Skip to main content
Sign In   |   Help
 
Go SearchAdvanced Search
Home
Categories
Bloggers
www.pointbridge.com

View All Site Content

Using ISA 2006 / TMG to Publish Exchange 2007 and 2010
By: Matthew McGillen | Posted: June 25, 2010 at 2:08 PM
Add Comment Add Comment | Share It Share It | Category: Exchange Server
2
Comments

We've recently assisted a number of clients in Exchange 2007 à 2010 upgrades. In each case, they've been using ISA or TMG to publish external Exchange services. For the most part, it's been easy to find information on the subject: the MS Exchange team has a really nice write up on the ISA configurations for 2010 upgrade; ISAserver.org has a good write-up in general on ISA and Exchange; Elan Shudnow has a post or two on the subject; and there's always technet. All the info is helpful, however my issue was that there are 1,000,000 ways to configure these services with ISA and Exchange: Basic? NTLM? Prompts? Web listeners? Pre-Authentication? So many different routes has led to some confusion in setup.

Practically speaking, it turned out that most customers really wanted a simple setup:

  1. a single name (mail.company.com)
  2. Never prompted users for credentials in Outlook. Ever!

If this is sounds like you (or your customers), then I've got a condensed guide to make life easy. Below assumes that you have all users coming through ISA/TMG and going to the CAS 2010 servers. This also assumes that you have Exchange 2007 and 2010 mailboxes co-existing.

  1. Use a single name for Exchange 2010: mail.company.com
  2. Use a single name for Exchange 2007: legacymail.company.com
  3. Set up URL redirection for 2007 users. This article is really important as it outlines exactly how to transition from CAS 2007 to 2010.
  4. Use only one web listener with Forms Based Authentication turned on.

    1. Make sure that in the "advanced" box, you uncheck "all users must authenticate" and that you put in your AD domain for Basic Authentication

    2. Ensure you have "single sign-on" enabled on your web listener. This is required especially for OW 2007 and 2010 co-existence. See below for details on why this is.

  5. Use separate web publishing rules, all bound to your one listener, for each service:
    1. Outlook Anywhere 2010
      1. Authentication delegation: "no delegation, but client may access directly"

      2. Users: "All users" - note: do not use "all authenticated users"; this will cause Outlook Anywhere clients to never connect to Exchange. See below for details.

      3. Destination: Exchange 2010 CAS (or CAS farm)
    2. Outlook Web Access 2010
      1. Authentication delegation: Basic

      2. Users: "all authenticated users"

      3. Destination: Exchange 2010 CAS (or CAS farm)
    3. Active Sync 2010
      1. Authentication delegation: Basic

      2. Users: "all authenticated users"

      3. Destination: Exchange 2010 CAS (or CAS farm)
    4. Outlook Anywhere 2007
      1. Authentication delegation: "no delegation, but client may access directly"
      2. Users: "All users" - note: do not use "all authenticated users"; this will cause Outlook Anywhere clients to never connect to Exchange.
      3. Destination: Exchange 2007 CAS (or CAS farm)
    5. Outlook Web Access 2007
      1. Authentication delegation: Basic
      2. Users: "all authenticated users"
      3. Destination: Exchange 2007 CAS (or CAS farm)
    6. Active Sync 2007
      1. Authentication delegation: Basic
      2. Users: "all authenticated users"
      3. Destination: Exchange 2007 CAS (or CAS farm)
  6. Exchange server 2010 authentication:
    1. Outlook Anywhere: NTLM only
    2. Outlook Web Access: NTLM/Basic (no forms-based authentication)
    3. Active Sync: Basic
  7. Exchange server 2007 authentication:
    1. Outlook Anywhere: NTLM only
    2. Outlook Web Access: NTLM/Basic (no forms-based authentication)
    3. Active Sync: NTLM only
  8. Outlook 2007 / 2010 Authentication
    1. Set to NTLM

Q: Why should I only use one web listener / enable SSO?

The main reason why you should use one web listener for all 2007 and 2010 rules is due to single-sign on in OWA.

When you have an Exchange 2010 user coming through ISA and being connected to an Exchange 2010 CAS server for OWA, ISA will use forms-based authentication to authenticate the user & pass the user right on to the 2010 CAS. That's all great.

