Paginas

07 June 2016

Publishing Exchange 2010 Services in ISA 2006 or TMG 2010 with Certificates

 
 


In this Post I will show you how to Publish all of the Exchange Services in Firewall Rules (with certificates) so you can access it through Webmail, ActiveSync and/or Outlook Anywhere.

This will work with Microsoft Exchange 2007/2010 and Microsoft ISA 2006 and TMG 2010. Other versions of Exchange will work, but you will need to change some of the paths in the Firewall.

The Steps are:
  1. Create and Import the Certificates;
  2. Configure the Exchange Server;
  3. Create the Web Listener in the Firewall;
  4. Configure of the Publishing Rules
    1. WebMail (OWA)
    2. Outlook Anywhere
    3. ActiveSync
  5. Troubleshooting
With this configuration you can access your Email from Outside/Internet using your favorite browser or any mobile application that use Exchange Services or ActiveSync. With Outlook Anywhere you can use your Outlook like you were in the Office.

So, let's begin!


1. Create and Import the Certificates

  • Create a new certificate request in the Exchange Management Shell
New-Exchangecertificate -domainname owa.lab.com, lab.com, lab, autodiscover.lab.com, autodiscover.lab, lab-e2k10.lab.com, owa.lab.com, lab-e2k10 -Friendlyname "Microsoft Exchange 2010" -generaterequest:$true -keysize 1024 -path c:\mailcertrequest-25052016.req -privatekeyexportable:$true -subjectname "DC=lab, DC=com, o=LAB, CN=owa.lab.com"

Result
Thumbprint   Services Subject 978200E549A8E7B150879BA96B996DAF1B38D847 ..... CN=owa.lab.com, O=LAB...

NOTE: The first SAN name must be equal to the Common Name (in red)

  • Get the Certificate
If you don't have any CA installed, you can install it very quickly with the default configurations (don't forget to install CA Web Enrollment). Please follow carefully the instructions from Microsoft:
https://technet.microsoft.com/en-us/library/cc731183(v=ws.11).aspx

Now, if you open the browser and change the address to http://CA-SERVER-NAME/certsrv you can request a new certificate:


Click in Request a Certificate and then in Advanced certificate request choose "Certificate request by using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file".

Open the request file created with the powershell command c:\mailcertrequest-25052016.req, select everything (CTRL + A) and copy paste into the form. Select the Web Server Template:



Submit the Request and Choose the option "Download Certificate" (ex: C:\new_cert.cer).
Now go back to the Exchange Powershell and import the newly created certificate with the command:
 Import-ExchangeCertificate -path c:\new_cert.cer

Result
Thumbprint                                                                          Services      Subject ---------- -------- ------ A547C648A75B141BFBCD1E7D4FE23A0F6FC06149     .....             CN=owa.lab.com, O=LAB...


Validate the certificate thumbprint:

Dir cert:\LocalMachine\My | fl

Result
CN=owa.lab.com, O=LAB, DC=com, DC=lab Issuer : CN=lab-ca, DC=lab, DC=lab Thumbprint : A547C648A75B141BFBCD1E7D4FE23A0F6FC06149 FriendlyName : Microsoft Exchange 2007 NotBefore : 04-12-2007 13:14:04 NotAfter : 03-12-2009 13:14:04 Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography. Oid, System.Security.Cryptography.Oid, System.Security.Cryptogra phy.Oid, System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Security.C ryptography.Oid}

Connect the certificate with the Exchange Services:

Enable-ExchangeCertificate -thumbprint A547C648A75B141BFBCD1E7D4FE23A0F6FC06149 -services "IIS,SMTP,POP,IMAP"


2. Configure the Exchange Server

1. Define the Internal and External OWA Addresses:



2. Configure the Authentication in all of the Sites (owa (Default Web Site), Exchange (Default Web Site), Exchweb (Default Web Site) and Public (Default Web Site)):



After that, perform a "iisreset /force" in the command prompt.

