Sembee Blog of Exchange MVP Simon Butler

Changes to SSL Certificates

There have been a lot of changes to the way that SSL certificates are issued, and the impact of those changes is now being particularly felt within the Exchange community. 

What has changed?

The CA/Browser Forum (made up of the companies that issue the certificates and the browser developers who use them) decided that all certificates issued with an expiry date after 1st November 2015 will be restricted to internet-resolvable FQDNs only. 
This means that you cannot have an SSL certificate with:
- Single name hosts - such as intranet, server, exch01
- Internal only domains - such as server.example.local
- Internal (private) IP addresses (both IPv4 and IPv6). 
This applies to both the common name and any additional (Subject Alternative) names on the certificate. 

Furthermore, if you have a certificate that is still in force with an invalid name from the list above, then it will be revoked on 1st October 2016. 

How does this affect Exchange?

Exchange 2003 isn't really affected by this, because most people simply purchased standard single name SSL certificates. 

Exchange 2007 and later however are being impacted. 
During the early life of Exchange 2007 the advice for SSL certificates was to include both the internal and external host names of the Exchange server. This was because the default configuration of Exchange uses the server's real name and therefore did not require additional modification.

However, it quickly became apparent that this wasn't the best way to deploy Exchange web services, as end users wanted to use the same address internally as they did externally. Split DNS was the answer: http://semb.ee/splitdns

Following the changes to the guidelines for issuing certificates, the changes to Exchange, including setting up a split DNS system, are almost mandatory.
I have instructions on how to do that on my main web site at http://semb.ee/hostnames 
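As an added example (not from the original post, nor from the instructions linked above), this is the Exchange shell side of that change for one Client Access server. It assumes Exchange 2010 or 2013, a server called EXCH01 and mail.example.com as the split-DNS name; all three are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Assumptions: Exchange 2010/2013
# Management Shell, a Client Access server EXCH01, and mail.example.com as the
# split-DNS name that resolves to the CAS inside and to the firewall outside.
$Server   = 'EXCH01'
$HostName = 'mail.example.com'
$Base     = "https://$HostName"

# 1. Record what is configured today, so the change can be reviewed and reverted.
$before = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server    # ECP does not exist on Exchange 2007; drop this line there
    Get-WebServicesVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OabVirtualDirectory         -Server $Server
) | Select-Object Identity, InternalUrl, ExternalUrl
$before | Format-Table -AutoSize

# 2. Point every web service at the one name, internally and externally.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

# 3. Autodiscover SCP (what domain-joined Outlook looks up in AD) and Outlook Anywhere.
#    The SCP must use a name that is on the certificate, or internal Outlook gets a name-mismatch warning.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -ExternalHostname $HostName    # Exchange 2013 also has -InternalHostname; set it to $HostName there too

# 4. Confirm the result; run iisreset on the server if clients do not pick the change up.
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
```

Once every URL uses the one name, the certificate request only needs mail.example.com and autodiscover.example.com (plus whatever else you put in the spare slots); the server's own internal name no longer has to appear on it.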

Going Forwards

With this change, you can now get away with just two host names on an SSL certificate for full client support:
- host.example.com
- autodiscover.example.com
With our own certificates coming with five "names" available by default and an unlimited server licence, this means you can use the other slots to secure additional services. Once the certificate has been installed on the Exchange server, export it with its private key (as a password-protected PFX file) and import it on the other servers that need it, alongside the required intermediate certificate. Delete the exported file once it has been imported everywhere; it is as sensitive as the private key itself. 
If your DNS provider supports SRV records, then you can even use a standard single name SSL certificate. However mobile devices in particular seem to have some problems with the SRV autodiscover method, so if you are going to deploy mobile devices, stick with a UC (Unified Communications) type certificate. One of the cheapest sources for those is our own site CertificatesforExchange.com http://semb.ee/certs

If you have a certificate with internal names that expires after 1st October 2016, then you should get it rekeyed with the internal names removed, so the certificate is not revoked. 

What else is changing?

From April 2015, the maximum period a certificate can be issued for is reduced to 39 months. This is so that the CA has to re-check, at least every 39 months, that the names on the certificate still belong to the original purchaser.

SHA-1 certificates are being phased out very quickly: Microsoft will stop trusting SHA-1 SSL certificates in 2017, and many browsers will start showing warning messages on these certificates during 2016. To protect yourself, request SHA-2 (SHA-256) certificates from now on and replace any SHA-1 certificates by the end of 2015.

Action Points

What should you do about your own SSL certificates?

  1. Check whether they are SHA-1 or SHA-2. 
    To do that, browse to the SSL site, then open the SSL certificate. Click on the Details tab and then look for Signature Hash Algorithm. It should NOT say SHA1. 
    Do not confuse with Thumbprint Algorithm, which will always say SHA1, no matter the type of the certificate.
    If they are SHA1, then get them rekeyed to SHA-2. If your provider doesn't allow that, then change provider. http://semb.ee/certs

  2. Check your server configuration and start to move everything over to use the same host name internally and externally. This is easily done by setting up a split DNS system, then changing the Exchange configuration. If your certificate still contains the internal names, they will continue to work until you change the SSL certificate, which gives you time to educate the end users about the names to use. 
Remember that if you replace a certificate before it has expired, you should revoke the old one, once the new one is installed everywhere the old one was used. This often happens automatically when you get a certificate rekeyed, but it does no harm to do it yourself anyway. 
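An added example (not from the original post) that does the checks above from the server rather than from a browser: run in the Exchange Management Shell (PowerShell 2.0 or later), it lists every certificate in the server's store and flags a SHA-1 signature, internal names that will get the certificate revoked, and a validity period over the 39-month maximum. The list of "non-public" suffixes it uses is an assumption.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell (PowerShell 2.0 or later). Lists every certificate in the server's store
# and flags the three things the post says to look for.
function Test-InternalName {
    param([string]$Name)
    # Private, loopback and link-local addresses count as "internal" under the CA rules.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$ip)) {
        if ($ip.AddressFamily -eq 'InterNetwork') {
            $b = $ip.GetAddressBytes()
            return (($b[0] -eq 10) -or ($b[0] -eq 127) -or
                    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                    ($b[0] -eq 192 -and $b[1] -eq 168) -or
                    ($b[0] -eq 169 -and $b[1] -eq 254))
        }
        return ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal -or
                $ip.Equals([System.Net.IPAddress]::IPv6Loopback) -or
                (($ip.GetAddressBytes()[0] -band 0xFE) -eq 0xFC))   # fc00::/7 unique local
    }
    $n = $Name.TrimStart('*', '.')            # judge a wildcard entry by its suffix
    if ($n -notmatch '\.') { return $true }   # single-label host such as "intranet" or "exch01"
    # Assumption: these suffixes are treated as non-public. Extend the list for your environment.
    return ($n -match '\.(local|lan|internal|corp|intranet|private)$')
}

$revocationDate = Get-Date '2016-10-01'   # unexpired certificates with internal names are revoked from this date

Get-ExchangeCertificate | ForEach-Object {
    $cert     = $_
    $internal = @($cert.CertificateDomains | Where-Object { Test-InternalName $_ })
    $months   = ($cert.NotAfter - $cert.NotBefore).TotalDays / 30.44
    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Services       = $cert.Services
        SelfSigned     = $cert.IsSelfSigned
        SigAlgorithm   = $cert.SignatureAlgorithm.FriendlyName   # "sha1RSA" is SHA-1: rekey it. "sha256RSA" is SHA-2.
        NotAfter       = $cert.NotAfter
        InternalNames  = ($internal -join ', ')
        # Self-signed certificates are exempt: no public CA issued them, so nobody will revoke them.
        RevocationRisk = (($internal.Count -gt 0) -and (-not $cert.IsSelfSigned) -and ($cert.NotAfter -gt $revocationDate))
        OverMaxTerm    = ($months -gt 39)
    }
} | Select-Object Thumbprint, Services, SelfSigned, SigAlgorithm, NotAfter, InternalNames, RevocationRisk, OverMaxTerm |
    Format-Table -AutoSize
```

Any row with RevocationRisk set to True is a certificate to get rekeyed now, with the internal names removed; any row with SigAlgorithm of sha1RSA is one to rekey as SHA-2 at the same time.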

Exchange 2007/2010/2013 Outbound SMTP Banner Testing

Back in 2009 I posted that automated tools like those at mxtoolbox will wrongly flag a failure on the SMTP banner test for Exchange 2007 (http://semb.ee/banner2007).

This is because the SMTP banner presented for inbound email is different from the name used for outbound email: the banner comes from the Receive Connector, while the HELO/EHLO that a remote server sees comes from the Send Connector.

This is still the case with Exchange 2010 and 2013. You shouldn't try to change the Receive Connector configuration to "fix" this problem, as it will cause further issues with Exchange.
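As an added example (not part of the original post), this Exchange Management Shell script shows where each of the two names comes from and compares the outbound one with the PTR record of your sending address, which is what a remote server will actually check. The public IP address is an assumption; put in the address your outbound mail leaves from.

```powershell
# Added example, not from the original post. The inbound banner the online tools
# test is the Receive Connector's FQDN; the HELO/EHLO a remote server sees is the
# Send Connector's FQDN. $PublicIp is an assumption (TEST-NET-3 placeholder).
$PublicIp = '203.0.113.10'

# Inbound side: what connecting servers (and mxtoolbox-style tests) are greeted with.
Get-ReceiveConnector | Select-Object Identity, Fqdn, Bindings | Format-Table -AutoSize

# Outbound side: a blank Fqdn means each source transport server sends its own name.
function Get-OutboundHelo {
    param($Connector)
    if ($Connector.Fqdn) { return @([string]$Connector.Fqdn) }
    return @($Connector.SourceTransportServers | ForEach-Object { (Get-ExchangeServer -Identity $_.Name).Fqdn })
}

# The name a remote server checks the HELO against is the PTR record of the sending IP.
$ptr = $null
try   { $ptr = [System.Net.Dns]::GetHostEntry($PublicIp).HostName }
catch { Write-Warning "No PTR record for $PublicIp - fix that first, whatever the HELO says" }

Get-SendConnector | ForEach-Object {
    $connector = $_
    Get-OutboundHelo -Connector $connector | ForEach-Object {
        New-Object PSObject -Property @{
            Connector      = $connector.Identity
            AddressSpaces  = ($connector.AddressSpaces -join ', ')
            OutboundHelo   = $_
            PtrForPublicIp = $ptr
            HeloMatchesPtr = (($ptr -ne $null) -and ($_ -eq $ptr))
        }
    }
} | Select-Object Connector, AddressSpaces, OutboundHelo, PtrForPublicIp, HeloMatchesPtr | Format-Table -AutoSize
```

If HeloMatchesPtr is False for the internet-facing connector, set that Send Connector's Fqdn to the PTR name (Set-SendConnector -Identity '<connector name>' -Fqdn <ptr name>) and leave the Receive Connector alone, as the post says: the default Receive Connector's FQDN is used when your own Exchange servers authenticate to each other, which is what breaks if it is changed.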

 

However, with those tools providing false information, it raises the question of how to easily test the banner so that you can see how a remote server will see yours.

One way is simply to send an email to a remote server that you control and check the headers. That isn't always practical, and if you don't have your own server, using something like Gmail or Hotmail may mean the message gets blocked because you haven't configured things correctly.

One of the blacklist operators (the CBL) has set up a system that will show you exactly what you are sending, in the form of an NDR.

The details are here:

http://cbl.abuseat.org/helocheck.html

 

After sending the message, you will get an NDR back similar to this (the IP address and host names below are placeholders):

helocheck.abuseat.org rejected your message to the following e-mail addresses:

helocheck@helocheck.abuseat.org (helocheck@helocheck.abuseat.org)

helocheck.abuseat.org gave this error:
*** The HELO for IP address 123.123.123.123 was 'mail.example.co.uk' (valid syntax) ***

A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:

Generating server: server.example.co.uk

helocheck@helocheck.abuseat.org
helocheck.abuseat.org #550 *** The HELO for IP address 123.123.123.123 was 'mail.example.co.uk' (valid syntax) *** ##

Original message headers: 


This service is a quick and easy way to verify the server is configured correctly. Note that the generating server's name (server.example.co.uk) and the HELO name (mail.example.co.uk) differ; the HELO name is the one the remote side sees, and it should both resolve to the sending IP address and be that address's PTR record. 

Stopping Auto Deletion in Mailbox Converted From a Resource

Recently at a client we configured some mailboxes as Resources. 
It was then decided that they would be better off as shared mailboxes, as they could be used for other tasks. Therefore the mailbox was converted to shared:

Set-Mailbox mailboxname -Type Shared

However, any emails sent to the new shared mailbox continued to go into the Deleted Items folder. This is the standard behaviour for a resource mailbox, as it is only expecting to receive calendar items. 

The key is to disable the calendar processing. You can see the current setting thus:

Get-CalendarProcessing mailboxname | Select-Object Identity, AutomateProcessing

To disable it completely, change the value of AutomateProcessing to None:

Set-CalendarProcessing mailboxname -AutomateProcessing None

In this case the mailbox still needed to accept and process calendar entries, so we changed it to AutoUpdate instead (the Calendar Attendant still processes meeting requests, but the Resource Booking Attendant no longer runs):

Set-CalendarProcessing mailboxname -AutomateProcessing AutoUpdate


The full parameters are discussed in the Technet article:

http://technet.microsoft.com/en-us/library/dd335046(v=exchg.141).aspx
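An added example (not part of the original post) that turns the one-off fix above into an organisation-wide check: it finds every shared mailbox that is still running the Resource Booking Attendant, and shows what would be changed before anything is touched. It assumes Exchange 2010 or 2013 cmdlet parameters.

```powershell
# Added example, not from the original post. Finds shared mailboxes that still
# behave like resources (AutomateProcessing = AutoAccept), which is the state that
# produced the Deleted Items symptom above. Assumes Exchange 2010/2013 parameters.
function Find-ResourceStyleSharedMailbox {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        $cp = Get-CalendarProcessing -Identity $_.Identity
        if ($cp.AutomateProcessing -eq 'AutoAccept') {
            New-Object PSObject -Property @{
                Mailbox                = $_.Identity
                AutomateProcessing     = $cp.AutomateProcessing
                # With AutoAccept, this setting (default $true) is what removes ordinary mail from the Inbox.
                DeleteNonCalendarItems = $cp.DeleteNonCalendarItems
            }
        }
    }
}

# Review first...
Find-ResourceStyleSharedMailbox |
    Select-Object Mailbox, AutomateProcessing, DeleteNonCalendarItems | Format-Table -AutoSize

# ...then change. -WhatIf only reports what would happen; remove it to apply the change.
Find-ResourceStyleSharedMailbox | ForEach-Object {
    Set-CalendarProcessing -Identity $_.Mailbox -AutomateProcessing AutoUpdate -WhatIf
}
```

If a mailbox genuinely needs to keep auto-accepting bookings as well as holding ordinary mail, the alternative is to leave AutomateProcessing alone and set DeleteNonCalendarItems to $false on it instead.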

 

Kudos to Holly at the client for finding the value which I had completely forgotten about!

Where to get free support for Microsoft Exchange Server

If you are having problems with your Exchange server, you have a number of sources for assistance. 

You can Google for the problem, and in many cases this will bring up something that can assist you.

If you have a fairly specific problem though, you might need to actually explain it to someone to get assistance. For that you have two main sources. 

1. Microsoft Support - this is of course a chargeable solution. 

2. Peer to peer support. 

The second option is very popular and is where you can get assistance from some of the top Exchange experts. Exchange MVPs (like myself) post in peer to peer locations, as do some Microsoft employees. 

Where to find peer to peer support

With the demise of the Microsoft Newsgroups, peer to peer support pretty much comes in two forms. 

  • Forums
  • Email Lists

Email Lists

One of the most active email lists was hosted by Sunbelt Software, who were acquired by GFI. GFI have now announced the lists are going away, so the new list can be found at "My IT Forum" http://myitforum.com/myitforumwp/services/email-lists/  

Yahoo Groups also have email lists for each version of Exchange, however these appear to be very low traffic. 

Use an Outlook.com account or a public folder to store the list traffic - they can get very busy and by putting the content in to a separate place it will keep it from your main email. 

Forums

There are lots of forums where you can get support for Microsoft Exchange. 

Microsoft Technet

Exchange 2013: http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver

Previous Versions: http://social.technet.microsoft.com/Forums/en-US/category/exchangeserverlegacy 

These are very busy forums, which are monitored by Microsoft staff. However, there are a lot of categories, so working out where to post can be a challenge. 

Experts Exchange

The Exchange section is very active and is one of the main places you will find me posting. Contrary to popular belief, you don't need to pay to either see the solutions or post a question. A free account can be created here: http://semb.ee/ee

Petri

Exchange 2000/2003: http://www.petri.co.il/forums/forumdisplay.php?f=12 

Exchange 2007/2010/2013: http://www.petri.co.il/forums/forumdisplay.php?f=36  

Another forum where you will find me posting, I also moderate the Exchange forums. Not quite as busy as some, but knowledgeable people post. 

Msexchange.org

http://forums.msexchange.org/ 

Another forum divided in to categories. 

There are other forums out there, but they have very low traffic, which means your question may go unanswered. 

You can also find groups on LinkedIn, if you have an account there. 

More ways to get assistance can be found on my list of Exchange resources at http://exbpa.com/ 

SSL Compatibility and Testing

SSL certificates are a constant source of pain for Exchange administrators. With Exchange 2007 and 2010 so heavily dependent on web services, getting SSL set up correctly is important for correct operation. 

A lot of SSL certificate deployment is now being done for mobile device support, and then you open a new issue - SSL certificate compatibility. 

Recently I found a large compatibility matrix of SSL certificate providers against client platforms. 

It is from a Danish SSL reseller called FairSSL:

http://www.ssltest.net/compare/sar.php 

It is most useful for mobile platform compatibility, and the number of CA and device combinations it lists is significant. 

On the same site they also have a tool to verify that your SSL certificate is installed correctly. Most of the SSL vendors also provide this, but if you don't have the login details (perhaps because the certificate was just supplied to you) then it is a useful service to have:

http://www.ssltest.net/ 

With more SSL providers now issuing certificates from an intermediate certificate rather than directly from the root, getting the intermediate installed correctly on the server can mean the difference between SSL working and not. Desktop Windows clients can often fetch a missing intermediate for themselves, but many mobile devices cannot, so the server must send it. 
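As an added example (not from the original post, and not the ssltest.net tool), here is a PowerShell check of what a client actually receives from a published Exchange name: the names on the certificate, whether the requested name matches one of them, the signature algorithm, and whether Windows can build the chain. The two host names are assumptions; use your own. .NET 4.5 or later is needed for SNI to be sent with the handshake.

```powershell
# Added example, not from the original post. Checks the certificate a client is
# handed for each published name. Host names are assumptions.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented so the handshake completes; Windows' own verdict is kept for the report.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $policyErrors)
        $script:LastPolicyErrors = $policyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateNames {
    param($Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) {
        # Windows renders the extension as "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label, so the label counts must agree.
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-Chain {
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $valid = $chain.Build($Cert)
    New-Object PSObject -Property @{
        Valid    = $valid
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

'mail.example.com', 'autodiscover.example.com' | ForEach-Object {   # assumption: the two names a UC certificate needs
    $name  = $_
    $cert  = Get-RemoteCertificate -HostName $name
    $names = Get-CertificateNames -Cert $cert
    $chain = Test-Chain -Cert $cert
    New-Object PSObject -Property @{
        Host            = $name
        NamesOnCert     = ($names -join ', ')
        NameMatches     = (Test-NameMatch -HostName $name -Names $names)
        SigAlgorithm    = $cert.SignatureAlgorithm.FriendlyName
        NotAfter        = $cert.NotAfter
        HandshakeErrors = $script:LastPolicyErrors   # None, RemoteCertificateNameMismatch or RemoteCertificateChainErrors
        ChainValid      = $chain.Valid
        ChainDepth      = $chain.Elements.Count       # leaf + intermediate(s) + root
        ChainStatus     = ($chain.Status -join '; ')
    }
} | Format-List Host, NamesOnCert, NameMatches, SigAlgorithm, NotAfter, HandshakeErrors, ChainValid, ChainDepth, ChainStatus
```

One caveat on the chain result: Windows builds it from its own certificate stores and will download a missing intermediate itself, so ChainValid being True on a domain-joined PC does not prove the server is sending the intermediate. Run it from a machine that has never seen the intermediate, or confirm with a mobile device or with the online tool linked above.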


Autodiscover Proxy Failure

An interesting little issue with a client's configuration caused a problem recently.

The problem only affected users off site using Outlook Anywhere. While they could get their email correctly, the Availability service did not work. This stopped Out of Office from working correctly unless OWA was used or the end user was in the office.  

This particular configuration uses a Client Access Server in a data centre, which proxies over a site-to-site VPN into the main office where another CAS, plus the mailboxes, are actually located. Therefore the issue had to be a configuration difference between the two servers. 

Running 

get-clientaccesserver servername |fl 

on the server in the data centre and comparing it to the server in the main office, showed that the value for AutodiscoverSiteScope was populated with the AD site for the main office. This was because the server in the data centre had been built in that location initially and then moved. 

Removing that entry so it was blank resolved the issue:

Set-clientaccessserver servername -AutodiscoverSiteScope $null 

A five minute fix resolved an annoying problem for the end users. 
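An added example (not part of the original post) that generalises the comparison above: it lists every Client Access server alongside the AD site it actually sits in and the AutoDiscoverSiteScope it claims, so a server that was built in one site and moved to another stands out without comparing two Format-List dumps by eye. Nothing is changed by running it.

```powershell
# Added example, not from the original post. Flags Client Access servers whose
# AutoDiscoverSiteScope names sites they are no longer in. Read-only.
Get-ClientAccessServer | ForEach-Object {
    $cas   = $_
    $site  = (Get-ExchangeServer -Identity $cas.Name).Site.Name
    $scope = @($cas.AutoDiscoverSiteScope)
    New-Object PSObject -Property @{
        Server     = $cas.Name
        ActualSite = $site
        SiteScope  = ($scope -join ', ')       # empty: answers Autodiscover for clients from any site
        Scp        = $cas.AutoDiscoverServiceInternalUri
        # A scope that does not include the server's own site sends clients to the wrong place.
        Suspect    = (($scope.Count -gt 0) -and ($scope -notcontains $site))
    }
} | Select-Object Server, ActualSite, SiteScope, Scp, Suspect | Format-Table -AutoSize

# For a Suspect server, the fix from the post is:
#   Set-ClientAccessServer -Identity <server> -AutoDiscoverSiteScope $null
```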

Got a Blackberry on BIS - Got Exchange/SBS - You Need a BES Express

 

If you were affected by the Blackberry Internet Service outage today (10th October 2011) and your Blackberry connects to an in-house email server running Exchange server (2003 or higher), then you really should be running a BES (Blackberry Enterprise Server) or BES Express (BESX).

A Blackberry connected to a BES/BESX gives you the full functionality of the Blackberry with true two way synchronisation of Email, Contacts, Calendar and Tasks. It is an extension of your Inbox. No need to maintain two sets of data that kind of synchronises. 

If you use BESX, then the software is free and you do not have to change your device subscription/tariff. For smaller installations the software can be installed on your server in  a few hours and give you complete control over the devices that connect. 

If you are in an industry where the email traffic is sensitive, the data exchanged between your Blackberry and the BES/BESX is encrypted with keys held by your own server, not by RIM, so it cannot be read in transit, including at RIM's network operations centre. This provides a more secure mobile email solution. 

Through my company Sembee Ltd, I can install and configure a BES Express for you for just £250 plus VAT if installed on to an existing server (other terms and conditions apply). That includes post installation configuration and guidance on maintenance, handset setup etc. 

For more information, contact me through the company web site at http://www.sembee.co.uk/ 

 

Future Version of Exchange Error When Removing Public Folder Database

During a recent migration from Exchange 2007 to 2010 I found I was unable to remove the public folder store from the Exchange 2007 server. 

It was returning the following error when using remove-publicfolderdatabase or using EMC on Exchange 2007. 

Remove-PublicFolderDatabase : Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).

The Exchange 2010 server had clearly touched the database in some way, probably as a result of the Offline Address Book migration. 

The fix was quite simple: remove it using the Exchange 2010 Exchange Management Shell. The Exchange 2010 GUI cannot be used, as the Exchange 2007 public folder databases do not appear in it.

Get-PublicFolderDatabase -Server EXCH2007 | Remove-PublicFolderDatabase

Where "Exch2007" is the name of the Exchange 2007 server. 

After removing the database I refreshed the GUI and was then able to drop the Storage Group and complete the removal of Exchange 2007. 

Case Study 1 - Three Men and a Little Server

14. February 2011 20:45 by Simon Butler in Case Study, Small Business Server

This case study is a little different from the normal deployments I do, because it is a very small installation - only three users. However it is a very high net worth deployment, and has shown to be very successful.

Background

Three people run a company providing professional services to much larger companies. All three live out in the countryside with their families.
The company doesn't have a central office, each spend most of their time with clients, or at home in a study type area.
At the time I was asked to assist, they were using a hosted Exchange solution and files were being stored all over the place. It was becoming a nightmare to manage.

They also wanted to do something about the speed.
Being in the countryside, broadband speed is an issue. None of the three homes has a speed fast enough to run a server. With young families, there was also the concern of other demands on the computer and broadband connection. This introduces problems with dealing with network security and generally trying to split the business computer work from leisure.

I was asked to come up with some kind of solution that would give them a decent speed where ever they are, and also protect their and the client data.

The Solution

The solution I proposed, and implemented in late 2010 was very simple, but highly effective.

Hardware: This was a single Dell PowerEdge server with eight disks and 30 GB of RAM, with space for more.

Software: On to the bare metal I installed VMware vSphere 4.1.
Then in to the virtual platform I installed six virtual machines:

VM 1: A Linux based firewall called pfSense. This protected the other machines.
VM 2: SBS 2008 Premium. Exchange 2007, commercial SSL certificate, all features enabled and turned on.
VM 3: Windows 2008. SQL Server. This also had BES Express and a monitoring tool for the VMWARE platform from Veeam.

VM 4 - 6: Windows 7 Professional. All three were identical, with Office, Adobe Acrobat Reader, AV and other tools installed.

Each of the workstation installations also had Dropbox installed.

The server was installed in to a data centre, where the data centre was able to provide backup storage for the server. Backup was provided by Backup Assist.

In Operation

The key to this implementation was the Terminal Services gateway feature of Windows 2008 and the RWW feature of SBS 2008.

What this allowed each staff member to do was connect to their virtual desktop in the data centre, from any machine and work. If they had to stop what they were doing, they could just disconnect, and come back to it.
This meant that working on the train, or at a client site, was perfectly possible. Each of them had a laptop with a 3G card, wireless, etc., so could get access back to the server easily. If the connection dropped for any reason, reconnecting would pick up from where they left off.

Dropbox was used to allow files to be moved between the virtual workstations in the data centre and their personal computer. This could be to work on a file locally, copy it to a USB stick, because it contained video or for printing. It was found that the printers at home didn't like RDP very much, so printing was disabled.

The Blackberry devices gave access to email, and crucially the little known feature that allows access to the file system.

Benefits of This Solution

The server was in a secure location, not dependent on one site's power or broadband. Email was quick, and filtering was done in the data centre.
No more emailing files to each other, they could be just copied to a network share. This made collaboration much easier.
As all data was stored in the data centre, if the laptop was stolen, was damaged or simply failed, the loss would be small and it would be easy to get up and running again.

At home, if someone was relegated to a child's computer because they were using Daddy's computer for "homework", then the impact was negligible, as all the computer required was the RDP client. The home broadband speed was fine for this kind of work. No concerns with data security while the children are on the computer, as it was all in the data centre.

This also means that the home and roaming computers can be anything, they don't have to worry about compatibility with the "office" . It just needs to be something recent that has an RDP client.

RDP clients are common, one staff member is using it with an Apple iPad. Other tablets are being investigated, and I wouldn't be surprised if a Blackberry Playbook was used when those are released.

Terminal Services

We did consider using a full terminal server, but this was discounted for a number of reasons, the main one being cost of licencing it. However should the company grow, a terminal server can be quickly added to the deployment with little fuss.

Conclusion

A compact single server installation has proven to be very cost effective and given these users performance and security that they are very happy with.

Sent Items Storage for Shared Mailboxes

The default behaviour of Outlook with regards to sent items continues to come up on forums as an issue.

By default, when you send an email using the From field via your Send As permissions, the item you have sent goes in to your own Sent Items folder. This is because you sent it, not the person whose mailbox it was sent from. This can be useful from a tracking point of view (who sent the email).

However it may also be useful for the item to be stored in the Sent Items folder of the Shared Mailbox so that other users or even the mailbox owner can see what was sent.

How you achieve this depends on the version of Outlook that you are running. The version of Exchange doesn't matter.

For Outlook 2003 and 2007, a registry change is required, following the installation of an update. If you are keeping the machines up to date, then further updates should not be required.
These registry changes are outlined in the following articles:

Outlook 2007
http://support.microsoft.com/kb/972148
Requires Outlook 2007 Hotfix: 970944
http://support.microsoft.com/kb/970944/

Outlook 2003
http://support.microsoft.com/kb/953804/
Requires Outlook 2003 Hotfix: 953803
http://support.microsoft.com/kb/953803/
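As an added example (not from the original post), this script applies the per-user registry change from the KB articles above, DelegateSentItemsStyle, for whichever of Outlook 2003 (11.0) and Outlook 2007 (12.0) the current user has run. The value name is the one documented in those articles; confirm it against the article for your exact version before deploying, and remember that without the matching hotfix the value does nothing.

```powershell
# Added example, not from the original post. Sets DelegateSentItemsStyle = 1 for
# the current user, for each installed Outlook 2003/2007. Run as the affected
# user; the hotfix from the KB article must already be installed.
$versions = @{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007' }

foreach ($v in $versions.Keys) {
    $outlook = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $outlook)) { continue }          # that version has never run as this user
    $prefs = Join-Path $outlook 'Preferences'
    if (-not (Test-Path $prefs)) { New-Item -Path $prefs -Force | Out-Null }
    New-ItemProperty -Path $prefs -Name DelegateSentItemsStyle -PropertyType DWord -Value 1 -Force | Out-Null
    $set = (Get-ItemProperty -Path $prefs -Name DelegateSentItemsStyle).DelegateSentItemsStyle
    "$($versions[$v]): DelegateSentItemsStyle = $set"
}
```

Outlook has to be restarted for the change to take effect. For more than a handful of users, push the same value through Group Policy Preferences or a logon script rather than setting it by hand.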


For older versions of Outlook, you will need to look at third party tools. The only ones that I am aware of are the tools from Ivasoft: http://www.ivasoft.biz/

For OWA, you will need to use a server side tool, again the third party tools from the above site are the only ones that I am aware of - and support for latest version of Exchange isn't available.

For Outlook 2010, no registry change is required, you just need to add the mailbox in a different way.
Instead of adding the mailbox as an additional mailbox through the Properties of the primary mailbox, add the additional mailbox as an additional Account. That means going through the new Account wizard again. This feature also allows you to have connections to another mailbox in another Exchange forest at the same time - I have used this to migrate public folders (see http://blog.sembee.co.uk/post/Cross-Forest-Public-Folder-Migration.aspx)

However, if you are using Outlook 2010, you should also be aware of the issues in this KB article: http://support.microsoft.com/kb/2297543 (Performance problems when you try to access folders in a secondary mailbox in Outlook 2010).

(Late posting because I forgot to press publish).