ISA 2006 and Exchange 2010 OWA SSL Publishing

It may be an unusual mix of products, but my ISA 2006 installation has been rock-solid and I haven’t seen a real need to upgrade to the newer TMG.

The scenario is as follows:

  • GoDaddy SSL Certificate Purchase
  • Secure Exchange 2010 with the certificate for OWA
  • Publish OWA via ISA using HTTPS

GoDaddy has pretty good guides for downloading and installing the certificate into IIS7 (assuming you’re running Exchange 2010 on Windows 2008).

When you try to publish the site using SSL via ISA 2006, ISA requires you to make it aware of the SSL certificate. This was not a requirement back in the day of ISA 2004. The world of IT seems to get more complicated with each revision.

If you import the SSL certificate onto the ISA 2006 server by just double-clicking on it, ISA still will not be able to see the certificate when you click on the Certificate tab for the Listener.

The correct way to import the certificate is via the MMC console.
Load up the MMC console and add the Certificates snap-in. Make sure you choose Computer Account, and then This Computer.

The certificate needs to be imported into the Personal section.

Here is the important part. You need to import the certificate with the Private Key. How do you do this?

If you don’t, you’ll probably have an error like:

  • Private key handle error
  • Private key not installed
  • See below…

Easy: go back to the Exchange 2010 server where you installed the GoDaddy certificate. Open IIS Manager, click on your server name on the left, then click on Server Certificates in the middle.

Then click on Export on the right. This will allow you to export the GoDaddy certificate you just purchased (or any other certificate for that matter) together with its private key. You know a private key is being exported because a password is required. Save this file somewhere and copy it to the ISA 2006 server.

Armed with a certificate with its private key, we can now import it into the certificate store. Resuming from where we left off, right-click on the Personal certificate store, All Tasks, Import. Display all files (*.*) and select the certificate you just copied over. You will need to enter the password you set earlier. Click Next and ensure the certificate is stored under Personal.

Last step is to tell ISA 2006 to use that certificate. With any luck, you’re greeted with all green ticks. Select the certificate and OK all the way out.

For later down the track…

I found that when my GoDaddy certificate expired, I renewed and updated the certificate on the Exchange 2010 server only. I did not reimport the certificate in ISA 2006 or install it into the certificate store. It seems to be running fine, with no certificate errors.

It seems ISA 2006 only wants to “see” the certificate initially, and subsequent renewals don’t seem to faze it.
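The same import done from PowerShell, plus the check the Listener’s Certificate tab is really making (is there a private key attached in Local Computer\Personal?). This is an added example, not from the original post: the PFX path and password are placeholders for whatever you exported from IIS, and the listing at the end is the quick way to see what ISA is holding after a renewal on the Exchange side.

```powershell
# Added example: import the PFX exported from IIS into Local Computer\Personal with its
# private key, then list what the store holds. Path and password are placeholders.
param(
    [string]$PfxPath     = 'C:\certs\owa-godaddy.pfx',   # placeholder: file exported from IIS
    [string]$PfxPassword = 'export-password'             # placeholder: password set at export time
)

function Import-PfxToMachinePersonal {
    param([string]$Path, [string]$Password)

    # MachineKeySet: store the key under the computer account, which is what a service such
    #                as ISA reads, rather than under the user running this script.
    # PersistKeySet: keep the key on disk once the certificate object is released; without
    #                it you get exactly the "private key not installed" symptom.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $Path, $Password, $flags

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
                 -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Get-MachinePersonalCertificates {
    # The three facts the ISA listener cares about: subject, expiry, private key present.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
                 -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    $list = @()
    foreach ($c in $store.Certificates) {
        $list += New-Object PSObject -Property @{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
        }
    }
    $store.Close()
    return $list
}

$imported = Import-PfxToMachinePersonal -Path $PfxPath -Password $PfxPassword
if (-not $imported.HasPrivateKey) {
    throw "Imported '$($imported.Subject)' but it has no private key; re-export from IIS with the key included."
}

# After a renewal on the Exchange side, run just the listing to see which certificate
# ISA still holds and when it expires.
Get-MachinePersonalCertificates | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize
```

If the listing shows HasPrivateKey as False for the certificate you just imported, the PFX was exported without the key, which is the double-click import failure described above in another guise.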

Also note that if you are trying to use Outlook Anywhere, this method may not work. Outlook Anywhere requires some more fiddling with ISA 2006 to allow the certificate to be passed through successfully. More info soon…

Exchange 2003 to 2010 Migration with Tips and Tricks

Now I know there are articles out there, but I wanted to write one that had enough detail for anyone attempting this to follow, but with as few steps as possible.

Obviously, make sure your Exchange 2003 server is working well before moving to 2010.

  1. Check the Default SMTP Virtual Server on the Exchange 2003 server to ensure you do not have any smart hosts configured (under First Administrative Group – Servers – Servername – Protocols – SMTP). A smart host there will prevent mail flow between the 2003 and 2010 servers.
  2. Install Exchange 2010 on the new server (I’m assuming single server here – not recommended by Microsoft). Plenty of articles on how to do this.
  3. Disable link state on Exchange 2003 and reboot (or restart the Exchange 2003 services). Open a Command Prompt, change to x:\Exchsrvr\bin and type Regsvr32 -u xlsasink.dll
  4. Move/create a mailbox onto the 2010 server. Connect Outlook or log into webmail on that server to conduct some tests. Test the following: Email flow between 2003 and 2010 mailboxes (both directions) and email flow from 2003 -> external and 2010 -> external
  5. If there are issues with mail flow between 2003 and 2010, delete and recreate the connectors. The connectors were set up automatically when you installed Exchange 2010.
  6. Replicate Public Folders and follow the other instructions as per this article (do everything but decommission the Exchange 2003 server): http://support.microsoft.com/default.aspx?kbid=822931
    Do not change Replication Schedule or Replication Priority when replicating the Public Folders. You could end up bogging down the connectors with excess traffic and grinding the Exchange servers to a halt.
  7. Move mailboxes. You will have to do this with the Exchange 2010 ESM (not the 2003).
  8. For seamless transition with Outlook 2003 clients, you need to disable the requirement for encrypted connection.
    Run this in the Exchange Powershell on the 2010 server:
    Set-RpcClientAccess -Server <servername> -EncryptionRequired $False
    Otherwise, in Outlook 2003 you will need to choose the Encrypt Connection between Outlook and Exchange server option. This is not hard; however, in migration scenarios it will prevent a seamless handover between legacy Exchange 2003 servers and Exchange 2010 servers while you are moving mailboxes.
  9. I would leave the Exchange 2003 server running for 2 weeks before removing it, to ensure there is an automatic handoff to the new Exchange 2010 server when users connect with Outlook for the first time. Otherwise you will be running around reconfiguring Outlook to point to the new 2010 server.
  10. Rehome the Recipient Update Services. Use the Exchange 2003 System Manager to do so. Point it to the other Exchange server and the correct Domain Controller.
  11. Remove Exchange 2003 server as per article above from Microsoft.
  12. It’s not unusual during a migration like this to have errors with the Offline Address Book and Global Address List. If you are getting such errors during Send/Receive in Outlook, you may have to rebuild/recreate the Offline Address Book after all the above steps have been completed. A symptom of a faulty OAB/GAL is that newly created users do not appear. A temporary workaround is to get your users to type in the full email address for the time being.
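A set of checks for steps 4, 5 and 8, to run in the Exchange Management Shell on the 2010 server once the first mailbox has been moved. This is an added example and not part of the original post; the server names are placeholders, and it reads the 2010 message tracking log to confirm mail has actually crossed between the two servers rather than relying on a hand-sent test message.

```powershell
# Added example: post-move checks for the 2003 -> 2010 migration. Server names are placeholders.
param(
    [string]$Server2010 = 'EX2010',   # placeholder: the new Exchange 2010 server
    [string]$Server2003 = 'EX2003',   # placeholder: the legacy Exchange 2003 server
    [int]   $HoursBack  = 24          # how far back to look in the message tracking log
)

function Test-InteropConnector {
    # Step 5: the routing group connector carries mail between the 2003 routing group and
    # 2010. It must exist, include the 2010 server and (normally) be bidirectional.
    $rgc = Get-RoutingGroupConnector | Where-Object {
        ($_.SourceTransportServers -like "*$Server2010*") -or
        ($_.TargetTransportServers -like "*$Server2010*")
    }
    if (-not $rgc) {
        Write-Warning "No routing group connector involves $Server2010. Recreate it, e.g.:"
        Write-Warning "  New-RoutingGroupConnector -Name 'Interop RGC' -SourceTransportServers $Server2010 -TargetTransportServers $Server2003 -Bidirectional `$true"
        return $null
    }
    $rgc | Select-Object Name, Bidirectional, Cost, SourceTransportServers, TargetTransportServers
}

function Test-RpcEncryption {
    # Step 8: Outlook 2003 does not encrypt RPC by default, so the 2010 side must not require it.
    $rpc = Get-RpcClientAccess -Server $Server2010
    if ($rpc.EncryptionRequired) {
        Write-Warning "EncryptionRequired is True on $Server2010; Outlook 2003 clients will not connect. Turning it off."
        Set-RpcClientAccess -Server $Server2010 -EncryptionRequired $false
        $rpc = Get-RpcClientAccess -Server $Server2010
    }
    $rpc | Select-Object Server, EncryptionRequired
}

function Get-LegacyMailflowSummary {
    # Step 4: 2003 hands mail to 2010 over SMTP, so inbound traffic shows up as RECEIVE events
    # whose ClientHostname is the 2003 server; outbound to 2003 shows as SEND events whose
    # ServerHostname (the next hop) is the 2003 server.
    $since  = (Get-Date).AddHours(-$HoursBack)
    $events = Get-MessageTrackingLog -Server $Server2010 -Start $since -ResultSize Unlimited
    $inbound  = @($events | Where-Object { $_.EventId -eq 'RECEIVE' -and $_.ClientHostname -like "$Server2003*" })
    $outbound = @($events | Where-Object { $_.EventId -eq 'SEND'    -and $_.ServerHostname -like "$Server2003*" })
    New-Object PSObject -Property @{
        Since            = $since
        ReceivedFrom2003 = $inbound.Count
        SentTo2003       = $outbound.Count
    }
}

Test-InteropConnector     | Format-Table -AutoSize
Test-RpcEncryption        | Format-Table -AutoSize
Get-LegacyMailflowSummary | Format-List
```

A zero in either direction after you have sent test mail both ways points straight at step 1 (a smart host on the 2003 SMTP virtual server) or step 5 (a broken connector), which is where the post says to look.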

Exchange 2007/2010 Active Sync 0x85010004 or 85010014

Are you using the administrator account to test with activesync? You shouldn’t be!

If you are getting this message in the Event Log: User “domainname\administrator” cannot synchronize their mobile phone with their mailbox because Exchange ActiveSync has been disabled for this user.

And on your Windows Mobile phone you have error code 0x85010004.

It’s probably because you’re trying to use the administrator account to test with! This is not supported under Exchange 2007/2010 as the administrator does not inherit permissions in AD which makes it hard to give it activesync rights. Use a user’s account instead!

If this is not the case, then try one of two things (I found this normally happens when migrating from 2003 -> 2007/2010; I have never seen it with a fresh install):

  1. Remove and recreate ActiveSync Directory (use Exchange Powershell)
    Remove-ActiveSyncVirtualDirectory -Identity "Microsoft-Server-ActiveSync (Default Web Site)"
    New-ActiveSyncVirtualDirectory -Server "xxx" -WebSiteName "Default Web Site" -ExternalURL "http://www.xxx.com/Microsoft-Server-ActiveSync"

    or for a single server deployment
    New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL "http://www.xxx.com/Microsoft-Server-ActiveSync"

  2. Use PowerShell to give the user ActiveSync rights
    Set-CASMailbox -Identity <username> -ActiveSyncEnabled $true

    Also, more specifically for error 85010014:
    Make sure you check that the user does inherit permissions from the parent. Load up ADU&C – make sure View -> Advanced Features is ticked – find the user – Properties – Security – Advanced – tick Allow inheritable permissions from the parent… – OK all the way back out.

Other than that, make sure you check the obvious. Are you using SSL on both the Exchange and device side, or are you turning it off? It must match up.
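Before clicking through ADU&C, it is worth knowing which of the causes above you are looking at. The added script below (not from the original post) reports the mailbox-side ActiveSync flag and the AD-side inheritance state for one account in the Exchange Management Shell; the account name is a placeholder. The inheritance check is what matters for 85010014, and the adminCount flag it also reports is the reason the post says not to test with Administrator: accounts protected by AdminSDHolder have inheritance stripped again by SDProp every hour, so the ADU&C tick does not stick on them.

```powershell
# Added example: which ActiveSync cause applies to a given account? Name is a placeholder.
param([string]$User = 'jsmith')   # placeholder sAMAccountName

function Get-ActiveSyncReadiness {
    param([string]$SamAccountName)

    # Mailbox side: the event log's "Exchange ActiveSync has been disabled for this user".
    $cas = Get-CASMailbox -Identity "$env:USERDOMAIN\$SamAccountName"

    # AD side (85010014): does the user object inherit ACEs from its parent container?
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No AD user with sAMAccountName '$SamAccountName'." }
    $entry = $hit.GetDirectoryEntry()

    New-Object PSObject -Property @{
        User                     = $SamAccountName
        ActiveSyncEnabled        = $cas.ActiveSyncEnabled
        InheritanceBlocked       = $entry.ObjectSecurity.AreAccessRulesProtected
        # adminCount=1 marks accounts that SDProp rewrites from AdminSDHolder every hour
        ProtectedByAdminSDHolder = ($entry.Properties['adminCount'].Value -eq 1)
    }
}

$status = Get-ActiveSyncReadiness -SamAccountName $User
$status | Format-List User, ActiveSyncEnabled, InheritanceBlocked, ProtectedByAdminSDHolder

if (-not $status.ActiveSyncEnabled) {
    # Option 2 from the post
    Set-CASMailbox -Identity "$env:USERDOMAIN\$User" -ActiveSyncEnabled $true
}
if ($status.ProtectedByAdminSDHolder) {
    Write-Warning "$User is an AdminSDHolder-protected account; test ActiveSync with an ordinary user instead."
} elseif ($status.InheritanceBlocked) {
    Write-Warning "$User does not inherit permissions; re-enable inheritance in ADU&C as described above."
}
```

Note that ProtectedByAdminSDHolder is the reliable signal here: an ordinary user who shows InheritanceBlocked is a one-off fix in ADU&C, while a protected account will lose the setting again within the hour.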

Exchange 2007 and 2010 – Total emails/messages sent and received

I had a request to find out the number of emails sent out of an Exchange server as they wanted it for auditing purposes. Message tracking center is cumbersome to use for this. Instead, the performance monitor was fairly good (but had limitations).

To get to Performance Monitor for Exchange (you can use the standard one too if you want), load up Exchange Management Console – Toolbox – Performance Monitor.

Right-click on the graph and choose Add Counters. Choose MSExchangeTransport SmtpReceive, highlight _total and click Add. Do the same for MSExchangeTransport SmtpSend.

Once added, scroll through the counter list on the bottom and highlight either Messages Sent Total or Messages Received Total. Look at the number in Last. This is the number of emails sent or received.

Your next question is, “emails sent or received since when?” The answer is: since the server was last restarted. To find out when it was last restarted, open a command prompt and type “net statistics server” or “net statistics workstation”. It will give you the date and time those two services were last started, which coincides with when the server was restarted (as these two services cannot be restarted without restarting the server).
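The same two counters can be read from PowerShell, which also lets you answer the “since when” question in the same place. This is an added example, not from the original post; the computer name defaults to the local machine and the counter paths are the standard MSExchangeTransport ones the post names. Because the counters live in the transport process (EdgeTransport.exe), they reset whenever the MSExchangeTransport service restarts, not only on a reboot, so the script reports that process’s start time alongside the boot time.

```powershell
# Added example: read the Performance Monitor totals and work out the period they cover.
param([string]$ComputerName = $env:COMPUTERNAME)   # defaults to the local Hub Transport server

function Get-SmtpMessageTotals {
    param([string]$Computer)
    $paths = @(
        '\MSExchangeTransport SmtpReceive(_total)\Messages Received Total',
        '\MSExchangeTransport SmtpSend(_total)\Messages Sent Total'
    )
    $samples = (Get-Counter -ComputerName $Computer -Counter $paths).CounterSamples
    New-Object PSObject -Property @{
        Received = ($samples | Where-Object { $_.Path -like '*Messages Received Total' }).CookedValue
        Sent     = ($samples | Where-Object { $_.Path -like '*Messages Sent Total' }).CookedValue
    }
}

function Get-LastBootTime {
    # Same fact as "net statistics server", read from WMI
    param([string]$Computer)
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
    return $os.ConvertToDateTime($os.LastBootUpTime)
}

function Get-TransportStartTime {
    # The counters are kept by EdgeTransport.exe, so they reset whenever it restarts
    param([string]$Computer)
    $p = Get-WmiObject Win32_Process -ComputerName $Computer -Filter "Name='EdgeTransport.exe'"
    if (-not $p) { throw "EdgeTransport.exe is not running on $Computer" }
    return $p.ConvertToDateTime($p.CreationDate)
}

function Get-SmtpCountSummary {
    param([string]$Computer)
    $totals    = Get-SmtpMessageTotals  -Computer $Computer
    $boot      = Get-LastBootTime       -Computer $Computer
    $transport = Get-TransportStartTime -Computer $Computer
    $days      = [math]::Max(((Get-Date) - $transport).TotalDays, 0.01)
    New-Object PSObject -Property @{
        ServerLastBoot        = $boot
        TransportStarted      = $transport
        MessagesReceivedTotal = $totals.Received
        MessagesSentTotal     = $totals.Sent
        ReceivedPerDay        = [math]::Round($totals.Received / $days, 1)
        SentPerDay            = [math]::Round($totals.Sent / $days, 1)
    }
}

Get-SmtpCountSummary -Computer $ComputerName | Format-List
```

If TransportStarted is later than ServerLastBoot, the service was restarted at some point and the totals only cover the shorter period. For an audit figure that has to span restarts, the message tracking log (Get-MessageTrackingLog over a date range) is the durable source; the counters are the quick answer.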

Hope this helps!