In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

Progress on the migration has been a little slow over the past week given a few other things I’ve had to pay attention to, but I’m now in a position to move a small group of mailboxes to finalise testing before a mass migration of mailboxes.

I have tested mail flow in and out of the organisation by configuring the SMTP relay server in the DMZ to pass SMTP traffic into the Exchange 2007 hub transport servers. Once the client is happy to direct inbound SMTP through the hub transport servers this will only take a few changes on the MIMEsweeper server.

Thanks to Aaron Tiensivu, I’ve noticed that McAfee VirusScan is still scanning disks that I’ve configured for exclusion. To fix this, I’ll have to add “\Device\HarddiskVolume*” to the exclusion list to stop this behaviour and ensure critical Exchange files are not scanned.

Update: Because I’ve moved to London I’m no longer working on this project but I’ve have handed it over to Paul. Be sure to check out his blog for any Exchange related posts, such as this one e-mail address policies.

Diary of an Exchange 2007 Upgrade: Part 6 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

Since I’ve got the CCR cluster running I’ve run some performance tests with JetStress to get an idea of how the disk subsytem will cope. I ran a 24 hour test with 6 databases of 60 GB each. JetStress has returned the tests with a pass. The test resulted in an average CPU usage of 25%, a little over 4GB of free RAM and disk stats looks fine as well, so I think the sizing of the servers has gone well. If network becomes an issue we can add a second adapter to each server to increase performance. Here’s the output from the JetStress test to get an idea of how this system looks.

I have also installed an internal PKI installation to provide certificates for some of the Exchange roles, replacing the certificates generated during Exchange setup. The PKI installation involved installing an Enterprise Root Certificate Authority in the parent domain and a Subordinate Enterprise Certificate Authority in the sub-domain containing the user accounts and resources including the Exchange servers. The subordinate CA is being used to assign certificates, whilst the root CA will only be used to assign certificates to subordinate CAs. 

Applying certificates to particular roles in Exchange 2007 is a fairly simple process with the new Exchange Management Shell. This can be done in a two part process. First find the thumbprint of the applicable certificate (details have been changed to protect the innocent):

[PS] C:\>dir cert:\LocalMachine\My | flSubject      : CN=smaug1.corp.company.local
Issuer       : CN=Company Subordinate Enterprise CA, DC=corp, DC=company, DC=local
Thumbprint   : A9FA90232D2F334BE633FE99295A3528687160B2
FriendlyName :
NotBefore    : 05/06/2007 13:27:48
NotAfter     : 04/06/2008 13:27:48
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.
               Oid, System.Security.Cryptography.Oid, System.Security.Cryptogra
               phy.Oid, System.Security.Cryptography.Oid, System.Security.Crypt
               ography.Oid, System.Security.Cryptography.Oid, System.Security.C
               ryptography.Oid}

Then using the thumbprint, we can assign this certificate to a number of roles on the CAS servers:

[PS] enable-ExchangeCertificate -thumbprint A9FA90232D2F334BE633FE99295A3528687160B2 -services “IIS,IMAP,POP”

I have also installed anti-virus software (McAfee GroupShield and VirusScan), there were no surprises there, the installation was straight-forward. Tomorrow we will be installing and configuring CommVault Galaxy for backup and restore. The challenge here will be understanding how this works in a CCR environment.

Mail flow, internal and external to the organisation, and free/busy data has been tested successfully. I’m now testing Outlook Web Access to ensure users don’t miss out on one of their favourite tools during the migration of mailboxes. More soon.

Diary of an Exchange 2007 Upgrade: Part 5 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

TechNet has an article on moving the database and log file paths for a Storage Group in an Exchange cluster running in a Cluster Continuous Replication environment, however it’s missing a couple of steps which are fairly important to the process.

If you attempt to move the database or log file locations on a clustered Exchange Server 2007 server you will receive the following error:

Error:
This operation cannot be performed on a remote server or a clustered mailbox server in a cluster continuous replication enviornment. Please use the -ConfigurationOnly option and then manually move the files.
Parameter name: ConfigurationOnly

Exchange Management Shell command attempted:
move-StorageGroupPath -Identity ‘exchsrvr\Second Storage Group’ -LogFolderPath ‘G:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group’

To move the file locations then you will have to change the configuration and move the files manually on both nodes, even though the page on TechNet indicates the command will move the files automattically. Here’s how I went through this process on a live system to move the log files.