Activate the Outlook Anywhere feature using the external name and NTLM authentication mode:



On the MMC console, open the certificates snapin choosing the Local Computer Account (Exchange Server).



Click on the certificate and export:



Click Yes on the export the private Key, choose a password and save the PFX file.
For more information follow this guide:
https://technet.microsoft.com/en-us/library/cc754329(v=ws.11).aspx

Install the "RPC over HTTP Proxy" in the CAS Server. Restart and check if all the services are all up and running.


3. Create the Web Listener in the Firewall

Open the ISA/TMG Server and select "View System Policy Rules" in "Firewall Policy". Click with the right mouse button in the policy "Allow all HTTP traffic from ISA Server to all network (for CRL downloads)" and select "Edit System Policy". Confirm that the red arrow point to "CRL Download" and choose the option "Enable this configuration group". Apply the changes:



Import the PFX Certificate on the ISA/TMG Server. On the mmc console, open the certificates snapin choosing the Local Computer Account (ISA/TMG Server). Click on Personal -> Certificates and choose Import:


Click Next and then browse to the PFX Certificate (you might need to change the browse extensions to find all them, like *.*). Type the same password when you exported and Finish the process. On the snapin you must have the certificate with the private key (the icon must appear with a yellow key).

Create the WebListener on the ISA/TMG Server going to Toolbox -> Web Listener -> New Web Listener and give it a Name like SSL:


 Choose the "Require SSL..." Option:


Select the Internal and External network (you must have an External IP Address free for all the Exchange Services Publications on port 443):


In the Internal Network pick "Select IP Addresses" and choose the Internal IP:


Do the same for the External IP Address (you can reuse an IP Address if the port 443 isn't being used):



Assing the previous certificate to both IP Addresses (I'm assuming that one IP is for external access and the other is for internal access with routing):

  
 Choose HTML Forms Authentication:
 
 
Activate Single Sign-On and specify the Active Directory Domain:




4. Configure the Publishing Rules
  • Webmail BASIC (OWA - Outlook Web Access)
Create a New Policy -> Exchange Publishing Rule -> OWA and Name it "OWA (Basic)"


It will work with Exchange 2007 and 2010 (choose the correct version and OWA):



Our Publishing Rules will use Certificates, so choose SSL:


Enter the internal name (the internal DNS name that the Users/Clients will access to Email) and the Internal Exchange Server name or IP Address:


Enter the external name (the external DNS name that the Users/Clients will access to Email). It must be the same as the internal name, because our certificate only have one DNS Name. If you have a Wildcard Certificate, you can use a different external name:


Choose the Web Listener that we created earlier:


Choose Basic Authentication (the next rule is equal to this one, but will use NTLM):



Finish the Wizard and open the proprieties. Remove "owa" from the paths:


This Rule is now completed.

  • Webmail NTLM (OWA - Outlook Web Access)
Copy the previous rule (right-click > copy, paste) and give it a name like "OWA (NTLM)". Change the Paths like the image below:


This Rule is now completed.

  •  Outlook Anywhere
Create a New Policy -> Exchange Publishing Rule -> Outlook Anywhere. This rule will use the same Listener as the OWA rule.


It will work with Exchange 2007 and 2010 (choose the correct version and Outlook Anywhere):



Our Publishing Rules will use Certificates, so choose SSL:


Enter the internal name (the internal DNS name that the Users/Clients will access to Email) and the Internal Exchange Server name or IP Address:


Enter the external name (the external DNS name that the Users/Clients will access to Email). It must be the same as the internal name, because our certificate only have one DNS Name. If you have a Wildcard Certificate, you can use a different external name:


Choose the same Web Listener that we created earlier:


Choose NTLM Authentication:

 

Finish the Wizard and this Rule is Completed.

  •   ActiveSync
Create a New Policy -> Exchange Publishing Rule -> ActiveSync. This rule will use the same Listener as the OWA rule.


