Cybersecurity Reference Architecture: Security for a Hybrid Enterprise

Gallery

Posted on June 15, 2020 by LM Publications

The Microsoft cybersecurity reference architecture will be explained by demoing key components, starting with Azure Security Center for a cross platform visibility, protection and threat detection. Then a walk through on how you can secure different Azure services covering Azure … Continue reading →

Configure ADFS Extranet Lockout Protection

Gallery

Posted on May 7, 2020 by LM Publications

Extranet lockout provides the following key advantages: It protects your user accounts from brute force attacks where an attacker tries to guess a user’s password by continuously sending authentication requests. In this case, AD FS will lock out the malicious … Continue reading →

Migration from Office 365 or Microsoft 365 mailboxes to G Suite using the G Suite Data Migration Service

Gallery

Posted on August 9, 2019 by LM Publications

Supported Environment Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003. Supported G Suite G Suite Enterprise, Business, Basic, and Education accounts G Suite Cost Standard prices are shown. Google occasionally offers special discounts to some customers for … Continue reading →

Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop

Gallery

Posted on April 2, 2019 by LM Publications

Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we’ve been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any … Continue reading →

Convert Synced User to In-Cloud User

Gallery

Posted on November 5, 2018 by LM Publications

Here is the scenario: Synced ID: Specifies the immutable ID of the federated identity of the user. This should be omitted for users with standard identities. You have local Active Directory with AAD Connect installed, which sync users and password … Continue reading →

Decide on Office 365 Migration Path

Gallery

Posted on September 7, 2018 by LM Publications

This gallery contains 1 photo.

Deciding on the best migration path of your users’ email to Office 365 can be difficult. Your migration performance will vary based on your network, existing messaging systems design, mailbox size, migration speed, and so on. For migrations from an … Continue reading →

Azure AD B2B Collaboration With SharePoint Online

Gallery

Posted on July 31, 2018 by LM Publications

This gallery contains 2 photos.

Azure AD B2B collaboration capabilities to invite guest users into your Azure AD tenant to allow them to access Azure AD service Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited … Continue reading →

Office 365 MailFlow Scenarios and Best Practices

Gallery

Posted on January 24, 2018 by LM Publications

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam … Continue reading →

Migrate Office 365 Relying Party Trust to Different ADFS Farm

Gallery

Posted on November 21, 2017 by LM Publications

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment. Prerequisites: Existing ADFS Farm … Continue reading →

Office 365 Hybrid Deployment with Multiple Active Directory Forests

Gallery

Posted on August 13, 2017 by LM Publications

This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory Forest. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in … Continue reading →

Configuring Azure ExpressRoute using PowerShell

Gallery

Posted on July 24, 2017 by LM Publications

Microsoft Azure ExpressRoute is a private connection from on-premises networks to the Microsoft cloud over a private peering facilitated by a network service provider. With ExpressRoute, you can establish a faster, low latencies and reliable connection to Microsoft cloud services, … Continue reading →

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Gallery

Posted on April 4, 2017 by LM Publications

Hybrid Configuration Business Case. On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus … Continue reading →

Upgrading AD FS to Windows Server 2016 FBL

Gallery

Posted on March 20, 2017 by LM Publications

This article will describe how to install new ADFS 2016 farm or upgrade existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016. Prerequisites: ADFS Role in Windows Server 2016 Administrative privilege in both ADFS … Continue reading →

Login to Exchange Online PowerShell using MFA

Gallery

Posted on March 6, 2017 by LM Publications

Once you enable MFA on Admin account, you will be denied access to EXO using PowerShell until you update Azure PowerShell version to latest. Download and install Microsoft Online Services Sign-In Assistant and Azure Active Directory Connection preview Use Connect-MsOlService … Continue reading →

Exchange 2010/2013 to Exchange 2016 Migration Step by Step

Gallery

Posted on February 1, 2017 by LM Publications

Deployment Location: On-premises Target Environment: Exchange Server 2016 CU4 Current Environment: Exchange Server 2010 or Exchange Server 2013 or mixed Public Folder Location: Exchange Server 2013 Understanding of Exchange Server 2016: Exchange Server 2016 wraps up in two Exchange roles … Continue reading →

Enable multi-factor authentication for office 365 users using PowerShell

Gallery

Posted on January 20, 2017 by LM Publications

The script enables strong authentication for Office 365 users from a CSV input. Before you turn on strong auth or multi-factor auth, take necessary measure to communicate with users to notify them that they will have to register their mobile … Continue reading →

Add multiple users to Office 365 security groups using PowerShell Scripts

Gallery

Posted on January 18, 2017 by LM Publications

Step1: Connect MSOL Services Connect-MsolService Step2: Find out ObjectID of the Security Group you would like add members to Get-MsolGroup –Maxresults 100000 | Where-Object {$_.DisplayName -eq “Test Security Group”} Get-MsolGroup –ObjectId “af407072-7ae1-4b07-a0ca-6634b7396054” OR Sign-in to Portal.Azure.Com and Select Azure Active … Continue reading →

Configuring Retention Policies in Office 365

Gallery

Posted on January 11, 2017 by LM Publications

Retention policies are used to manage email lifecycle. Retention policies are applied by creating retention tags, adding them to a retention policy, and applying the policies to mailboxes. To Create various retention policies in Office 365 using simple PowerShell. Connect … Continue reading →

Office 365: Configuring catch-all mailbox during migration

Gallery

Posted on January 10, 2017 by LM Publications

Step1: Create Catch-All Mailbox 1. Sign in to portal.office.com>Active Users 2. Create a new user named “Catch-All-Mailbox” and assign licenses either E1 or E3. Step2: Create exception Security Group (Optional Step) 1. Log onto Office 365 admin portal 2. Go … Continue reading →

Branding and Customizing the ADFS Sign-in Pages

Gallery

Posted on December 20, 2016 by LM Publications

Branding and promoting Company name and logos are common business practices. You would like to see your own brand whilst signing into to Microsoft Office 365. ADFS provides opportunity for businesses to customize sign in page and promote own brand. … Continue reading →

Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Gallery

Posted on December 8, 2016 by LM Publications

Environment: Mailbox hosted on the Exchange Online Hybrid on-prem Exchange 2010/2013 with Microsoft Exchange Online Centralized Mailflow configured for Exchange 2013 Route all emails through on-premises configured for Exchange 2010 Accepted domain configured either Managed or Authoritative on the Exchange … Continue reading →

Export Office 365 Licenses

Gallery

Posted on December 6, 2016 by LM Publications

An Office 365 admin perform one repetitive task on the Azure AD PowerShell is to generate license report from Office 365. Two simple Cmdlets Get-MsolUser and Get-MsolAccountSku can be used to generate many reports. This article uses variation of these … Continue reading →

How to Configure Office 365 SMTP Relay

Gallery

Posted on November 29, 2016 by LM Publications

There are three ways you can setup SMTP Relay for Applications and multi-function devices using Office 365. All three options are elaborated here. Option 1 and Option 2 are configured within the application and devices. Option 3 are setup within … Continue reading →

Migrate On-premises Exchange Server to Office 365 using MigrationWiz

Gallery

Posted on November 3, 2016 by LM Publications

This gallery contains 9 photos.

Assumptions: An operational on-premises Microsoft messaging environment or an IMAP Source An operational Microsoft Office 365 tenant for Exchange Online Active Directory synchronised with Microsoft Azure Active Directory using DirSync Licenses are assigned to Active Users. There are place holder … Continue reading →

Mailflow Co-existence between G Suite and Office 365 during IMAP Migration

Gallery

Posted on October 20, 2016 by LM Publications

This article will explain how to create mail flow coexistence between disparate IMAP source and Exchange Online destination. Use case: Customer wants a mailflow co-existence between hosted email e.g. Gmail and Exchange Online during mailbox migration phase. Customer has on-premises … Continue reading →

On-prem to Office 365 Migration: PowerShell Script Collection

Gallery

Posted on October 8, 2016 by LM Publications

Connect to Azure Active Directory PowerShell without Password Prompt #Use Case: Log on to Office 365 tenant without typing credentials. $User=”Raihan@tenant.onmicrosoft.com” $Password=ConvertTo-SecureString -String “MyPassword” -AsPlainText -Force $O365CREDS= New-Object –TypeName “System.Management.Automation.PSCredential” –ArgumentList $User, $Password #$O365CREDS = Get-Credential -Username Raihan@tenant.OnMicrosoft.Com $SESSION = … Continue reading →

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Posted on June 24, 2014 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

On the Authentication Page, Click Add, Select DC, Click Next

Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.

Select Use Forefront UAG Access Policies, Click Next

Select Default and Click Next

Click Finish.

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.