In this example the server name is exchsrvr and the storage group name is First Storage Group. I’m moving the log files from F:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group to G:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group. All of these commands are run in the Exchange Management Shell.

On the Active node or the Passive node, suspend the copy of the storage group:

Suspend-StorageGroupCopy -Identity:'exchsrvr\First Storage Group'

On the Active node, dismount the database (or databases) in the storage group:

Dismount-Database -"Identity:'exchsrvr\First Storage Group\Mailbox Database'

On the Active node modify the configuration of the storage group to use the new path for the log files:

Move-StorageGroupPath -"Identity:'exchsrvr\First Storage Group' -LogFolderPath:'G:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group' -ConfigurationOnly

On the Active and Passive nodes, create the new folders to store the log files:

MD "G:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group"

On the Active and Passive nodes, move the log files to the new location. (The prefix for the log files for this storage group is E0):

Move "F:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\E0*.*" "G:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group"

On the Active node, mount the database:

Mount-database -"identity:'exchsrvr\First Storage Group\Mailbox Database'

On the Active or Passive nodes, resume the storage group copy process:

Resume-StorageGroupCopy -Identity:'exchsrvr\First Storage Group'

The process was surprisingly simple in the end, but it’s easy to say that now that I’ve done it at least once.

How to Move a Storage Group in a Cluster Continuous Replication Environment is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

I’ve fixed the issue I was having with the Majority Node Set cluster - it pays to check your information against more than one source. This particular issue was caused by disabling Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks on the heartbeat/private network adapater on each node in the cluster.

You would normally do this on a standard quorum cluster, however because a Majority Node Cluster does not use shared storage, each node needs to view cluster information via a UNC path on the other node or nodes. The following error was recorded in the cluster log file (C:\WINDOWS\CLUSTER\cluster.log):

000003bc.000007ec::2007/05/26-02:14:31.082 ERR  Majority Node Set <Majority Node Set>: CreateTreeConnection(10.10.12.2\878350f8-22f8-49ca-90ca-8d3d361df536$) returned 0xc00000be hdl 0xffffffff

Re-enabling those items on the network connection, immediately got the cluster back up and running. You can read more about configuration network connections for a CCR cluster on TechNet: How to Configure Network Connections for Cluster Continuous Replication

I’ve also now got the Exchange cluster up and running. The installation experience has been simplified since previous versions of Exchange and is now a no brainer. Installing the active and passive nodes is just a matter of selecting the Active or Passive Clustered Mailbox Role during installation.

The next phase for this project is testing the new Exchange servers – mail flow, cluster failover and performance and ensuring features such as Address Books and Free/Busy information can be seen during the migration of mailboxes.

This morning I had a meeting with a few member of the clients’ IS team including the IT Manager in which we discussed the progress thus far and the impacts of starting the migration of mailboxes. I am very keen to ensure testing is successful before moving mailboxes; however the IT Manager is also keen to see the solution up and running. We need to ensure the solution will work and the client needs the project to be on budget, so there is definitely a balance to be struck here.

Next up will be my experiences with testing load on the servers and intial migration of some of the organisation’s services such as Outlook Web Access.

Diary of an Exchange 2007 Upgrade: Part 4 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

Things will be quiet on the Exchange front for the next few days as I’m delivering ISA Server training to some of the other engineers, but I’ll be back into Exchange on Monday.

On Exchange though, I’ve been having some issues getting the cluster up and running. I’m using a Majority Node Set cluster with a File Share Witness to host Cluster Continuous Replication, a new feature of Exchange Server 2007. Unfortunately the cluster breaks after configuration and restarting the cluster service, and consistently too. So on Monday I’ll have to dig deeper to find a solution. More after then.

Diary of an Exchange 2007 Upgrade: Part 3 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

In this second entry I want to tell you about the operating system installation and the initial Exchange Server install.

Operating System Installation

The installation of Windows didn’t quite go a smoothly as I had originally hoped. This client does not have any existing tools for automated installations of Windows, so I had planned to use Windows PE to install Windows Server from source files located on the network. This was a bit of a pain as there is no DHCP in this particular subnet and after problems with using Windows PE 2.0 to install Windows Server 2003, I decided to build the machines manually because I’d spent enough time on the OS install already. Not the ideal situation, but it got the job done.

