Tag Archives: Exchange 2010

Kemp Load Balancer and Exchange 2010

I ran into an interesting issue where a misconfiguration of a Kemp load balancer turned an Exchange 2010 environment into an open relay inside the organization: internal client machines were able to send email to external recipients without authenticating.

The setup was something like this:

Internet SMTP traffic -> Barracuda Anti-Spam Firewall (DMZ, 192.168.1.1) -> Kemp load balancer (SMTP, HTTP and HTTPS load balancing, 172.16.1.20) -> Exchange 2010 Hub Transport servers (172.16.1.x)

The Kemp load balancer supports Layer 7 transparency in two modes: non-transparent, where the back-end server sees the Kemp's own IP address as the source instead of the address of the client that connected, and transparent, where the real client IP address is passed through to the server. The distinction matters for SMTP because Exchange receive connectors decide what a client may do (anonymous submission, relay to external recipients) from the source IP address of the session.

Because the Kemp was passing traffic from the Internet to the Hub Transport servers, a separate receive connector had been set up to let the Barracuda (192.168.1.1) relay anonymously to Exchange. But the Kemp was running in non-transparent mode, so every SMTP session passing through it reached Exchange with the Kemp's IP address as the source rather than the real client's address. Any machine on the internal network that connected to the Kemp's SMTP virtual service therefore looked to Exchange like the trusted relay source and was allowed to submit mail, including mail to external recipients, without authenticating. After troubleshooting and spending several days on the phone with Kemp we came up with the following configuration. It applies only to a Kemp in a single-armed (one-armed) configuration, since that is how we were using it:

Disable SNAT (System Configuration -> Miscellaneous Options -> SNAT Control), then in the SMTP virtual service properties (Virtual Server Configuration for SMTP) check Force L7 and Layer 7 Transparency.

Set the default gateway on all Exchange Hub Transport servers to the Kemp's HA (shared cluster) IP address. This is required once SNAT is off: the Hub Transport servers now see client addresses from outside their own subnet, and their replies have to return through the Kemp or the TCP sessions will never complete.

This configures load balancing the way it should be. With transparency on, the receive connector's remote IP range must name the Barracuda (192.168.1.1) rather than the Kemp's address, and an internal client connecting through the Kemp is seen by Exchange with its own address, so it only gets the rights that address has been granted.
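Two checks I would run after making that change, as an added example that is not part of the original post: first, from the Exchange Management Shell, list every receive connector that lets the anonymous account relay to any recipient and flag any whose RemoteIPRanges still contains the load balancer's own address (the condition that made the Kemp a trusted relay); second, from an ordinary internal workstation, try to relay through the VIP with no credentials and confirm Exchange refuses it. The VIP is taken from the post; the sender and external recipient addresses are placeholders.

```powershell
# Added example (not from the original post). Run the audit in the Exchange
# Management Shell; run the probe from an internal client, not from Exchange.
$LoadBalancerVip = '172.16.1.20'                 # Kemp VIP from the post
$ProbeFrom       = 'probe@example.com'           # assumed internal sender
$ProbeTo         = 'someone@external.example'    # assumed external recipient

# Dotted IPv4 -> 32-bit integer so ranges can be compared numerically.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint32](([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + $b[3])
}

# RemoteIPRanges entries stringify as "a.b.c.d", "a.b.c.d/prefix" or
# "a.b.c.d-e.f.g.h". Returns $true when $Ip falls inside $Range.
# Written without -shl/-shr so it also runs on the PowerShell 2.0 shell
# that Exchange 2010 ships with. IPv6 ranges are not evaluated here.
function Test-IpInRange ([string]$Ip, [string]$Range) {
    if ($Ip -match ':' -or $Range -match ':') { return $false }
    $target = [uint64](ConvertTo-UInt32 $Ip)
    if ($Range -match '^(\S+)-(\S+)$') {
        $lo = [uint64](ConvertTo-UInt32 $matches[1]); $hi = [uint64](ConvertTo-UInt32 $matches[2])
    } elseif ($Range -match '^(\S+)/(\d+)$') {
        $size = [uint64][math]::Pow(2, 32 - [int]$matches[2])   # addresses in the block
        $base = [uint64](ConvertTo-UInt32 $matches[1])
        $lo = $base - ($base % $size); $hi = $lo + $size - 1
    } else {
        $lo = [uint64](ConvertTo-UInt32 $Range); $hi = $lo
    }
    return ($target -ge $lo -and $target -le $hi)
}

# 1. Which connectors accept anonymous sessions, from which addresses, and
#    does ANONYMOUS LOGON hold the any-recipient (relay) right on them?
foreach ($rc in Get-ReceiveConnector) {
    $anonAllowed  = ([string]$rc.PermissionGroups) -match 'AnonymousUsers'
    $anyRecipient = [bool]($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
        Where-Object { ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*') -and -not $_.Deny })
    $vipTrusted = @($rc.RemoteIPRanges | Where-Object { Test-IpInRange $LoadBalancerVip $_.ToString() }).Count -gt 0
    if ($anonAllowed -and $anyRecipient -and $vipTrusted) {
        Write-Warning ("{0}: anonymous relay to any recipient, and the VIP {1} is inside RemoteIPRanges; every client behind the Kemp can relay" -f $rc.Identity, $LoadBalancerVip)
    } elseif ($anonAllowed -and $anyRecipient) {
        Write-Host ("{0}: anonymous relay allowed for {1}" -f $rc.Identity, ($rc.RemoteIPRanges -join ', '))
    }
}

# 2. Relay probe through the VIP with no credentials. The correct outcome is
#    an SMTP failure such as "5.7.1 Unable to relay"; an accepted message
#    means the relay is still open. (A connection failure also lands in the
#    catch block, so read the message before concluding the relay is closed.)
function Test-OpenRelay ([string]$SmtpServer, [string]$From, [string]$To) {
    try {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject 'relay probe' -Body 'relay probe' -ErrorAction Stop
        return $true
    } catch {
        Write-Host ("Relay refused: {0}" -f $_.Exception.Message)
        return $false
    }
}
if (Test-OpenRelay $LoadBalancerVip $ProbeFrom $ProbeTo) {
    Write-Warning 'Open relay: an anonymous submission to an external recipient was accepted'
}
```

Run the probe both before and after the Kemp change; if it succeeds afterwards, the connector is still granting the relay right to an address range that covers the client, and the audit output shows which one.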


Useful Exchange 2010 Cmdlets

ALLOW ANONYMOUS RELAY TO EXTERNAL DOMAINS

By default the Anonymous Users permission group allows anonymous SMTP submissions only to the organization's accepted (internal) domains. To let devices that connect as anonymous relay to external domains, ANONYMOUS LOGON needs the "ms-Exch-SMTP-Accept-Any-Recipient" extended right on the connector, which can be granted with the following cmdlet; replace "External Relay Connector" with the appropriate connector.

NEVER run this cmdlet on an Internet-facing connector, and keep the connector's RemoteIPRanges limited to the specific device addresses that need to relay: with this right granted, anything that can reach the connector from an allowed address is an open relay.

Get-ReceiveConnector "External Relay Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
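The cmdlet above only makes sense on a connector that is already scoped to the relaying devices. As an added example (not from the original post), this creates such a connector, grants the right, and then verifies that the right is present and that the connector is not open to every address. The connector name comes from the post; the server name and device addresses are placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$ConnectorName = 'External Relay Connector'
$HubServer     = 'HUB01'                              # assumed Hub Transport server
$RelayDevices  = @('172.16.1.50', '172.16.1.51')      # assumed scanners/app servers

# A Custom connector bound to 0.0.0.0:25 coexists with the Default connector:
# Exchange routes each session to the connector whose RemoteIPRanges matches
# the client address most specifically, so only these two devices land here.
$rc = Get-ReceiveConnector -Server $HubServer | Where-Object { $_.Name -eq $ConnectorName }
if (-not $rc) {
    $rc = New-ReceiveConnector -Name $ConnectorName -Server $HubServer -Usage Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $RelayDevices -PermissionGroups AnonymousUsers
}

# The relay-to-any-recipient right, granted on this connector only. Without it,
# anonymous submissions are limited to accepted (internal) domains.
$rc | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null

# Verify the outcome: right present, and no "everything" range on the connector.
function Test-RelayConnectorScope ($Connector) {
    $hasRight = [bool]($Connector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*') -and -not $_.Deny })
    $worldOpen = @($Connector.RemoteIPRanges | Where-Object {
        $_.ToString() -eq '0.0.0.0-255.255.255.255' -or $_.ToString() -eq '0.0.0.0/0' }).Count -gt 0
    New-Object PSObject -Property @{
        Connector    = $Connector.Identity.ToString()
        Ranges       = ($Connector.RemoteIPRanges -join ', ')
        AnyRecipient = $hasRight
        OpenToAll    = $worldOpen
    }
}

$result = Test-RelayConnectorScope (Get-ReceiveConnector $rc.Identity)
$result | Format-List
if ($result.AnyRecipient -and $result.OpenToAll) {
    Write-Warning 'This connector is an open relay; narrow RemoteIPRanges immediately'
}
```

If a device later changes address, add the new address with Set-ReceiveConnector -RemoteIPRanges rather than widening the range to a whole subnet; every host in that subnet would inherit the relay right.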

CHANGE SMTP BANNER

If you need to change the SMTP banner for a receive connector, the following cmdlet can be used. The banner must still begin with the 220 response code or clients will not accept the greeting.

For a connector on the local server:
Set-ReceiveConnector -Identity "NameOfConnector" -Banner "220 I am not the connector you are looking for"

For a connector on a remote server:
Set-ReceiveConnector -Identity "REMOTESERVERNAME\NameOfConnector" -Banner "220 I am THE connector you are looking for"

TEST OUTLOOK CONNECTIVITY FROM EXCHANGE SERVER

If you are seeing Outlook connectivity, timeout or password-prompt issues, the Test-OutlookConnectivity cmdlet can be very useful for troubleshooting them. Below are some variations of the cmdlet which can be used (EXCHPDC01V is the server name from this environment; substitute your own):

Test-OutlookConnectivity -TrustAnySslCert $true   # ignore certificate errors while testing
Test-OutlookConnectivity -Protocol:Http -GetDefaultsFromAutoDiscover:$true -verbose   # Outlook Anywhere (RPC over HTTP), settings from Autodiscover
Test-OutlookConnectivity -RpcProxyServer:EXCHPDC01V -RpcProxyAuthenticationType:Basic -ClientAccessServer:EXCHPDC01V   # explicit RPC proxy and CAS
Test-OutlookConnectivity -RpcProxyTestType:Internal -RpcTestType:Server
Test-OutlookConnectivity -RpcProxyTestType:external -RpcTestType:Server
Test-OutlookConnectivity -RpcProxyTestType:external -RpcTestType:Array   # test against the CAS array rather than one server
Test-OutlookConnectivity -RpcProxyTestType:Internal -RpcTestType:Array
Test-OutlookConnectivity -Protocol:tcp -GetDefaultsFromAutoDiscover:$true -verbose   # direct RPC/TCP (internal Outlook)


First Look at Exchange 2010 – Part 1

I just took Microsoft Online Clinic 6900, Introduction to Exchange Server 2010.

Here is a summary from the clinic; these are rough notes I took as I went. This one covers Part 1, Introduction to Exchange 2010 Overview.

Some of the new features introduced in Exchange 2010:

Ability to deploy services incrementally (looking for clarification)
Health reports
Role Based Access Control (RBAC)
Self-service support for end users
Improved database engine, including a defragmentation manager
Discovery feature, which allows searching multiple mailboxes for content
Archiving and retention rules
Improved Unified Messaging: voicemail preview in Outlook, SMS notification when a call is missed, etc.
Improved automated tools
Enhanced archiving and monitoring
Protected voicemail
Enhanced caller ID support
Text transcription of voicemail in various languages
Federated sharing (allows an organization to share calendars with third parties)
Database high availability still relies on Windows Failover Clustering underneath, but redundant Mailbox servers are created such that the clustering is invisible to the administrator

Deployment Scenarios

Migration to Exchange 2010 seems easy, except that I was expecting an in-place upgrade from Exchange 2007 to Exchange 2010 and YOU CAN'T DO THAT. Below are some of the things which need to be in place for a side-by-side/swing migration.

  1. Exchange 2003 SP2 or Exchange 2007 SP2 (or higher) environments can be migrated, since you CAN'T do an in-place upgrade to Exchange 2010; a forest containing Exchange 5.5 or Exchange 2000 cannot be upgraded directly to Exchange 2010
  2. Coexistence with Exchange 2003 SP2 or Exchange 2007 SP2 and above only
  3. Just like previous versions of Exchange, it needs an updated AD schema
  4. Active Directory should be at Windows 2003 forest functional level
  5. Needs at least one Windows 2003 SP2 GC in each site where an Exchange server will be installed

Does NOT support RODCs or ROGCs (read-only domain controllers and global catalogs)
Does NOT require Windows 2008 Active Directory
Does NOT support an in-place upgrade from Exchange 2003 (understandable) or Exchange 2007 (WHY)
Exchange 2010 servers CANNOT be used as front-end servers for Exchange Server 2003

For both Exchange 2003 and Exchange 2007, the move to Exchange 2010 has to be performed as a side-by-side deployment or swing migration; Exchange 2010 surprisingly DOES NOT support an in-place upgrade from Exchange 2007.

Exchange 2010 can be deployed in a separate AD forest (an Exchange resource forest) to separate administration of Exchange from administration of AD.

Supports more clients than prior versions:
Outlook
Outlook Live
Web Access
Windows Mobile
Entourage

Some services are tailored for hosting partners; I will try to get more details on it.

INSTALLATION

Prerequisites
Need accounts with Schema Admin, Enterprise Admin and Domain Admin rights, just like prior versions.

Extend the schema: setup /PrepareSchema
Prepare AD: setup /PrepareAD /OrganizationName:XYZ (the organization name CAN'T BE CHANGED later)
Prepare the domain: setup /PrepareDomain
Start the setup wizard. The wizard checks for the following prerequisites; if they are already installed the step is grayed out:
.NET Framework 3.5
Windows Remote Management
PowerShell 2.0

Localized language for install and administration

Error reporting

Typical: HT, CAS, MB and the Exchange Management Tools
Custom: HT/CAS/MB/UM/ET (Edge Transport)/EMC

Answer the question "Do you have any client computers running Outlook 2003 and earlier or Entourage in your organization?"; if yes, setup creates Public Folders.

It runs a readiness check
Finishes the installation
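Before running the three setup commands above, the prerequisites listed earlier (Schema/Enterprise Admin membership, Windows 2003 forest functional level, a Windows 2003 SP2 or later GC in the target site) can be checked from PowerShell. This is an added example, not part of the clinic notes; it uses System.DirectoryServices directly so it needs no RSAT module, and the site name is a placeholder.

```powershell
# Added example (not from the clinic notes). Run on a domain-joined machine
# as the account you intend to run setup with.
$TargetSite = 'Default-First-Site-Name'      # assumed AD site where Exchange will be installed

function Get-ExchangeSchemaVersion {
    # rangeUpper on ms-Exch-Schema-Version-Pt records the Exchange schema level
    # (Exchange 2010 RTM sets it to 14622). It is absent in a forest that has
    # never had Exchange, in which case $null is returned.
    $root = [ADSI]'LDAP://RootDSE'
    try {
        $attr = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)"
        $v = $attr.rangeUpper.Value
        if ($v) { return [int]$v } else { return $null }
    } catch { return $null }
}

function Get-ForestMode {
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode.ToString()
}

function Get-SiteGlobalCatalogs ([string]$Site) {
    # Setup wants at least one Windows 2003 SP2 (or later) GC in the site.
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindAllGlobalCatalogs() |
        Where-Object { $_.SiteName -eq $Site } |
        Select-Object Name, SiteName, OSVersion
}

function Test-SetupAccountGroups {
    # whoami /groups lists the token's group memberships, including the
    # forest-root groups setup needs for /PrepareSchema and /PrepareAD.
    $groups = (whoami /groups) -join "`n"
    New-Object PSObject -Property @{
        SchemaAdmin     = [bool]($groups -match 'Schema Admins')
        EnterpriseAdmin = [bool]($groups -match 'Enterprise Admins')
        DomainAdmin     = [bool]($groups -match 'Domain Admins')
    }
}

function Test-ExchangePrereqs ([string]$Site) {
    $mode = Get-ForestMode
    $gcs  = @(Get-SiteGlobalCatalogs $Site)
    $acct = Test-SetupAccountGroups
    New-Object PSObject -Property @{
        ForestMode            = $mode
        ForestModeOk          = ($mode -notmatch 'Windows2000|Windows2003Interim')
        GlobalCatalogsInSite  = $gcs.Count
        GlobalCatalogOS       = ($gcs | ForEach-Object { $_.OSVersion }) -join '; '
        CurrentExchangeSchema = Get-ExchangeSchemaVersion
        SchemaAdmin           = $acct.SchemaAdmin
        EnterpriseAdmin       = $acct.EnterpriseAdmin
        DomainAdmin           = $acct.DomainAdmin
    }
}

Test-ExchangePrereqs $TargetSite | Format-List

# Only once every field above is satisfactory, from the Exchange 2010 media:
#   setup /PrepareSchema
#   setup /PrepareAD /OrganizationName:XYZ     # cannot be renamed afterwards
#   setup /PrepareDomain
# Re-run Get-ExchangeSchemaVersion afterwards to confirm the schema was extended.
```

The schema check is the one worth keeping around after the install as well: a changed rangeUpper is the quickest way to see that someone has run a later /PrepareSchema in the forest.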

EMC is similar to Exchange 2007

Guidelines for optimizing Exchange Server 2010
Exchange 2010 cannot be installed in a forest that has Exchange 5.5 or 2000 servers; Exchange 2003 or Exchange 2007 needs to be at SP2 or higher.
Ensure that the Hub Transport role is installed for sending and receiving email :).
Deploy multiple Hub Transport servers per site.
Consider deploying multiple CAS in each site.
