Archive for the ‘Exchange 2007’ Category

Why you can no longer just have one SSL certificate with all the servernames included.

Internal server names in publically recognized SSL certificates are about to become just as extinct as Sharks in Chinese waters.

The CA / Browser forum has decided to implement changes to SSL requirements, that will phase out all use of internal server names in public SSL certificates. The CA / Browser forum includes all the major certificate authorities and browser developers, so the change will be forced upon everyone.

The negative impact

It especially hits small to medium businesses with just a few servers. I.e. Exchange, Lync and Small Business Server, where a single SAN certificate including both public and internal server names, will save them both time and resources otherwise needed for reconfiguration, internal PKI solutions and/or reverse proxy and similar systems to allow usage of a separate internal and external SSL certificate on a single website/service.

Exchange 2010 will by default use a single website and configure it self to use its internal FQDN i.e. exchangeserver01.fairssl.local and external FQDN i.e. webmail.fairssl.dk for this one website/SSL certificate. The change will require a change in configuration or systems surrounding the Exchange 2010 environment to continue working without both names in one SSL certificate.

SBS 2011 on the other hand has received the functionality to use split DNS to use the external server name both internally and externally, this not much mentioned change may have something to do with Microsoft being on the CA / Browser forum board, so they would have known about this change for a while.

Larger companies typically have more resources and will have an easier time separating internal and external SSL certificates, without having to buy new solutions like Forefront TMG, SSL offloaders, Internal PKI, etc. But my guess is still that a large number of them will still need to change some configuration to avoid problems with internal server names.

Why?

The reasoning behind this phase out is to secure against Man-in-The-Middle (MTM) attacks, where it is possible to pretend to be an internal server via a publicly recognized SSL certificate. Even thou it is a highly unlikely way to attack most systems, the theoretical possibility is enough to spark the change. I just wish they had been a little more giving on the deadlines.

My personal recommendation to my customers with SSL certificates containing internal server names Read the rest of this entry »

How to get Outlook 2007 to save sent e-mail from a shared mailbox in the shared mailbox, and not pay for it!

What company with more than well.. 2 employees do not need a shared mailbox? well almost all the ones I know use some system to share a company general e-mail address and mailbox, this could be info@sole.dk, spamtrap@sole.dk or support@sole.dk and so on.

One of the pains of shared mailboxes has always been to get the Sent e-mail to actually land in the SENT folder of the shared mailbox, and not the users default SENT folder.

It is actually possible to get Outlook 2007 to do this, without having to pay for 3rd party add-ons that may or may not be stable and time consuming.

So since, youre still reading and haven't jumped to another Google result, You must be wanting to know how, well it's quite simple, all we have to do is.

  • Ensure we have a specific hotfix on Outlook 2007
  • Set one little registry key

So first up the registry key, we need to add it for current user.

Shared Mailbox Registry Fix (dont forget hotfix)

Read the rest of this entry »

How to configure Exchange 2007 and ISA with FBA and NTLM, without loosing ActiveSync on the way

Basicly we are here, because we want to use Forms Based Authentication (FBA) for our Outlook Web Access (OWA) users in Exchange 2007, while still using NTLM/Kerberos authentication for Outlook Anywhere (OA), wich in turn means less entering of the users password, while still not killing our ActiveSync clients since they only run Basic authentication.

Confused? let me try and make it easier.

  • We prefer FBA for OWA, it is just more nice for the user to get a webpage to login to their OWA.
  • We prefer NTLM for OA, it gives less password prompts and well it sounds safer than basic authentication
  • We still want ActiveSync with Basic, but it fails if we use NTLM on our connection as well so we need to seperate them

ISA Rules

What is the solution? Well its rather simple, we configure our services to use the authentication as we prefer, but we need to do some configuring of public DNS, Public IP's and ISA to get all 3 authentication schemes to work at the same time. Basicly NTLM and Forms Based Authentication just does not mix. If you use FBA on a listener in ISA it will always fallback to Basic authentication if the client does not support FBA. It is not possible to use NTLM and FBA on the same ISA 2006 listener.

I have added screenshots of the important bits of the configuration in the bottom, and You should have all the required info to get it working, but You will need some basic knowledge of how to setup up Exchange 2007, ISA 2006 with Exchange 2007, etc. Read the rest of this entry »

How to install a SSL certificate backup file on Exchange 2007 and still have time for facebook

The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007, is to order a SAN (Subject Alternative Name) certificate with AutoCSR meaning you dont have to create a CSR but instead get a certificate backup file (PKCS#12, P12. PFX). You also save time with the SAN because you only use one certificate for all services and can move services from one domain to another in the certificate with no problems.

Make sure you get a SAN certificate including the full domain name(s) you use to access Outlook Web Access, Outlook Anywhere, Autodiscover and any internal servernames using the certificate (usually free).

The Certificate you order should contain something like this:

  • mail.sole.dk and/or owa.sole.dk - for Outlook Web Access
  • autodiscover.sole.dk and any other e-mail domain you use with Autodiscover/OA.
  • MYSERVER01 and MyServer01.domain.local - and any other internal servername that will be using the certificate

Personally I setup servers to respond only to OWA and ActiveSync on the mail./owa. domain, and use all other services like Outlook Anywhere, etc. on the autodiscover. address, this way I can use Forms Based Authentication/Basic with my OWA/ActiveSync website, and NTLM with my other services. You can see more information about this from my previous blogs here. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyways, and might help why not add them - and if security is so much an issue that internal server names must not be revealed, you have other much bigger problems anyway.

Now some simple commands to manipulate Exchange 2007 SSL certificates. (Stolen from the danish Exchange 2007 guide on FairSSL, I co-authored the manual) Read the rest of this entry »

How to configure ISA 2006 with FBA for OWA and NTLM for Outlook Anywhere and Autodiscover in Exchange 2007

Configuration of Exchange 2007 with Outlook Web Access (OWA), Outlook Anywhere (OA), ActiveSync and Autodiscover can add grey hair to any system administrator or IT consultant. Then also trying to get different authentication schemes and ISA 2006 to play nice is not making it any easier.

Most Administrators have a wish to configure their environments used externally as securely as possible, including using SSL certificates with HTTPS instead of no encryption with HTTP, and using NTLM authentication instead of Basic authentication. But security is not everything, a userfriendly interface like Forms Based Authentication (FBA) is a must to avoid user iritation and support calls.

However getting FBA and NTLM to work together in ISA with Exchange 2007 can be quite scary, so lets go deeper and find out what we need to be aware of to get it working.

Read the rest of this entry »

How to use OWA for both Exchange 2003/2007 during migration and extra things to consider

owa2007A customer asked me if it was possible during migration from Exchange 2003 to Exchange 2007 to use Outlook Web Access for both mailbox servers, during the migration period. Medium sized companies are not able to migrate everything during a big bang migration, and needs access to both the old system and the new internally as well as externally i.e. using OWA during the migration.

Exchange 2007 has been designed with the CAS role serving the OWA website and it has been designed to work with both Exchange 2007 and Exchange 2003 mailbox servers, so out of the box it will support the customers wishes. In this case they had asked another company to make the design plans for the migration but the system administrator felt uneasy with the plan and asked me to have a look at it.

It turned out the design did not allow OWA access to both mailbox servers during the migration, due to a small oversight, an easy one to make and even easier to fix. If You are planning to or in the progress of migrating to Exchange 2007, make sure you read the following things to consider!

Read the rest of this entry »