After manually installing Windows Server 2003 R2 Enterprise Edition x64 to all four machines, I then installed the following updates:

• Internet Explorer 7.0 + KB931768
• .NET Framework 2.0 + KB926776
• MSXML 6.0 Parser
• Windows Server 2003 x64 Service Pack 2
• Windows PowerShell 1.0

Organisation Upgrade

Before moving too much further, I checked the Exchange 2007 readiness of the organisation with the Exchange Server Best Practice Analyser. The only issue found with the organisation was a recommedation to suppress link state changes. As this organisation is highly centralised, I’ve skipped making those changes and proceeded to updating the organisation. Updating the schema and preparing the domain was straightforward, no issuse there.

Client Access Servers

Installation of the Client Access, Hub Transport and Unified Messaging roles on the two IBM 336 was simple enough, but I ran into all sorts of trouble when I my concentration slipped and I accidently installed the Mailbox role on a server that wasn’t intended to be a mailbox server.

To remove the mailbox role, I first had to remove the Public Folder replicas contained on that server. Attempting to remove the role would produce this error:

Uninstall cannot proceed. Database ‘Public Folder Database’: The public folder database specified contains folder replicas. Before deleting the public folder database, remove the folders or move the replicas to another public folder database.

Removing the replicas proved to be difficult; I could get so far with the Remove-PublicFolder command so I ended up deleting the Public Folder store with ADSIEDIT so that I could remove the Mailbox role successfully. The Exchange team have a lot to answer for in regards to Public Folder management in Exchange 2006 RTM.

Where To Next?

Now that the CAS, HT and UM rules are in place, the next step is to get the clustered Mailbox role up and running. My next entry will detail that process.

Diary of an Exchange 2007 Upgrade: Part 2 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

In This Series: Diary of an Exchange 2007 Upgrade

1. Diary of an Exchange 2007 Upgrade: Part 1
2. Diary of an Exchange 2007 Upgrade: Part 2
3. Diary of an Exchange 2007 Upgrade: Part 3
4. Diary of an Exchange 2007 Upgrade: Part 4
5. Diary of an Exchange 2007 Upgrade: Part 5
6. Diary of an Exchange 2007 Upgrade: Part 6

Dear Diary,

I am currently in the process of upgrading an Exchange Server 2003 organisation to Exchange Server 2007, so I thought it might be a good idea to tell you about my experience whilst I perform the upgrade. This will mostly be in point format but I’ll expand on some points where required.

Where Are We At?

At this stage the organisation consists of:

• A single forest with one parent domain (holding two DCs) and a child domain (with four DCs) with all users, computers and resources
• All DCs run Windows Server 2003 and the domain is set to Windows 2000 Native mode
• Approximately 1100 users
• Two front-end servers running Exchange Server 2003 Enterprise Edition
• Two back-end servers running Exchange Server 2003 Enterprise Edition
• One server in a separate Windows 2000 domain running Exchange Server 5.5
• All Exchange 2003 servers are located in a single data centre
• An SMTP relay host in the DMZ running MIMESweeper
• Almost 100% of the clients connect via Outlook 2003 from a Terminal Server, so there are no cached-mode clients
• Remote access to Outlook Web Access is provided via Citrix Access Gateway Advanced 4.2. At this stage, Access Gateway does not work with Outlook Web Access 2007

Even though there are next to no cached-mode clients, the existing servers are not stressed and the actual amount of e-mail moving around and in and out of the organisation is low.

Where Are We Going?

To upgrade this organisation, we are migrating to this (the server hardware has been reallocated to this project from previous roles):

• Two IBM xSeries 336 server running Windows Server 2003 R2 Enterprise Edition x64 SP2 on dual Intel Xeon 3GHz CPUs with 4 GB of RAM. These servers will run the CAS, HT and UM roles.
• Two IBM xSeries 346 servers running Windows Server 2003 R2 Enterprise Edition x64 SP2 on dual Intel Xeon 3GHz CPUs with 8 GB of RAM. These servers will be clustered to run the new Cluster Continuous Replication model for Exchange 2007
• At this stage we won’t be installing an Edge Transport server because the anti-spam/anti-virus software in the DMZ doesn’t support Exchange 2007
• Mailboxes on the Exchange 5.5 server will be migrated using EXMERGE

In the next entry I’ll detail installation of the OS, update of AD and install of Exchange and some lessons learnt.

Diary of an Exchange 2007 Upgrade: Part 1 is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

During a migration from Exchange Server 2003 to Exchange Server 2007 you need to add the Exchange 2007 server to replicas for each of the Public Folders (as you would need with any Exchange server migration) and this includes the System folders as well.

