook that you are using. Contact your administrator for assistance.”

Users of older clients will receive the message “Cannot start Microsoft Outlook. The attempt to log on to the Microsoft Exchange Server computer has failed.”

More information on Get-LogonStatistics and Set-CASMailbox can be found in TechNet: