Microsoft Exchange and Blackberry Server Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

New Articles on amset.info #2

I have added some new content on OWA...

Redirecting OWA... How you have can have a single URL for both OWA and OMA then redirect accordingly.
Or have a plain http URL on your web site for the users to remember that redirects them to a secure site - means you don't have to open port 80 to your production network.
http://www.amset.info/exchange/owa-redirectpages.asp

OWA URLS
By manipulating the URLs in OWA you can display the information in different ways.
http://www.amset.info/exchange/owa-urls.asp

Stop Exchange using a Script
I have posted the script file I use when I need to stop Exchange.
http://www.amset.info/exchange/shutdown-script.asp

Coming Soon...
As I seem to be helping with a lot of EAS and OMA queries at the moment so I am currently working on a series of articles on Exchange Active Sync, Outlook Mobile Access. Look for those real soon.

First to Six Million in a single TA at EE

Last week it was speculated in the Experts Exchange Newsletter who would be the first to six million points in a single topic area - me or objects (see here http://blog.sembee.co.uk/archive/2006/03/03/8.aspx).
Overnight (9th - 10th March) I won that little race.
To give you an idea of the level of achievement, my six million points in the Exchange Server Topic Area is more than anyone other than the top five (at the time of writing) experts have on the entire site.
I guess the next target is first to 10 million points overall!

VPN Through a PIX

Stuck out on site with a client, I couldn't connect to home via VPN. The client has a Cisco PIX and a quick bit of research showed that while the PIX will allow PPTP pass-through, it isn't enabled by default.

Apparently you need 6.3 of the PIX software, but then you can add the following command to the configuration and can then use the Windows VPN client:

fixup protocol pptp 1723

A quick change and I was able to connect home.
More information on Cisco's web site
You have to make a similar change if you need to go through a PIX with the Cisco VPN client to connect to a remote Cisco VPN server. In that case the command is:
ISAKMP NAT-TRAVERSAL
Another command that requires version 6.3 of the PIX software.

Why you shouldn't use Self Generated SSL Certificates

A constant theme on many of the Internet forums is the use of self generated SSL certificates versus purchased SSL certificates, particularly when deploying RPC over HTTPS or Outlook Web Access.
Many people will advocate that using a self generated certificate is fine and will do the job.
This could be a certificate generated from the selfssl.exe tool that is supplied with the IIS Resource Kit, or Microsoft's certificate application.
However I am not one of them, and always deploy Exchange with a purchased certificate.

Use of SSL Certificates
SSL Certificates have two main tasks. 

  1. To prove that the server you are accessing is the server that you meant to access.
  2. To encrypt the connection between the application being used to access the server, and the server itself.

There are three things that your web browser looks for when accessing a secure site.

  • that the name on the certificate matches the address being accessed
  • the certificate is issued by someone the browser trusts, or the certificate matches one already installed on the web browser
  • the certificate is valid.

If any of those three fail, then you will get a warning message popup.
With self generated certificates, you will get the warning message when you access the server. This is because the certificate hasn't been issued by a trusted authority.
You can get round that warning message by importing the certificate in to the web browser. However that makes a lot of work with deployment, complicates matters and also means that you have to repeat the exercise when the certificates expires.
It also doesn't help when people are accessing your site from a public computer where you cannot install the certificate, such as an internet café or their machine at home.
And that is where self generated certificates start to cause problems.
You can tell your users to ignore the message when connecting to your site, but users have a habit of only hearing what they want to hear. They will hear "ignore the message" but forget the bit "when using our site". In these days of phishing and spoof web sites network administrators need to give out a consistent message - and telling users to ignore a security warning is a very example of failing to do that.
A security warning of any kind looks unprofessional and shows a lack of concern for security.

So what are the alternatives?
The best alternative is to purchase an SSL certificate.
However many administrators think that they need to go to one of the big SSL certificate issuers such as Verisign and pay US$400 or more per year - and that is just for a 40 bit certificate.
That is not the case.
I do my deployments using RapidSSL certificates. They cost US$69 per year and that is for a 128bit certificate. Their root certificate is in most of the popular web browsers so there is no complication there.
If you do need to deploy the certificates to Pocket PC devices, then that can be easily done (see http://www.amset.info/pocketpc/certificates.asp).
You could also certificates from Certificates for Exchange which are trusted by Windows Mobile 5.0 with MSFP and higher. Nothing to install on the devices making deployment easy.
You may also see some "free" SSL certificates around. These should be looked at carefully, paying particular attention to the root certificate support. If the root certificate isn't in the majority of web browsers then you will have the same problem as when issuing your own certificates - prompts and imports.

Do Self Generated Certificates Have a Place?
Yes they do. I use them all the time in lab environments. When I have control over every item accessing the service, then I will use the a self generated certificate and make all of adjustments as required to get it to work correctly. However in a production deployment, they are never used.

Mentioned in EE Newsletter Again

Yet another mention in the Experts Exchange Newsletter. This is starting to get embarrassing.
See the original here: http://www.ee-stuff.com/Newsletter/022806newsletter.htm
However here is the quote:
Kudos: There aren't enough superlatives to describe what Sembee has accomplished since he joined EE a little over two years ago. First he makes Rookie of the Year, and follows that up as Expert of the Year. Then he becomes the first EE member to crack the 7,000,000 point level; 5.8 million of those points -- more than all but five members have in total are in the Exchange Server topic area. It's a race to see whether he or objects will be the first to reach 6,000,000 in a single topic area.