Sembee Blog of Exchange MVP Simon Butler

Changes to SSL Certificates

There have been a lot of changes to the way that SSL certificates are issued and the impact of those changes are now being particularly felt within the Exchange community. 

What has changed?

The CA/Browser forum (made up of the companies that issue the certificates and the browser developers who use them) decided that that all certificates issued with an expiry date after 1st November 2015 will be restricted to internet resolvable FQDN's only. 
This means that you cannot have an SSL certificate with:
- Single name hosts - such as intranet, server, exch01
- Internal only domains - such as server.example.local
- Internal IP addresses (both Ipv4 and Ipv6). 
This applies to both the common name and any additional names on the certificate. 

Furthermore, if you have a certificate that is still in force with an invalid name from the list above, then it will be revoked on 1st October 2016. 

How does this affect Exchange?

Exchange 2003 isn't really affected by this, because most people simply purchased standard single name SSL certificates. 

Exchange 2007 and later however are being impacted. 
During the early life of Exchange 2007 the advice for SSL certificates was to include both the internal and external host names of the Exchange server. This was because the default configuration of Exchange uses the server's real name and therefore did not require additional modification.

However it quickly became apparent that this wasn't the best way to deploy Exchange web services, as end users were entering the same address internally as they were externally. Split DNS was the answer there http://semb.ee/splitdns

Following the changes to the guidelines for issuing certificates, the changes to Exchange, including setup of a split DNS system is almost mandatory.
I have instructions on how to do that on my main web site at http://semb.ee/hostnames 

Going Forwards

With this change, you can now get away with just two host names on an SSL certificate for full client support:
- host.example.com
- autodiscover.example.com
With our own certificates coming with five "names" available by default, and unlimited server licence, this means you can use the other slots to secure additional services. Once the certificate has been installed on the Exchange server, export it and then import the certificate in to other servers that need it - along side the required intermediate certificate. 
If your DNS provider supports SRV records, then you can even use a standard single name SSL certificate. However mobile devices in particular seem to have some problems with the SRV autodiscover method, so if you are going to deploy mobile devices, stick with a UC (Unified Communications) type certificate. One of the cheapest sources for those is our own site CertificatesforExchange.com http://semb.ee/certs

If you have a certificate with internal names that expires after 1st October 2016, then you should get it rekeyed with the internal names removed, so the certificate is not revoked. 

What else is changing?

From April 2015, the maximum period a certificate can be issued for is being reduced to 39 months. This is to ensure that the names on certificates are checked frequently that they still belong to the original purchaser.

SHA-1 certificates are being phased out very quickly and in 2017 Microsoft will stop trusting them. However a lot of browsers will start showing warning messages on these kinds of certificates in 2016. Therefore to protect yourself, ensure that you are requesting SHA-2 certificates and have replaced any SHA-1 certificates by the end of 2015.

Action Points

What should you do about your own SSL certificates?

  1. Check whether they are SHA-1 or SHA-2. 
    To do that, browse to the SSL site, then open the SSL certificate. Click on the Details tab and then look for Signature Hash Algorithm. It should NOT say SHA1. 
    Do not confuse with Thumbprint Algorithm, which will always say SHA1, no matter the type of the certificate.
    If they are SHA1, then get them rekeyed to SHA-2. If your provider doesn't allow that, then change provider. http://semb.ee/certs

  2. Check your server configuration and start to move everything over to use the same host name internally and externally. This is easily done by setting up a split DNS system, then changing the Exchange configuration. If your certificate still contains the internal names they will continue to work until you change the SSL certificate, providing a time to educate the end users about the names to use. 
Remember if you replace a certificate before it has expired, revoke the old one. This will often happen automatically when you get a certificate rekeyed, but it does no harm to do that yourself anyway. 

Net Framework 3.5 Installation errors Windows 2012/2012 R2

13. December 2014 10:30 by Simon Butler in Networking General
Recently tried to install Net Framework 3.5 on to an existing server which had been in production for a few months. 
Constantly failing with an error about being unable to find the source files, even though it was using an ISO which was used to build this and many other servers in the past. 

Clutching at straws, discovered that the server had a Windows Update installed, released in September 2014 for Net Framework 3.5, even though it wasn't installed. Some research on the internet indicated that it was one of these three:

KB2966826
KB2966827
KB2966828

Removing the update then attempting the installation again was successful. 

Once Net Framework had been installed, I ran Windows Update to reinstall the update I removed, plus numerous others that were required for Net Framework. 

