Inside Entourage by Amir

Parts of Hyperlink After Ampersand Sign Are Stripped in Entourage 2008

Here is another known issue we are working to fix these days.

Issue
Entourage 2008 users are reporting that it is stripping parts of hyperlinks (URLs) in messages they receive from other users. It always strips parts of those hyperlinks right after '&', including the ampersand sign. This is only being reported by those users who have recently upgraded to Office 2008 for Mac Service Pack 1 (SP1). Examples of stripped URLs are:

Original Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321&UID=987612345

Stripped Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321=987612345

Note that '&UID' has been stripped

Original Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897&SaveID=7843~2945

Stripped Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897=7843~2945

Note that '&SaveCaseID' has been stripped

Cause
This happens as '&' is not properly encoded as '&amp' in the message source

Resolution
Microsoft is working to release a fix for this issue in an update for Entourage 2008 but a final release date is not available yet. I plan to update this post with new information in this regard when it becomes available.

SSL Warning Issue in Entourage 2008

In this post I wanted to quickly provide an update on an ongoing issue with some specifics to make sure our customers are well informed on its current status.

Issue
After installing Office 2008 for Mac Service Pack 1 (SP1) when Entourage 2008 users connect to their mailbox on an Exchange 2007 Server, they may see an error like this (you can substitute 'contoso' in the screenshot below with your own root domain):

If you click on 'OK', Entourage will continue to work and you won't see this error message again until the end of that session when you close Entourage. Clicking on 'Cancel' you may end up in 'Not Connected' state with your Exchange account. This error may also come up when:

1. You try to configure your Exchange account using 'Account Setup Assistant' which now uses Autodiscover Service on Exchange 2007 to automatically configure your account or

2. You use any 'Exchange Web Services' based feature in Entourage 2008, like OOF Assistant, Free/Busy Info pull-up, etc. as they also utilize Autodiscover feature or

3. Entourage tries to talk to Autodiscover Service while its running connected to your mailbox to see if any updates were made to Autodiscover Service on server side by your Exchange Administrator, this happens automatically in the background based on a pre-set interval which cannot be modified by user

Cause
This happens as Entourage 2008 tries to establish a secured connection to the first of the 2 default addresses (URLs) in its attempt to contact the Autodiscover Service on your Exchange 2007 Server. This is explained in the Autodiscover Whitepaper, see 'How the Autodiscover Service Works with Clients' section. Most organizations using Exchange 2007 do not publish Autodiscover Service thru the first URL mentioned over there, i.e. 'https://contoso.com/autodiscover/autodiscover.xml', rather they use the other URL, i.e. 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'. When Entourage finds an error (mostly its 'Common Name' mismatch) with the certificate published at the root of your domain (if there is one, many organizations do, but 'Common Name' on that certificate is 'www.contoso.com', not just 'contoso.com' and Autodiscover Service is not published thru that URL), it displays the above error. It does not move silently to try the other possible URL. Clicking 'OK' on above error makes it exactly do that and thus it finds the Autodiscover Service responding on the other URL and everything then works fine from there.

This issue can also happen in Entourage 2008 if Autodiscover Service is not configured properly as per the guidelines in Autodiscover Whitepaper. See 'Note' below on how to quickly check to see if Autodiscover Service is properly configured and published for users.

Resolution
Microsoft is working to release a fix for this issue in an update for Entourage 2008 but a final release date is not available yet. I plan to update this post with new information in this regard when it becomes available.

Note
We need to make sure that when Entourage looks for Autodiscover Service, the related URL as mentioned above in 'Cause' section is configured and published to respond to those requests. A quick way is to look up the A Record (a type of DNS record which is used to map a hostname or URL to the IP Address of the host) which you will have to register with your DNS provider.

A Working Example:
For Microsoft, the Autodiscover Service is configured and published at 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml', you can look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.microsoft.com&type=A

You will see an IP Address is mapped to the URL for Autodiscover Service to respond to incoming requests.

Now, if I go and hit the URL for Autodiscover Service in my browser, i.e. 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml'

I will get a window to enter my user credentials (domain\username & password) and after that I will see the following lines in the main browser window:

<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="10:29:57.7332076" Id="59171512">
    <ErrorCode>600</ErrorCode>
    <Message>Invalid Request</Message>
    <DebugData />
</Error>
</Response>
</Autodiscover>

The response above says 'Error 600, Invalid Request' as the Autodiscover Service URL is not supposed to be accessed thru a browser. This is an expected response in this scenario and confirms the proper configuration and publishing of Autodiscover Service.

A Non-Working Example:
Let's use Contoso as a non-working example, the Autodisover Service should be configured and published at 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml', if you look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.contoso.com&type=A

You won't find an IP Address mapped to the URL for Autodiscover Service, instead you will see an error there saying 'server can't find autodiscover.contoso.com'.

Client Certificate-based Authentication in Entourage 2008

Recently Microsoft released Service Pack 1 (SP1) for Office 2008 for Mac. There are some new features in SP1 for Entourage 2008 users, one of them is 'Client Certificate-based Authentication'. In this post we will walk thru the setup on server & client sides so that it will be helpful to those who want to use this feature in Entourage.

Introduction
Entourage connects to an Exchange mailbox thru 'Exchange' virtual directory under 'Default Website' in IIS (Internet Information Server) installed on an Exchange Server. IIS provides several authentication methods and they are all discussed here & here. One of them is 'Client Certificate-based Authentication' (CCA) which works thru 'Client Certificate Mapping' on server side. Most conventional ways of authentication require the provision of username, domain & password (3-tier credentials) but CCA does not require users to provide their domain credentials. It works thru a mapping of user certificates to their accounts in Windows Active Directory. It is used where high level of security is required and domain password policies are very strict or administrators simply do not want their users to remember/enter their domain credentials for any kind of access. In those environments 'Two Factor Authentication' (RSA, Smart Card) is also used & CCA helps in its implementation. Now with the new support for CCA in Entourage, you can have your Entourage users utilize 'Two Factor Authentication' when they connect to their Exchange mailbox. Let's see how we can set it up.

Setup Details
To keep things simple, I have a single box server with Windows 2003 SP2 & Exchange 2003 SP2 (most common versions out there). It also has 'Certificate Services' (a Windows component) installed on it to act as my 'Private Root Certification Authority' (one can go with Public Root CAs like VeriSign, etc.). You can install an 'Enterprise Root CA' or a 'Standalone Root CA' (steps with screenshots), if you want to read more before installation, go here.

I installed an 'Enterprise Root CA' on my server. I used it to issue an identity certificate to IIS (Default Website) so that secured connections (SSL) can be established over port 443 by Entourage clients when they connect to 'Exchange' virtual directory to get access to their Exchange mailbox. This is a pre-requisite for CCA, steps are here.

I also used it to issue client certificates to individual Entourage users so that they can use it for CCA when connecting to their Exchange mailbox (more details later in 'Client Side Setup' section below).

Server Side Setup
There are several ways to set 'Client Certificate Mapping' on IIS, they are all discussed here. I used the 'Windows Directory Service Mapper' for my setup, as its most popular & simple to setup. I followed the steps listed here.

Note: I tested this feature successfully with '1-to-1 Mapping' as well, no issues, however I didn't test it with 'Many-to-1 Mapping', I assume that scenario will also work without any issues.

After that I went to 'Exchange' virtual directory and enabled the requirement of client certificates for authentication. To do that:

1. Go to IIS Manager : Default Website : Exchange : Properties : Directory Security : Secure Communications : Edit : Check the 2 boxes for 'Require secure channel (SSL)' & 'Require 128 bit encryption'
2. On the same window, under 'Client certificates' section, select 'Require client certificates'
3. Also check the box for 'Enable client certificate mapping'
4. The final configuration will look like this

That's it, click OK twice to get back to IIS Manager.

