Tag Archives: Exchange 2007

Kemps Load Balancer and Exchange 2010

I ran into an interesting issue where a misconfiguration of a Kemp load balancer turned an Exchange 2010 environment into an open relay internal to the organization: internal client machines were able to send email to external recipients without authenticating.

The setup was something like this:

Internet SMTP traffic -> Barracuda Anti-Spam Firewall (DMZ, 192.168.1.1) -> Kemp load balancer (SMTP, HTTP and HTTPS load balancing, 172.16.1.20) -> Exchange 2010 Hub Transport servers (172.16.1.x)

The Kemp load balancer supports layer 7 transparency in two modes: non-transparent (the Kemp's own IP address is presented to the server as the source, instead of the IP address of the client trying to reach the server) and transparent (the actual client IP address is passed through to the server instead of the Kemp's).

Since the Kemp was passing traffic from the internet to the Hub Transport servers, a separate receive connector had been set up that allowed 192.168.1.1 to relay anonymously to the Exchange servers. But the Kemp was in non-transparent mode, so every SMTP session passing through it showed the Kemp's IP address as the source instead of the client's. Any machine on the internal network that connected to the Kemp and sent SMTP traffic therefore appeared to be coming from the Kemp, and its mail was accepted for submission by the Exchange 2010 servers. After troubleshooting and spending several days on the phone with Kemp, we came up with the following configuration. It only applies to a Kemp load balancer in a single-armed configuration, since that is how we were using it.

Disable SNAT (System Configuration -> Misc Options -> SNAT Control), then in the SMTP service properties (Virtual Server Configuration for SMTP) check Force L7 and Layer 7 Transparency.

Set the default gateway on all Exchange Hub Transport servers to the Kemp HA (cluster) IP address, so that return traffic to the real client address routes back through the Kemp.

This configures load balancing the way it should be: the Hub Transport servers now see the real client IP address, so the receive connector's RemoteIPRanges restriction applies to the Barracuda only and not to every internal client that happens to connect through the Kemp.
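The quickest way to confirm the fix is to ask the SMTP virtual service for what an internal client was wrongly allowed to do. The script below is an added example and not part of the original post: it opens an SMTP session to the VIP, presents an external sender and an external recipient without authenticating, and reports the RCPT TO verdict. The VIP is the one from the setup above; the sender and recipient addresses are placeholders.

```powershell
# Added example, not from the original post. Opens an SMTP session to the load
# balancer VIP and asks it to accept an external recipient without authenticating.
# A correctly scoped connector answers "550 5.7.1 Unable to relay"; a 250 means the
# host you ran this from can relay. Addresses below are assumptions.
function Test-SmtpRelay {
    param(
        [string]$SmtpHost = '172.16.1.20',        # Kemp SMTP VIP from the post
        [int]$Port = 25,
        [string]$MailFrom = 'probe@example.net',  # assumed external sender
        [string]$RcptTo = 'someone@example.org'   # assumed external recipient, not one of your accepted domains
    )

    # Reads one SMTP reply, following "250-" continuation lines up to the final "250 " line
    function Read-Reply([System.IO.StreamReader]$r) {
        $lines = @()
        do {
            $l = $r.ReadLine()
            if ($null -eq $l) { break }
            $lines += $l
        } while ($l.Length -ge 4 -and $l[3] -eq '-')
        return $lines
    }

    $client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-Reply $reader
        $writer.WriteLine("EHLO relayprobe.internal"); Read-Reply $reader | Out-Null
        $writer.WriteLine("MAIL FROM:<$MailFrom>");    Read-Reply $reader | Out-Null
        $writer.WriteLine("RCPT TO:<$RcptTo>");        $rcpt = Read-Reply $reader
        # Never send DATA: the RCPT verdict is the whole test, so abort the transaction
        $writer.WriteLine("RSET"); Read-Reply $reader | Out-Null
        $writer.WriteLine("QUIT"); Read-Reply $reader | Out-Null
    } finally {
        $client.Close()
    }

    $verdict = $rcpt[-1]
    New-Object PSObject -Property @{
        Target    = "$SmtpHost`:$Port"
        Banner    = $banner[-1]
        RcptReply = $verdict
        OpenRelay = [bool]($verdict -match '^250')
    }
}

# Run from an ordinary internal workstation; it should report OpenRelay = False.
Test-SmtpRelay | Format-List
```

Run it twice: from an internal workstation, where OpenRelay must be False after the change, and from the Barracuda's address, where the connector is meant to accept the recipient. If the workstation still gets a 250, the Kemp is still presenting its own address to the Hub Transport servers.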


Filed under Uncategorized

Useful Exchange 2010 Cmdlets

ALLOW ANONYMOUS RELAY TO EXTERNAL DOMAINS

By default the Anonymous permission group allows mail flow to internal (accepted) domains only. To allow devices that connect anonymously to relay to external recipients, Anonymous Logon needs the "ms-Exch-SMTP-Accept-Any-Recipient" extended right, which can be granted with the following cmdlet; replace "External Relay Connector" with the appropriate connector.

NEVER run this cmdlet on an internet-facing connector, and keep the relay connector's RemoteIPRanges limited to the specific devices that need to relay: every address in that range becomes an unauthenticated relay.

Get-ReceiveConnector "External Relay Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

CHANGE SMTP BANNER

If you need to change the SMTP banner for a receive connector, the following cmdlet can be used. The banner value must start with "220". Changing it hides the product string from casual banner grabbing, but it is not a security control on its own.

For a connector on the local server:
Set-ReceiveConnector -Identity "NameOfConnector" -Banner "220 I am not the connector you are looking for"

For a connector on a remote server:
Set-ReceiveConnector -Identity "REMOTESERVERNAME\NameOfConnector" -Banner "220 I am THE connector you are looking for"

TEST OUTLOOK CONNECTIVITY FROM EXCHANGE SERVER

If you are seeing Outlook connectivity, timeout and/or password prompt issues, the Test-OutlookConnectivity cmdlet can be very useful for troubleshooting. Below are some variations of the cmdlet that can be used:

Test-OutlookConnectivity -TrustAnySslCert $true
Test-OutlookConnectivity -Protocol:Http -GetDefaultsFromAutoDiscover:$true -verbose
Test-OutlookConnectivity -RpcProxyServer:EXCHPDC01V -RpcProxyAuthenticationType:Basic -ClientAccessServer:EXCHPDC01V
Test-OutlookConnectivity -RpcProxyTestType:Internal -RpcTestType:Server
Test-OutlookConnectivity -RpcProxyTestType:external -RpcTestType:Server
Test-OutlookConnectivity -RpcProxyTestType:external -RpcTestType:Array
Test-OutlookConnectivity -RpcProxyTestType:Internal -RpcTestType:Array
Test-OutlookConnectivity -Protocol:tcp -GetDefaultsFromAutoDiscover:$true -verbose


Filed under Uncategorized

Blocking Internal Domain Names Coming from Outside with Anonymous Authentication

Exchangepedia.com has an excellent article, "HOW TO: Prevent annoying spam from your own domain", which can be found at the following link:

http://exchangepedia.com/blog/2008/09/how-to-prevent-annoying-spam-from-your.html

Cmdlet to prevent spam from your own domain. It removes the right that lets anonymous senders use one of your accepted domains as the sender address on the internet-facing connector ("Incoming Internet Mail" here); after this, anonymous senders claiming your domain get "550 5.7.1 Client does not have permissions to send as this sender", so any external service that legitimately sends as your domain needs a separate connector with that right:

Get-ReceiveConnector "Incoming Internet Mail" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"} | Remove-ADPermission
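Both the Add-ADPermission cmdlet in the relay section and the Remove-ADPermission cmdlet above change what NT AUTHORITY\ANONYMOUS LOGON may do on a connector, and it is easy to lose track of which connectors carry which right. The audit below is an added example, not code from the original post: it lists every receive connector that grants Anonymous Logon either relay-related extended right, together with the RemoteIPRanges and bindings the grant applies to. Function and variable names are my own.

```powershell
# Added example, not from the original post. Lists every receive connector that
# grants NT AUTHORITY\ANONYMOUS LOGON either relay-related extended right, with the
# IP ranges and bindings the connector applies to. Run it before and after the
# Add-ADPermission / Remove-ADPermission commands on this page.
$relayRights = 'ms-Exch-SMTP-Accept-Any-Recipient',               # may relay to any recipient
               'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'   # may send as one of your accepted domains

function Get-AnonymousRelayConnector {
    Get-ReceiveConnector | ForEach-Object {
        $rc  = $_
        $acl = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue
        # Extended rights granted (not denied) to Anonymous Logon that matter for relaying
        $granted = @($acl | Where-Object { -not $_.Deny -and $_.ExtendedRights } |
                     ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } } |
                     Where-Object { $relayRights -contains $_ } |
                     Sort-Object -Unique)
        New-Object PSObject -Property @{
            Connector      = $rc.Identity.ToString()
            AnonymousGroup = [bool]("$($rc.PermissionGroups)" -match 'AnonymousUsers')
            RelayRights    = ($granted -join ', ')
            RemoteIPRanges = (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ')
            Bindings       = (@($rc.Bindings | ForEach-Object { "$_" }) -join ', ')
        }
    }
}

# Connectors carrying a relay right are the ones to scrutinise: RemoteIPRanges should
# name only the devices meant to relay. A load balancer in non-transparent mode makes
# every client behind it match that range.
Get-AnonymousRelayConnector |
    Where-Object { $_.RelayRights -ne '' } |
    Format-Table Connector, AnonymousGroup, RelayRights, RemoteIPRanges, Bindings -AutoSize -Wrap
```

A connector that shows ms-Exch-SMTP-Accept-Any-Recipient with a RemoteIPRanges of 0.0.0.0-255.255.255.255, or with a range that includes a load balancer VIP, is the configuration to fix.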


Filed under Uncategorized

Generating and Installing an Exchange 2007 Certificate on Windows 2008

Step 1
Generate the CSR. Use a 2048-bit key: public CAs no longer accept requests for 1024-bit RSA keys.
New-ExchangeCertificate -GenerateRequest -Path c:\mailserver_domainname_com.csr -KeySize 2048 -SubjectName "c=US, s=Wisconsin, l=Madison, o=My Company Name, ou=IT, cn=mail.EXTERNALDOMAIN.com" -DomainName OPTIONAL.EXTERNALDOMAIN2.COM, autodiscover.EXTERNALDOMAIN.com, SERVERNETBIOSNAME, SERVERNETBIOSNAME.INTERNALDOMAIN.local -PrivateKeyExportable $True

If you are not an EMS person, DigiCert has made it easy for you and offers online CSR generation for Exchange 2007 UCC/SAN certificates. Below is the link:
https://www.digicert.com/easy-csr/exchange2007.htm

ENSURE THAT THE COMMON NAME IS CORRECT before you submit the request. You can change all the other hostnames in the certificate yourself, but if the CN is wrong, plan on spending a good chunk of time on the phone with the SSL provider.

Step 2
Submit the CSR to your SSL provider, wait for the domain control validation email, and complete the validation from the certificate authority.

Step 3
Download the certificate files and import the intermediate certificate into the mail server's certificate store. Without the intermediate, clients see an untrusted chain even though the server certificate itself is fine.

If you are using GoDaddy, follow the instructions found here:
https://certs.godaddy.com/InstallationInstructions_alt.go

Step 4
Import the Exchange certificate and enable it for the appropriate services. To enable it for IIS, SMTP, POP and IMAP, use the cmdlet below, substituting "c:\MyNewUCCCertfromcheapsslprovider.cer" with your certificate file path. Run the import on the same server that generated the CSR, otherwise the private key is not there to pair with the certificate.

Import-ExchangeCertificate -Path c:\MyNewUCCCertfromcheapsslprovider.cer | Enable-ExchangeCertificate -Services "IIS,SMTP,POP,IMAP"

Step 5
Verify that Exchange 2007 is using the correct certificate with the following cmdlet (the Services column lists the services in this order):
Get-ExchangeCertificate | where {$_.Services -eq "IMAP, POP, IIS, SMTP"}
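The five steps above, scripted with the checks a practitioner wants between them. This is an added example and not code from the original post: paths, names, the 30-day expiry threshold and the function names are assumptions to edit for your environment, and steps 2 and 3 still happen at the CA between the first and second call. One further caveat on the SAN list: public CAs stopped issuing certificates containing internal names such as SERVERNETBIOSNAME.INTERNALDOMAIN.local in 2015, so keep those entries only if the CA is your own.

```powershell
# Added example, not from the original post: steps 1, 4 and 5 as functions with
# checks. Paths, names, key size and the expiry threshold are assumptions.
$csrPath = 'C:\mail_EXTERNALDOMAIN_com.csr'
$cerPath = 'C:\mail_EXTERNALDOMAIN_com.cer'      # the issued cert, after the intermediate is installed
$subject = 'c=US, s=Wisconsin, l=Madison, o=My Company Name, ou=IT, cn=mail.EXTERNALDOMAIN.com'
$names   = 'mail.EXTERNALDOMAIN.com',
           'autodiscover.EXTERNALDOMAIN.com',
           'SERVERNETBIOSNAME',
           'SERVERNETBIOSNAME.INTERNALDOMAIN.local'
$wanted  = 'IIS', 'SMTP', 'POP', 'IMAP'

function New-MailCsr {
    # Step 1: 2048-bit key; public CAs no longer accept 1024-bit requests
    New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
        -SubjectName $subject -DomainName $names -PrivateKeyExportable $true
}

function Install-MailCert {
    # Step 4: import on the server that generated the CSR, or the private key will be missing
    $cert = Import-ExchangeCertificate -Path $cerPath
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; import it where the CSR was generated"
    }
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($wanted -join ',')
    return $cert.Thumbprint
}

function Test-MailCert([string]$Thumbprint) {
    # Step 5: verify by thumbprint rather than by matching the Services display string
    $c        = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $svc      = "$($c.Services)"
    $status   = "$($c.Status)"
    $problems = @()
    foreach ($s in $wanted) { if ($svc -notmatch "\b$s\b") { $problems += "not enabled for $s" } }
    foreach ($n in $names)  { if ($c.CertificateDomains -notcontains $n) { $problems += "missing name $n" } }
    if ($status -ne 'Valid') { $problems += "status is $status (intermediate or chain problem?)" }
    if ($c.IsSelfSigned)     { $problems += 'certificate is self-signed' }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($c.NotAfter)" }
    if ($problems.Count -eq 0) {
        "OK: $Thumbprint serves $svc for $($names -join ', ') until $($c.NotAfter)"
    } else {
        $problems | ForEach-Object { "PROBLEM: $_" }
    }
}

# Usage, in this order, with the CA round trip (steps 2 and 3) between the first two calls:
# New-MailCsr
# $tp = Install-MailCert
# Test-MailCert $tp
```

A Status other than Valid right after import almost always means the intermediate certificate from step 3 is not in the machine store yet; a missing name means the CSR from step 1 did not carry the SAN list you expected.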


Filed under Windows 2008