Installing Exchange 2010 Edge Server with Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) – Part 1
I am mid-migration, in a co-existence setup with Exchange 2010, 2007 and 2003. So far the roles installed for Exchange 2010 are CAS, Hub and Mailbox on a single server. Into this mix I need to introduce an Edge Server, with message hygiene in the form of Forefront Protection for Exchange (FPE), and Threat Management Gateway (TMG) as a reverse proxy to publish OWA, ActiveSync et al.
Since Edge, FPE and TMG can now all exist on a single 64-bit server, I will start with a clean installation of Windows Server 2008 R2, up to date with all the latest hotfixes. The server itself is nothing too spectacular: for testing purposes it has 2 virtual CPUs and 2GB RAM. It does need 2 NICs, one on the internal LAN and one on the DMZ. Since the DMZ is behind a hardware firewall, an external IP address has been mapped to the server's DMZ NIC. The server is named EDGE01.
Unable to access Outlook Web Access (OWA) after installing Update Rollup 1, 2, 3 or 4 – flogon.js errors
If you’re having trouble accessing OWA after updating Exchange 2010 with any of the Rollup packages, try this:
- Uninstall the update package from the Programs and Features control panel
- Download the package file directly from Microsoft, don’t use Windows Update
- Open a command prompt or PowerShell prompt as Administrator
- Navigate to the location of the package (.msp) and run it from the elevated prompt.
Apparently when Windows Update installs the package it doesn't run it with the elevated privileges needed to write to the folder in the Exchange program files – why, I have no idea!
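The manual run described above, scripted so that the elevation check and the install log are explicit. This is an added example, not from the original post: the package path is a placeholder, and the Exchange install root is read from the `HKLM\SOFTWARE\Microsoft\ExchangeServer\v14\Setup` key (`MsiInstallPath`), which is assumed here rather than taken from the post.

```powershell
# Added example (not from the original post): install an Exchange 2010 rollup .msp
# from an elevated PowerShell session, keep a verbose log, and confirm the OWA
# script file the post mentions (flogon.js) is present afterwards.
param(
    # Placeholder name; point this at the package downloaded directly from Microsoft.
    [string]$PackagePath = 'C:\Updates\Exchange2010-Rollup-x64-en.msp'
)

# 1. Refuse to continue unless this session is actually elevated. This is the
#    difference between the Windows Update run and the manual run the post describes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This session is not elevated. Re-open PowerShell with 'Run as administrator' and try again."
}

if (-not (Test-Path -Path $PackagePath)) {
    throw "Package not found: $PackagePath"
}

# 2. Apply the patch through msiexec with a verbose log, so a failed file write shows
#    up in the log instead of as a silently half-installed rollup.
$logPath = Join-Path $env:TEMP ('{0}.log' -f (Split-Path $PackagePath -Leaf))
$msiArgs = '/update "{0}" /passive /norestart /l*v "{1}"' -f $PackagePath, $logPath
$proc    = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host "Rollup installed successfully. Log: $logPath" }
    3010    { Write-Warning "Rollup installed; a reboot is required. Log: $logPath" }
    default { throw "msiexec exited with code $($proc.ExitCode); see $logPath" }
}

# 3. Check that the OWA client script files were written. The install root comes from
#    the Exchange 2010 setup registry key (assumed location, not from the post).
$setupKey    = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup'
$installRoot = (Get-ItemProperty -Path $setupKey -Name MsiInstallPath).MsiInstallPath
$owaRoot     = Join-Path $installRoot 'ClientAccess\owa'

$flogon = Get-ChildItem -Path $owaRoot -Recurse -Filter 'flogon.js' -ErrorAction SilentlyContinue
if ($flogon) {
    $flogon | ForEach-Object {
        Write-Host ('flogon.js present: {0} (written {1:yyyy-MM-dd HH:mm})' -f $_.FullName, $_.LastWriteTime)
    }
} else {
    Write-Warning "flogon.js not found under $owaRoot; OWA may still show script errors."
}
```

The exit-code check matters more than it looks: 3010 is a success that still needs a reboot, and treating it as a failure leads people to re-run the rollup and end up in exactly the broken state the post describes.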
On Monday I took the two Exchange 2010 exams, “70-662 TS: Microsoft Exchange Server 2010, Configuring” and “70-663 PRO: Deploying Messaging Solutions with Microsoft Exchange Server 2010” and I am pleased to say that I passed both of them, scoring an 812 on the 70-662 and 960 on the 70-663. I am especially pleased with the score on the PRO exam!
Overall, there's quite a lot of overlap between the two exams, with the more heavily theory- and design-based PRO exam being a "high-level" view of the more hands-on, management- and cmdlet-based TS exam.
Study materials I used were TechNet, SAMS Microsoft Exchange Server 2010 Unleashed and a test installation. I used practice exams from MeasureUp and also spent time answering people's Exchange 2010 questions on Experts Exchange and the TechNet Forums.
Up until now, I’ve been using BlogEngine.Net as my blogging platform, and up until now I’ve been relatively happy with using it. One of the major drivers for me as a “Microsoft” person was to use something that is based on Microsoft technology – BlogEngine.Net is based (as the name suggests) on the .Net framework. I’m much happier these days writing limited amounts of C#.Net than I am with PHP.
The problem is, I seemed to be spending more time fixing the blog than writing on it. I’ve had all sorts of problems, ranging from incompatibility with my hosting provider, theme compatibility issues, random code issues and more. Email notifications seem to work, then stop, then work again. Simple things like adding reCAPTCHA support to cut down the enormous amount of comment spam have taken days of head scratching. Whether or not these issues are down to my ignorance or the software, the outcome is the same, I don’t want to be fixing my blogging software, I want it to just work!
Then there’s the search engines, and the existing web presence that I have. A major consideration for me when changing the software is the fact that a lot of my traffic comes from links that are embedded in forums and other blogs – and that search engines respond with the existing BlogEngine posts rather than the newer ones. I’ve considered this, and I think it’s worth the risk. I will leave the BE running for a while and block search engine traffic to it so that direct links in will still be valid. I’ll see where the traffic takes me – but the advantages of changing now outweigh the risks. I will look to do some sort of URL redirect if it becomes an issue.
So why move to WordPress then? It’s not based on Microsoft technology and it could potentially set me back to square one with my web presence. Quite simply, it just works. It has a massive ecosystem built up around it of plug-ins, themes and widgets. It’s mature – very mature – software that is actively developed and much more widely used than BlogEngine.Net is.
The import of the BlogML from BlogEngine was pretty pain free - the categories came in as a GUID rather than the friendly name, but that was a simple matter of updating the MySQL table using a query. I’ve decided to slim down the categories, and as such I’ve moved the existing post categories into tags (handy little plug-in that). The theme I am using is nice enough, maybe when I have some time I’ll customise it a bit further.
But, I’ve made the jump; Windows Live Writer is plugged in to WordPress and I am hoping that it all comes together nicely. Recently I’ve been studying for my MCITP: Enterprise Exchange Administrator exams which I’m taking on Monday (70-662 and 70-663), so hopefully I can push some more Exchange stuff this way.
Until then, thanks for reading!
The Microsoft Exchange Remote Connectivity Analyzer is perhaps the best tool I’ve used in a long time for troubleshooting Exchange external access – it just works! On the forums and websites I read, it doesn’t seem to get the coverage that I’d expect, so I thought I’d give it a mention.
The environment is a single AD domain with 4 sites: Site1, Site2, Site3 and Site4. In Site1, Site2 and Site3 there are 3 Exchange 2003 servers, one per site. In Site4 there is an Exchange 2007 SP2 server (CAS, Mailbox, HT). All the required connectors work as expected, and so does inter-site routing.
I introduced into the mix a 2010 Enterprise server (CAS, Mailbox, HT) to Site1 as a prelude to a full upgrade of the site to Exchange 2010. When a test mailbox from Exchange 2010 attempts to send to a mailbox in Site1 Exchange 2003, it routes via the Site4 Exchange 2007.
I’ve spent a fair bit of time today trying to sort out my iPhone sync to my Exchange Server, failing miserably. It used to work, pre-upgrade to iOS4, but for some reason fails to sync.
- iPhone fails to sync, generic timeout error (or is very slow)
- https://www.testexchangeconnectivity.com/ successfully tests the mailbox access
The server was configured as per http://support.microsoft.com/kb/817379/en-us to allow OWA/ActiveSync with SSL on OWA.
The iPhone was configured to accept the SSL certificate on the Exchange Server.
My brother Tom sent me this Apple KB (http://support.apple.com/kb/TS3398) which he’d found from the other side – Exchange servers he was managing were under very heavy load, which is another symptom of this issue.
I installed the new configuration as per the article, restarted the phone and the issue was fixed!
Requesting SCOM 2007 Gateway or Agent Certificates for Server 2008 from a Server 2003 Enterprise Certificate Authority
This is a pretty specific set of instructions for a specific environment:
- you are using Microsoft System Center Operations Manager 2007
- you have a Microsoft Certificate Services 2003 Certificate Authority on your domain
- you have non-domain Windows Server 2008 servers you wish to monitor or set up as a gateway server.
Getting a certificate for either a Gateway Server or a remotely monitored server can be a touch vexing. If you're installing on the same domain as the SCOM management server the security settings take care of themselves; not so for non-domain servers, which require mutual certificate authentication. The Gateway must trust the Domain CA and identify itself as trusted to the Management Server. I have bashed my head against this several times now, so I thought I'd make a precise blog post to cover the steps required!
In this scenario, we will have 2 servers: CA01, the Windows 2003 Certificate Authority, and Gateway01, the SCOM 2007 gateway. The certificate template for Operations Manager has been created on CA01 as per the documentation and is called "OperationsManagerCert". On Gateway01 I have copied the Gateway installer to c:\SCOM\Gateway and the SCOM Tools to c:\SCOM\Tools. SCOM01 is our SCOM collection server.
CA01: Navigate to https://ca01/certsrv and download the CA Certificate.
Gateway01: Copy the CA Certificate to the c:\SCOM folder by whatever means you have. Open mmc.exe and add the Certificates Snap-in for the local computer account. Right click the Trusted Root Certification Authorities store and Import the CA01 CA certificate.
Gateway01: Open Notepad and create a new certificate request file with the contents below. Name the file Gateway01.inf and save it in c:\SCOM
Subject="CN=<FQDN of Gateway01>"
Gateway01: Open a command prompt as administrator and navigate to c:\SCOM, use certreq.exe to generate a certificate request:
certreq -new -f Gateway01.inf Gateway01.req
Gateway01: Open Gateway01.req in notepad and copy the contents to clipboard.
CA01: Open https://ca01/certsrv and start a new advanced certificate request, create the certificate request using a base64 encoded CMC. Paste the data from Gateway01.req into the “Saved Request” box. Select your SCOM certificate template and click next. Save the response as a Base 64 encoded certificate.
Gateway01: Copy the certificate file over to c:\SCOM on Gateway01 by whatever method you have available. Open a command prompt with admin rights and accept the new certificate into the computer store with certreq.
certreq -accept Gateway01.cer
Check that the certificate has been imported into the Computer/Personal store using mmc.exe.
SCOM01: At this point you can either install your SCOM agent, or Gateway Server on Gateway01 – if you are installing the Gateway Server like me, you need to first approve the Gateway using the Gateway Approval Tool. Open a command prompt as administrator and navigate to “c:\Program Files\System Center Operations Manager 2007” or wherever your SCOM install is. Copy the Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe from Support Tools into the parent folder (it requires .dlls in that folder).
Gateway01: Run the Gateway Server installer and enter the details of the Management Server and Management Group name. When that’s finished, you need to tell SCOM which certificate to use with the MOMCertImport.exe tool located in c:\SCOM\Tools
MOMCertImport /SubjectName Gateway01.Domain.Lcl
Give it a few minutes and you should be able to see the new gateway under Management Servers in the Administration console for SCOM. Remember to right-click, properties, security and allow the server to act as a proxy if it’s reporting for other servers.
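The Gateway01 side of the procedure above, as one script. This is an added example and not the post's own code: it writes the certreq .inf, generates the request, and, once the signed .cer has been copied back from CA01, accepts it, checks that the certificate is actually usable for SCOM mutual authentication (private key present, Server and Client Authentication EKUs, issuer in Trusted Root) and only then hands it to MOMCertImport. The working folder c:\SCOM and the tools folder c:\SCOM\Tools come from the post; the .inf field values other than the Subject are standard certreq settings chosen here, not taken from the post.

```powershell
# Added example (not from the original post): request, accept and verify the SCOM
# gateway/agent certificate on Gateway01. Run with -Stage Request first, submit the
# .req on https://ca01/certsrv with the OperationsManagerCert template, copy the
# issued .cer back to C:\SCOM, then run again with -Stage Accept.
param(
    [ValidateSet('Request', 'Accept')]
    [string]$Stage = 'Request',
    [string]$WorkDir = 'C:\SCOM'          # from the post; adjust if yours differs
)

$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. gateway01.domain.lcl
$infPath = Join-Path $WorkDir "$env:COMPUTERNAME.inf"
$reqPath = Join-Path $WorkDir "$env:COMPUTERNAME.req"
$cerPath = Join-Path $WorkDir "$env:COMPUTERNAME.cer"

# EKUs SCOM expects on a gateway/agent certificate: Server and Client Authentication.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function New-GatewayRequest {
    # Subject must be the FQDN the Management Server uses to reach this host.
    # KeyUsage 0xf0 = digital signature, non-repudiation, key and data encipherment.
    # MachineKeySet=TRUE keeps the key in the computer store, where the SCOM service can use it.
    # (Values other than Subject are assumptions for this example, not from the post.)
@"
[NewRequest]
Subject="CN=$fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
[EnhancedKeyUsageExtension]
OID=$serverAuthOid
OID=$clientAuthOid
"@ | Set-Content -Path $infPath -Encoding ASCII

    & certreq.exe -new -f $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Write-Host "Request written to $reqPath; submit it on https://ca01/certsrv using the OperationsManagerCert template."
}

function Test-GatewayCertificate {
    # True only if the issued certificate sits in LocalMachine\My with its private key,
    # carries both EKUs, and was issued by a CA present in Trusted Root (the imported CA01 cert).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate for CN=$fqdn with a private key in LocalMachine\My"; return $false }

    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if (-not (($ekus -contains $serverAuthOid) -and ($ekus -contains $clientAuthOid))) {
        Write-Warning "Certificate lacks Server and/or Client Authentication EKU (has: $($ekus -join ', '))"; return $false
    }

    $issuerTrusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
    if (-not $issuerTrusted) { Write-Warning "Issuer '$($cert.Issuer)' is not in Trusted Root Certification Authorities"; return $false }
    return $true
}

function Install-GatewayCertificate {
    if (-not (Test-Path $cerPath)) { throw "Copy the issued certificate from CA01 to $cerPath first" }
    & certreq.exe -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    if (-not (Test-GatewayCertificate)) { throw "Certificate check failed; fix the template or the CA trust before running MOMCertImport" }
    & (Join-Path $WorkDir 'Tools\MOMCertImport.exe') /SubjectName $fqdn
}

switch ($Stage) {
    'Request' { New-GatewayRequest }
    'Accept'  { Install-GatewayCertificate }
}
```

The check before MOMCertImport is the part worth keeping even if you do the rest by hand: a certificate issued from the wrong template (missing an EKU) or a missing root import both fail silently at the SCOM end, showing up only as a gateway that never turns green in the console.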
I use the same procedure to install Agents in my DMZ that don’t have access to the certificate services – likewise our production web servers isolated in their hosting environment.
I hope this helps you, I know this is an article that I will be referring back to time and time again!
Exchange 2010 “New Local Move Request” and “New Remote Move Request” missing when you right-click a user’s MailBox
I'm currently testing an Exchange 2010 server for the organisation prior to a migration project, specifically testing moving mailboxes backwards and forwards. Something that confused me slightly for a few minutes was this: if there is an existing Move Request (pending, in progress, failed or completed) you will not see the "New Local Move Request" or "New Remote Move Request" options.
Fortunately this is very simple to counter – simply clear the old "Move Request" and the options will be back in the Mailbox options.
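The same clean-up from the Exchange Management Shell, as an added example that is not part of the original post. It uses the standard Get-MoveRequest, Get-MoveRequestStatistics and Remove-MoveRequest cmdlets; the mailbox identity is a placeholder. The point it adds to the post is the guard: only finished requests are cleared, because removing a request that is still in progress aborts the move rather than just tidying up.

```powershell
# Added example (not from the original post): clear a mailbox's lingering move request
# so the "New Local/Remote Move Request" options reappear in the EMC. Run from the
# Exchange Management Shell. Only Completed/CompletedWithWarning/Failed requests are
# removed; in-progress or suspended moves are left alone.
function Clear-FinishedMoveRequest {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity     # e.g. 'someone@domain.lcl' (placeholder)
    )

    $request = Get-MoveRequest -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $request) {
        Write-Host "No move request exists for $Identity; the New Move Request options should already be available."
        return
    }

    # Show what the request did before it disappears; the Message field is what you
    # want to keep when the status is Failed.
    Get-MoveRequestStatistics -Identity $Identity |
        Format-List Status, StatusDetail, TotalMailboxSize, PercentComplete, FailureType, Message

    $finished = @('Completed', 'CompletedWithWarning', 'Failed')
    if ($finished -contains [string]$request.Status) {
        Remove-MoveRequest -Identity $Identity -Confirm:$false
        Write-Host "Removed $($request.Status) move request for $Identity."
    } else {
        Write-Warning ("Move request for {0} is {1}; not removing it. Let it finish, or Suspend-MoveRequest first if you really want it gone." -f $Identity, $request.Status)
    }
}

# Organisation-wide variant: clear only the requests that have already completed.
function Clear-AllCompletedMoveRequests {
    Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
}
```

Usage: `Clear-FinishedMoveRequest -Identity 'someone@domain.lcl'` for a single mailbox, or `Clear-AllCompletedMoveRequests` after a migration batch has finished.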
Shhhh, don't tell the spam-bots, but after a blissful month of having broken the comments system and not having enough time to fix it, I've finally got round to doing it! Comments will now work without errors - and the spam-bots should have a hard time getting past reCaptcha too!
At some point I'll update to 1.6.1, but for now, I'm glad it's working again!