But when a user whose mailbox is still on Exchange 2007 connects to mail.company.com for OWA, ISA will handle the request, pass the request on to Exchange 2010 CAS. Exchange 2010 CAS will realize that the user is an Exchange 2007 user and it will send a client-side redirect to the user's browser for "legacymail.company.com", which is also being published by ISA. (assuming you've set this up properly). When the client's browser gets the redirect, you don't want the user to connect to legacymail.company.com and get prompted AGAIN.

You can do this – but it requires using a single web listener for both OWA publishing rules. The reason is that ISA doesn't support Single Sign-on (SSO) across multiple web listeners. So if you have the mail.company.com rule bound to the same listener as legacymail.company.com listener – the user will not get prompted when Exchange redirects him/her to the legacymail OWA page.

If you're using separate listeners, the redirection to legacymail will cause the user to get re-prompted.

Q: Why do I need to set the Outlook Anywhere rule to use "All Users"

Your main web listener is set to use Forms Based Authentication. This is what you'll need to make OWA work. But as you can imagine, Outlook Anywhere and Active Sync are not going to work with FBA. That's ok- if a client tries to connect to an FBA-enabled listener and it's unable to handle the form, ISA will fall back to Basic authentication.

Active Sync is cool with this; you've already entered your user name and password into your Active Sync device. This is good enough to get you through ISA.

Outlook Anywhere, however, is not cool with this. Since you've set your Outlook Anywhere authentication method to NTLM (step 7 above) it's not going to authenticate to a web listener that's looking for Basic. If you change Outlook Anywhere to use Basic authentication, this will work… but your end users will be prompted for username and password. Which you probably don't want.

So how best to fix it? Just set your Outlook Anywhere web publishing rule to allow "all users". So even though ISA is falling back to Basic authentication on the web listener, your rule is now saying: "I don't care if they're authenticated or not, just send them through". This allows anyone from the outside to at least make it through ISA without having ISA authenticate you. And since you've set the Outlook Anywhere rule to "no delegation, but allow client to authenticate directly" the Outlook client will just pass right through ISA and authenticate directly to the CAS server. The Outlook client is set to NTLM and now it's hitting the CAS server directly – so it's important to have the CAS server's authentication for Outlook Anywhere set to NTLM (step 5a above).

Q: Is it a bad idea to bypass ISA pre-authentication for Outlook Anywhere?

I personally don't think it's a big deal. Elan Shudnow's post has more to say about that, however.

If you are totally opposed to this concept, then you're going to need to live with either:

  • A separate name for Outlook Anywhere (outlook.company.com) with its own cert and web listener. OR
  • Use Basic authentication and force your users to be prompted for username and password.
Very Delayed Ringing in OCS 2007 R2 – subtitle: I hate SANs
By: Matthew McGillen | Posted: June 24, 2010 at 11:27 AM
Add Comment Add Comment | Share It Share It | Category: Office Communications Server
4
Comments

The SAN cert strikes again! I have a new mantra: don't ever use SAN certs with OCS. I know, I know. "It can be done / you have it working / it's cheaper / it's supposed to work". I get it. But this week was the last straw for me and the SAN; specifically the SAN cert on the Edge server's internal interface.

The Problem

I've had this issue a couple times: when you place a call with your MOC client, you hear a few slow beeps before the call actually starts ringing. In general, this isn't a showstopper. When you are working remotely on public WiFi etc, I understand that it might take a second or two to set up the call. But recently I've seen this happen for internal calls. And the delay has been close to 5 seconds. Worse yet, inbound calls were having the same delay; callers from the outside just heard dead silence while the call was being set up. And even worst yet: calls to response groups were timing out due to the long delay in the call ringing PLUS a delay between when an agent answered and when the call was connected. All told, there was an unnecessary delay of about 9 seconds.

I was really having a hard time figuring out what the problem was. The customer and I were looking at SIP Stack traces / wireshark captures and the strangest things were happening. We saw the call get offered to the mediation server and the mediation server would reply back with a SIP 183 trying. Then dead air for a few seconds… absolutely no message. Then the Front End and Mediation would exchange a SIP message or two. Then more dead air. Then finally, like 6 seconds later, we get a SIP Ringing message and the call goes through.

I looked everywhere in the logs for signs of what was happening. No errors on Mediation or Front End. It really just seemed like OCS had suddenly developed an inexplicable delay on every call.

But I did spot something very odd in the Front End server log – it seemed unrelated at the time, but it turned out to be the key.

