Gartner positions Microsoft in the Leaders quadrant

On the strength of its market position, Microsoft has recently been placed in the Leaders Quadrant in Gartner’s Magic Quadrant for Secure E-mail Gateway.

The Secure Messaging solution offers customers a hybrid model of in-the-cloud services – Forefront Online Protection for Exchange – and on-premises software – Forefront Protection 2010 for Exchange Server – to provide defence-in-depth protection.

image

For the complete report, click here

Client Network Requirements in Exchange 2010

Client network traffic is an area that often generates questions. It frequently comes up when site consolidation is being discussed, because consolidation also raises the issues of network cost and sizing.

While there is some information available on how to estimate this client network traffic, most of it relates to Exchange 2007 and Outlook 2007. I am not aware of any changes in Exchange 2010 and Outlook 2010 that would alter the client network requirements, so the information below is based on the Exchange 2007 figures.

The first piece of information you need is the user profile mix. Use the Microsoft Exchange Server Profile Analyzer tool to collect this if you don’t already have it; the tool can be downloaded from the links at the bottom of this page.

| Profile       | Light | Medium | Heavy | Very Heavy |
|---------------|-------|--------|-------|------------|
| Sent/Day      | 5     | 10     | 20    | 30         |
| Received/Day  | 20    | 40     | 80    | 120        |
| Ave Msg Size  | 75kb  | 75kb   | 75kb  | 75kb       |
| Msgs Read/Day | 20    | 40     | 80    | 120        |
| Msgs Del’d/Day| 10    | 20     | 40    | 60         |
| OWA logon/Day | 2     | 2      | 2     | 2          |

Next we determine how much traffic is generated by each user profile per day. In the table below, all values are in Kilobytes/User/Day. The table separates sending from all other actions, which are labelled as aggregate.

| Client                | Row       | Light | Medium | Heavy  | Very Heavy |
|-----------------------|-----------|-------|--------|--------|------------|
| Outlook - Online      | Sending   | 285   | 570    | 1,140  | 1,710      |
| Outlook - Online      | Aggregate | 3,765 | 7,545  | 15,075 | 22,605     |
| Outlook - Online      | Total     | 4,050 | 8,115  | 16,215 | 24,315     |
| Outlook - Cached Mode | Sending   | 390   | 780    | 1,560  | 2,340      |
| Outlook - Cached Mode | Aggregate | 1,560 | 3,120  | 6,240  | 9,360      |
| Outlook - Cached Mode | Total     | 1,950 | 3,900  | 7,800  | 11,700     |
| Outlook Anywhere      | Sending   | 465   | 930    | 1,845  | 2,775      |
| Outlook Anywhere      | Aggregate | 1,845 | 3,705  | 7,410  | 11,100     |
| Outlook Anywhere      | Total     | 2,310 | 4,635  | 9,255  | 13,875     |
| Outlook Web App       | Sending   | 1,200 | 2,400  | 4,800  | 7,200      |
| Outlook Web App       | Aggregate | 8,085 | 15,930 | 31,605 | 47,295     |
| Outlook Web App       | Total     | 9,285 | 18,330 | 36,405 | 54,495     |

Now that we have these values, how do we use them? The last piece of the puzzle is the formula. The following formula can be used to estimate the network traffic (in KB/Sec) required by your Exchange 2010 clients.

image

Using this formula and the data in the tables above, the network requirement for 2,500 heavy users running Outlook in Cached Mode works out as follows:

image

image

Network Traffic (KB/Sec) = 677 KB/Sec. To convert this to Mbps:

image

Network Traffic (Mbps) = 5.4 Mbps.

This formula assumes all these users are in the same time zone, so the majority of their work is done within an 8 hour day.
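The following PowerShell is an added example and is not part of the original post. It encodes the per-day totals from the table above and reproduces the 2,500 heavy cached-mode users result (677 KB/Sec, 5.4 Mbps). The formula image did not survive, so the calculation shape (users × KB/user/day, spread over an 8 hour working day, 1 Mbps = 1000 Kbps) is an assumption derived from the stated 8 hour day and the quoted result; the function name and the mixed-population figures at the end are constructed for illustration.

```powershell
# Added example: per-user daily traffic in KB/user/day from the table above,
# keyed by client type and then by user profile (values are the post's "Total" rows).
$DailyKB = @{
    'Online'   = @{ Light = 4050; Medium = 8115;  Heavy = 16215; VeryHeavy = 24315 }
    'Cached'   = @{ Light = 1950; Medium = 3900;  Heavy = 7800;  VeryHeavy = 11700 }
    'Anywhere' = @{ Light = 2310; Medium = 4635;  Heavy = 9255;  VeryHeavy = 13875 }
    'OWA'      = @{ Light = 9285; Medium = 18330; Heavy = 36405; VeryHeavy = 54495 }
}

function Get-ExchangeClientTraffic {
    # Hypothetical helper (not an Exchange cmdlet). Returns the sustained
    # bandwidth one population of users needs during the working day.
    param(
        [Parameter(Mandatory=$true)][int]$Users,
        [ValidateSet('Light','Medium','Heavy','VeryHeavy')][string]$UserProfile = 'Heavy',
        [ValidateSet('Online','Cached','Anywhere','OWA')][string]$Client = 'Cached',
        [int]$WorkHours = 8   # assumption from the post: one shared 8 hour day
    )
    $kbPerDay = $Users * $DailyKB[$Client][$UserProfile]
    $kbPerSec = $kbPerDay / ($WorkHours * 3600)
    New-Object PSObject -Property @{
        Users       = $Users
        UserProfile = $UserProfile
        Client      = $Client
        KBPerSec    = [math]::Round($kbPerSec, 1)
        # 1 KB = 8 Kbits and 1 Mbps = 1000 Kbps, which reproduces the post's 5.4 Mbps
        Mbps        = [math]::Round($kbPerSec * 8 / 1000, 1)
    }
}

# The post's worked example: 2,500 heavy users in Cached Mode -> 677.1 KB/Sec, 5.4 Mbps
Get-ExchangeClientTraffic -Users 2500 -UserProfile Heavy -Client Cached | Format-List

# Mixed population (figures constructed for illustration): sum the per-group estimates.
$groups = @(
    @{ Users = 2500; UserProfile = 'Heavy'; Client = 'Cached' },
    @{ Users = 300;  UserProfile = 'Light'; Client = 'OWA' }
)
$totalKBps = 0
foreach ($g in $groups) { $totalKBps += (Get-ExchangeClientTraffic @g).KBPerSec }
'Total: {0} KB/Sec = {1} Mbps' -f [math]::Round($totalKBps, 1), [math]::Round($totalKBps * 8 / 1000, 1)
```

Treat the result as a sustained average for link sizing; peak traffic (start of day logons, OST rebuilds) will be higher, which is why the post's 8 hour assumption matters: users spread across time zones lower the per-second figure.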

This information is based on the original post from MS Exchange Team blog.

Download Microsoft Exchange Server Profile Analyzer (32 bit) here

Download Microsoft Exchange Server Profile Analyzer (64 bit) here

Exchange 2007 SP3 Released!

In November last year I mentioned that Windows 2008 R2 support for Exchange 2007 had been announced. The Exchange product team yesterday announced the release of Exchange 2007 Service Pack 3 (SP3).

SP3 for Exchange 2007 enables Exchange 2007 to be installed on Windows Server 2008 R2 and adds Windows 7 support for the Exchange management tools. Other enhancements include advanced protection options against e-mail security threats such as spam and viruses, and tools which help manage internal compliance and high availability.

For more information about Exchange 2007 SP3, see Microsoft TechNet

Download Exchange 2007 SP3 here

Updates to the Exchange Mailbox Server Role Requirements Calculators

The Exchange 2007 and Exchange 2010 Mailbox Server Role Requirements Calculators have recently been updated. If you use either of these tools often, you’ll no doubt appreciate how much effort must go into keeping them updated.

Apart from some bug fixes, there have been a few enhancements too. For the Exchange 2010 calculator, these include:

  • Added two new columns to the primary datacenter “Active Database Configuration / DAG” table.  These columns now expose the total number of databases activated in each site after server failure events.  This change was added to expose cross-site database failover events.
  • The calculator now includes an option to activation-block secondary datacenter mailbox servers that host HA database copies.  This allows you to design a solution where you can activate the secondary datacenter in the event of a primary datacenter failure, or choose to activate a copy in the secondary datacenter manually, but prohibits Active Manager from automatically activating a copy in the secondary datacenter.
  • Added support for 32-cores.

For detailed information on these and other enhancements, see the following links:

To download the revised version, click here for Exchange 2007 and here for Exchange 2010

Exchange Humor.. Epic Awesomeness!

I was looking around the attachments section of the MS Exchange Team blog earlier, trying to find an older version of the Exchange 2010 Mailbox Server Role Requirements Calculator, when I came across “E2010+MBX+Role+Calc+Spoof.xlsx”. I was curious to see what it was, so I downloaded it. Let’s just say it was not the version I was looking for, but it made me laugh.

image

image

Exchange 2010 SP1 beta now available!

I recently posted about the new features that will be available in Exchange 2010 Service Pack 1 (SP1). Microsoft has announced the availability of Exchange Server 2010 SP1 Beta. This could be very useful for those currently planning their deployment and looking to test some of the new features.

The SP1 beta is available to the public and can be downloaded here

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 6 - Publishing Outlook Web App

In the first 5 parts of this series, I went through all the steps required to successfully install Forefront Protection 2010 for Exchange Server and Forefront Threat Management Gateway (TMG) 2010 on the same server as your Exchange Server Edge Transport role. I also looked at some basic configuration so we should now be able to send and receive email.

What about external access? TMG 2010 can also securely publish all your Exchange Server related services such as Outlook Web App (OWA), Outlook Anywhere and ActiveSync (EAS).

In this final part of the series I’ll look at publishing OWA to the internet. While my focus is mainly on OWA, Outlook Anywhere and EAS should also work with little or no additional configuration. I’ll start by creating a new certificate request, submitting it to a certificate authority and installing the issued certificate. I’ll then go over how to correctly export the issued certificate and import it on the TMG server, and conclude the series by creating a new “Exchange Web Client Access Publishing Rule”.

A few notes before I begin. When working with certificates there are two options; I have opted to use my own Enterprise Root CA, which is installed on my domain controller. You are of course welcome to purchase a certificate from a third-party CA. If you decide that is the better option for you, the configuration steps below will not differ all that much; the only difference is in how you submit the request to the CA. I highly recommend purchasing a UC Certificate for this; please see the following Microsoft TechNet article for more information.

This post also assumes that your domain controllers already accept LDAP connections over SSL. To enable this, you need to install a server certificate on each of your domain controllers. The following Microsoft TechNet article may provide some guidance if you need further assistance with this.

The first step is to confirm our OWA configuration. Open the Exchange Management Console, expand “Server Configuration”, click “Client Access”, then right-click “owa (Default Web Site)” and select “Properties”.

image

It is also important to change the authentication settings on the “Authentication” tab. We need to disable forms-based authentication because TMG will provide this feature; if Exchange forms-based authentication stays enabled, your users will be prompted to log into OWA twice.

image

We now need to create a certificate request for the certificate that will be used for OWA. This can of course be done from the Exchange Management Shell using the New-ExchangeCertificate cmdlet, or by using the new wizard included in the Exchange Management Console. To access the wizard, click “Server Configuration”, select your CAS server and click “New Exchange Certificate”.

image

“Enter a friendly name for the certificate”; I usually use the external FQDN here. Click “Next”.

image

If you are using a wildcard certificate, you can enter the root domain name here, I have elected not to use a wildcard certificate. Click “Next”

image

Next, select your required configuration. Enter your configuration and click “Next”

image

Review your certificate domains, I usually enter the server name without a suffix as well, but this is not necessarily required. Ensure that you have your internal, external and both autodiscover names listed and click “Next”

image

Enter your organization and location details and click “Next”

image

Review your certificate configuration summary and click “Next”

image

Once complete, click “Finish”

image

For those looking to use the Exchange Management Shell to complete this request, the command would look something like this:

New-ExchangeCertificate -FriendlyName 'dogfood.cgoosen.com' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=AU,S="NSW",L="Sydney",O="cgoosen.com",OU="test lab",CN=dogfood.cgoosen.com' -DomainName 'tlex01.testlab.local','dogfood.cgoosen.com','autodiscover.testlab.local','autodiscover.dogfood.cgoosen.com','tlex01' -Server 'TLEX01'

Now that we have completed our certificate request, it is time to submit it to a CA. I’ll be using my Enterprise Root CA, which is installed on my domain controller, so I’ll just submit the request by opening https://tldc01.testlab.local/CertSrv. Click “Request a certificate”.

image

Then click on “advanced certificate request”

image

Since we have already created the certificate request, select “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file”

image

Paste the certificate request in the box provided, select the “Web Server” template and click “Submit”

image

Click “Yes” to acknowledge the “Web Access Confirmation”

image

Next download only the “DER encoded” certificate.

image

Now that we have our new certificate, it’s time to install it. Once again, click “Server Configuration”, select your new certificate and click “Complete Pending Request”.

image

image

Select your new certificate and click “Complete”

image

Once completed, click “Finish”. You have now installed your new certificate.

image

We now need to assign services to the certificate, click “Server Configuration” and select your new certificate. Click “Assign Services to Certificate”

image

Select your CAS server and click “Next”

image

Ensure that you have selected “Internet Information Services” and click “Next”

image

Review the configuration summary and click “Assign”

image

Once completed, click “Finish”

image

Now that we’ve installed the new certificate and assigned services to it, let’s give it a quick test internally. My internal URL is https://tlex01.testlab.local/owa

image

Before we can import the certificate on the TMG server, we need to export it along with its private key from the CAS server. Open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We need to export 2 certificates. The first is the Enterprise Root CA certificate, located in the “Trusted Root Certificate Authorities” store.

image

The second certificate is the new exchange certificate we just installed, it should be located in the “Personal” store.

image

Let’s start with the Enterprise Root CA certificate: right-click the certificate and click “Export”. Click “Next”

image

Select “DER encoded binary X.509 (.CER)” and click “Next”

image

Give it a meaningful name, be sure to note down the location and click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

Next we export the Exchange certificate along with its private key. Right-click the certificate and click “Export”. Click “Next”

image

Ensure that you have selected “Yes, export the private key” and click “Next”

image

Ensure that you have selected “Export all extended properties” and click “Next”

image

You need to protect the private key by using a password, be sure to remember what password you enter here and click “Next”

image

Give it a meaningful name, be sure to note down the location and click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image
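The same steps, from completing the pending request through to exporting both certificates, can be scripted in the Exchange Management Shell on the CAS server. The script below is an added example, not the post's own; it assumes the request was generated with the New-ExchangeCertificate command shown earlier, that the CA's DER file was saved as C:\certs\issued.cer (an assumed path), and it reuses the post's server name, OWA virtual directory and the ca_cert.cer / cas_cert.pfx naming convention. It also applies the OWA authentication change described above, assuming Basic authentication is what the TMG rule will delegate.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the CAS server (TLEX01) as an Exchange administrator.
$IssuedCer   = 'C:\certs\issued.cer'      # DER file downloaded from the CA (assumed path)
$ExportPfx   = 'C:\certs\cas_cert.pfx'    # file names follow the post's convention
$ExportCaCer = 'C:\certs\ca_cert.cer'
$OwaVdir     = 'TLEX01\owa (Default Web Site)'

# 1. Complete the pending request. Import-ExchangeCertificate pairs the issued
#    certificate with the private key New-ExchangeCertificate created earlier.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $IssuedCer -Encoding Byte -ReadCount 0))

# 2. Assign the IIS service (the "Assign Services to Certificate" wizard). OWA,
#    Outlook Anywhere and EAS are all served by IIS, so one binding covers them.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS -Confirm:$false

# 3. Disable Exchange forms-based authentication on the OWA virtual directory so
#    users are not prompted twice; TMG presents the form and delegates with Basic
#    authentication (assumption: matches the Basic delegation chosen in the rule).
Set-OwaVirtualDirectory -Identity $OwaVdir -FormsAuthentication $false -BasicAuthentication $true

# 4. Export the certificate with its private key for TMG. The PFX is protected by
#    a password that is prompted for rather than embedded in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $ExportPfx -Value $pfx.FileData -Encoding Byte

# 5. Export the Enterprise Root CA certificate (public part only) from the
#    Trusted Root store. The issuing CA is located by matching the new
#    certificate's Issuer DN (assumption: a single-tier CA, as in the post).
$caCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
[IO.File]::WriteAllBytes($ExportCaCer, $caCert.Export('Cert'))

# Sanity check before copying the two files to TMG: IIS must be listed under
# Services and the private key must be present, or TMG cannot terminate SSL.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, HasPrivateKey, NotAfter
```

Copy only the two exported files to the TMG server and delete the PFX from any intermediate location afterwards; the private key inside it is what lets the gateway impersonate your OWA name.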

Once you have those 2 certificates (ca_cert.cer and cas_cert.pfx if you followed my naming convention), copy them to your TMG server. Then log onto the TMG server, open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We now repeat the previous process in reverse.

image

First we import the Enterprise Root CA certificate, expand the “Trusted Root Certificate Authorities” store, right-click “Certificates” and select “Import”. Click “Next”

image

Locate the certificate and click “Next”

image

You will notice that it will already have the correct location specified, do not change this, just click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

We then import the Exchange certificate. Expand the “Personal” store, right-click “Certificates” and select “Import”. Click “Next”

image

Locate the certificate and click “Next”

image

Enter the private key password (you do remember it, right?), ensure that you have selected “Include all extended properties” and click “Next”

image

The correct location should already be specified, do not change this, just click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

Once this is done, you should be able to double-click the Exchange certificate and check its status. Both certificates should show as “Ok”.

image
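On the TMG side the two MMC imports and the status check can also be done from PowerShell, which is useful on a workgroup server where you cannot rely on Group Policy to distribute the root certificate. This is an added example and not the post's script; it assumes the files were copied to C:\certs (an assumed path) under the post's names, and the hypothetical Test-PublishedCertificate function checks what the MMC status dialog shows: private key present, chain builds to a trusted root, and the post's internal and external names are among the certificate's subject alternative names.

```powershell
# Added example (not from the original post). Run on the TMG server as a local
# administrator; TMG is a workgroup member, so the .NET X509 classes are used
# instead of Exchange cmdlets.
$CaCer  = 'C:\certs\ca_cert.cer'     # assumed paths, post's file names
$CasPfx = 'C:\certs\cas_cert.pfx'
$Sites  = 'dogfood.cgoosen.com', 'tlex01.testlab.local'   # names from the post

# 1. Enterprise Root CA public certificate -> Trusted Root CAs (Local Computer).
$ca = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CaCer
$rootStore = New-Object Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite'); $rootStore.Add($ca); $rootStore.Close()

# 2. Exchange certificate with private key -> Personal (Local Computer).
#    MachineKeySet stores the key where the Firewall service can use it and
#    PersistKeySet keeps it after this session; the key stays non-exportable here.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$keyFlags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cas = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CasPfx, $pfxPassword, $keyFlags
$myStore = New-Object Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$myStore.Open('ReadWrite'); $myStore.Add($cas); $myStore.Close()

function Test-PublishedCertificate {
    # Hypothetical helper: the checks the MMC "status" view performs, plus a
    # name check so the listener will not produce name-mismatch warnings.
    param(
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredNames
    )
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    # The edge server usually cannot reach the internal CRL, so build the chain
    # without revocation checking; trust is still anchored on the Root store.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)
    $sanText = $Certificate.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
        ForEach-Object { $_.Format($false) }
    $missing = $RequiredNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        MissingNames  = $missing -join ','
        Expires       = $Certificate.NotAfter
    }
}

Test-PublishedCertificate -Certificate $cas -RequiredNames $Sites | Format-List
```

If ChainValid is false with a status of UntrustedRoot, the CA import into the Root store of the Local Computer (not the current user) did not take; if HasPrivateKey is false, the PFX was exported without its key and TMG will refuse it in the web listener's certificate picker.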

The final step in the process is to create an “Exchange Web Client Access Publishing Rule”. Open the TMG Management Console, right-click “Firewall Policy”, select “New” and then select “Exchange Web Client Access Publishing Rule”

image

Give your rule a meaningful name and click “Next”

image

Select your Exchange version and select “Outlook Web Access”, then click “Next”

image

Select your publishing type and then click “Next”

image

Since we will be using SSL, select that option and click “Next”

image

Enter your internal site name, only enter the FQDN, there is no need to add HTTP/S or /OWA. Click “Next”

image

Enter your public name here, again only the FQDN. Click “Next”

image

Select your web listener, since I don’t already have one, I am going to create a new one by clicking “New”

image

Enter a meaningful name and click “Next”

image

We will be using SSL and want to require SSL connections from all clients. Click “Next”

image

Select your listener IP address, this should be your external network address. Click “Next”

image

Click “Select Certificate” and then select the Exchange certificate we installed previously. Click “Select”

image

Click “Next”

image

Next we look at authentication settings. Since our server is not part of the domain, we are unable to use “Windows” authentication. Make sure “HTML Form Authentication” is selected, select “LDAP (Active Directory)” and click “Next”

image

I won’t be making use of SSO, make your selection and click “Next”

image

We need to add at least one LDAP server for user authentication. Add your domain controllers here and type your domain name; I highly recommend that you use LDAP over SSL. Click “Next”

image

Review your web listener configuration and click “Finish”

image

Select the web listener you just created and click “Next”

image

Select “Basic Authentication” and then click “Next”

image

This rule will apply to “All Authenticated Users”, click “Next”

image

Review your configuration and then click “Finish” to create the rule.

image

Once the rule has been created, we need to apply it to TMG, click “Apply”

image

You should now see your rule listed..

image

Now for the fun part, let’s test our configuration. If you visit your external URL (mine is https://dogfood.cgoosen.com/owa) you should be presented with an OWA login form. Notice the “Secured by Microsoft Forefront Threat Management Gateway” banner at the bottom.

Enter your user name in the format “Domain\user name” and your password and click “Log On”. If you get any certificate alerts, you may need to install your Root CA certificate into the “Trusted Root Certification Authorities” store on your workstation. If you are using an Enterprise Root CA, Group Policy propagates its certificate to the “Trusted Root Certification Authorities” store for all users and computers in the domain.

image

If everything has been correctly configured, you should be presented with your inbox.

image

To summarise, in this final part of the series I created a new certificate request and then submitted it to a certificate authority. Once I had downloaded the issued certificate, I installed it on my Exchange CAS server and assigned services to it. I then exported the issued certificate and imported it on the TMG server. To complete the process, I created a new “Exchange Web Client Access Publishing Rule”.

In this 6 part series, I went through the process of installing Exchange Server Edge, Forefront Protection 2010 for Exchange Server and TMG 2010 on the same server. Consolidating these services greatly reduces management complexity and overhead.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 5 - Putting it all together

We finally have our consolidated Exchange Server Edge and TMG 2010 server installed, but what now? How do we take advantage of all the great new features? In this part of the series, I’ll configure our E-Mail Policy, create a new Edge Subscription and then configure Antivirus and File Filters.

Firstly, we’ll configure our E-Mail Policy. Open the TMG Management Console, select “E-Mail Policy” and then select “Configure E-Mail Policy” from the tasks pane.

image

On the “Welcome to the E-Mail Policy Wizard” screen, click “Next” to continue

image

On the “Internal Mail Server Configuration” screen, add all the Exchange hub servers that you want to forward incoming mail to. You also need to add your accepted domains. Then click “Next”

image

For the “Internal E-Mail Listener” choose the Internal network. You can also specify which IP to listen on if multiple IPs are available. Click “Next”

image

For the “External E-Mail Listener” choose to listen on the External network and specify the FQDN that will be presented in HELO and EHLO commands.

image

Enable spam filtering, virus and content filtering. You also have the option to enable EdgeSync Traffic, you should enable this here as it will create the relevant System Policy to allow port 50636 for communication with the Exchange hub transport server.

image

Click “Finish” to complete the e-mail policy wizard

image

TMG will prompt you to create a System Policy, click “Yes”

image

Once done, click “Apply” to apply the new E-Mail Policy

image

Next, we set up a new edge subscription. From the TMG Management console, navigate to “E-Mail Policy” and in the “Tasks” pane, click “Generate Edge Subscription Files”

image

Make a note of where you save this file. Once complete, copy the edge subscription file to your Hub Transport server.

image

Log on to your Hub Transport server and open the Exchange Management Console, then expand “Organization Configuration” and click on “Hub Transport”. Click “New Edge Subscription” under the “Actions” menu.

image

Select the appropriate AD site and locate the edge subscription file copied from your TMG server. Click “New”

image

Once the wizard completes successfully, click “Finish”

image

Expand “Organization Configuration”, click on “Hub Transport” and select the “Edge Subscriptions” tab. You should now see your edge subscription listed there.

image

On your Hub Transport server, ensure that the “Microsoft Exchange EdgeSync” service is set to automatically start.

image

On the Hub Transport server, open the Exchange Management Shell and start edge synchronization by issuing the following cmdlet

Start-EdgeSynchronization

image

After a few minutes, you should be able to verify that your edge synchronization is working by opening the “Exchange Management Shell” and issuing the following cmdlet:

Get-SendConnector

image

Next, we need to verify the authentication settings on the Receive Connectors.

On the Hub Transport server, open the Exchange Management Console and expand to "Server Configuration", click on "Hub Transport", right click on the "Default Receive Connector" and select Properties. On the Authentication tab, verify that TLS and Exchange Server authentication are selected.

image

On the TMG server, open the TMG Management console and navigate to "E-Mail Policy", right click on the "Internal_Mail_Servers" route and select Properties. On the Listener tab, click "Authentication Settings" and verify that only TLS and Exchange Server Authentication are selected.

image
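The Hub Transport side of the steps above (service start mode, starting and testing EdgeSync, listing the send connector, and checking the receive connector's authentication) can be verified in one go from the Exchange Management Shell. This is an added example, not the post's own script; it uses the post's server name TLEX01, assumes the default receive connector carries the standard name "Default TLEX01", and the Test-ReceiveConnectorAuth function is hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Hub Transport server after the Edge Subscription has been created.

# 1. EdgeSync must start automatically or synchronisation silently stops after a reboot.
$svc = Get-WmiObject Win32_Service -Filter "Name='MSExchangeEdgeSync'"
if ($svc.StartMode -ne 'Auto') {
    Set-Service -Name MSExchangeEdgeSync -StartupType Automatic
}
Start-Service -Name MSExchangeEdgeSync

# 2. Kick off replication, then let Exchange verify it end to end.
#    Test-EdgeSynchronization compares AD with the AD LDS instance on the
#    Edge/TMG server over the EdgeSync port (50636) the system policy opened.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail

# 3. After a successful sync a send connector sourced from the Edge server exists.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize

function Test-ReceiveConnectorAuth {
    # Hypothetical helper: confirms the receive connector offers TLS and
    # Exchange Server authentication, as the post requires for Edge -> Hub mail.
    param([string]$Identity = 'TLEX01\Default TLEX01')   # assumed default connector name
    $rc = Get-ReceiveConnector -Identity $Identity
    # AuthMechanism is a flags enum; render it as a comma-separated list of names.
    $mechs = $rc.AuthMechanism.ToString() -split ',\s*'
    $required = 'Tls', 'ExchangeServer'
    $missing = @($required | Where-Object { $mechs -notcontains $_ })
    New-Object PSObject -Property @{
        Connector     = $rc.Identity.ToString()
        AuthMechanism = $rc.AuthMechanism.ToString()
        Compliant     = ($missing.Count -eq 0)
        Missing       = ($missing -join ',')
    }
}

# 4. Report on the default receive connector (any connector name can be passed).
Test-ReceiveConnectorAuth | Format-List
```

The TMG-side check (the "Internal_Mail_Servers" listener authentication) has no Exchange cmdlet equivalent and still has to be confirmed in the TMG console as described above.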

Lastly, we can configure Antivirus scanning and file filtering settings. In this example I will enable 3 antivirus engines and configure file filtering to block .EXE files.

On the TMG server, open the TMG Management console, click “E-Mail Policy”, then select the “Virus and Content Filtering” tab.

image

Click “Select AV Engines” on the Tasks Pane. Select one or more engines from the list, then click “OK”

image

Next, click the “Enabled” link below “File Filtering”. On the “File Filters” tab, click “Add” and then on the General tab give it a meaningful name. You can apply the filter to inbound and/or outbound messages.

image

On the File Types tab select Microsoft Windows Executable. Click “Apply”

image

Confirm that the filter has been added and click “OK”

image

Once done, click “Apply” to apply the settings

image

To summarise, in this part of the series I configured my E-Mail Policy. I then created and verified a new Edge Subscription. I finished off by configuring Antivirus and creating a File Filter to block .EXE files.

In the next and final part of this series, I’ll look at how to securely publish Outlook Web App.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 4 - Installing Forefront Threat Management Gateway

Here we are, Part 4 of the series. To recap what I have done thus far: I’ve installed the Exchange Server Edge role followed by Forefront Protection 2010 for Exchange Server.

In this part I install TMG 2010 and perform some basic configuration. The minimum system requirements for TMG 2010 can be found on Microsoft TechNet.

To get started, insert your Forefront Threat Management Gateway 2010 installation media and then select “Run Preparation Tool”

image

This launches the “Forefront TMG Preparation Tool”, read through the notes on the welcome screen and click “Next”. Read and accept the License Agreement and click “Next”

Depending on your environment, select the appropriate Installation Type. I won’t be installing a TMG array so I selected “Forefront TMG services and Management”. Then click “Next”

image

Once all the prerequisite features have been installed, click “Finish” to launch the TMG 2010 installation wizard.

image

Click “Next” on the welcome screen. Read and accept the License Agreement and click “Next”

Next you will be presented with the “Customer Information” page with the Product Serial Number. Once you have entered the appropriate details, click “Next” and verify the installation path. Change this as appropriate and click “Next”

image

Next we need to define our internal network ranges. Be sure to include all of them there, mine are fairly simple and are all included in the range 172.0.0.0-172.0.0.255.

image

During the installation, some services will be restarted. Acknowledge this warning by clicking “Next”

image

Click “Install” to begin the installation.

image

Once the installation has completed successfully, click “Finish”

image

Congratulations, you now have TMG 2010 installed. Let’s look at some basic configuration. The first time you launch the TMG Management Console, you’ll be presented with the “Getting Started Wizard”. The first step is to “Configure network settings”

image

Click “Next” to continue and then select the appropriate network template; you’ll want to select “Edge Firewall” here. It should be noted that the “Single network adapter” template has many limitations and will not work in our scenario. Click here to read more about single network adapter limitations. Click “Next” to continue

image

Ensure that your LAN or “Internal” network settings are configured correctly and click “Next”. Note the absence of a “Default Gateway” on the internal adapter.

image

Then, ensure that your Internet or “External” network settings are configured correctly and click “Next”

image

Click “Finish” to complete the network setup wizard.

image

The next step is to “Configure system settings”

image

Click “Next” to continue and then confirm the “Host Identification” settings, note once again that this server is a member of a workgroup and is not part of the domain. Click “Next”

image

Click “Finish” to complete the system configuration wizard

image

The final step is to “Define deployment options”

image

Click “Next” to continue and on the “Microsoft Update Setup” screen, select the appropriate setting and click “Next”

image

Activate the relevant licenses and features and click “Next”

image

On the “NIS Signature Update Settings” screen, select the appropriate setting and click “Next”. If in doubt, just leave the defaults.

image

Would you like to join the “Customer Experience Improvement Program”? Make your selection and click “Next”, then decide if you would like to participate in the “Microsoft Telemetry Reporting Service”. Make your selection and click “Next”

Click “Finish” to complete the deployment wizard

image

You have now completed the “Getting Started Wizard”

image

To summarise, in this part of the series I installed TMG 2010 and then performed some basic configuration. In the next part of the series, I’ll configure our email policy and create a new Edge Subscription.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 3 - Installing Forefront Protection for Exchange Server

Welcome to Part 3! In the previous part of the series I looked at the process of preparing a Windows Server 2008 R2 server for installation. I then installed the Exchange Server Edge Transport role.

In Part 3 of the series I’ll install Forefront Protection 2010 for Exchange Server. The installation is fairly quick and painless, so it should not take too long! I recommend checking out the minimum system requirements on Microsoft TechNet.

To get started, insert your Forefront Threat Management Gateway 2010 installation media and then select “Install Microsoft Forefront Protection 2010 for Exchange Server”.

image

The first step is to read and accept the License Agreement and click “Next”. “During the installation, it may be necessary to stop and start the following services..” read and accept this message by clicking “Next”

image

Select the appropriate installation paths and click “Next”

image

Enter any proxy server information (if any) and click “Next”

image

Decide if you would like to enable Antispam now or later, these settings can be changed again once installed. Click “Next”

image

Decide if you would like to enable Microsoft Update and click “Next”. Note: I have chosen not to enable Microsoft Update at this time; depending on your environment, your selection may differ. It is always recommended to keep your servers up to date.

image

Would you like to join the “Customer Experience Improvement Program”? Decide and then click “Next”. Once you have confirmed your settings, click “Next” to begin the installation

image

Once the installation has completed successfully, click “Finish”

image

To summarise, in this part of the series I installed Forefront Protection 2010 for Exchange Server on the same server that already has the Exchange Edge Transport role installed from Part 2.

In the next part of the series I’ll install Forefront Threat Management Gateway 2010 on the same server.