Tuesday, September 29, 2009

Hide your internal Exchange server name on EHLO HELO - Change your SMTP banner

I had a single Exchange Server 2007 (exchange1.intra) on my internal network.
This server had the CAS, Hub Transport and Mailbox roles installed on it.
It sent and received Internet mail through an SMTP relay (public name: mail.mycompany.com).
Emails sent to some recipient servers were rejected with the following error:

This came from the fact that some recipient servers double-check the sending server: they connect back to its public name on port 25 (the same thing you do with a telnet session followed by an EHLO/HELO) and compare the host name announced in the 220 banner with that public name:
telnet mail.mycompany.com 25
> 220 exchange1.intra Microsoft ESMTP MAIL Service .....
exchange1.intra is different from mail.mycompany.com, so the check fails and the message is refused.
You can check your mail server with useful online tools like MXToolBox.

Unfortunately, you cannot change the SMTP banner of an Exchange 2007 server that has the Mailbox role installed on it, so the Mailbox role has to be moved elsewhere first.

In order to change your SMTP banner, you need to:

1- Add another server (exchange2.intra) to your Exchange organization with the Mailbox role, move all mailboxes to it and remove the Mailbox role from exchange1.intra.

2- Remove the default Exchange routing headers on exchange1.intra. This strips the internal Received: headers from outgoing mail, so neither your internal server names nor the fact that the server is running Exchange leak to recipients.
Run the following command in the Exchange Management Shell, where "send connector" is the name of your Send connector:
Get-SendConnector "send connector" | Remove-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -User "NT AUTHORITY\ANONYMOUS LOGON"

Restart the Microsoft Exchange Transport service.

3- Set up your new banner with the name of the public server (mail.mycompany.com). This sets the greeting of the IIS SMTP virtual server (smtpsvc instance 1) on exchange1.intra; open a command prompt on that server:
cd C:\inetpub\AdminScripts
cscript adsutil.vbs set smtpsvc/1/connectresponse "mail.mycompany.com My Company"

4- Check on exchange1.intra that the Send connector properties contain the correct FQDN for HELO/EHLO requests (mail.mycompany.com), otherwise the internal name is still announced when your server connects to others.


Then the telnet feedback will be:
telnet mail.mycompany.com 25
> 220 mail.mycompany.com My Company

And your emails won't be rejected anymore.

PS: if you have an SMTP virtual server (IIS), don't forget to put mail.mycompany.com in the masquerade domain and FQDN fields as well.
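To verify the result from the outside the way a picky recipient does, here is an added PowerShell check (example code, not from the original post or from Exchange): it connects to port 25, reads the 220 greeting, sends EHLO and reports whether the announced host name matches the public name. mail.mycompany.com and exchange1.intra are the placeholder names used above; ConvertFrom-SmtpBanner and Test-SmtpBanner are names chosen here.

```powershell
# Added example, not code from the original post: read a mail server's 220 greeting,
# send EHLO and compare the announced host name with the public name that recipient
# servers check. Placeholder names (mail.mycompany.com, exchange1.intra) are the post's;
# the function names are chosen here.

function ConvertFrom-SmtpBanner {
    param([Parameter(Mandatory=$true)][string]$BannerLine)
    # RFC 5321 greeting: "220 <hostname> [text]"; the host name is the first token after the code
    if ($BannerLine -notmatch '^220[ -](\S+)') {
        throw "Not an SMTP greeting: $BannerLine"
    }
    return $Matches[1]
}

function Test-SmtpBanner {
    param(
        [Parameter(Mandatory=$true)][string]$PublicName,   # e.g. mail.mycompany.com
        [int]$Port = 25,
        [string]$HeloName = 'checker.example'              # name we announce in our own EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000
    $client.Connect($PublicName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner    = $reader.ReadLine()
        $announced = ConvertFrom-SmtpBanner $banner

        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @()
        do {
            $line = $reader.ReadLine()
            $ehlo += $line
        } while ($line -match '^\d{3}-')    # multi-line reply: "250-..." until the final "250 "
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            PublicName    = $PublicName
            BannerHost    = $announced
            BannerMatches = ($announced -ieq $PublicName)
            Banner        = $banner
            EhloReply     = ($ehlo -join "`n")
        }
    } finally {
        $client.Close()    # also disposes the stream wrapped by $reader and $writer
    }
}

# Offline check of the parser on a greeting like the one quoted above (constructed sample):
ConvertFrom-SmtpBanner '220 exchange1.intra Microsoft ESMTP MAIL Service ready'   # exchange1.intra

# Live check, needs network access to port 25 of the public name:
# Test-SmtpBanner -PublicName mail.mycompany.com | Format-List
```

BannerMatches must be True once the steps above are done. Also look at the first line of EhloReply: the host name after "250-" is the FQDN configured on the Receive connector, which is the other place an internal name can leak, even when the 220 greeting has been fixed.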



Monday, September 28, 2009

Certificate Errors with Exchange 2007

There is so much information about Exchange 2007 and certificate errors on the internet that it is sometimes difficult to wade through it all and find exactly what you are looking for.

I'm not going to repeat all of it here, but I would like to give a quick summary of what I think solves most of the issues people are having with OWA, OAB and Autodiscover certificate errors, including the error "The name of the security certificate is invalid or does not match the name of the site". There are obviously many ways to do this. I find this the easiest and most straightforward.

Basically, when you have a single CAS server (e.g. "server1.mydomain.local") being accessed over IIS (for EAS, OWA, OAB etc.) using more than one URL (e.g. "owa.officialdomain.com", "autodiscover.officialdomain.com"), you need one certificate that contains all of those names as Subject Alternative Names (a UC certificate). To create the request, use the Exchange Management Shell:

New-ExchangeCertificate -DomainName owa.officialdomain.com, autodiscover.officialdomain.com, server1.mydomain.local, server1 -FriendlyName owacert -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.txt -PrivateKeyExportable:$true -SubjectName "DC=mydomain, DC=local, CN=server1.mydomain.local"

(A 1024-bit RSA key was still usual in 2009; public CAs no longer issue certificates for keys that short, so use -KeySize 2048 today. Every name in -DomainName becomes a Subject Alternative Name; the CN in -SubjectName is the one name that older clients check, see the note below about pre-Vista SP1 clients.)

Submit the request file (c:\certrequest.txt) to your Microsoft CA (or a public CA) and download the issued certificate. Then import it using the Management Shell:

Import-ExchangeCertificate -Path c:\certnew.cer

The Management Shell will then display the thumbprint, which you need for enabling the certificate:

Enable-ExchangeCertificate -Services IIS -Thumbprint AE8863602018F46A7E72DFA7A49D3484335EF98F

You should now have your certificate working with all URLs without the invalid name errors.

Obviously, the rest of your configuration will need to be correct, i.e. your clients must trust either the certificate itself or the issuing CA, and the URLs configured on the virtual directories (OWA, OAB, EWS, Autodiscover) must use names that are on the certificate.

Note:

If you have pre-Vista SP1 Windows clients (e.g. XP), Outlook will not be able to connect to the Outlook Anywhere address unless that name is the CN of the certificate subject: the RPC over HTTP client on those systems ignores the Subject Alternative Names and only checks the CN, so put the Outlook Anywhere host name in -SubjectName rather than only in -DomainName.
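Before running Enable-ExchangeCertificate it is worth checking that the certificate the CA returned really carries every name, in the CN or in the SAN extension. The following PowerShell is an added example (not part of the original post, not an Exchange cmdlet) that does that from the .cer file with plain .NET; the path and host names are the placeholders used above, the "DNS Name=" rendering of the SAN extension is the one Windows produces, and Get-CertificateDnsNames / Test-ExchangeCertNames are names chosen here.

```powershell
# Added example, not code from the original post: verify that an issued certificate
# contains every host name Exchange clients will use (subject CN or Subject Alternative
# Name) and that the Outlook Anywhere name is the CN, which XP clients require.
# Path and host names are the post's placeholders; function names are chosen here.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject CN: the only name pre-Vista SP1 Outlook Anywhere clients look at
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); on Windows Format($true)
    # renders it as one "DNS Name=host" entry per line
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
        })
    }
    return ($names | Select-Object -Unique)
}

function Test-ExchangeCertNames {
    param(
        [Parameter(Mandatory=$true)][string]$Path,            # e.g. c:\certnew.cer
        [Parameter(Mandatory=$true)][string[]]$ExpectedNames,
        [string]$OutlookAnywhereHost                           # must be the subject CN for XP clients
    )
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $present = Get-CertificateDnsNames $cert
    $missing = @($ExpectedNames | Where-Object { $present -notcontains $_ })   # case-insensitive
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint       # the value Enable-ExchangeCertificate needs
        SubjectCN         = $cn
        NamesOnCert       = $present
        MissingNames      = $missing
        AllNamesPresent   = ($missing.Count -eq 0)
        XpOutlookAnywhere = ((-not $OutlookAnywhereHost) -or ($cn -ieq $OutlookAnywhereHost))
        NotAfter          = $cert.NotAfter
    }
}

Test-ExchangeCertNames -Path 'c:\certnew.cer' `
    -ExpectedNames 'owa.officialdomain.com','autodiscover.officialdomain.com','server1.mydomain.local','server1' `
    -OutlookAnywhereHost 'owa.officialdomain.com' | Format-List
```

If MissingNames is not empty, the CA dropped a SAN (some public CAs refuse internal names such as server1.mydomain.local) and clients using that name will keep getting the name mismatch error; XpOutlookAnywhere tells you whether XP clients will be able to use Outlook Anywhere with this certificate.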

Set NTP servers on Windows Server 2008

First, check/set the following registry values (Type=NTP makes the service sync from the manual peer list instead of the domain hierarchy, and enabling the NtpServer provider lets the machine answer NTP requests from other hosts):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

Then, run the following commands. The peer list is space-separated and must be quoted, and the ,0x8 suffix goes on each peer (it requests client mode, i.e. plain NTP requests instead of symmetric active mode):

w32tm /config /syncfromflags:manual /reliable:yes /manualpeerlist:"time.nist.gov,0x8 tick.usno.navy.mil,0x8 tock.usno.navy.mil,0x8"
w32tm /config /update
w32tm /resync

Note: do this on a standalone server or on the domain's PDC emulator only. Other domain members should keep Type=NT5DS and follow the domain hierarchy, otherwise Kerberos (which tolerates 5 minutes of skew) and log correlation suffer when the sources disagree.
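The same configuration as a PowerShell script that also verifies the result, as an added example (not from the original post). It runs elevated, uses the post's peer names, and parses the output of w32tm /query /status; Set-NtpPeers and Get-NtpSyncState are names chosen here.

```powershell
# Added example, not code from the original post: apply the NTP settings above and
# then check that the Windows Time service is really synchronised from them.
# Run from an elevated prompt. Peer names are the post's; function names are chosen here.

function Set-NtpPeers {
    param(
        [string[]]$Peers = @('time.nist.gov', 'tick.usno.navy.mil', 'tock.usno.navy.mil'),
        [switch]$ServeTime    # also answer NTP requests from other machines (NtpServer provider)
    )
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    # Type=NTP: sync from the manual peer list, not the domain hierarchy
    # (w32tm /syncfromflags:manual sets the same value; kept here to mirror the post)
    Set-ItemProperty -Path "$w32\Parameters" -Name Type -Value 'NTP'
    if ($ServeTime) {
        Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    }
    # every peer gets the 0x8 (client mode) flag; the list is space separated
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm.exe /config /syncfromflags:manual /reliable:yes "/manualpeerlist:$peerList" | Out-Null
    & w32tm.exe /config /update | Out-Null
    Restart-Service w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Get-NtpSyncState {
    # Parse "w32tm /query /status"; Source shows what the clock follows. "Local CMOS Clock"
    # or "Free-running System Clock" mean the machine is NOT synchronised.
    $status = & w32tm.exe /query /status
    $fields = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*(Source|Stratum|Last Successful Sync Time|Leap Indicator|Poll Interval):\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Source       = $fields['Source']
        Stratum      = $fields['Stratum']
        LastSync     = $fields['Last Successful Sync Time']
        PollInterval = $fields['Poll Interval']
        Synchronised = [bool]($fields['Source'] -and ($fields['Source'] -notmatch 'CMOS|Free-running'))
        Peers        = ((& w32tm.exe /query /peers) -join "`n")
    }
}

Set-NtpPeers -ServeTime
Start-Sleep -Seconds 10      # give the service a moment to complete the first exchange
Get-NtpSyncState | Format-List
```

Synchronised should be True and Source should name one of the peers (with its ,0x8 flag). If Source still reads "Local CMOS Clock", port 123/UDP is usually blocked outbound; w32tm /stripchart /computer:time.nist.gov /samples:3 /dataonly shows whether the peer answers at all.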

Thursday, September 24, 2009

VMWare ESXi 3.5, USB and APC UPS

It appears that ESXi 3.5 doesn't support passing USB ports through to VMs, and as my APC battery is monitored through USB, I cannot have APC PowerChute running on one of my VMs.
For USB (or serial port) monitored batteries, you will need to use a physical machine, which makes sense if the agent is also meant to shut down the host itself on a power loss.

Administrative Template File for Forefront (Forefront.adm)

Forefront Client Security doesn't come with an .adm file to manage it through Group Policy.
You can use the Forefront Client Security console to set the parameters (scan schedule, user rights...).
When they are deployed through a GPO, you'll find those parameters under Extra Registry Settings, which is not very handy.
On Aaron Tiensivu's blog you will find an .adm file (forefront.adm) that you can copy to the C:\Windows\inf folder of the server running Group Policy Management to get a more readable view.

Wednesday, September 23, 2009

Windows Explorer Problems with Office SharePoint Server 2007 on Windows Server 2008 R2

I was installing MOSS 2007 on Windows Server 2008 R2 recently and the installation went very smoothly. You basically create a slipstreamed installation source of MOSS with SP2 and run it like you would any other install (Google it: there are plenty of how-tos out there).

Everything was running fine until I tried to open a document library in Windows Explorer using "Actions" - "Open with Windows Explorer". The browser just didn't react, and neither did Windows Explorer.

It turns out I had installed the WebDAV Publishing feature that comes with IIS, and SharePoint's own WebDAV implementation didn't like that one bit. Using Server Manager I removed WebDAV from the IIS features, bounced the server and all was well.

Wednesday, September 9, 2009

Analyzing IIS Logs

I have worked with applications before which analyze web logs, but most of them required a lot more work and configuration (or cost) than I am often prepared to invest.
I was looking for a simple tool that would let me point at my IIS logs and say "analyze"!
After a little bit of searching, and a lot of giving up on software that either needed too much work or was just poorly written/documented, I found this:
WebLog Expert Lite
It does everything I need and, best of all, it's freeware!