On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Install and Configure Forefront UAG 2010 Step by Step

Posted on June 24, 2014 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

Systems Requirements:

Option	Description
Virtual Machine Name	DC1TVUAG01
Memory	8GB
vCPU	1
Hard Disk 1	50GB
Hard Disk 2	50GB
Network Adapter	2
Guest Operating System	Windows Server 2008 R2
Service Pack Level	SP1

Software Requirement:

Version	Microsoft Forefront Unified Access Gateway 2010
Service Pack Level	SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

Microsoft .NET Framework 3.5 SP1
Windows Web Services API
Windows Update
Microsoft Windows Installer 4.5
SQL Server Express 2005
Forefront TMG is installed as a firewall during Forefront UAG setup
The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

Network Policy Server
Routing and Remote Access Services
Active Directory Lightweight Directory Services Tools
Message Queuing Services
Web Server (IIS) Tools
Network Load Balancing Tools
Windows PowerShell

Supported Browser Clients:

Browser

Features

Firefox

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Endpoint Quarantine Enforcement

Internet Explorer

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Socket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name	Features
Windows Phone	Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad	Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0	Premium mobile portal

Service Account for Active Directory Authentication:

Service Account	Privileges	Password
xman\SA-FUAG	Domain Users	Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

Add the server to an array of Forefront UAG servers at a later date.
Configure the server as a Forefront UAG DirectAccess server at a later date.
Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
Publish the File Access application via a Forefront UAG trunk.
Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%\Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe

Forefront UAG Monitoring Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe

Forefront UAG Session Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe

Forefront UAG File Sharing
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
Integrity of the content in the corporate network is retained.
Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

HTTP traffic (port 80)
HTTPS traffic (port 443)
FTP Traffic (Port 21)
RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server	Protocol	Port	Direction
Domain controller	Microsoft-DS traffic	TCP 445 UDP 445	From UAG to DC
	Kerberos authentication	TCP 88 UDP 88	From UAG to DC
	LDAP	TCP 389 UDP 389	From UAG to DC
	LDAPS	TCP 636 UDP 636	From UAG to DC
	LDAP to GC	TCP 3268 UDP 3268	From UAG to DC
	LDAPS to GC	TCP 3269 UCP 3269	From UAG to DC
	DNS	TCP 53 UDP 53	From UAG to DC
Exchange, SharePoint, RDS	HTTPS	TCP 443	From external to internal server
FTP	FTP	TCP 21	From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option	IP Address	Subnet	Default Gateway	DNS
Internal Network	10.10.10.2	255.255.255.0	Not required	10.10.10.1
External Network	192.168.1.1	255.255.255.0	192.168.1.254	Not required

Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

Default Gateway should not be defined
DNS Servers should be defined
Client for Microsoft Networks binding – Enabled
File and Print Sharing for Microsoft Networks binding – Enabled
Register this connection’s address in DNS – Enabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

Default Gateway should be defined
DNS Servers should not be defined
Client for Microsoft Networks binding – Disabled
File and Print Sharing for Microsoft Networks binding – Disabled
Register this connection’s address in DNS – Disabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose	Public Host Name	Public IP Address
Exchange	webmail.xman.com.au	203.17.x.x
SharePoint	sharepoint.xman.com.au	203.17.x.x
RDS	remote.xman.com.au	203.17.x.x
FTP	ftp.xman.com.au	203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)	Description	Source IP	Public IP Address (Destination IP Address)	Port	NAT Destination	Status
1	Exchange	Any	203.17.x.x	443	10.10.10.2	Forward
2	SharePoint	Any	203.17.x.x	443	10.10.10.2	Forward
4	RDS	Any	203.17.x.x	443	10.10.10.2	Forward
5	FTP	Any	203.17.x.x	21	10.10.10.2	Forward

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rules	Description	Source IP	Port TCP & UDP	NAT Destination	Destination	Status
1	Exchange	10.10.10.2	TCP 443	Not Required	10.10.10.3	Forward
2	SharePoint	10.10.10.2	TCP 443	Not Required	10.10.10.4	Forward
4	RDS	10.10.10.2	TCP 443	Not Required	10.10.10.5	Forward
5	FTP	10.10.10.2	TCP 21	Not Required	10.10.10.6	Forward
6	Client	10.10.12.0/24 10.10.13.0/24	TCP 443 TCP 21	Not Required	10.10.10.2	Forward
7	Domain Controller	10.10.10.2	445, 88, 53 389, 636 3268, 3296	Not Required	10.10.10.1	Forward

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name	Subject Alternative Name	Certificate Issuer
RDS.xman.com.au	–	Verisign/Digicert
webmail.xman.com.au	autodiscover.xman.com.au	Verisign/Digicert
ftp.xman.com.au	–	Verisign/Digicert
sharepoint.xman.com.au	–	Verisign/Digicert

Understanding Properties of Trunk

Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
IP address: Specify the external IP address used to reach the published Web application or portal.
Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List	Methods	Allow Rich Content
InternalSite_Rule54	HEAD	Checked
SharePoint14AAM_Rule47	HEAD	Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Exchange 2013 Upgrade, Migration and Co-existence

Posted on January 26, 2014 by LM Publications

Migration Guide

Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide

How to Configure Unified Messaging in Exchange 2013 Step by Step

Mail flow in Exchange 2013

Source: Microsoft TechNet

Protocol	Exchange 2007 & Exchange 2013	Exchange 2007 & Exchange 2013
Namespace	legacy.domain.com	no additional namespace
OWA	Non-silent redirection to legacy.domain.com	Proxy to CAS2010 Silent direction
EAS	Proxy to MBX2013	Proxy to CAS2010
Outlook Anywhere	Proxy to CAS2007	Proxy to CAS2010
Autodiscover	Redirect to CAS2007	Proxy to CAS2010
EWS	Autodiscover	Proxy to CAS2010
POP/IMAP	Redirect to CAS2007	Proxy to CAS2010
OAB	Redirect to CAS2007	Proxy to CAS2010
RPS	N/A	Proxy to CAS2010
ECP	N/A	Proxy to CAS2010

Exchange 2013 Perquisites

Supported Co-existence Scenario

Exchange 2010 SP3
Exchange 2007 SP3+RU10

Supported Client

Outlook Anywhere Only, Outlook 2007 or later
Outlook for Mac 2011
Entourage 2008 for Mac

Active Directory

Windows 2003 Forest Functional Level or higher
At least one global catalog. two global catalog is highly recommended for redundancy purpose
No support for RODC or ROGC

Namespace

Contiguous
Non-Contiguous
Single level Domain
disjoint

Operating Systems

Windows Server 2008 R2 SP1
Windows Server 2012 or Windows Server 2012 R2

Other Components

Internet Information Service (IIS)
.Net Framework 4.5
Unified Communication Managed API

Cumulative Updates

CU is a full exchange installer or binary
Required for co-existence with Exchange 2007/2010

Upgrade from Exchange 2010 to Exchange 2013

1. Prepare

Prepare Exchange 2010 with SP3
Test Exchange using Test cmdlets
Test Active Directory health status
Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

Install both Exchange 2013 MBX and CAS servers
Install Management Server on admin PC

3. Obtain and deploy Certificates

Create Certificate CSR from Exchange 2013
Sign the certificate from public CA
Install Certificate and assign certificate to IIS,SMTP,POP,IMAP

Export certificate from Exchange 2010 and import into Exchange 2013

4. Configure Mail flow

Create mail and autodiscover namespace and point to Exchange 2013
Add Exchange 2013 MBX server into Send Connector
Configure Frontend receive connector
Create anonymous relay

5. Switch Primary Name Space

Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
Switch port 25 forwarding to Exchange 2013
Validate traffic flow to Exchange 2013

6. Move Mailboxes

Build Exchange DAG
Migrate user mailbox
Migrate resource mailbox
Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2010

Upgrade from Exchange 2007 to Exchange 2013

1. Prepare

Prepare Exchange 2007 with SP3 +RU
Test Exchange using Test cmdlets
Test Active Directory health status
Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

Install both Exchange 2013 MBX and CAS servers
Install Management Server on admin PC

3. Obtain and deploy Certificates

Create a certificate CSR from Exchange 2013 with legacy namespace
Sign the certificate from public CA
Install Certificate and assign certificate to Exchange 2013 IIS,SMTP,POP,IMAP
Install same certificate into Exchange 2007

4. Configure Mail flow

Create legacy DNS record pointing to Exchange 2007
Create mail and autodiscover namespace and point to Exchange 2013 CAS
Create Send Connector in Exchange 2013
Configure Frontend receive connector
Create anonymous relay

5. Switch Primary Name Space

Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
Switch port 25 forwarding to Exchange 2013
Validate traffic flow to Exchange 2013 using MCA and ExRCA

6. Move Mailboxes

Build Exchange DAG
Migrate user mailbox
Migrate resource mailbox
Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2007

Validate External Connectivity

Use Microsoft connectivity analyzer https://testconnectivity.microsoft.com/?tabid=client
Use remote connectivity analyzer http://www.exrca.com
Use Test cmdlets

Certificate Best Practice

Minimize number of certificates
Minimize number of host name
use split DNS for Exchange host name
Don’t list machine name in certificates
Use Subject Alternative Name Certificate or SAN certificates

Restart Transport Services and Information Store Service

Patch Exchange Server using WSUS or ConfigMgr
Reboot DAG member one by one
Reboot CAS server one by one
Management Tools
User Exchange 2013 Administration Center to manage co-existence and migration tasks
Use Exchange 2010 management console to move offline address book

Cutover Process

Public folder migration is part of final cutover
Exchange and Active Directory health check
verify proposed and implemented Exchange 2013

Post Migration

Shutdown Exchange 2010 servers for minimum 48 hours in working days
Decommission Exchange 2010

TrendMicro Worry-Free Business Advanced Configuration Step by Step

Posted on November 14, 2013 by LM Publications

Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).