Now when we are set to use CCA for authentication on 'Exchange' virtual directory, we can go and turn off all other authentication methods. To do that, go to IIS : Default Website : Exchange : Properties : Directory Security : Authentication & Access Control : Edit : Uncheck all boxes here (screenshot), click OK twice to get back to IIS Manager.

Repeat the above steps now for 'Public' virtual directory which is used by Entourage to access public folders on Exchange Server.

Client Side Setup
To begin with Entourage users should follow these steps for obtaining and installing a user certificate on their Mac. I used a Mac with Tiger (Mac OS 10.4.11) and Entourage 2008 SP1 installed on it.

1. Launch Safari browser and go to http://<server-name>/certsrv (where 'server-name' is the name of the server where 'Private Root CA' is installed) (screenshot)
2. Enter your username and password when prompted (screenshot)
3. On the 'Welcome' page of your Root CA Server, click on 'Request a certificate' link (screenshot)
4. On the 'Request a certificate' page, click on 'User Certificate' link (screenshot)
5. On the 'User Certificate – Identifying Information' page, keep the 'Key Strength' field set to '2048 (High Grade)', click on 'Submit' button (screenshot)
6. On the 'Certificate Issued' page, click on 'Install this certificate' link (screenshot)
7. You will see the 'Downloads' window from Safari and a file by the name of 'certnew.cer' will be downloaded to your desktop (screenshot)
8. Double click on the 'certnew.cer' file on your desktop (screenshot)
9. The 'Keychain Access' application will launch and you will see the 'Add Certificates' window, keep the 'Keychain' field set to 'login' and click 'OK' (screenshot)
10. The user certificate will then be imported in the Keychain (screenshot)
11. You can double click on it to view the user certificate (screenshot)
12. You can also launch 'Microsoft Cert Manager' application (from Mac Hard Drive : Applications : Microsoft Office 2008 : Office) to view the certificate in 'Digital Identities' container. This is a good indication that the user certificate will work fine with CCA or digital signing and encryption of outgoing mail.

Quick Admin Check: Now in order to make sure that Entourage user account is setup properly in Windows Active Directory, take a look at its properties (thru 'Active Directory Users & Computers' or 'ADUC'), you should see the user certificate there under 'Published Certificates' tab (screenshot). If not then you can also import it (use the 'cer' file from user's Mac, see Step 7 above) using the 'Add from file' button there. Another way to add & map user certificate is to do a right click on user object in ADUC, choose 'Name Mappings', then add the user certificate there under 'X.509 Certificates' tab (screenshot).

Now let's configure Exchange account settings in Entourage, this screenshot depicts how 'Account Settings' tab should look like. Note that you do not need to provide user's domain credentials, i.e. username, domain & password. The 'Advanced' tab is where you need to select user certificate under 'Client Certificate-based Authentication' section. Clicking on 'Select' button there will provide you with the 'Choose an Identity' window which will list the user certificate there. That's it, you are done.

After that Entourage will try to connect to Exchange mailbox utilizing 'Client Certificate-based Authentication', user will see a prompt 'Confirm Access to Keychain', choose 'Always Allow' on that. This allows Entourage to access 'Keychain' in Mac OS where user certificate is stored. Entourage will then go and talk to 'Exchange' virtual directory on server. User certificate will be used for CCA and connection to Exchange mailbox will be established in seconds. We are done!

But What About GAL Access?
After some research I found that currently it is not possible in Windows Server 2003 to require CCA for LDAP connections & queries. Thus if you want your Entourage users to access your Windows Global Catalog Server (LDAP Server) for 'GAL Access' (Global Address List) feature, you will need to configure it appropriately (non-SSL over ports 3268 & 389 or SSL over ports 3269 & 636) and also provide domain credentials in Exchange account settings in Entourage. Entourage uses the same set of domain credentials provided on first tab (screenshot) for authentication against Exchange & LDAP Server. The authentication processes are separate for IIS (for Exchange mailbox & public folder access) & LDAP Server (for 'GAL Access' feature). If CCA is required for authentication by IIS (at 'Exchange' & 'Public' virtual directories), then Entourage will use client certificate for that and will only use domain credentials for authentication against LDAP Server for 'GAL Access' feature.

Smart Cards
Some organizations out there use Smart Cards to store user certificate which is generally used by them for digital signing and encryption of outgoing mail. They will continue to work in the same way for CCA feature as well. Just select the same user certificate over here as well.

DST Workaround for Entourage 2004 & 2008 Users in ANZ

Update: The fixes for this issue have been released in 11.5 (Entourage 2004) & 12.1 (Entourage 2008) Updates for Office for Mac.

I wanted to quickly provide this workaround to the users of Entourage 2004 & 2008 in Australia & New Zealand (ANZ) time zones until Microsoft releases fixes thru updates at Mactopia website.

Issue
When Entourage 2004 & 2008 users organize meetings by inviting other users who are using Microsoft Outlook or OWA (Outlook Web Access) against their Exchange mailboxes (version of Exchange Server does not matter here), then those meeting attendees may see the incoming meeting invite being an hour off. This issue is not seen if all meeting attendees are Entourage users.

Cause
This happens as Entourage 2004 & 2008 use DST information from related 'Timezones' files for users in ANZ time zones, which are not up to date with current information.

Resolution
Microsoft is working to release a fix for this issue in an update for both versions of Entourage but a final release date is not available yet. When that update is available, users can safely install it and it will replace the files which they will put on their systems as a result of applying the workaround provided below.

Workaround
Below are the steps to follow for both versions of Entourage. Only Entourage users will need to apply this workaround on their machines, no action is required by other users who are using Microsoft Outlook or OWA.

Entourage 2004

1. Quit Entourage (Entourage should not be running when you apply this workaround)
2. Back up the current 'Timezones' file in folder: Mac Hard Drive : Applications : Microsoft Office 2004 : Office (just copy it to a backup folder on your hard drive)
3. Download the updated 'Timezones' file for Entourage 2004 from here (extract its content before proceeding to next step)
4. Copy the downloaded 'Timezones' file to the same location as above in Step 2, replacing the existing 'Timezones' file
5. That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Entourage 2008

1. Quit Entourage (Entourage should not be running when you apply this workaround)
2. Back up the current 'Timezones.ics' file, go to folder: Mac Hard Drive : Applications : Microsoft Office 2008 : Office, locate a file by the name of 'EntourageCore.framework', now Control-Click on it and choose 'Show Package Contents' in the resulting menu, a new window will appear, in that window go to folder: Versions : 12 : Resources : en.lproj (you will find the 'Timezones.ics' file here, just copy it to a backup folder on your hard drive)
3. Download the updated 'Timezones.ics' file for Entourage 2008 from here (extract its content before proceeding to next step)
4. Copy the downloaded 'Timezones.ics' file to the same location as above in Step 2, replacing the existing 'Timezones.ics' file
5. That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Note: Any meetings which were scheduled earlier and display the issue described in this post will not automatically get fixed. If you want to fix them, you will have to open them and make a change in them (like add one character to its subject/title or notes area, etc.), then save them and send update to all attendees. This change will force Entourage to recalculate DST info as per the updated 'Timezones' file.

Workaround Removal
If at anytime you may need to remove or undo this workaround, just follow the same steps as above and replace the 'Timezones' files with the original ones which you backed up earlier.

How Does Entourage Work?

