
Terminal's IT Support, Products & Services Blog


Configure Exchange with One Certificate for Both Internal and External Connections

Starting with Exchange 2007 and Outlook 2007, client connections to the server are encrypted using SSL.  This requires that a valid certificate be installed on the Exchange server, or the Outlook client will warn the user each time Outlook is opened.  By default, Exchange installs a self-signed certificate during installation, which will be automatically valid for any Outlook clients connecting from computers within the same domain as the server.  However, if you plan to set up remote users with Outlook using RPC over HTTPS (also known as Outlook Anywhere), the users' internet-facing Client Access Server will require an externally valid SSL certificate.  In a situation where a company has only one Exchange server handling all roles, this quickly becomes a problem.  Once the externally valid certificate is installed on the Exchange server, all internal clients on Outlook 2007 or later will receive a certificate error each time Outlook is opened.  This is because the Exchange server presents itself to the clients under its internal network name (e.g. exchange.company.local), while the certificate carries its external name (e.g. mail.company.com).  This name mismatch is the source of the Outlook warning.

The simplest way to circumvent this issue is to purchase a multi-domain certificate, which will be valid for both the external and the internal name of the server.  There are two major downsides to this, however.  One is cost.  Multi-domain certificates are significantly more expensive than standard, single-name certificates.  The second downside is that the certificate will contain the internal name of the server, and since the certificate is presented to anyone who connects, that internal name becomes publicly visible.  This can be a security liability, exposing internal network information to anyone who cares to look.

The better solution is to modify the Exchange server to use *only* the external server name when making connections to clients.  This allows a single-name certificate to secure all connections made by the server and ensures the server will only ever refer to itself by this chosen external name.  The steps to accomplish this are somewhat complex, but thankfully, some great people have written PowerShell scripts which execute the necessary commands for both Exchange 2007 and Exchange 2010.  Running these scripts changes the name used both internally and externally by all virtual directories, as well as the Autodiscover SCP on the server.

Below are copies of the scripts for both Exchange 2010 and Exchange 2007.

Brian St. Marie - Sr. Systems Engineer

========================================================
Exchange 2007 - Credit to Exchange Ninjas (http://www.exchangeninjas.com/set-allvdirs)
========================================================

# Script to allow you to set all virtual directories to a common name like mail.company.com

Start-Transcript

# Variables
[string]$UMExtend = '/UnifiedMessaging/Service.asmx'
[string]$OABExtend = '/OAB'
[string]$SCPExtend = '/Autodiscover/Autodiscover.xml'
[string]$EWSExtend = '/EWS/Exchange.asmx'
[string]$ConfirmPrompt = 'Set this Value? (Y/N)'
[string]$NoChangeForeground = 'white'
[string]$NoChangeBackground = 'red'

Write-Host 'This will allow you to set the virtual directories associated with Autodiscover provided services to the name you provide.'
Write-Host ''
[string]$base = Read-Host 'Base name of virtual directory (e.g. mail.company.com)'
Write-Host ''

# =======================================================
# Validate if a third party trusted certificate is being used,
# because BITS (which downloads the OAB) won't use untrusted certificates
[string]$set = Read-Host 'Is the certificate being used an internally generated certificate? (Y/N)'
Write-Host ''

if ($set -eq 'Y') {
    [string]$OABprefix = 'http://'
} else {
    [string]$OABprefix = 'https://'
}

# =======================================================
# Build the Autodiscover URL and set the SCP value on every Client Access Server
Write-Host 'Setting Autodiscover Service Connection Point' -ForegroundColor Yellow
Write-Host ''

$SCPURL = 'https://' + $base + $SCPExtend

[array]$SCPCurrent = Get-ClientAccessServer

foreach ($value in $SCPCurrent) {
    Write-Host 'Looking at Server: ' $value.Name
    Write-Host 'Current SCP value: ' $value.AutoDiscoverServiceInternalUri.AbsoluteUri
    Write-Host 'New SCP Value:     ' $SCPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ClientAccessServer -Identity $value.Identity -AutoDiscoverServiceInternalUri $SCPURL
    } else {
        Write-Host 'Autodiscover Service Connection Point internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the EWS URL and set the internal and external values
Write-Host 'Setting Exchange Web Services Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$EWSURL = 'https://' + $base + $EWSExtend

[array]$EWSCurrent = Get-WebServicesVirtualDirectory

foreach ($value in $EWSCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Identity $value.Identity -InternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Identity $value.Identity -ExternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the OAB URL and set the internal and external values
Write-Host 'Setting OAB Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OABURL = $OABprefix + $base + $OABExtend

[array]$OABCurrent = Get-OABVirtualDirectory

foreach ($value in $OABCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Identity $value.Identity -InternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Identity $value.Identity -ExternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the UM URL and set the internal and external values
Write-Host 'Setting UM Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$UMURL = 'https://' + $base + $UMExtend

[array]$UMCurrent = Get-UMVirtualDirectory

foreach ($value in $UMCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Identity $value.Identity -InternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Identity $value.Identity -ExternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

Stop-Transcript

========================================================
Exchange 2010 - Credit to Barry Martin (http://virtualbarrymartin.me/2009/12/29/how-to-setup-exchange-2010-to-use-a-single-certificate-for-internal-and-external-use/)
========================================================

# Script to allow you to set all virtual directories to a common name like mail.company.com

Start-Transcript

# Variables
[string]$UMExtend = '/UnifiedMessaging/Service.asmx'
[string]$OWAExtend = '/OWA'
[string]$OABExtend = '/OAB'
[string]$SCPExtend = '/Autodiscover/Autodiscover.xml'
[string]$EWSExtend = '/EWS/Exchange.asmx'
[string]$ECPExtend = '/ECP'
[string]$ConfirmPrompt = 'Set this Value? (Y/N)'
[string]$NoChangeForeground = 'white'
[string]$NoChangeBackground = 'red'

Write-Host 'This will allow you to set the virtual directories associated with setting up a single SSL certificate to work with Exchange 2010.'
Write-Host ''
[string]$base = Read-Host 'Base name of virtual directory (e.g. mail.company.com)'
Write-Host ''

# =======================================================
# Validate if a third party trusted certificate is being used,
# because BITS (which downloads the OAB) won't use untrusted certificates
[string]$set = Read-Host 'Is the certificate being used an internally generated certificate? (Y/N)'
Write-Host ''

if ($set -eq 'Y') {
    [string]$OABprefix = 'http://'
} else {
    [string]$OABprefix = 'https://'
}

# =======================================================
# Build the Autodiscover URL and set the SCP value on every Client Access Server
Write-Host 'Setting Autodiscover Service Connection Point' -ForegroundColor Yellow
Write-Host ''

$SCPURL = 'https://' + $base + $SCPExtend

[array]$SCPCurrent = Get-ClientAccessServer

foreach ($value in $SCPCurrent) {
    Write-Host 'Looking at Server: ' $value.Name
    Write-Host 'Current SCP value: ' $value.AutoDiscoverServiceInternalUri.AbsoluteUri
    Write-Host 'New SCP Value:     ' $SCPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ClientAccessServer -Identity $value.Identity -AutoDiscoverServiceInternalUri $SCPURL
    } else {
        Write-Host 'Autodiscover Service Connection Point internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the EWS URL and set the internal and external values
Write-Host 'Setting Exchange Web Services Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$EWSURL = 'https://' + $base + $EWSExtend

[array]$EWSCurrent = Get-WebServicesVirtualDirectory

foreach ($value in $EWSCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Identity $value.Identity -InternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Identity $value.Identity -ExternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the OAB URL and set the internal and external values
Write-Host 'Setting OAB Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OABURL = $OABprefix + $base + $OABExtend

[array]$OABCurrent = Get-OABVirtualDirectory

foreach ($value in $OABCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Identity $value.Identity -InternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Identity $value.Identity -ExternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the UM URL and set the internal and external values
Write-Host 'Setting UM Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$UMURL = 'https://' + $base + $UMExtend

[array]$UMCurrent = Get-UMVirtualDirectory

foreach ($value in $UMCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Identity $value.Identity -InternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Identity $value.Identity -ExternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the ECP URL and set the internal and external values
Write-Host 'Setting ECP Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$ECPURL = 'https://' + $base + $ECPExtend

[array]$ECPCurrent = Get-ECPVirtualDirectory

foreach ($value in $ECPCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $ECPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ECPVirtualDirectory -Identity $value.Identity -InternalUrl $ECPURL
    } else {
        Write-Host 'ECP Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $ECPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ECPVirtualDirectory -Identity $value.Identity -ExternalUrl $ECPURL
    } else {
        Write-Host 'ECP Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the OWA URL and set the internal and external values
Write-Host 'Setting OWA Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OWAURL = 'https://' + $base + $OWAExtend

[array]$OWACurrent = Get-OWAVirtualDirectory

foreach ($value in $OWACurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OWAURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OWAVirtualDirectory -Identity $value.Identity -InternalUrl $OWAURL
    } else {
        Write-Host 'OWA Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OWAURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OWAVirtualDirectory -Identity $value.Identity -ExternalUrl $OWAURL
    } else {
        Write-Host 'OWA Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

Stop-Transcript
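After running either script, the check a practitioner wants is that every name the server hands to clients now equals the chosen external name and that a valid, IIS-enabled certificate actually covers it. The following is an added verification example, not part of the original post or of the credited scripts; it assumes the Exchange Management Shell, that -Base is the name you gave the script (e.g. mail.company.com), and that internal DNS resolves that name to the Client Access Server.

```powershell
# Added verification example (not from the original post or the credited scripts).
# Run in the Exchange Management Shell after one of the scripts above.
# Assumes internal DNS resolves -Base to the Client Access Server.
param(
    [Parameter(Mandatory = $true)]
    [string]$Base
)

# Collect every host name Autodiscover and Outlook Anywhere hand to clients, as (Source, Host).
$clientNames = @()

foreach ($cas in Get-ClientAccessServer) {
    $uri = $cas.AutoDiscoverServiceInternalUri
    if ($uri) { $clientNames += New-Object PSObject -Property @{ Source = "SCP on $($cas.Name)"; Host = $uri.Host } }
}

# Get-Command guards cmdlets that only exist on some roles/versions (ECP is 2010-only).
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-UMVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($vdir in & $cmdlet) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $vdir.$prop
            if ($url) { $clientNames += New-Object PSObject -Property @{ Source = "$($vdir.Identity) $prop"; Host = ([uri]$url).Host } }
        }
    }
}

# Outlook Anywhere (RPC over HTTPS) carries its own external host name, which must match too.
if (Get-Command Get-OutlookAnywhere -ErrorAction SilentlyContinue) {
    foreach ($oa in Get-OutlookAnywhere) {
        if ($oa.ExternalHostname) { $clientNames += New-Object PSObject -Property @{ Source = "$($oa.Identity) ExternalHostname"; Host = $oa.ExternalHostname.ToString() } }
    }
}

# Any host that is not the chosen name (typically a leftover server.company.local)
# is exactly what produces the certificate-name warning described in the post.
$mismatch = @($clientNames | Where-Object { $_.Host -ne $Base })
if ($mismatch.Count -eq 0) {
    Write-Host "All $($clientNames.Count) client-facing names are $Base" -ForegroundColor Green
} else {
    Write-Host "$($mismatch.Count) name(s) still differ from $Base :" -ForegroundColor Red
    $mismatch | Format-Table Source, Host -AutoSize
}

# Confirm a certificate covering the name (exact or wildcard) is unexpired and enabled for
# IIS, the service behind Autodiscover, EWS, OAB, OWA, ECP and Outlook Anywhere.
$wildcard = $Base -replace '^[^.]+', '*'      # mail.company.com -> *.company.com
$cert = Get-ExchangeCertificate | Where-Object {
    $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    ($_.Services.ToString() -match 'IIS') -and
    $_.NotAfter -gt (Get-Date) -and
    ($names -contains $Base -or $names -contains $wildcard)
} | Select-Object -First 1

if ($cert) {
    Write-Host "IIS certificate covering $Base found: thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)" -ForegroundColor Green
    # The post's privacy point: the public certificate should carry no internal (.local) name.
    $internal = @($cert.CertificateDomains | ForEach-Object { $_.ToString() } | Where-Object { $_ -like '*.local' })
    if ($internal.Count -gt 0) {
        Write-Host "Warning: certificate also exposes internal names: $($internal -join ', ')" -ForegroundColor Yellow
    }
} else {
    Write-Host "No valid IIS-enabled certificate covers $Base" -ForegroundColor Red
}
```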


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Exchange 2010 Transaction Logs Rapidly Filling Disk Space


Recently we migrated a relatively small company from a POP3 email service to their own Microsoft Exchange 2010 server. Over the course of two days we imported approximately 25 mailboxes, which grew the message store database to around 16GB. On the fifth day we noticed that the disk drive on our brand new mail server was completely full. We discovered that the Exchange transaction logs had grown to an astonishing 189GB in just three or four days!

The first step was to immediately remedy the storage issue by dismounting the mailbox database and using the eseutil /mh command to verify that the database had shut down cleanly and that there were no more log files to be played into the database. This turned out to be true, which didn't really help us come to a conclusion.  We decided to move the massive amount of logs to an alternative storage location just in case.

With the database mounted and the storage situation taken care of (for now) it was time to begin monitoring the logs. I began checking on the server every few hours over the weekend and to my delight it appeared that the logs had settled down and all was well. As users began to trickle in Monday morning I quickly found out that I was very wrong. I watched transaction logs being created at the rate of one log file every 1 to 3 seconds!  After doing a little research I was pointed in the direction of ExMon. This is the Exchange User Monitoring utility that was written by MS guys a few Exchange versions back, but it continues to be supported to this day. Armed with the user monitoring tool, I was able to watch performance activity as the various mailboxes were accessed and manipulated.

A few patterns became evident, and two very important columns in the tool helped me resolve our problem.  One is CPU%, and the most important is Log Bytes. CPU% is the store CPU percentage consumed by the user. This can reach very high numbers upon opening Outlook and during a send/receive action, but it should not constantly be in the 90%-100% range for a single user. The other tipoff was the Log Bytes per user. As a user receives a message or takes action on a message by moving it to a folder or deleting it, etc., Exchange will create a transaction of this event and store it in a log file.  If a user has an excessively large number of log bytes written along with an excessively high CPU% over several refresh periods, you can be sure that they are your trouble mailboxes.

It turns out that four of our users had some imported messages that were corrupted and therefore stuck on synchronizing to the database. Each time the message begins to sync, a transaction is recorded. Since the message failed to synchronize it attempts again and again, which creates a constant loop. We determined that all of the necessary mail had already completed the import process, so the resolution was simple. We rebuilt each problem user's Outlook profile, which downloaded all of the "good" mail that was successfully synchronized after the initial PST import.

Tips for using the ExMon tool can be found here.
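The runaway pattern above (one log every 1 to 3 seconds) is easy to catch before the disk fills if the log folder is sampled regularly. The following is an added example, not from the original post: it reads each mailbox database's log folder and log prefix (E00, E01, ...) from Get-MailboxDatabase, counts the logs closed in the last few minutes, and flags any database generating them at a runaway rate. It assumes an Exchange 2010 Mailbox server and the Exchange Management Shell; the 20 logs/minute threshold is my choice.

```powershell
# Added example (not from the original post): measure transaction-log generation rate
# per mailbox database so a looping client is noticed before the volume fills.
# Assumes Exchange 2010 Mailbox server role and the Exchange Management Shell.
param(
    [int]$WindowMinutes = 10,
    # 20 logs/minute is one log every 3 seconds, the rate the post describes as runaway.
    [int]$AlertLogsPerMinute = 20
)

function Get-LogRate {
    param([string]$Folder, [string]$Prefix, [int]$Minutes)
    $since = (Get-Date).AddMinutes(-$Minutes)
    # Closed logs are named <prefix><8 hex digits>.log; <prefix>.log is the one still open.
    $logs = @(Get-ChildItem -Path $Folder -Filter "$Prefix*.log" -ErrorAction Stop |
              Where-Object { $_.Name -ne "$Prefix.log" -and $_.CreationTime -ge $since })
    $mb = ($logs | Measure-Object -Property Length -Sum).Sum / 1MB
    $mins = [math]::Max($Minutes, 1)
    New-Object PSObject -Property @{
        Folder        = $Folder
        LogsInWindow  = $logs.Count
        LogsPerMinute = [math]::Round($logs.Count / $mins, 1)
        MBPerHour     = [math]::Round($mb * 60 / $mins, 0)
    }
}

# Log folders are local paths, so only look at databases hosted on this server.
$localDbs = Get-MailboxDatabase | Where-Object { $_.Server.Name -eq $env:COMPUTERNAME }
foreach ($db in $localDbs) {
    $rate = Get-LogRate -Folder $db.LogFolderPath.PathName -Prefix $db.LogFilePrefix -Minutes $WindowMinutes
    $line = "{0}: {1} logs in {2} min ({3}/min, ~{4} MB/hour)" -f `
        $db.Name, $rate.LogsInWindow, $WindowMinutes, $rate.LogsPerMinute, $rate.MBPerHour
    if ($rate.LogsPerMinute -ge $AlertLogsPerMinute) {
        # Sustained generation at this rate points at a looping client; ExMon's Log Bytes
        # and CPU% columns, as described above, identify which mailbox is responsible.
        Write-Host $line -ForegroundColor Red
    } else {
        Write-Host $line -ForegroundColor Green
    }
}
```

Run it from a scheduled task at the same interval as -WindowMinutes, and the MB/hour figure tells you how long the remaining free space on the log volume will last.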

Adam Jones - Systems Engineer


Outlook Import Wizard


Converting Windows Mail to Microsoft Outlook is easy to do with the Outlook Import Wizard.  I had a client that was on Outlook Express, which changed over to Windows Mail in Windows Vista and Windows 7. They had a lot of email, contacts, and calendar events that needed to be converted into Outlook. I found the Outlook Import Wizard makes it much easier to convert EML files to a PST file.  EML files can be found under C:\Users\{your user account name}\AppData\Local\Microsoft\Windows Mail\Local Folders\, alongside the account.oeaccount file. You can find the conversion tool by just doing a search in Google. I encourage people to make the switch to Outlook if they are planning on purchasing MS Office or have already purchased it and are not yet utilizing the Outlook program.

Dennis Foote - Systems Engineer


Sending as an Email Alias in Outlook and Exchange


Oftentimes, users want the ability to send email from a different address using Microsoft Outlook.  With a Microsoft Exchange server, it's very easy to add additional email addresses for users to receive mail, but not so easy to allow them to send from those addresses.

Each mailbox on an Exchange server has a primary address.  This is the address from which all mail is addressed when sending through this mailbox.  So even if you add aliases to this mailbox which allow it to receive mail on a different address, the user will not be able to send from that address.

Unfortunately, despite this being a highly requested feature by users for many years, Microsoft has yet to create any way to allow users to do this natively in Outlook and Exchange.

One workaround is to create a second "dummy" mailbox and assign the alias address to this mailbox instead.  Permissions can then be added to this dummy mailbox to allow the user to choose the dummy mailbox address in the "From" field on new emails.  The dummy mailbox can then be configured to forward any incoming email to the alias to the user's primary mailbox.  This will work, but it is a bit clunky, and requires the user to select the alias address out of the Global Address List each time they want to send an email with the alias address.

Likewise, a distribution list can be used to accomplish the same thing.  In addition, using a distribution list can allow more than one person to receive mail on the alias address, which can be useful for generic email aliases like support@ or sales@.  However, it still requires the users to select the alias address from the Global Address List each time they want to send from the alias.

The last option is to use a third party product to add functionality to Outlook which will allow the user to select a mailbox alias as their sending address as they compose a new email.  This setup is the most straightforward and intuitive for users, but it does require additional cost and software.

As multiple addresses per user become more and more common, hopefully Microsoft will add this functionality into future versions of Outlook and Exchange.  For now, while there are no perfect solutions for this common problem, there are workarounds which can do the job.
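The dummy-mailbox and distribution-list workarounds above come down to a handful of Exchange Management Shell commands. The following is an added example, not from the original post; all names and addresses are placeholders, and creating the placeholder as a shared mailbox (so it has a disabled AD account and no logon password) is my choice rather than something the post specifies.

```powershell
# Added example (not from the original post): the "dummy mailbox" workaround, plus the
# distribution-list variant. Every name and address below is a placeholder.
$User      = 'jdoe'                  # user who should be able to send as the alias
$UserSmtp  = 'jdoe@company.com'      # that user's primary SMTP address
$AliasSmtp = 'support@company.com'   # the alias address the user wants to send from
$DummyName = 'Support Alias'         # display name the user will pick from the GAL

# 1. Create the placeholder mailbox that will own the alias address. A shared mailbox
#    (my choice) gets a disabled AD account, so nobody can log on to it directly.
New-Mailbox -Shared -Name $DummyName -DisplayName $DummyName -Alias 'supportalias'

# 2. Make the alias its primary address, and stop the address policy from overwriting it.
Set-Mailbox -Identity $DummyName -EmailAddressPolicyEnabled $false
Set-Mailbox -Identity $DummyName -PrimarySmtpAddress $AliasSmtp

# 3. Grant Send As only. This single right is what lets the user choose the
#    placeholder's address in Outlook's From field; Full Access is not needed for that.
Add-ADPermission -Identity $DummyName -User $User -AccessRights ExtendedRight -ExtendedRights 'Send As'

# 4. Deliver mail addressed to the alias into the user's real mailbox without keeping a copy.
Set-Mailbox -Identity $DummyName -ForwardingAddress $UserSmtp -DeliverToMailboxAndForward $false

# Distribution-list variant: several people receive the alias, and each one who should
# also send as it gets the same explicit Send As right on the group.
# New-DistributionGroup -Name 'Sales' -PrimarySmtpAddress 'sales@company.com'
# Add-DistributionGroupMember -Identity 'Sales' -Member $User
# Add-ADPermission -Identity 'Sales' -User $User -AccessRights ExtendedRight -ExtendedRights 'Send As'

# Audit: list exactly who holds Send As on the alias, because every grant here lets that
# account send mail that appears to come from the alias address.
Get-ADPermission -Identity $DummyName |
    Where-Object { $_.ExtendedRights -like 'Send*' -and -not $_.IsInherited -and -not $_.Deny } |
    Format-Table User, ExtendedRights -AutoSize
```

Outlook caches Send As rights, so the user may need to restart Outlook before the new From address is accepted.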

Brian St. Marie - Sr. Systems Engineer
