The Microsoft cybersecurity reference architecture will be explained by demoing key components, starting with Azure Security Center for cross-platform visibility, protection and threat detection, followed by a walk-through of how you can secure different Azure services, covering Azure …
Tag Archives: Office 365
Configure ADFS Extranet Lockout Protection
Extranet lockout provides the following key advantages: It protects your user accounts from brute-force attacks, where an attacker tries to guess a user's password by continuously sending authentication requests. In this case, AD FS will lock out the malicious …
Migration from Office 365 or Microsoft 365 mailboxes to G Suite using the G Suite Data Migration Service
Supported environment: Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003. Supported G Suite: G Suite Enterprise, Business, Basic, and Education accounts. G Suite cost: standard prices are shown. Google occasionally offers special discounts to some customers for …
Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop
Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we've been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any …
Convert Synced User to In-Cloud User
Here is the scenario: Synced ID: specifies the immutable ID of the federated identity of the user. This should be omitted for users with standard identities. You have a local Active Directory with AAD Connect installed, which syncs users and passwords …
Decide on Office 365 Migration Path
Deciding on the best migration path for your users' email to Office 365 can be difficult. Your migration performance will vary based on your network, existing messaging system design, mailbox size, migration speed, and so on. For migrations from an …
Azure AD B2B Collaboration With SharePoint Online
Azure AD B2B collaboration capabilities let you invite guest users into your Azure AD tenant to allow them to access Azure AD services. Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited …
Office 365 MailFlow Scenarios and Best Practices
Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and use-case scenario to deliver email to your organisation's mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam …
Migrate Office 365 Relying Party Trust to Different ADFS Farm
To migrate the Office 365 Relying Party Trust from an existing ADFS farm to a new ADFS farm, follow this step-by-step guide. Migrating the Office 365 Relying Party Trust will incur a minor disruption to the SSO environment. Prerequisites: Existing ADFS Farm …
Office 365 Hybrid Deployment with Multiple Active Directory Forests
This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory forests. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in …
Configuring Azure ExpressRoute using PowerShell
Microsoft Azure ExpressRoute is a private connection from on-premises networks to the Microsoft cloud over private peering facilitated by a network service provider. With ExpressRoute, you can establish a faster, lower-latency and more reliable connection to Microsoft cloud services, …
Office 365 Hybrid Deployment with Exchange 2016 Step by Step
Hybrid Configuration Business Case. On-premises IRM: Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. Antispam and malware protection: Mailboxes moved to Office 365 are automatically provided with antivirus …
Upgrading AD FS to Windows Server 2016 FBL
This article describes how to install a new ADFS 2016 farm or upgrade an existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016. Prerequisites: ADFS role in Windows Server 2016; administrative privilege in both ADFS …
Login to Exchange Online PowerShell using MFA
Once you enable MFA on an admin account, you will be denied access to EXO using PowerShell until you update the Azure PowerShell version to the latest. Download and install the Microsoft Online Services Sign-In Assistant and the Azure Active Directory Connection preview. Use Connect-MsOlService …
Add multiple users to Office 365 security groups using PowerShell Scripts
Step 1: Connect to MSOL Services: Connect-MsolService. Step 2: Find out the ObjectID of the security group you would like to add members to: Get-MsolGroup -MaxResults 100000 | Where-Object {$_.DisplayName -eq "Test Security Group"} or Get-MsolGroup -ObjectId "af407072-7ae1-4b07-a0ca-6634b7396054", or sign in to Portal.Azure.Com and select Azure Active …
Branding and Customizing the ADFS Sign-in Pages
Branding and promoting the company name and logos are common business practices. You would like to see your own brand whilst signing in to Microsoft Office 365. ADFS gives businesses the opportunity to customize the sign-in page and promote their own brand. …
Centralized Mailflow: NDR Remote Server returned '550 5.7.1 Unable to relay'
Environment: Mailbox hosted on Exchange Online; hybrid on-prem Exchange 2010/2013 with Microsoft Exchange Online; Centralized Mailflow configured for Exchange 2013; Route all emails through on-premises configured for Exchange 2010; Accepted domain configured as either Managed or Authoritative on the Exchange …
Mailflow Co-existence between G Suite and Office 365 during IMAP Migration
This article explains how to create mail flow coexistence between a disparate IMAP source and an Exchange Online destination. Use case: the customer wants mailflow co-existence between hosted email (e.g. Gmail) and Exchange Online during the mailbox migration phase. The customer has on-premises …
On-prem to Office 365 Migration: PowerShell Script Collection
Connect to Azure Active Directory PowerShell without a password prompt. #Use Case: Log on to Office 365 tenant without typing credentials. $User="Raihan@tenant.onmicrosoft.com" $Password=ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force $O365CREDS= New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Password #$O365CREDS = Get-Credential -Username Raihan@tenant.OnMicrosoft.Com $SESSION = …
Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Step 1: Configure the SharePoint server
1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.
2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.
3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.
4. On the Alternate Access Mappings page, click Edit Public URLs.
5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.
6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.
7. When you have finished, click Save.
8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:
9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.
10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
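The same alternate access mappings can be created from the SharePoint 2010 Management Shell instead of Central Administration. This is an added example, not code from the original post; the web application URL http://portal is an assumed placeholder, and the public and farm host names reuse the xman.com values from the steps above.

```powershell
# Added example (not from the original post): Step 1 done with the SharePoint
# 2010 Management Shell. Assumed: the web application's default URL is
# http://portal and the UAG trunk lives in the xman.com domain.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp      = "http://portal"                    # existing web application (assumed)
$publicUrl   = "https://Portal.xman.com"          # Public host name entered in the UAG trunk
$internalUrl = "http://PortalExternal.xman.com"   # Farm host name (replacement host header)
$zone        = "Internet"                         # a zone not yet defined for this web app

# Public URL for the zone. The protocol must match the trunk type (HTTPS here);
# a mismatch produces mixed http/https links in pages served through UAG.
New-SPAlternateURL -Url $publicUrl -WebApplication $webApp -Zone $zone

# Internal URL in the same zone. This is the host header UAG sends to the farm,
# so SharePoint must recognise it and rewrite links back to the public URL.
New-SPAlternateURL -Url $internalUrl -WebApplication $webApp -Zone $zone -Internal

# Verify: both incoming URLs should sit in the same zone with the HTTPS public URL.
Get-SPAlternateURL -WebApplication $webApp | Where-Object { $_.Zone -eq $zone } |
    Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```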
Step 2: Create a new trunk
Right-click HTTPS Application, click New Trunk, select Portal Trunk, click Next.
Type SharePoint 2010 in the Trunk Name box, type the FQDN of the SharePoint site, type the IP address of the external NIC, click Next.
On the Authentication page, click Add, select the DC, click Next.
Select the SharePoint.xman.com.au certificate from the drop-down, click Next. Don't worry about the certificate screenshot; this is a test environment.
Select Use Forefront UAG Access Policies, click Next.
Select Default and click Next.
Click Finish.
Step 3: Add SharePoint web applications to the trunk
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.
On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.
In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.
In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.
In the Public host name box, enter a public host name of your choice for the SharePoint web application.
Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.
On the Authentication page, do the following:
To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.
To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.
On the Portal Link page of the wizard, if required, configure the portal link for the application.
If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.
When you have completed the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications list.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.
Step 4: Configure mobile device access for SharePoint
When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:
1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.
2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.
3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.
4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.
Note: When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.
Install and Configure Forefront UAG 2010 Step by Step
Forefront UAG Overview:
Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx
- Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
- Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
- Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
- Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
- Easily integrates with Active Directory and enables a variety of strong authentication methods.
- Limits exposure and prevents data leakage to unmanaged endpoints.
Assumptions:
The following server is installed and configured in a test environment.
Systems Requirements:
| Option | Description |
|---|---|
| Virtual Machine Name | DC1TVUAG01 |
| Memory | 8GB |
| vCPU | 1 |
| Hard Disk 1 | 50GB |
| Hard Disk 2 | 50GB |
| Network Adapter | 2 |
| Guest Operating System | Windows Server 2008 R2 |
| Service Pack Level | SP1 |
Software Requirement:
| Option | Description |
|---|---|
| Version | Microsoft Forefront Unified Access Gateway 2010 |
| Service Pack Level | SP3 |
Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
- Windows Update
- Microsoft Windows Installer 4.5
- SQL Server Express 2005
- Forefront TMG is installed as a firewall during Forefront UAG setup
- The Windows Server 2008 R2 DirectAccess component is automatically installed.
The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.
- Network Policy Server
- Routing and Remote Access Services
- Active Directory Lightweight Directory Services Tools
- Message Queuing Services
- Web Server (IIS) Tools
- Network Load Balancing Tools
- Windows PowerShell
Supported Browsers and Devices:
| Browser | Features |
|---|---|
| Firefox | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Endpoint Quarantine Enforcement |
| Internet Explorer | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Socket Forwarding, SSL Network Tunneling (Network Connector), Endpoint Quarantine Enforcement |

| Device Name | Features |
|---|---|
| Windows Phone | Premium mobile portal |
| iOS: 4.x and 5.x on iPhone and iPad | Premium mobile portal |
| Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |
Service Account for Active Directory Authentication:
| Service Account | Privileges | Password |
|---|---|---|
| xman\SA-FUAG | Domain Users | Password set to never expire |
The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.
- Add the server to an array of Forefront UAG servers at a later date.
- Configure the server as a Forefront UAG DirectAccess server at a later date.
- Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
- Publish the File Access application via a Forefront UAG trunk.
- Provide remote clients with access to the internal corporate network using SSTP.
Antivirus Exclusion:
| Version | Paths | Processes |
|---|---|---|
| Forefront UAG 2010 | UAG installation folder (may be changed during installation) | Forefront UAG DNS-ALG Service; Forefront UAG Monitoring Manager; Forefront UAG Session Manager; Forefront UAG File Sharing; Forefront UAG Quarantine Enforcement Server; Forefront UAG Terminal Services RDP Data; Forefront UAG User Manager; Forefront UAG Watch Dog Service; Forefront UAG Log Server; Forefront UAG SSL Network Tunneling Server |
The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.
There are advantages to placing the Forefront UAG server between a frontend and backend firewall, as follows:
- Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
- Integrity of the content in the corporate network is retained.
- Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
- Hide corporate network infrastructure from perimeter and external threats.
Perimeter Port Requirement:
To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:
- HTTP traffic (port 80)
- HTTPS traffic (port 443)
- FTP Traffic (Port 21)
- RDP Traffic (Port 3389)
Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes.
| Infrastructure server | Protocol | Port | Direction |
|---|---|---|---|
| Domain controller | Microsoft-DS traffic | TCP 445, UDP 445 | From UAG to DC |
| Domain controller | Kerberos authentication | TCP 88, UDP 88 | From UAG to DC |
| Domain controller | LDAP | TCP 389, UDP 389 | From UAG to DC |
| Domain controller | LDAPS | TCP 636, UDP 636 | From UAG to DC |
| Domain controller | LDAP to GC | TCP 3268, UDP 3268 | From UAG to DC |
| Domain controller | LDAPS to GC | TCP 3269, UDP 3269 | From UAG to DC |
| Domain controller | DNS | TCP 53, UDP 53 | From UAG to DC |
| Exchange, SharePoint, RDS | HTTPS | TCP 443 | From external to internal server |
| FTP | FTP | TCP 21 | From external to internal server |
Scenario 2
In this scenario no NAT or internal firewall rules are needed, but it is not a best practice and not a good firewall design.
UAG Network Configuration
The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within the Windows operating system:
- First in order: UAG internal adapter connected to the trusted network.
- Second in order: UAG external adapter connected to the untrusted network.
The following is the network configuration for the UAG server.
| Option | IP Address | Subnet | Default Gateway | DNS |
|---|---|---|---|---|
| Internal Network | 10.10.10.2 | 255.255.255.0 | Not required | 10.10.10.1 |
| External Network | 192.168.1.1 | 255.255.255.0 | 192.168.1.254 | Not required |
Important! The External Network can be assigned a public IP if the UAG server isn't placed behind a frontend router/firewall. In an edge configuration the UAG external network is configured with a public IP and the internal network is assigned an IP address from the internal IP range.
Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers:
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
- UAG adapter connected to the trusted network: Internal Network
- UAG adapter connected to the untrusted network: External Network
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
- Default Gateway should not be defined
- DNS Servers should be defined
- Client for Microsoft Networks binding – Enabled
- File and Print Sharing for Microsoft Networks binding – Enabled
- Register this connection’s address in DNS – Enabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Default
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
- Default Gateway should be defined
- DNS Servers should not be defined
- Client for Microsoft Networks binding – Disabled
- File and Print Sharing for Microsoft Networks binding – Disabled
- Register this connection’s address in DNS – Disabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Disabled
Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
To amend network binding follow the steps below:
1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
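An added check, not from the original post, that audits the two adapters against the Internal/External settings listed in Configuration Steps 1 and 2. It reads the live configuration through WMI so it runs on Windows Server 2008 R2, where the NetAdapter cmdlets do not exist; it assumes the adapters have already been renamed Internal Network and External Network, and it cannot see the Client for Microsoft Networks and File and Print Sharing bindings, which still need a manual look.

```powershell
# Added example (not from the original post): compare each UAG adapter with the
# recommended settings. Expected values mirror the Internal/External lists above.
$rules = @{
    "Internal Network" = @{ Gateway = $false; Dns = $true;  RegisterDns = $true;  NetbiosDisabled = $false }
    "External Network" = @{ Gateway = $true;  Dns = $false; RegisterDns = $false; NetbiosDisabled = $true  }
}

function Test-UagAdapterConfig {
    param([hashtable]$Expected = $rules)
    $findings = @()
    foreach ($name in $Expected.Keys) {
        # NetConnectionID is the friendly name shown in Network Connections (assumed renamed already)
        $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$name'"
        if (-not $adapter) { $findings += "${name}: adapter not found (rename it first)"; continue }
        # Win32_NetworkAdapterConfiguration shares the Index value with Win32_NetworkAdapter
        $cfg  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
        $want = $Expected[$name]

        $hasGateway = ($cfg.DefaultIPGateway -ne $null -and $cfg.DefaultIPGateway.Count -gt 0)
        if ($hasGateway -ne $want.Gateway) {
            $findings += "${name}: default gateway present=$hasGateway, expected $($want.Gateway)"
        }
        $hasDns = ($cfg.DNSServerSearchOrder -ne $null -and $cfg.DNSServerSearchOrder.Count -gt 0)
        if ($hasDns -ne $want.Dns) {
            $findings += "${name}: DNS servers defined=$hasDns, expected $($want.Dns)"
        }
        if ($cfg.FullDNSRegistrationEnabled -ne $want.RegisterDns) {
            $findings += "${name}: register this connection in DNS=$($cfg.FullDNSRegistrationEnabled), expected $($want.RegisterDns)"
        }
        # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled
        $netbiosDisabled = ($cfg.TcpipNetbiosOptions -eq 2)
        if ($netbiosDisabled -ne $want.NetbiosDisabled) {
            $findings += "${name}: NetBIOS over TCP/IP disabled=$netbiosDisabled, expected $($want.NetbiosDisabled)"
        }
        # LMHOSTS lookup is expected to be disabled on both adapters
        if ($cfg.WINSEnableLMHostsLookup) {
            $findings += "${name}: LMHOSTS lookup is enabled, expected disabled"
        }
    }
    return $findings
}

$result = Test-UagAdapterConfig
if ($result.Count -eq 0) { "Adapter configuration matches the recommended settings." }
else { $result | ForEach-Object { "MISMATCH - $_" } }
```

Run it again after the UAG Network Interfaces wizard and after any static route changes, since the wizard only picks up what the adapters report at that moment.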
DNS Forwarding:
The following Fully Qualified Domain Names (FQDN) will be forwarded from the ISP to your router:
| Purpose | Public Host Name | Public IP Address |
|---|---|---|
| Exchange | webmail.xman.com.au | 203.17.x.x |
| SharePoint | sharepoint.xman.com.au | 203.17.x.x |
| RDS | remote.xman.com.au | 203.17.x.x |
| FTP | ftp.xman.com.au | 203.17.x.x |
Scenario 1: Firewall Rules Considerations
External NAT Rules
The following NAT rules will be added to the perimeter network firewall to publish applications and services through Forefront UAG.
| Rule(s) | Description | Source IP | Public IP Address (Destination IP Address) | Port | NAT Destination | Status |
|---|---|---|---|---|---|---|
| 1 | Exchange | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 2 | SharePoint | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 4 | RDS | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 5 | FTP | Any | 203.17.x.x | 21 | 10.10.10.2 | Forward |
The following firewall rules will be added to the internal network firewall to allow communication from the UAG server to the application servers and domain controller:
| Rules | Description | Source IP | Port TCP & UDP | NAT Destination | Destination | Status |
|---|---|---|---|---|---|---|
| 1 | Exchange | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.3 | Forward |
| 2 | SharePoint | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.4 | Forward |
| 4 | RDS | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.5 | Forward |
| 5 | FTP | 10.10.10.2 | TCP 21 | Not Required | 10.10.10.6 | Forward |
| 6 | Client | 10.10.12.0/24, 10.10.13.0/24 | TCP 443, TCP 21 | Not Required | 10.10.10.2 | Forward |
| 7 | Domain Controller | 10.10.10.2 | 445, 88, 53, 389, 636, 3268, 3269 | Not Required | 10.10.10.1 | Forward |
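An added example, not from the original post, to confirm from the UAG server that the internal firewall really passes the TCP flows of rules 1, 2, 4, 5 and 7 above. The lab addresses 10.10.10.1 to 10.10.10.6 are taken from the tables as assumptions; the UDP entries are not tested because a UDP connect cannot tell an open port from a filtered one.

```powershell
# Added example (not from the original post): TCP reachability check for the internal
# firewall rules, run on the UAG server (10.10.10.2). Test-NetConnection does not exist on
# Windows Server 2008 R2, so a TcpClient with a timeout is used instead.
$checks = @(
    @{ Name = "Domain Controller"; Address = "10.10.10.1"; Ports = 445, 88, 53, 389, 636, 3268, 3269 },
    @{ Name = "Exchange";          Address = "10.10.10.3"; Ports = 443 },
    @{ Name = "SharePoint";        Address = "10.10.10.4"; Ports = 443 },
    @{ Name = "RDS";               Address = "10.10.10.5"; Ports = 443 },
    @{ Name = "FTP";               Address = "10.10.10.6"; Ports = 21 }
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # A filtered port never answers; give up after the timeout instead of hanging
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-UagFirewallRules {
    param([array]$Rules = $checks)
    $report = @()
    foreach ($rule in $Rules) {
        foreach ($port in @($rule.Ports)) {
            $report += New-Object PSObject -Property @{
                Rule   = $rule.Name
                Target = "$($rule.Address):$port"
                Open   = Test-TcpPort -Address $rule.Address -Port $port
            }
        }
    }
    return $report
}

Test-UagFirewallRules | Format-Table Rule, Target, Open -AutoSize
```

A row with Open = False means either the backend firewall is not passing that rule or the service is not listening; check the firewall log for the UAG source address before changing the rule.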
Understanding Certificates requirements:
Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition, a SAN certificate can specify the required host names.
Launch Certificate Manager
1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:
2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.
3. Follow the instructions in the Certificate Import Wizard.
| Common Name | Subject Alternative Name | Certificate Issuer |
|---|---|---|
| RDS.xman.com.au | – | Verisign/Digicert |
| webmail.xman.com.au | autodiscover.xman.com.au | Verisign/Digicert |
| ftp.xman.com.au | – | Verisign/Digicert |
| sharepoint.xman.com.au | – | Verisign/Digicert |
Understanding Properties of Trunk
- Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
- Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
- IP address: Specify the external IP address used to reach the published Web application or portal.
- Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
- HTTP/HTTPS port: Specify the port for the external Web site.
UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe the list of trunks and their advanced configuration.
Advanced Trunk Configuration for SharePoint: The following changes should be made in the advanced trunk configuration to allow mobile devices to communicate with the UAG server for rich applications:
| URL List | Methods | Allow Rich Content |
|---|---|---|
| InternalSite_Rule54 | HEAD | Checked |
| SharePoint14AAM_Rule47 | HEAD | Checked |
Published Applications and Services:
Install Forefront UAG:
Mount the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file on the Hyper-V server as media, and run Setup from the Forefront UAG folder.
Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.
On the Welcome page of Setup, do the following:
Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.
Restart the Server.
Initial Configuration Using Getting Started Wizard
In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
On the Define Network Adapter Settings page, in the Adapter name list do the following:
To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.
To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.
After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:
If you are running Forefront UAG on a single server, click Single server.
If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.
After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.
If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.
Configure Remote Desktop (RDP) to Forefront UAG
After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:
Ensure that remote desktop is enabled on the Forefront UAG server.
Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.
To do this, open the Forefront TMG Management console from the Start menu.
1. In the console tree, right-click the Firewall Policy node, click New, click Access Policy, and type the name RDP Access Policy.
2. On the Rule Action page, click Allow, then click Next.
3. On the Selected Protocols page, click Add, select RDP Server from All Protocols, then click Next.
4. On the Source page, click New, click Computer, add the name and IP address of the management computer, then click Next.
5. On the Destination page, click New, click Computer, add the name and IP address of the UAG server, click Next, click Finish and apply the changes.
Exchange 2013 Upgrade, Migration and Co-existence
Migration Guide
Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide
How to Configure Unified Messaging in Exchange 2013 Step by Step
Mail flow in Exchange 2013
Source: Microsoft TechNet
Protocol | Exchange 2007 & Exchange 2013 | Exchange 2010 & Exchange 2013 |
Namespace | legacy.domain.com | no additional namespace |
OWA | Non-silent redirection to legacy.domain.com | Proxy to CAS2010 (silent redirection) |
EAS | Proxy to MBX2013 | Proxy to CAS2010 |
Outlook Anywhere | Proxy to CAS2007 | Proxy to CAS2010 |
Autodiscover | Redirect to CAS2007 | Proxy to CAS2010 |
EWS | Autodiscover | Proxy to CAS2010 |
POP/IMAP | Redirect to CAS2007 | Proxy to CAS2010 |
OAB | Redirect to CAS2007 | Proxy to CAS2010 |
RPS | N/A | Proxy to CAS2010 |
ECP | N/A | Proxy to CAS2010 |
Exchange 2013 Prerequisites
Supported Co-existence Scenario
- Exchange 2010 SP3
- Exchange 2007 SP3+RU10
Supported Client
- Outlook Anywhere Only, Outlook 2007 or later
- Outlook for Mac 2011
- Entourage 2008 for Mac
Active Directory
- Windows 2003 Forest Functional Level or higher
- At least one global catalog; two global catalogs are highly recommended for redundancy
- No support for RODC or ROGC
Namespace
- Contiguous
- Non-Contiguous
- Single level Domain
- Disjoint
Operating Systems
- Windows Server 2008 R2 SP1
- Windows Server 2012 or Windows Server 2012 R2
Other Components
- Internet Information Service (IIS)
- .Net Framework 4.5
- Unified Communication Managed API
Cumulative Updates
- A CU is a full Exchange installer (complete binaries), not a delta patch
- Required for co-existence with Exchange 2007/2010
Upgrade from Exchange 2010 to Exchange 2013
1. Prepare
- Prepare Exchange 2010 with SP3
- Test Exchange using Test cmdlets
- Test Active Directory health status
- Prepare Active Directory Schema using Exchange 2013 schema
2. Deploy Exchange 2013
- Install both Exchange 2013 MBX and CAS servers
- Install Management Server on admin PC
3. Obtain and deploy Certificates
- Create Certificate CSR from Exchange 2013
- Sign the certificate from public CA
- Install the certificate and assign it to IIS, SMTP, POP, IMAP
OR
- Export certificate from Exchange 2010 and import into Exchange 2013
4. Configure Mail flow
- Create mail and autodiscover namespace and point to Exchange 2013
- Add Exchange 2013 MBX server into Send Connector
- Configure Frontend receive connector
- Create anonymous relay
5. Switch Primary Name Space
- Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
- Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
- Switch port 25 forwarding to Exchange 2013
- Validate traffic flow to Exchange 2013
6. Move Mailboxes
- Build Exchange DAG
- Migrate user mailbox
- Migrate resource mailbox
- Migrate public folders
7. Repeat additional sites
8. Decommission Exchange 2010
Upgrade from Exchange 2007 to Exchange 2013
1. Prepare
- Prepare Exchange 2007 with SP3 + RU
- Test Exchange using Test cmdlets
- Test Active Directory health status
- Prepare Active Directory Schema using Exchange 2013 schema
2. Deploy Exchange 2013
- Install both Exchange 2013 MBX and CAS servers
- Install Management Server on admin PC
3. Obtain and deploy Certificates
- Create a certificate CSR from Exchange 2013 with legacy namespace
- Sign the certificate from public CA
- Install the certificate and assign it to Exchange 2013 IIS, SMTP, POP, IMAP
- Install same certificate into Exchange 2007
4. Configure Mail flow
- Create legacy DNS record pointing to Exchange 2007
- Create mail and autodiscover namespace and point to Exchange 2013 CAS
- Create Send Connector in Exchange 2013
- Configure Frontend receive connector
- Create anonymous relay
5. Switch Primary Name Space
- Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
- Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
- Switch port 25 forwarding to Exchange 2013
- Validate traffic flow to Exchange 2013 using MCA and ExRCA
6. Move Mailboxes
- Build Exchange DAG
- Migrate user mailbox
- Migrate resource mailbox
- Migrate public folders
7. Repeat additional sites
8. Decommission Exchange 2007
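The mail-flow step of both upgrade procedures above (send connector, Frontend receive connector, anonymous relay), written as Exchange Management Shell commands. This is an added example rather than the guide's own; the server name EX2013-MBX01, the connector name Internet and the relay source address 10.10.1.50 are placeholders.

```powershell
# Added example, not from the original guide. Assumed placeholders:
#   EX2013-MBX01  - Exchange 2013 Mailbox/CAS server
#   "Internet"    - name of the existing Send Connector
#   10.10.1.50    - an application server that must relay without authentication
$ex2013 = "EX2013-MBX01"

# 1. Add the Exchange 2013 server as a source of the existing Internet Send
#    Connector (step "Add Exchange 2013 MBX server into Send Connector").
Set-SendConnector -Identity "Internet" -SourceTransportServers @{Add = $ex2013}

# 2. The default Frontend connector on 2013 already listens on port 25 for
#    inbound mail; review its bindings and permission groups rather than
#    creating a second general-purpose connector on the same port.
Get-ReceiveConnector -Server $ex2013 |
    Where-Object { $_.TransportRole -eq "FrontendTransport" } |
    Format-Table Name, Bindings, PermissionGroups -AutoSize

# 3. Anonymous relay: a dedicated Frontend connector whose RemoteIPRanges list
#    only the hosts that need it. A range of 0.0.0.0-255.255.255.255 here turns
#    the server into an open relay, so the source list is deliberately narrow.
New-ReceiveConnector -Name "Anonymous Relay" -Server $ex2013 `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.10.1.50" `
    -PermissionGroups AnonymousUsers

# Allow the connector to accept mail for external recipients (true relay).
Get-ReceiveConnector -Identity "$ex2013\Anonymous Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verification: report any relay connector that is open to every address.
function Get-OpenRelayConnector {
    param([string]$Server)
    Get-ReceiveConnector -Server $Server |
        Where-Object {
            $_.PermissionGroups -match "AnonymousUsers" -and
            (($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains "0.0.0.0-255.255.255.255") -and
            ((Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
              Where-Object { $_.ExtendedRights -match "ms-Exch-SMTP-Accept-Any-Recipient" }))
        } | Select-Object Identity, RemoteIPRanges
}
Get-OpenRelayConnector -Server $ex2013   # expected: nothing returned
```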
Validate External Connectivity
- Use Microsoft connectivity analyzer https://testconnectivity.microsoft.com/?tabid=client
- Use remote connectivity analyzer http://www.exrca.com
- Use Test cmdlets
Certificate Best Practice
- Minimize number of certificates
- Minimize number of host name
- Use split DNS for Exchange host names
- Don’t list machine name in certificates
- Use Subject Alternative Name Certificate or SAN certificates
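The certificate step of the two upgrade procedures (new CSR from Exchange 2013, or export from Exchange 2010 and import into 2013), followed by checks that match the best-practice list above and the Test cmdlets named under Validate External Connectivity. This is an added Exchange Management Shell example, not the guide's own; EX2013-MBX01, EX2010-CAS01, domain.com and the \\EX2013-MBX01\C$\certs folder are placeholders.

```powershell
# Added example, not from the original guide. Assumed placeholders:
#   EX2013-MBX01 / EX2010-CAS01 - Exchange 2013 and Exchange 2010 servers
#   domain.com                  - the public mail domain
#   \\EX2013-MBX01\C$\certs     - a folder the shell can read and write
# Option A runs in the Exchange 2013 shell; the export in Option B runs in the 2010 shell.
$ex2013  = "EX2013-MBX01"
$certDir = "\\$ex2013\C$\certs"
# Only public service names go into the SAN list (few names, one certificate),
# never the internal machine name.
$names = "mail.domain.com", "autodiscover.domain.com", "legacy.domain.com"

# --- Option A: CSR from Exchange 2013, signed by a public CA -------------------
$csr = New-ExchangeCertificate -Server $ex2013 -GenerateRequest `
    -SubjectName "CN=mail.domain.com" -DomainName $names `
    -PrivateKeyExportable $true -FriendlyName "Exchange 2013 SAN"
Set-Content -Path "$certDir\exchange2013.req" -Value $csr
# ... submit exchange2013.req to the CA and save the signed reply as exchange2013.cer ...
$cerBytes = [Byte[]](Get-Content -Path "$certDir\exchange2013.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -Server $ex2013 -FileData $cerBytes
Enable-ExchangeCertificate -Server $ex2013 -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# --- Option B: reuse the Exchange 2010 certificate (export with private key) ---
$pfxPassword = Read-Host "PFX password" -AsSecureString
$old = Get-ExchangeCertificate -Server EX2010-CAS01 |
    Where-Object { $_.CertificateDomains -contains "mail.domain.com" -and $_.Services -ne "None" } |
    Select-Object -First 1
$pfx = Export-ExchangeCertificate -Thumbprint $old.Thumbprint -BinaryEncoded -Password $pfxPassword
Set-Content -Path "$certDir\exchange2010.pfx" -Value $pfx.FileData -Encoding Byte
$pfxBytes = [Byte[]](Get-Content -Path "$certDir\exchange2010.pfx" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -Server $ex2013 -FileData $pfxBytes `
    -Password $pfxPassword -PrivateKeyExportable $true
Enable-ExchangeCertificate -Server $ex2013 -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# --- Checks derived from the best-practice list --------------------------------
function Test-ExchangeCertificateHygiene {
    param([string]$Server, [int]$WarnDays = 30)
    $findings = @()
    foreach ($c in Get-ExchangeCertificate -Server $Server) {
        if ($c.Services -eq "None") { continue }      # not bound to any service
        $domains = $c.CertificateDomains | ForEach-Object { $_.ToString() }
        # A machine name (short name or internal FQDN) must not appear in a public cert
        if (($domains -contains $Server) -or ($domains | Where-Object { $_ -like "$Server.*" })) {
            $findings += "$($c.Thumbprint): contains the machine name $Server"
        }
        if ($c.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            $findings += "$($c.Thumbprint): expires on $($c.NotAfter)"
        }
        if ($c.IsSelfSigned -and ($c.Services -match "IIS")) {
            $findings += "$($c.Thumbprint): self-signed certificate still bound to IIS"
        }
    }
    return $findings                                   # empty array means clean
}
Test-ExchangeCertificateHygiene -Server $ex2013

# Service-level validation with the Test cmdlets the guide refers to
Test-ServiceHealth -Server $ex2013
Test-MAPIConnectivity -Server $ex2013
```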
Restart Transport Services and Information Store Service
- Patch Exchange Server using WSUS or ConfigMgr
- Reboot DAG member one by one
- Reboot CAS server one by one
Management Tools
- Use the Exchange 2013 Administration Center to manage co-existence and migration tasks
- Use Exchange 2010 management console to move offline address book
Cutover Process
- Public folder migration is part of final cutover
- Exchange and Active Directory health check
- Verify the implemented Exchange 2013 design against the proposed design
Post Migration
- Shut down the Exchange 2010 servers for a minimum of 48 hours during working days before decommissioning them
- Decommission Exchange 2010
TrendMicro Worry-Free Business Advanced Configuration Step by Step
Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).
Trend Micro offers the following editions:
Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.
Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.
Worry-Free Business Security Features
- Component Updates
- Device Control
- Antivirus/Anti-spyware
- Firewall
- Web Reputation
- URL Filtering
- Behavior Monitoring
- User Tools
- Instant Messaging Content Filtering
- Mail Scan (POP3)
- Mail Scan (IMAP)
- Anti-Spam (IMAP)
- Email Message Content Filtering
- Email Message Data Loss Prevention
- Attachment Blocking
TrendMicro Components:
Registration Key
A Registration Key comes with your purchase of Worry-Free Business Security. It has 22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx
Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.
Security Server
At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. It downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, helps control virus/malware outbreaks, and manages all agents from a single location.
Scan Server
The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service in the Microsoft Management Console. It downloads scanning-specific components from Trend Micro and uses them to scan clients.
Agents
Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.
Security Agent: Protects desktops and servers from security threats and intrusions. It protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats.
Messaging Security Agent: Protects Microsoft Exchange servers from email-borne security threats.
Web Console
The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
WFBS Ports
WFBS uses the following ports:
• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:
  - IIS server default website: the same port number as your HTTP server's TCP port.
  - IIS server virtual website: 8059
  - Apache server: 8059
• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.
• Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.
• SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.
• Proxy port: Used for connections through a proxy server.
Systems requirements:
- 1 vCPU, 2GB RAM, 10GB additional space
- IIS 7.5 Windows Server 2008 R2
- Internet Explorer
- Adobe Acrobat
- Java client
- Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
- Administrator or Domain Administrator access on the computer hosting the Security Server
- File and printer sharing for Microsoft Networks installed
- Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
- If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications
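An added example (not from the Trend Micro documentation) of opening the two console ports listed above only to the client subnet, and of checking them from a client before agent deployment. It assumes Windows Server 2012 or later for New-NetFirewallRule and Test-NetConnection; WFBS-SRV and 10.10.0.0/24 are placeholders.

```powershell
# Added example, not from the Trend Micro documentation. Assumed placeholders:
#   WFBS-SRV      - host name of the Security Server
#   10.10.0.0/24  - subnet of the protected clients
# Requires the NetSecurity module (Windows Server 2012 or later).
$clientSubnet = "10.10.0.0/24"

# The web console is an administrative interface: allow the HTTP (8059) and
# SSL (4343) ports only from the client subnet, not from any address.
New-NetFirewallRule -DisplayName "WFBS console (HTTP 8059)" -Direction Inbound `
    -Protocol TCP -LocalPort 8059 -RemoteAddress $clientSubnet -Action Allow
New-NetFirewallRule -DisplayName "WFBS console (SSL 4343)" -Direction Inbound `
    -Protocol TCP -LocalPort 4343 -RemoteAddress $clientSubnet -Action Allow

# Run from a client (or an external test host) to confirm which ports answer.
# From the client subnet both should be open; from outside it neither should.
function Test-WfbsPorts {
    param([string]$Server = "WFBS-SRV", [int[]]$Ports = @(8059, 4343))
    foreach ($p in $Ports) {
        $result = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server = $Server
            Port   = $p
            Open   = [bool]$result.TcpTestSucceeded
        }
    }
}
Test-WfbsPorts | Format-Table -AutoSize
```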
TrendMicro Download Location:
Installation:
1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.
2. Click Next. The License Agreement screen appears.
3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.
4. Click Next. The Setup Type screen appears.
5. From the Setup Type page, choose one of the following options:
- Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
- Minimal Install
- Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.
6. Click Next. The Product Activation page appears. Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.
7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need to configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).
8. Click Next. If you selected Custom Installation, the Select Target Folder page appears. The default WFBS install folder is C:\Program Files\Trend Micro\Security Server. If you want to install WFBS in another folder, click Browse.
9. Click Next. The Select Components page appears.
10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.
- Security Server (default): The Security Server hosts the centralized web-based management console.
- Security Agent (default): The agent protects desktops and servers.
- Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
- Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.
11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.
12. Click Next. The Computer Prescan page appears.
13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:
- Prescan my computer for threats – The prescan targets the most vulnerable areas of the computer, which include the following:
  - the boot area and boot directory (for boot sector viruses)
  - the Windows folder
  - the Program Files folder
- Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.
14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:
- Internet Information Services (IIS) server
- Apache Web server 2.0.xx
15. Click Next. The Web Server Identification page appears.
16. Choose from one of the following server identification options for client-server communication:
- Server information – Choose domain name or IP address:
- Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
- IP address – Verify that the target server’s IP address is correct.
17. Click Next. The Administrator Account Password page appears.
18. Specify different passwords for the Security Server web console and the Security Agent.
Note: The password field holds 1-24 characters and is case sensitive.
- Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
- Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.
19. Click Next. The SMTP Server and Notification Recipient(s) page appears.
20. Enter the required information:
- SMTP server – the IP address of your email server
- Port – the port that the SMTP server uses for communications
- Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.
21. Click Next. The Trend Micro Smart Protection Network page appears.
22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.
23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.
- Proxy server type
- Server name or IP address
- Port
- User name and Password – Provide these only if the proxy server requires authentication.
24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.
25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.
26. Set the following items:
- Installation Path – This is the destination folder where the Security Agent files are installed.
- Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.
27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.
28. You can configure Security Agent settings for Servers and Desktops. In each group, you can configure the following components:
- Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Smart Scan – Smart Scan uses a central scan server on the network to take some of the scanning burden off the clients.
- Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
- Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
- Web Reputation – This blocks malicious websites by assessing the credibility of web domains and assigning a reputation score based on several identifying factors.
- URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
- Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
- Device Control – This regulates access to external storage devices and network resources.
29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.
30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.
- When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
- When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.
31. Click Next. The Install Messaging Security Agent page appears.
32. Provide the following information:
i. Exchange Server
ii. Domain Administrator Account
iii. Password
33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:
- Target Folder – This is the folder where the MSA files are installed.
- Temp Folder – This is the system root folder for MSA Agent installation.
- Spam management
- End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
- Outlook Junk Email folder – If selected, WFBS stores spam mail in this folder. Since Outlook typically moves spam mail from the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends selecting this option.
35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:
- If you wish to verify previous installation settings, click Back.
- Click Next to proceed with the actual installation.
The Install Third Party Components page appears. This page informs you which third party components will be installed.
36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.
Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install
- Log on to the WFBS console.
- Click Security Settings > Add. The Add Computer page appears.
- Under Computer Type section, choose Desktop or server.
- Under Method section, choose Remote install.
- Click Next. The Remote Install page appears.
- From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
- Type the username and password of an account with administrator rights, and click Login. For domain computers, use the Domain_Name\Username format; for workgroup computers, use the Target_Computer_Name\Local_Administrator_User_Name format. The computer is added to the Selected Computers list.
- Repeat the previous two steps if you want to add more computers to the list.
- Click Install, and then click Yes when the confirmation window appears. A progress screen shows the installation status, and the computer names get a green check mark when the installation is complete.
Installing Agent for Exchange Server
The Messaging Security Agent (MSA) can also be installed from the Web Console.
1. Log on to the Web Console.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Microsoft Exchange server.
4. Under Microsoft Exchange Server Information, type the following information:
• Server name: The name of the Microsoft Exchange server on which you want to install MSA.
• Account: The built-in domain administrator user name.
• Password: The built-in domain administrator password.
5. Click Next. The Microsoft Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of Web server that you want to install on the Microsoft Exchange server. You can select either IIS Server or Apache Server.
7. For the Spam Management Type, End User Quarantine will be used.
8. Under Directories, change or accept the default target and shared directories for the MSA installation. The default target and shared directories are C:\Program Files\Trend Micro\Messaging Security Agent and C$, respectively.
9. Click Next. The Microsoft Exchange Server Settings screen appears again.
10. Verify that the Microsoft Exchange server settings that you specified in the previous screens are correct, and then click Next to start the MSA installation.
11. To view the status of the MSA installation, click the Live Status tab.
11. To view the status of the MSA installation, click the Live Status tab.
Configure Smart Host for Outbound Email
1. Open the Exchange Management Console.
2. Click on the plus sign (+) next to Organization Configuration.
3. Select Hub Transport and click the Send Connectors tab.
4. Right-click the existing Send Connector then select Properties and go to the Network tab.
5. Select Route mail through the following smart hosts and click Add.
6. Select Fully Qualified Domain Name (FQDN) and specify the HES relay servers:
- HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com
- HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu
7. Click OK.
8. Go to the Address Space tab and click Add.
9. Add an asterisk (*) and then click OK.
10. Click Apply > OK.
11. Go to the Source Server tab and add your Exchange Server.
12. Click Apply > OK.
Before you begin the next step, make sure you have a valid public DNS and MX record configured and reachable via ping or nslookup. To find your MX record, follow these steps or contact your ISP.
C:\Users\raihan>nslookup
> set type=mx
> domainname.com.au
Non-authoritative answer:
domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x
Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
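The smart-host steps above and the MX check, as an added PowerShell example that is not part of the original post. "Internet" (the existing Send Connector), EXCH01 and domainname.com.au are placeholders; the relay host names are the ones listed in the post, and Resolve-DnsName needs Windows 8/Server 2012 or later.

```powershell
# Added example, not from the original post. Placeholders: "Internet" (existing
# Send Connector), EXCH01 (your Exchange server), domainname.com.au (your domain).
# The relay host names below are the ones given in the post.
$relayUS   = "relay.sjc.mx.trendmicro.com"
$relayEMEA = "relay.mx.trendmicro.eu"

# Steps 4-12 of the console procedure in one command: route every address
# space (*) through the HES relay for your region, no smart-host authentication.
Set-SendConnector -Identity "Internet" `
    -SmartHosts $relayUS `
    -SmartHostAuthMechanism None `
    -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers "EXCH01"
# EMEA tenants use the EMEA relay instead:
# Set-SendConnector -Identity "Internet" -SmartHosts $relayEMEA

# Equivalent of the nslookup session above: one object per MX record, lowest
# preference first, with the A records of each mail exchanger resolved.
function Get-MxSummary {
    param([Parameter(Mandatory = $true)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq "MX" } |
        Sort-Object Preference |
        ForEach-Object {
            $a = Resolve-DnsName -Name $_.NameExchange -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq "A" }
            [pscustomobject]@{
                Domain     = $Domain
                Preference = $_.Preference
                Exchanger  = $_.NameExchange
                Addresses  = ($a.IPAddress -join ", ")
            }
        }
}

Get-MxSummary -Domain "domainname.com.au" | Format-Table -AutoSize
# The relay itself must resolve from the Exchange server before you cut over.
Resolve-DnsName -Name $relayUS -Type A | Format-Table Name, IPAddress -AutoSize
```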
Registered Hosted Email Security
Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .
Create service account (See upcoming post on creating a secure services account)
- Open ActiveDirectory Users and Computers
- Create a user sa-TrendMicroHE with password never expires
Open Hosted Email Security Web console
- Visit the link that applies to your location
- For EMEA users: https://emailsec.trendmicro.eu
- For others: https://us.emailsec.trendmicro.com
- Log in with the details you set up in the online registration earlier, and don't forget to tick Log on with Trend Micro Online Registration user name and password
Register Your Domains with Trend Micro
1. Go to the Trend Micro Online Registration portal.
2. Create a new OLR account.
a. Under the "Not registered" section, select your country and language from the dropdown list, then click Continue.
b. Enter your HES Registration Key.
c. If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.
d. Select I Accept, then click Submit.
e. Complete the registration information form.
f. Specify your OLR logon ID.
Note: The OLR logon ID will also serve as your HES portal login ID.
g. Click Submit.
The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.
3. Using the provided OLR username and password, log on to the HES console:
For US: https://us.emailsec.trendmicro.com/loginPage.imss
For EMEA: https://emailsec.trendmicro.eu/loginPage.imss
Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.
4. Enter your domain and IP information, then click Add Domain.
5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.
6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.
Navigate to Administration > Domain Management
- All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
- Click Activate Domain
- You would think that would be it, but it returns you to the domain list below; tick the checkbox of the domain there and then click Check MX Record
Download the ActiveDirectory Sync Client
- Navigate to Administration > Directory Management
- Click Imported User Directories so it becomes Enabled with a green tick
- Navigate to Administration > Web Services
- Click on the Applications bar so it gets a green tick as above
- Click on Generate Service Authentication Key, copy this key for use later in the setup
- Click and download the ActiveDirectory Sync Client
Install the ActiveDirectory Sync Client
http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx
http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx
1. Extract the ActiveDirectory Sync Client file and run setup.exe
2. The usual I agree, Next, Next pages
3. Then you'll need your DOMAIN; the user will be the sa-TrendMicroHE account we created earlier, along with its password.
4. Click Next
5. Leave installation path as is, and change to install for Everyone
6. Click Next
7. Click Next
8. Click Close when finish
9. The ActiveDirectory Sync Client will then open
10. For the source paths you'll need to enter the LDAP source paths for your server where users and groups are located. To get you started, some defaults are (don't forget to change it to <yourdomain>):
LDAP://OU=Users,OU=CompanyName,DC=<yourdomain>,DC=com
11. Click Add
LDAP://OU=Distribution Groups,OU=CompanyName,DC=<yourdomain>,DC=com
12. Click Add
13. Click Configure
- Username: as per web login
- Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
- Proxy: leave as automatic unless your network requires otherwise
- Synchronize: leave at 1
14. Click OK
15. Click Apply
16. This will restart the service
Amend IMHS_AD_ACL.config
1. Open C:\Program Files (x86)\Trend Micro\Hosted Email Security ActiveDirectory Sync Client\IMHS_AD_ACL.config in Notepad
2. The installed config file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<ad_acl>
  <ldap_path name="default">
    <objectClass name="User">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
</ad_acl>
3. Change the file to the following to add groups and public folders:
<?xml version="1.0" encoding="utf-8"?>
<ad_acl>
  <ldap_path name="default">
    <objectClass name="User">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="group">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="publicFolder">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="*">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
</ad_acl>
4. Save this (you'll need to save it to the desktop and then move it back over the original file, otherwise you get Access Denied) and return to the ActiveDirectory Sync Client
5. Click Sync Now
6. Give it a few moments then click History
7. Here you should see the number of groups and users you expect. Check that the times match when you pressed Sync Now, and that it finishes with Sync domain <yourdomain.com> successful
8. Click Close
9. Click Close
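The LDAP source-path check and the IMHS_AD_ACL.config amendment from the steps above, as an added PowerShell example that is not part of the original post. It assumes the install path given above, DC=yourdomain,DC=com as the forest root, and that it runs as a local administrator on the sync client machine.

```powershell
# Added example, not from the original post. Assumptions: the config path shown
# in the post, DC=yourdomain,DC=com as your forest root, run as local admin.
$configPath  = "C:\Program Files (x86)\Trend Micro\Hosted Email Security ActiveDirectory Sync Client\IMHS_AD_ACL.config"
$desktopCopy = Join-Path ([Environment]::GetFolderPath("Desktop")) "IMHS_AD_ACL.config"

# 1. Confirm each LDAP source path binds before pasting it into the client;
#    a mistyped OU silently syncs nothing.
function Test-LdapSourcePath {
    param([string]$LdapPath)
    try { return [ADSI]::Exists($LdapPath) } catch { return $false }
}
$sourcePaths = @(
    "LDAP://OU=Users,OU=CompanyName,DC=yourdomain,DC=com",
    "LDAP://OU=Distribution Groups,OU=CompanyName,DC=yourdomain,DC=com"
)
$sourcePaths | ForEach-Object {
    [pscustomobject]@{ Path = $_; Exists = (Test-LdapSourcePath -LdapPath $_) }
} | Format-Table -AutoSize

# 2. Add an <ldap_path><objectClass> block for a class that is not yet present,
#    with the same three attribute mappings the post uses. Returns the document.
function Add-AclObjectClass {
    param([xml]$Config, [string]$ClassName)
    $present = $Config.ad_acl.ldap_path.objectClass | Where-Object { $_.name -eq $ClassName }
    if ($present) { return $Config }                      # idempotent
    $lp = $Config.CreateElement("ldap_path");   $lp.SetAttribute("name", "default")
    $oc = $Config.CreateElement("objectClass"); $oc.SetAttribute("name", $ClassName)
    foreach ($pair in @(@("displayNameAttr", "displayName"),
                        @("emailAttr", "mail"),
                        @("emailAttr", "proxyAddresses"))) {
        $el = $Config.CreateElement($pair[0])
        $el.InnerText = $pair[1]
        [void]$oc.AppendChild($el)
    }
    [void]$lp.AppendChild($oc)
    [void]$Config.ad_acl.AppendChild($lp)
    return $Config
}

[xml]$cfg = Get-Content -Path $configPath -Raw
foreach ($class in "group", "publicFolder", "*") {
    $cfg = Add-AclObjectClass -Config $cfg -ClassName $class
}
# Write to the Desktop first (direct writes into the install folder are denied),
# then move the file back over the original as administrator.
$cfg.Save($desktopCopy)
Move-Item -Path $desktopCopy -Destination $configPath -Force
```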
Post Configuration Check
- open the Hosted Email Security Console
- Navigate to Administration > Directory Management
- Click the Export to CSV for the domain you’re wanting to check
- This will generate a CSV file, which you can use notepad to check that all your email addresses have synced
Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Step 1: Configure the SharePoint server
1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.
2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.
3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.
4. On the Alternate Access Mappings page, click Edit Public URLs.
5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.
6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.
7. When you have finished, click Save.
8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:
9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.
10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
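The same alternate access mapping changes (steps 5 to 10) done from the SharePoint 2010 Management Shell, as an added example that is not part of the original post. It uses the post's host names; the web application's existing Default zone URL (http://portal) is an assumption.

```powershell
# Added example (not from the original post): SharePoint 2010 alternate access
# mappings for a web application published through an HTTPS Forefront UAG trunk.
# Assumption: the web application's current Default zone URL is http://portal.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://portal"                   # existing Default zone URL (assumed)
$publicUrl   = "https://Portal.xman.com"         # public host name entered in the UAG trunk
$internalUrl = "http://PortalExternal.xman.com"  # farm host name (replaced host header) from UAG
$zone        = "Internet"                        # a zone not yet defined, as in step 5

$webApp = Get-SPWebApplication -Identity $webAppUrl

# Steps 5-7: public URL for the zone. The scheme must match the trunk type,
# so an HTTPS trunk gets an https:// public URL even though the farm itself listens on HTTP.
New-SPAlternateURL -Url $publicUrl -WebApplication $webApp -Zone $zone

# Steps 8-10: internal URL in the same zone. This is the host header UAG sends to the
# farm, and SharePoint uses it to map the request back to the public URL in links it emits.
New-SPAlternateURL -Url $internalUrl -WebApplication $webApp -Zone $zone -Internal

# Check: both entries should be listed for the Internet zone with the same PublicUrl.
# A missing internal entry is the usual cause of links that point at the farm host name.
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```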
Step2: Create a New trunk
Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next
Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next
On the Authentication Page, Click Add, Select DC, Click Next
Select the SharePoint.xman.com.au certificate from the drop-down, Click Next. Don’t worry about the certificate in the screenshot; this is a test environment.
Select Use Forefront UAG Access Policies, Click Next
Select Default and Click Next
Click Finish.
Step3: add SharePoint web applications to the trunk.
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.
On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.
In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.
In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.
In the Public host name box, enter a public host name of your choice for the SharePoint web application.
Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.
On the Authentication page, do the following:
To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.
To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.
On the Portal Link page of the wizard, if required, configure the portal link for the application.
If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.
When you have completed the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications list.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.
Step4: Configure Mobile devices Access for SharePoint
When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:
1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.
2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.
3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.
4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.
5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.
Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.
Web Sites | Inbound Requested Port | Request Redirected To |
RDS.xman.com.au | 80 | 443 |
ftp.xman.com.au | 80 | 443 |
webmail.xman.com.au | 80 | 443 |
sharepoint.xman.com.au | 80 | 443 |
Step1: Before you create a redirect trunk, note the following:
1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.
2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard.
3. If at a later stage you change the IP address or port number of the HTTPS Connections trunk, do one of the following:
- Update the IP address or port number manually in the relevant redirect trunk.
- Delete the existing redirect trunk and create a new one.
4. Redirect trunks are not monitored by the Forefront UAG Web Monitor.
5. Sessions in redirect trunks are not calculated in the session count of Forefront UAG. When an HTTP session is redirected to HTTPS via a redirect trunk, it is only counted as one HTTPS session.
Step2: create a redirect trunk
1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.
2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.
3. All HTTPS trunks for which no redirect trunk exists are listed.
4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.
5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.
6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.
Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Step1: configure Exchange to use basic authentication
1. Start the Exchange Management Console.
2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).
4. In the Actions pane, under owa (Default Web Site), click Properties.
5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.
Step2: publish Outlook Web Access on a Forefront UAG portal
Right Click on HTTPS Connections, Click New Trunk, Click Next
Select Portal Trunk and Publish Exchange Applications via portal, Click Next
Type the name of the trunk, type the public host name, i.e. the FQDN of webmail. Click Next
Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.
Type the service account that UAG will use to talk to the DC, Click Ok
Select the DC, Click Select. Leave the rest of the settings as is. Click Next
Select the certificate which is issued by a public certificate authority, exported from the mail server and imported to the UAG server. Click Next. Don’t worry about the certificate in the screenshot; this is a test environment.
Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in the above screenshot; this is a test environment. In a production environment, the common name of the certificate will be webmail.xman.com.au
Select Default and Click next
Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next
Type the name of the application, Click next
Select default and click next
On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.
Click Configure an application server, Click Next
On the Web Servers page of the wizard:
In the Addresses list, enter the IP address or host name of the Client Access server.
In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.
On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.
On the Outlook Anywhere Page, Select basic Authentication, Click next
On the Portal Link page of the wizard, configure the portal link for the application.
If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.
On the Authorization page of the wizard, select which users are authorized to access this application.
On the Completing the Add Application Wizard page of the wizard, click Finish.
Once configured, you will see the following screen.
If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.
To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
Publishing Remote Desktop Services Using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).
Step1: Exporting RemoteApp settings from RDS
Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.
1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.
2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.
3. In the Actions pane, click Export RemoteApp Settings.
4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.
5. Specify a location to save the .tspub file, and then click Save.
Step2: Publishing RemoteApps and importing RemoteApp settings
This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.
1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.
2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.
3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.
4. On the Select Endpoint Policies page of the wizard, do the following:
5. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.
6. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.
7. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:
8. Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.
9. Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.
10. Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.
11. On the Import RemoteApp Programs page of the wizard, do the following:
12. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.
13. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.
14. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.
15. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.
16. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.
17. Complete the Add Application Wizard.
Install and Configure Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Forefront UAG Overview:
Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx
- Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
- Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
- Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
- Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
- Easily integrates with Active Directory and enables a variety of strong authentication methods.
- Limits exposure and prevents data leakage to unmanaged endpoints.
Assumptions:
The following servers are installed and configured in a test environment.
System Requirements:
Option | Description |
Virtual Machine Name | DC1TVUAG01 |
Memory | 8GB |
vCPU | 1 |
Hard Disk 1 | 50GB |
Hard Disk 2 | 50GB |
Network Adapter | 2 |
Guest Operating System | Windows Server 2008 R2 |
Service Pack Level | SP1 |
Software Requirement:
Version | Microsoft Forefront Unified Access Gateway 2010 |
Service Pack Level | SP3 |
Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
- Windows Update
- Microsoft Windows Installer 4.5
- SQL Server Express 2005
- Forefront TMG is installed as a firewall during Forefront UAG setup
- The Windows Server 2008 R2 DirectAccess component is automatically installed.
The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.
- Network Policy Server
- Routing and Remote Access Services
- Active Directory Lightweight Directory Services Tools
- Message Queuing Services
- Web Server (IIS) Tools
- Network Load Balancing Tools
- Windows PowerShell
Browser | Features |
Firefox | Endpoint Session Cleanup, Endpoint Detection, SSL Application Tunneling, Endpoint Quarantine Enforcement |
Internet Explorer | Endpoint Session Cleanup, Endpoint Detection, SSL Application Tunneling, Socket Forwarding, SSL Network Tunneling (Network Connector), Endpoint Quarantine Enforcement |
Device Name | Features |
Windows Phone | Premium mobile portal |
iOS: 4.x and 5.x on iPhone and iPad | Premium mobile portal |
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |
Service Account for Active Directory Authentication:
Service Account | Privileges | Password |
xmanSA-FUAG | Domain Users | Password set to never expire |
The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.
- Add the server to an array of Forefront UAG servers at a later date.
- Configure the server as a Forefront UAG DirectAccess server at a later date.
- Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
- Publish the File Access application via a Forefront UAG trunk.
- Provide remote clients with access to the internal corporate network using SSTP.
Antivirus Exclusion:
Version | Paths | Processes |
Forefront UAG 2010 | UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway | Forefront UAG DNS-ALG Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe; Forefront UAG Monitoring Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe; Forefront UAG Session Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe; Forefront UAG File Sharing: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe; Forefront UAG Quarantine Enforcement Server; Forefront UAG Terminal Services RDP Data; Forefront UAG User Manager; Forefront UAG Watch Dog Service; Forefront UAG Log Server; Forefront UAG SSL Network Tunneling Server |
The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.
There are advantages to placing the Forefront UAG server between a frontend and a backend firewall, as follows:
- Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
- Integrity of the content in the corporate network is retained.
- Backend applications and infrastructure servers, such as authentication servers, can be securely published and accessed as required.
- Corporate network infrastructure is hidden from perimeter and external threats.
Perimeter Port Requirement:
To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:
- HTTP traffic (port 80)
- HTTPS traffic (port 443)
- FTP Traffic (Port 21)
- RDP Traffic (Port 3389)
Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes.
Infrastructure server | Protocol | Port | Direction |
Domain controller | Microsoft-DS traffic | TCP 445, UDP 445 | From UAG to DC |
Domain controller | Kerberos authentication | TCP 88, UDP 88 | From UAG to DC |
Domain controller | LDAP | TCP 389, UDP 389 | From UAG to DC |
Domain controller | LDAPS | TCP 636, UDP 636 | From UAG to DC |
Domain controller | LDAP to GC | TCP 3268, UDP 3268 | From UAG to DC |
Domain controller | LDAPS to GC | TCP 3269, UDP 3269 | From UAG to DC |
Domain controller | DNS | TCP 53, UDP 53 | From UAG to DC |
Exchange, SharePoint, RDS | HTTPS | TCP 443 | From external to internal server |
FTP | FTP | TCP 21 | From external to internal server |
Scenario#2
In this scenario no NAT or internal firewall rules are needed, but this is not a best practice and not a great firewall design.
UAG Network Configuration
The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within the Windows operating system:
- First in order: UAG internal adapter connected to the trusted network.
- Second in order: UAG external adapter connected to the untrusted network.
The following is the network configuration for the UAG server.
Option | IP Address | Subnet | Default Gateway | DNS |
Internal Network | 10.10.10.2 | 255.255.255.0 | Not required | 10.10.10.1 |
External Network | 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5 | 255.255.255.0 | 192.168.1.254 | Not required |
Important! The External Network can be assigned a public IP if the UAG server isn’t placed behind a frontend router/firewall. In an edge configuration, the UAG external network is configured with a public IP and the internal network is assigned an IP address from the internal IP range.
Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
- UAG adapter connected to the trusted network: Internal Network
- UAG adapter connected to the untrusted network: External Network
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
- Default Gateway should not be defined
- DNS Servers should be defined
- Client for Microsoft Networks binding – Enabled
- File and Print Sharing for Microsoft Networks binding – Enabled
- Register this connection’s address in DNS – Enabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Default
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
- Default Gateway should be defined
- DNS Servers should not be defined
- Client for Microsoft Networks binding – Disabled
- File and Print Sharing for Microsoft Networks binding – Disabled
- Register this connection’s address in DNS – Disabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Disabled
Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding is left at its default setting of Enabled on the TMG Internal Network adapter. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
To amend network binding follow the steps below:
1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
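Configuration Steps 1, 2 and the static-route note above as a script, an added example that is not part of the original post. It targets Windows Server 2008 R2 (netsh and WMI, since the NetAdapter cmdlets do not exist there) and uses the post's address table; the original adapter names and the internal router address 10.10.10.254 for the 10.10.12.0/24 client subnet are assumptions.

```powershell
# Added example (not from the original post): apply the UAG adapter settings on
# Windows Server 2008 R2. Assumptions: adapters are currently named "Local Area Connection"
# (internal) and "Local Area Connection 2" (external); 10.10.10.254 is a placeholder for the
# internal router that reaches the 10.10.12.0/24 client subnet.
$ErrorActionPreference = "Stop"

# Configuration Step 1: names that match the UAG Network Interfaces wizard roles.
netsh interface set interface name="Local Area Connection"   newname="Internal Network"
netsh interface set interface name="Local Area Connection 2" newname="External Network"

# Configuration Step 2, Internal Network: static address, DNS defined, no default gateway,
# and the address is registered in DNS (register=primary).
netsh interface ipv4 set address name="Internal Network" source=static address=10.10.10.2 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="Internal Network" source=static address=10.10.10.1 register=primary validate=no

# Configuration Step 2, External Network: the only default gateway on the box, no DNS servers,
# no DNS registration, plus one additional address per published trunk.
netsh interface ipv4 set address name="External Network" source=static address=192.168.1.1 mask=255.255.255.0 gateway=192.168.1.254 gwmetric=1
foreach ($ip in "192.168.1.2", "192.168.1.3", "192.168.1.4", "192.168.1.5") {
    netsh interface ipv4 add address name="External Network" address=$ip mask=255.255.255.0
}
netsh interface ipv4 set dnsservers name="External Network" source=static address=none register=none validate=no

# NetBIOS over TCP/IP off on the untrusted side (SetTcpipNetbios: 0 default, 1 enabled, 2 disabled)
# and no dynamic DNS registration for that adapter.
$extAdapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='External Network'"
$extConfig  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($extAdapter.DeviceID)"
$extConfig.SetTcpipNetbios(2) | Out-Null
$extConfig.SetDynamicDNSRegistration($false, $false) | Out-Null

# LMHOSTS lookup is a machine-wide setting (Disabled on both adapters in the checklist).
Invoke-WmiMethod -Class Win32_NetworkAdapterConfiguration -Name EnableWINS -ArgumentList $false, $false | Out-Null

# The "Client for Microsoft Networks" / "File and Print Sharing" bindings (Step 2) and the
# bind order (Step 3) have no netsh equivalent on 2008 R2; set them in the adapter Properties
# and Advanced Settings dialogs as described above.

# Step 4 note: with the gateway on the external adapter, every internal subnet behind a router
# needs a persistent static route, otherwise its traffic would leave through the untrusted side.
route -p add 10.10.12.0 mask 255.255.255.0 10.10.10.254

# Check: Internal Network must show no gateway and DNS 10.10.10.1; External Network must show
# gateway 192.168.1.254 and no DNS servers.
netsh interface ipv4 show config
```

Add the 10.10.12.0/24 range to the internal network definition in the UAG Network Interfaces wizard afterwards, as the note above requires.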
DNS Forwarding:
The following Fully Qualified Domain Names (FQDNs) will be forwarded from the ISP to your router:
Purpose | Public Host Name | Public IP Address |
Exchange | webmail.xman.com.au | 203.17.x.x |
SharePoint | sharepoint.xman.com.au | 203.17.x.x |
RDS | remote.xman.com.au | 203.17.x.x |
FTP | ftp.xman.com.au | 203.17.x.x |
Scenario#1 Firewall Rules consideration
External NAT Rules
The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.
Rule(s) | Description | Source IP | Public IP Address (Destination IP Address) | Port | NAT Destination |
1 | Exchange | Any | 203.17.x.x | 443 | 192.168.1.2 |
2 | SharePoint | Any | 203.17.x.x | 443 | 192.168.1.3 |
4 | RDS | Any | 203.17.x.x | 443 | 192.168.1.4 |
5 | FTP | Any | 203.17.x.x | 21 | 192.168.1.5 |
The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:
Rule(s) | Description | Source IP | Port (TCP & UDP) | Destination |
1 | Exchange | 10.10.10.2 | TCP 443 | 10.10.10.3 |
2 | SharePoint | 10.10.10.2 | TCP 443 | 10.10.10.4 |
4 | RDS | 10.10.10.2 | TCP 443 | 10.10.10.5 |
5 | FTP | 10.10.10.2 | TCP 21 | 10.10.10.6 |
6 | Client | 10.10.12.0/24 | TCP 443, TCP 21 | 10.10.10.2 |
7 | Domain Controller | 10.10.10.2 | 445, 88, 53, 389, 636, 3268, 3296 | 10.10.10.1 |
Understanding Certificate Requirements:
Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition, a SAN certificate can specify the required host names. Certificates must be in .pfx format with the private key included in the certificate.
Launch Certificate Manager
Using Certificate Manager, you can import a certificate into the IIS certificate store, as follows:
1. Open the Certificate Manager Microsoft Management Console (MMC).
2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.
3. Follow the instructions in the Certificate Import Wizard.
Common Name | Subject Alternative Name | Certificate Issuer |
RDS.xman.com.au | – | Verisign/Digicert |
webmail.xman.com.au | autodiscover.xman.com.au | Verisign/Digicert |
ftp.xman.com.au | – | Verisign/Digicert |
sharepoint.xman.com.au | – | Verisign/Digicert |
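A pre-import check of the .pfx files against the certificate table above, as an added example that is not part of the original post: it verifies that each file carries its private key, has not expired, and that its Common Name or Subject Alternative Names (including a *.xman.com.au wildcard) cover the trunk's public host name. The file paths and the password are placeholders.

```powershell
# Added example (not from the original post): validate trunk certificates before import.
# Placeholders: C:\certs\*.pfx paths and $pfxPassword.
function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match "CN=([^,]+)") { $names += $Matches[1].Trim() }
    # SAN extension (OID 2.5.29.17); Format() renders it as "DNS Name=a.b.c, DNS Name=d.e.f".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)")) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn -eq $Name) { return $true }   # exact match (case-insensitive in PowerShell)
        # A wildcard covers exactly one label, as UAG expects for domain/sub-domain wildcards.
        if ($cn.StartsWith("*.") -and $Name -match ("^[^.]+" + [regex]::Escape($cn.Substring(1)) + "$")) {
            return $true
        }
    }
    return $false
}

function Test-TrunkCertificate {
    param([string]$PfxPath, [string]$Password, [string[]]$RequiredNames)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $names   = Get-CertificateHostNames -Cert $cert
    $missing = @($RequiredNames | Where-Object { -not (Test-NameCovered -Name $_ -CertNames $names) })
    New-Object PSObject -Property @{
        File          = Split-Path $PfxPath -Leaf
        HasPrivateKey = $cert.HasPrivateKey   # a .cer export has no key and cannot serve the trunk
        NotAfter      = $cert.NotAfter
        Names         = ($names -join ", ")
        Missing       = ($missing -join ", ")
        Ok            = ($cert.HasPrivateKey -and $missing.Count -eq 0 -and $cert.NotAfter -gt (Get-Date))
    }
}

$pfxPassword = "<pfx-password>"   # placeholder
$expected = @(
    @{ Path = "C:\certs\webmail.pfx";    Names = "webmail.xman.com.au", "autodiscover.xman.com.au" },
    @{ Path = "C:\certs\sharepoint.pfx"; Names = ,"sharepoint.xman.com.au" },
    @{ Path = "C:\certs\rds.pfx";        Names = ,"RDS.xman.com.au" },
    @{ Path = "C:\certs\ftp.pfx";        Names = ,"ftp.xman.com.au" }
)
$report = foreach ($e in $expected) {
    Test-TrunkCertificate -PfxPath $e.Path -Password $pfxPassword -RequiredNames $e.Names
}
$report | Format-Table File, HasPrivateKey, NotAfter, Names, Missing, Ok -AutoSize
```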
Understanding Properties of Trunk
- Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
- Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
- IP address: Specify the external IP address used to reach the published Web application or portal.
- Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
- HTTP/HTTPS port: Specify the port for the external Web site.
UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following tables list the trunks and their advanced configuration.
Trunk Name | Public Host Name | HTTPS Port | External IP Address | Authentication Server(s) |
Exchange | webmail.xman.com.au | 443 | 192.168.1.2 | DC1TVDC01 |
SharePoint | sharepoint.xman.com.au | 433 | 192.168.1.3 | DC1TVDC01 |
RDS | remote.xman.com.au | 443 | 192.168.1.4 | DC1TVDC01 |
FTP | ftp.xman.com.au | 21 | 192.168.1.5 | DC1TVDC01 |
Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:
URL List | Methods | Allow Rich Content |
InternalSite_Rule54 | HEAD | Checked |
SharePoint14AAM_Rule47 | HEAD | Checked |
Published Applications and Services:
Install Forefront UAG:
Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.
Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.
On the Welcome page of Setup, do the following:
Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.
Restart the Server.
Initial Configuration Using Getting Started Wizard
Before you run the initial configuration, you must patch UAG in the order described in Part 9 (FF UAG 2010 Patching Order). To patch UAG, open a command prompt using Run as Administrator, change to the folder where you saved the service packs and patches, and run them one by one. If you do not run each setup as an administrator, the setup will roll back and fail because it cannot modify the registry.
In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
On the Define Network Adapter Settings page, in the Adapter name list do the following:
To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the external network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.
To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.
After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:
If you are running Forefront UAG on a single server, click Single server.
If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.
After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Update. Note that an Internet connection is required both to opt in for updates and to receive them. Forefront UAG updates will only be available after the RTM release.
If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, click No, I do not want to participate if you do not want to participate in the program.
Configure Remote Desktop (RDP) to Forefront UAG
After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:
Ensure that remote desktop is enabled on the Forefront UAG server.
Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.
To do this, open the Forefront TMG Management console from the Start menu.
1. In the console tree, click the Firewall Policy node. Right-click, click New, click Access Policy, and type the name RDP Access Policy.
2. On the Rule Action page, click Allow, then click Next.
3. On the Selected Protocols page, click Add, select RDP Server from All Protocols, then click Next.
4. On the Source page, click New, click Computer, add the name and IP address of the management computer, then click Next.
5. On the Destination page, click New, click Computer, add the name and IP address of the UAG server, click Next, click Finish, and apply the changes.
Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Step1: configure Exchange to use basic authentication
1. Start the Exchange Management Console.
2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).
4. In the Actions pane, under owa (Default Web Site), click Properties.
5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.
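The same Step 1 change, together with the matching settings for the other endpoints the trunk will publish (ECP, Outlook Anywhere, ActiveSync), can be scripted from the Exchange 2010 Management Shell. This is an added example, not code from the original post; the CAS server name EXCHCAS01 is a constructed placeholder.

```powershell
# Added example (not from the original post). Restricts the Exchange 2010 web
# endpoints that UAG will proxy to Basic authentication only.
# EXCHCAS01 is a constructed placeholder for the Client Access server.
$Cas = "EXCHCAS01"

# OWA: Basic only. Basic sends the password in clear text inside the HTTP
# header, which is acceptable here only because UAG terminates TLS on the
# public side and pre-authenticates the user against the domain controller.
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -FormsAuthentication $false -WindowsAuthentication $false `
    -DigestAuthentication $false -BasicAuthentication $true

# Exchange requires OWA and ECP to use the same authentication method,
# otherwise the OWA Options pages fall back to a logon form UAG never sees.
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -FormsAuthentication $false -WindowsAuthentication $false `
    -BasicAuthentication $true

# Outlook Anywhere (RPC over HTTP): Basic on the client side, matching the
# choice made on the Outlook Anywhere page of the UAG wizard.
Set-OutlookAnywhere -Identity "$Cas\Rpc (Default Web Site)" `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# ActiveSync: mobile devices only ever use Basic over SSL.
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -BasicAuthEnabled $true -WindowsAuthEnabled $false

# IIS authentication changes take effect once the application pools recycle.
iisreset /noforce

# Verify: each published directory should report Basic = True and nothing else.
Get-OwaVirtualDirectory -Server $Cas |
    Format-List Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server $Cas |
    Format-List Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-OutlookAnywhere -Server $Cas | Format-List Identity, ClientAuthenticationMethod
```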
Step2: publish Outlook Web Access on a Forefront UAG portal
Right Click on HTTPS Connections, Click New Trunk, Click Next
Select Portal Trunk and Publish Exchange Applications via portal, Click Next
Type the name of the trunk and the public host name, i.e. the FQDN of the webmail site. Click Next.
Click Add on the Authentication page, type the name of the domain controller, and click OK.
Type the service account that UAG will use to talk to the DC, then click OK.
Select the DC and click Select. Leave the rest of the settings as they are. Click Next.
Select the certificate issued by a public certificate authority, exported from the mail server and imported into the UAG server. Click Next.
Select Use Forefront UAG Access Policies, then click Next. Don't worry about the certificate shown in the screen shot above; this is a test environment. In a production environment, the common name of the certificate will be webmail.xman.com.au.
Select Default and Click next
Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next
Type the name of the application, Click next
Select default and click next
On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.
Click Configure an application server, Click Next
On the Web Servers page of the wizard:
In the Addresses list, enter the IP address or host name of the Client Access server.
In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.
On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.
On the Outlook Anywhere Page, Select basic Authentication, Click next
On the Portal Link page of the wizard, configure the portal link for the application.
If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.
On the Authorization page of the wizard, select which users are authorized to access this application.
On the Completing the Add Application Wizard page of the wizard, click Finish.
Once configured, you will see the following screen.
If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.
To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
Transition from Exchange 2010 to Exchange 2013 Step by Step
BUY IT NOW:
Amazon USA
Amazon UK
BARNES & NOBLE
Book World
Assumptions:
You have the following infrastructure operational and functioning as desired.
- Domain Controller
- Certificate Authority
- Exchange Server 2010 SP2 DAG
- FF TMG 2010 SP2
Current Exchange Version:
Prerequisites:
- Windows Server 2012 installed on the computers which will house Exchange Server 2013.
- Windows Media Foundation. Use the Add Roles and Features Wizard to install Media Foundation on Windows Server 2012.
- Download Exchange 2010 SP3
- Cumulative Update 1 for Exchange Server 2013
Step1: Perform a Server Switchover for an Exchange 2010 SP2 DAG Member
Before you upgrade Exchange Server 2010 SP2 to Exchange 2010 SP3, you must perform a server switchover if you have an Exchange DAG. You need to be assigned permissions before you can perform this procedure. Use the Exchange Management Shell and run the following command.
Move-ActiveMailboxDatabase -Server EXCHMBXSRV01 -ActivateOnServer EXCHMBXSRV02
Step2: Install Service Pack 3 on Exchange Server 2010 SP2
Download and extract Exchange Server 2010 SP3 on the DAG member where you want to run the Exchange 2010 SP3 installer. Now follow the screen shots and upgrade Exchange Server 2010 SP2 to Exchange Server 2010 SP3.
You will be prompted with a warning: "A transient communication failure causes a Windows Server 2008 R2 failover cluster to stop working." Ignore the warning and continue. Once SP3 is installed, check the version, which is as follows.
Repeat step 2 on all Exchange servers in your Exchange organization.
Step3: Prepare Windows Server 2012
Download Windows Server 2012 and install the following prerequisites on Windows Server 2012.
Windows Media Foundation. Use the Add Roles and Features Wizard to install Media Foundation on Windows Server 2012.
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
Microsoft Office 2010 Filter Pack 64-bit
Microsoft Office 2010 Filter Pack SP1 64-bit
Exchange 2013 setup automatically installs the Windows features required by Exchange. Alternatively, you can use the following PowerShell command to install all the features at the same time. A reboot is required after installing the features.
Step4: Prepare Active Directory and Active Directory Schema
Run the following commands to prepare the AD schema and Active Directory.
setup /PrepareSchema /IAcceptExchangeServerLicenseTerms
setup /PrepareAD /OrganizationName:<organization name> /IAcceptExchangeServerLicenseTerms
Since we already have an Exchange organization, we don't need to specify the organization name again; the following command is enough to prepare Active Directory.
setup /PrepareAD /IAcceptExchangeServerLicenseTerms
Step5: Install CU1 for Exchange Server 2013
Log on to the computer on which you want to install Exchange 2013. After you have downloaded Exchange 2013 CU1, copy the Exchange-x64.exe file to the Windows Server 2012 computer where you want to install Exchange Server 2013. Extract the installer by double-clicking Exchange-x64.exe.
- On the Check for Updates page, select Don't check for updates right now; you can download and install updates manually later. We recommend that you download and install updates now. Click Next to continue. At this stage setup will copy the content and initialize the installer.
- The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
- On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
- On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, click Next.
- On the Server Role Selection page, select both Mailbox role and Client Access role. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install the required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. Click Next to continue.
- On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
- On the Malware Protection Settings page, choose to keep it enabled. Click Next to continue.
- On the Readiness Checks page, view the status to determine whether the organization and server role prerequisite checks completed successfully. Reboot the server from Server Manager > All Servers > right-click the server > click Shutdown Local Server, select Reboot, click OK.
- Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
- On the Completion page, click Finish.
- Restart the computer after the Exchange 2013 installation has completed.
In a co-existence scenario, if you browse to https://<FQDN of Client Access Server>/ecp you will see only Mailboxes.
If you browse to https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 in Internet Explorer you will see the full Exchange Administration Center.
Step6: Install Certificates on Exchange Server 2013 CAS Server(s)
Step7: Configure Outlook Web Access in Exchange 2013
Step8: Configure Send/Receive Connector
Open the Exchange Administration Center using the https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 URL. Create a new Send connector using this procedure.
- In the EAC, navigate to Mail flow > Send connectors, and then click Add.
- In the New send connector wizard, specify a name for the send connector and then select Internet for the Type. Click Next.
- Verify that MX record associated with recipient domain is selected, which specifies that the connector uses the Domain Name System (DNS) to route mail. Click Next.
- Under Address space, click Add. In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter *, which indicates that this send connector applies to messages addressed to any domain. Click Save.
- Make sure Scoped send connector is not selected and then click Next.
- For Source server, click Add. In the Select a server window, select a Mailbox server that will be used to send mail to the Internet via the Client Access server and click Add. After you've selected the server, click Add. Click OK.
- Click Finish.
Alternatively, create the connector from the Exchange Management Shell:
New-SendConnector -Internet -Name MysendConnector -AddressSpaces Superplaneteers.com
Similarly you can use New-ReceiveConnector Cmdlet to create receive connector.
Step9: Test Internal/External Mail Flow using new Send Connector
Open Internet Explorer and browse to https://<FQDN of CAS Server>/owa. Log on to OWA using domain name\username and password, and check that email is flowing.
Step10: Migrate Mailboxes, DL, Public Folder from Exchange 2010 to Exchange 2013
Before you start migrating Exchange mailboxes, use the Exchange Management Console to enable circular logging; otherwise a large volume of transaction logs will be generated while migrating mailboxes. You can enable circular logging on all mailbox databases using the following PowerShell command:
Get-MailboxDatabase | Set-MailboxDatabase -CircularLoggingEnabled $true
Set-StorageGroup -Identity "First Storage Group" -CircularLoggingEnabled $true
Open the Exchange Administration Center using the https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 URL. In the EAC, navigate to Recipients > Migration, and then click Add.
In the New local mailbox move wizard, select the user you want to move, click OK and then click Next.
On the Move configuration page, specify a name for the new batch. Select which options you want for the archive mailbox and the mailbox database location, and click New. Follow the screens to complete the migration.
To migrate all mailboxes from an existing Exchange 2010 DAG to the new Exchange 2013 DAG, open the Exchange Management Shell on Exchange Server 2013 and run the following cmdlets.
Get-Mailbox -Database Manager-DB01 | New-MoveRequest -TargetDatabase Manager-DB02 -BatchName "DB01toDB02"
To find out more about the New-MoveRequest cmdlet, type Get-Help New-MoveRequest -Examples or visit Move and Migration Cmdlets.
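As an added example (not the post's own code), the move request above can be wrapped in a script that tracks the batch to completion, reports failed mailboxes, and reverts circular logging afterwards, since circular logging removes point-in-time recovery for the target database. The database and batch names are the placeholders used above.

```powershell
# Added example, not part of the original post. Batch-moves every mailbox in
# one database to another, waits for the batch to finish, reports failures,
# and restores the logging mode. Names below are constructed placeholders.
$SourceDb = "Manager-DB01"
$TargetDb = "Manager-DB02"
$Batch    = "DB01toDB02"

# Remember the target's logging mode. Circular logging keeps log volume down
# during the move, but it also discards the logs needed for point-in-time
# recovery of that database, so it must be switched back afterwards.
$wasCircular = (Get-MailboxDatabase -Identity $TargetDb).CircularLoggingEnabled
if (-not $wasCircular) {
    Set-MailboxDatabase -Identity $TargetDb -CircularLoggingEnabled $true
    # A database without DAG copies needs a dismount/mount for this to apply.
}

# Queue one move request per mailbox under a single batch name.
Get-Mailbox -Database $SourceDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDb -BatchName $Batch -BadItemLimit 10

# Poll until every request in the batch has reached a terminal state.
$terminal = @('Completed', 'CompletedWithWarning', 'Failed')
do {
    Start-Sleep -Seconds 60
    $stats = @(Get-MoveRequest -BatchName $Batch | Get-MoveRequestStatistics)
    $done  = @($stats | Where-Object { $terminal -contains $_.Status.ToString() })
    Write-Host ("{0} of {1} mailboxes finished" -f $done.Count, $stats.Count)
} while ($done.Count -lt $stats.Count)

# Anything that failed needs attention before the source database is retired.
$stats | Where-Object { $_.Status.ToString() -eq 'Failed' } |
    Format-Table DisplayName, PercentComplete, Message -AutoSize

# Clear completed requests: Exchange refuses a new move for a mailbox while a
# completed request for it still exists.
Get-MoveRequest -BatchName $Batch -MoveStatus Completed |
    Remove-MoveRequest -Confirm:$false

# Put logging back the way it was; take a full backup afterwards so a fresh
# log chain exists for the migrated data.
if (-not $wasCircular) {
    Set-MailboxDatabase -Identity $TargetDb -CircularLoggingEnabled $false
}
```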
Step11: Publish Exchange OWA to External Clients
Step12: Migrate Public Folder.
Step13: Migrate Exchange UM
Step14: Retire Exchange Server 2010
Detailed migration steps are available in this book.
First Cumulative Update for Exchange 2013
Exchange 2007/2010 SP3 Released
Error message when you try to install Exchange Server 2010 SP2: “AuthorizationManager check failed”
Error Message:
Cause:
1. Exchange servers are placed in an OU which has a GPO applied to it.
2. The PowerShell execution policy is set to Unrestricted or RemoteSigned.
Solution:
Step1: Create a separate Organizational Unit in Active Directory and place the Exchange servers in that Organizational Unit. Do not apply any GPO to the newly created Organizational Unit.
Step2: Log on to the Exchange server. Start Menu > Run > gpedit.msc
Right-click Local Computer Policy > Properties > disable Computer Configuration settings and User Configuration settings.
Step3: Open PowerShell and issue the following command:
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Undefined -Confirm -Force
Step4: Reboot the server. Once rebooted, log back on to the Exchange server and check the execution policy by issuing the command:
Get-ExecutionPolicy -List
Step5: Start Menu > Run > services.msc. Stop any backup software and anti-spam software services on the server.
Step6: Upgrade the HT/CAS server: Download Exchange 2010 SP2 and install it by issuing the following command in PowerShell:
Setup.com /M:Upgrade /InstallWindowsComponents
Apply Service Pack 2 to the HT and MBX servers first. If you have multiple servers in the HT/CAS array, then you can apply the service pack to one array member at a time; your Exchange infrastructure will still be functional and servicing mail.
Step7: Download Update Rollup 1 for Exchange 2010 SP2 and apply Rollup 1.
Step8: Upgrade the Mailbox server: Log on to the MBX server. Open Exchange Management Console > click Server Configuration > select Mailbox > select the server > click Switchover Server > browse and select a server > click OK. Wait a few minutes for the operation to finish. Check the mailbox node again; it should show Is Active: False.
Now follow the previous steps to upgrade to SP2 and Rollup 1.
Caution: Take a snapshot if Exchange is a virtual server. If the Exchange 2010 SP2 installation fails for any reason, revert the snapshot to the original. Exchange will still be functional even though the Active Directory schema has been upgraded by the Exchange SP2 installer.
If the server is physical, then the following URLs might be handy for you.
Understanding Backup, Restore and Disaster Recovery
Recover an Exchange Server
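An added example, not from the original article, that checks which execution policy scope is actually in force before resetting LocalMachine as in Step 3. A policy pushed by GPO lives in the MachinePolicy or UserPolicy scope, which Set-ExecutionPolicy cannot change; that is why Step 1 moves the servers out of the GPO-linked OU first.

```powershell
# Added example, not part of the original article. Reports the execution
# policy per scope, identifies the one in force, and resets LocalMachine only
# when Group Policy is not overriding it. GPO-set policy comes from the
# registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell and can
# only be removed by fixing the GPO/OU, not by Set-ExecutionPolicy.

function Get-ExecutionPolicyReport {
    # Scopes in precedence order: the first scope that is not Undefined wins.
    $scopes = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $table = @{}
    foreach ($s in $scopes) {
        $table[$s] = (Get-ExecutionPolicy -Scope $s).ToString()
    }
    $winner = $scopes | Where-Object { $table[$_] -ne 'Undefined' } | Select-Object -First 1
    if (-not $winner) { $winner = 'none (defaults to Restricted)' }

    # New-Object instead of [pscustomobject] so this also runs on the
    # PowerShell 2.0 found on Windows Server 2008 R2 Exchange 2010 hosts.
    New-Object PSObject -Property @{
        EffectiveScope   = $winner
        EffectivePolicy  = (Get-ExecutionPolicy).ToString()
        SetByGroupPolicy = ($winner -eq 'MachinePolicy' -or $winner -eq 'UserPolicy')
        Scopes           = $table
    }
}

function Reset-LocalMachineExecutionPolicy {
    $report = Get-ExecutionPolicyReport
    if ($report.SetByGroupPolicy) {
        $msg = "Execution policy is enforced by Group Policy in the {0} scope; " +
               "move the server out of the GPO-linked OU (Step 1) and run gpupdate first."
        Write-Warning ($msg -f $report.EffectiveScope)
        return $report
    }
    # Undefined removes the stale LocalMachine value so the effective policy
    # falls through to the next defined scope (or the Restricted default).
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Undefined -Force
    Get-ExecutionPolicyReport
}

# Usage: the per-scope table carries the same information as
# Get-ExecutionPolicy -List; then attempt the reset from Step 3.
(Get-ExecutionPolicyReport).Scopes
Reset-LocalMachineExecutionPolicy
```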
Exchange 2010 SP2 is available for download
Microsoft Exchange Server 2010 SP2 is available to download from the Microsoft Download Center. The download link and the benefits of SP2 are here. Read the system requirements and release notes before you proceed with the installation. You may need to back up or snapshot (if virtualized) the Exchange servers before the final installation.
Blogging year 2010 - what the stats say
Sharing the stats of my blog https://araihan.wordpress.com with my visitors. I started this free WordPress blog before founding http://microsoftguru.com.au. Team WordPress.com + Stats Helper Monkeys, January 2nd, 2011, 03:35pm. Here's a high-level summary of my overall blog health: Wow Blog-Health-o-Meter™ "We think … Continue reading
Configure FAX server using Windows Server 2008 and Standard Fax Modem
In this article, I am going to deploy a test fax server using the Windows Server 2008 Fax Server role, a standard fax modem (Motorola or US Robotics) and an Exchange Server email distribution group. A fax server is comprised of four different … Continue reading
How to configure Exchange 2010 Unified Messaging Server - step by step
A UM infrastructure is an integration of Microsoft Exchange Server, an IP gateway, a conventional PBX and/or an IP-PBX to deliver voicemail, greetings and customer messages to a single Outlook client. Microsoft Exchange Server Unified Messaging (UM) combines voice messaging and e-mail messaging into a single messaging infrastructure. Unified Messaging puts all e-mail and voice messages into one Exchange 2010 mailbox that can be accessed from many different devices. After Unified Messaging servers have been deployed on a network, users can access their messages using Outlook Voice Access, from any telephone, from a mobile phone, or from the computer.
Systems Requirements
Microsoft Certified PBX and IP Gateway
Microsoft Telephony Advisor for Exchange Server
Unified Communication Architecture
To install Unified Messaging Server Role on Exchange 2010
- Log on to the server on which you want to install Exchange 2010
- Insert the Exchange 2010 DVD into the DVD drive (or browse to your install location). If Setup.exe doesn’t start automatically, navigate to the DVD drive and double-click Setup.exe
- On the Start page, click Choose Exchange language option. Select Install only languages from the DVD
- In the Exchange Server 2010 Setup wizard, on the Introduction page, click Next.
- On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
- On the Error Reporting page, select Yes, and then click Next.
- On the Installation Type page, click Custom Exchange Server Installation.
- On the Server Role Selection page, select the UM server role
- On the Customer Experience Improvement Program page, choose the appropriate selection for your organization, and then click Next.
- On the Completion page, click Finish
After you successfully install the Unified Messaging server role, you must create the following objects:
- Dial Plan objects
- IP Gateway objects
- Hunt Group objects
- Mailbox Policy objects
- Auto Attendant objects
- UM Server objects
Once the UM server is configured, you must configure the other UM devices, such as an AudioCodes IP gateway, Siemens, Cisco or your preferred PBX or IP-PBX devices, to work with Microsoft Exchange Server 2010 UM. Microsoft-supported configuration "how to" guides are at the end of this article in PDF format.
How UM use Active Directory and HT server to Transmit Email
The Unified Messaging server role uses Active Directory site membership information to determine which Hub Transport servers are located in the same Active Directory site as the Unified Messaging server. The Unified Messaging server submits messages for routing to a Hub Transport server within the same Active Directory site. The Hub Transport server performs recipient resolution and queries Active Directory to match a telephone number, or another Unified Messaging property, to a recipient account. After the recipient resolution completes, the Hub transport server will deliver the message to the target mailbox in the same way as a regular e-mail message.
To Create UM Dial Plan
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the action pane, click New UM Dial Plan.
- In the New UM Dial Plan wizard
- On the Set UM Servers page, click Add, and then, on the Select UM Server page, select the UM server that you want to add to the UM dial plan.
- On the Completion page, confirm whether the dial plan was successfully created.
- Click Finish to complete the New UM Dial Plan wizard
To enable Unified Messaging on an Exchange 2010 server
- In the console tree, navigate to Server Configuration > Unified Messaging.
- Select the Unified Messaging server, then click Enter Product Key to enter the UM license.
- Once licensed, in the result pane, select the Unified Messaging server to enable.
- In the action pane, click Enable UM Server.
To Create an UM IP Gateway
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the work pane, click the UM IP Gateways tab.
- In the action pane, click New UM IP Gateway.
- In the New UM IP Gateway wizard
- On the Completion page, confirm whether the UM IP gateway was successfully created.
- Click Finish to complete the New UM IP Gateway wizard
To Create an UM Hunt Group
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the work pane, click the UM IP Gateways tab.
- In the result pane, select a UM IP gateway.
- In the action pane, click New UM Hunt Group.
- In the New UM Hunt Group wizard, view or complete the following fields: Associated UM IP gateway; Name; Dial plan (click the Browse button to select the dial plan that will be associated with the UM hunt group); Pilot identifier (an extension number or a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI) can be used in this field).
- On the Completion page, confirm whether the UM hunt group was successfully created
- Click Finish to complete the New UM Hunt Group wizard.
To add a UM server to a dial plan
- In the console tree, click Server Configuration.
- In the result pane, select the Unified Messaging server.
- In the action pane, click Properties.
- On the UM Settings > Associated Dial Plans, click Add.
- In the Select Dial Plan window, select the dial plan you want to add from the list of available dial plans, and then click OK.
- Click OK again to accept your changes.
To configure the start-up mode
- In the console root, navigate to Server Configuration > Unified Messaging.
- In the result pane, click to select the Unified Messaging server you want to set up.
- In the action pane, click Properties.
- On the UM Settings tab, in the Startup Mode drop-down list, select one of the following settings:
  - TCP: Use this setting if the UM server is being added only to UM dial plans that are set to Unsecured and won't be added to dial plans that are set to SIP Secured or Secured. In TCP mode, the UM server will only listen on TCP port 5060 for SIP requests. By default, the UM server starts up in TCP-only mode.
  - TLS: Use this setting if the UM server is being added to UM dial plans that are set to SIP Secured or Secured and won't be added to dial plans that are set to Unsecured. In TLS mode, the UM server will only listen on TCP port 5061 for SIP requests.
  - Dual: Use this setting if the UM server is being added to UM dial plans that have different security settings. In Dual mode, the UM server listens on ports 5060 and 5061 simultaneously.
- Click OK.
To configure number of concurrent voice calls
- In the console tree, navigate to Server Configuration > Unified Messaging.
- In the result pane, click to select the Unified Messaging server you want to set up.
- In the action pane, click Properties.
- On the UM Settings tab, in the Maximum concurrent calls text box, type the maximum number of concurrent voice calls.
- Click OK.
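Added example, not from the original article: the startup mode and the concurrent-call limit from the two procedures above can be set with Set-UMServer, and the SIP listeners checked afterwards, so that a server meant for SIP Secured dial plans is never left answering clear-text SIP on 5060. The server name UM01 is a constructed placeholder; run it in the Exchange 2010 Management Shell on that server.

```powershell
# Added example, not part of the original article. Switches a UM server to the
# requested SIP startup mode (TCP, TLS or Dual) only after confirming that a
# certificate is enabled for the UM service, sets the concurrent-call ceiling,
# and then reports which SIP ports are actually listening.
# UM01 is a constructed placeholder for the UM server name.
$UmServer = "UM01"

function Set-UmSipMode {
    param(
        [string]$Server,
        [ValidateSet('TCP', 'TLS', 'Dual')][string]$Mode,
        [int]$MaxCalls = 100
    )
    if ($Mode -ne 'TCP') {
        # SIP Secured/Secured dial plans need a certificate assigned to the UM
        # service; without one the service starts but cannot negotiate TLS on 5061.
        $umCert = Get-ExchangeCertificate -Server $Server |
            Where-Object { $_.Services -match 'UM' }
        if (-not $umCert) {
            throw "No certificate is enabled for the UM service on $Server; run Enable-ExchangeCertificate -Services UM first."
        }
    }
    Set-UMServer -Identity $Server -UMStartupMode $Mode -MaxCallsAllowed $MaxCalls
    # The startup mode is read when the service starts, so restart it to apply.
    Restart-Service MSExchangeUM
}

function Get-UmSipListeners {
    # Parses netstat output because Get-NetTCPConnection does not exist on
    # Windows Server 2008 R2. Returns the local address:port of each SIP listener.
    netstat -ano | Select-String -Pattern ':(5060|5061)\s' |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object { ($_ -split '\s+' | Where-Object { $_ -match ':(5060|5061)$' })[0] }
}

# Usage: TLS-only mode with at most 50 simultaneous calls.
Set-UmSipMode -Server $UmServer -Mode TLS -MaxCalls 50
# Expect only port 5061 listed for TLS, only 5060 for TCP, and both for Dual.
Get-UmSipListeners
```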
To view number of active calls
- Click Start, click Programs, click Administrative Tools, and then click Performance.
- In the Performance console, right-click the details pane, and then select Add Counters from the menu. You can also press CTRL+I to open the Add Counters window.
- In the Add Counters window, in the Performance object list, select MSExchangeUMGeneral.
- In Select Counters from list, select Current Calls, click Add, and then click Close.
- In the Performance console, in the details pane, select the Current Calls counter to display the number of current calls.
To add a UM Mailbox
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the work pane, click the UM Mailbox tab.
- In the action pane, click New UM Mailbox.
- In the New UM Mailbox wizard
- On the Completion page, confirm whether the UM Mailbox was successfully created.
- Click Finish to complete the New UM Mailbox wizard
To add UM Auto Attendant
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the work pane, click the UM Auto Attendant tab.
- In the action pane, click New UM Auto Attendant .
- In the New UM Auto Attendant wizard
- On the Completion page, confirm whether the UM Auto Attendant was successfully created.
- Click Finish to complete the New UM Auto Attendant wizard
To verify UM mailbox property
- In the console tree, navigate to Organization Configuration > Unified Messaging.
- In the work pane, click the UM Mailbox tab.
- Right-click the newly created UM mailbox.
- Click Properties.
Configuration guides (PDF):
- AudioCodes Configuration Guide
- Siemens HiPath 4000 Configuration Guide
- Design Guide for Cisco Unified Messaging 1.0
- Cisco CallManager Express Configuration Guide
- CallManager for Cisco Unity Express Configuration Example
- Cisco Unity Express Command Reference Complete Book
- Command Reference for Cisco Unified Messaging Gateway (Cisco UMG) Release 8.0
- Cisco Unified Communication Software
- Cisco IP Phone
- Cisco Unified Communications Manager Administration Guide, Release 7.1(2)
- Microsoft Exchange 2010 Unified Messaging PBX Configuration Note for Cisco Unified Communications Manager 7.0
Installation of Exchange 2007 service pack 3
First read what's new in Exchange 2007 SP3. Here is a quick guide to the Exchange 2007 SP3 installation. Download Exchange 2007 Service Pack 3. As a precaution, back up Exchange 2007. If you are running Exchange on vSphere, take a snapshot so that you can go back to the pre-SP3 state. Exchange 2007 SP3 is unsupported in an upgrade scenario on Windows Server 2008 R2.
To take a snapshot: right-click the virtual machine > click Snapshot > click Take a Snapshot > type a name and uncheck the snapshot memory option > click OK.
Stop any backup agent services, such as Backup Exec or CommVault, running on the Exchange server.
Extract E2K7SP3EN64.exe, run setup.exe and follow the installation prompts.
Once finished, reboot the server. Verify that all Exchange-related services have started. Check that internal and external email is flowing into and out of the organisation. Check CPU and memory usage on the Exchange server; there is a known issue with SP3 causing CPU spikes. Install Update Rollup 1 for Exchange 2007 SP3 after installing SP3. You are good to go now.
SP3 Known Issue: CPU spikes
Rename Domain with Exchange 2007/2010 is not feasible: an alternative solution
Recently my company registered a new domain name and wanted me to investigate the best possible way to rename the domain internally, change the publicly accessible CNAME of the websites (hosted on IIS) to the new domain name, and change the email addresses for the entire organization. Fun, huh! A Google search suggests that a domain rename is possible in a Windows 2003 AD with Exchange 2003 SP1. However, according to Microsoft TechNet, I cannot rename a Windows 2008 native domain with Exchange 2007. What happens to those who are in the following situation:
- Rename of business registration
- Merger and/or acquisition between companies
- Change of ownership
If your management decides to have new user accounts @newdomain, email addresses @newdomain and websites with the new domain name, you will have no choice but to find a solution regardless of who says what. In this article (Plan A), I will investigate and share with you what happens if you rename the domain in a test environment similar to my organisation, i.e. Microsoft Active Directory 2008 and Exchange 2007/2010. For those in my situation, I will then explain (Plan B) how I can accomplish the same objectives with an alternative deployment, that is, without touching the AD domain and Exchange 2007/2010. I know Plan A is going to fail, but it is worthwhile to produce the documentation for management and then go for Plan B so that business runs smoothly. When the time is right and funds are available, rebuild the Microsoft messaging systems for the entire organization.
Do NOT perform these steps in a production environment. Domain rename is NOT supported when Exchange 2007/2010 is installed on a member server.
Rename Domain on a Testbed
Objectives:
- Rename Domain
- Migrate IIS to new domain
- Fix GPO and Exchange (only applicable for Exchange 2003)
Assumptions:
Steps involved:
- Set up your control station for the domain rename operation.
- Freeze the Forest Configuration
- Back up all the domain controllers in your forest.
- Generate the current forest description.
- Specify the new forest description.
- Generate domain rename instructions
- Push domain rename instructions to all domain controllers, and verify DNS readiness.
- Verify the readiness of the domain controllers.
- Execute the domain rename instructions
- Update the Exchange configuration, and restart the Exchange servers (Only applicable for Exchange 2003 SP1)
- Unfreeze the forest configuration
- Re-establish external trusts
- Fix Group Policy objects (GPOs) and links.
Precaution: Use the following link for Active Directory Backup and Restore in Windows Server 2008, or keep your resume handy.
To raise the forest functional level to Windows Server 2008
- Open Active Directory Domains and Trusts.
- In the scope pane, right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.
- In the Select an available forest functional level box, click Windows Server 2008, and then click Raise.
- Click OK to raise the forest functionality, and then click OK again.
To analyze and prepare DNS zones for domain rename
- Compile a list of DNS zones that need to be created.
- Use the DNS MMC snap-in to create the required DNS zones compiled in step 1.
- Configure DNS zones according to “Add a forward lookup zone” in Windows Server 2008.
- Configure dynamic DNS update according to “Allow dynamic updates” in Windows Server 2008.
To generate the current forest description file
In Windows Server 2008, the rendom and gpfixup utilities are available in the %Windir%\system32 folder. If you change directory to C:\Windows\system32 and run rendom /list, domainlist.xml will be placed in the same directory.
- On the control station, open a command prompt and change to the X:\DomainRename directory.
- At the command prompt, type the following command and press ENTER: rendom /list
- Save a copy of the current forest description file (domainlist.xml) generated in step 2 as domainlist-save.xml for future reference by using the following copy command: copy domainlist.xml domainlist-save.xml
To edit the domainlist.xml file
- Using a simple text editor such as Notepad.exe, open the current forest description file domainlist.xml generated in “STEP 3: Generate the Current Forest Description” earlier in this document.
- Edit the forest description file, replacing the current DNS and/or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS and/or NetBIOS names.
To review the new forest description in domainlist.xml
At the command prompt, type the following and then press ENTER: rendom /showforest
To generate the domain rename instructions and upload them to the domain naming master
- On the control station, open a command prompt.
- From within the X:\DomainRename directory, execute the following command: rendom /upload
- Verify that the domain rename tool created the state file dclist.xml in the directory X:\DomainRename and that the state file contains an entry for every domain controller in your forest.
To discover the DNS host name of the domain naming master
- On the control station, open a command prompt.
- At the command prompt, type the following and then press ENTER: dsquery server -hasfsmo name
To force synchronization of changes made to the domain naming master
The following procedure forces the Active Directory changes initiated at the Domain Naming master DC in STEP 4 to replicate to all DCs in the forest.
- On the control station, open a command prompt.
- At the command prompt, type the following and then press ENTER: repadmin /syncall /d /e /P /q DomainNamingMaster
where DomainNamingMaster is the DNS host name of the domain controller that is the current domain naming master for the forest.
To verify the readiness of domain controllers in the forest
1. On the control station, open a command prompt and change to the X:\DomainRename directory.
2. At the command prompt, type the following command and then press ENTER: rendom /prepare
3. Once the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have achieved the
To execute the domain rename instructions on all domain controllers
- On the control station, open a command prompt.
- At the command prompt, type the following and then press ENTER: rendom /execute
- When the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have reached either the Done state or the Error state.
- If the domainlist.xml file shows any DCs as remaining in the Prepared state, repeat step 2 in this procedure as many times as needed until the stopping criterion is met.
To force rendom /execute to re-issue the RPC to a DC in the Error state
- In the domainlist.xml file, locate the <Retry></Retry> field in the domain controller entry for the DC that you believe should be retried.
- Edit the domainlist.xml file such that the field reads <Retry>yes</Retry> for that entry.
- The next execution of the rendom /execute command will re-issue the execute-specific RPC to that DC.
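The check in the two procedures above (which DCs are still in Prepared, which ended in Error, and flipping the Retry field for the failed ones) can be scripted on the control station. This is an added example, not part of the original article; it assumes the state file is X:\DomainRename\dclist.xml and that each DC entry carries Name, State, LastError and Retry child elements under a DcList root.

```powershell
# Added example, not from the original article: summarise the per-DC state that
# rendom records in dclist.xml and, with -MarkErrorsForRetry, set <Retry>yes</Retry>
# on every DC that ended in the Error state (the manual Notepad edit described above).
# Assumed layout: <DcList><DC><Name/><State/><LastError/><Retry/></DC>...</DcList>
param(
    [string]$StateFile = 'X:\DomainRename\dclist.xml',
    [switch]$MarkErrorsForRetry
)

[xml]$xml = Get-Content -LiteralPath $StateFile
$dcs = @($xml.SelectNodes('/DcList/DC'))

# One line per state, so a DC stuck in Prepared or failed with Error stands out
$dcs | Group-Object { $_.SelectSingleNode('State').InnerText } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.SelectSingleNode('Name').InnerText }) -join ', '
    '{0,-9} {1,3}  {2}' -f $_.Name, $_.Count, $names
}

# Stopping criterion from the article: every DC is either Done or Error
$stuck = @($dcs | Where-Object {
    ('Done', 'Error') -notcontains $_.SelectSingleNode('State').InnerText })
if ($stuck.Count -gt 0) {
    Write-Warning ('{0} DC(s) have not reached Done or Error; run rendom /execute again.' -f $stuck.Count)
}

if ($MarkErrorsForRetry) {
    foreach ($dc in $dcs) {
        if ($dc.SelectSingleNode('State').InnerText -ne 'Error') { continue }
        # Same effect as editing the entry by hand so that it reads <Retry>yes</Retry>
        $dc.SelectSingleNode('Retry').InnerText = 'yes'
        'Marked {0} for retry (LastError {1})' -f $dc.SelectSingleNode('Name').InnerText,
                                                 $dc.SelectSingleNode('LastError').InnerText
    }
    # Save through the resolved path so a relative -StateFile lands in the right folder
    $xml.Save((Get-Item -LiteralPath $StateFile).FullName)
}
```

Run it without the switch after each rendom /execute to see whether the stopping criterion is met, and with -MarkErrorsForRetry before the next rendom /execute when a DC should be retried.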
To fix up DFS topology in every renamed domain
On the control station, open a command prompt. For each Dfs root, if any of the topology components as described above needs to be fixed, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:
dfsutil /RenameFtRoot /Root:DfsRootPath /OldDomain:OldName /NewDomain:NewName /Verbose
-Where-
DfsRootPath is the DFS root to operate on, e.g., \\microsoftguru.com.au\public.
OldName is the exact old name to be replaced in the topology for the Dfs root.
NewName is the exact new name to replace the old name in the topology.
To fix up Group Policy in every renamed domain
- On the control station, open a command prompt and change to the X:\DomainRename directory.
- At the command prompt, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:
gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName
/newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log
-Where-
OldDomainDnsName is the old DNS name of the renamed domain.
NewDomainDnsName is the new DNS name of the renamed domain.
OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.
NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.
DcDnsName is the DNS host name of a domain controller in the renamed domain, preferably the PDC emulator, that successfully completed the rename operation with a final Done state in the dclist.xml state file in “STEP 8: Execute Domain Rename Instructions” earlier in this document.
For example,
gpfixup /olddns:wolverine.com.au /newdns:microsoftguru.com.au /oldnb:wolverine /newnb:microsoftguru /dc:dc.wolverine.com.au 2>&1 >gpfixup1.log
To force replication of the Group Policy fix-up changes made at the DC named in DcDNSName in above step of this procedure to the rest of the DCs in the renamed domain, type the following and then press ENTER: repadmin /syncall /d /e /P /q DcDnsName NewDomainDN
-Where-
DcDnsName is the DNS host name of the DC that was targeted by the gpfixup command.
NewDomainDN is the distinguished name (DN) corresponding to the new DNS name of the renamed domain.
Repeat steps in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain.
For example: repadmin /syncall /d /e /P /q dc.microsoftguru.com.au dc=microsoftguru,dc=com,dc=au
To update the DNS name of the CA machine
- On the CA machine, open the registry editor and locate the entry CAServerName under HKLM\System\CurrentControlSet\CertSvc\Configuration\YourCAName.
- Change the value in CAServerName to correspond to the new DNS host name.
To update the Web enrollment file
To enable proper Web enrollment for the user, you must also update the file that is used by the ASP pages used for Web enrollment. The following change must be made on all CA machines in your domain.
1. On the CA machine, search for the certdat.inc file (if you have used default installation settings, it should be located in the %windir%\system32\certsrv directory).
2. Open the file, which appears as follows:
<%' CODEPAGE=65001 'UTF-8%>
<%' certdat.inc - (CERT)srv web - global (DAT)a
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<% ' default values for the certificate request
sDefaultCompany=""
sDefaultOrgUnit=""
sDefaultLocality=""
sDefaultState=""
sDefaultCountry=""
' global state
sServerType="Enterprise" 'vs StandAlone
sServerConfig="OLDDNSNAME\YourCAName"
sServerDisplayName="YourCAName"
nPendingTimeoutDays=10
' control versions
sXEnrollVersion="5,131,2510,0"
sScrdEnrlVersion="5,131,2474,0"
%>
3. Change the sServerConfig entry to use the new DNS name of the CA machine.
To perform attribute clean up after domain rename
- On the control station, open a command prompt.
- At the command prompt, from within the X:\DomainRename directory, execute the following command: rendom /clean
Command-line usage to run XDR-fixup.exe
XDR-fixup.exe /s:start_domainlist.xml /e:end_domainlist.xml [/user:username /pwd:password | *] [/trace:tracefile] /changes:changescript.ldf /restore:restorescript.ldf [/?]
Note This command is one line. It has been wrapped for readability.
Command-line usage to verify XDR-fixup.exe
Use the following command line to verify the changes that are made by XDR-fixup.exe:
XDR-fixup /verify:restorescript.ldf /changes:verifycorrections.ldf
To unfreeze the forest configuration
From within the X:\DomainRename directory, execute the following command: rendom /end
To force-remove a domain member that fails to join the new domain, use the following command, then re-join the domain manually:
netdom remove <machine-name> /Domain:<old-domain> /Force
To use Control Panel to check for primary DNS suffix update configuration for a computer
The following procedures explain two ways to view the setting for a member computer that determines whether the primary DNS suffix changes when the name of the membership domain changes.
1. On a member computer, in Control Panel, double-click System.
2. Click the Computer Name tab and then click Change.
3. Click More and then verify whether Change primary domain suffix when domain membership changes is selected.
4. Click OK until all dialog boxes are closed.
To use the registry to check for primary DNS suffix update configuration for a computer
1. On the Start menu, click Run.
2. In the Open box, type regedit and then click OK.
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
4. Verify whether the value of the REG_DWORD SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.
To determine whether Group Policy specifies the primary DNS suffix for a computer
- On a member computer, perform one of the following steps:
  - At a command prompt, type gpresult. In the output, under Applied Group Policy objects, check to see whether Primary DNS Suffix is listed.
  - Open the Resultant Set of Policy Wizard, as follows: in Active Directory Users and Computers, right-click the computer object, click All Tasks, and then click Resultant Set of Policy (Logging).
  - Open a command prompt and then type: ipconfig /all. Check the Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in the System Control Panel for the computer (see “To use Control Panel to check for primary DNS suffix update configuration for a computer” earlier in this document), then the Primary DNS Suffix Group Policy is applied.
  - In the registry, check for the presence of the entry Primary DNS Suffix under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient. If a value is present, then the Primary DNS Suffix Group Policy is applied to the computer.
To install Support Tools
1. On the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD, double-click the Support folder.
2. In the Support folder, double-click the Tool folder and then run suptools.msi.
To use ADSI Edit to add DNS suffixes to msDS‑AllowedDNSSuffixes
The attribute msDS‑AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change.
1. On the Start menu, point to Programs, Windows Server 2003 Support Tools, Tools, and then click ADSI Edit.
2. Double-click the domain directory partition for the domain you want to modify.
3. Right-click the domain container object, and then click Properties.
4. On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS‑AllowedDNSSuffixes.
5. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix and then click Add.
6. When you have added all the DNS suffixes for the domain, click OK.
7. Click OK to close the Properties dialog box for that domain.
8. In the scope pane, right-click ADSI Edit and click Connect to.
9. Under Computer, click Select or type a domain or server.
10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK.
11. Repeat steps 2 through 7 for that domain.
12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.
To apply the Group Policy setting Primary DNS Suffix to groups of member computers
1. In Active Directory Users and Computers, right-click the domain or organizational unit that contains the group of computers to which you are applying Group Policy.
-Or-
In Active Directory Sites and Services, right-click the site object that contains the computers to which you are applying Group Policy.
2. Click the Group Policy tab.
3. In the Group Policy object Links box, click the Group Policy object that you want to contain the Primary DNS Suffix setting.
-Or-
To create a new Group Policy object, click New and then type a name for the object.
4. With the Group Policy object selected, click Edit.
5. Under Computer Configuration, click to expand Administrative Templates, Network, and then click DNS Client.
6. In the results pane, double-click Primary DNS Suffix.
7. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group you selected in Step 1.
8. Click OK.
9. Close the Group Policy dialog box, and then close the properties page for the selected object.
To configure the redirecting alias DNS entry
1. In the DNS MMC snap-in, expand the DNS server node to expose the old DNS zone.
2. Right-click the old DNS zone.
3. Click New Alias (CNAME ).
4. In the Alias name box, type the original fully qualified domain name (FQDN) of the HTTP server.
5. In the Fully qualified domain name for target host box, type the new FQDN of the HTTP Server, and then click OK.
At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.
Issues involving domain rename:
- XDR-Fixup tool does not work on Exchange 2010
- Exchange SMTP stops functioning
- Exchange organization initialization fails
Simple alternative solutions without renaming domain
Microsoft does not support domain rename if Exchange 2007 is installed on a member server. So what could be the workaround if you have to have new user accounts, corresponding email accounts and websites with the new domain name without renaming the domain?
- Prepare a control workstation and log on as a domain admin, schema admin and enterprise admin
- Create a new IP range in your infrastructure
- Prepare a Windows Server 2008 server and promote it as your new primary domain with the new domain name
- Create External trust between two domains
- Ask your ISP Add new Host (A) and MX record with new domain
- Point this new MX record to existing SMTP server
- Add new domain into trusted domain list
- Add new email policy for new domain
- Change default email address to new email addresses through email property of mailbox using Exchange management console
- Migrate IIS web sites to new web server
- Redirect CNAME record to new websites for customers and stakeholder
- Add 301 redirect using Google webmaster if necessary
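The mail-side part of this alternative plan (accept the new domain, add an email address policy for it, move the default address of each mailbox) can be done from the Exchange Management Shell instead of the console. This is an added example, not from the original article; it uses the old and new domain names from the gpfixup example earlier (wolverine.com.au and microsoftguru.com.au) and a policy name chosen here.

```powershell
# Added example, not part of the original article: Plan B mail configuration as
# Exchange Management Shell commands. Domain names are the ones used in the
# gpfixup example on this page; the policy name is hypothetical.
$OldDomain  = 'wolverine.com.au'
$NewDomain  = 'microsoftguru.com.au'
$PolicyName = 'New domain addresses'

# Accept mail for the new domain (the new MX record already points at this SMTP server)
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $NewDomain })) {
    New-AcceptedDomain -Name $NewDomain -DomainName $NewDomain -DomainType Authoritative | Out-Null
}

# Address policy: the new-domain address becomes primary (upper-case SMTP:), the old
# one stays as a secondary alias so mail sent to the old addresses still arrives.
if (-not (Get-EmailAddressPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-EmailAddressPolicy -Name $PolicyName -IncludedRecipients AllRecipients -Priority 1 `
        -EnabledEmailAddressTemplates ("SMTP:%m@$NewDomain", "smtp:%m@$OldDomain") | Out-Null
}
# Apply the policy to existing recipients; this rewrites the default address of every
# policy-managed mailbox (the per-mailbox console step in the list above).
Update-EmailAddressPolicy -Identity $PolicyName

# Verification: list any policy-managed mailbox whose primary address is still elsewhere
$notMoved = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.EmailAddressPolicyEnabled -and $_.PrimarySmtpAddress.Domain -ne $NewDomain })
if ($notMoved.Count -gt 0) {
    Write-Warning ('{0} mailbox(es) still have a primary address outside {1}:' -f $notMoved.Count, $NewDomain)
    $notMoved | Format-Table Alias, PrimarySmtpAddress -AutoSize
}
```

Mailboxes with EmailAddressPolicyEnabled set to false are not touched by the policy and still need their default address changed individually, which is why the verification step skips them.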
Relevant Articles:
Microsoft Exchange System Attendant service does not start
completely remove Exchange 2000 or Exchange 2003 from Active Directory
How to remove Exchange Server 2003 from your computer
How to remove the first Exchange Server 2003 computer from the administrative group
Removing and Modifying Exchange 2007
Step-by-Step Guide to Implementing Domain Rename
Windows Server 2003 Active Directory Domain Rename Tools
Exchange Server Domain Rename Fixup
Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)
Windows 2003 domain rename tools
How to configure reverse proxy using Forefront TMG 2010— step by step
In this article, I am going to explain in dept of reverse proxy and how you can utilize reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how to in this article. Let’s start … Continue reading
How to create E-Mail protection Policy in Forefront TMG 2010
1. On the TMG computer (or using the remote management console), open the Forefront TMG Management Console. 2. Click Forefront TMG (Array Name) in the left pane. 3. Click E-Mail Policy and in the task pane click Configure E-Mail Policy … Continue reading
How to publish Exchange ActiveSync in Forefront TMG 2010
Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management>Expand Forefront Server>Right Click on Firewall Policy>Click New>Click Exchange Web Client Publishing Rule>Type Rule Name>Click Next>Select Exchange 2010 from Exchange version>check Exchange ActiveSync. Click Next. Now … Continue reading
Forefront TMG 2010: Publishing Exchange server 2010
To ensure that every Exchange client access mail securely from anywhere (internally and externally) Exchange deployment published through Forefront TMG 2010. you need to plan and deploy the different roles of Exchange Server which includes Exchange HT, CAS, ET and … Continue reading
How to configure Exchange 2010 Hub Transport (HT) Server
The Hub Transport server role manages all mail flow inside the organization, applies transport rules, applies journaling policies and delivers messages to a recipient’s mailbox. The Hub Transport server is placed on the internal network within an Active Directory forest. Messages that are sent to the Internet are relayed by the Hub Transport server to the Edge Transport server role that’s deployed in the perimeter network. Messages that are received from the Internet are processed by the Edge Transport server before they’re relayed to the Hub Transport server. If you don’t have an Edge Transport server, you can configure the Hub Transport server to relay Internet messages directly or utilize a third-party smart host. You can also install and configure the Edge Transport server agents on the Hub Transport server to provide anti-spam and antivirus protection inside the organization. It is best practice to keep two separate servers for the HT and ET roles.
You must deploy a Hub Transport server role in each Active Directory site that contains a Mailbox server role. Deploying more than one Hub Transport server per site provides redundancy. When you install more than one Hub Transport server in an Active Directory site, the connections are distributed. HT server or HT servers read Active Directory for user authorization. That means you can deploy Single Sign on (SSO) in your organization.
To configure HT and ET, maintaining DNS records is a vital part. The Edge Transport server queries the configured external DNS servers to find the DNS records that are required to deliver the message. The DNS servers that are configured for external DNS lookups are queried in the order in which they’re listed. If one of the DNS servers is unavailable, the query goes to the next DNS server on the list. The DNS servers are queried for the following information:
Mail exchange (MX) records for the domain part of the external recipient. The MX record contains the fully qualified domain name (FQDN) of the messaging server that’s responsible for accepting messages for the domain, and a preference value for that messaging server. To optimize fault tolerance, most organizations use multiple messaging servers and multiple MX records that have different preference values.
Address (A) records for the destination messaging servers. Every messaging server that’s used in an MX record should have a corresponding A record. The A record is used to find the IP address of the destination messaging server. The subscribed Edge Transport server uses the IP address to open an SMTP connection with the destination messaging server. The required combination of iterative DNS queries and recursive DNS queries that start with a root DNS server is used to resolve the FQDN of the messaging server that’s found in the MX record into an IP address.
On the HT server(s), you must obtain certificates from a Windows Enterprise Root Certification Authority before you start installing the HT role.
Prepare Windows Server 2008 x64
Install windows Features:
Windows Server 2008 x64 SP 2 or Windows Server 2008 R2
HT server must be a member of an Active Directory domain
Microsoft .NET Framework 3.5
WCF Activation
Windows Remote Management 2.0
Windows PowerShell V2
Active Directory Lightweight Directory Services (AD LDS)
Net.Tcp Port Sharing Service started and set to automatic start-up
Microsoft Office Filter Pack installed.
Computer Certificate and web certificates installed
Install HT server
Configure HT Server
Add IP address of HT server as internal connector.
Specify local IP ranges.
Test Outlook Web App
Relevant Topics
How to configure Exchange 2010 Client Access Server (CAS) Role
Step by Step Guide on Exchange Server 2010 Edge Transport Role
Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
Log on to Forefront TMG 2010 server using admin credential. Open Forefront TMG Management from start menu. Expand Forefront TMG>Firewall Policy>Select Tasks>Click Publish Exchange web client access. Click New button to add Exchange Farm i.e. Exchange CAS servers you … Continue reading
How to configure Exchange 2010 Client Access Server (CAS) Role
The Client Access server (CAS) role is one of five server roles for Microsoft Exchange Server 2010. CAS is placed in a DMZ or perimeter network facing the Internet, which means the CAS is configured with a public IP accessible from the external network. There are six components of CAS: Outlook Web App, Exchange ActiveSync client applications, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), the Availability service and the Autodiscover service. The Client Access server role also provides access to free/busy data by using the Availability service and enables certain clients to download automatic configuration settings from the Autodiscover service.
The Client Access server role accepts connections to Exchange Server 2010 from software clients such as Microsoft Outlook Express, Microsoft Office Outlook and Eudora, which use POP3 or IMAP4 connections to communicate with the Exchange HT server. Hardware clients such as mobile phones use ActiveSync, POP3 or IMAP4 to communicate with the Exchange server. You must install the Client Access server (CAS) role in every Exchange organization and in every Active Directory site that has the Mailbox server (HT) role installed.
Prerequisites
The operating system requirement is similar to other Exchange Server roles. CAS does not store any mailboxes; it acts as an intermediary between clients and the HT server, so you don’t need large storage for the CAS server, but the following Windows Server 2008 features must be installed. Outlook Web Access is secured over HTTPS, so web and computer certificates must be installed on the CAS server. To configure Outlook Anywhere you need to buy an SSL certificate from a third-party vendor such as VeriSign or GoDaddy.
Installation
Configuration
Once you have finished the installation and configuration of the CAS role, you have to create an Outlook Web publishing rule in Forefront TMG 2010 or ISA Server; otherwise client access will be blocked by Forefront TMG.
Relevant Topics
Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
Step by Step Guide on Exchange Server 2010 Edge Transport Role
Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step
Microsoft Forefront Protection 2010 for Exchange Server provides ultimate protection for Microsoft Exchange server 2010 from viruses, worms, spyware and spam. Forefront Protection 2010 is an additional component included in Forefront TMG 2010 Enterprise version. However you can download and … Continue reading
Transitioning from Exchange 2007 to Exchange 2010—-Step by Step
Exchange Server 2007 and Exchange Server 2010 are similar in architecture so the transition process is more straightforward. The following procedure illustrates a typical transition from Exchange Server 2007 to Exchange 2010:
Prerequisite:
Run dcdiag and netdiag and check that the FSMO roles are functioning perfectly.
All domains in an existing Active Directory forest have to be running in native mode.
The Active Directory forest has to be running on a Windows Server 2008 forest functionality level.
Each site in Active Directory should have at least one PDC, schema master and the Global Catalog server on a Windows Server 2008 SP2 level. It is recommended to have 64-bit type Domain Controllers and Global Catalog Servers for optimal performance preferably Windows Server 2008 x64 SP2 or Windows Server 2008 R2
All Exchange Server 2007 servers must have Exchange Service Pack 2 installed.
The Internet facing Active Directory sites must be the first sites that will be migrated to Exchange Server 2010.
Windows Server 2008 SP2 64 bit or Windows Server 2008 R2.
Internet Information Server needs to be installed for CAS.
Web Certificates must be installed in server holding CAS
Windows Remote Management (WinRM) 2.0
PowerShell 2.0 (Windows Server 2008 feature if R2 version)
.NET Framework 3.5 (Windows Server 2008 feature)
Desktop Experience (Windows Server 2008 feature)
Net. TCP Services started and set automatic (services.msc)
Disable TCP/IP6 from Registry (if you use tcp/ip4)
It is better to prepare a document showing the task list and system build info, and tick the tasks off one by one as you finish them.
Precautions:
Backup Active Directory global Catalog servers, Exchange servers and Servers that interoperate with Exchange Server, such as gateway systems or replicated directory servers. It is also a best practice to turn off any replication to other environments during the transition process, such as Forefront Identity Manager (previously named ILM, MIIS, IIFP, and MMS).
Please bear in mind that an in-place upgrade to Exchange Server 2010 in any scenario is NOT supported!
Please be aware that Win2k8 AD and Exchange 2010 (HT, MT, CAS, ET roles, Unified Messaging) are based on 64-bit architecture.
Migration from Windows 2003 AD Forest to Windows 2008 AD Forest and Forest Preparation
Create user with domain admin, schema admin and enterprise admin role from existing AD
Bring the AD forest and domains to Windows Server 2003 Functional Level
Insert Win2k8 Server DVD into Win2k3 DC
Use an elevated command prompt as domain\username (where the user must be the account mentioned above): Start Menu > Run, type runas /user:domain\username cmd.exe
d:\sources\adprep\adprep.exe /forestprep (where d: is the DVD ROM)
d:\sources\adprep\adprep.exe /domainprep /gpprep
Run d:\Setup and select the upgrade option to use the existing DC
Transfer FSMO roles to a new Win2k8 DC with new hardware
Replicate the AD database and GPOs, or wait for tombstone replication
Run DCPROMO (uncheck the option stating that this is the last remaining DC)
Raise new Domain Functional level to Win2k8
Insert Exchange 2010 DVD into DC to upgrade AD
Open command prompt and change directory to DVD rom
Type .\Setup /PrepareAD /OrganizationName:organisation_name
Transition Sequencing:
Once you have finished the prerequisites, you have to take the installation order of the Exchange Server 2010 servers into account to minimize the impact:
Exchange Server 2010 Client Access Server. The Client Access Server can work with an Exchange Server 2007 Mailbox Server as well as an Exchange Server 2010 Mailbox Server.
Exchange Server 2010 Hub Transport Server (new internal and external connectors). Document all the policies you have in the existing HT and apply the same on the new HT server.
Exchange Server 2010 Mailbox Server. After you have installed the Mailbox Server role and established a proper Public Folder replication between Exchange Server 2007 and Exchange Server 2010, you can start moving mailboxes to the new Exchange 2010 Mailbox Server. Of course, the Public Folder replication needs only be configured when Public Folders are used in Exchange Server 2007.
The Edge Transport Server can be installed at any time, since an Exchange Server 2010 Edge Transport Server can be subscribed to an Exchange Server 2007 SP2 Hub Transport Server. Use the Export and Import option for all policies applied on the previous ET server.
Transitioning from Exchange Server 2007 to Exchange Server 2010
1. Prepare Windows Server 2008 (RTM or R2) x64 edition server for the first Exchange 2010
2. Install the AD LDIFDE tools on the new Exchange 2010 server (to upgrade the schema).
3. Install necessary prerequisites (WWW for CAS server role) including web certificates.
4. Install CAS server role servers and configure per 2010 design. Validate functionality.
5. Transfer OWA, ActiveSync, and Outlook Anywhere traffic to new CAS servers.
6. Install Hub Transport role and configure per 2010 design.
7. Transfer inbound and outbound mail connector to the new 2010 HT servers.
8. Install mailbox servers and configure Databases (DAG if needed).
9. Create public folder replicas on Exchange 2010 servers using Exchange 2010 Public Folder tool.
10. Move mailboxes to Exchange 2010 using Move Mailbox Wizard.
11. Re-home the Offline Address Book (OAB) generation server to Exchange Server 2010.
12. Transfer all Public Folder Replicas to Exchange Server 2010 Public folder stores.
13. Delete Public and Private Information Stores from Exchange 2007 servers.
14. Remove Exchange 2007 Edge Transport subscription
15. Uninstall all Exchange 2007 servers.
Test Procedure:
Double check Exchange Roles and services are started
Check internal and external connector
Test OWA and Email using test user
Verify against the system build info you created at the beginning to check what you might have missed!
Key Factors:
The following key factors differentiate a 2007 to 2010 transition from a 2003 to 2010 transition:
Exchange admin groups and routing groups are already out of the picture.
The Recipient Update Service is no longer part of the transition process.
The public folder hierarchy does not need to be re-homed. Indeed, because Public Folders are not required for Exchange Server 2007, they might not even be part of the transition.
One added advantage of the transition from Exchange Server 2007 to Exchange Server 2010: if Outlook clients are at the 2007 level or above, the move mailbox process does not result in downtime, making the end-user transition experience completely transparent.
Further Study
Transition from Exchange 2003 to Exchange 2010
Watch TechNet Video on Transition from Exchange 2007 to Exchange 2010
Step by Step Guide on Exchange Server 2010 Edge Transport Role
The Edge Transport role in Exchange Server 2010 provides an important layer of security between the external and internal messaging infrastructure. The Edge server analyses messages and can identify spam, content and connection trends and take the appropriate action to prevent delivery of potentially harmful content, spam, and other undesired messages. All messages coming into and going out of the organization are scanned by the Edge Transport Server and verified against the policies deployed on it before being passed on toward the external networks. The Edge Transport server plays a vital role in the messaging infrastructure, protecting the organization from attack and preventing delivery of unnecessary email, which ultimately can save an organization’s reputation, reduce administrative overhead, and increase productivity.
Installation Prerequisite:
Windows Server 2008 x64 SP2 or Windows Server 2008 R2
Microsoft .NET Framework 3.5
Windows Remote Management 2.0
Windows PowerShell V2
Active Directory Lightweight Directory Services (AD LDS)
Exchange Server 2010 HT, CAS and Mailbox roles installed on a separate Windows Server 2008 computer
Installation:
Edge Transport Config:
Now, from Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Console, configure the Anti-Spam, Receive Connectors, Send Connectors, Transport Rules and Accepted Domains tabs available in the Edge Transport console. On the Anti-Spam tab, configure Content Filtering, IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers, Recipient Filtering, Sender Filtering, Sender ID and Sender Reputation through the action pane.
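The same Anti-Spam agents can be configured from the Exchange Management Shell on the Edge Transport server; the following is an added example, not from the original post. Thresholds are a conservative starting point to tune, and the DNSBL domain, quarantine mailbox, blocked domain and address range are placeholders.

```powershell
# Added example, not from the original post: the Anti-Spam tab settings
# applied from the Exchange Management Shell on the Edge Transport server.
# Provider domain, mailbox and blocked domain are placeholders; 192.0.2.0/24
# is a documentation range, also a placeholder.

# Content Filtering: quarantine borderline mail, reject likely spam, delete the
# worst. The thresholds must keep quarantine < reject < delete.
Set-ContentFilterConfig -Enabled $true `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 7 `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -QuarantineMailbox "spamquarantine@example.com"   # placeholder mailbox

# IP Block List entry and a DNS-based block list provider (placeholder domain).
Add-IPBlockListEntry -IPRange "192.0.2.0/24" -Comment "placeholder documentation range"
Add-IPBlockListProvider -Name "ExampleDNSBL" -LookupDomain "dnsbl.example.net" -AnyMatch $true

# Recipient Filtering: reject mail for addresses that do not exist. Recipient
# validation only works once EdgeSync has replicated recipients into AD LDS.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# Sender Filtering: reject blank senders and one blocked domain (placeholder).
Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true `
    -Action Reject -BlockedDomainsAndSubdomains "spam.example"

# Sender ID: reject mail the sender domain's SPF record marks as spoofed, but
# only stamp the status on temporary DNS errors so legitimate mail is not lost.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -TempErrorAction StampStatus

# Sender Reputation: block senders whose reputation level reaches 7 for 24 hours
# and test connecting hosts for open proxies.
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true `
    -SrlBlockThreshold 7 -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# Confirm every anti-spam agent is enabled and review the resulting thresholds.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
Get-ContentFilterConfig | Format-List SCL*
```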
EdgeSync Config on an Edge Transport Server:
On the Edge Transport Server, open the Exchange Management Shell and type the following:
New-EdgeSubscription -FileName "C:\Edgeinfo.xml"
Copy the Edge subscription file to the Hub Transport server as C:\Edgeinfo.xml.
On the Hub Transport Server, open Exchange Management Console > Organization Configuration > Hub Transport.
In the action pane, click New Edge Subscription to start the New Edge Subscription Wizard.
Click Browse > select Active Directory site > select Default First Site.
Browse to the location of the Edge subscription file you copied from the Edge Transport server and click Next > Finish.
Verify synchronization to the Edge Transport server’s AD LDS and review the Application log in Event Viewer on both the Hub and Edge Transport servers.
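The same EdgeSync subscription done entirely from the shell on both servers, followed by the verification the last step asks for, as an added example that is not from the original post. Server names, the AD site name and the file path are placeholders; the event log source name is the one EdgeSync is expected to use.

```powershell
# Added example, not from the original post: EdgeSync subscription from the
# shell on both servers, then verification. Names and paths are placeholders.

# --- 1. On the Edge Transport server ---
New-EdgeSubscription -FileName "C:\Edgeinfo.xml" -Force
# The file carries bootstrap credentials for the Edge server's AD LDS instance
# and must be imported within 1440 minutes. Copy it over a trusted channel and
# delete both copies once the subscription has been created.

# --- 2. On a Hub Transport server in the subscribing site ---
$EdgeServer = "EX2010EDGE"              # placeholder: Edge Transport host name
$HubServer  = "EX2010HUB"               # placeholder: Hub Transport host name
$Site       = "Default-First-Site-Name" # placeholder: AD site of the Hub servers
$FileData   = [byte[]](Get-Content -Path "C:\Edgeinfo.xml" -Encoding Byte -ReadCount 0)

New-EdgeSubscription -FileData $FileData -Site $Site `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item "C:\Edgeinfo.xml"           # credentials are now in AD; do not leave the file behind

# Do not wait for the schedule: push a full sync now.
Start-EdgeSynchronization -Server $HubServer -TargetServer $EdgeServer -ForceFullSync

# --- 3. Verify on the Hub Transport server ---
Get-EdgeSubscription | Format-List Name, Site

$Result = Test-EdgeSynchronization -TargetServer $EdgeServer -FullCompareMode
$Result | Format-List SyncStatus, LastSynchronizedUtc
if ($Result.SyncStatus -ne "Normal") {
    Write-Warning "EdgeSync to $EdgeServer is not healthy: $($Result.SyncStatus)"
}

# Spot-check that one recipient reached AD LDS (address is a placeholder).
Test-EdgeSynchronization -VerifyRecipient "user@example.com" | Format-List

# Review the Application log; EdgeSync events are logged under the
# "MSExchange EdgeSync" source (assumed source name). Repeat on the Edge server.
Get-EventLog -LogName Application -Source "MSExchange EdgeSync" -Newest 20 |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
```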
Further Study:
Key Words: Edge Transport, Exchange 2010, AD LDS, Windows Server 2008