Both the Mediation server and the Front End are configured with a parameter for the A/V Edge Authentication: edge.company.com:5062 for A/V authentication. Fine and dandy. For every call that's offered to the Mediation server, it starts up a stream with the Edge server, just in case you happen to be calling from the outside. It gets that stream working so that there's no delay in the call if/when OCS figures out you are remote; even if you are placing the call from inside the network.

The Unexpected Breakthrough

So the Front End server sits and waits for the OK from the AV Edge Authentication before proceeding with the call. This generally takes 1/100th of a second or so. But this is exactly where the delay in our calls was occurring. And the SIP Stack log revealed something in that request for AV Authentication:

<credentialsResponse credentialsRequestID="5541212">

<credentials>

<username>AgGGJAHMDLkByxJYc6ZaSgyqvYbLBFrF69SYPK2Eoa0BBBBBBboUW+3f4R7GOrqoXxq1a5dABc123=</username>

<password>+5ljflkjdf$lkjkjdfnvfkdf=</password>

<duration>480</duration>

</credentials>

<mediaRelayList>

<mediaRelay>

<location>intranet</location>

<hostName>EDGESERVER02</hostName>

<udpPort>3478</udpPort>

<tcpPort>443</tcpPort>

</mediaRelay>

</mediaRelayList>

</credentialsResponse>

</response>

Now this may not look odd to you, but it was odd. Because EDGESERVER02 was an old edge server, not in production anymore. The box still existed, but it had its services shut down and was not referred to by any other OCS server. Whaaaaa??? Where did it get this? And why was it using the shortname of the defunct edge server? It wasn't even an FQDN – it was the NETBIOS name of a server not even in the AD domain. I was bewildered. OCS had apparently lost its mind; nostalgic for the days that it had 2 edge servers to pick from. I really expected it to show edge.company.com here in the Media Relay list… that would have made sense, as that was the FQDN of the edge server.

I didn't mention this before, but we had recently been trying to load balance the edge servers. So we had created a new a record for edge.company.com and applied it to the internal interface of the edge servers, EDGESERVER01 and EDGSERVER02. I told the customer to create this new cert, and just to be sure, add the two different edge server names / FQDNs as SANs. The SAN list looked like this:

  • edge.company.com
  • EDGESERVER01
  • EDGESERVER02
  • EDGESERVER01.company.com
  • EDGESERVER02.company.com

So he did minted that cert, applied it and... that's what caused the problem.

I should point out that Elan Shudnow's post on A/V negotiation (thanks Liam!)  has a much more detailed view of what happens during communicator calls. Too bad I didn't see the part about the SAN messing up AV calls while troubleshooting this isuee! Although it's interesting to note that the calls actually _do_ work; it's just that it results in delays in making/receiving calls.

The Awful Conclusion

Apparently, during A/V authentication, the edge server reads from its internal edge certificate and offers one of the names in either the subject or the SAN in the "contact me here for A/V auth" setup. Just at random. In my case, the edge server was telling clients to contact EDGESERVER02 - which was no longer in production; just because that name appeared in the SAN list. This really shouldn't happen. The Edge should be offering the name that's configured on the internal interface (edge.company.com), regardless of what the cert says. I'd love to see this change in OCS Wave 14. Way too late, I know. But this seems like a bad idea in the way the Edge works.

Anyway, I had the customer re-issue the cert without the SANs and of course this fixed everything. The Edge offered the right name for A/V auth & the calls went through without a delay.

I learned:

  1. The Edge server is contacted for every single call, no matter if it's an internal one.
  2. SANs are bad luck - especially SANs on the

Do yourself a favor and don't use SANs on the edge internal interface cert.

OCS Wave 14 – Updates from VoiceCon
By: Matthew McGillen | Posted: March 24, 2010 at 2:36 PM
Add Comment Add Comment | Share It Share It | Category: Office Communications Server
 

While I'm not at VoiceCon this year, I've been following the developments there closely. Public info about Wave 14 (the next version of OCS) is starting to trickle out.