As my blog is focused on Entourage as an 'Exchange Client', let's start with the most obvious topic which will provide details on how Entourage works with a mailbox on an Exchange Server. This blog will encompass the currently supported versions of Entourage & Exchange Server, i.e. Entourage 2004 & 2008, and Exchange 2000, 2003 & 2007. Let's list all the different features in Entourage for which it needs to talk to Exchange Server or any other server in a Windows Active Directory based environment. (Note: All ports mentioned below are server side ports)

Entourage Setup Assistant (screenshot)
The very first feature which you use in Entourage is the 'Entourage Setup Assistant' (or 'Account Setup Assistant') after you create a new identity. If you try to configure your Exchange account using the setup assistant, it talks to available DNS server configured in Mac OS X 'Network Preferences' to locate a Windows Domain Controller or Global Catalog Server hosting Active Directory and then authenticates & inquires about Exchange mailbox server for user. The whole process is described over here in detail. Server side ports used are 53 (for DNS queries) and 3268 (for authentication & LDAP queries to locate mailbox server).

Mailbox Synchronization (screenshot)
After you have setup your Exchange account (using setup assistant or manually), Entourage goes and talks to the Exchange server (front-end or back-end mailbox server) thru IIS (Internet Information Server) to get connected to your mailbox. This communication is HTTP (WebDAV protocol) in nature, thus can happen over port 80 (without SSL) or 443 (with SSL) as per your server side requirements.

Public Folders (screenshot)
Another server you have to enter in Exchange account settings is your public folders server. Generally in big enterprises public folder servers are maintained separately from mailbox servers on the back-end. Entourage communicates with the public folder server in the same way as with an Exchange mailbox server, i.e. HTTP (WebDAV) over port 80 (without SSL) or 443 (with SSL).

Global Address List (screenshot)
In Entourage you also have to provide a Directory or LDAP server name, which in a Windows Active Directory based environment is your Global Catalog Server so that you can have access to 'Global Address List' (GAL) of your Exchange organization. Entourage uses ports 389 (without SSL) & 636 (with SSL) for authentication and then to access GAL, it sends LDAP queries over ports 3268 (without SSL) or 3269 (with SSL), so a combination of two ports is used for GAL feature, i.e. 389 & 3268 (without SSL) or 636 & 3269 (with SSL).

Out of Office Assistant
This is a new feature only in Entourage 2008. When connecting to Exchange 2000/2003 based mailboxes, Entourage sends a WebDAV query to pull up 'Options' page from OWA (Outlook Web Access) thru which it sets the OOF Assistant. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

When connecting to an Exchange 2007 CAS, it works thru 'Exchange Web Services' ('OOFURL' in 'autodiscover.xml') to configure 'OOF Assistant' with appropriate settings. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. Keep in mind that this feature does not work and fails with an error if you connect directly to an Exchange 2007 mailbox server on back-end as 'autodisover' and 'Exchange Web Services' are not present on it, they are only present on an Exchange 2007 CAS.

Free/Busy Info (screenshot)
When Entourage users schedule a meeting with other users in their Exchange organization, they can also view their free/busy information, i.e. whether other users are free or busy on particular day/time slots.

Entourage 2004 retrieves free/busy information for other users by talking to a public folder server hosting consolidated free/busy info for all users. This communication is also HTTP (WebDAV) in nature thus happens over port 80 (without SSL) or 443 (with SSL). Entourage 2004 pulls free/busy information in this way in all cases. It does not matter where Entourage user's mailbox is located, i.e. on Exchange 2000, 2003 or 2007 Server. Therefore, it is necessary to provide a public server name in Exchange account settings (under 'Advanced' tab) in Entourage 2004.

Entourage 2008 utilizes 'Availability Service' (AS, part of 'Exchange Web Services') on Exchange 2007 to retrieve free/busy information for other users (having mailboxes located on any version of Exchange Server) if it is connecting directly to an Exchange 2007 Client Access Server (CAS). For mailboxes located on Exchange 2007 server, AS pulls free/busy info directly from users' mailboxes while for mailboxes located on Exchange 2003 server (or earlier versions), AS sends the WebDAV query (HTTP, this query always goes over port 80 from CAS to an internal Public Folder server) to respective public folder server hosting those users' free/busy information. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. You also don't need to enter a public folder server name in Exchange account settings (under 'Advanced' tab) in Entourage for this feature to work, just the name of Exchange 2007 CAS (in 'Exchange server' field under 'Account Settings' tab) is enough.

If Entourage 2008 is connecting directly to a backend mailbox server (Exchange 2007 or earlier versions) or a front-end server (Exchange 2003 or earlier versions) then it utilizes the same WebDAV (HTTP) procedure to pull up the free/busy info as Entourage 2004 does (discussed above). It cannot use AS in this scenario as its only available on an Exchange 2007 CAS.

Folder Sharing
When an Entourage user (User1) accesses a shared folder of another user (User2) in his Exchange organization, it uses the same WebDAV (HTTP) based communication which it uses to access the mailbox of Entourage user (User1). The port usage is also the same as described above under 'Mailbox Synchronization' section. Same applies when you use Entourage to assign folder sharing permissions (Folder : <right click> : Sharing : Permissions tab).

Delegate Management (screenshot)
Using Entourage you can also assign access permissions to your delegates so that they can access your folders such as Inbox, Calendar & Contacts. Entourage 2004 establishes a direct connection to your mailbox server for this purpose, which utilizes MAPI (RPC over TCP). Why? Please read the 'CAUSE' section in KB 909269. Entourage 2004 first connects to port 135 ('End-point Mapper' or 'epmap') on Exchange mailbox server, which refers it to 'Exchange System Attendant Service' ('MAD.exe', there is no fixed port for 'MAD', its assigned dynamically). Exchange server then authenticates Entourage client by talking to a 'Domain Controller' or 'Global Catalog Server'. After successful authentication Entourage finally connects to mailbox store on Exchange server (there is no fixed port for 'store' either) and sets two parameters as mentioned in KB 909269. Entourage 2004 uses this procedure irrespective of the version of Exchange server (2007 or earlier versions) to which its connecting for mailbox access. Entourage 2008 works in the same way except when its connecting to an Exchange 2007 CAS with SP1 installed.

Entourage 2008 utilizes the new delegate management web service if its connecting to an Exchange 2007 CAS with Service Pack 1 installed. This communication happens over port 80 (without SSL) or 443 (with SSL) as per the server side configuration. The major advantage of this feature is that Entourage users can now assign delegation rights to other users independent of their location, i.e. they can do it while connected from internal or external locations.

Mailbox Quota Management (screenshot)
Entourage users can also find how much space their mailbox is utilizing on server at different levels, like at the top mailbox level, at each folder level, etc. They can do that by going to any folder, right click on it, choose 'Folder Properties' and then go to 'Storage' tab. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

Password Expiration Notice (screenshot)
Entourage also checks for Windows domain (where your Exchange server resides) password expiration on every launch or every 24 hours afterwards to see if user's password is going to expire in the next 10 days or not. It does that thru an LDAP query to your Windows 'Domain Controller' or 'Global Catalog Server' configured in Exchange account settings (under 'Advanced' tab). This communication happens over port 389 (without SSL) or 636 (with SSL).

Entourage 2008 – New Features (Part II)

Now let's talk about features which are exclusive to Entourage 2008 users in an Exchange organization where they are working with other Outlook users. Some of them, like Calendar features below may also apply to non-Exchange users as well.

Calendar Features
Entourage 2008 contains several new features and improvements in the area of event & calendar management. They are:

Accept, Tentative & Decline Buttons on Meeting (screenshot) - After a single instance or recurring meeting is accepted or tentatively added to the calendar (like by 'Calendar Assistant' in Exchange 2007), Entourage 2008 users are now able to act on the resulting event from the event itself. This is essentially the same as acting on a meeting request when it arrives in user's Inbox. This feature can also be used to decline a previously accepted meeting request later when user's plan changes.

Event Deletion Update (screenshot) - If an Entourage user (as a meeting attendee) deletes a previously accepted single instance or recurring meeting (or a single instance of a recurring meeting), the user is prompted to send a response to meeting organizer.

