Exchange 2007/2010 certificates and new Go Daddy


I recently found a situation where the GoDaddy cert chain wasn't installed and some phone clients had issues. The following is a proven request/import process to install the cert and chain.

So I gave this process to a friend and found out that I should either rename or subtitle this post "Getting SBS 2008 to recognize your 2048-bit certificate" – great side effect!

  1. First make your cert request in the Exchange Management Shell; it should look something like this (one line, straight quotes):
    • New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Company, CN=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,hostname,hostname.domain.local -FriendlyName mail.domain.com -PrivateKeyExportable:$true -Path c:\cert_myserver.txt
    • Every name a client will connect with (the external name, autodiscover, and the internal NetBIOS and FQDN names) goes in -DomainName; they end up in the Subject Alternative Name field. -PrivateKeyExportable:$true is required for the export in step 4.
    • IMPORTANT: don't do any new cert requests or run any wizards (such as the SBS certificate wizard) until the cert is imported. The pending request's private key is stored on the server, and a new request or wizard run generates a new key that the certificate GoDaddy issues will no longer match.
  2. Send the cert request (the contents of c:\cert_myserver.txt) to GoDaddy as a UCC (multi-domain) certificate, listing the same names as SANs.
  3. Import the certificate to complete the request and bind it to the services:
    • Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services POP,SMTP,IIS,IMAP
  4. Export the certificate
    1. Start –> Run –> MMC –> Add Snap-in –> Certificates –> Local computer
    2. Right click the certificate –> All Tasks –> Export
      1. Include the private key and the certificate chain ("Include all certificates in the certification path if possible")
      2. Enter a password
  5. Re-import the certificate including the chain (this imports the intermediate chain certs into the Intermediate Certification Authorities store as well, which is what the phone clients were missing)
    1. Right click in a blank area of the Certificates MMC –> All Tasks –> Import
    2. Select the .pfx you exported –> Import –> include the certificate chain.
    3. The .pfx contains the private key, so delete it once the import is confirmed.
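The five steps above as one Exchange Management Shell script, followed by the check a practitioner wants before handing the server back: does the chain the phone clients need actually sit in the machine store? This is an added example, not code from the original post. Names are placeholders (mail.domain.com, autodiscover.domain.com, CAS01 / CAS01.domain.local, C:\certs, the PFX password), and certutil stands in for the MMC export/import of steps 4 and 5.

```powershell
# Added example, not from the original post: the request / import / export / re-import
# sequence above as one script, followed by a chain check against the machine store.
# Placeholders: mail.domain.com, autodiscover.domain.com, CAS01 / CAS01.domain.local,
# C:\certs, and the PFX password. certutil replaces the MMC export/import of steps 4-5.

$names      = 'mail.domain.com','autodiscover.domain.com','CAS01','CAS01.domain.local'
$csrPath    = 'C:\certs\cert_myserver.txt'
$issuedPath = 'C:\certs\CertificateFile.cer'      # the certificate GoDaddy sends back
$pfxPath    = 'C:\certs\mail.domain.com.pfx'
$pfxPass    = 'change-me'                         # assumption; use a real secret

# Step 1: generate the CSR. -PrivateKeyExportable is only needed because the chain fix
# below exports the certificate together with its private key.
New-ExchangeCertificate -GenerateRequest -SubjectName 'C=US, O=Company, CN=mail.domain.com' `
    -DomainName $names -FriendlyName 'mail.domain.com' -PrivateKeyExportable:$true -Path $csrPath

# Step 2 is manual: submit $csrPath to GoDaddy as a UCC certificate with the same SANs.
# Do not run another request or wizard before step 3; the pending key lives in the
# machine store and a new request replaces it with one the issued cert will not match.

# Step 3: complete the request and bind the services (Exchange 2007 -Path syntax;
# Exchange 2010 takes -FileData instead of -Path).
$cert = Import-ExchangeCertificate -Path $issuedPath
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services POP,IMAP,SMTP,IIS

# Steps 4 and 5: export leaf + private key + chain as PKCS#12 and import it back.
# On import certutil places the leaf in My and the CA certificates carried in the PFX
# into the Intermediate (CA) and Root stores, which is what gives IIS a chain to send.
certutil -f -p $pfxPass -exportPFX My $cert.Thumbprint $pfxPath
certutil -f -p $pfxPass -importPFX $pfxPath
Remove-Item $pfxPath        # the PFX holds the private key; do not leave it on disk

# Check: build the chain for the new certificate and report where each element lives.
# An element that is in none of My, CA or Root was fetched over the network (AIA) by this
# server; a phone that cannot do that fetch will reject the certificate.
function Test-ExchangeCertChain {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $leaf  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate question
    $built = $chain.Build($leaf)
    foreach ($el in $chain.ChainElements) {
        $t = $el.Certificate.Thumbprint
        $store = if ($t -eq $Thumbprint)                        { 'My' }
                 elseif (Test-Path "Cert:\LocalMachine\Root\$t") { 'Root' }
                 elseif (Test-Path "Cert:\LocalMachine\CA\$t")   { 'CA (intermediate)' }
                 else                                            { 'NOT IN MACHINE STORE' }
        Write-Host ('{0,-22} {1}' -f $store, $el.Certificate.Subject)
    }
    if (-not $built) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
        }
    }
    return $built
}

Test-ExchangeCertChain -Thumbprint $cert.Thumbprint
```

Run the check before and after the certutil import: before, the GoDaddy intermediate typically shows as "NOT IN MACHINE STORE" (the server built the chain by fetching it); afterwards it should show as "CA (intermediate)", and only then will IIS send it to clients that cannot fetch it themselves.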

 

And yes, there are other ways to get to the same result; this is just a simple, easy-to-explain way.


Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 3/4 active sync)

Configure Active sync rule on TMG

  1. Open Forefront TMG
  2. Click on [screenshot]
  3. In the Action Pane under Tasks click [screenshot]
  4. Give the rule a name; I'll name mine "2010 ActiveSync"
  5. [screenshot]
  6. Next –> Next
  7. [screenshot]
  8. Internal Site Name should be your CAS server FQDN (it needs to be on the cert)
  9. [screenshot]
  10. The external name is what you use to access ActiveSync (it also needs to be on the cert)
  11. [screenshot]
  12. Select the OA listener created in Part 2.
  13. [screenshot]
  14. [screenshot]
  15. [screenshot]
  16. Finish
  17. Now ActiveSync is published!
  • Go Back To OWA
  • Go Back to Outlook anywhere

  • Move on to SMTP

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

    1. OWA
    2. EWS\Outlook anywhere
    3. Active sync
    4. SMTP

Publish Exchange 2010 with TMG (cont)


    Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 2/4 EWS\Outlook anywhere)

    Configure Outlook anywhere rule on TMG

    1. Open Forefront TMG
    2. Click on [screenshot]
    3. In the Action Pane under Tasks click [screenshot]
    4. Give the rule a name; I'll name mine "2010 OA"
    5. [screenshot]
    6. Next –> Next
    7. [screenshot]
    8. Internal Site Name should be your CAS server FQDN (it needs to be on the cert)
    9. [screenshot]
    10. The external name is what you use to access OA (it also needs to be on the cert)
    11. [screenshot]
    12. Click New to make a new listener
    13. [screenshot]
    14. Name it whatever you want; I named mine "Basic Auth" because I am going to use it for Basic auth for OA\EWS.
    15. [screenshot]
    16. Select one of the external IPs listed, not "all IP addresses": a listener bound to every address stops you from creating a second listener on port 443 with a different authentication method.
    17. [screenshot]
    18. Select the certificate you imported earlier (it must carry the external name from step 10)
    19. [screenshot]
    20. Use HTTP Authentication (Basic). Basic auth sends the credentials protected only by the TLS session, so leave HTTP disabled on this listener and accept HTTPS only.
    21. [screenshot]
    22. Click –> Next –> Finish –> Select the listener.
    23. [screenshot]
    24. [screenshot]
    25. [screenshot]
    26. Finish
    27. Now Outlook Anywhere is published!


    Problems with Autodiscover, Out of Office, Free Busy, OWA and Outlook Anywhere


    One of the most common issues I see has to do with certificates, so to start out we need to understand some things about certificates.

    Certificates identify the Exchange server to its clients and are used to set up the TLS (SSL) session that encrypts the traffic between them; a client that cannot validate the certificate will not trust the server, whether or not the traffic is encrypted.

    There are 3 things that need to be true for a certificate to be valid.

    1. The name used to access the resource needs to match the certificate.
      Example: If I connect to OWA with mail.mydomain.com then the certificate needs to also have mail.mydomain.com on it, in either the Subject (CN) or the Subject Alternative Name field. A wildcard such as *.mydomain.com covers a single label, so it matches mail.mydomain.com but not a name with an extra label in front of it.
    2. The certificate time must be valid: the client's clock must fall between the certificate's NotBefore and NotAfter dates, so a wrong clock on a phone fails this check just as an expired certificate does.
    3. The issuing Certificate Authority must be trusted by the client: the root CA needs to exist in the client's Trusted Root Certification Authorities store, and any intermediate CA certificates between the root and your certificate must either be sent by the server or already be in the client's Intermediate Certification Authorities store.

    Now that we have some very basic info about certificates, the issues I see constantly are Autodiscover, Out of Office, Free/Busy and Outlook Anywhere misconfiguration.

    Reasons:

    1. Not using a trusted certificate
      • Solution: use a 3rd party cert provider. An internal CA only works for domain-joined clients that receive its root certificate through Group Policy; phones and home PCs will not trust it.
    2. The certificate name does not match the DNS name(s)
      • Solution: create a new cert request containing all the names used to access the server. Minimum of
        1. autodiscover.domain.com
        2. <ExternalName>.domain.com
        3. <InternalName>.domain.local (if used for internal systems also)
      • Example of a correct cert request (one line, straight quotes):
        New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Org Name, CN=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,servername,servername.domain.local -FriendlyName mail.domain.com -PrivateKeyExportable:$true -Path c:\cert_myserver.txt
      • Example of cert import:
        Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services POP,SMTP,IIS,IMAP   (2007 example)
        Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\newcert.cer -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services SMTP   (2010 example)
    3. External URLs not defined correctly
    4. Can't resolve fully qualified domain names (FQDN)

      Should look like this: [screenshot]

    5. SCP record does not contain the correct value
      1. Test from Outlook:
        1. Hold CTRL and right-click the Outlook icon in the system tray, then select "Test E-mail AutoConfiguration"
        2. Uncheck "Use Guessmart" and "Secure Guessmart Authentication", leave "Use Autodiscover" checked, and click Test
      2. Check the SCP value returned
        1. If you get info on the Results tab then Autodiscover is working
        2. If not, look at the Log tab and note the URL that is returned [screenshot]
      3. Test the URL by typing it into Internet Explorer. A working Autodiscover URL prompts for credentials and then returns an Autodiscover XML error (600, Invalid Request), which is expected from a browser; a certificate warning or a name-resolution error is the actual problem. If it doesn't work, change the SCP to a valid URL:
        1. Run ADSIEDIT and view the serviceBindingInformation attribute of the CAS server's Autodiscover SCP object to verify the current value [screenshot]
        2. Set the SCP along with the internal URL: Set-ClientAccessServer -Identity CASServerName -AutoDiscoverServiceInternalUri https://mail.domain.local/Autodiscover/Autodiscover.xml
        3. The host in that URL must be one of the names on the certificate (the internal name from reason 2 above) and must resolve from the clients, or Outlook fails the same name check it would fail for a wrong external name.
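The three conditions from the top of this post, and the SCP check just above, turned into a script you can run from a client: it connects to a URL, reads the certificate the server presents, and reports name match, validity period and chain trust separately, then does the same for every Autodiscover SCP URL the CAS servers publish in AD. This is an added example, not code from the original post; mail.domain.com is a placeholder and Get-ClientAccessServer needs the Exchange Management Shell. The name match goes slightly beyond the text by also accepting a single-label wildcard, which is what clients do.

```powershell
# Added example, not from the original post: check the three certificate conditions
# (name match, validity period, trusted chain) from the client side against the name
# you actually connect with, then run the same check on every Autodiscover SCP URL.
# mail.domain.com is a placeholder; Get-ClientAccessServer needs the Exchange shell.

function Get-CertDnsNames {
    # All names a client may use for this cert: the Subject CN plus every DNS entry in
    # the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim().ToLower() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the extension as "DNS Name=mail.domain.com, DNS Name=..."
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value.ToLower()
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameMatch {
    # Exact match, or a wildcard (*.domain.com) that covers exactly one extra label.
    param([string]$HostName, [string[]]$CertNames)
    $HostName = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                          # ".domain.com"
            if ($HostName.EndsWith($suffix) -and $HostName.Length -gt $suffix.Length) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }    # mail.domain.com, not a.b.domain.com
            }
        }
    }
    return $false
}

function Test-ExchangeUrlCertificate {
    param([Parameter(Mandatory=$true)][string]$Url)
    $uri      = New-Object System.Uri($Url)
    $hostName = $uri.Host.ToLower()
    $port     = $uri.Port                                      # 443 for an https:// URL
    # Open the TLS session with validation switched off, only so that the server's
    # certificate can be read; each of the three checks is then done explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
    $now     = Get-Date
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)                             # uses this machine's stores
    $names   = Get-CertDnsNames $cert
    New-Object PSObject -Property @{
        Url          = $Url
        Subject      = $cert.Subject
        CertNames    = ($names -join ',')
        NameMatch    = (Test-NameMatch -HostName $hostName -CertNames $names)    # condition 1
        TimeValid    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)   # condition 2
        ChainTrusted = $trusted                                                   # condition 3
        ChainStatus  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Usage: the external name first, then every SCP value the CAS servers publish in AD.
Test-ExchangeUrlCertificate -Url 'https://mail.domain.com/Autodiscover/Autodiscover.xml' | Format-List
Get-ClientAccessServer | ForEach-Object {
    Test-ExchangeUrlCertificate -Url $_.AutoDiscoverServiceInternalUri | Format-List
}
```

ChainTrusted reflects the stores of the machine you run this on: a domain-joined PC that received an internal root through Group Policy will report $true where a phone or home PC fails, so for the external name run it from outside the domain. NameMatch being $false for an SCP URL is exactly the "<InternalName>.domain.local missing from the request" case from reason 2.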