Some important info:

  1. Support for new standalone IP phones being unveiled by Polycom and Astra. I've been _begging_ for MS to incorporate more standalone devices for a long time. These look promising.
    1. Polycom's site has few pictures, but I found this pdf that gives you a sneak peek. Check out the "CX phones". Note the Cx3000 – non-roundtable conference phone.
    2. Astra's got some new and interesting OCS-optimized phones. Good info on the technical specs, too.
  2. Survivable Branch Appliances. This will give you the ability to put OCS clients and phones in remote locations (over the WAN) and have them still work even if the WAN link back to the OCS pool is down.
    1. NET has been my choice for voice gateways over the last year for their ability to handle remote survivability with their own code among other innovative ideas. The new UX series looks like it will be doing it according to the new Wave 14 specs
  3. Microsoft VP, Gurdeep Singh Pall's keynote address, talking about Wave 14. You need to register to see the keynotes, but it's worth it.
  4. Microsoft's response to a hypothetical RFP. Tons of awesome info about the new version. An absolute must-read!

Bottom line: OCS is being shored up to obsolete your PBX. For real, this time. J

12/11 is Doomsday for RMS and Office 2003
By: Matthew McGillen | Posted: December 14, 2009 at 10:08 AM
Add Comment Add Comment | Share It Share It
1
Comment

A client just had a nasty little issue with Rights Management Server today: it stopped working. Yeah, that's a pretty bad issue. As it turns out, anyone with RMS and Office 2003 will have this same experience. From the KB:

Starting on December 11, 2009, customers using Office 2003 will not be able to open Office 2003 documents protected with the Active Directory Rights Management Service (AD RMS) or Rights Management Services (RMS). Customers will also not be able to save Office 2003 documents protected with AD RMS/RMS. Cause: The issue has been identified as an Office 2003 certificate expiration issue.

That is definitely not awesome. Luckily there is a hotfix link in the KB article that resolves the issue. If you don't want to install the hotfix, the "workaround" in the KB article is rather humorous: "Open the document using Office 2007." Oh!!

Thanks to Patty for alerting me to the issue!

OCS 2007 R2 CWA - PIN Length Part II
By: Matthew McGillen | Posted: October 7, 2009 at 3:02 PM
Add Comment Add Comment | Share It Share It | Category: Office Communications Server
1
Comment

As a follow up to my previous post on the CWA PIN Length issue - I have something that solves the issue - for now. Of course it's not officially supported by Microsoft etc. etc. (MS says it will be fixed in Wave 14… grr!!!) but I think this a pretty clean way to change the display text.

It occurred to me that instead of messing with the ".resource" files (which were in some sort of binary format) that contained the offending string, we could just modify the bit of HTML that was calling the variable in the first place. Jeff Schertz and I spent a little while today hacking through the ".js" files on the CWA server and located the piece that actually referenced the resource file variable. We swapped the variable itself for the whole string of text that we actually wanted. And it fixed the prob. See below for instructions

 

  1. Edit the DialinForm.js file on the CWA server (you should make a backup just in case):

C:\Program Files\Microsoft Office Communications Server 2007 R2\Communicator Web Access\Server\cwa\Client\Dialin\DialinForm.js

  1. Locate the following line containing the string 'txtNewPINDesc':

document.getElementById("txtNewPINDesc").innerHTML = txtNewPINDesc_res;

  1. Change the variable with a static description using the desired PIN length:

document.getElementById("txtNewPINDesc").innerHTML = "Your PIN must be at least 27 digits and cannot include letters, spaces, sequential numbers, roman numerals, kanji, klingon, or lewd content. Customize this description as you see fit.";

  1. Reload the Dial-in Conferencing page (you'll need to do an F5 to refresh - it keeps a cached version of the old text otherwise)
  2. Bingo:

 

So you can now correctly apply the PIN policy number to your CWA page. I'm sure that if you update/patch CWA, this will all get overwritten, but it's a really easy fix to re-implement.

But really, I wish this would just get fixed properly sometime before Wave 14 - it's quite confusing to end users. And plus: who has a 5-digit PIN??? It would be seem to me like something that could be included in the next hotfix / rollup. Who knows - maybe we'll get lucky.
 

 About Matt McGillen
Practice Manager - Unified CommunicationsMatt McGillen is the practice manager for Unified Communications at PointBridge. He has over 10 years of IT consulting experience, focusing mainly on the government, legal, financial and health care s... [more]

 Tag Cloud

 External Links

 ‭(Hidden)‬ Admin Links
 
Home | Categories | Bloggers | All Posts | Recent Posts | Search PointBridge Blogs
About Us | Contact Us | What’s New at PointBridge | www.pointbridge.com
© 2007 PointBridge. All rights reserved. | One North Franklin, Suite 2470, Chicago, Illinois 60606 | 312.334.1900 Terms of Use