Configuring Exchange 2010 Services for using wildcard certificates

I have noticed that many people have problems configuring Exchange with wildcard certificates. The reason is probably that it is not possible to configure all services the same way; each one needs a specific configuration that the administrator has to think of. I’ll try to give you a comprehensive guide on how to configure the whole of Exchange with wildcard certificates.

Let’s start with SMTP and IIS. To see which certificates are enabled for which services, you can use the PowerShell cmdlet Get-ExchangeCertificate. You should run this command on the Exchange Server itself; running it from a remote PowerShell session will not show you the services enabled for a particular certificate.

[PS] C:\Users\administrator.IN\Desktop>Get-ExchangeCertificate
Thumbprint                                Services   Subject
----------                                --------   -------
BC413FCE3830A0D4CDF793BDD4E9F5AC1348E93A  ......
95C280E27ADF33C6A0D726C622DCDCCCA4A10272  ...WS.     CN=*, OU=Home, O=Home, L=MUC, S=BY, C=DE

Above you see the result of such a command: two certificates are installed on the server, one of which is enabled for IIS (W) and for the SMTP service (S). The certificate enabled for these services is a wildcard certificate. You enable a certificate with the command Enable-ExchangeCertificate -Services <services> -Thumbprint <thumbprint>, where you use the thumbprint of the certificate installed on the Exchange Server.

Normally you would also use this command to enable the certificate for other services like POP3 and IMAP4, but this is not possible with wildcard certificates. In that case you have to use Set-ImapSettings -X509CertificateName and Set-PopSettings -X509CertificateName respectively to enable a wildcard certificate on the Exchange Server.

[PS] C:\Users\administrator.IN\Desktop>Get-PopSettings
UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
------------------------  -----------                       ---------                         -------------------
{:::110,}     {:::995,}             SecureLogin             

Above you can see my POP settings and the enabled certificate. When running this command you shouldn’t use * as the certificate name; instead you need to enter the actual FQDN that your users will use to connect to Exchange.

Also for a federation trust you shouldn’t use the Enable-ExchangeCertificate cmdlet with a wildcard certificate. For that you can use the New-FederationTrust or Set-FederationTrust cmdlets instead.

Now that we have set the Exchange certificate, we need to make some adjustments to be able to connect to Exchange successfully with our clients. I assume the certificate used is a third-party one that is fully trusted by the clients, so we don’t need to add the certification authority’s certificate to Trusted Root Certification Authorities on each and every client device. So how can we connect with Outlook Anywhere using our new certificate? First we need to enable Outlook Anywhere on our Exchange Server; second we need to tell Exchange to use our wildcard certificate for Outlook Anywhere connections. We can do that with the PowerShell command

Set-OutlookProvider EXPR -CertPrincipalName msstd:*

We should also configure the Outlook client with the same settings. Although Outlook 2010 using Autodiscover should automatically set the correct settings in the user profile, it is a good idea to check that everything is correct.

This way we have configured Exchange to support a wildcard certificate. Now we can connect to OWA, POP3, IMAP4 and even Outlook Anywhere using secure connections.
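The whole procedure from this post, collected into one Exchange Management Shell script as an added example (this is not the author’s code). It assumes a certificate issued to *.example.com, a client-facing name of mail.example.com, and the thumbprint shown in the output above; it also adds a check the post does not include, verifying that the wildcard actually covers the FQDN before binding it, because a wildcard matches only one label.

```powershell
# Added example, not from the original post: enable a wildcard certificate for
# IIS/SMTP, POP3/IMAP4 and Outlook Anywhere on Exchange 2010.
# Thumbprint is the one from the post's Get-ExchangeCertificate output;
# the FQDN and domain are assumptions for this example.
$Thumbprint  = '95C280E27ADF33C6A0D726C622DCDCCCA4A10272'
$ServiceFqdn = 'mail.example.com'   # the name users type into their clients

function Test-WildcardCovers {
    # A wildcard CN (*.example.com) covers exactly one DNS label (RFC 6125 6.4.3):
    # mail.example.com matches, but example.com and a.b.example.com do not.
    # Assumes the subject is a simple comma-separated DN with no quoted commas.
    param([string]$Subject, [string]$Fqdn)
    $cn = $Subject -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if (-not $cn) { return $false }
    $cn = $cn.Substring(3)
    if (-not $cn.StartsWith('*.')) { return ($cn -eq $Fqdn) }   # plain (non-wildcard) name
    $suffix = $cn.Substring(2)
    $parts  = $Fqdn -split '\.', 2                               # ['mail', 'example.com']
    return ($parts.Count -eq 2 -and $parts[0] -ne '' -and $parts[1] -eq $suffix)
}

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not (Test-WildcardCovers -Subject $cert.Subject -Fqdn $ServiceFqdn)) {
    throw "Certificate $Thumbprint ($($cert.Subject)) does not cover $ServiceFqdn"
}

# IIS and SMTP: the generic cmdlet works with a wildcard certificate.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS,SMTP

# POP3/IMAP4: a wildcard must be bound by the FQDN, not by thumbprint or '*'.
Set-PopSettings  -X509CertificateName $ServiceFqdn
Set-ImapSettings -X509CertificateName $ServiceFqdn
Restart-Service MSExchangePOP3, MSExchangeIMAP4   # settings are read at service start

# Outlook Anywhere: tell Outlook which certificate principal name to expect.
$domain = ($ServiceFqdn -split '\.', 2)[1]
Set-OutlookProvider EXPR -CertPrincipalName "msstd:*.$domain"

# Verify the result.
Get-ExchangeCertificate -Thumbprint $Thumbprint | Format-List Thumbprint, Services, Subject
Get-PopSettings          | Format-List X509CertificateName
Get-ImapSettings         | Format-List X509CertificateName
Get-OutlookProvider EXPR | Format-List CertPrincipalName
```

Enable-ExchangeCertificate prompts before replacing the current default SMTP certificate, so run this interactively the first time. The coverage check matters because POP3/IMAP4 will accept any string for X509CertificateName; a name the certificate does not cover only shows up later as certificate warnings on the clients.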

Exchange 2010 Tracking Log for last 30 minutes

Here is a script I made to get a tracking log from Exchange hub transport server for last 30 minutes.

Get-MessageTrackingLog -EventId "RECEIVE" -Server hub2 -Start (((Get-Date -UFormat "%m-%d-%Y")`
+ " " + ((Get-Date).AddMinutes(-30)).ToLongTimeString())) | ft Sender, Recipients, MessageSubject, Timestamp

I’m using -UFormat for the date because it’s the most comfortable for me, but you can change it to a .NET Framework date format. You can also adjust how far back the logs are searched; just change the argument of .AddMinutes to something else.
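A generalised version of the script above, added here as an example (not the author’s code). It passes DateTime values to -Start and -End directly instead of building a string from today’s date, so a window that crosses midnight (for example 00:10 looking back 30 minutes) is handled correctly, and it queries every Hub Transport server by default. The function and parameter names are assumptions.

```powershell
# Added example, not from the original post: RECEIVE events from the last N
# minutes across Hub Transport servers. Assumes the Exchange Management Shell.
function Get-RecentReceiveLog {
    param(
        [int]$Minutes = 30,            # how far back to search
        [string[]]$Server = $null,     # default: every Hub Transport server
        [string]$EventId = 'RECEIVE'
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$Minutes)   # a DateTime, so 00:10 -> 23:40 of the previous day
    if (-not $Server) {
        $Server = Get-TransportServer | ForEach-Object { $_.Name }
    }
    foreach ($srv in $Server) {
        Get-MessageTrackingLog -Server $srv -EventId $EventId -Start $start -End $end -ResultSize Unlimited |
            Select-Object Timestamp,
                          @{ Name = 'Server';     Expression = { $srv } },
                          Sender,
                          @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } },
                          MessageSubject,
                          ClientIp      # which host handed the message to this server
    }
}

# Usage: last 30 minutes on all Hub servers, oldest first
Get-RecentReceiveLog -Minutes 30 | Sort-Object Timestamp | Format-Table -AutoSize
```

ClientIp is included deliberately: when investigating unexpected relay traffic it tells you which host submitted the message, which you can compare against the RemoteIPRanges of your receive connectors.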

Automatic Archive function in Cisco devices

Cisco devices include a useful function that automatically saves the current configuration to an archive. This can be a great starting point for backups of the configuration.

To use it you need to add statements like the following:

configure terminal
archive
 path tftp://<tftp-server>/$h-config
 write-memory

In configuration mode you enter the archive sub-mode, then add a path to your archive, which can be a TFTP or FTP server or even the flash file system on your switch or router. You can also use variables like $h for the hostname or $t for a time stamp. You can also schedule the times at which the configuration is automatically copied to the archive path. In the example above I chose the ‘write-memory’ statement, which means that every time the configuration is saved it is also automatically copied to the archive. The archive can hold many versions, and with ‘show archive’ you can list all of them and even choose which version you’d like to restore. Great feature, isn’t it?


Editing Multivalued Property with PowerShell

Do you have a Receive Connector with allowed IP addresses that need to be changed from time to time? Editing the connector in the Exchange GUI is one option, but there is a much better, faster and more convenient method.
Let’s say we have a receive connector on server “HUB1” called “Inbound SMTP Relay”, and we accept only certain IP addresses that can connect to the connector and send e-mail through it. Unfortunately we are not able to use any authentication on those hosts, so we are forced to use the “Remote IP Ranges” feature to apply at least a basic restriction on who can use our receive connector.

Let’s see some details from the output of the command:

Get-ReceiveConnector "hub1\*relay*" | fl
RemoteIPRanges            : {,,,}
RequireEHLODomain         : False
RequireTLS                : False
EnableAuthGSSAPI          : False
ExtendedProtectionPolicy  : None
LiveCredentialEnabled     : False
TlsDomainCapabilities     : {}
Server                    : HUB1
SizeEnabled               : Enabled
TarpitInterval            : 00:00:05
MaxAcknowledgementDelay   : 00:00:30
AdminDisplayName          :
ExchangeVersion           : 0.1 (8.0.535.0)

As we can see, four IP addresses are allowed to use the connector, so how can we add additional IPs to the list? Unfortunately RemoteIPRanges is a multivalued property, so you will not be able to edit it easily, but with PowerShell scripting using variables you can achieve your goal quite easily.

Below you’ll find an example of how I dealt with that.

$newIP= Read-Host "Add New IP Address"
$a=Get-ReceiveConnector hub1\*relay*
$a.RemoteIPRanges += "$newIP"
$a | Set-ReceiveConnector -RemoteIPRanges $a.RemoteIPRanges

1. The first line asks for the IP that should be added to the Receive Connector.
2. The second line creates a variable with the details of the current receive connector configuration.
3. The variable $a.RemoteIPRanges contains all IP addresses currently set for the connector; with “+=” we add the new IP address to it.
4. The last line pipes the receive connector object in $a to Set-ReceiveConnector with the -RemoteIPRanges parameter, which this time includes the updated list of IP addresses.

You can of course repeat the statements for another connector or even for the next server, and with one run you can update all your connectors at once.
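The multi-server variant the last paragraph suggests, written out as an added example (not the author’s code). Because RemoteIPRanges is the only thing restricting this anonymous relay, the function validates every address before it touches a connector, skips entries that are already present, and supports -WhatIf so the change can be previewed. The function name, server names and connector name are assumptions.

```powershell
# Added example, not from the original post: add IP addresses or CIDR ranges to
# the RemoteIPRanges of the same-named receive connector on several Hub servers.
function Add-ReceiveConnectorRemoteIP {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$Server,        # e.g. 'HUB1','HUB2'
        [Parameter(Mandatory = $true)][string]$ConnectorName,   # e.g. 'Inbound SMTP Relay'
        [Parameter(Mandatory = $true)][string[]]$RemoteIP       # '10.1.2.3' or '10.1.3.0/24'
    )

    # Validate everything up front: a typo would otherwise make Set-ReceiveConnector
    # fail halfway through the server list and leave the connectors inconsistent.
    foreach ($ip in $RemoteIP) {
        $addr, $prefix = $ip -split '/', 2
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
            throw "'$ip' is not a valid IP address or CIDR range"
        }
        $maxPrefix = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        if ($null -ne $prefix -and ($prefix -notmatch '^\d{1,3}$' -or [int]$prefix -gt $maxPrefix)) {
            throw "'$ip' has an invalid prefix length"
        }
    }

    foreach ($srv in $Server) {
        $connector = Get-ReceiveConnector "$srv\$ConnectorName" -ErrorAction SilentlyContinue
        if (-not $connector) {
            Write-Warning "Connector '$ConnectorName' not found on $srv, skipping"
            continue
        }
        # Simple duplicate check on the string form of each existing range
        $current = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $toAdd   = @($RemoteIP | Where-Object { $current -notcontains $_ })
        if ($toAdd.Count -eq 0) {
            Write-Verbose "$srv\$ConnectorName already contains all requested ranges"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$srv\$ConnectorName", "add $($toAdd -join ', ')")) {
            $ranges = $connector.RemoteIPRanges          # the multivalued property
            foreach ($ip in $toAdd) { $ranges += $ip }   # same += technique as in the post
            Set-ReceiveConnector -Identity $connector.Identity -RemoteIPRanges $ranges
        }
    }
}

# Usage: preview first, then apply (server and connector names are assumptions)
Add-ReceiveConnectorRemoteIP -Server HUB1,HUB2 -ConnectorName 'Inbound SMTP Relay' -RemoteIP '10.1.2.3','10.1.3.0/24' -WhatIf
Add-ReceiveConnectorRemoteIP -Server HUB1,HUB2 -ConnectorName 'Inbound SMTP Relay' -RemoteIP '10.1.2.3','10.1.3.0/24' -Verbose
```

Keeping the validation and the -WhatIf run is worth the extra lines: on an anonymous relay connector a mistyped range is not just a failed command but, if it happens to parse, a wider set of hosts allowed to send mail through your organisation.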