Trend Micro offers the following editions:

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Features worry-free business Features

Component Updates
Device Control
Antivirus/Anti-spyware
Firewall
Web Reputation
URL Filtering
Behavior Monitoring
User Tools
Instant Messaging Content
Filtering
Mail Scan (POP3)
Mail Scan (IMAP)
Anti-Spam (IMAP)
Email Message Content
Filtering
Email Message Data Loss Prevention
Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has

22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.

Downloads scanning-specific components from Trend Micro and uses them to scan clients

Agents

Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.

Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats

Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats

Web Console

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

• IIS server default website: The same port number as your HTTP server’s TCP port.

• IIS server virtual website: 8059

• Apache server: 8059

• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.

Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.

SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.

Proxy port: Used for connections through a proxy server.

Systems requirements:

1 vCPU, 2GB RAM, 10GB additional space
IIS 7.5 Windows Server 2008 R2
Internet Explorer
Adobe Acrobat
Java client
Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
Administrator or Domain Administrator access on the computer hosting the
Security Server
File and printer sharing for Microsoft Networks installed
Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications

TrendMicro Download Location:

WFB 8.0

Download Center

Installation:

1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.

2. Click Next. The License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
Minimal Install
Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

Security Server (default): The Security Server hosts the centralized web-based management console.
Security Agent (default): The agent protects desktops and servers.
Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:

the boot area and boot directory (for boot sector viruses)
the Windows folder
the Program Files folder
Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

Internet Information Services (IIS) server
Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

Server information – Choose domain name or IP address:
Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

19. Click Next. The SMTP Server and Notification Recipient(s) page appears.

20. Enter the required information:

SMTP server – the IP address of your email server
Port – the port that the SMTP server uses for communications
Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.

21. Click Next. The Trend Micro Smart Protection Network page appears.

22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.

23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.

Proxy server type
Server name or IP address
Port
User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.

26. Set the following items:

Installation Path – This is the destination folder where the Security Agent files are installed.
Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.

27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.

When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

31. Click Next. The Install Messaging Security Agent page appears.

32. Provide the following information:

i. Exchange Server

ii. Domain Administrator Account

iii. Password

33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:

Target Folder – This is the folder where the MSA files are installed.
Temp Folder – This is the system root folder for MSA Agent installation.
Spam management
End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

If you wish to verify previous installation settings, click Back.
Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install

Log on to the WFBS console.
Click Security Settings > Add. The Add Computer page appears.
Under Computer Type section, choose Desktop or server.
Under Method section, choose Remote install.
Click Next. The Remote Install page appears.
From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
Type the username and password of an account with administrator rights, and click Login. For the domain computers, use the Domain_NameUsername format; for workgroup computers, use the Target_Computer_NameLocal_Administrator_User_Name format.
The computer is added to the Selected Computers list.
Repeat Steps 6-7 if you want to add more computers to the list.
Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

• Server name: The name of the Microsoft Exchange server to which you want

to install MSA.

• Account: The built-in domain administrator user name.

• Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on

the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for

the MSA installation. The default target and shared directories are C:Program

FilesTrend MicroMessaging Security Agent and C$, respectively.

9. Click Next. The Microsoft Exchange Server Settings screen appears again.

10. Verify that the Microsoft Exchange server settings that you specified in the

previous screens are correct, and then click Next to start the MSA installation.

11. To view the status of the MSA installation, click the Live Status tab.

Configure Smart Host for Outbound Email

1. Open the Exchange Management Console.

2. Click on the plus sign (+) next to Organization Configuration.

3. Select Hub Transport and click the Send Connectors tab.

4. Right-click the existing Send Connector then select Properties and go to the Network tab.

5. Select Route mail through the following smart hosts and click Add.

6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:

o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com

o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu

7. Click OK.

8. Go to the Address Space tab and click Add.

9. Add an asterisk (*) and then click OK.

10. Click Apply > OK.

11. Go to the Source Server tab and add your Exchange Server.

12. Click Apply > OK.

Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.

C:Usersraihan >nslookup

> set type=mx

> domainname.com.au

Non-authoritative answer:

domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au

domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au

mx1.domainname.net.au internet address = 203.161.x.x

mail.domainname.com.au internet address = 116.212.x.x

Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:

Registered Hosted Email Security

Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .

Create service account (See upcoming post on creating a secure services account)

Open ActiveDirectory Users and Computers
Create a user sa-TrendMicroHE with password never expires

Open Hosted Email Security Web console

Visit the link that applies to your location
- For EMEA users: https://emailsec.trendmicro.eu
- For others: https://us.emailsec.trendmicro.com
Login with your details you setup in the online registration earlier and don’t forget to tick Log on with Trend Micro Online Registration user name and password

Register Your Domains with Trend Micro

1. Go to the Trend Micro Online Registration portal.

2. Create a new OLR account.

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.

Enter your HES Registration Key.

If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

Select I Accept, then click Submit.

Complete the registration information form.

Specify your OLR logon ID.

Note: The OLR logon ID will also serve as your HES portal login ID.

Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

For US: https://us.emailsec.trendmicro.com/loginPage.imss

For EMEA: https://emailsec.trendmicro.eu/loginPage.imss

Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.

4. Enter your domain and IP information, then click Add Domain.

5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.

6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.

Navigate to Administration > Domain Management

All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
Click Activate Domain
Now this you would think would be it, except it goes to the list below which you then need to check the tick box of the domain and then Click Check MX Record

Download the ActiveDirectory Sync Client

Navigate to Administration > Directory Management

Click Imported User Directories so it becomes Enabled with a green tick
Navigate to Administration > Web Services

Click on the Applications bar so it get’s a Green Tick as above
Click on Generate Service Authentication Key, copy this key for use later in the setup
Click and download the ActiveDirectory Sync Client

Install the ActiveDirectory Sync Client

http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx

http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx

1. Extract the ActiveDirectory Sync Client file and run setup.exe

2. Usual I agree, next, next stuff

3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.

4. Click Next

5. Leave installation path as is, and change to install for Everyone

6. Click Next

7. Click Next

8. Click Close when finish

9. The ActiveDirectory Sync Client will then open

10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)

LDAP://OU=Users,,OU=CompanyName,DC=<yourdomain>,DC=com

11. Click Add

LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com

12. Click Add

13. Click Configure

Username: as per web login
Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
Proxy: leave as automatic unless your network requires otherwise
Synchronize: leave at 1

14. Click OK

15. Click Apply

16. This will restart the service

Amend ClientMHS_AD_ACL.config

1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad

2. Installed Config file looks like this:

<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>

3. Change the following to add groups and public folders. Ref

<?xml version=”1.0″ encoding=”utf-8″?>

<ad_acl>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

</ad_acl>

4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client

5. Click Sync Now

6. Give it a few moments then click History

7. Here you should see the correct number of groups and users you expect. Check the times are correct for when you’ve pressed. And it should finish with Sync domain <yourdomain.com> successful

8. Click Close

9. Click Close

Post Configuration Check

open the Hosted Email Security Console
Navigate to Administration > Directory Management
Click the Export to CSV for the domain you’re wanting to check
This will generate a CSV file, which you can use notepad to check that all your email addresses have synced

Worry Free Business Files and Folder Exclusion

Worry-Free Business Best Practice

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

4. On the Alternate Access Mappings page, click Edit Public URLs.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

On the Authentication Page, Click Add, Select DC, Click Next

Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.

Select Use Forefront UAG Access Policies, Click Next

Select Default and Click Next

Click Finish.

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

On the Web Servers page, do the following:

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

On the Authentication page, do the following:

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.

Web Sites	Inbound Requested Port	Request Redirected To
RDS.xman.com.au	80	443
ftp.xman.com.au	80	443
webmail.xman.com.au	80	443
sharepoint.xman.com.au	80	443

Step1: Before you create a redirect trunk, note the following:

1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.

2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard.

If at a later stage, you change the IP address or port number of the HTTPS Connections trunk, do one of the following:

1. Update the IP address or port number manually in the relevant redirect trunk.

2. Delete the existing redirect trunk and create a new one.

3. Redirect trunks are not monitored by the Forefront UAG Web Monitor.

4. Sessions in redirect trunks are not calculated in the session count of Forefront UAG. When an HTTP session is redirected to HTTPS via a redirect trunk, it is only counted as one HTTPS session.

