DSProxy for Exchange

In this tip from "15 tips in 15 minutes: Managing recipients and distribution lists," you'll discover everything you need to know about the DSProxy service and how it relates to the NSPI (Name Service Provider Interface) in Exchange 2003.

In a modern Exchange system, the Global Catalog servers handle requests for the GAL or a custom address list. They do so using a special service called the Name Service Provider Interface, or NSPI.

As shown in Figure 5.26, the DSProxy service on an Exchange server decides how to handle Outlook clients who need a place to send their NSPI requests.

Figure 5.26 Diagram of DSProxy operation.

You are reading tip #6 from "15 tips in 15 minutes: Managing recipients and distribution lists," excerpted from Chapter 5 of the book Learning Exchange Server 2003, published by Addison-Wesley Professional.

Name Service Provider Interface (NSPI) service

Outlook versions older than Outlook 98 service release 2 send their NSPI requests directly to the home Exchange server of the user. The DSProxy service exposes an NSPI interface to handle these requests. The original Exchange client uses MAPI to do name service lookups. DSProxy handles these requests, as well.

When an Exchange server receives an NSPI request from a legacy client, it passes the request to a Global Catalog server for processing. The Global Catalog server determines the content of the address list and returns the first few items to the Exchange server, which forwards the reply to the legacy Outlook client.

For reasons of security and performance, the Exchange server does not open or modify either the client's NSPI requests or the Global Catalog server's replies.

Referral (RFR)

Modern Outlook clients, Outlook 2000 SR2 and higher, know that Global Catalog servers can handle NSPI requests. These clients connect to the user's home Exchange server and send a request to the RFR service, hosted by DSProxy.

RFR works with DSAccess to determine the name of a qualified Global Catalog server and returns that name to the Outlook client. The Outlook client sends its NSPI requests directly to that Global Catalog server.

Under normal circumstances, the Global Catalog server selected by DSAccess resides in the same site as the Exchange server. But the Outlook client might reside in another location, so the DSAccess choice forces the Outlook client to send its NSPI request across the WAN.

You can set a Registry entry at the desktop running the Outlook client that tells Outlook to use a Global Catalog server in the local site and to ignore the referral from the Exchange server:

Key: HKCU | Software | Microsoft | Exchange | Exchange Provider 
Value: Closest GC
Data: 1 (REG_DWORD)

You can also hardcode the FQDN of a Global Catalog in the Exchange Provider key. The Value name is DS Server with a REG_SZ data type. You would not ordinarily want to make this entry except for testing.

To confirm that the Closest GC (or DS Server) Registry entry worked in Outlook 2003, hold the Ctrl key, right-click the Outlook icon in the Notification Area, and select Connection Status from the flyout menu. This opens a Connection Status window that lists the Directory servers selected by the client. To confirm that the entry worked in earlier versions of Outlook, follow these menu items and windows: Tools -> Address Book -> Tools -> Options -> Global Address List -> Properties. This opens a properties window that lists the Global Catalog used by Outlook.

Static DSProxy port mappings

If you have a firewall between your Outlook clients and a domain controller, the clients cannot send their NSPI requests directly to a Global Catalog server. You can force the clients to use the Proxy services of DSProxy rather than getting a referral to a Global Catalog server by setting a Registry entry at the Exchange server to disable referrals:

Key: HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value: No RFR Service
Data: 0x1 (REG_DWORD)

For this to work, you'll need to open a conduit in the firewall to allow the Exchange server to query a Global Catalog server. This requires locking down the NSPI and RFR services to use specific ports. Use the following Registry entries to assign the ports. Work with your Network Services colleagues to select the ports. You might want to use port numbers in the stratosphere of the allowable number space to avoid conflicts. Port numbers from 1024 to 65535 are allowed.

RFR

Key: HKLM | System | CurrentControlSet | Services | MSExchangeSA | Parameters
Value: TCP/IP Port
Data: <port_number> (REG_DWORD)

NSPI

Key: HKLM | System | CurrentControlSet | Services | MSExchangeSA | Parameters
Value: TCP/IP NSPI Port
Data: <port_number> (REG_DWORD)

Information Store

Key: HKLM | System | CurrentControlSet | Services | MSExchangeIS | Parameters
Value: TCP/IP Port
Data: <port_number> (REG_DWORD)
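
Before handing port numbers to the firewall team, it helps to confirm what the server is actually configured to use. The following read-only audit is an added example, not code from the book; it assumes PowerShell is installed on the Exchange server, and the function and variable names are illustrative. It reads the three port values and the No RFR Service value named above, checks each port against the 1024 to 65535 range, and flags any port assigned to more than one service.

```powershell
# Added example (not from the book): read-only audit of the Registry values
# named in this tip. Run locally on the Exchange server.
$svc = 'HKLM:\System\CurrentControlSet\Services'
$checks = @(
    @{ Service = 'RFR';               Key = "$svc\MSExchangeSA\Parameters"; Value = 'TCP/IP Port' },
    @{ Service = 'NSPI';              Key = "$svc\MSExchangeSA\Parameters"; Value = 'TCP/IP NSPI Port' },
    @{ Service = 'Information Store'; Key = "$svc\MSExchangeIS\Parameters"; Value = 'TCP/IP Port' }
)

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-PortStatus($Port) {
    # A missing value means no static port has been assigned.
    if ($null -eq $Port) { return 'NOT SET' }
    if ($Port -lt 1024 -or $Port -gt 65535) { return 'OUT OF RANGE (1024-65535)' }
    return 'OK'
}

$report = foreach ($c in $checks) {
    $port = Get-RegValue $c.Key $c.Value
    New-Object PSObject -Property @{
        Service = $c.Service; Port = $port; Status = (Get-PortStatus $port)
    }
}

# The same port number assigned to more than one service is a conflict.
$report | Where-Object { $null -ne $_.Port } | Group-Object Port |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($r in $_.Group) { $r.Status = 'CONFLICT: port reused' }
    }

$noRfr = Get-RegValue "$svc\MSExchangeSA\Parameters" 'No RFR Service'
if ($noRfr -eq 1) {
    'Referrals disabled: clients proxy NSPI requests through DSProxy.'
} else {
    'Referrals enabled: clients are referred to a Global Catalog server.'
}

$report | Select-Object Service, Port, Status | Format-Table -AutoSize
```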



This chapter excerpt from Learning Exchange Server 2003 by William Boswell is printed with permission from Addison-Wesley Professional, Copyright 2004.