Exchange 2010 Service Pack 2 End of Life

17. April 2014 10:45 by Simon Butler in Exchange 2010, MS Exchange Server

Completely forgot to mention last week that as well as Exchange 2003 going end of life, so did Exchange 2010 Service Pack 2. Therefore to continue to receive updates and support for Exchange 2010, you need to be on Exchange 2010 Service Pack 3. 

This follows Exchange 2010 RTM going end of life in October 2011 and Service Pack one in January 2013.

You can see the full list of Microsoft Exchange end of support dates on the Microsoft Lifecycle web site. http://semb.ee/enddates

Farewell Exchange 2003

8. April 2014 14:55 by Simon Butler in Exchange 2003, MS Exchange Server

Today is the day that support for Windows XP ends, but it is also the end of another product that was much loved in its day and even now is still in widespread use, and that is Exchange 2003.

 

Exchange 2003 was where I really got heavily involved with the Exchange product. I had played around a bit with Exchange 5.5 and 2000 at previous employers, but it was around the time of Exchange 2003 SP1 release that I really started to spend time with it.

 

I was thrown in to a migration from Exchange 2000 to 2003 within weeks of starting a new job, and having built my first server, interest in the product grew very quickly. It was working on Exchange 2003 problems within the community that first got me recognition from Microsoft via their MVP programme - which I have just been received for the ninth year.

 

Getting RPC over HTTPS to work was my first major achievement, and it became one of the most popular articles on my web site. Documentation wasn't great and it required manual registry changes to work correctly.

 

I remember the joy of having the 16gb database limit increased to 18gb initially, up to 75gb with a registry change that was introduced with one of the service packs.

 

By the time we got to service pack 2, Exchange 2003 was a pretty rock solid product. Reliable, with plenty of third party support. The introduction of ActiveSync over HTTP was particularly important, as just a short time later the iPhone was released which took advantage of it. Until that point, mobile sync support was limited to Windows Mobile devices or Blackberry.
There was a version of ActiveSync at RTM, but until the HTTP version came out, it only really worked for users in the USA, who had free email to text services.

 

Looking at it now, Exchange 2003 is a fairly basic email application, but for many companies it does all that they need. However it is starting to show its age. There are problems with some modern ActiveSync devices and OWA does not like the modern browsers and unless you are using Internet Explorer, the OWA experience is pretty painful. The limitation of 75gb on a database in standard edition is very limiting for all but the smallest of companies.

 

It was also the last version of Exchange that was administrated purely through a GUI. However with email platforms becoming bigger all the time, a GUI only approach quickly showed its weaknesses and the move to a modern scripting language like PowerShell was overdue.

 

 

As with many things, it was good for its time, but the more modern versions of Exchange, particularly Exchange 2010 are simply much better, more feature rich and a lot more suitable for the demands of a modern IT infrastructure. 

Exchange 2007/2010/2013 Outbound SMTP Banner Testing

Back in 2009 I posted that automated tools like those at mxtoolbox will return false negative results on the SMTP banner tests. (http://semb.ee/banner2007)

 

This is because the SMTP banner presented for inbound email is different to outbound email.

 

This is still the case with Exchange 2010 and 2013. You shouldn't try and change the Receive Connector configuration to "fix" this problem as will cause further issues with Exchange.

 

However with those tools providing false information, it raises the question of how do you easily test the banner so that you can see how a remote server will see your server?

 

Of course one way is to simply send an email to a remote server which you have control over, and check the headers. That isn't always practical and if you don't have your own server, using something Gmail or Hotmail might mean the message gets block because you haven't configured things correctly.

 

One of the blacklist operators has setup a system that will show you exactly what you are sending back, in the form of an NDR.

The details are here:

http://cbl.abuseat.org/helocheck.html

 

After sending the message, you will get an NDR back similar to this:

 

 

helocheck.abuseat.org rejected your message to the following e-mail addresses:

 

helocheck@helocheck.abuseat.org (helocheck@helocheck.abuseat.org)

 

 helocheck.abuseat.org gave this error:

*** The HELO for IP address 123.123.123.123 was 'mail.example.co.uk' (valid syntax) ***

 

 A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

 

Diagnostic information for administrators:

 

Generating server: server.example.co.uk

 

helocheck@helocheck.abuseat.org

helocheck.abuseat.org #550 *** The HELO for IP address 123.123.123.123 was 'mail.example.co.uk' (valid syntax) *** ##

 

Original message headers: 

 

 

This service is a quick and easy way to verify the server is configured correctly. 