Time Zone Mismatch Warning (screenshot) - Outlook for Windows handles time zones differently when sending recurring vs. single instance meeting invites. In the recurring case, Outlook stamps the invite with sender's time zone and thus they are received & displayed appropriately in Entourage. On single instance meeting invites, Outlook does not stamp sender's time zone and thus Exchange Server stamps its own time zone on the invite. When Entourage receives such an invite, it uses the time zone stamped by Exchange to calculate start and end times. Some issues may occur if Exchange server is in a different time zone than the Entourage user (see KB 925376). Entourage 2008 displays better event status text related to event and local computer's time zones to handle this situation.

Processing of Incoming New Meeting Requests - Entourage 2008 behaves like Outlook and moves invites to 'Deleted Items' folder after they are processed in the Inbox by user. Invites having attachments with them are still left in the Inbox so that user can access them later when needed. Entourage 2008 does not support having attachments with events placed on Calendar.

Conflict Status (screenshot) - When an invite arrives, Entourage now compares it to the contextually related primary calendar (like Exchange Calendar) to determine if the invite conflicts with an existing event or not. If any portion of the time span of the invite intersects or overlaps with an existing event, an appropriate status text to that effect is displayed on the incoming new meeting request.

Adjacent Status (screenshot) – Same determination as above is made for detecting new invite being adjacent to an existing invite and if the beginning and/or end of the new invite's time span equals an existing event's time span, an appropriate status text to that effect is displayed on the incoming invite.

New Events Are Always Added to December - When the Mac OS X 'International Language' preference is set to Portuguese or Spanish, all new events created using Entourage 2004 appear in December of the respective year, though it preserves the day and date of event. This issue has been resolved in Entourage 2008 through adding support for 'Textual Separators' (like 'de') which is used to separate day, month and year in Portuguese, Spanish & some other languages.

To Do List (screenshot)
Entourage 2008 does not support synching with 'Tasks' folder in an Exchange mailbox but it does support the new 'To Do' based tasks feature (also in Outlook 2007 & Exchange 2007 OWA Premium) which lacks tasks assignment and progress tracking. This feature allows users to easily create and view their daily action items as well as provide a consistent experience with Outlook. Though 'To Do List' appears with the local 'Tasks' folder in Entourage, 'To Dos' are synchronized to the Exchange server and users will find consistent experience working with their 'To Do' items no matter which client they are using at a particular instant, be it Outlook 2007, Entourage 2008 or Exchange 2007 OWA Premium. The 'To Do List' can also be printed which provides a handy resource for users who are mostly in and out of meetings.

Out of Office Assistant (screenshot)
Using 'OOF Assistant' feature in Entourage 2008 users can set their out of office (OOF) status along with an OOF message when connecting to an Exchange Server. The feature is supported for Exchange 2000 or higher versions. This feature requires 'Outlook Web Access' to be functional on Exchange Server (2000 & 2003). Its implementation is based upon the 'OOF Assistant' available in OWA (2000 & 2003) and thus provides equivalent feature-set. It does not provide support for 'OOF Rules' which is available in Outlook for Windows. Support for separate internal and external OOF messages is only available for Entourage 2008 users connecting to a mailbox on Exchange 2007 Server. Such users can also set the OOF period (i.e. start and end date & times) and they can also send rich text or HTML based OOF messages. Entourage 2008 utilizes 'Exchange Web Services' and 'autodiscover' on Exchange 2007 for this feature.

Kerberos Authentication (screenshot)
Entourage 2008 supports Kerberos for authentication only for Exchange and LDAP (used for GAL access in Exchange organizations) accounts. It is not supported for all other types of accounts which you can configure in Entourage, like POP/SMTP, IMAP, Hotmail & News (NNTP) accounts. Mac OS X (Tiger and later) includes built-in support for Microsoft Kerberos (MSK) authentication and Active Directory authentication policies, such as password changes, expiration and forced password changes. By leveraging the OS's Kerberos service, Entourage provides better password handling and a cleaner setup experience. Kerberos authentication will mainly work only inside the corpnet environments as obtaining a Kerberos ticket (first step before you can use Kerberos authentication in Entourage) requires access to a Kerberos ticket or 'Key Distribution Center' (KDC), which generally in a Microsoft Windows Active Directory based environment is a 'Domain Controller' or a DC serving in Global Catalog Server (GC) role. Exchange Servers that are internally accessible are primarily the ones serving in back-end mailbox server roles, they support Kerberos authentication thus they can be used for connecting to Exchange mailboxes by Entourage users using Kerberos. Front-end or Client Access Servers (CAS) do not support Kerberos authentication for mailbox connectivity (by default) for users thus users will have to use three-tier domain credentials (i.e. username, domain & password for Windows Integrated/NTLM or Basic Authentication with SSL) to connect to their mailboxes. If Entourage is configured to use Kerberos authentication with Exchange account and user tries to assign delegation rights to another user on his own mailbox, then Entourage may try to establish a MAPI connection with user's mailbox server (see KB 909269 for more info) and it does not use Kerberos authentication for that purpose. MAPI library code which is used for delegation does not support Kerberos authentication. MAPI connection is established by Entourage for delegation rights assignment if mailbox server is running Exchange 2007 RTM or lower, like Exchange 2003 or 2000 (any version or build). For MAPI connectivity to user's mailbox server Entourage uses NTLM v2 authentication and thus it prompts the user with domain credentials dialog, asking user to enter username, password and domain.

Interoperability with Exchange 2007
Exchange 2007 introduced a whole new set of 'Web Services' which can be utilized thru SOAP (which is based on XML, another widely used protocol) based programming to interact with users' mailboxes and most of the other major components of Exchange. Entourage 2008 utilizes some of those features provided by 'Exchange Web Services' (EWS) thru SOAP based calls which are sent directly to CAS (Client Access Server) as EWS (and 'autodiscover') virtual directory is hosted only on a CAS server. The new features in Entourage 2008 which utilize 'Exchange Web Services' on server side are: 'Out of Office Assistant' (discussed above), 'Free/Busy Info Pull-up' & 'Delegate Rights Management'. Another new feature that's available on Exchange 2007 Server and supported in Entourage 2008 is working with 'Managed Folders'. This comes under the area of 'Messaging Records Management' which has been emphasized in Exchange 2007 (see demo here).

Free/Busy Info Pull-up - In Exchange environment when an Entourage user tries to schedule meetings with other users, the classic way to pull up their free/busy information is to send a WebDAV based query (Get /public/?Cmd=freebusy) to Public Folder server configured in Entourage (Exchange Account Settings : Advanced tab). Entourage 2004 still works in this way while Entourage 2008 can also utilize 'Exchange Web Services' (available only on Exchange 2007 Server) for this purpose. If Entourage 2008 is connecting to a CAS server for mailbox connectivity (Entourage : Exchange Account Settings), then it utilizes the 'autodiscover' & web services (EWS) running on CAS for querying free/busy information for Exchange users. On initial connection Entourage always requests the 'autodiscover' service on CAS to provide the contents of 'autodiscover.xml' file, that file contains URL information for EWS and related services which are used by Entourage for OOF assistant, F/B info pull-up and delegation. There is an 'Availability Service' (AS) also there offered by EWS, using the URL for AS (which is there in 'autodiscover.xml') called as 'ASURL', Entourage can pull up F/B info for attendees of a meeting. If Entourage is connecting directly to a mailbox server (back-end) for mailbox contents (Entourage : Exchange Account Settings), then a call to retrieve the contents of 'autodiscover.xml' fails as 'autodiscover' and EWS only run on a CAS server thus in that case, even if you point Entourage to a CAS server for Public Folder access (Entourage : Exchange Account Settings : Advanced tab), it can't use ASURL to pull up F/B info, and thus it falls back to classic mechanism described above, i.e. send a WebDAV based query to Public Folder server.

