Microsoft Exchange and Blackberry Server Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Kemp Release Free Load Balancer Virtual Appliance

Kemp have released a free load balancing virtual appliance. If you have a small environment and don't need the high availability of two load balancers, then this could be an ideal solution. 


There are some limitations, particularly around the throughput (only 20mps) but if you are using a small environment or a lab, then it could be all that you need. Absolutely no reason to use Windows Network Load Balancing any more. 

If you have Kemp load balancers in your production environment, then it is an ideal way to have the same in your test environment. It will also make this a valuable learning tool for Exchange and server administrators. 

No support included, but that is to be expected. 

It looks like it is pretty much the complete feature-set from Kemp, including:

Layer 4/7 load balancing
Content switching
Caching, compression engine
MS Exchange 2010/2013 optimized
Pre-configured virtual service templates

The only thing it is missing features wise is Active/Hot Standby redundant operation.

If you are going to use this in a production site, then I would watch that maximum throughput though. 

Update for Visual Studio 2010 Tools for Office Runtime (KB3001652) Install Hang

Looks like the updates for today (10th Feb 2015) has an update that isn't installing correctly.

KB3001652 Update for Visual Studio 2010 Tools for Office Runtime.

On Windows 8.1 machines it seems to just hang.
However on a Windows 7 machine, I got a runtime installer appear, which required me to click through a few steps to install. 

Therefore it looks like it is hanging because the setup installer is hidden in the background. 

This was further confirmed by trying to reset the Windows Update system using my script from here: http://wuauclt.info/scripts.asp

In the command prompt window it said that a file couldn't be deleted because it was held open by another process. 

Looking in Task Manager, I found a setup.exe process running. Killing that process immediately brought up the Reboot now windows in Windows Update. I ran the script again and it was successful. A reboot also passed without incident, taking just a couple of minutes which was normal for the VM I was using. 

As the lab system I am testing against uses a WSUS, I declined the update. For home users, you should probably hide it. I expect it will get pulled by Microsoft very shortly. 

So the complete method to deal with this stuck update.

1. In task manager, find the setup.exe that is running in the background which you cannot see and end the task. 
2. Run the script from my web site above, to clean out Windows Update.
3. Reboot. 
4. Re-run Windows Update. When you see the update listed, hide it. 

Install all other updates as normal and reboot. 

Did Blackberry EZPass? Watch for automatic enrolment in support programme

If you took advantage of the Blackberry EZ-Pass programme earlier this year to get free licences for BES 10 and then BES 12, you should have been receiving emails asking you to renew the support. For all EZPass upgraders, support expires on Jan 31st. 

However it is easy to miss in these emails is that if you do not opt out, then you will be invoices for the renewal automatically. This could end up being very expensive. For my four licences, Blackberry were asking for over £700!

"Important information on opting out 

If you do not wish to renew your Advantage Level Technical Support, you must opt-out of the program in order to avoid being invoiced following the close of the program. Please contact BlackBerry to receive instructions regarding the opt-out process."

What are the options here? 

There are a number of options available, depending on your own needs. 

  1. Renew. 
    The price quoted is for support on all of your Silver CALS that you got for free via the EZPASS programme. They also include support, so when BES 12.1 or higher is released, then you will be able to upgrade. 
  2. Opt out and pay nothing else.
    The EZPASS programme provided Silver Perpetual CALs. Therefore if you opt out, then you will stay on the version that you have now. You will be unable to upgrade to new versions of BES for free and will not get any support. You need to contact Blackberry for the opt out. You will then get an email with a link to a web site to click on and confirm the opt out. If you have not had that email then you have not opted out.
  3. Re-Purchase the licences fresh. 
    All new licences are annual subscription, so you need to pay to renew each year. This is what I am doing. New silver licences here in the UK are £15 a year, therefore I could renew my four licences for 10 years and still save money.
    However another client was quoted the equivalent of £12 a user, so it made sense to renew. 
    Furthermore, if after 12 months they decided not to renew, then their licences are still valid, as they are perpetual. There would simply be no further support available. 
Make a decision - doing nothing is not an option. 

Remember though, I am not an employee of Blackberry and therefore the advice above is my interpretation of the licencing of BES. If you are unclear, you should speak to Blackberry Sales. 