In our case I missed the SCHEDULE+ FREE BUSY folder. This resulted in Outlook 2003 clients unable to see Free/Busy information when creating a meeting request. The user would see this error in Outlook when attempting to see another users schedule:

no free/busy information could be retrieved

In addition to this, the following error was logged on the Exchange Server:

Event Type: Error
Event Source: MSExchangeFBPublish
Event Category: General
Event ID: 8207
Date: 8/05/2007
Time: 3:16:17 PM
User: N/A
Computer: EXCHSVR
Description:
Error updating public folder with free/busy information on virtual machine exchsrvr. The error number is 0×80004005.

After a bit of digging around, it occurred to me that I’d missed adding the new server to the Public Folder replicas. To add the replicas you will need to get the list of the sub-folders of the SCHEDULE+ FREE BUSY folder. You can see this list with this command (replace exchsrvr with the name of your server):

Get-PublicFolder -server exchsvr "\non_ipm_subtree\SCHEDULE+ FREE BUSY" -recurse | Format-List

Then to add the replicas run these commands (you’ll have to add your own server and organisation names):

Set-PublicFolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=Company/ou=First Administrative Group" -Replicas "exchsrvr\Public Folder Database"
Set-PublicFolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)" -Replicas "exchsrvr\Public Folder Database"

Once I did this and ran OUTLOOK.EXE /cleanfreebusy, so I didn’t have to wait for the free/busy data to be published, all was well.

Exchange Server 2007 and Public Folder Replicas is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

I’ve upgraded our internal Exchange organisation over the last week and I’ve got to say Exchange 2007 is a completely different ball game. Now for seasoned Exchange architects and administrators a lot of the Exchange 2007 upgrade process is probably not new, but for those of us who don’t look after Exchange full time it’s a steep learning curve. The biggest challenges for me have been around the new Exchange Management Shell. I think the implementation of PowerShell as the basis for all Exchange management is a good thing – there’s nothing like being able to paste the exact command line into your change log. However there’s been a couple of issue that I’ve got with Exchange 2007:

1. The lack of detailed command line examples; and
2. The stuff that’s been removed from the GUI since Exchange 2003.

Here’s an example. After upgrading to Exchange Server 2007, you need to upgrade the e-mail address policies. Now upgrading the Default Policy, this is straight-forward, this is done with the following command:

Set-EmailAddressPolicy “Default Policy” –IncludedRecipients AllRecipients

Note that command doesn’t actually upgrade the policy, it recreates it. Why there isn’t and upgrade option I don’t know. So what happens when you want to “upgrade” a custom e-mail policy? Well you can use the wizard to create a new policy, but what do you do when you need to create a policy that uses a custom attribute (i.e. and LDAP query). In Exchange 2003 there was a nice GUI that you could use to construct the LDAP query:

Now in Exchange 2007 there is no query builder, instead you get just this:

Then check out the documentation on the Set-EmailAddressPolicy command. There’s actually no detail there about what a custom attribute is let alone a link to how to create one. How’s that for a kick in the teeth?

So it looks like I’ll be learning about it more about LDAP queries (or maybe just keeping an Exchange 2003 server around in VM instead). After a bit of digging I’ve found a few links about LDAP queries, but let’s home Microsoft have something better in store for Exchange 2007 SP1.

• LDAP Query Basics
• How to write a LDAP search filter
• Softerra LDAP Administrator 3.4 (This has some LDAP query functionality but I’ve only test the free version which doesn’t have this functionality)

Even though I’m disappointed in the lack of clear documentation I am looking forward to being able to completely manage Exchange from the command line because deep down, I’m a command line kinda guy.

An Exchange 2007 Upgrade Is Like a Poke in the Eye is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

We recently had client with a requirement to provide Outlook Web Access and Exchange over the Internet/Outlook Anywhere (RPC over HTTPS) access using a single IP address on ISA Server. The problem with making both of these services available on a single IP address is that both utilise HTTPS which by default is TCP 443. RPC over HTTPS with Outlook can’t use an alternate port – if you attempt to specify and alternate port Outlook UI you receive the following error:

The proxy server you have specified is invalid. Correct it and try again.

Therefore the solution was to provide Outlook Web Access on an alternate port (TCP 444), whilst leaving RPC over HTTPS on TCP 443. In this case we setup a web publishing rule that used a web listener using TCP 444 pointing to the internal Exchange server configured to accept HTTPS on TCP 443. However, we found that users would receive the following error messages in the browser when moving or deleting e-mail messages:

“Moving or copying items between Exchange servers is not supported” and “502 Bad Gateway”

The solution to this was to configure IIS on the Exchange server to use TCP 444 for HTTPS/SSL and reconfigure the ISA Server web publishing rule to specify TCP 444 for SSL for the web listenter and the published server. I presume this has something to do with the dynamic nature of the Outlook Web Access application, but I’ve not had a chance to investigate any deeper.

