It took more than 2 weeks to finish migrating Exchange 2003 to 2010, and I was eager to set up the hot features of Exchange 2010 to show off to everyone near and far. One of them is Online Archive. No more pst files, awesome...haha.
Even though I had to grit my teeth and order additional Enterprise CALs, this feature is well worth the money. Created a separate mailbox DB, enabled online archive, went into OWA to test it, NOKIA..:-)...had a cup of coffee to wake up before preparing the documentation and the email for the users, and then..... discovered it had never appeared in my Outlook 2010, the Office 2010 Std suite implemented just a few months ago....hmm
Digging through licensing websites, I was floored to learn that this feature only appears when using the Pro Plus edition of Office 2010, which is only available through Volume Licensing, or else you have to use OEM or retail Outlook...:-(.
Good grief, this really is a Bill Gates style scam, even though ....Bill retired long ago.
If you're someone who uses pirated software then there's nothing to say, but when you're the classy type who actually paid for the branded goods :-) and still gets cheated, it hurts worse than a kick from a cow :-(. No wonder people so often resort to cracks...
Bill's licensing policy is already more than complicated enough, and yet they still deliberately cheat their own customers...speechless...
23 Oct 2011
18 Oct 2011
Exchange 2010 mailboxes can not send to 2003 mailboxes
PROBLEM
Now we installed a new Exchange 2010 server in the same domain as the Exchange 2003 server and installed the CAS, Mailbox and Hub roles. Next we are about to move 70 mailboxes to the new Exchange 2010 server. Everything looks fine: users with mailboxes on the Exchange 2003 server can send mail to users on the Exchange 2010 server. But the users with mailboxes on the Exchange 2010 server can't send mail to mailboxes on Exchange 2003. These messages stay in the 'SmtpRelayToTiRg' queue with the error: 451 4.4.0 Primary Target IP address responded with: "451 5.7.3 Cannot Achieve Exchange Server authentication"
~~~~~
SOLUTION 1
I installed a Windows 2007 Exchange server into my 2003 environment this week. All went well apart from the fact that mail sent from the 2007 test mailboxes ended up in a queue called smtprelaytotirg. The error message given was 451 4.4.0 Primary Target IP Address Responded with (501 5.5.4 Auth Command Cancelled).
This queue is basically where 2007 is failing to deliver because it can’t route correctly.
The resolution in this case for me was easy. All the connectors were in place as they should be, but the transport for SMTP on the original master 2003 Exchange server had limited access to certain IP addresses.
I added the IP address for the new Exchange 2007 server and bang, 20 mins later the queue is empty.
Just a minor hurdle :) Oh, the other one to watch out for is making sure it can resolve the SMTP server either by IP or by FQDN; it'll fail on NetBIOS or just a single name. Anyone still relying on WINS needs to be shot in the face with a screwdriver.
~~~~~
SOLUTION 2
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1087732&SiteID=17
Integrated Windows Authentication was not turned on, on my Default SMTP Virtual Server.....WORKED FOR ME
~~~~
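An added triage script for the symptom above, not part of the quoted forum posts: it lists the SmtpRelayToTiRg queue with the last SMTP error from the Exchange 2010 Management Shell, checks that the routing group connector's target servers resolve in DNS (the single-name pitfall from Solution 1), and, in a part to be run on the Exchange 2003 server, reads the Default SMTP Virtual Server's AuthFlags to confirm Integrated Windows Authentication is on (Solution 2). It assumes PowerShell is available on the 2003 server and that the default SMTP virtual server is metabase instance 1.

```powershell
# Added example, not from the quoted forum posts: triage the stuck legacy-relay
# queue from the Exchange 2010 Management Shell. The queue type and error text
# come from the post; server names are whatever your environment returns.

# 1. Legacy-relay queues and the last SMTP error the 2003 server returned.
Get-Queue -Filter "DeliveryType -eq 'SmtpRelayToTiRg'" |
    Format-List Identity, Status, MessageCount, NextHopDomain, LastError

# 2. The routing group connector(s) carrying 2010 <-> 2003 mail, and whether each
#    target transport server resolves in DNS (a NetBIOS-only name will fail here).
foreach ($rgc in Get-RoutingGroupConnector) {
    "Connector '$($rgc.Name)' cost=$($rgc.Cost)"
    foreach ($server in $rgc.TargetTransportServers) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($server.Name) |
                ForEach-Object { $_.IPAddressToString }
            "  $($server.Name) -> $($addrs -join ', ')"
        } catch {
            "  $($server.Name) -> DNS lookup FAILED: $($_.Exception.Message)"
        }
    }
}

# 3. Run this part on the Exchange 2003 server (PowerShell installed there is
#    assumed): does the Default SMTP Virtual Server, metabase instance 1, allow
#    Integrated Windows Authentication? AuthFlags is a bitmask:
#    1 = Anonymous, 2 = Basic, 4 = Integrated Windows authentication.
$smtpVs    = [ADSI]'IIS://localhost/SMTPSVC/1'
$authFlags = [int]$smtpVs.Get('AuthFlags')
if ($authFlags -band 4) {
    "IWA enabled on Default SMTP Virtual Server (AuthFlags=$authFlags)"
} else {
    "IWA NOT enabled (AuthFlags=$authFlags): Exchange Server authentication from 2010 will fail"
}
```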
Unable to assign "Send As" rights to Organization Units in Microsoft Exchange Server 2010
http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB21225
Configuring the Microsoft Exchange Server 2010 permissions for the administrator account fails with insufficient permissions for the Users container, or any Organization Unit, even when logged in as a domain administrator. Assigning Send As rights to specific users, or groups, works successfully.
PowerShell Command: Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=example,DC=com"
Active Directory operation failed on example.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
~~~~~~~
BlackBerry offers an alternative to running that PowerShell command:
1. Open Active Directory Users and Computers.
2. Select the View menu and ensure Advanced Features is checked.
3. Right-click the Domain Name or Organizational Unit where Send As permissions are needed and select Properties.
4. Click the Security tab.
5. Click Advanced at the bottom on the Security tab.
6. Select Add and enter your Blackberry Service Account name (for example, BESadmin) and select OK.
7. When the permissions screen appears, change Apply onto: to User Objects (or Descendant User Objects on Microsoft Windows Server 2008).
8. In the permissions box, scroll down and check the Allow box beside Send As and press OK.
9. Press Apply and OK to exit.
it worked for me...
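An added verification, not part of the BlackBerry article or this post: after granting Send As through the ADUC steps above, read the resulting ACE back with Get-ADPermission and confirm it is scoped to descendant user objects only, then list every other principal holding Send As on the same container. The container and account are the page's own example values (CN=Users,DC=example,DC=com and BESAdmin).

```powershell
# Added example, not from the BlackBerry article: confirm the Send As ACE the
# ADUC steps created, and who else holds that right on the container. The
# container DN and service account are the example values used on this page.
$container = 'CN=Users,DC=example,DC=com'
$account   = 'BESAdmin'

$sendAs = Get-ADPermission -Identity $container -User $account |
    Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny }

if (-not $sendAs) {
    "No Send-As ACE for $account on $container"
} else {
    $sendAs | Format-Table -AutoSize User, IsInherited, InheritanceType, InheritedObjectType

    # A correctly scoped ACE shows InheritanceType Descendents and
    # InheritedObjectType User. An ACE with no inherited object type applies
    # to every descendant object, which is more than the service account needs.
    $tooBroad = $sendAs | Where-Object { -not $_.InheritedObjectType }
    if ($tooBroad) { "WARNING: Send-As for $account is not restricted to user objects" }
}

# Send As lets the holder send mail as any user beneath the container, so review
# everyone who holds it there, not just the account you just added.
Get-ADPermission -Identity $container |
    Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny } |
    Select-Object User, IsInherited, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```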
~~~~~~~~
17 Oct 2011
Adjusting Exchange 2003 mail flow settings for Exchange 2010
When bringing an Exchange 2010 server into an existing Exchange 2003 environment, you can't initially send and receive Internet mail via the hub transport server. This is because Microsoft recommends that you place an edge transport server between the Internet and your back-end Exchange server.
An edge transport server is actually a hardened Exchange server that sits on the network perimeter. It maintains message hygiene as SMTP mail flows in and out of an Exchange organization. The edge transport server also shields back-end Exchange servers from direct Internet exposure.
Using an edge transport server is a good idea, but it's not a requirement. Given the current economic climate, I expect that a lot of organizations implementing Exchange 2010 will initially forgo the edge transport server to save money. If you decide to do this, you'll have to configure your hub transport server to send and receive Internet mail.
Note: If you decide not to use an edge transport server, I recommend that you place your mailbox server role on a different Exchange Server, if possible.
To prepare your hub transport server to send and receive Internet mail, create a send connector. The send connector allows the hub transport server to send mail directly to the Internet.
To create a send connector, follow these four steps:
- Open the Exchange Management Console and navigate to Organization Configuration -> Hub Transport.
- Go to the Actions pane and click on the New Send Connector link.
- When the New Send Connector Wizard opens, set the connector's use to Internet.
- Click Next and set the address to *.
Exchange Server 2010 also uses a default receive connector to receive Internet mail. The hub transport server expects to receive mail from an edge transport server, not directly from the Internet. Because of this, the receive connector is configured to block all unauthenticated inbound SMTP traffic.
Since most Internet mail is not authenticated, you must configure the receive connector to allow anonymous SMTP connections. To do so:
- Open the Exchange Management Console and navigate to Server Configuration -> Hub Transport Server.
- Right-click on the receive connector and select Properties. Windows will display the receive connector's properties sheet.
- Go to the Permission Groups tab and select the Anonymous Users check box.
- Click OK.
Typically, the MX record for your domain will point to a firewall, which will reroute inbound SMTP traffic to an internal server. Therefore, you must reconfigure the firewall port forwarding to send SMTP traffic to the edge transport server or to the newly configured hub transport server.
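The two connector procedures above as Exchange Management Shell commands, added here and not part of the TechTarget article, followed by the check that matters once Anonymous Users is enabled on a hub transport facing the Internet: anonymous must not hold ms-Exch-SMTP-Accept-Any-Recipient, or the server relays for anyone. The server name HUB01 and the connector name 'Internet' are assumed placeholders.

```powershell
# Added example, not from the TechTarget article: create the send connector,
# add Anonymous Users to the default receive connector, then verify the hub
# transport has not become an open relay. HUB01 is an assumed server name.
$hub = 'HUB01'

# Send connector for Internet use: address space * routes every domain, and
# DNS routing lets the hub transport deliver directly using MX lookups.
New-SendConnector -Name 'Internet' -Usage Internet -AddressSpaces 'SMTP:*;1' `
    -DnsRoutingEnabled $true -SourceTransportServers $hub

# Receive connector: add Anonymous Users to the existing permission groups rather
# than replacing them, so Exchange-to-Exchange authentication keeps working.
$rc     = Get-ReceiveConnector "$hub\Default $hub"
$groups = (("$($rc.PermissionGroups)" -split ',\s*') + 'AnonymousUsers') | Sort-Object -Unique
Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups ($groups -join ',')

# Open-relay check. Anonymous normally holds Submit and Accept-Any-Sender; it must
# NOT hold ms-Exch-SMTP-Accept-Any-Recipient, which would let the Internet relay
# through this server to any external address.
Get-ReceiveConnector -Server $hub | ForEach-Object {
    $relay = Get-ADPermission -Identity $_.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' -and -not $_.Deny }
    if ($relay) { "OPEN RELAY RISK: $($_.Identity) allows anonymous relay" }
    else        { "OK: $($_.Identity) does not relay for anonymous senders" }
}
```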
Converting recipient policies to Exchange 2010 email address policies
Most Exchange organizations' internal domain names are different from their external domain names. For example, my primary external domain name is brienposey.com, but my Exchange servers reside on an internal domain named production.com. In this case, you must use recipient policies to define the appropriate external email addresses for your users.
Microsoft has replaced recipient policies with email address policies in Exchange Server 2007 and Exchange 2010. This means that when migrating from Exchange 2003, you'll need to convert your recipient policies into email address policies.
Doing so is quite simple. Open the Exchange Management Shell and enter the following command:
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludeRecipients AllRecipients
This EMS command compiles a list of all mailboxes that use a legacy recipient policy. The command then converts the recipient policy into an email address policy.
http://searchexchange.techtarget.com/Adjusting-Exchange-2003-mail-flow-settings-for-Exchange-2010
16 Oct 2011
14 Oct 2011
RoutingGroup cmd
New-RoutingGroupConnector -Name "RGC 2003-2010" -SourceTransportServers "exchange2010FQDN" -TargetTransportServers "Exchange2003FQDN" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
6 Oct 2011
Configuring Pass-through Disks in Hyper-V
Jeff Hughes
http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
A question the CORE Team gets asked frequently deals with configuring Hyper-V Guest with Pass-through disks. In this blog I will cover this topic.
Pass-through Disk Configuration
Hyper-V allows virtual machines to access storage mapped directly to the Hyper-V server without requiring the volume be configured. The storage can either be a physical disk internal to the Hyper-V server or it can be a Storage Area Network (SAN) Logical Unit (LUN) mapped to the Hyper-V server. To ensure the Guest has exclusive access to the storage, it must be placed in an Offline state from the Hyper-V server perspective. Additionally, this raw piece of storage is not limited in size so, hypothetically, it can be a multi-terabyte LUN.
After storage is mapped to the Hyper-V server, it will appear as a raw volume and will be in an Offline state (depending on the SAN Policy (Figure 1-1)) as seen in Figure 1.
Figure 1: Raw disk is Offline
Figure 1-1 SAN Mode determination using diskpart.exe
I stated earlier that a disk must be Offline from the Hyper-V servers' perspective in order for the Guest to have exclusive access. However, a raw volume must first be initialized before it can be used. To accomplish this in the Disk Management interface, the disk must first be brought Online. Once Online, the disk will show as being Not Initialized (Figure 2).
Figure 2: Disk is Online but Not Initialized
Right-click on the disk and select Initialize Disk (Figure 3).
Figure 3: Initialize the disk
Select either an MBR or GPT partition type (Figure 4).
Figure 4: Selecting a partition type
Once a disk is initialized, it can once again be placed in an Offline state. If the disk is not in an Offline state, it will not be available for selection when configuring the Guest's storage.
In order to configure a Pass-through disk in a Guest, you must select Attach a virtual disk later in the New Virtual Machine Wizard (Figure 5).
Figure 5: Choosing to attach a virtual disk later
If the Pass-through disk will be used to boot the operating system, it must be attached to an IDE Controller. Data disks can take advantage of SCSI controllers. In Figure 6, a Pass-through disk is attached to IDE Controller 0.
Figure 6: Attaching a pass-through disk to an IDE Controller
Note: If the disk does not appear in the drop down list, ensure the disk is Offline in the Disk Management interface (In Server CORE, use the diskpart.exe CLI).
Once the Pass-through disk is configured, the Guest can be started and data can be placed on the drive. If an operating system will be installed, the installation process will properly prepare the disk. If the disk will be used for data storage, it must be prepared in the Guest operating system before data can be placed on it.
If a Pass-through disk, being used to support an operating system installation, is brought Online before the Guest is started, the Guest will fail to start. When using Pass-through disks to support an operating system installation, provisions must be made for storing the Guest configuration file in an alternate location. This is because the entire Pass-through disk is consumed by the operating system installation. An example would be to locate the configuration file on another internal drive in the Hyper-V server itself. Or, if it is a cluster, the configuration file can be hosted on a separate cluster providing highly available file services. Be aware that Pass-through disks cannot be dynamically expanded. Additionally, when using Pass-through disks, you lose the capability to take snapshots, and finally, you cannot use differencing disks with Pass-through disks.
Note: When using Pass-through disks in a Windows Server 2008 Failover Cluster, you must have the update documented in KB951308: Increased functionality and virtual machine control in the Windows Server 2008 Failover Cluster Management console for the Hyper-V role installed on all nodes in the cluster.
This completes our discussion. I hope you will find this information useful and share it with your colleagues.
Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
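The disk preparation the article performs in Disk Management (check the SAN policy, bring the raw disk Online, initialize it, return it to Offline), as diskpart scripts driven from PowerShell for the Server Core case mentioned in the note above. This is an added example, not from the askcore article; disk number 1 and a GPT partition style are assumptions, so confirm the number in the 'list disk' output before running the second step.

```powershell
# Added example, not from the askcore article: prepare a pass-through disk with
# diskpart (the Server Core route). Disk 1 and GPT are assumptions; verify the
# disk number from the first script's output before running the second.
$diskNumber = 1

# Step 1 (read-only): show the SAN policy from Figure 1-1 and the disk list.
@'
san
list disk
'@ | Set-Content -Path "$env:TEMP\show-disks.txt" -Encoding ASCII
diskpart /s "$env:TEMP\show-disks.txt"

# Step 2: bring the raw disk Online, initialize it as GPT ('convert gpt' only
# succeeds on an empty disk, so it cannot wipe an in-use volume), then set it
# Offline again so it is selectable for the guest and the host cannot mount it.
@"
select disk $diskNumber
attributes disk clear readonly
online disk
convert gpt
offline disk
"@ | Set-Content -Path "$env:TEMP\prep-disk.txt" -Encoding ASCII
diskpart /s "$env:TEMP\prep-disk.txt"

# Step 3: confirm the disk now reports Offline before attaching it in Hyper-V.
"select disk $diskNumber`r`ndetail disk" |
    Set-Content -Path "$env:TEMP\detail-disk.txt" -Encoding ASCII
diskpart /s "$env:TEMP\detail-disk.txt"
```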
28 Sept 2011
XP Screen saver has no settings option
1) Open the Registry Editor: Start menu > Run > enter "regedit"
2) Go to "HKEY_CURRENT_USER\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\CONTROL PANEL\DESKTOP" (or use Ctrl + F to find it). Values under this Policies branch are the ones Group Policy writes, which is why the Settings option is missing from the Display properties.
3) Double-click each of the following values and change its "Value data":
ScreenSaveActive --> whether a screensaver is applied
ScreenSaveTimeOut --> idle time in seconds before the screensaver activates
9 Jun 2011
Problems with "File Association" in Windows 7 64-bit
Symptom: + Associate program with file extension does not work. Program selected does not appear in the Open With window.
+ Default Program also does not work or it ignores all changes.
Problem: The program that you're pointing to isn't registered correctly.
~~~~~~~~~~~~~~
Solution:
In regedit: Navigate to Computer\HKEY_CLASSES_ROOT\Applications and find your .exe name.
Navigate under its name to shell>open>command. In the Default change its location to the actual location of the executable, hit okay and then try and reassociate the file type as you normally would.
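An added check for the misregistration described above, not part of the Microsoft Answers thread: it reads the (Default) value under HKCR\Applications\<exe>\shell\open\command for a given program, extracts the executable path and reports whether that file actually exists. notepad.exe is an assumed sample name; pass the .exe you are troubleshooting.

```powershell
# Added example, not from the Microsoft Answers thread: verify that the command
# registered under HKCR\Applications for a program points at an executable that
# exists on disk. notepad.exe is only an assumed sample name.
param([string]$ExeName = 'notepad.exe')

function Test-RegisteredOpenCommand {
    param([string]$ExeName)
    $key = "Registry::HKEY_CLASSES_ROOT\Applications\$ExeName\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{
            ExeName = $ExeName; Command = $null; Path = $null; Exists = $false
            Note    = 'No registration under HKCR\Applications for this program'
        }
    }
    $command = (Get-ItemProperty -LiteralPath $key).'(default)'

    # The value is either "C:\path\app.exe" "%1" or C:\path\app.exe "%1":
    # take the first quoted token, otherwise the first whitespace-delimited one.
    if ($command -match '^\s*"([^"]+)"') { $exePath = $matches[1] }
    else                                 { $exePath = ($command -split '\s+')[0] }
    $exePath = [Environment]::ExpandEnvironmentVariables($exePath)
    $exists  = Test-Path -LiteralPath $exePath -PathType Leaf

    [pscustomobject]@{
        ExeName = $ExeName
        Command = $command
        Path    = $exePath
        Exists  = $exists
        Note    = $(if ($exists) { 'OK: registered path exists' }
                    else { 'Registered path does not exist: correct (Default) to the real location' })
    }
}

Test-RegisteredOpenCommand -ExeName $ExeName | Format-List
```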
~~~~~~~~~~~~~~
http://answers.microsoft.com/en-us/windows/forum/windows_7-files/problems-with-file-association-in-windows-7-64-bit/8a84fcec-22df-4942-8e35-d98dbe96e327
5 Apr 2011
SSL Enabling OWA 2003 using your own Certificate Authority
1. Configuring the CA
2. Creating Certificate Request
3. Getting the Pending Request accepted by our CA
4. Appending the Certificate to the Default Website
5. Enable SSL on the Default Website
6. Testing our SSL enabled Default Website
1. Configuring the Certificate Authority
The first thing to do is to decide which server should hold the Certificate Authority (CA) role; it could be any server as long as it's at least a member server. If you have a single box setup, such as a Small Business Server (SBS), the decision shouldn't be very hard.
Note: In order to add the Certificate Service Web Enrollment component (a subcomponent of the CA), which we're going to use in this article, the server needs to be running IIS, so if you haven't already done so, install IIS before continuing with this article. If you plan on installing the CA component on the Exchange server itself, then there's nothing to worry about, because as you know, Exchange 2003 relies heavily on IIS, which means it's already installed.
To install the CA component, do the following:
- Click Start > Control Panel > Add or Remove Programs
- Select Add/Remove Windows Components
- Put a checkmark in Certificate Services
We now have to select what type of CA to use, choose Enterprise root CA and click Next
In the following screen we have to fill out the Common name for our CA, which in this article is mail.testdomain.com. Leave the other fields untouched and click Next >
We now have the option of specifying an alternate location for the certificate database, database log, and configuration information. In this article we will use the defaults, which in most cases should be just fine.
Now click Next >
The Certificate Service component will be installed, when it’s completed, click Finish
2. Creating the Certificate Request
Now that we have installed the Certificate Services component, it's time to create the Certificate Request for our Default Website. We should therefore do the following:
- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Expand Websites > Right-click Default Website then select Properties
- Now hit the Directory Security tab
- Under Secure Communications click Server Certificate…
As we’re going to create a new certificate, leave the first option selected and click Next >
Because we’re using our own CA, select Prepare the request now, but send it later, then click Next >
Type a descriptive name for the Certificate and click Next >
We now need to enter our organization name and the organizational unit (which should be pretty self-explanatory), then click Next >
In the next screen we need to pay extra attention, as the common name reflects the external FQDN (Fully Qualified Domain Name), to spell it out, this is the address external users have to type in their browsers in order to access OWA from the Internet.
Note: As many (especially small to midsized) companies don't publish their Exchange servers directly to the Internet, but instead run the Exchange server on a private IP address, they let their ISPs handle their external DNS settings. In most cases the ISP creates a so-called A record named mail.domain.com pointing to the company's public IP address, and the company's firewall then forwards the appropriate port (443) to the Exchange server's internal IP address.
When you have entered a Common Name click Next >
Now it’s time to specify the Country/Region, State/Province and City/locality, this shouldn’t need any further explanation, when you have filled out each field, click Next >
In the below screen we have to enter the name of the certificate request we’re creating, the default is just fine, click Next >
In this screen we can see all the information we filled in during the previous IIS Certificate Wizard screens, if you should have made a mistake, this is your last chance to correct it. If everything looks fine click Next >
And finally we can click Finish.
3. Getting the Pending Request accepted by our Certificate Authority
Now that we have a pending Certificate Request, we need to have it accepted by our CA, which is done the following way:
- On the server open Internet Explorer
- Type http://server/certsrv
Now that you’re welcomed by the Certificate Services, select Request a Certificate
Click advanced certificate request
Under Advanced Certificate Request click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Now we need to insert the content of the certreq.txt file we created earlier, you can do this by clicking the Browse for a file to insert or by opening the certreq.txt file in notepad, then copy/paste the content as shown in the screen below, then click Submit >
Now select Base 64 encoded then click Download certificate
Click Save
Choose to save the certnew.cer on the C: drive > then click Save
Close the Microsoft Certificate Services IE window.
4. Appending the Certificate to the Default Website
Okay, it's time to append the approved Certificate to our Default Website. To accomplish this we need to do the following:
- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Expand Websites > Right-click Default Website then select Properties
- Now select the Directory Security tab
- Under Secure Communications click Server Certificate… > then Next
Select Process the pending request and install the certificate > click Next >
Unless you have any specific requirements to what port SSL should run at, leave the default (443) untouched, then click Next >
You will now see a summary of the Certificate, again if you should have made any mistakes during the previous wizard screens, this is the final chance to correct them, otherwise just click Next >
The Certificate has now been successfully installed and you can click Finish
5. Enabling SSL on the Default Website
We have now appended the Certificate to our Default Website, but before the data transmitted between the clients and the server is encrypted, we need to click the Edit… button under Secure Communications. Here we should put a checkmark in Require Secure Channel (SSL) and Require 128-bit encryption just like below:
Now click OK.
6. Testing our SSL enabled Default Website
Now that we have gone through all the configuration steps necessary to enable SSL on our Default Website, it's time to test if our configuration actually works.
From the server (or a client) open Internet Explorer, then type:
http://exchange_server/exchange
You should get a screen similar to the one shown below:
This is absolutely fine, as we shouldn't be allowed to access the Default Website (or any virtual folders below it) through an insecure connection. Instead we should make a secure connection, which is done by typing https, therefore type the URL below instead:
https://exchange_server/exchange
The following box should appear:
Note: You may have noticed the yellow warning sign, this informs us The name on the security certificate is invalid or does not match the name of the site. Don’t worry there’s nothing wrong with this, the reason why it appears is because we aren’t accessing OWA through the common name, which we specified when the certificate was created. When you access OWA from an external client through mail.testdomain.com/exchange, this warning will disappear.
Click Yes
You will now be prompted for a valid username/password in order to enter your mailbox, for testing purposes just use the administrator account, like shown below:
Now click OK
We should now see the Administrator mailbox.
Notice the yellow padlock in the lower right corner, a locked padlock indicates a secure connection, which means OWA now uses SSL.
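An added check, not part of the msexchange.org article, that reports what the OWA site's certificate actually says versus the name you typed: the common name and any Subject Alternative Names (the mismatch behind the yellow warning above), the expiry date, whether the certificate chains to a CA this client trusts (an internal CA must be distributed to clients for that), and the negotiated protocol and cipher strength. The host name mail.testdomain.com is the article's example and is an assumed placeholder here.

```powershell
# Added example, not from the msexchange.org article: connect to the OWA site over
# TLS and report certificate name, validity, chain trust and cipher strength.
# mail.testdomain.com is the article's example name, used here as a placeholder.
param([string]$HostName = 'mail.testdomain.com', [int]$Port = 443)

function Get-OwaCertificateReport {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; the real checks follow.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate

        # Names the certificate is valid for: the CN plus any Subject Alternative Names.
        $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        # Does the issuing CA chain to a root this machine trusts? With a private CA
        # this is false until the CA certificate is installed on the client.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            RequestedHost   = $HostName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            CommonName      = $cn
            SubjectAltNames = ($san -join ' ')
            NotAfter        = $cert.NotAfter
            NameMatches     = ($cn -eq $HostName) -or (($san -join ' ') -match [regex]::Escape($HostName))
            ChainTrusted    = $chainOk
            ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Protocol        = $ssl.SslProtocol
            CipherStrength  = $ssl.CipherStrength
        }
    } finally {
        $client.Close()
    }
}

Get-OwaCertificateReport -HostName $HostName -Port $Port | Format-List
```

Run it once against the internal server name and once against the external name; NameMatches should be true only for the name entered as the Common Name when the request was created.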
Final words
Even though it's possible to run your OWA environment without securing it with an SSL certificate, I strongly advise against doing so, as this would mean any traffic sent between the external OWA clients and the Exchange server would be sent in cleartext (this includes the authentication process). As you now know, SSL provides us with 128-bit encryption, but be aware that enabling SSL in your OWA environment isn't an optimal security solution on its own; in addition to enabling SSL, you should at least have some kind of firewall (such as an ISA server) placed in front of your Exchange server(s). You might also consider enabling the new Exchange 2003 functionality Forms Based Authentication, which provides a few additional benefits such as a new logon screen, which, among other things, uses session cookies to make the OWA sessions more secure. Unfortunately the Forms Based Authentication functionality is out of the scope of this article, but I will at some point in the near future write another article covering this functionality.
That was it for this time, I hope you enjoyed the article.
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html