Outlook 2010 MAPI over HTTPS Support

The hotfix for MAPI over HTTP support for Outlook 2010 has been released at last. 

Currently requiring a manual request and installation, no word on whether it will be available through any of the automated distribution methods. 


(This replaces kb2899591 released in December which was withdrawn). 

On the server, MAPI over HTTP requires Exchange 2013 SP1 (aka CU4) or higher. It is a new communication protocol for Exchange/Outlook communication which will eventually replace RPC over HTTP. 

For the client the hot fix requires Outlook 2010 SP2 to be installed. 

Lots more background on MAPI over HTTP on the Exchange team blog: http://semb.ee/mapi-http-blog

Changes to SSL Certificates

There have been a lot of changes to the way that SSL certificates are issued and the impact of those changes are now being particularly felt within the Exchange community. 

What has changed?

The CA/Browser forum (made up of the companies that issue the certificates and the browser developers who use them) decided that that all certificates issued with an expiry date after 1st November 2015 will be restricted to internet resolvable FQDN's only. 
This means that you cannot have an SSL certificate with:
- Single name hosts - such as intranet, server, exch01
- Internal only domains - such as server.example.local
- Internal IP addresses (both Ipv4 and Ipv6). 
This applies to both the common name and any additional names on the certificate. 

Furthermore, if you have a certificate that is still in force with an invalid name from the list above, then it will be revoked on 1st October 2016. 

How does this affect Exchange?

Exchange 2003 isn't really affected by this, because most people simply purchased standard single name SSL certificates. 

Exchange 2007 and later however are being impacted. 
During the early life of Exchange 2007 the advice for SSL certificates was to include both the internal and external host names of the Exchange server. This was because the default configuration of Exchange uses the server's real name and therefore did not require additional modification.

However it quickly became apparent that this wasn't the best way to deploy Exchange web services, as end users were entering the same address internally as they were externally. Split DNS was the answer there http://semb.ee/splitdns

Following the changes to the guidelines for issuing certificates, the changes to Exchange, including setup of a split DNS system is almost mandatory.
I have instructions on how to do that on my main web site at http://semb.ee/hostnames 

Going Forwards

With this change, you can now get away with just two host names on an SSL certificate for full client support:
- host.example.com
- autodiscover.example.com
With our own certificates coming with five "names" available by default, and unlimited server licence, this means you can use the other slots to secure additional services. Once the certificate has been installed on the Exchange server, export it and then import the certificate in to other servers that need it - along side the required intermediate certificate. 
If your DNS provider supports SRV records, then you can even use a standard single name SSL certificate. However mobile devices in particular seem to have some problems with the SRV autodiscover method, so if you are going to deploy mobile devices, stick with a UC (Unified Communications) type certificate. One of the cheapest sources for those is our own site CertificatesforExchange.com http://semb.ee/certs

If you have a certificate with internal names that expires after 1st October 2016, then you should get it rekeyed with the internal names removed, so the certificate is not revoked. 

What else is changing?

From April 2015, the maximum period a certificate can be issued for is being reduced to 39 months. This is to ensure that the names on certificates are checked frequently that they still belong to the original purchaser.

SHA-1 certificates are being phased out very quickly and in 2017 Microsoft will stop trusting them. However a lot of browsers will start showing warning messages on these kinds of certificates in 2016. Therefore to protect yourself, ensure that you are requesting SHA-2 certificates and have replaced any SHA-1 certificates by the end of 2015.

Action Points

What should you do about your own SSL certificates?

  1. Check whether they are SHA-1 or SHA-2. 
    To do that, browse to the SSL site, then open the SSL certificate. Click on the Details tab and then look for Signature Hash Algorithm. It should NOT say SHA1. 
    Do not confuse with Thumbprint Algorithm, which will always say SHA1, no matter the type of the certificate.
    If they are SHA1, then get them rekeyed to SHA-2. If your provider doesn't allow that, then change provider. http://semb.ee/certs

  2. Check your server configuration and start to move everything over to use the same host name internally and externally. This is easily done by setting up a split DNS system, then changing the Exchange configuration. If your certificate still contains the internal names they will continue to work until you change the SSL certificate, providing a time to educate the end users about the names to use. 
Remember if you replace a certificate before it has expired, revoke the old one. This will often happen automatically when you get a certificate rekeyed, but it does no harm to do that yourself anyway.