Monday, 21 July 2014

UAG Replacement?

Microsoft has announced changes to the Forefront product line (see Important Changes to the Forefront Product Line). If you have not yet deployed UAG and are looking for a replacement, consider IIS Application Request Routing, as described in Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR. Note, however, that ARR is a web reverse proxy and only handles HTTP and HTTPS traffic; it does not cover the non-web scenarios UAG offered.

Forefront Unified Access Gateway

Based on product strategy, customer feedback, and prevailing market dynamics, Microsoft has made the decision not to deliver any further full version releases of Forefront UAG.
Microsoft customers continue to have access to select remote access and secure application publishing capabilities through Windows Server 2012 R2.  Windows Server is not a complete replacement for all UAG scenarios, but it does provide:
  • DirectAccess deployment and policy management.  This capability has been part of Windows Server 2012 since its initial release in September 2012.
  • Basic secure application publishing via the new Web Application Proxy service in the Remote Access role of Windows Server 2012 R2.  This new service allows customers to securely publish access to resources through a reverse proxy and includes integration with Active Directory Federation Services (ADFS) for conditional access policy and multi-factor authentication capabilities.
Customers will be granted a Windows Server 2012 Standard server license for each UAG server license with active Software Assurance to allow them to make the transition.  For customers who wish to continue using Forefront UAG, Microsoft will provide maintenance and support through the standard Microsoft support lifecycle.  Mainstream support will continue through April 14, 2015, and extended support will continue through April 14, 2020.  Customers with active Software Assurance on UAG as of Dec. 1, 2013 may also add new UAG server instances, users, and devices without any requirement to order additional licenses.

Tuesday, 8 July 2014

Install and Configure Exchange 2010 - Part 5

In this post, I will show you the basic configuration of the Mailbox Server role.

Mailbox Server Role Configurations
1. Database Availability Group (DAG)

Create Database Availability Group (DAG)
1. Log on to EXCH01. Open EMC > Mailbox > Database Availability Groups > click New Database Availability Group.

2. Enter the DAG information

3. Finish

Manage Database Availability Group (DAG)
1. Right click on the DAG01 and “Manage Database Availability Group Membership”


2. Click Add and select EXCH01 and EXCH02 into the membership list
 

3. Click Finish

Manage Database Availability Group Properties
1. Before configuring the witness server, note that RMS01 is not an Exchange server. Exchange creates the witness directory and its file share itself, so the Exchange Trusted Subsystem universal security group must be a member of the local Administrators group on RMS01.

2. Log on to RMS01 and open the local Administrators group (Computer Management > Local Users and Groups > Groups).

3. Add the domain group Exchange Trusted Subsystem to the local Administrators group.

4. Do not add the RMS01 computer account to the Exchange Trusted Subsystem group itself. It is not needed for the witness role, and because that group holds broad rights over Exchange and its Active Directory objects, doing so would hand those rights to anything running as SYSTEM on RMS01.

5. Choose Properties of DAG01

6. Enter the alternate witness server and its directory
 

7. Add the DAG IP address
 

8. Both EXCH01 and EXCH02 should be listed under Operational Servers

Database Availability Group Network
Rename the DAG Network accordingly.

Using two network adapters in each DAG member provides you with one MAPI network and one Replication network, with redundancy for the Replication network and the following recovery behaviors:

  • In the event of a failure affecting the MAPI network, a server failover will occur (assuming there are healthy mailbox database copies that can be activated).
  • In the event of a failure affecting the Replication network, if the MAPI network is unaffected by the failure, log shipping and seeding operations will revert to use the MAPI network, even if the MAPI network has its ReplicationEnabled property set to False. When the failed Replication network is restored to health and ready to resume log shipping and seeding operations, you must manually switch over to the Replication network. To change replication from the MAPI network to a restored Replication network, you can either suspend and resume continuous replication by using the Suspend-MailboxDatabaseCopy and Resume-MailboxDatabaseCopy cmdlets, or restart the Microsoft Exchange Replication service. We recommend using suspend and resume operations to avoid the brief outage caused by restarting the Microsoft Exchange Replication service.



Enable Database Activation Coordination (DAC) Mode
1. DAC mode stops a DAG member that has lost contact with the rest of the DAG from mounting its databases on its own (split brain at the database level), which matters during a datacenter switchback. Log on to EXCH01 or EXCH02 and run the following cmdlet in EMS:
Set-DatabaseAvailabilityGroup DAG01 -DatacenterActivationMode DagOnly


2. Enter the following cmdlet to verify
Get-DatabaseAvailabilityGroup DAG01 | fl name,*activation

Add Database Copies
1. Select the database to replicate and choose “Add Mailbox Database Copy”
 

2. Browse to the target server that will host the passive copy
 

3. Finish

4. Repeat step 1 to step 3 for the remaining mailbox databases
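The whole DAG build above (create the DAG, add members, witness, network names, DAC mode, database copies) can be done from one Exchange Management Shell session on EXCH01 instead of clicking through EMC. The following is an added example written for this post, not the original author's script. The witness directory C:\DAG01, the DAG IP 192.168.1.60, the replication subnet 10.10.10.0/24, the alternate witness RMS02 and the NetBIOS domain name INTERNAL are assumptions; substitute your own values.

```powershell
# Added example: EMS equivalent of the EMC DAG steps above (Exchange 2010, PowerShell 2.0 compatible).
$dagName    = "DAG01"
$members    = "EXCH01", "EXCH02"
$witness    = "RMS01"
$witnessDir = "C:\DAG01"        # assumed directory on the witness server
$dagIp      = "192.168.1.60"    # assumed static IP on the MAPI subnet

# 0. Prerequisite, run ONCE ON RMS01 (not in EMS): the witness is not an Exchange server,
#    so Exchange Trusted Subsystem must be a local admin there to create the share.
#    net localgroup Administrators "INTERNAL\Exchange Trusted Subsystem" /add   # INTERNAL = assumed NetBIOS domain

# 1. Create the DAG with its witness and static IP.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer $witness -WitnessDirectory $witnessDir `
    -DatabaseAvailabilityGroupIpAddresses $dagIp

# 2. Add the members one at a time (failover clustering is installed on each as needed).
foreach ($m in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $m
}

# 3. Alternate witness for datacenter switchover (assumed name and path).
Set-DatabaseAvailabilityGroup -Identity $dagName `
    -AlternateWitnessServer "RMS02" -AlternateWitnessDirectory "C:\DAG01"

# 4. Rename the auto-created networks by subnet, not by their DAGNetworkNN default names,
#    and keep replication off the MAPI network so log shipping prefers the dedicated link.
Get-DatabaseAvailabilityGroupNetwork -Identity $dagName | ForEach-Object {
    $subnets = $_.Subnets | Out-String
    if ($subnets -match "10\.10\.10\.") {        # assumed replication subnet
        Set-DatabaseAvailabilityGroupNetwork -Identity $_.Identity -Name "ReplicationNetwork" -ReplicationEnabled $true
    } else {
        Set-DatabaseAvailabilityGroupNetwork -Identity $_.Identity -Name "MapiNetwork" -ReplicationEnabled $false
    }
}

# 5. DAC mode: a member cut off from the DAG cannot mount databases on its own.
Set-DatabaseAvailabilityGroup -Identity $dagName -DatacenterActivationMode DagOnly

# 6. Give every single-copy database a passive copy on the other member.
foreach ($src in $members) {
    $target = $members | Where-Object { $_ -ne $src }
    Get-MailboxDatabase -Server $src | Where-Object { $_.ReplicationType -eq "None" } | ForEach-Object {
        Add-MailboxDatabaseCopy -Identity $_.Name -MailboxServer $target -ActivationPreference 2
    }
}

# 7. Verify membership, witness, DAC mode, and copy health.
Get-DatabaseAvailabilityGroup $dagName -Status | fl Name,Servers,*Witness*,DatacenterActivationMode,OperationalServers,*Ipv4*
Get-MailboxDatabaseCopyStatus -Server "EXCH02" | ft Name,Status,CopyQueueLength,ReplayQueueLength,ContentIndexState -AutoSize
Test-ReplicationHealth

# 8. After a repaired Replication network outage, move log shipping back off the MAPI network
#    by suspending and resuming each healthy passive copy (no Replication service restart).
Get-MailboxDatabaseCopyStatus -Server "EXCH02" |
    Where-Object { $_.Status -eq "Healthy" -and -not $_.ActiveCopy } | ForEach-Object {
        Suspend-MailboxDatabaseCopy -Identity $_.Identity -Confirm:$false
        Resume-MailboxDatabaseCopy  -Identity $_.Identity
    }
```

Step 8 is the manual switch-back described in the Database Availability Group Network section; it is included here so the recovery action sits next to the configuration it depends on.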

2. Offline Address Book (OAB)
Set the default offline address book. The generation server can be any of the Exchange Mailbox servers.
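The same setting in EMS, as an added example that is not from the original post. It assumes the OAB still has the name Exchange creates, "Default Offline Address Book", that EXCH01 should generate it, and that both CAS servers' OAB virtual directories (configured in Part 4) should distribute it.

```powershell
# Added example: make one OAB the default, move generation to EXCH01, publish it via both CAS servers.
$oab = Get-OfflineAddressBook "Default Offline Address Book"   # assumed OAB name

# Databases without an explicit OAB fall back to the default one.
Set-OfflineAddressBook -Identity $oab.Identity -IsDefault $true

# Generation runs on exactly one Mailbox server; EXCH01 here (assumption).
Move-OfflineAddressBook -Identity $oab.Identity -Server "EXCH01"

# Web distribution points: Outlook 2007+ downloads the OAB over HTTPS from these vdirs.
Set-OfflineAddressBook -Identity $oab.Identity `
    -VirtualDirectories "EXCH01\OAB (Default Web Site)", "EXCH02\OAB (Default Web Site)"

# Generate now rather than waiting for the schedule, then verify.
Update-OfflineAddressBook -Identity $oab.Identity
Get-OfflineAddressBook | fl Name,Server,IsDefault,VirtualDirectories,AddressLists,Schedule
```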




3. Journaling (Optional)
In a Microsoft Exchange Server 2010 organization, the Journaling agent generates journal reports that contain message metadata, and the entire original message is attached to the journal report. It's important to protect the integrity of journal reports and the journaling mailbox, and to protect them from unauthorized access.

Exchange 2010 provides the following journaling options:

  • Standard journaling: Standard journaling is configured on a mailbox database. It enables the Journaling agent to journal all messages sent to and from mailboxes located on a specific mailbox database. To journal all messages to and from all recipients and senders, you must configure journaling on all mailbox databases on all Mailbox servers in the organization. 


  • Premium journaling: Premium journaling enables the Journaling agent to perform more granular journaling by using journal rules. Instead of journaling all mailboxes residing on a mailbox database, you can configure journal rules to match your organization's needs by journaling individual recipients or members of distribution groups. You must have an Exchange Enterprise client access license (CAL) to use premium journaling.

Whether you enable journaling with premium journaling (journal rules) or standard journaling (per-mailbox database journaling), a mailbox is required to collect the journal reports. This is known as the journaling mailbox.

In our setup, we are using standard journaling.

Create Journaling Mailbox
1. Log on to EXCH03, launch EMC and navigate to Recipient Configuration > Mailbox > New Mailbox

2. On the Introduction page, click User Mailbox


3. On the User Type page, click New User

4. On the User Information page, complete the fields.

5. Browse and select the database JOURNAL01
 

6. Skip the Archive Settings by clicking Next

7. Click New to create mailbox

8. Finish

Configure The Journaling Mailbox To Accept Messages Only From The Microsoft Exchange Recipient
1. Enter the following cmdlet in EMS
Set-Mailbox Journal -AcceptMessagesOnlyFromSendersOrMembers "Microsoft Exchange" -RequireSenderAuthenticationEnabled $true

2. Enter the following cmdlet to verify
Get-Mailbox journal | fl *accept*,*require*

Disable Storage Quota Limits For The Journaling Mailbox
1. Enter the following cmdlet in EMS
Set-Mailbox journal -UseDatabaseQuotaDefaults $false -IssueWarningQuota unlimited -ProhibitSendQuota unlimited -ProhibitSendReceiveQuota unlimited

Enable Per-Mailbox Database Journaling
1. Enter the following cmdlet in EMS
Set-MailboxDatabase DB01 -JournalRecipient journal

2. Repeat step 1 for each remaining mailbox database that should be journaled
 

3. Enter the following cmdlet to verify
Get-MailboxDatabase | ft name,*journal* -AutoSize

Exclude Journaling Database From Provisioning
1. Enter the following cmdlet in EMS
Set-MailboxDatabase journal01 -IsExcludedFromProvisioning:$True
 
2. Enter the following cmdlet to verify
Get-MailboxDatabase journal01 | fl *exclude*
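The journaling steps above, from mailbox creation to provisioning exclusion, as one EMS script. This is an added example, not the original post's commands; it assumes the UPN suffix internal.local for the journal account and that JOURNAL01 holds nothing but the journaling mailbox, so it is the one database left out of the journaling loop.

```powershell
# Added example: standard (per-database) journaling set up end to end in EMS.
$journalDb = "JOURNAL01"
$alias     = "journal"
$upn       = "journal@internal.local"               # assumed UPN suffix
$password  = Read-Host "Password for the journal account" -AsSecureString

# 1. Create the journaling mailbox on its own database.
New-Mailbox -Name "Journal" -Alias $alias -UserPrincipalName $upn `
    -Database $journalDb -Password $password -ResetPasswordOnNextLogon $false

# 2. Only the Microsoft Exchange recipient (the sender of journal reports) may deliver here,
#    and the sender must be authenticated, so users cannot inject or spoof journal reports.
Set-Mailbox $alias -AcceptMessagesOnlyFromSendersOrMembers "Microsoft Exchange" `
    -RequireSenderAuthenticationEnabled $true

# 3. No quotas, so journal reports are never refused for size reasons.
Set-Mailbox $alias -UseDatabaseQuotaDefaults $false -IssueWarningQuota Unlimited `
    -ProhibitSendQuota Unlimited -ProhibitSendReceiveQuota Unlimited

# 4. Keep ordinary mailboxes off the journal database, then journal every other database.
Set-MailboxDatabase $journalDb -IsExcludedFromProvisioning $true
Get-MailboxDatabase | Where-Object { $_.Name -ne $journalDb } | ForEach-Object {
    Set-MailboxDatabase $_.Identity -JournalRecipient $alias
}

# 5. Verify the hardening and the per-database assignments.
Get-Mailbox $alias | fl Database,AcceptMessagesOnlyFromSendersOrMembers,RequireSenderAuthenticationEnabled,*Quota*
Get-MailboxDatabase | ft Name,JournalRecipient,IsExcludedFromProvisioning -AutoSize
```

Access to the journaling mailbox itself (Full Access permissions, and the journal account's password) should be limited to the people who need to review the records; the accept-only-from restriction protects what goes in, not who can read it.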





Tuesday, 1 July 2014

Install and Configure Exchange 2010 - Part 4

In this post, I will show you the basic configuration of the Client Access Server role.

Client Access Server Role Configurations
1. Client Access Array

Create CAS Array
1. In the AD DNS, create a new host (A) record named OUTLOOK01.internal.local, pointing to the IP address Outlook clients should use to reach the CAS servers (typically the load balancer's virtual IP). Set the TTL to 5 minutes. This name is for internal RPC clients only; it should not resolve from the internet and does not need to appear on the public certificate.
 

2. Open the EMS, and enter the following cmdlet
New-ClientAccessArray -Fqdn "OUTLOOK01.internal.local" -Site "HQ" -Name "OUTLOOK01.internal.local"

3. Enter the following cmdlet to verify
Get-ClientAccessArray "OUTLOOK01.internal.local" | fl Name, Members

Set Mailbox Database into Client Access Array
1. Enter the following cmdlet to set mailbox database
Set-MailboxDatabase "<DATABASE NAME>" -RpcClientAccessServer OUTLOOK01.internal.local
Replace <DATABASE NAME> with the name of the mailbox database. Repeat for every database.
 

2. Enter the following cmdlet to verify
Get-MailboxDatabase | fl Name, RpcClientAccessServer
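The CAS array steps above scripted in one go, including the DNS record and a loop over every database. This is an added example, not from the original post. The DNS server name DC01 and the array IP 192.168.1.50 are assumptions; the zone, array FQDN and site HQ are taken from the post.

```powershell
# Added example: create the CAS array and point all databases at it.
$arrayFqdn = "OUTLOOK01.internal.local"
$site      = "HQ"

# 1. A record with a 300 s (5 minute) TTL. dnscmd comes with the DNS role / RSAT;
#    DC01 and 192.168.1.50 are assumed values.
dnscmd DC01 /RecordAdd internal.local OUTLOOK01 300 A 192.168.1.50

# 2. One array per Active Directory site; CAS servers in that site join it automatically.
New-ClientAccessArray -Fqdn $arrayFqdn -Site $site -Name $arrayFqdn

# 3. Point every database that is not yet using the array at it. Do this before users
#    create Outlook profiles: Outlook caches RpcClientAccessServer in the profile, and
#    profiles created earlier keep the individual server name.
Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $arrayFqdn } | ForEach-Object {
    Set-MailboxDatabase $_.Identity -RpcClientAccessServer $arrayFqdn
}

# 4. Verify array membership, database assignment, and name resolution.
Get-ClientAccessArray | fl Name,Fqdn,Site,Members
Get-MailboxDatabase | ft Name,RpcClientAccessServer -AutoSize
nslookup $arrayFqdn
```

In this lab both CAS servers sit in one site, so every database is assigned to the same array; with several sites, filter the databases by the site of their CAS servers before assigning.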

2. Certification Configuration
Generate New Exchange Certificate
1. Enter the following cmdlet via EMS in EXCH01
Set-Content -path "d:\mail_cert.req" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "C=XX, S=XX, L=XX, O=XX, OU=IT, CN=mail.external.com" -DomainName mail.external.com, autodiscover.external.com, rms.external.com -PrivateKeyExportable $True)

2. The request file is written to d:\. Submit mail_cert.req to your chosen certificate authority; in this setup DigiCert was selected, so the request is submitted to DigiCert.

3. DigiCert issues the certificate once the request is approved. Download it and copy it to EXCH01.

4. In the EMC, select “This is a pending certificate signing request (CSR)” and choose “Complete Pending Request”.

5. Browse to the certificate that you copied to EXCH01 in step 3.
 

6. Finish
 

7. You have completed the certificate request

Export Certificate
1. In the EMC, select the newly requested certificate and choose “Export Exchange Certificate”.
 

2. Name the exported certificate and choose where to store it. This file will be used on EXCH02, RMS01, RMS02, UAG01 and UAG02. Enter a password to protect it; the same password is required when importing. The export contains the private key, so anyone holding the file and the password can impersonate mail.external.com: use a strong password, copy the file only over authenticated channels, and delete the staged copies once they are imported.

3. Finish. Copy the exported certificate into EXCH02, RMS01, RMS02, UAG01 and UAG02.

Import Certificate
1. In the EMC, Select EXCH02 and choose “Import Exchange Certificate”
 
 
2. Browse for the certificate and enter the password.

3. Ensure EXCH02 is listed in the server list

4. Click “Import”

5. Finish

6. Certificate has been imported into EXCH02

Assign Service to Certificate
1. Select the newly imported certificate and choose “Assign Services to certificate”

2. Ensure both EXCH01 and EXCH02 were selected

3. Select the required services and click Next
 

4. Assign

5. Yes to All to confirm the action for both windows.
 


6. Finish

7. The services are now assigned to the certificate
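The complete-request, export, import and assign-services steps above can be done from EMS on EXCH01 without touching EMC or copying the PFX by hand. This is an added example, not the original post's commands. It assumes DigiCert returned the certificate as d:\mail_cert.cer, that the PFX is staged as d:\mail_cert.pfx, and that IIS and SMTP are the services to bind; the request must have been created with -PrivateKeyExportable $True (as in step 1 above) or the export fails.

```powershell
# Added example: complete the CSR, export a PFX, import it on EXCH02, bind services on both servers.
$servers     = "EXCH01", "EXCH02"
$cerPath     = "d:\mail_cert.cer"     # certificate returned by DigiCert (assumed path)
$pfxPath     = "d:\mail_cert.pfx"     # staged export (assumed path)

# 1. Complete the pending request on EXCH01 by importing the issued certificate.
Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Encoding Byte -ReadCount 0 -Path $cerPath))

# 2. Locate the resulting certificate by subject and pick the newest one with a private key.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*CN=mail.external.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# 3. Export certificate plus private key as a password-protected PFX.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte
# (copy $pfxPath to RMS01, RMS02, UAG01 and UAG02 for their own imports)

# 4. Import on EXCH02 directly from this shell; the bytes are read locally and sent to the target.
Import-ExchangeCertificate -Server "EXCH02" -Password $pfxPassword `
    -FileData ([Byte[]](Get-Content -Encoding Byte -ReadCount 0 -Path $pfxPath))

# 5. Bind the services on both servers. -Force answers the "replace default SMTP cert" prompt.
foreach ($s in $servers) {
    Enable-ExchangeCertificate -Server $s -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
}

# 6. Verify on each server, then remove the staged PFX (it contains the private key).
foreach ($s in $servers) {
    Get-ExchangeCertificate -Server $s -Thumbprint $cert.Thumbprint |
        fl Subject,CertificateDomains,Services,NotAfter,HasPrivateKey
}
Remove-Item $pfxPath
```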


3. Outlook Web App Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.




4. Exchange Control Panel Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.




5. Exchange ActiveSync Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.




6. Offline Address Book Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.

1. Open the EMS and enter the following cmdlet
Set-OabVirtualDirectory -Identity EXCH01\"OAB (Default Web Site)" -InternalUrl https://mail.external.com/OAB -BasicAuthentication:$True
Set-OabVirtualDirectory -Identity EXCH02\"OAB (Default Web Site)" -InternalUrl https://mail.external.com/OAB -BasicAuthentication:$True

2. Enter the following cmdlet to verify
Get-OabVirtualDirectory | fl name,server,internalurl,externalurl,*authen*

7. Exchange Web Service Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.

1. Open the EMS and enter the following cmdlet
Set-WebServicesVirtualDirectory -Identity EXCH01\"EWS (Default Web Site)" -InternalUrl https://mail.external.com/ews/exchange.asmx -BasicAuthentication:$True
Set-WebServicesVirtualDirectory -Identity EXCH02\"EWS (Default Web Site)" -InternalUrl https://mail.external.com/ews/exchange.asmx -BasicAuthentication:$True

2. Enter the following cmdlet to verify
Get-WebServicesVirtualDirectory | fl name,server,internalurl,externalurl,*authen*

8. Outlook Anywhere Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.

1. In the EMC, select EXCH01 and choose “Enable Outlook Anywhere”

2. Enter the external hostname mail.external.com and choose Basic authentication

3. Finish

4. Repeat the step 1 to step 3 for EXCH02

9. Autodiscover Service Configuration
NOTE: Both EXCH01 and EXCH02 have the identical configuration.

1. Enter the following cmdlets to set the AutoDiscoverServiceInternalUri
Set-ClientAccessServer -Identity EXCH01 -AutoDiscoverServiceInternalUri https://mail.external.com/Autodiscover/Autodiscover.xml
Set-ClientAccessServer -Identity EXCH02 -AutoDiscoverServiceInternalUri https://mail.external.com/Autodiscover/Autodiscover.xml

2. Enter the following cmdlet to verify
Get-ClientAccessServer | fl name,server,*uri*
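Sections 3 to 9 follow one pattern on both CAS servers: the public name mail.external.com is used for the internal URL, Basic authentication is enabled, and every step is repeated for EXCH02. The following added example (not the original post's commands) applies that pattern to both servers from one EMS session. The OWA, ECP and ActiveSync URLs are assumptions, since those sections' settings are not reproduced on this page; their authentication methods are left at Exchange defaults.

```powershell
# Added example: client access virtual directories, Autodiscover and Outlook Anywhere on both servers.
$servers = "EXCH01", "EXCH02"
$fqdn    = "mail.external.com"

foreach ($s in $servers) {
    # OWA / ECP / ActiveSync: URLs assumed to follow the same public name (auth left at defaults).
    Set-OwaVirtualDirectory -Identity "$s\owa (Default Web Site)" `
        -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
    Set-EcpVirtualDirectory -Identity "$s\ecp (Default Web Site)" `
        -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$s\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" `
        -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

    # OAB and EWS exactly as in sections 6 and 7.
    Set-OabVirtualDirectory -Identity "$s\OAB (Default Web Site)" `
        -InternalUrl "https://$fqdn/OAB" -BasicAuthentication $true
    Set-WebServicesVirtualDirectory -Identity "$s\EWS (Default Web Site)" `
        -InternalUrl "https://$fqdn/ews/exchange.asmx" -BasicAuthentication $true

    # Autodiscover (section 9).
    Set-ClientAccessServer -Identity $s -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

    # Outlook Anywhere (section 8). Enable-OutlookAnywhere errors if already enabled, so check first.
    if (-not (Get-OutlookAnywhere -Server $s -ErrorAction SilentlyContinue)) {
        Enable-OutlookAnywhere -Server $s -ExternalHostname $fqdn `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    }
}

# Verify every virtual directory, Autodiscover and Outlook Anywhere on both servers.
foreach ($get in "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory", "Get-ActiveSyncVirtualDirectory",
                 "Get-OabVirtualDirectory", "Get-WebServicesVirtualDirectory") {
    & $get | ft Server,Name,InternalUrl,ExternalUrl,*Auth* -AutoSize
}
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri,OutlookAnywhereEnabled
Get-OutlookAnywhere | fl Server,ExternalHostname,ClientAuthenticationMethod,SSLOffloading
```

Two things follow from this design. Because InternalUrl carries the public name, internal DNS must resolve mail.external.com to the CAS servers (split DNS), and the certificate from section 2 must include that name, which it does. And Basic authentication sends the credentials Base64-encoded, not encrypted, so it is acceptable only because every one of these virtual directories requires SSL; do not clear the Require SSL setting on them.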

10. Configure Change Password Feature in OWA
NOTE: Both EXCH01 and EXCH02 have the identical configuration.

1. Log on to EXCH01 and open Start > Run > regedit. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

2. Create a new DWORD (32-bit) value named ChangeExpiredPasswordEnabled.

3. Set its value to 1 and exit Registry Editor.

4. Restart IIS, for example by running iisreset /noforce from an elevated command prompt.

5. Repeat step 1 to step 4 for EXCH02
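The same registry change applied to both servers in one step, as an added example that is not from the original post. It assumes PowerShell remoting is enabled on EXCH01 and EXCH02 and that the account running it is a local administrator on both; it is written for PowerShell 2.0, which is what Windows Server 2008 R2 ships with.

```powershell
# Added example: enable OWA change-expired-password on both CAS servers and confirm the value.
$servers = "EXCH01", "EXCH02"
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA"
$name    = "ChangeExpiredPasswordEnabled"

Invoke-Command -ComputerName $servers -ScriptBlock {
    param($key, $name)
    # Set-ItemProperty creates the value when it does not exist; -Type DWord gives REG_DWORD.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    # OWA reads the key at start-up, so restart IIS. /noforce lets in-flight requests finish.
    & iisreset /noforce | Out-Null
    # Hand back what is actually in the registry for verification.
    New-Object PSObject -Property @{
        Server = $env:COMPUTERNAME
        Value  = (Get-ItemProperty -Path $key -Name $name).$name
    }
} -ArgumentList $key, $name | ft Server,Value -AutoSize
```

Both servers must report Value 1; a user whose password has expired or is flagged "must change at next logon" is then offered the change-password page when signing in to OWA, so the feature is exposed wherever OWA itself is published.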