Delegate Rights Management - In Exchange 2007 Service Pack 1, a new web service is included for delegate management. Entourage 2008 uses that for delegate management if it is available on server side, i.e. if SP1 is installed on Exchange 2007 server. Again it works thru CAS server only because it's a web service and EWS is only available thru CAS as described above. If Entourage is connecting to Exchange 2007 RTM build or earlier versions like Exchange 2003 or 2000, then it falls back to classic delegate rights assignment procedure which uses a direct MAPI connection to mailbox server of Entourage user (discussed above). The best part of using the web service for delegate management on server side is that it can work thru a pure HTTPS connection, no need to have a direct connection to mailbox server and thus it's location independent as CAS servers in enterprise environments are published to Internet for OWA access. Entourage feature-set in this regard has not changed, meaning the options available for delegate rights management process (i.e. add/remove delegate, set desired permissions, etc.) are still the same but now it can use delegate management web service if its available on server side to assign delegate rights, which is great new for remote users.

Support For Managed Folders (screenshot) - Exchange 2007 has a new feature known as 'Managed Folders' as part of Microsoft's effort to help our customers with 'Messaging Records Management'. Using managed folders Exchange administrators can provide their users with extra folders in their mailboxes to be used for archiving and journaling (or any other use) which are managed by them on server side thru custom policies configured for retention and size quota. Users interact with them like they do with any other folder in their mailboxes, the limited control makes sure that they are not able to delete the top level managed folder created and provided by their administrators, but they sure can create subfolders of any type under it and manage them as they desire. The same policies (size or quota mainly) apply to all subfolders created under a managed folder. Entourage 2008 provides identical experience to Outlook & OWA 2007 when working with managed folders on Exchange 2007 server. It syncs the contents of managed folders just like it syncs the contents of all other folders in a user's mailbox. With every managed folder administrator can also have some policy statement text which describes what that folder's purpose is and any other related information, Entourage displays that on top of the items list view where it lists all items in that folder. The size quota is also mentioned in terms of percentage used & available and the actual size in megabytes. If user exceeds the quota, an appropriate warning is displayed for user's information.

Support For Message Classification (screenshot) - Exchange 2007 also has a new feature using which users can classify a message based on administrator's provided message classifications, which can be defined and set on server side and are then available for use in different Exchange clients like OWA & Outlook 2007. This feature can be used for company wide distribution and exchange of important documents and information thru e-mail. Examples include legal documents, contract information, classified or confidential information, etc. All such classified messages usually display some text informing user what kind of information they contain and if any corporate or company policy applies with regards to the provision or exchange of such info. Entourage 2008 supports the display of those text labels at the top of such messages for its users' information.

Interoperability with Outlook 2007
Entourage 2008 also has some features which improves its interoperability with Outlook 2007. This increases the feature parity between Outlook and Entourage. Some limitations of Entourage 2008 are also mentioned below for the purpose of full disclosure.

Free/Busy Permissions (screenshot) - Outlook 2007 has added a new set of permissions for 'Free/Busy' (F/B) data for users having mailboxes on Exchange 2007 server. Users can now determine what level of free/busy information should be available and visible to other users who are trying to schedule meetings with them. These levels are: None (no F/B data is visible), Free/Busy time (only F/B time is visible in the graphic form, new permission level), Free/Busy time, subject, location (meeting time, subject and location is visible, new permission level) & Full Details (all meeting information is visible, i.e. equal to Reviewer permission). These new F/B permission levels however are not available in Entourage 2008. Using Entourage 2004 a user cannot retrieve this level of information even if he has required permissions assigned to him. Entourage 2008 though works identically to Outlook 2007 and shows appropriate F/B info to its users according to assigned permissions. Entourage uses the new 'Availability Service' provided by 'Exchange Web Services' running on an Exchange 2007 'CAS' Server for this feature. The F/B info is displayed via a tooltip above a particular free/busy block when Entourage user views F/B info for other attendees in a meeting request being composed.

Payload Calendars (screenshot) - In Outlook 2007, a user can send another person a partial or full copy of his calendar by e-mail, including free/busy information with or without details and attachments (if there are any with events). All details are included in that e-mail within an '.ics' file along with an HTML representation of sender's calendar. If recipient is an Entourage 2004 user then opening the '.ics' file launches Apple's iCal application and Entourage does not handle it itself. HTML representation of the senders calendar though appears fine in that e-mail. Even if the user changes the association of '.ics' file to Entourage, user can only see one event, not multiple events if that file contains multiple events. Now in Entourage 2008 when such an '.ics' file is opened from a mail attachment, Entourage handles the file even if another application is the registered '.ics' file handler at Mac OS level. It also handles an '.ics' file containing multiple events and the collection of individual events including their free/busy information is automatically added to default calendar in Entourage. Attachments with any events in this case will not show up with events after they are imported to Calendar in Entourage.

Flagging & To Do Tasks - Outlook 2007 users can flag a mail item or contact and create a 'To Do' task. Entourage 2008 also includes the same feature which works identically (discussed above).

Electronic Business Card (screenshot) - Outlook 2007 contact items have a new 'Business Card' area as well as a built-in editor. A 'Send as Business Card' option allows users to exchange contacts (vCard format including images and formatting) via e-mail. Outlook users can also insert their own business cards as signatures at the end of e-mail messages. Both Entourage 2004 & 2008 display the HTML representation of incoming 'Business Card' correctly in-line in the message. Using the attached 'vcf' file that contact can also be opened and added into default 'Contacts' folder in Entourage. If that contact also has a picture embedded in it, that's also imported into Entourage when that contact is added thru its corresponding 'vcf' file. Keep in mind that Entourage 2008 does not sync the associated pictures in contacts added thru Outlook 2007, when user connects to the same Exchange mailbox using Entourage.

Meeting Updates (screenshot) - Meeting updates in Outlook 2007 now have an improved status description of any changes from preceding invite(s). The original invite data (i.e. time, location, etc.) is shown in the status area with a strikethrough directly next to the current or new value. Both Entourage 2004 & 2008 show a standard message in info bar which says: 'This is an update to an existing event'.

Sharing Messages (screenshot) - Outlook 2007 has a new method of quickly sharing calendar and contacts folders via e-mail. Using this option results in reviewer rights for the recipient as well as a request for the recipient to share the same folder. Entourage 2004 and 2008 both do not support this feature, the sharing message displays fine but has no effect on Entourage.

Delegate Changes - Outlook 2007 has added a new meeting requests forwarding option, i.e. 'My delegates only, but send a copy of meeting requests and responses to me (recommended)'. This option sends the original meeting request to the delegate, while the principal receives an informational message with the details of the invite. Entourage 2004 & 2008 users in principal roles still receive original meeting request with Accept/Decline buttons, so there is no change in Entourage's behavior due to this new feature in Outlook.

Categories - Outlook 2007 has improved its category feature which is also very identical to Entourage but Entourage still does not sync category information to & from Exchange Server thus if a user is using multiple clients to connect to his mailbox, and uses categories in Entourage, that information is still kept local in Entourage database and is not synched back to server.

RSS, InfoPath & SharePoint Integration (screenshot) - Outlook 2007 has added support for RSS feeds, improved InfoPath integration and Windows SharePoint support. These features are not supported in Entourage 2008. Only RSS Feeds folder is accessible thru Entourage if a user is also using Outlook 2007 to connect to the same mailbox. Any RSS feed to which user has subscribed thru Outlook are also synchronized by Entourage to its local database so that user can access them.

Entourage 2008 – New Features (Part I)

Since the release of Entourage 2008 for Mac, I have been watching the newsgroups, blogs and forums and I see one request more than any other which is to have a comprehensive list of features in Entourage 2008. In this blog I will try to provide exactly what our customers and Entourage users are looking for. As my expertise mainly lies with Entourage's interaction with Exchange Server thus I will also highlight the features important to Exchange users. This blog provides a list of features and a brief description of them, later I will blog on those specific features in detail from users' and administrators' perspectives.