Publishing Outlook Web Access on an Alternate Port is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

After performing two Exchange disaster recoveries in as many months, I’ve come up with a list of Fifteen Ten Commandments for Exchange Server

1. Thou shalt not place the log files and databases on the same physical disks
2. Thou shalt not store the log files or the databases on the system partition
3. Thou shalt use redundant paths to the SAN on which the logs files or databases are stored
4. Thou shalt not use a domain administrator account to backup the information stores or mailboxes
5. Thou shalt not run the backup server services as the domain Administrator
6. Thou shalt not run Exchange Server on a domain controller if thou wishest to recover the server quickly
7. Thou shalt run full backups to flush the Exchange log files and commit them to the database
8. Thou shalt use the Exchange Server Best Practices Analyser tool
9. Thou shalt run an application level firewall to protect Outlook Web Access
10. Thou shalt not covet thy neighbour’s Lotus Notes server

The Ten Commandments of Exchange Server is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Outlook Web Access can be protected with an extra layer of authentication via RSA SecurID. This can be implemented in one of two ways:

1. ISA Server 2004
ISA Server 2004 implements the SecurID Web Filter that allows ISA Server to authenticate connections before providing access to published web servers. See the ISA Server help for information, but the requirements are:

1. The RSA ACE Client does not need to be installed on the server. ISA Server comes with it’s own RSA ACE client DLLs and thus does not require the client installation. All that is required is to create the agent host and copy SDCONF.REC to %SYSTEMROOT%\SYSTEM32
2. The Network Service account must have read/write access to the following registry key: HKLM\Software\SDTI\ACECLIENT.

There are two issues with this implementation:
- The user will be prompted with an RSA authentication prompt; and
- The RSA authentication web page is not customisable.

2. RSA Web Agent for IIS
The RSA Web Agent for IIS, installed on the Exchange Server, offers authentication directly from IIS and also offers a ‘single sign-on’ solution.

RSA Authentication Agent 5.3 for Web for Internet Information Services
http://www.rsasecurity.com/node.asp?id=2807

The download contains the Agent software and a PDF file (WebAgent_IIS.PDF) for implementing RSA authentication on protected web pages. Page 51 of the PDF contains configuration information for implementing the single sign-on solution for Outlook Web Access. The information listed in the document is fairly straight-forward, however where it mentions Exchange System Manager to configure the HTTP Virtual Server, it should say IIS Manager.

There are a few things to be aware of when implementing this solution:

Requirements
- The Exchange server/s must be running Exchange Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 1;
- The domain must be at Windows Server 2003 Functional Level;
- Although the RSA documentation discusses implementing this solution in a front-end/back-end scenario, this solution will work in an environment without front-end servers.

Installation
- After installing the RSA Web Agent software, IIS may need to be restarted (IISRESET) before RSA Authentication will work. The web browser may report ’500. Internal Server error’;
- Create a second virtual server in IIS on the Exchange Server before implementing RSA auth. In this way, RSA can be implemented without affecting the existing Default Web Site and OWA will continue to work. This also allows for internal access to OWA via Integrated authentication and and external site with RSA auth for publishing;
- To create the virtual server, right click the Default Web Site and select All Tasks/Save Configuration to a file. Use this configration file to create a new site: right click Web Sites and select New/Web Site (from file). Provide access to this site via a second IP address or use host headers;
- Test that standard RSA authentication works before implementing the single sign-on configuration;
- After configuration anonymous access to OWA as per the RSA documentation, check the directory access to the following file, otherwise users will be prompted with an authentication prompt when they logoff from OWA: /exchweb/bin/USA/logoff.asp;

UPDATE: I forgot to add a third method of adding RSA authentication to OWA: RSA ClearTrust. ClearTrust is better integrated into the authentication than the Web Agent, however this requires additional cost above the standard RSA SecurID Authentication.

UPDATE #2: There’s a much better way to protect OWA with RSA authentication now that ISA Server 2006 has been released. Check out my post here.

Protecting Outlook Web Access with RSA authentication is post from stealthpuppy.com. Except as noted otherwise, this work is ©2005-2010 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.