It will work with Exchange 2007 and 2010 (choose the correct version and ActiveSync):



Our Publishing Rules will use Certificates, so choose SSL:


Enter the internal name (the internal DNS name that the Users/Clients will access to Email) and the Internal Exchange Server name or IP Address:


Enter the external name (the external DNS name that the Users/Clients will access to Email). It must be the same as the internal name, because our certificate only have one DNS Name. If you have a Wildcard Certificate, you can use a different external name:


Choose the Web Listener that we created earlier:


Choose Basic Authentication:



Finish the Wizard and all the rules are now completed.

This will work without a certificate warning if all the clients are in the domain. If not, you must export the CA Root Certificate and Import it in all the machines. Let's see an example of how to do this:

Go back to the Exchange Server and open the IIS Console. Open the "Default Web Site" proprieties, select "Directory Security" and "View Certificate":


Select "Certification Path” and in the Upper level, select the Certificate Authority and click "View Certificate". Select the "Details" tab and "Copy to File". In the Wizard select the following options:


The path to export the ROOT certificate:


Finish to Complete:


This certificate is only required in clients that are not in Domain (the others already have it, i Hope!). Let's see how to install this exported certificate in the Machines. Open MMC and add the certificate snapin for "Computer Account", Local Computer:



In "Trusted Root Certification Authorities", select "Certificates" and right click in "Certificates", "All Tasks" and choose "Import". Select the previously exported certificate (*.cer):


The next image is an example of the Outlook Anywhere configurations in an Outlook client look like. You can customize some options manually or by GPO (Group Policy):


 

5. Troubleshooting

All publishing scenario described above presupposes the existence of a split-dns type setting. For that, it means that the internal machines resolve the owa.lab.com name to the IP address of the CAS server (forward lookup zone created in the internal DNS), while customers in the Internet resolve the owa.lab.com to the public IP address CAS server (forward lookup zone on an external DNS).

You can configure the Internal and External paths of all the WebServices in powershell:

Set-ClientAccessServer -Identity lab-e2k7.lab.local -AutodiscoverServiceInternalUri https://owa.lab.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "lab-e2k7.lab.local\EWS (Default Web Site)" -InternalUrl https://owa.lab.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "lab-e2k7.lab.local\oab (Default Web Site)" -InternalUrl https://owa.lab.com/oab

Set-UMVirtualDirectory -Identity "lab-e2k7.lab.local\unifiedmessaging (Default Web Site)" -InternalUrl https://owa.lab.com/unifiedmessaging/service.asmx


If you have the following error:
Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"

Probably Cause:
  • You replace the default self-signed Exchange 2007 certificate with a different certificate. Note The Exchange 2007 Setup program creates a default self-signed certificate when Exchange 2007 is installed.
  • The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
  • The Service Connection Point object for the Autodiscover service
  • The InternalUrl attribute of Exchange 2007 Web Service (EWS)
  • The InternalUrl attribute of the Offline Address Book Web service
  • The InternalUrl attribute of the Exchange unified messaging (UM) Web service
By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following is stored: https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following: mail.contoso.com This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox.

Resolution:
To resolve this issue, modify the URLs for the appropriate Exchange 2007/2010 components. To do this, follow these steps:
  • Start the Exchange Management Shell.
  • Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER: Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
  • Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER: Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  • Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER: Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
  • Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER: Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
  • Open the IIS manager.
  • Expand the local computer, and then expand Application Pools.
  • Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. Consider the following example scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to https://ServerName.contoso.com/ews/exchange.asmx.
  • The FQDN that is specified on the certificate points to the externally accessible host name of the server. For example, the certificate specifies an FQDN, such as mail.contoso.com.
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessible IP address of the CAS server in order to let internal clients access the server.

More Details in https://support.microsoft.com/en-us/kb/940726



No comments:

Post a Comment