Let's start with features which are common for all Entourage 2008 users irrespective of the type of mail server they are connecting to (Part I). In Part II I will talk about those features which are exclusive to Entourage 2008 users in an Exchange organization where they are working with other Outlook users

Application Shell (screenshot)
The main user interface of Entourage 2008 has been redesigned to provide a modern and compelling user experience that demonstrates to its users that Entourage is a premium messaging application and an integrated part of Office for Mac suite. It consists of 4 main areas, i.e. Toolbar (on top), Folder List (on left hand side), Item List (in the middle) & Preview Pane (on right hand side). There is a new 'View Switcher' panel (top left hand corner) to switch to different available modules, i.e. Mail, Address Book, Calendar, Notes, Tasks & Projects. The new 'MiniCal' (bottom left hand corner) can now be displayed in all folder views and it can be turned on or off using the toggle button.

Customizable Toolbars (screenshot)
Every toolbar you find in Entourage 2008 is now customizable, i.e. toolbar for every folder view, item view & composition window. Users can customize it by right clicking on it and choosing the option 'Customize Toolbar' or use the same option under 'View' menu.

Favorites Bar (screenshot)
This is a new addition in Entourage 2008 and provides feature parity with Outlook for Windows. Its located just below the toolbar in the main UI. Users can drag and drop any folder (or saved search) in their 'Folder List' to 'Favorites' bar and that creates a shortcut (or alias) for that folder which can then be used by the user to quickly get to that folder from any view in Entourage. 'Favorites' bar remains visible and accessible from all views in Entourage 2008 just like the main toolbar on top. Some really cool features of 'Favorites' bar are: it displays the number of unread items right beside the folder name, drag & drop folders to add/remove & re-organize them, drag and drop items to move them from one folder to another, etc.

Folder List (screenshot)
In the new 'Folder List' the folders related to the default mail account are displayed on the top and then rest are displayed according to alphabetical order with respect to the account names. Local folders (related to 'On My Computer') show up after all the other accounts if they are not associated with a default POP mail account. The first level children folders have been shifted to the left and start at the same position as their parent folder.

To Dos (in Item List) (screenshot)
Working thru 'Item List', users can now quickly toggle the state of flag for an item and use the contextual menu to take more precise actions to create 'To Dos'. This new feature provides more consistency with Outlook for Windows. These flags are also synched back to user's mailbox on Exchange server and thus also reflect in Outlook for Windows & OWA (Premium only, not Basic), similarly if user flags an item as a 'To Do' item using Outlook or OWA Premium, its also reflected in Entourage.

Preview Pane (screenshot)
Entourage 2008 also displays the e-mail sender's picture in 'Preview Pane' if user receives an e-mail from a contact with a picture saved in contacts folder. The pictures associated with contacts are not synchronized with Exchange server or the one saved thru Outlook for Windows will not be available in Entourage either. All pictures are saved with associated contacts in local database only. The message headers also display the category color in their background when viewed in preview pane. A new effect known as 'Glass' can be experienced in the message header area, where background color (reflects category) has two distinct shades. This effect is also available in Calendar when viewing appointments and meetings in any view.

New Calendar Experience (screenshot)
All calendar views have been redesigned to provide more solid look and feel which enhances end user experience. There is a new 'Today' button which brings a user back to the current day in any view. 'To Do List' (discussed later in Part II) can be displayed on the right hand side of all calendar views. It lists all 'to do' tasks (created by flagging items in Inbox) & tasks (from local Tasks folder which is not synchronized with Exchange server). The new 'All Day Events Area' is designed to display events that transpire over a full day or set of dates. All events have tile like appearance when they are placed on calendar, they inherit the category color and exhibit glass effect as well. They are composed of many elements like free/busy indicator, meeting title/subject, meeting location, travel time indicator & several different status icons. For users who create events on their calendars very frequently, Entourage provides a way to create them quickly by dragging the mouse from start to end time (works in both directions, up or down) and then populating the event title and location by typing inline inside the event tile.

My Day (screenshot)
'My Day' is a new application included with Entourage 2008 which provides its users with an easy and quick way to access their calendar, to do list & tasks without running the full Entourage application. It interacts with the database directly to pull up related information rather than going thru Entourage, thus you don't need to run Entourage to use 'My Day'. It enables users to easily manage their daily activities and with the help of robust preferences they can customize their access to data and their interaction behavior. Users can also create tasks quickly thru 'My Day' but cannot create events in Calendar. It can also print a quick snapshot of the day for you.

Reminders (screenshot)
Office Reminders is the new application in Entourage 2008 which is replacing 'Office Notifications' in Entourage 2004. Reminders is often the most frequently used application with regards to Outlook & Entourage, thus a redesign is expected to improve end user experience. It also supports reminders for 'To Do' items and thus provides a new way to interact with them.

WebKit Integration (screenshot)
Entourage 2004 uses Tasman engine (from Internet Explorer for Mac) to render complex HTML mail messages. Tasman Engine has now been replaced by Apple's WebKit in Entourage 2008. WebKit is the HTML rendition engine which is used by Apple's Safari web browser and thus Entourage using the same engine is now better integrated with Mac OS and Safari. Entourage 2008 still does not support the composition of complex HTML mail messages (with tables, embedded hyperlinks, etc.) like Outlook for Windows does.

Integrated Spotlight Search (screenshot)
Spotlight is the search feature by Apple which was introduced in Mac OS 10.4 (Tiger). It provides users with a single entry point for searching the entire contents of their computer. Support for Spotlight was first introduced in Update 11.2.3 for Entourage 2004, but it was not integrated into the application. Entourage 2008 now has integrated Spotlight based search feature. Spotlight based searches are really fast in Entourage and it provides an integrated UI for building queries, which can be saved as well for later use. Users can now also run search against the contents of attachments with mail items in their databases. If an e-mail contains an attachment of a file type which has been designated as 'un-safe' in Office 2008 for Mac then that is not available for searching. Encrypted messages are also not indexed for Spotlight based search as they were encrypted to keep the content secure.

Zip Compression Support (screenshot)
Entourage 2004 provides compression feature when a user sends attachments with message or meeting invite. It uses Stuffit software by Aladdin Systems to compress those attachments. The compression option is available by default if Stuffit software is already installed on user's Mac OS system. Apple used to provide Stuffit libraries by default when you install Mac OS but they have stopped doing so with Tiger (Mac OS 10.4). Thus now users (using Mac OS 10.4) have to download and install Stuffit directly from the vendor's site (a free version is available) to use the compression feature inside Entourage. Entourage 2008 uses a new mechanism to compress attachments which has replaced Stuffit with Zip compression. As of Panther (Mac OS 10.3), Zip compression is also supported in Mac OS. This makes zip the most cross-platform compatible compression method for Windows and Mac users exchanging files. It also improves interoperability with Windows users. Windows and Mac users can now extract a zip file without any help from a 3rd party software as underlying operating systems provide required support, this reduces the need of installing any additional software to be able to work with zip files. Entourage 2008 uses 'Ditto' from Mac OS X to provide Zip compression feature. Ditto is a shell command that supports Zip compression while retaining resource forks. It is available in Mac OS X out of the box and is used by Entourage 2008 for compressing outgoing folders and files. Ditto is used and preferred over 'zip' shell command which is also available in Mac OS X because 'zip' command does not preserve resource forks.