Step2: create a redirect trunk

1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.

2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.

3. All HTTPS trunks for which no redirect trunk exists are listed.

4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.

5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.

6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.

Step2: publish Outlook Web Access on a Forefront UAG portal

Right Click on HTTPS Connections, Click New Trunk, Click Next

Select Portal Trunk and Publish Exchange Applications via portal, Click Next

Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next

Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.

Type the service account which will talk to DC from UAG, Click Ok

Select the DC, Click Select. Leave rest of the settings as is. Click Next

Select the certificate which is issued by public certificate authority, exported from mail server and imported to UAG server. Click Next. Don’t worry about certificate screen shot. this is a test environment.

Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in above screen shot. This is a test environment. In production environment, common name of the certificate will be webmail.xman.com.au

Select Default and Click next

Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next

Type the name of the application, Click next

Select default and click next

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, Click Next

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

On the Outlook Anywhere Page, Select basic Authentication, Click next

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

On the Authorization page of the wizard, select which users are authorized to access this application.

On the Completing the Add Application Wizard page of the wizard, click Finish.

Once configured, you will see the following screen.

If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Publishing Remote Desktop Services Using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).

Step1: Exporting RemoteApp settings from RDS

Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.

1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.

2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.

3. In the Actions pane, click Export RemoteApp Settings.

4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.

5. Specify a location to save the .tspub file, and then click Save.

Step2: Publishing RemoteApps and importing RemoteApp settings

This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.

1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.

2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.

3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.

4. On the Select Endpoint Policies page of the wizard, do the following:

5. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.

6. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.

7. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:

8. Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.

9. Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.

10. Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.

11. On the Import RemoteApp Programs page of the wizard, do the following:

12. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.

13. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.

14. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.

15. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.

16. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.

17. Complete the Add Application Wizard.

Install and Configure Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront UAG Overview:

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

Systems Requirements:

Option	Description
Virtual Machine Name	DC1TVUAG01
Memory	8GB
vCPU	1
Hard Disk 1	50GB
Hard Disk 2	50GB
Network Adapter	2
Guest Operating System	Windows Server 2008 R2
Service Pack Level	SP1

Software Requirement:

Version	Microsoft Forefront Unified Access Gateway 2010
Service Pack Level	SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

Microsoft .NET Framework 3.5 SP1
Windows Web Services API
Windows Update
Microsoft Windows Installer 4.5
SQL Server Express 2005
Forefront TMG is installed as a firewall during Forefront UAG setup
The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

Network Policy Server
Routing and Remote Access Services
Active Directory Lightweight Directory Services Tools
Message Queuing Services
Web Server (IIS) Tools
Network Load Balancing Tools
Windows PowerShell

Supported Browser Clients:

Browser

Features

Firefox

Endpoint Session CleanupEndpoint detectionSSL Application TunnelingEndpoint Quarantine Enforcement

Internet Explorer

Endpoint Session CleanupEndpoint detectionSSL Application TunnelingSocket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name	Features
Windows Phone	Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad	Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0	Premium mobile portal

Service Account for Active Directory Authentication:

Service Account	Privileges	Password
xmanSA-FUAG	Domain Users	Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

Add the server to an array of Forefront UAG servers at a later date.
Configure the server as a Forefront UAG DirectAccess server at a later date.
Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
Publish the File Access application via a Forefront UAG trunk.
Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%Microsoft Forefront Unified Access GatewayDnsAlgSrv.exeForefront UAG Monitoring Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewayMonitorMgrCom.exeForefront UAG Session Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewaySessionMgrCom.exeForefront UAG File Sharing
%ProgramFiles%Microsoft Forefront Unified Access GatewayShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewayuagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%Microsoft Forefront Unified Access Gatewayuagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewayUserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%Microsoft Forefront Unified Access GatewayWatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewaywhlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewaywhlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
Integrity of the content in the corporate network is retained.
Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

HTTP traffic (port 80)
HTTPS traffic (port 443)
FTP Traffic (Port 21)
RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server	Protocol	Port	Direction
Domain controller	Microsoft-DS traffic	TCP 445UDP 445	From UAG to DC
	Kerberos authentication	TCP 88UDP 88	From UAG to DC
	LDAP	TCP 389UDP 389	From UAG to DC
	LDAPS	TCP 636UDP 636	From UAG to DC
	LDAP to GC	TCP 3268UDP 3268	From UAG to DC
	LDAPS to GC	TCP 3269UCP 3269	From UAG to DC
	DNS	TCP 53UDP 53	From UAG to DC
Exchange, SharePoint, RDS	HTTPS	TCP 443	From external to internal server
FTP	FTP	TCP 21	From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

UAG Network Configuration

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option

IP Address

Subnet

Default Gateway

DNS

Internal Network

10.10.10.2

255.255.255.0

Not required

10.10.10.1

External Network

192.168.1.1192.168.1.2192.168.1.3

192.168.1.4

192.168.1.5

255.255.255.0

192.168.1.254

Not required

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

Default Gateway should not be defined
DNS Servers should be defined
Client for Microsoft Networks binding – Enabled
File and Print Sharing for Microsoft Networks binding – Enabled
Register this connection’s address in DNS – Enabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Default

External Network Adapter

Default Gateway should be defined
DNS Servers should not be defined
Client for Microsoft Networks binding – Disabled
File and Print Sharing for Microsoft Networks binding – Disabled
Register this connection’s address in DNS – Disabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Disabled

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose	Public Host Name	Public IP Address
Exchange	webmail.xman.com.au	203.17.x.x
SharePoint	sharepoint.xman.com.au	203.17.x.x
RDS	remote.xman.com.au	203.17.x.x
FTP	ftp.xman.com.au	203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)	Description	Source IP	Public IP Address (Destination IP Address)	Port	NAT Destination
1	Exchange	Any	203.17.x.x	443	192.168.1.2
2	SharePoint	Any	203.17.x.x	443	192.168.1.3
4	RDS	Any	203.17.x.x	443	192.168.1.4
5	FTP	Any	203.17.x.x	21	192.168.1.5

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rule(s)	Description	Source IP	Port TCP & UDP	Destination
1	Exchange	10.10.10.2	TCP 443	10.10.10.3
2	SharePoint	10.10.10.2	TCP 443	10.10.10.4
4	RDS	10.10.10.2	TCP 443	10.10.10.5
5	FTP	10.10.10.2	TCP 21	10.10.10.6
6	Client	10.10.12.0/24	TCP 443 TCP 21	10.10.10.2
7	Domain Controller	10.10.10.2	445, 88, 53 389, 636 3268, 3296	10.10.10.1

Understanding Certificates requirements:

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name	Subject Alternative Name	Certificate Issuer
RDS.xman.com.au	–	Verisign/Digicert
webmail.xman.com.au	autodiscover.xman.com.au	Verisign/Digicert
ftp.xman.com.au	–	Verisign/Digicert
sharepoint.xman.com.au	–	Verisign/Digicert

Understanding Properties of Trunk

Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
IP address: Specify the external IP address used to reach the published Web application or portal.
Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

Trunk Name	Public Host Name	HTTPS Port	External IP Address	Authentication Server(s)
Exchange	webmail.xman.com.au	443	192.168.1.2	DC1TVDC01
SharePoint	sharepoint.xman.com.au	433	192.168.1.3	DC1TVDC01
RDS	remote.xman.com.au	443	192.168.1.4	DC1TVDC01
FTP	ftp.xman.com.au	21	192.168.1.5	DC1TVDC01

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List	Methods	Allow Rich Content
InternalSite_Rule54	HEAD	Checked
SharePoint14AAM_Rule47	HEAD	Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

Before you run the initial configuration, you must patch the UAG with an order described in this article . To patch UAG, open command prompt using run as Administrator. Go to the location where you saved all the service packs and patches. Run one by one. Note that if you do not run the setup as an administrator setup will roll back and fail because it cannot modify registry.

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

Step2: publish Outlook Web Access on a Forefront UAG portal

Right Click on HTTPS Connections, Click New Trunk, Click Next

Select Portal Trunk and Publish Exchange Applications via portal, Click Next

Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next

Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.

Type the service account which will talk to DC from UAG, Click Ok

Select the DC, Click Select. Leave rest of the settings as is. Click Next

Select Default and Click next

Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next

Type the name of the application, Click next

Select default and click next

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, Click Next

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

On the Outlook Anywhere Page, Select basic Authentication, Click next

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

On the Authorization page of the wizard, select which users are authorized to access this application.

On the Completing the Add Application Wizard page of the wizard, click Finish.

Once configured, you will see the following screen.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Transition from Exchange 2010 to Exchange 2013 Step by Step

Posted on May 9, 2013 by LM Publications

BUY IT NOW:
Amazon USA
Amazon UK
BARNES & NOBLE
Book World

Assumptions:

You have the following infrastructure operational and functioning as desired.