Blackberry 10 Simulator

30. January 2014 10:30 by Simon Butler in Blackberry, Blackberry 10

If you are curious to see what the Blackberry 10 device is all about, or you need to support it, then the simulator is probably a good choice. This is available free of charge from the Blackberry web site. 

The simulator usually has a more advanced version of the OS than currently available, as it is designed to help developers get ready for the new OS. 

At the time of writing this means 10.2.1 which includes the Android emulation feature. 

System Requirements

Due to the installer Blackberry use, you need to have JAVA installed on the workstation. 

It also requires VMWARE Player or Workstation. 

Installation

The default location during the install is in My Documents. However if you decide to install it somewhere else, then you should run the installer Elevated. After installation the permissions can be out, so give Users full control to the directory where the VM is stored. 

The virtual machine installs with the network set to NAT mode by default - I prefer it to be connecting directly, so change the configuration before booting the VM.  

Use

It is a little slow to load, and do ensure that you have the latest video card drivers and a machine with Hardware virtualisation support enabled in the BIOS. However once loaded and you get your head around the "swiping" with the mouse, it is very quick. 

Once you have it loaded, don't forget to change the keyboard and language settings. I also found the time zone was wrong and the clock was six hours wrong as well, despite "automatic" time sync being enabled. 

Application Installation

You can access the Blackberry App World, you can also use third party App Stores, such as the Amazon App Store. However if required you can also sideload applications. There are various methods to do this, one of the easiest is to use a Google Chrome Extension, which is discussed here:

http://semb.ee/sideload

Exchange Connectivity

Of course as an Exchange MVP, one of the first things I wanted to try was connecting it to Exchange. This works perfectly, I was able to add it to my test Exchange 2013 server very quickly, and also to a test BES 10 server. 

Downloads

The simulator is free to download, and can be found at this link:

http://semb.ee/bbsim 

Stopping Auto Deletion in Mailbox Converted From a Resource

Recently at a client we configured some mailboxes as Resources. 
It was then decided that they would be better off as shared mailboxes, as they could be used for other tasks. Therefore the mailbox was converted to shared:

 

set-mailbox mailboxname -type:shared

 

However any emails sent to the new Shared mailbox were continuing to go in to the Deleted Items folder. This is the standard behaviour for a resource mailbox, as it is only expecting to get calendar items. 

The key is to disable the Calendar processing. You can see the current setting thus:

 

get-calendarprocessing mailboxname | select identity, AutomateProcessing

 

To disable it completely, you need to change the value of AutomateProcessing to none

 

set-calendarprocessing mailboxname -AutomateProcessing None

 

In this case, the folder still needed to accept and process calendar entries, so we changed it to AutoUpdate.

 

set-calendarprocessing mailboxname -AutomateProcessing AutoUpdate

 

The full parameters are discussed in the Technet article:

http://technet.microsoft.com/en-us/library/dd335046(v=exchg.141).aspx

 

Kudos to Holly at the client for finding the value which I had completely forgotten about!

Cross Site DAG Issue When Using A Load Balancer

18. November 2013 22:20 by Simon Butler in Exchange 2010, MS Exchange Server, Kemp

Just deployed a new Kemp Load Balancer with a client which promptly broke their cross site DAG.

Usual horrible error:

[PS] C:\Windows\system32>Get-DatabaseAvailabilityGroup -Status

WARNING: Unable to get Primary Active Manager information due to an Active Manager call failure. Error: An Active

Manager operation failed. Error The Microsoft Exchange Replication service may not be running on server XXX-3. Specific

 RPC error message: Error 0x6ba (The RPC server is unavailable) from cli_AmGetDeferredRecoveryEntries.

 

(server xxx-3 is the remote server).

Discovered that the problem was due to an option enabled on the Kemp called Enable Server NAT (SNAT). You can find this under System Configuration, Miscellanious Options, Network Options. Disabling that corrected the issue almost immediately. Seems that the NAT broke the DAG. 

Free BES 10 CALs when you Activate a Blackberry 10 Device

11. July 2013 21:55 by Simon Butler in Blackberry

Looks like Blackberry are running an offer for free BES 10 CALs.

Activate a Blackberry 10 device and get two free CALs.

 

http://uk.blackberry.com/business/blackberry-10/blackberry-10-ready/license-offer.html

 

Activate a Blackberry 10 device between July 1st and August 31st 2013 and for each device you will get TWO free CALs. These CALS are the EMM Corporate type so will work for Blackberry 10 devices and Android/iPhone. At current prices they are worth almost £70 each.

 

The BES 10 software is free (trial download on the link above).

 

The window to claim the free CALs is quite small, so Blackberry have provided a link to be told when the registration process is open.