Digital Signing & Encryption (S/MIME) (screenshot)
Entourage 2008 provides support for newer industry standard hash algorithms for digitally signing and encrypting mail messages. The use of old and weak encryption algorithms has been deprecated. Support for AES (Advanced Encryption Standard) based encryption and decryption has also been added. On top of this support for SHA-256, 384 and 512 with RSA keys ('SHA' stands for 'Secure Hash Algorithm & 'RSA' is another such algorithm named after their inventors) has been added for digitally signing and verifying e-mail messages. Entourage supports RSA & DSA (Digital Signature Algorithm) for signing and/or encrypting messages in any key length. It also warns users when RSA or DSA key size is less than 1024 bits in length. All these new features require Mac OS 10.4 (Tiger) or higher.

Unsafe Attachment Blocking (screenshot)
Entourage 2008 has built-in mechanisms to prevent its user from sending and opening unsafe file types as e-mail attachments. As Entourage is widely used as an Exchange client thus in enterprise environments administrators may want to modify or override the default attachment blocking policies, thus a procedure is available here for them to be able to do so and deploy that to their users. This provision makes it an evident fact that this feature is not to stop users from sending unsafe attachments through e-mail, but to help them avoid accidentally forwarding unsafe attachments to other users and then as a result of that spreading virus (if unsafe attachments are infected with some virus). Since unsafe attachments can be used to hide viruses thus its important to provide a mechanism to try to prevent that and make the whole user experience more secure and better. User education is another most important part of this effort. The list of file types which are blocked by default is available here. Attachment security mechanism is applied at two different levels, one is to block direct user access to unsafe attachments from being opened through Entourage, and second is to help user make proper decisions about sending unsafe attachments through Entourage. The blocked attachments are never deleted from incoming messages, they are just blocked from being accessed inside Entourage.

Junk E-mail Enhancements (screenshot)
In Entourage 2008, when a message is moved to 'Junk E-mail' folder, it is marked by an open red envelope (under 'Priority' field) signifying that it is a junk e-mail message. A warning also appears in the info-bar section of the message which warns about using the hyperlinks in the message. This warning is there on all junk e-mail messages whether they contain any links or not. The headers area also reflects a darker shade of gray for junk mail messages. Entourage 2004 had a 'Safe Domains' list and now Entourage 2008 has a new list named as 'Blocked Senders' list. It can contain e-mail addresses and domains which Entourage user wants to block as senders of junk e-mail. Both 'Safe Domains' & 'Blocked Senders' lists are stored in the Entourage database on a per identity basis. Users can also right click on 'Junk E-mail' folder and click on 'Empty Junk E-mail' option to permanently delete all junk messages in the folder (rather than delete them first and then empty 'Deleted Items' folder). It works like emptying your 'Deleted Items' folder. The algorithm used for processing incoming e-mail to identify junk mail has also been improved which reduces the number of false positives.

Anti-Phishing (screenshot)
Entourage 2008 also sports some new built-in anti-phishing features, which help users in detecting phishing messages and also aide users in making proper choices when dealing with such messages. Below are some of the anti-phishing features in Entourage 2008:

1. When a user hovers mouse pointer over links in an e-mail message in Junk E-mail folder, a pop-up tooltip with the full URL of the link is displayed
2. User is always warned when clicking on a link from a message in the 'Junk E-mail' Folder
3. User is always warned when clicking on links in HTML messages in Inbox (or Junk E-mail) folder which have mismatched text or domains (i.e. the visible hyperlink text is different than the embedded link text)
4. User is always warned when clicking on links in HTML messages in Inbox folder which have mismatched protocols (like http & ftp)
5. User is always warned when clicking on links in HTML messages in Inbox folder which have non-standard URLs, like consisting IP addresses, hexadecimal, octal or DWORD representations, etc.
6. User is always warned when clicking on links in HTML messages in Inbox folder which have login information embedded within the URL
7. Pictures thru embedded links are never downloaded automatically for messages in Inbox (or Junk E-mail) folder, regardless of 'Download pictures' settings under 'Security' in Entourage preferences, a message is displayed in info-bar letting the user know that pictures were not downloaded to protect user's privacy as they are used as 'beacons' (a common phishing practice), picture attachments with such messages which can be rendered inline are also not rendered

Smart Card Support
Entourage 2004 Service Pack 2 had very limited support for 'Smart Card' for specific purposes. Apple laid the ground work in their Mac OS X (10.4) and Entourage built support for Smart Cards on top of that. It was mainly on the request of US Department of Defense (and related military organizations like US Military) and only CAC (Common Access Cards) Smart Cards are supported at this point which are issued by DoD/US Military to its employees. Entourage 2008 has some enhancements in this area. Apple has also released a guide on its website for these customers. This article provides the manual for the 'Apple Federal Smart Card Package Installation and Setup Guide' in PDF format.

Online Help (screenshot)
The new 'Online Help' feature aligns with the Microsoft-wide help initiative, which incorporates a mixture of offline and online help, like in Office 2007 for Windows. The Microsoft online help system allows for future help topics in Mac Office to be easily & quickly incorporated and current content to be continuously updated. Microsoft Assistance Platform is a company-wide platform for assistance or help content. It encompasses authoring, publishing, hosting and analysis which are the basic components of continuous publishing. Continuous publishing is achieved thru publishing new and updated content on the Internet on an ongoing basis. A goal of continuous publishing is to respond to customers needs and desires in a timely fashion based on real data (like from support) & customer feedback. Office 2008 for Mac 'Help Viewer' is integrated into Entourage 2008 as well and provides assistance to its users which is consistent with the help provided for other applications in Office for Mac suite. It also offers 'Online Courses' & 'Quick Walk-Thrus' for several features in Entourage 2008.

Toolbox (screenshot)
Entourage 2008 now has Toolbox which is mainly composed of three tools, i.e. Scrapbook (was there in Entourage 2004 as well), Reference Tools & Object Palette (both are new to Entourage 2008). Reference Tools include the following tools for Entourage 2008 users: Thesaurus. Encarta Encyclopedia, Dictionary, Bilingual Dictionary, Translation & Web Search. Object Palette allows users to quickly find and insert images into your e-mail messages. It is designed to provide quick access to commonly used objects, like Shapes, Clip Art, Symbols & Photos. Users can also add photos from their iPhoto library or a folder. Read more about it over here. As a result of adding support for 'Reference Tools' in Entourage 2008, the link for 'Tools on the Web' & 'Dictionary' feature under 'Tools' menu (in Entourage 2004) have been removed.

Database Rebuild
With Entourage 2008 (using Microsoft Database Utility, see KB 268322) if you rebuild your database, you don't lose meta data, like categories, links, linked projects, flags, pictures saved with contacts & mail data cached in local database for different types of mail accounts (Exchange, IMAP, etc.).

Content Conversion Issue with Exchange & Entourage

Issue:
After you move an Entourage 2004 user's mailbox on server side using 'Move Mailbox' wizard in Exchange 2003 Server, you see performance issues on your Exchange Servers, most prominent of them is high number of disk Input/Output operations. This happens due to content conversion (MAPI to MIME) which takes place on server in real time, when those moved mailbox users access their mailbox content using Entourage.

KB Article:
This has been a known issue since long for other MIME clients like POP3 & IMAP (Microsoft Outlook is one of them) but its being exposed now more than ever by Entourage - the most popular MIME based Exchange client, which uses WebDAV (HTTP) for Exchange mailbox access. Now is a good time to read the KB article on this issue to properly familiarize yourself. I will then try to emphasize important parts in this blog.

329067 Information about performance issues that occur when you use POP3, IMAP, or WebDAV clients, such as Entourage, after you move mailboxes in Exchange Server 2003 or in Exchange 2000 Server

Details:
Let's go thru some important points and analyze them side by side.

1. Exchange server stores your mailbox content in a streaming store (.stm) file (a file to store content in MIME format) if you are an Entourage user, which is a MIME client. So let's say, John Doe got a new mailbox on an Exchange 2003 Server in his company, he is an Entourage 2004 for Mac user. He configured an Exchange account in Entourage (he specified a front-end Exchange Server name in his account settings) and connected to it, started using it for e-mail exchange with internal and external people. Exchange 2003 Server will keep all his mailbox contents in the 'stm' file.