Domain Controller
Certificate Authority
Exchange Server 2010 SP2 DAG
FF TMG 2010 SP2

Current Exchange Version:

Prerequisites:

Windows Server 2012 installed on computers which will house Exchange Server 2013.
Windows Media Foundation. Use Add Roles and features Wizard to install Media Foundation on Windows Serer 2012.
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
Microsoft Office 2010 Filter Pack 64 bit
Microsoft Office 2010 Filter Pack SP1 64 bit
Download Exchange 2010 SP3
Cumulative Update 1 for Exchange Server 2013

Step1: Perform a Server Switch Over for a Exchange 2010 SP2 DAG Member

Before you upgrade Exchange Server 2010 SP2 to Exchange 2010 SP3, you must perform a server switch over if you have Exchange DAG. You need to be assigned permissions before you can perform this procedure. use Exchange Management Shell and Run the following Command.

Move-ActiveMailboxDatabase -Server EXCHMBXSRV01 -ActivateOnServer EXCHMBXSRV02

Step2: Install Service Pack 3 on Exchange Server 2010 SP2

Download and Extract Exchange Server 2010 SP3 on the DAG member where you want run the Exchange 2010 Sp3 installer. Now follow the screen shot and upgrade Exchange Server 2010 SP2 to Exchange Server 2010 SP3.

you will be prompted for an warning which is A transient communication failure causes a Windows Server 2008 R2 failover cluster to stop working. Ignore the warning and continue. Once SP3 installed. Check the version which is as follows.

Repeat the step 2 in all Exchange Server in your Exchange Organization.

Step3: Prepare Windows Server 2012

Download Windows Server 2012 and install the following prerequisites on Windows Server 2012.

Windows Media Foundation. Use Add Roles and features Wizard to install Media Foundation on Windows Serer 2012.

Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

Microsoft Office 2010 Filter Pack 64 bit

Microsoft Office 2010 Filter Pack SP1 64 bit

Exchange 2013 setup automatically install features required by Exchange. Alternatively you can use the following PowerShell Command to install all the features at that same time. A reboot is required after installing features.

Step4: Prepare Active Directory and Active Directory Schema

Run the following command to prepare AD Schema and Active Directory.

setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

setup /PrepareAD /OrganizationName:<organization name> /IAcceptExchangeServerLicenseTerms

since we already have an Exchange Organization, we don’t need to type Organization again. the following command is enough to prepare Active Directory. setup /PrepareAD /IAcceptExchangeServerLicenseTerms

Step5: Install CU1 for Exchange Server 2013

Log on to the computer on which you want to install Exchange 2013. After you have downloaded Exchange 2013 CU1, Copy Exchange-X64.exe file into Windows Server 2012 where you want to install Exchange Server 2013 . Extract the installer by double clicking the Exchange-x64.exe installer.

On the Check for Updates page, Select Don’t check for updates right now, you can download and install updates manually later. We recommend that you download and install updates now. Click Next to continue. at this stage setup will copy the content and initialize installer.
The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
On the License Agreement page, Select I accept the terms in the license agreement, and then click Next.
On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, click Next.
On the Server Role Selection page, select both Mailbox role and Client Access role. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. Click Next to continue.
On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
On the Malware Protection Settings page, choose keep it enabled. Click Next to continue.
On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. Reboot the server from Server Manager>All Servers>Right Click on Server>Click Shutdown Local Server, Select Reboot, Click Ok.
Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
On the Completion page, click Finish.
Restart the computer after Exchange 2013 has completed.

On a co-existence scenario if you type https://FQDN of Client Access Server/ecp you will see only Mailboxes.

If you type https://FQDN of Client Access Server/ecp?ExchClientVer=15 on internet explorer you will see detailed Exchange Administration Center.

Step6: Install Certificates on Exchange Server 2013 CAS Server(s)

Step7: Configure Outlook Web Access in Exchange 2013

Step8: Configure Send/Receive Connector

Open Exchange Administration Center using https://FQDN of Client Access Server/ecp?ExchClientVer=15 url. Create new Send Connector using this procedure.

In the EAC, navigate to Mail flow > Send connectors, and then click Add .
In the New send connector wizard, specify a name for the send connector and then select Internet for the Type. Click Next.
Verify that MX record associated with recipient domain is selected, which specifies that the connector uses the domain name system (DNS) to route mail. Click Next.
Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter *, which indicates that this send connector applies to messages addressed to any domain. Click Save.
Make sure Scoped send connector is not selected and then click Next.
For Source server, click Add . In the Select a server window, select a Mailbox server that will be used to send mail to the Internet via the Client Access server and click Add . After you’ve selected the server, click Add . Click OK.
Click Finish.

New-SendConnector –Internet –Name MysendConnector –AddressSpace Superplaneteers.com

Similarly you can use New-ReceiveConnector Cmdlet to create receive connector.

Step9: Test Internal/External Mail Flow using new Send Connector

Open internet explorer and type Https://FQDN of CAS Server/OWA Log on to OWA using domain nameusername and password and check email

Step10: Migrate Mailboxes, DL, Public Folder from Exchange 2010 to Exchange 2013

Before you start migrating Exchange mailboxes, se the Exchange Management Console to enable circular logging otherwise a large log will be generated when migrating mailboxes. you can enable circular logging in all mailbox database using the following power shell command

Get-MailboxDatabase | Set-MailboxDatabase –circularloggingenabled $true

Set-StorageGroup -Identity “First Storage Group” -CircularLoggingEnabled $true

Open Exchange Administration Center using https://FQDN of Client Access Server/ecp?ExchClientVer=15 url, In the EAC, navigate to Recipients > Migration, and then click Add Add Icon .

In the New local mailbox move wizard, select the user you want to move click OK and then click Next.

On the Move configuration page, specify a name for the new batch. Select which options you want for the archive mailbox, and mailbox database location and click New. follow the screen to complete migration.

To migrate entire mailboxes from an existing Exchange 2010 DAG to new Exchange 2013 DAG using Exchange Management Shell in Exchange Server 2013 and run the following cmdlets.

Get-Mailbox -Database Manager-DB01 | New-MoveRequest -TargetDatabase Manager-DB02 -BatchName “DB01toDB02”

To find out more about New-MoveRequest cmdlet type Get-Help New-MoveRequest –Example or visit Move and Migration Cmdlets

Step11: Publish Exchange OWA to External Clients

Step12: Migrate Public Folder.

Step13: Migrate Exchange UM

Step14: Retire Exchange Server 2010

A detailed migration steps are available in this book.

BUY IT NOW:
Amazon USA
Amazon UK
BARNES & NOBLE
Book World

First Cumulative Update for Exchange 2013

Posted on April 10, 2013 by LM Publications

Cumulative update 1 for Exchange Server 2013 (KB2816900)

Update Rollup 10 for Exchange Server 2007 Service Pack 3 (KB2788321)

Details can be found here

Exchange 2007/2010 SP3 Released

Posted on March 25, 2013 by LM Publications

Exchange 2007/2010 SP3 released.

Download Exchange 2007 SP3

Download Exchange 2010 SP3

Error message when you try to install Exchange Server 2010 SP2: “AuthorizationManager check failed”

Posted on April 1, 2012 by LM Publications

Error: Message :

Cause:

1. Exchange Servers placed in a OU which has GPO applied to them.

2. PowerShell Execution Policy set to unrestricted or remote signed.

Solution:

Step1: Create a separate Organizational Unit in Active Directory and place Exchange Servers in that Organizational Unit . Do not apply any GPO on newly created Organizational Unit.

Step2: Log on to Exchange Server. Start Menu>Run>gpedit.msc

Right click on Local Computer Policy>Property>Disable computer Configuration settings and User Configuration Settings

Step3: Open PowerShell> issue the following command

Set-ExecutionPolicy –Scope LocalMachine –ExecutionPolicy Undefined –Confirm –Force

Step4: Reboot Server. Once rebooted log back on to the Exchange Server. check execution policy by issuing the command

Get-ExecutionPolicy –List

Step5: Start Menu>Run>services.msc . Stop any backup software and Antispam software services on the server.

Step6: Upgrade HT/CAS Server: Download Exchange 2010 SP2 and install Exchange SP2 by the issuing the following command in PowerShell

Setup.com /M:Upgrade /InstallWindowsComponents

Apply Service Pack 2 to HT and MBX server first. If you have multiple servers in HT/CAS Array than you can apply service to one exchange array member. your exchange infrastructure still be functional and service mail systems.

Step7: download Update Rollup1 for Exchange 2010 SP2 and apply rollup1.

Step7: Upgrade Mailbox Server: Log on to MBX server. Open Exchange Management Console>Click Server Configuration>Select Mailbox>Select Server>Click Switchover Server>Browse and Select a server>click ok. Wait few minutes to finish the operation. Check the mailbox node again. It should show Is Active: False.

