Saturday, 29 May 2010

Exchange Servers and Certificates

In a previous post I detailed how to configure Outlook Anywhere, which relies on HTTPS. HTTPS needs a certificate infrastructure, and this post should show you how to configure your CA, issue and distribute the necessary Exchange certificate, and configure Exchange and its clients.

1. Install the Active Directory Certificate Services role on a member server or a domain controller. During installation of the service make sure that you choose an enterprise server.

2. Create a duplicate version 3 template of the Web Server certificate template. This version allows you to create a certificate with multiple subject alternative names (a SAN certificate). Make sure that the Internet-facing CAS machine is listed on the template's Security tab (ACL) so that it is allowed to enrol.

3. Ensure that the template created is defined in the list of templates provided by your CA.

4. On the Internet-facing CAS, using an elevated MMC with the Certificates (Local Computer) snap-in added, request a computer certificate from the CA.

5. During the request you can define multiple subject alternative names by adding different DNS names. The names I suggest are based on the following public ( and private (compulinx.local) DNS names.


6. As you can see from point 5, multiple DNS names are included. These represent both public and private names (where mail is the public name and ex1 is your Exchange server's NetBIOS name). The same certificate can be used for internal and external clients. You can choose not to include the internal names for security (personally I wouldn't worry, considering that if a hacker can make an intrusion using a NetBIOS name then you might as well give them a domain account!). However, you should include an SRV record in your DNS (_autodiscover._tcp, port 443) that maps to the CAS machine.

7. Once the CAS machine has the Exchange certificate, check the Trusted Root Certification Authorities store for the root CA certificate. Copy this certificate to any workgroup client that will use Outlook and Outlook Anywhere.

8. You will need to establish that Exchange uses the requested certificate. First, determine what certificates are on board by using the following command:

[PS] Get-ExchangeCertificate -DomainName EX1 | fl subject,thumbprint

You will most likely find two certificates in the list: the certificate just requested and the original self-signed certificate. You can delete the self-signed one from the MMC Personal certificates snap-in. We now need to enable the new certificate for use with the various Exchange services.

[PS] Get-ExchangeCertificate -Thumbprint abcdef  | Enable-ExchangeCertificate -Services "IIS,SMTP"
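As an added example (my code, not from the original post), the following EMS script automates step 8: it looks for a CA-issued, currently valid certificate whose subject alternative names cover every name clients will use, enables it for IIS and SMTP, and then lists everything that is installed so any leftover self-signed certificate is visible. It assumes it is run on the CAS itself; the required names are placeholders to replace with your own.

```powershell
# Added example: select and enable the SAN certificate requested in steps 4-5.
# Assumed values: run on the CAS itself; the public names are placeholders.
$requiredNames = @("mail.example.com",          # placeholder: public name clients use
                   "autodiscover.example.com",  # placeholder: public Autodiscover name
                   "ex1.compulinx.local")       # internal name used in this post

# Candidates: not self-signed, not expired, and with a chain Exchange considers valid.
$candidates = Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) -and "$($_.Status)" -eq "Valid"
}

# Keep only certificates whose SAN list covers every required name (case-insensitive),
# preferring the one that expires last.
$cert = $candidates | Where-Object {
    $sans    = @($_.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing = @($requiredNames | Where-Object { $sans -notcontains $_.ToLower() })
    $missing.Count -eq 0
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid CA-issued certificate covers all of: $($requiredNames -join ', ')"
}

Write-Host ("Enabling {0} (issuer: {1}, expires {2})" -f $cert.Thumbprint, $cert.Issuer, $cert.NotAfter)
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP" -Force

# Show what is bound now; a self-signed certificate still listed here is the one the post
# says you can remove from the Personal store.
Get-ExchangeCertificate |
    Format-Table Thumbprint, IsSelfSigned, Services, NotAfter, CertificateDomains -AutoSize
```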

Friday, 28 May 2010

The Client Access Server Role Pt4

Outlook Anywhere and Autodiscover

Microsoft Outlook 2007/2010 Autodiscover is an Exchange Server 2007/2010 service, or more specifically an Exchange web service, which allows Outlook 2007 profiles in your organization to be configured easily. To automatically configure and connect previous versions of Outlook to Exchange 2000 and 2003 servers, you needed to use the Custom Installation Wizard from the Office Resource Kit or a similar tool. Now users can configure their Outlook profile themselves: they only need to click Next a few times and specify their e-mail address and password. This allows an Outlook 2007/10 profile to be built irrespective of whether the client machine is an AD member or in a workgroup.

The last point made here is an important consideration. An AD machine member is able to query active directory and determine the location of the Exchange server and then communicate directly with that server. An employee on a home desktop would need to VPN into the office network and via the authenticated tunnel be able to make this query and exchange connection.

The Outlook client uses MAPI (Messaging Application Programming Interface), which allows client programs to become 'messaging-aware'. Remember that it's an API: it needs a transport mechanism to connect to your Exchange server. Here comes RPC. MAPI calls are transported using RPC, hence the expression MAPI over RPC. This all works great if your machine is physically on the office wire and AD authenticated, or, as mentioned, you first VPN to the office. But you can also now connect Outlook without the use of a VPN!
RPC can be encapsulated in HTTPS, which can then traverse your office firewall, be decapsulated by an RPC/HTTP proxy and allow communication with your Exchange server. This is called Outlook Anywhere, and it relies on the Autodiscover service for seamless Outlook configuration. To set up Outlook Anywhere and automatic configuration, read on and follow these steps...

Configuration of Outlook Anywhere

  • Outlook Anywhere is not enabled by default. Before enabling it, ensure that you add the RPC over HTTP Proxy feature on the CAS server.
  • Because HTTPS is used, ensure that you have a suitable SAN certificate installed. I will detail how to do this in a later post. It is worth remembering that the client machine must have the trusted root certificate installed.
You can enable Outlook Anywhere by using the following EMS command. As you can see, you will need to determine the method of authentication, the public DNS name that users use to connect from the Internet, and whether SSL offloading is used.

[PS] Enable-OutlookAnywhere -ExternalHostname mail.[public-domain] -DefaultAuthenticationMethod Basic -SSLOffLoading:$false

If you need to change the authentication method later on you can by using the following:

[PS] Set-OutlookAnywhere "EX1\RPC (Default Web Site)" -DefaultAuthenticationMethod NTLM

Configuration of Autodiscovery

Now the tricky bit! Autodiscover allows the automatic configuration of Outlook 2007/10 and mobile devices. In a nutshell, the service provides an XML file to the client with information on where and how to connect to your Exchange server. Internal clients query AD (as domain members) to find the XML file. External Internet clients use DNS. Let's be more specific.

The LDAP query made by domain members is an attempt to locate the Service Connection Point (SCP) for the autodiscover service (which provides the XML file). The SCP object lives in the configuration partition with the other Exchange configuration objects. Try the following:
  • Open LDP
  • Click Browse then Search and supply the following information:

The output you should see will provide the serviceBindingInformation (the location of the XML file), something like this:

   serviceBindingInformation: https://EX1.compulinx.local/Autodiscover/Autodiscover.xml

As you can see this is the Internal domain reference of the Autodiscover web service and the XML file. Outlook will then connect to the service using the location information provided and download the XML file.
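The LDP search above can also be scripted. This added example (mine, not from the post) runs the same LDAP query a domain-joined Outlook runs against the configuration partition, filtering on the well-known Autodiscover SCP keyword GUID, and then shows the same values as Exchange reports them. Checking this list is worthwhile because a domain client will trust whichever Autodiscover URL it finds here, so a stale or unexpected SCP sends clients to the wrong place. The list of known CAS names is an assumption.

```powershell
# Added example: list Autodiscover service connection points (SCPs) straight from AD.
# 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the well-known keyword Exchange stamps on them.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)" +
                       "(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))"
$searcher.PageSize   = 200
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "serviceBindingInformation", "keywords", "whenChanged"))

$scps = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties          # property names come back lower-cased
    New-Object PSObject -Property @{
        Server      = [string]$p["cn"][0]
        Url         = [string]$p["servicebindinginformation"][0]
        SiteScope   = (@($p["keywords"]) | Where-Object { $_ -like "Site=*" }) -join ","
        LastChanged = $p["whenchanged"][0]
    }
}
$scps | Format-Table Server, Url, SiteScope, LastChanged -AutoSize

# Flag SCPs whose URL is not HTTPS or does not point at a host you recognise as a CAS.
$knownCas = @("ex1.compulinx.local")      # assumption: the CAS name used in this post
$scps | Where-Object { $_.Url } | Where-Object {
    $u = [Uri]$_.Url
    $u.Scheme -ne "https" -or $knownCas -notcontains $u.Host.ToLower()
} | ForEach-Object { Write-Warning "Unexpected Autodiscover SCP on $($_.Server): $($_.Url)" }

# The same information as Exchange itself reports it (needs the Exchange Management Shell).
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope -AutoSize
```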

The file will provide the URL location for a number of different services running on the CAS server:

You can trace what happens during the connection by typing the following:

[PS] Test-OutlookWebServices

The output is lengthy, but you can determine a lot from it:

The SCP is located
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id : 1019
Type: Information
Message: A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://EX1.compulinx.local/Autodiscover/Autodiscover.xml.

The Autodiscover Service is contacted

RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1006
Type: Information
Message: Contacted the Autodiscover service at https://

The Availability Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1024
Type: Success
Message: [EXCH] Successfully contacted the AS service at https://
EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 93 milliseconds.

The Unified Messaging Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1026
Type: Success
Message: [EXCH] Successfully contacted the UM service at https://
EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 15 milliseconds.

The RPC/HTTP proxy is contacted (therefore Outlook Anywhere)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1128
Type: Success
Message: [EXPR] Successfully contacted the RPC/HTTP service at https://EX1.compulinx.local/rpc. The elapsed time was 0 milliseconds.

Notice here that the URLs reference the internal namespace (i.e. the domain.local reference, as I am not using split DNS). This all indicates that internal users have no problem using Autodiscover to connect Outlook clients and have them configured automatically. But please understand that the URLs returned are internal references. Workgroup Internet users can't use these URLs (for one thing, .local is being used and this is not a valid TLD).

External users must be able to obtain the XML file as well, and the URLs returned must reference the public DNS namespace.
The CAS server running Autodiscover can be found by updating the client's hosts file or by updating the public DNS (i.e. a record for its public IP). During configuration of Outlook the user is prompted to enter a name, an e-mail address and a password. The domain name is taken from this e-mail address and the client prefixes it with autodiscover. A public DNS lookup is made. Now the client will pass through the corporate firewall, where HTTPS has been redirected to your CAS server.
The URL used is https://autodiscover.smtpdomain/Autodiscover/Autodiscover.xml. Once contacted, the XML file will be returned, but this time the URLs are public.
You should make sure that the services Autodiscover points clients to have both the correct internal and external references. From the test output above you can see that this needs to be checked for the following:
  • Web services virtual directory
  • Offline Address Book
  • Unified Messaging
  • Outlook Anywhere
The web services virtual directory in fact covers a lot of services, including Out of Office, the Availability Service for free/busy, and Unified Messaging. To determine the current configuration type:

[PS] Get-WebServicesVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-WebServicesVirtualDirectory -Identity "EX1\EWS (Default Web Site)" -InternalURL https://EX1.compulinx.local/EWS/Exchange.asmx -ExternalURL https://mail.[public-domain]/EWS/Exchange.asmx -BasicAuthentication:$true

To determine the current configuration of the offline address book type:

[PS] Get-OABVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-OABVirtualDirectory -Identity "EX1\OAB (Default Web Site)" -InternalURL https://EX1.compulinx.local/OAB -ExternalURL https://mail.[public-domain]/OAB -RequireSSL:$true

To determine the URLs used by Outlook Anywhere:

[PS] Get-OutlookAnywhere | fl

To configure the correct external URL type:

[PS] Enable-OutlookAnywhere -ExternalHostname mail.[public-domain] -DefaultAuthenticationMethod Basic -SSLOffLoading:$false
(You did this above when you enabled Outlook Anywhere.)

You will also need to check and set the external URL for ActiveSync:

[PS] Get-ActiveSyncVirtualDirectory | fl

[PS] Set-ActiveSyncVirtualDirectory -Identity "EX1\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.[public-domain]/Microsoft-Server-ActiveSync
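As an added example that is not part of the original post, the script below applies the Set-* commands above from one pair of hostnames, so the internal and external namespaces cannot drift apart, and then audits what each virtual directory now advertises. It assumes the server name EX1 and the internal name used in this post; the public name is a placeholder to replace.

```powershell
# Added example: set every Autodiscover-advertised URL from one pair of hostnames, then audit.
$server       = "EX1"                  # CAS name used in this post
$internalHost = "ex1.compulinx.local"  # internal name used in this post
$externalHost = "mail.example.com"     # placeholder: the post does not show the public name

Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$internalHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$externalHost/EWS/Exchange.asmx" -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$internalHost/OAB" `
    -ExternalUrl "https://$externalHost/OAB" -RequireSSL:$true
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$internalHost/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync"
Set-OutlookAnywhere -Identity "$server\RPC (Default Web Site)" -ExternalHostname $externalHost

function Test-UrlHost([string]$url, [string]$hostName) {
    # True when $url is HTTPS and its host is exactly $hostName (string -eq is case-insensitive).
    if (-not $url) { return $false }
    $u = [Uri]$url
    return ($u.Scheme -eq "https") -and ($u.Host -eq $hostName)
}

# Audit: internal URLs must carry the internal host, external URLs the public host, all over HTTPS.
$vdirs = @((Get-WebServicesVirtualDirectory -Server $server),
           (Get-OABVirtualDirectory -Server $server),
           (Get-ActiveSyncVirtualDirectory -Server $server))
$report = foreach ($v in $vdirs) {
    New-Object PSObject -Property @{
        VirtualDirectory = $v.Name
        InternalUrl      = "$($v.InternalUrl)"
        ExternalUrl      = "$($v.ExternalUrl)"
        Consistent       = (Test-UrlHost "$($v.InternalUrl)" $internalHost) -and
                           (Test-UrlHost "$($v.ExternalUrl)" $externalHost)
    }
}
$report | Format-Table VirtualDirectory, Consistent, InternalUrl, ExternalUrl -AutoSize
Get-OutlookAnywhere -Server $server | Format-Table ServerName, ExternalHostname, SSLOffloading -AutoSize

# An inconsistent entry is exactly what an external client would be handed in the Autodiscover XML.
$report | Where-Object { -not $_.Consistent } |
    ForEach-Object { Write-Warning "$($_.VirtualDirectory): internal/external URL mismatch" }
```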

Wednesday, 5 May 2010

The Client Access Server Role Pt3

Exchange 2010 and Mobile Devices

Mobile devices like PDAs and mobile phones can connect to Exchange 2010 to send and read e-mail messages and other items such as calendar, contacts and tasks. The technology behind this is ActiveSync. ActiveSync is based on HTTP/HTTPS and is designed to connect mobile devices across the Internet.

Enabling/Disabling ActiveSync

ActiveSync is on by default, but you can turn it off by configuring IIS on the CAS. To do this, do the following:

1. Open IIS Manager from Administrative Tools
2. In the console tree open the Application Pools node
3. Locate MSExchangeSyncApplicationPool
4. Select Stop from the Actions menu

This will disable ActiveSync. Conversely, choosing 'Start' will enable ActiveSync.

Enabling/Disabling ActiveSync per User

ActiveSync can be enabled or disabled on a per-user basis with the following commands:

[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $True
[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $False

Restrict Mobile Devices

By default users can synchronize any ActiveSync-capable device with Exchange. You can prevent users from connecting with specific devices by using a device's 'Device ID'. However, you should understand that you can only determine this value once an ActiveSync device has connected and synchronized with Exchange.

The device ID can be determined by using Get-ActiveSyncDeviceStatistics:

[PS] Get-ActiveSyncDeviceStatistics -Mailbox [alias] | ft DeviceModel, DeviceID, DevicePhoneNumber

The DeviceID is based on the International Mobile Equipment Identity (IMEI). As mentioned, this can be obtained once synchronization has occurred. You can get the number by typing *#06# on the mobile device.
You can add the device to a block list by typing the following:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs 356059038180488

You can block every device except the device you want to use with the following command:

[PS] Set-CASMailbox [alias] -ActiveSyncAllowedDeviceIDs 356059038180488

With the above command every device is blocked except this one.
To clear the device ID from the block list and the allowed list, type the above commands but use $null instead of the IMEI number:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs $Null

Mobile Device Policies

Different devices used by your users have different features and settings. You can define which features and settings are provided for your users by establishing Mobile Device Policies. By default, a single policy is built and is visible:

1. In the EMC, browse to Organization Configuration, Client Access node
2. Select Exchange ActiveSync Mailbox Policies
3. You should see a policy called Default

This policy is applied to all your users.

Create A New Mobile Device Policy

You can create a new policy in the EMS by typing the following:

[PS] New-ActiveSyncMailboxPolicy "Managers"

This creates a new policy with default settings; in this scenario the policy will be used for company managers.

Set the New Policy to Users and Groups

You can define which groups/users should use the new policy with the following:

[PS] Get-Mailbox andrew | Set-CASMailbox -ActiveSyncMailboxPolicy Managers

Disable/Enable Mobile Device Features

Once users and groups have been assigned you can control which features you want to be enabled or disabled.

These include the following features:
• Removable storage
• Camera
• Wireless network adapter
• Infrared port
• Internet sharing
• Remote desktop
• Synchronization with a PC
• Bluetooth functionality

These features can be turned off using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -AllowCamera $false

This will turn off the use of the camera on the mobile device. However, this depends on the device model and only really applies to Windows Mobile devices.

Manage Synchronization Settings

You can also control synchronization settings. These include the following items:
• How old e-mails and calendar items have to be before they are no longer synchronized
• Maximum size of e-mail attachments
• Direct Push, which pushes e-mail to devices and does not require manual or scheduled synchronization at the device end
• Formatting of messages as HTML or text

This can all be done using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -MaxEmailBodyTruncationSize 75 -AttachmentsEnabled $false

This will allow a maximum e-mail body size of 75KB and disable attachments.

Protection of Mobile Devices

Protection of devices is essential. A first step is ensuring password protection on the device. The password requirements can be quite granular:

As you can see, the password setup can be quite involved. You can see from the above diagram that the number of failed attempts is set to 8. Any more than this and the device is wiped clean, destroying all data stored on the device! So I suggest you select Enable Password Recovery. If you do this, a secondary password is generated and maintained on Exchange. An administrator can obtain this password, as can the user via OWA.

If the administrator requires access to the recovery password, simply select the user's mailbox in the EMC and in the action pane click the Manage Mobile Phone option. The recovery password is displayed and can then be given to the user.

A user who has forgotten her password can find the recovery password through the control panel in OWA.

The recovery password can also be obtained using the EMS. You will need to specify the ShowRecoveryPassword parameter in order for the password to be displayed. Try the following:

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" -ShowRecoveryPassword | fl DevicePhoneNumber, RecoveryPassword
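As an added example (my code, not the post's), this script builds the "Managers" policy from the earlier sections with the device-protection settings discussed here, applies it to every mailbox in a distribution group rather than one user at a time, and reports which devices have picked it up. The group name is an assumption and the policy values are illustrative.

```powershell
# Added example: create/configure the "Managers" ActiveSync policy and assign it to a group.
$policyName = "Managers"
$groupName  = "Managers"   # assumed distribution group holding the managers' mailboxes

if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# Device protection (see "Protection of Mobile Devices") plus the feature and sync limits above.
$settings = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 8           # the post's value: one more failure wipes the device
    MaxInactivityTimeDeviceLock        = "00:10:00"  # lock after 10 idle minutes
    PasswordRecoveryEnabled            = $true       # escrow a recovery password in Exchange
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false      # refuse devices that cannot enforce the policy
    AllowCamera                        = $false
    AllowStorageCard                   = $false
    MaxEmailBodyTruncationSize         = 75
    AttachmentsEnabled                 = $false
}
Set-ActiveSyncMailboxPolicy -Identity $policyName @settings

# Assign the policy to each mailbox in the group; devices pick it up on their next sync.
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq "UserMailbox" }
foreach ($m in $members) {
    Set-CASMailbox -Identity $m.PrimarySmtpAddress.ToString() -ActiveSyncMailboxPolicy $policyName
}

# Verify: every member should show the policy, and each synced device reports whether it applied it.
foreach ($m in $members) {
    Get-CASMailbox -Identity $m.PrimarySmtpAddress.ToString() |
        Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
    Get-ActiveSyncDeviceStatistics -Mailbox $m.PrimarySmtpAddress.ToString() |
        Format-Table DeviceModel, DeviceID, LastSuccessSync, DevicePolicyApplied -AutoSize
}
```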

Remote Wipe

You can perform a remote wipe of a lost or stolen device. When I say wipe I really mean WIPE! Data on the device and any storage cards will be erased. The process can be performed using both the console and the shell. To perform a wipe using the shell, perform the following two steps:

1. Get a list of devices for the unfortunate user

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" | fl Identity

2. Wipe the device using the returned device identity

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity]

You can also do the same thing and send a notification e-mail to inform the person of the wipe (just to keep them happy!):

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity] -NotificationEmailAddresses [address]