Thursday, June 21, 2012

WHY the ClientAccessArray name is internal ONLY

 

When deploying Exchange 2010 it is recommended to configure a CAS array (Client Access Server array). A CAS array is recommended even if you have only one CAS, or a single multi-role Exchange server, in your deployment plan: every mailbox database created afterwards picks up the array FQDN as its RpcClientAccessServer, so Outlook profiles point at the array name rather than at an individual server.

I wanted to reiterate why the FQDN of the CAS array should be resolvable only via internal DNS and should not be exposed to the outside.

The short answer is to prevent a delay on Outlook clients when they are outside the network and trying to connect. Now let's look into this a bit deeper and try to understand what it means to us.

When a client opens Outlook, Outlook first tries to resolve the home server property configured in the profile. With a CAS array in place that is the array FQDN, something like outlook.internal.local. Outlook then checks the TCP/IP configuration of the workstation to find out which DNS server to talk to and asks that server for the IP address of outlook.internal.local.

Outlook opens up internally:

  • It resolves the "home server property" outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack and DNS settings defined on the workstation)
  • It asks for the IP address of "outlook.internal.local" (we assume this is what is configured in the Outlook profile)
  • The answer comes back from the internal DNS server: outlook.internal.local = 192.168.1.100 (the VIP in front of the CAS servers)
  • Outlook now opens TCP 135 (the RPC endpoint mapper) to 192.168.1.100, the connection succeeds, and Outlook talks RPC/TCP from there on

 

image

Outlook opens up externally (CAS ARRAY NAME IS resolvable from outside):

 

  • It resolves the "home server property" outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack and DNS settings defined on the workstation)
  • It asks for the IP address of "outlook.internal.local" (we assume this is what is configured in the Outlook profile)
  • It gets the IP 165.164.163.100 (assuming the CAS ARRAY NAME IS PUBLISHED OUTSIDE)
  • Outlook now attempts to open TCP 135 to this destination, 165.164.163.100
  • The firewall in front of the destination network will most likely not allow TCP 135 from the Internet to the VIP of the CAS array
  • If the firewall silently drops the packets instead of rejecting them, Outlook sits on that TCP connection attempt until it times out; this is the wait the user sees
  • Only then does Outlook fall back to Outlook Anywhere (RPC over HTTP) and try port 80 (HTTP)
  • Outlook cannot connect, because port 80 is most likely not allowed from outside either
  • Outlook FINALLY attempts port 443 (HTTPS), gets through the firewall of the destination network and establishes the connection, and the time spent on the two failed attempts is where you see the "DELAY"

Outlook opens up externally (CAS ARRAY NAME IS NOT resolvable from outside):

  • It resolves the "home server property" outlook.internal.local
  • It finds out which DNS server to talk to (TCP/IP stack and DNS settings defined on the workstation)
  • outlook.internal.local does not resolve to any IP address
  • With nothing to open TCP 135 to, Outlook skips the RPC/TCP attempt and establishes the Outlook Anywhere HTTPS connection directly, using the external proxy name (for example mail.yourdomain.com) from the profile, not the CAS array name

The CAS array FQDN is only ever used for RPC/TCP; Outlook Anywhere has its own hostname, which is the one that belongs in public DNS. A quick check from a machine outside your network is nslookup outlook.internal.local: if it answers with an IP address, the name has leaked out.
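The following script is an added example, not part of the original post. It checks each CAS array FQDN the way Outlook would: it resolves the name with the local resolver (the inside view) and with a public resolver (the outside view), and if the name is visible from outside it times a TCP 135 and a TCP 443 connect so the delay described above becomes a number you can put in a ticket. Assumptions: PowerShell 3 or later on Windows 8 / Server 2012 or later (for Resolve-DnsName); Get-ClientAccessArray is only available in the Exchange 2010 Management Shell, otherwise pass the array names on the command line; 8.8.8.8 as the outside resolver is arbitrary.

```powershell
# Added example, not the post's own code. Resolves each CAS array FQDN from the
# inside and the outside and times TCP connects to what the outside answer gives.
param(
    [string[]] $Names = @(),            # CAS array FQDNs; empty = ask Exchange
    [string]   $OutsideResolver = "8.8.8.8",   # assumption: any public resolver will do
    [int]      $TimeoutMs = 5000        # how long Outlook-like connects wait before giving up
)

if (-not $Names) {
    # Requires the Exchange 2010 Management Shell
    $Names = Get-ClientAccessArray | ForEach-Object { $_.Fqdn }
}

function Resolve-A {
    # A records for $Name; with -Server, bypass the local cache/hosts file (-DnsOnly)
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = "A"; ErrorAction = "SilentlyContinue" }
    if ($Server) { $p.Server = $Server; $p.DnsOnly = $true }
    @(Resolve-DnsName @p | Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress })
}

function Measure-TcpConnect {
    # Open=$false after $TimeoutMs of silence is exactly what Outlook experiences when a
    # firewall drops TCP 135 instead of sending a reset.
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($open) { $client.EndConnect($ar) }      # throws on an active refusal
    } catch { $open = $false }
    finally { $sw.Stop(); $client.Close() }
    [pscustomobject]@{ Open = [bool]$open; Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1) }
}

foreach ($fqdn in $Names) {
    $inside  = Resolve-A -Name $fqdn
    $outside = Resolve-A -Name $fqdn -Server $OutsideResolver
    Write-Host "`n$fqdn"
    Write-Host "  inside view : $(if ($inside)  { $inside  -join ', ' } else { '(no answer)' })"
    Write-Host "  outside view: $(if ($outside) { $outside -join ', ' } else { '(no answer)' })"

    if (-not $inside)  { Write-Warning "$fqdn does not resolve internally; internal Outlook cannot use RPC/TCP" }
    if ($outside) {
        Write-Warning "$fqdn is resolvable from the Internet; external Outlook will try RPC/TCP 135 first"
        foreach ($ip in $outside) {
            foreach ($port in 135, 443) {
                $r = Measure-TcpConnect -Target $ip -Port $port
                Write-Host ("  {0}:{1,-3} open={2,-5} after {3}s" -f $ip, $port, $r.Open, $r.Seconds)
            }
        }
    }
}
```

Run it once from a workstation inside the network and once from outside (or from a machine using only the public resolver). A healthy deployment shows an inside answer, "(no answer)" for the outside view, and therefore no timing lines at all; if the outside view does answer, the seconds reported for port 135 are roughly the delay your external users complain about.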

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Thursday, June 14, 2012

Allowing application servers to relay off Exchange Server 2010

Scenario: you have an application server (printer, application, etc.) that needs to relay off your internal Exchange 2010 server.

Platform:

Exchange 2010 HUB server 10.10.10.31
Application Relay Server 10.10.10.162

Task: allow the application relay server to relay off the Exchange 2010 HTS (Hub Transport Server).

Log onto the Exchange 2010 HTS server, open the EMC and, under Server Configuration, create a new Receive connector for the application relay (follow the video):

  • New Receive Connector, give it a name
  • Specify the FQDN for this connector, next
  • Modify who can relay off this connector (the remote IP range: enter only the application server's address, 10.10.10.162, so nothing else on the network can use it), next, finish
  • Set the authentication and permission groups on the new connector

 

image

 

We have done the first part; now we will test the application relay. Log on to the application server and open a command line: we will telnet on port 25 from the application server to the HUB server and send mail from the command line (HELO, MAIL FROM, RCPT TO, DATA). If the mail is received, your application will work; if RCPT TO comes back with "550 5.7.1 Unable to relay", the session landed on the wrong connector or the permissions are not in place yet. Before we get going, make sure port 25 from the application server to the HTS server is NOT BLOCKED; common issues are antivirus software blocking the port, or a host or network firewall.
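Here is the same procedure as an added PowerShell example (not the post's own script): the connector created from the Exchange Management Shell instead of the EMC, and then the telnet conversation done from the application server with the reply codes checked. It uses the post's addresses (HUB 10.10.10.31, application server 10.10.10.162); the server name HUB01, the connector name and FQDN, and the sender/recipient addresses are assumptions.

```powershell
# Added example, not from the post. Part 1 runs in the Exchange Management Shell on
# the Hub Transport server; Part 2 runs on the application server.

# ---- Part 1: create the relay connector on HUB01 (assumed name) ----
# RemoteIPRanges is the security boundary. Exchange hands a session to the receive
# connector whose RemoteIPRanges matches the source IP most specifically, so this
# connector is used only for 10.10.10.162. Widening it to a subnet makes every host
# in that subnet an authorised open relay.
New-ReceiveConnector -Name "App Relay 10.10.10.162" -Server "HUB01" -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.10.10.162" `
    -Fqdn "hub01.internal.local" -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Anonymous users normally get submit rights only: mail to internal recipients is
# accepted, mail to external ones gets "550 5.7.1 Unable to relay". Granting
# ms-Exch-SMTP-Accept-Any-Recipient on THIS connector only is what turns it into a relay.
Get-ReceiveConnector "HUB01\App Relay 10.10.10.162" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# ---- Part 2: the telnet test, scripted, from the application server ----
function Test-SmtpRelay {
    param(
        [string]$Server = "10.10.10.31", [int]$Port = 25,
        [string]$HeloName = "app.internal.local",     # assumption
        [string]$From = "app@internal.local",         # assumption
        [string]$To = "someone@example.com"           # EXTERNAL recipient, so RCPT TO exercises relay
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)   # throws if port 25 is blocked
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Read one (possibly multi-line) SMTP reply, echo it, return its 3-digit code
    $reply = {
        do { $line = $reader.ReadLine(); Write-Host "S: $line" }
        while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        [int]($line.Substring(0, 3))
    }
    $send = { param($cmd) Write-Host "C: $cmd"; $writer.WriteLine($cmd); & $reply }

    try {
        if ((& $reply) -ne 220)                      { throw "no 220 banner: wrong host, or port 25 filtered?" }
        if ((& $send "EHLO $HeloName") -ne 250)      { throw "EHLO rejected" }
        if ((& $send "MAIL FROM:<$From>") -ne 250)   { throw "MAIL FROM rejected" }
        $code = & $send "RCPT TO:<$To>"
        if ($code -ne 250) {
            # 550 5.7.1 here means the session did not land on the relay connector
            Write-Warning "Relay denied ($code): check RemoteIPRanges and the Accept-Any-Recipient right"
            return $false
        }
        if ((& $send "DATA") -ne 354)                { throw "DATA rejected" }
        $body = "Subject: relay test from $HeloName`r`n`r`nIt works.`r`n."   # WriteLine adds the final CRLF
        if ((& $send $body) -ne 250)                 { throw "message not accepted" }
        & $send "QUIT" | Out-Null
        return $true
    }
    finally { $client.Close() }
}

Test-SmtpRelay
```

Run Part 2 a second time from any host other than 10.10.10.162: RCPT TO to the external address must now return 550 5.7.1. If it returns 250, the session is matching a connector with a wider remote IP range than intended, and you have an open relay for that host.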

 

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Monday, June 11, 2012

TMG 121 The semaphore timeout period has expired.

 

Error Code: 500 Internal Server Error. The semaphore timeout period has expired. (121)

If you are working on a TMG server and Exchange 2010 scenario and receiving the above error, verifying a couple of things may save the day.

Check your static route table and make sure there is no loop causing this issue. Delete all your static routes and add them back one by one, make sure each static route is persistent, and make sure the TMG Internal network definition (the address ranges of the internal NIC) includes these networks.

image

On Windows 2008 use netsh (route add: Windows 2008 may not honor a static route added with route add, even though the route appears to be there in the GUI).

NetSH Interface ip show route

image

Let's assume we have two interfaces:

image

The inside interface talks to Active Directory. This interface does not have a DGW (default gateway), hence we need a static route to tell TMG how to reach back to this network.

The outside interface talks to the outside. This interface has the DGW (default gateway). OK: if the next hop on the inside network is 10.80.3.1 and we are trying to reach 10.80.3.102, then the netsh command is as follows (replace the IP addresses with ones that suit your own environment):

netsh Interface ipv4 add route 10.80.3.102/32 "inside" 10.80.3.1 store=persistent

image

*The netsh command assumes, unless otherwise specified in the command, that the route being added is persistent (store=persistent is the default). We added the persistent statement anyway (-:

To delete a static route (interface name and addresses from your own environment):

netsh interface ipv4 delete route 10.0.0.0/8 "Internal" 10.0.0.5

See the static routes:

netsh interface ip show route

Reset all TCP global parameters to their defaults (very powerful, it undoes every netsh interface tcp set global tuning on the box; the heavier netsh interface ip reset rebuilds the IP stack and needs a reboot):

netsh interface tcp reset
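The following is an added example, not from the post, that wraps the netsh commands above in the checks you want before and after adding the route: no second route for the same prefix (two persistent routes with different next hops or interfaces is how the loop described above gets created), the route present in both the persistent and the active store, and a ping to prove the packets get there. It uses the post's values (interface "inside", next hop 10.80.3.1, destination 10.80.3.102), must run elevated on the TMG server, and its text matching assumes English netsh output.

```powershell
# Added example, not the post's own code. Values below are the post's; change them.
$Prefix    = "10.80.3.102/32"
$Interface = "inside"
$NextHop   = "10.80.3.1"

function Get-RouteLines {
    # Lines of the persistent or active IPv4 route table that mention $Prefix
    param([ValidateSet("active", "persistent")][string]$Store)
    @(netsh interface ipv4 show route store=$Store | Where-Object { $_ -match [regex]::Escape($Prefix) })
}

# 1. Refuse to add a duplicate. Clean up first, then add routes back one by one.
$before = Get-RouteLines -Store persistent
if ($before) {
    Write-Warning "Persistent route(s) for $Prefix already exist; delete them before re-adding:"
    $before | ForEach-Object { Write-Host "  $_" }
    return
}

# 2. Add the route persistently (the default, spelled out so intent is visible in the script)
netsh interface ipv4 add route $Prefix $Interface $NextHop store=persistent

# 3. It must be in BOTH stores: persistent survives a reboot, active is what the stack uses now.
foreach ($store in "persistent", "active") {
    $lines = Get-RouteLines -Store $store
    if ($lines) { Write-Host "$store store: OK"; $lines | ForEach-Object { Write-Host "  $_" } }
    else        { Write-Warning "$store store: no route for $Prefix" }
}

# 4. Prove the inside network is actually reachable through the new route
$dest = $Prefix -replace '/\d+$', ''
$ping = Test-Connection -ComputerName $dest -Count 2 -ErrorAction SilentlyContinue
if ($ping) { $ping | Select-Object Address, IPV4Address, ResponseTime }
else       { Write-Warning "$dest did not answer: route present but next hop $NextHop is not forwarding?" }
```

If step 3 shows the route in the persistent store but not the active one, that is the Windows 2008 behaviour mentioned above (the route exists on paper but is not being used); re-add it with netsh rather than route add, or reboot.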

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)