Now follow the previous steps to upgrade to SP2 and Rollup1.

Caution: Take a snapshot if Exchange is a virtual server. If exchange 2010 SP2 installation fails for another reason revert the snapshot back to original. Exchange will still be functional even active directory schema is upgraded by exchange SP2 installer.

If server is physical than the following URL might be handy for you.

Recovery Databases

Understanding Backup, Restore and Disaster Recovery

Recover an Exchange Server

Reference Microsoft KB2668686

Exchange 2010 SP2 is available for download

Posted on December 12, 2011 by LM Publications

Microsoft Exchange Server 2010 SP2 is available to download from Microsoft download center. Download link and benefits of SP2 is here. Read systems requirement and release notes before you proceed installation. You may need to backup/snapshot(if virtualized) exchange servers before final installation.

Blogging year 2010—-what stats says

Gallery

Posted on January 3, 2011 by LM Publications

Sharing stats of my blog https://araihan.wordpress.com with my visitors. I started this free wordpress before founding http://microsoftguru.com.au Team WordPress.com + Stats Helper MonkeysJanuary 2nd, 2011, 03:35pm Here’s a high level summary of my overall blog health: Wow Blog-Health-o-Meter™ “We think … Continue reading →

Configure FAX server using Windows Server 2008 and Standard Fax Modem

Gallery

Posted on September 27, 2010 by LM Publications

In this article, I am going to deploy a test fax server using windows Server 2008 Fax Server Role, Standard Fax Modem (Motorola or US Robotics) and Exchange Server Email Distribution Group. A fax server is comprised of four different … Continue reading →

How to configure Exchange 2010 Unified Messaging Server –step by step

Posted on September 19, 2010 by LM Publications

An UM infrastructure is an integration of Microsoft Exchange Server, IP Gateway Conventional PBX and IP-PBX to deliver voicemail, greetings and customer messages to a single outlook client. Microsoft Exchange Server Unified Messaging (UM) combines voice messaging and e-mail messaging into a single messaging infrastructure. Unified Messaging puts all e-mail and voice messages into one Exchange 2010 mailbox that can be accessed from many different devices. After Unified Messaging servers have been deployed on a network, users can access their messages using Outlook Voice Access, from any telephone, from a mobile phone, or from the computer.

Systems Requirements

Microsoft Certified PBX and IP Gateway

Microsoft Telephony Advisor for Exchange Server

Exchange 2010 pre-requisites

Unified Communication Architecture

To install Unified Messaging Server Role on Exchange 2010

Log on to the server on which you want to install Exchange 2010
Insert the Exchange 2010 DVD into the DVD drive (or browse to your install location). If Setup.exe doesn’t start automatically, navigate to the DVD drive and double-click Setup.exe
On the Start page, click Choose Exchange language option. Select Install only languages from the DVD
In the Exchange Server 2010 Setup wizard, on the Introduction page, click Next.
On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
On the Error Reporting page, select Yes, and then click Next.
On the Installation Type page, click Custom Exchange Server Installation.
On the Server Role Selection page, select the UM server role
On the Customer Experience Improvement Program page, choose the appropriate selection for your organization, and then click Next.
On the Completion page, click Finish

After you install and configure the Unified Messaging server, You must create the following objects after you successfully install the Unified Messaging server role:

Dial Plan objects
IP Gateway objects
Hunt Group objects
Mailbox Policy objects
Auto Attendant objects
UM Server objects

Once UM server configured. You must configure other UM devices such AudioCodecs IP Gateway, Siemens, Cisco or your preferred PBX, IP-PBX devices to work with Microsoft Exchange Server 2010 UM. Microsoft supported configuration “how to” guides are at the end this articles in PDF format.

How UM use Active Directory and HT server to Transmit Email

The Unified Messaging server role uses Active Directory site membership information to determine which Hub Transport servers are located in the same Active Directory site as the Unified Messaging server. The Unified Messaging server submits messages for routing to a Hub Transport server within the same Active Directory site. The Hub Transport server performs recipient resolution and queries Active Directory to match a telephone number, or another Unified Messaging property, to a recipient account. After the recipient resolution completes, the Hub transport server will deliver the message to the target mailbox in the same way as a regular e-mail message.

To Create UM Dial Plan

In the console tree, navigate to Organization Configuration > Unified Messaging.
In the action pane, click New UM Dial Plan.
In the New UM Dial Plan wizard
On the Set UM Servers page, click Add, and then, on the Select UM Server page, select the UM server that you want to add to the UM dial plan.
On the Completion page, confirm whether the dial plan was successfully created.
Click Finish to complete the New UM Dial Plan wizard To enable Unified Messaging on an Exchange 2010 server
In the console tree, navigate to Server Configuration > Unified Messaging.
select the Unified Messaging server, Click on Enter Product Key to enter UM license
Once licensed, In the result pane, select the Unified Messaging server to enable.
In the action pane, click Enable UM Server To Create an UM IP Gateway
In the console tree, navigate to Organization Configuration > Unified Messaging.
In the work pane, click the UM IP Gateways tab.
In the action pane, click New UM IP Gateway.
In the New UM IP Gateway wizard
On the Completion page, confirm whether the UM IP gateway was successfully created.
Click Finish to complete the New UM IP Gateway wizard To Create an UM Hunt Group
In the console tree, navigate to Organization Configuration > Unified Messaging.
In the work pane, click the UM IP Gateways tab.
In the result pane, select a UM IP gateway.
In the action pane, click New UM Hunt Group.
In the New UM Hunt Group wizard,view or complete the following fields, Associated UM IP gateway ,Name Dial plan Click the Browse button to select the dial plan that will be associated with the UM hunt group. Pilot identifier An extension number or a Session Initiated Protocol (SIP) Uniform Resource Identifier (URI) can be used in this field.
On the Completion page, confirm whether the UM hunt group was successfully created
Click Finish to complete the New UM Hunt Group wizard. To add a UM server to a dial plan
In the console tree, click Server Configuration.
In the result pane, select the Unified Messaging server.
In the action pane, click Properties.
On the UM Settings > Associated Dial Plans, click Add.
In the Select Dial Plan window, select the dial plan you want to add from the list of available dial plans, and then click OK.
Click OK again to accept your changes.
To configure the start-up mode
In the console root, navigate to Server Configuration > Unified Messaging.
In the result pane, click to select the Unified Messaging server you want to set up.
In the action pane, click Properties.
On the UM Settings tab, in the Startup Mode drop-down list, select one of the following settings: TCP Use this setting if the UM server is being added to only UM dial plans that are set to Unsecured but won’t be added to dial plans that are set to SIP Secured or Secured. In TCP mode, the UM server will only listen on TCP port 5060 for SIP requests. By default, the UM server will startup in TCP only mode. TLS Use this setting if the UM server is being added to UM dial plans that are set to SIP Secured or Secured but won’t be added to dial plans that are set to Unsecured. In TLS mode, the UM server will only listen on TCP port 5061 for SIP requests.
Dual Use this setting if the UM server is being added to UM dial plans that have different security settings. In Dual mode, the UM server can listen on ports 5060 and 5061 simultaneously.

Click OK.

To configure number of concurrent voice calls
In the console tree, navigate to Server Configuration > Unified Messaging.
In the result pane, click to select the Unified Messaging server you want to set up.
In the action pane, click Properties.
On the UM Settings tab, in the Maximum concurrent calls text box, type the maximum number of concurrent voice calls.
Click OK. To view number of active calls
Click Start, click Programs, click Administrative Tools, and then click Performance.
In the Performance console, right-click the details pane, and then select Add Counters from the menu. You can also press CTRL+I to open the Add Counters window.
In the Add Counters window, in the Performance object list, select MSExchangeUMGeneral.
In Select Counters from list, select Current Calls, click Add, and then click Close.
In the Performance console, in the details pane, select the Current Calls counter to display the number of current calls. To add UM Mailbox
In the console tree, navigate to Organization Configuration > Unified Messaging.
In the work pane, click the UM Mailbox tab.
In the action pane, click New UM Mailbox.
In the New UM Mailbox wizard
On the Completion page, confirm whether the UM Mailbox was successfully created.
Click Finish to complete the New UM Mailbox wizard
To add UM Auto Attendant
In the console tree, navigate to Organization Configuration > Unified Messaging.
In the work pane, click the UM Auto Attendant tab.
In the action pane, click New UM Auto Attendant .
In the New UM Auto Attendant wizard
On the Completion page, confirm whether the UM Auto Attendant was successfully created.
Click Finish to complete the New UM Auto Attendant wizard To verify UM mailbox property
In the console tree, navigate to Organization Configuration > Unified Messaging.
In the work pane, click the UM Mailbox tab.
Right click Newly UM Mailbox.
Click on Property
AudioCodecs Configuration Guide
Siemens HiPath 4000 Configuration Guide

Design Guide for Cisco Unified Messaging 1.0

Cisco CallManager Express Configuration Guide

CallManager for Cisco Unity Express Configuration Example

Cisco Unity Express Command Reference Complete Book

Command Reference for Cisco Unified Messaging Gateway (Cisco UMG) Release 8.0

Cisco Unified Communication Software

Cisco IP Phone

Quick Start Guide for Outlook Voice Access 2010
Cisco Unified Communications Manager Administration Guide, Release 7.1(2)Microsoft Exchange 2010 Unified Messaging PBX Configuration Note for Cisco Unified Communications Manager 7.0

Installation of Exchange 2007 service pack 3

Posted on September 17, 2010 by LM Publications

First read what’s new in Exchange 2007 SP3. Here is quick guide on Exchange 2007 SP3 installation. Download Exchange 2007 Service pack 3 . As a precaution backup Exchange 2007. If you are running Exchange on vSphere then take a snapshot so that you can go back to pre-SP3 stage. Exchange 2007 SP3 is un-supported in an upgrade scenario on Windows Server 2008 R2.