2. Now one fine day Exchange Server Administrator decided to move John's mailbox to another database or server (as part of mailbox maintenance or planning for new server/storage, etc.). As per KB 329067 when an Entourage user's mailbox is moved on server side using 'Move Mailbox' wizard, Exchange Server performs that move by converting the content from MIME to MAPI and after that conversion the mailbox content is stored in an Exchange database (.edb) file (a file to store content in MAPI format). This is the store file format which Exchange uses by default for MAPI clients (like Microsoft Outlook 2003). This content conversion as a result of mailbox move is 'by design', i.e. that's how the 'Move Mailbox' feature was designed to work in Exchange Server. So after the move all items in John's mailbox have been converted into MAPI format.

3. John is still using Entourage 2004 and is totally unaware of the move. As he connects to a front-end server, he is not concerned about what's going on with his mailbox on back-end server. This is the beauty of connecting to a front-end. He continues to use Entourage and may see some performance lag especially when he works with his e-mails in Inbox, which has large attachments (like if John is a Graphic Designer and sends/receives large image files). This is due to the fact that every single item in John's mailbox, which went thru the 'mailbox move' operation, is now in MAPI format. And Entourage (a MIME client) does not recognize MAPI format, so Exchange Server does a content conversion 'on the fly' for Entourage and provides it a converted copy of that item in MIME format, which is later used by Entourage user. This happens on demand for a message or item when user access that in Entourage. The conversion is not persistent, so it will happen again if the same item is accessed again by Entourage user. 

4. The 'content conversion' happens on Exchange server in memory (RAM) and a temporary folder on hard drive, which results in lots of disk I/O operations. So for instance, if you moved 50 Entourage users and all of them have large items in their Inboxes, the 'content conversion' for them could cause a lot of disk I/O ops. High number of unexpected disk I/O ops can impact your server's performance. It can also muster the capability to take down your IIS Server (remember Entourage is a WebDAV client and connects to your mailbox thru OWA Virtual Directories under 'Default Website' in IIS, mainly 'Exchange' & 'Public') which is also discussed in KB 329067.

5. As a result of 'content conversion', Exchange Server Administrator noticed a sharp decrease in server performance. Main indicator will be high disk I/O ops, which can easily be caught and logged thru PerfMon (see 'Exchange Troubleshooting Assistant') or Performance Monitor Wizard. If you have Outlook/MAPI clients connecting to their mailboxes on the same server, then they may start seeing RPC delays (KB: 839862).

Recommendations:
Let's talk about some ways to address this issue on client and server side.

Client Side:
First let me clearly state that there is nothing to fix in Entourage to resolve this issue, unless we change the very nature of Entourage from being a MIME client to being a MAPI client. Still there are some steps you can take to alleviate this issue.

1. Organize your Inbox: Work to make sure you have least possible number of items in your Inbox. Both number and size of items are important here. Entourage downloads the full message along with the attachment, thus messages with attachments really matter here. They are going to cause a lot of 'content conversion' cycles on server side if you access them in your Inbox in Entourage. See if you can move them to a different folder, which you can create at the same level as Inbox under the main mailbox tree. This has been the number one reason which aggravates the 'content conversion' issue and contributes most to server performance degradation.

2. Sub-folders under Inbox: Please refrain from creating any sub-folders under Inbox. Some users keep their most important messages in sub-folders they create under Inbox or archive important messages there for easy access. If you have many messages in such sub-folders and regularly access them in Entourage, that will have almost the same effect as having lots of messages in Inbox. Reason being Entourage prioritize the synching of a folder based on your clicks and if you frequently access mail in these folders then that activity will cause Entourage to bump the sync priority of those folders, resulting in more 'content conversion' on server side. Thus Entourage can get really bogged down by all that synching of messages in Inbox and its sub-folders. Move all such sub-folders of Inbox to the root of your mailbox, at the same level as your Inbox is. Custom folders at the root of mailbox get lower priority in Entourage's built-in Sync Algorithm (keep in mind you can't modify the sync algorithm) and thus Entourage will sync them only when an item changes in those folders.

3. Organize your mailbox: Please delete the items you don't need anymore. Archive old items which you don't access anymore but may still need it. It would be better to archive them by moving to local folder set (Folders on My Computer), which will free up space in your Exchange mailbox as well. In case you want to have access to them at all times, like using Outlook Web Access while traveling then move them to a custom folder created under the main root of the mailbox.

4. Outbox & Drafts Folders: Make sure there are no messages stuck in Outbox folder, which you may have tried to send earlier and they weren't delivered due to some issue. Also make sure you don't have any large sized messages saved in Drafts folder. When you send a large size message which is larger than the allowed message size limit set on Exchange Server, then Entourage will give you a warning about that and will move the message to your Drafts folder, letting you edit that message and resend later. Sometimes users don't realize that those messages will be synched back to Drafts folder in your mailbox on Exchange Server silently in the background, that sync back and forth may also add to performance issues created by 'content conversion'.

A couple of notes as well:

a. Entourage does not re-sync all mailbox content after the mailbox move on server side. Content conversion will only happen if you will access an old message which was there in your mailbox prior to mailbox move and thus got converted from MIME to MAPI due to move on sever side.

b. All new content in Entourage, i.e. mail coming after mailbox move will be in MIME format, thus there will be no content conversion when you access that mail in Entourage. This is the main reason why adverse effects of 'content conversion' issue on server's performance subside after some time.

Server Side:
Please refer to KB 329067 for all server side recommendations, I recently edited that article to make sure it's up to date with correct information. Some main points to consider are:

1. IIS on front-end (or back-end) server may also go down due to 'content conversion' issue. All connections from Entourage clients to Exchange Server go thru IIS as mentioned above.

2. The Reg Key helps IIS maintain its memory better and sustain the communication pipe between Entourage clients and Exchange Server.

3. We have seen better results with higher values for this Reg Key, like 500 to 800 MB mostly, in some cases maximum value of 1 GB helped us bring the situation under control. It all depends on how your environment is setup, number of servers and clients.

4. Always set proper mailbox and message size limits on Exchange Server for your users. There is a higher probability that this issue will hit you more and in worst shape if you don't have such limits in place.

5. When the issue subsides after some time, please reset the Reg Key value to 128 MB (default) or you can simply remove it.

6. For 'Disk Storage Planning and Recommendations', please review this article on TechNet. It's written mainly for Exchange 2007 but will be helpful for all versions of Exchange and is particularly helpful in realizing the utilization of disk resources by 'content conversion' process.

Can This Issue Be Totally Avoided?
Yes, it can be totally avoided. I worked with my peers in Exchange Admin Support Team and one of them came up with this procedure. You will need 2 servers to work on this, one is the current mailbox server (Server1) where mailboxes of your Entourage users are located currently, other is the new or existing server (Server2) to which you will move mailboxes of your Entourage users. This procedure is not meant for the scenario where you are moving mailboxes from one database to other on the same server.

I hope this information will be helpful for all the Exchange Server Administrators out there who have Entourage users in their organization. Feel free to post comments and ask questions if something is not clear here. Cheers!

DST 2007 Changes & Entourage 2004 for Mac

I know a lot of users out there use Entourage 2004 as an Exchange Client and are thus concerned about upcoming DST Changes in March 2007. They want to know how Entourage will handle that change and what do they or their Exchange Server Administrators need to do. Here are some important points I wanted to share in this regard.

1. Earlier in 2006 Apple made changes in its Mac OS X (in 10.4.6 Update, look under 'Other' section) so that Mac OS X is aware of new DST 2007 changes.

2. Entourage 2004 at that time wasn't updated/aware of those changes, thus users were seeing the issue as described in KB: