remove TMG from a network with Exchange 2007

Posted on 2014-01-22
Last Modified: 2014-01-24
Dear Experts,

I have a network with 3 x Windows 2008 servers - a file server, an Exchange 2007 server and a TMG server. It was an EBS 2008 installation, but I performed the 'make it right' procedure which stripped out the EBS functions, leaving separate servers.

I had asked the question about removing the TMG server here http://www.experts-exchange.com/Microsoft/Windows_Security/Q_28335177.html and it was answered swiftly and satisfactorily for me but I would like a bit more granular information.

What do I need to do to remove the TMG server from the LAN with regards to the exchange services?

I will configure the hardware firewall to pass through SMTP and SSL traffic to the exchange server, ready for deployment. But what order should I adjust the exchange services to get it ready for the removal of the TMG box (which is hosting exchange edge roles)?

Do I need to adjust the send or receive connectors?
Do I simply uninstall the exchange components from the TMG server and it will kindly do all the work for me?

Thanks in advance.
Question by:tech53
29 Comments
 

Expert Comment

by:Jamie McKillop
ID: 39803087
Hello,

The first thing you should do is check your send and receive connectors to ensure they are setup for direct internet mail flow - http://technet.microsoft.com/en-us/library/bb738138%28v=exchg.141%29.aspx

If you are currently relaying outbound email through the TMG server, you will need to ensure port 25 outbound is open from your HT server to the internet before making any changes to the connector.

Next you should setup your firewall to direct SMTP and HTTPS traffic to your CAS and HT servers instead of the TMG server. If your external IP needs to change to do this, you should update your DNS records.

Now that the TMG server is out of the mix, you can uninstall all Exchange components from it.

-JJ
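JJ's three checks above (connectors, outbound port 25, then the firewall change), written out for the Exchange 2007 Management Shell on the Hub Transport server. This is an added example for this page, not code from the thread or from JJ. The server name EXCHANGE, the new connector name "Internet (direct)" and the probe target mx.example.net are placeholders to replace.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Hub Transport server. Placeholders: the server name EXCHANGE,
# the new connector name, and mx.example.net as an outside SMTP host to probe.
$ht = "EXCHANGE"

# 1. Send connectors: anything with SmartHosts set and DNSRoutingEnabled False
#    is still handing outbound mail to another box (here, the TMG/Edge server).
Get-SendConnector | Format-Table Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, SourceTransportServers -AutoSize

# 2. Receive connectors: once the firewall forwards TCP 25 straight to this
#    server, a connector bound on port 25 must include AnonymousUsers in
#    PermissionGroups, or internet senders are rejected at the banner.
Get-ReceiveConnector -Server $ht | Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
# If none does, add it to the connector that will face the internet, e.g.:
#   Set-ReceiveConnector "$ht\Default $ht" -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers

# 3. Confirm this server can open TCP 25 outbound itself BEFORE touching the
#    send connector. Plain .NET socket with a timeout, because
#    Test-NetConnection does not exist on Windows Server 2008.
$tcp = New-Object System.Net.Sockets.TcpClient
$ar  = $tcp.BeginConnect("mx.example.net", 25, $null, $null)
if ($ar.AsyncWaitHandle.WaitOne(5000, $false)) {
    $tcp.EndConnect($ar)
    Write-Host "TCP 25 outbound is open from $ht"
} else {
    Write-Host "TCP 25 outbound timed out: open it on the hardware firewall first"
}
$tcp.Close()

# 4. Only after step 3 succeeds: a DNS-routed connector for all external
#    domains, sourced from this server. Then disable the old smart-host
#    connector (Set-SendConnector <name> -Enabled $false) rather than deleting
#    it, so you can flip back if the firewall change has to be reverted.
New-SendConnector -Name "Internet (direct)" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true -SourceTransportServers $ht
```

Step 3 is the one people skip: if TMG was the only host allowed out on port 25, the new DNS-routed connector will queue everything until the hardware firewall rule exists.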

Author Comment

by:tech53
ID: 39803208
Thanks JJ,  

What about the digital cert?  Can I move it to the exchange server/IIS?

Expert Comment

by:Jamie McKillop
ID: 39803215
If you don't have a certificate installed, you will need to install one.

-JJ

Author Comment

by:tech53
ID: 39803326
I already have the certificate installed on IIS on the exchange server.

when I run the get-exchangecertificate the cert shows up but has no services attached. Presumably, previously, exchange would have just used the internal cert and the public cert was attached to the ISA listener.

is it just a case of adding the services to the cert using
Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxx -Services "SMTP,IMAP,POP,IIS"

Accepted Solution

by: Jamie McKillop (earned 500 total points)
ID: 39803340
Yes, that is exactly what you need to do.

-JJ

Author Comment

by:tech53
ID: 39803453
I know you can't see my system, but do you reckon that's all there is to it?

Expert Comment

by:Jamie McKillop
ID: 39803459
It should be but I recommend you make the change in the firewall routing after hours and test. If something doesn't work, you can revert back to the TMG server and figure it out.

-JJ

Author Comment

by:tech53
ID: 39803471
and if I make the change regarding the certificate, and it doesn't work, how can I revert back from that?

Expert Comment

by:Jamie McKillop
ID: 39803476
You just run Enable-ExchangeCertificate with the thumbprint of the previous cert.

-JJ
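The Enable-ExchangeCertificate step from the accepted answer and JJ's "re-enable the previous thumbprint" rollback, combined into one script that records the bindings before changing them and checks the new certificate actually carries the names clients will use. This is an added example for this page, not code from the thread or from JJ. The thumbprint, the three host names and C:\Temp are placeholders.

```powershell
# Added example, not from the original thread. Exchange Management Shell on
# the Exchange 2007 CAS/HT server. Placeholders: the thumbprint, the three
# host names, and C:\Temp as the place to keep the pre-change record.
$newThumb = "0123456789ABCDEF0123456789ABCDEF01234567"

# 1. Record what is bound today. Services is a flags value ("IIS, SMTP"); the
#    certificate currently carrying IIS is the one OWA/Outlook trust right now.
$before = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, CertificateDomains, Services, NotAfter
$before | Format-List
$before | Export-Clixml -Path "C:\Temp\ExchangeCertBindings-before.xml"

# 2. Check the new certificate covers every name clients use before giving it
#    IIS: the external name, autodiscover, and the internal FQDN. IIS carries
#    only one certificate, so the internal name must be on it, or the internal
#    URLs must be changed to a name that is.
$cert     = Get-ExchangeCertificate -Thumbprint $newThumb
$domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })
$required = "remote.mydomain.com", "autodiscover.mydomain.com", "exchange.mydomain.com"
$missing  = @($required | Where-Object { $domains -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate lacks: " + [string]::Join(", ", $missing) + " - clients using those names will get a name-mismatch warning")
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate has already expired" }

# 3. Bind it. Services is a comma-separated list, quoted once, no spaces.
Enable-ExchangeCertificate -Thumbprint $newThumb -Services "SMTP,IMAP,POP,IIS"

# 4. Verify: exactly one certificate should now list IIS.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Format-Table Thumbprint, Subject, Services -AutoSize

# Rollback (JJ's "previous thumbprint" step): re-enable the old certificate
# for IIS and it takes the binding back, because only one cert can hold it.
# $old = (Import-Clixml "C:\Temp\ExchangeCertBindings-before.xml" | Where-Object { $_.Services -match "IIS" }).Thumbprint
# Enable-ExchangeCertificate -Thumbprint $old -Services "IIS,SMTP"
```

The warning in step 2 is exactly the situation the thread runs into a few comments later: the public cert carried only the external names, so moving IIS onto it made every internal Outlook client see a name mismatch.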

Author Comment

by:tech53
ID: 39803914
Ok,  I have:
- disconnected the ISA server
- added a hardware firewall and given it the same IP that the ISA had
- opened ports 25 and 443 to the exchange server
- added the services to the public digital cert
- restarted exchange and IIS services
- created a new send connector

Mail flow is good. I have monitored it for an hour now. External clients using Outlook Anywhere are connecting fine, but the internal clients get an error when they open Outlook. It complains that the name on the security certificate does not match the site.

The name on the cert is the internal name. I believe that when I ran the Enable-ExchangeCertificate command, it has removed the services from all other certs and applied them only to the public cert.

How do I enable the web service on more than one cert?

thanks

Expert Comment

by:Jamie McKillop
ID: 39803928
You can't have more than one cert. You will need to change internal URLs to match the cert. Now, if your firewall allows your internal clients to connect to your external IPs, you are all set. If not, you will need to implement split-DNS.

-JJ

Author Comment

by:tech53
ID: 39803972
Or get a UCC ssl cert?

Expert Comment

by:Jamie McKillop
ID: 39803991
No. You can no longer get commercial certs with private DNS names. Unless internally you are using a public DNS zone that is registered to you, you will either need to register a separate public DNS zone for internal use or setup split-DNS.

-JJ

Author Comment

by:tech53
ID: 39804716
The outlook security warning states that the site name doesn't match the certificate name.  Can I not change the site name that outlook is trying to connect to?

Expert Comment

by:Jamie McKillop
ID: 39804733

Author Comment

by:tech53
ID: 39804790
So if I simply change the internal name of the site, the cert name will match and the message will disappear?

No re-configuration of outlook client required?

Author Comment

by:tech53
ID: 39805230
Is this article doing the same thing?  http://support.microsoft.com/kb/940726

Can this be done in the exchange management console instead of the power shell?

thanks

Expert Comment

by:Jamie McKillop
ID: 39806396
Yes, that article is doing the same thing. The changes need to be performed using powershell. Your Outlook clients will automatically pick up the changes due to autodiscover.

-JJ
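JJ's advice to change the internal URLs to match the certificate, and the KB940726 procedure the asker found, as one script for the Exchange 2007 Management Shell. This is an added example for this page, not code from the thread, from JJ or from the KB article. EXCHANGE (the CAS name), remote.mydomain.com (a SAN on the public certificate that must resolve to the CAS from the LAN, via split DNS or a firewall hairpin rule) and user@mydomain.com (any mailbox) are placeholders.

```powershell
# Added example, not from the original thread. Exchange Management Shell on
# the Exchange 2007 CAS. Placeholders: EXCHANGE, remote.mydomain.com and
# user@mydomain.com. The chosen name must be on the certificate AND resolve
# to the CAS from inside the LAN (split DNS or hairpin NAT).
$cas  = "EXCHANGE"
$name = "remote.mydomain.com"

# 1. The URLs Autodiscover hands to domain-joined Outlook today. Outlook
#    checks the certificate name against these, so each host name must be
#    on the certificate bound to IIS.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
Get-OABVirtualDirectory         -Server $cas | Format-List Identity, InternalUrl

# 2. Rewrite them to the certificate name (the KB940726 procedure).
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$name/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://$name/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "$cas\OAB (Default Web Site)" -InternalUrl "https://$name/OAB"
# OWA and ActiveSync are not part of the Outlook check, but keep them consistent:
Set-OwaVirtualDirectory        -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$name/owa"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$name/Microsoft-Server-ActiveSync"

# 3. The name must resolve to the CAS from inside, otherwise clients now fail
#    to connect instead of merely warning. Expect the CAS's LAN address here,
#    not the public IP (unless the firewall hairpins it back in).
[System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() }

# 4. Reload IIS so the new URLs are served, then exercise Autodiscover, EWS
#    and OAB the way Outlook does. Any line whose Type is not Success points
#    at a URL or certificate problem to fix before the warning goes away.
iisreset /noforce
Test-OutlookWebServices -ClientAccessServer $cas -Identity "user@mydomain.com" | Format-Table Id, Type, Message -AutoSize
```

No Outlook reconfiguration is needed, as JJ says: Outlook re-reads these URLs through Autodiscover, so the change takes effect on the next client restart.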

Author Comment

by:tech53
ID: 39806473
Actually, the internal domain namespace is the same as the external so I was able to re-key the UCC cert with the extra SAN. So I don't need to change the URLs.

I generated the CSR, sent it off, added the SAN and imported it. Then I enabled IIS, SMTP, POP and IMAP on the cert. Outlook opens normally now. OWA works fine internally and externally.

But external clients using outlook anywhere can no longer connect.  Have I missed something?  I have restarted all IIS and exchange services.

cheers

Expert Comment

by:Jamie McKillop
ID: 39806516
What names are on your cert and what DNS namespace are you using (you can change your domain to mydomain.com to hide it)?

-JJ

Author Comment

by:tech53
ID: 39806571
the SANs are:
DNS Name=remote.mydomain.com
DNS Name=remote.shorteneddomain.com  (this is for OWA only and works fine)
DNS Name=autodiscover.mydomain.com
DNS Name=mydomain.com
DNS Name=exchange.mydomain.com   (internal FQDN of exchange server)

Would it be anything to do with FBA or principal name (not that Ive changed them or anything)

Expert Comment

by:Jamie McKillop
ID: 39806580
When you generated the new cert, did you change the primary name on the cert?

-JJ

Author Comment

by:tech53
ID: 39806592
no, the primary name remained the same.

Ive just noticed that theres a '?' on the default website in IIS.  It has loads of 'Unknown (net.tcp), Unknown (net.pipe) etc  and the binding is 808:*(net.tcp)

would that have anything to do with it, based on the fact that OWA is working?

Expert Comment

by:Jamie McKillop
ID: 39806599
No, those bindings don't matter. Run the Remote Exchange Connectivity Analyzer and see what errors it returns - https://testconnectivity.microsoft.com/

-JJ

Author Comment

by:tech53
ID: 39806613
thanks,

got this:

Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.

  Additional Details
  The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
  Elapsed Time: 4 ms.

and this:

Checking the IIS configuration for client certificate authentication.
  The test passed with some warnings encountered. Please expand the additional details.

  Additional Details
  Client certificate authentication couldn't be determined because an unexpected failure occurred. WinHttpReceiveResponse failed with error 12002.
  Elapsed Time: 30556 ms

then finally this:

Testing HTTP Authentication Methods for URL https://remote.mydomain.com/rpc/rpcproxy.dll?exchange:6002.
  The HTTP authentication test failed.

  Additional Details
  An HTTP 500 response was returned from Unknown.
  Headers received:
  Connection: close
  Content-Length: 0
  Date: Fri, 24 Jan 2014 14:31:37 GMT
  Server: Microsoft-IIS/7.0
  X-Powered-By: ASP.NET
  Elapsed Time: 45518 ms.

Author Comment

by:tech53
ID: 39806615
Testing HTTP Authentication Methods for URL https://remote.mydomain.com/rpc/rpcproxy.dll?exchange:6002.
  The HTTP authentication test failed.


Where is this set?  Should I change it?  Why would changing a cert cause this?

Author Comment

by:tech53
ID: 39806937
JJ,

I have had to remove the RPC function from Exchange, disable Outlook Anywhere and reinstall/restart.

Then adjust the SSL settings on the RPC virtual directory in IIS to not force 128-bit SSL connections.

All good now. Thanks a million.

Just to finish off now, and back to the ISA box - it is currently disconnected and the configuration is exactly as it was.  Should I give it a different local IP, reconnect it and remove it from the domain or can I just repurpose it as it stands?

Cheers
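A way to check the Outlook Anywhere path from the server side before reaching for ExRCA, covering the three things the thread ended up touching: the Outlook Anywhere configuration, the SSL flags on the /Rpc virtual directory, and what an unauthenticated client gets back from rpcproxy.dll. This is an added example for this page, not code from the thread or from JJ; it assumes PowerShell 2.0 on the CAS, the server name EXCHANGE, and uses the thread's placeholder host name remote.mydomain.com.

```powershell
# Added example, not from the original thread. PowerShell 2.0 on the Exchange
# 2007 CAS (Exchange Management Shell for step 1). Placeholders: EXCHANGE and
# remote.mydomain.com.
$cas = "EXCHANGE"
$url = "https://remote.mydomain.com/rpc/rpcproxy.dll"

# 1. Outlook Anywhere as Exchange sees it (external host name, auth method).
Get-OutlookAnywhere -Server $cas | Format-List

# 2. SSL requirements on the /Rpc virtual directory. appcmd.exe ships with
#    IIS 7.0 on every Server 2008; the WebAdministration module only on R2.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
& $appcmd list config "Default Web Site/Rpc" /section:system.webServer/security/access
# The poster's change, for reference: keep SSL required but drop the 128-bit
# flag, i.e. sslFlags "Ssl,Ssl128" -> "Ssl". Check the listing above first.
# & $appcmd set config "Default Web Site/Rpc" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

# 3. What an unauthenticated client sees. A healthy RPC proxy answers an
#    anonymous GET with 401 plus a WWW-Authenticate header (Basic/NTLM); that
#    is what ExRCA's HTTP-authentication test reads. A 500, as in the thread,
#    means the proxy ISAPI failed before authentication even started.
function Test-RpcProxy {
    param([string]$Target)
    $req = [System.Net.HttpWebRequest]::Create($Target)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false
    $req.Timeout = 15000
    $status = 0; $auth = ""
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }   # DNS, TLS or connect failure: no HTTP answer at all
        $status = [int]$resp.StatusCode
        $auth   = $resp.Headers["WWW-Authenticate"]
        $resp.Close()
    }
    New-Object PSObject -Property @{
        Url             = $Target
        Status          = $status
        WWWAuthenticate = $auth
        Healthy         = ($status -eq 401 -and -not [string]::IsNullOrEmpty($auth))
    }
}
Test-RpcProxy -Target $url | Format-List
```

Run step 3 from a machine outside the LAN as well as on the CAS itself: if the internal probe returns 401 with Basic/NTLM and the external one returns 500 or times out, the problem is in front of IIS (firewall or the remaining TMG rules), not in the RPC proxy.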

Expert Comment

by:Jamie McKillop
ID: 39806945
Glad to hear you got it working. I would just repurpose the ISA server as it stands. ISA doesn't store any configuration info in AD, so there is no need to uninstall it.

-JJ

Author Closing Comment

by:tech53
ID: 39807265
Thanks JJ for sticking with me on this. All good now. Cheers.