To take snapshot>right click on virtual machine>Click on Snapshot>Click Take a Snapshot>Type Name and uncheck snapshot memory>Click Ok.

Stop any backup services agent such as Backup Exec or CommVault running on Exchange Server

Extract E2K7SP3EN64.exe and run setup.exe follow the installation prompt.

Once finish, reboot server. Verify all exchange related services started. Check internal and external email going and coming into organisation. Check CPU and memory uses in Exchange server. There are known issue with SP3 such as cpu sparks. install updaterollup1 for Exchange 2007 SP3 after installing SP3. You are good to go now.

SP3 Known Issue: CPU sparks

Rename Domain with Exchange 2007/2010 not feasible! an alternative solutions

Posted on September 4, 2010 by LM Publications

Recently my company registered a new domain name and wanted to me to investigate best possible way to rename domain internally, change websites (hosted on IIS) publicly accessible CNAME to new domain name and change email address for entire organization. Fun hahh!! Google search appears that domain rename possible in win2k3 AD and exchange 2003 SP1. However, according to Microsoft TechNet I can not rename Windows 2008 native domain with Exchange 2007 . what happen to those who are in the following situation:

Rename Business registration
Merger and/or Acquisition between companies
Change of ownership

If your management decide to have new user account@newdomain, email addresses@newdomain and websites with new domain name. Now you will not have a choice but find out a solution regardless of who says what. In this article (Ref: Plan A), I will investigate and share with you what happen if you rename domain on a test environment similar to my organisation i.e. Microsoft Active Directory 2008 and Exchange 2007/2010. Those who are in my situation, I will explain (Ref: Plan B) how I can accomplish same objectives with alternative deployment that means without messing around AD domain and Exchange 2007/2010. I know plan A is going to fail but worthwhile to produce documents to management and go for plan B. So that business runs smoothly. when time perfect and fund is available then rebuild Microsoft messaging systems for entire organization.

Light bulb Do NOT perform these steps in a production environment. Domain rename is NOT supported when Exchange 2007/2010 installed in a member server.

Rename Domain on a Testbed

Objectives:

Rename Domain
Migrate IIS to new domain
Fix GPO and Exchange (only applicable for Exchange 2003)

Assumptions:

Steps involve:

Set up your control station for the domain rename operation.
Freeze the Forest Configuration
Back up all the domain controllers in your forest.
Generate the current forest description.
Specify the new forest description.
Generate domain rename instructions
Push domain rename instructions to all domain controllers, and verify DNS readiness.
Verify the readiness of the domain controllers.
Execute the domain rename instructions
Update the Exchange configuration, and restart the Exchange servers (Only applicable for Exchange 2003 SP1)
Unfreeze the forest configuration
Re-establish external trusts
Fix Group Policy objects (GPOs) and links.

Precaution: Use the following link for Active Directory Backup and Restore in Windows Server 2008 or keep your resume handy Wink

To verify the forest functionality to Windows Server 2008

Open Active Directory Domains and Trusts.
In the scope pane, right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.
In the Select an available forest functional level box, click Windows Server 2008, and then click Raise.
Click OK to raise the forest functionality, and then click OK again.

To analyze and prepare DNS zones for domain rename

Compile a list of DNS zones that need to be created.
Use the DNS MMC snap-in to create the required DNS zones compiled in step 1.
Configure DNS zones according to “Add a forward lookup zone” in Windows Server 2008.
Configure dynamic DNS update according to “Allow dynamic updates” in Windows Server 2008.

To generate the current forest description file

In windows server 2008, rendom and GPFix utility are available in %Windir%system32 folder. If you change your directory into c:Windowssystem32 and run rendom /list then domainlist.xml will be placed in same directory.

On the control station, open a command prompt and change to the X:DomainRename directory.
At the command prompt, type rendom /list the following command and press ENTER:
Save a copy of the current forest description file (domainlist.xml) generated in step 2 as domainlist-save.xml for future reference by using the following copy command: copy domainlist.xml domainlist-save.xml

To edit the domainlist.xml file

Using a simple text editor such as Notepad.exe, open the current forest description file domainlist.xml generated in “STEP 3: Generate the Current Forest Description” earlier in this document.
Edit the forest description file, replacing the current DNS and/or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS and/or NetBIOS names.

To review the new forest description in domainlist.xml

At the command prompt, type the following and then press ENTER: rendom /showforest

To generate the domain rename instructions and upload them to the domain naming master

On the control station, open a command prompt.
From within the X:DomainRename directory, execute the following command: rendom /upload
Verify that the domain rename tool created the state file dclist.xml in the directory X:DomainRename and that the state file contains an entry for every domain controller in your forest

To discover the DNS host name of the domain naming master

On the control station, open a command prompt.
At the command prompt, type the following and then press ENTER: Dsquery server –hasfsmo name

To force synchronization of changes made to the domain naming master

The following procedure forces the Active Directory changes initiated at the Domain Naming master DC in STEP 4 to replicate to all DCs in the forest.

On the control station, open a command prompt.
At the command prompt, type the following and then press ENTER: repadmin /syncall /d /e /P /q DomainNamingMaster

where DomainNamingMaster is the DNS host name of the domain controller that is the current domain naming master for the forest.

To verify the readiness of domain controllers in the forest

1. On the control station, open a command prompt and change to the X:DomainRename directory

2. At the command prompt, type the following command and then press ENTER: rendom /prepare

3. Once the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have achieved the

To execute the domain rename instructions on all domain controllers

On the control station, open a command prompt.
At the command prompt, type the following and then press ENTER: rendom /execute
When the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have reached either the Done state or the Error state.
If the domainlist.xml file shows any DCs as remaining in the Prepared state, repeat step 2 in this procedure as many times as needed until the stopping criterion is met.

To force Rendom /execute to re-issue the RPC to a DC in the Error state

In the domainlist.xml file, locate the <Retry></Retry> field in the domain controller entry for the DC that you believe should be retried.
Edit the domainlist.xml file such that the field reads <Retry>yes</Retry> for that entry.
The next execution of the rendom /execute command will re-issue the execute-specific RPC to that DC.

To fix up DFS topology in every renamed domain

On the control station, open a command prompt. For each Dfs root, if any of the topology components as described above needs to be fixed, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:

dfsutil /RenameFtRoot /Root:DfsRootPath /OldDomain:OldName /NewDomain:NewName /Verbose

-Where-

DfsRootPath is the DFS root to operate on, e.g., \microsoftguru.com.aupublic.

OldName is the exact old name to be replaced in the topology for the Dfs root.

NewName is the exact new name to replace the old name in the topology.

To fix up Group Policy in every renamed domain

On the control station, open a command prompt and change to the X:DomainRename directory.
At the command prompt, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:

gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName

/newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log

-Where-

OldDomainDnsName is the old DNS name of the renamed domain.

NewDomainDnsName is the new DNS name of the renamed domain.

OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.

NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.

DcDnsName is the DNS host name of a domain controller in the renamed domain, preferably the PDC emulator, that successfully completed the rename operation with a final Done state in the dclist.xml state file in “STEP 8: Execute Domain Rename Instructions” earlier in this document.

For example,

gpfixup /olddns:wolverine.com.au /newdns:microsoftguru.com.au /oldnb:wolverine /newnb:microsoftguru /dc:dc.wolverine.com.au 2>&1 >gpfixup1.log

To force replication of the Group Policy fix-up changes made at the DC named in DcDNSName in above step of this procedure to the rest of the DCs in the renamed domain, type the following and then press ENTER: repadmin /syncall /d /e /P /q DcDnsName NewDomainDN

-Where-

DcDnsName is the DNS host name of the DC that was targeted by the gpfixup command.

NewDomainDN is the distinguished name (DN) corresponding to the new DNS name of the renamed domain.

Repeat steps in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain.

For Example, repadmin /syncall /d /e /P /q dc.microsoftguru.com.au dc=microsoftguru,dc=com, dc=au

To update the DNS name of the CA machine

On the CA machine, open registry editor and locate the entry CAServerName under HKLMSystemCurrentControlSetCertSvcConfigurationYourCAName.
Change the value in CAServerName to correspond to the new DNS host name.

To update the Web enrolment file

To enable proper Web enrollment for the user, you must also update the file that is used by the ASP pages used for Web enrollment. The following change must be made on all CA machines in your domain.

1. On the CA machine, search for the certdat.inc file (if you have used default installation settings, it should be located in the %windir%system32certsrv directory).

2. Open the file, which appears as follows:

<%’ CODEPAGE=65001 ‘UTF-8%>

<%’ certdat.inc – (CERT)srv web – global (DAT)a

<% ‘ default values for the certificate request

sDefaultCompany=””

sDefaultOrgUnit=””

sDefaultLocality=””

sDefaultState=””

sDefaultCountry=””

‘ global state

sServerType=”Enterprise” ‘vs StandAlone

sServerConfig=”OLDDNSNAMEYourCAName”

sServerDisplayName=”YourCAName”

nPendingTimeoutDays=10

‘ control versions

sXEnrollVersion=”5,131,2510,0″

sScrdEnrlVersion=”5,131,2474,0″

3. Change the SServerConfig entry to have the NewDNSName of the CA machine.

To perform attribute clean up after domain rename

On the control station, open a command prompt.
At the command prompt, from within the X:DomainRename directory, execute the following command: rendom /clean

Command-line usage to run XDR-fixup.exe

XDR-fixup.exe /s:start_domainlist.xml /e:end_domainlist.xml [/user:username /pwd:password | *] [/trace:tracefile] /changes:changescript.ldf /restore:restorescript.ldf [/?]

Note This command is one line. It has been wrapped for readability.

Command-line usage to verify XDR-fixup.exe

Use the following command line to verify the changes that are made by XDR-fixup.exe:

XDR-fixup /verify:restorescript.ldf /changes:verifycorrections.ldf

To unfreeze the forest configuration

From within the X:DomainRename directory, execute the following command: rendom /end

To force remove domain member if fails to join new domain using following command. Then re-join domain manually.

netdom remove <machine-name> /Domain:<old-domain> /Force”

To use Control Panel to check for primary DNS suffix update configuration for a computer

The following procedures explain two ways to view the setting for a member computer that determines whether the primary DNS suffix changes when the name of the membership domain changes.

1. On a member computer, in Control Panel, double-click System.

2. Click the Computer Name tab and then click Change.

3. Click More and then verify whether Change primary domain suffix when domain membership changes is selected.

4. Click OK until all dialog boxes are closed.

To use the registry to check for primary DNS suffix update configuration for a computer

1. On the Start menu, click Run.

2. In the Open box, type regedit and then click OK.

3. Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters.

4. Verify whether the value of REG_RWORD SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.

To determine whether Group Policy specifies the primary DNS suffix for a computer

On a member computer, perform one of the following steps:
At a command prompt, type gpresult. In the output, under Applied Group Policy objects, check to see whether Primary DNS Suffix is listed.

Open the Resultant Set of Policy Wizard, as follows:

In Active Directory Users and Computers, right-click the computer object, click All Tasks, and then click Resultant Set of Policy (Logging).

Open a command prompt and then type: ipconfig /all

Check the Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in the System Control Panel for the computer (see “To use Control Panel to check for primary DNS suffix update configuration for a computer” earlier in this document), then the Primary DNS Suffix Group Policy is applied.

u In the registry, check for the presence of the entry Primary DNS Suffix under HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftSystemDNSclient. If a value is present, then the Primary DNS Suffix Group Policy is applied to the computer.

To install Support Tools

1. On the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD, double-click the Support folder.

2. In the Support folder, double-click the Tool folder and then run suptools.msi.

To use ADSI Edit to add DNS suffixes to msDS‑AllowedDNSSuffixes

The attribute msDS‑AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change.

1. On the Start menu, point to Programs, Windows Server 2003 Support Tools, Tools, and then click ADSI Edit.

2. Double-click the domain directory partition for the domain you want to modify.

3. Right-click the domain container object, and then click Properties.

4. On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS‑AllowedDNSSuffixes.

5. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix and then click Add.

6. When you have added all the DNS suffixes for the domain, click OK.

7. Click OK to closed the Properties dialog box for that domain.

8. In the scope pane, right-click ADSI Edit and click Connect to.

9. Under Computer, click Select or type a domain or server.

10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK.

11. Repeat steps 2 through 7 for that domain.

12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.

To apply the Group Policy setting Primary DNS Suffix to groups of member computers

1. In Active Directory Users and Computers, right-click the domain or organizational unit that contains the group of computers to which you are applying Group Policy.

-Or-

In Active Directory Sites and Services, right-click the site object that contains the computers to which you are applying Group Policy.

2. Click the Group Policy tab.

3. In the Group Policy object Links box, click the Group Policy object that you want to contain the Primary DNS Suffix setting.

-Or-

To create a new Group Policy object, click New and then type a name for the object.

4. With the Group Policy object selected, click Edit.

5. Under Computer Configuration, click to expand Administrative Templates, Network, and then click DNS Client.

6. In the results pane, double-click Primary DNS Suffix.

7. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group you selected in Step 1.

8. Click OK.

9. Close the Group Policy dialog box, and then close the properties page for the selected object.

To configure the redirecting alias DNS entry

1. In the DNS MMC snap-in, expand the DNS server node to expose the old DNS zone.

2. Right-click the old DNS zone.

3. Click New Alias (CNAME ).

4. In the Alias name box, type the original fully qualified domain name (FQDN) of the HTTP Server..

5. In the Fully qualified domain name for target host box, type the new FQDN of the HTTP Server, and then click OK.

At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.

Issues involving domain rename:

XDR-Fixup tool does not work on Exchange 2010
Exchange SMTP stops functioning
Exchange organization initialization fails

Simple alternative solutions without renaming domain

Microsoft does not support domain rename if Exchange 2007 installed in member server. So what could be work around if you have to have new user account, corresponding emails account and web sites with new domain name without renaming domain.

Prepare a control workstation station and log on as a domain admin, schema admin and enterprise admin
Create a new range of IP in your infrastructure
Prepare an windows server 2008 and promote as your new primary domain with new domain name
Create External trust between two domains
Ask your ISP Add new Host (A) and MX record with new domain

Point this new MX record to existing SMTP server
Add new domain into trusted domain list

Add new email policy for new domain

Change default email address to new email addresses through email property of mailbox using Exchange management console

Migrate IIS web sites to new web server
Redirect CNAME record to new websites for customers and stakeholder
Add 301 redirect using Google webmaster if necessary

Relevant Articles:

Microsoft Exchange System Attendant service does not start

completely remove Exchange 2000 or Exchange 2003 from Active Directory

How to remove Exchange Server 2003 from your computer

How to remove the first Exchange Server 2003 computer from the administrative group

Removing and Modifying Exchange 2007

Step-by-Step Guide to Implementing Domain Rename

Windows Server 2003 Active Directory Domain Rename Tools

Exchange Server Domain Rename Fixup

Microsoft KB842116

Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)

Windows 2003 domain rename tools

How to configure reverse proxy using Forefront TMG 2010— step by step

Gallery

Posted on August 8, 2010 by LM Publications

In this article, I am going to explain in dept of reverse proxy and how you can utilize reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how to in this article. Let’s start … Continue reading →

How to create E-Mail protection Policy in Forefront TMG 2010

Gallery

Posted on April 14, 2010 by LM Publications

1. On the TMG computer (or using the remote management console), open the Forefront TMG Management Console. 2. Click Forefront TMG (Array Name) in the left pane. 3. Click E-Mail Policy and in the task pane click Configure E-Mail Policy … Continue reading →

How to publish Exchange ActiveSync in Forefront TMG 2010

Gallery

Posted on April 9, 2010 by LM Publications

This gallery contains 30 photos.

Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management>Expand Forefront Server>Right Click on Firewall Policy>Click New>Click Exchange Web Client Publishing Rule>Type Rule Name>Click Next>Select Exchange 2010 from Exchange version>check Exchange ActiveSync. Click Next. Now … Continue reading →

Forefront TMG 2010: Publishing Exchange server 2010

Gallery

Posted on April 9, 2010 by LM Publications

This gallery contains 2 photos.

To ensure that every Exchange client access mail securely from anywhere (internally and externally) Exchange deployment published through Forefront TMG 2010. you need to plan and deploy the different roles of Exchange Server which includes Exchange HT, CAS, ET and … Continue reading →

Share this:

Like this:

Share this:

Like this:

Migration Guide

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Command-line usage to run XDR-fixup.exe

Command-line usage to verify XDR-fixup.exe

Share this:

Like this: