Migrating from Microsoft Exchange to Zimbra Collaboration Suite

The Zimbra Collaboration Suite Migration Wizard for Exchange is used to migrate Microsoft® Exchange server email accounts to the Zimbra server and to import the email, calendar, and contact information for the selected Exchange users. The import process replicates the user’s Outlook® folder hierarchy, importing email messages, calendars and contacts from the Exchange server. Any keywords are converted to tags in Zimbra.

Accounts from Microsoft Exchange 2000, 2003 and 5.5 can be migrated.

During the migration, the wizard performs the following tasks:


Note: Only email messages, calendars, and contacts, including personal distribution lists are imported from Outlook. Other Outlook types, such as meeting requests, notes, tasks, rules and alerts, and files are not imported.

Permissions Needed for the Zimbra Migration Wizard

The Zimbra Migration Wizard utilizes the Exchange MAPI provider. Therefore, you must run the migration wizard from a Microsoft Windows® computer that has either Outlook 2003, Exchange 2002 server or Exchange 2003 server installed. You will need to create a temporary MAPI profile for the Migration Wizard to use to conduct the migration. To create a new profile, refer to the Microsoft Office documentation.

When you run the Zimbra Migration Wizard, the wizard prompts you to select the MAPI profile that will be used to connect to the Exchange server. You must have full administrator privileges on the mailboxes to be imported.

Considerations for retaining domain name when migrating

If your users use the Calendar application, and you are not migrating all users to ZCS at the same time, configure ZCS with the same domain name as used on the Exchange server. When ZCS is configured with the same domain name, a user’s existing email address will be retained when the account migrates to ZCS.

Meeting requests and appointments contain recipient information in the form of email addresses. After migration, if the organizer of an appointment updates an existing appointment or if recipients reply to an invitation, the email address of the original message receives the notification. If the email address has been changed, the notification is not received.

Planning the Migration from Exchange to Zimbra

Before you attempt to migrate from the Exchange server, create a communication plan to notify users about the new Zimbra email program and to provide users with the new mail access information (Zimbra URL, login name, and password to use).

Zimbra recommends that you plan to perform the migration during off-peak use times. The Exchange server does not need to be stopped in order to migrate accounts. Any emails that are sent to or delivered from Exchange after the account is migrated are not saved in the Zimbra mailbox.

The migration wizard asks you questions in a series of dialog boxes about how to set up the new accounts. Before you start, you should determine:

After the accounts are created on the Zimbra server, the email messages, calendar entries, and contact information are imported. You configure the following rules about which files to import:


By default, messages larger than 10 MB will not be imported. The message size includes the message and attachments. If the message is larger than 10 MB, a warning is logged to the Migration Wizard log file, which can be reviewed from the Import Complete dialog when the migration is complete.

Note: You can modify the following registry key to change the default limit, “HKCU\Software\ZCSMigWiz\MaxAttachSizeMB”. The registry key should be specified in megabytes (MB). A value of 0 means no limit to the size of the message with attachments.

The import process makes a few assumptions regarding naming:

Using the Zimbra Migration Wizard

Even though the migration wizard can be run from start to finish without stopping, Zimbra recommends that after the accounts are migrated, you stop. Before proceeding, change the mail relay information to point to the Zimbra server instead of the Exchange server. This will prevent any lost mail while the files are being imported.

Note: After the files have been imported to the Zimbra server, verify that the import was successful before deleting the Exchange accounts.

How to Migrate Accounts and Import Email

The Zimbra Migration Wizard can be downloaded from the Zimbra Administration Download page.

Enter the following


Click Next.

Note: If you create the domain name after you started the wizard, click Refresh Domains to update the list from the Zimbra server.

Click Next.

Click Launch Profile Chooser to launch a standard Windows dialog box from which you can either choose an existing MAPI profile or create a new one, as described in the Microsoft Office documentation.

Click Next.


Note: The Object Picker is a Windows standard dialog. For Help on how to complete the dialog boxes, click the ? on the dialogs.




Note: The steps above are for the Exchange 6.0 Query Builder. If you are migrating from Exchange 5.5, the Query Builder dialog is different. You must enter the search base for the LDAP query and you must construct the filter to identify which mailboxes to import.


The COS defines the features and preferences for these accounts. Classes of Service that have been configured on the Zimbra server are listed. If you recently created a COS and it is not listed, click Refresh COS. New COSs are added to the list.

IMPORTANT: Included in this list are two COSs called default and None. The COS named default refers to the default COS that was automatically created when Zimbra Collaboration Suite was installed. The COS named None is used to represent a COS configured for the domain that is being migrated. Configuring a domain COS is optional. Select None to provision the accounts with the COS assigned to the domain. If None is selected and the domain has not been configured with a specific COS, the COS named “default” is automatically assigned.

In the Initial Password section, enter a default password. This is the password for every account that is created.

Note: If a password is not specified at the time of provisioning, after the migration you can either:

Click Next. The listed accounts are provisioned.

Note: If you do not want to create any of the accounts from this list, check Do not provision any users, and click Next. No accounts are created on the Zimbra server.

The provisioning of email accounts on the Zimbra server is complete. Before proceeding you should change the mail relay information for these users to point to the Zimbra server instead of the Exchange server. Any new email messages are sent to the Zimbra mailboxes.

Note: By default, messages larger than 10 MB will not be imported. The message size includes the message and attachments. To change the default, see  .

3 Ways to Migrate from Exchange 2003 to MDaemon

One of the biggest challenges you’re likely to come across if you’re considering upgrading from Exchange 2003 to an alternative email platform is how to move the colossal volumes of email you’re likely to have amassed over the years.

It can be a daunting prospect, but if you’re moving to MDaemon Messaging Server, the process is made considerably simpler than it might otherwise be, thanks to a free ‘MDMigrator’ utility that’s bundled in the installation folder.

It’s also possible to couple this migrator tool with an archiving solution like MailStore Server (special offer here for Exchange 2003 users), giving you a great opportunity to start afresh and to get the more unwieldy of mailboxes under control.

In this post I’ll take a look at each of the approaches…

Option 1: Migrate everything using the free MDMigrator tool

If you want to move absolutely everything across from your Exchange 2003 installation, straight to MDaemon, the free MDMigrator tool is a great way to do it and will save you countless hours by automating the process almost entirely.

The free MDmigrator will import and migrate:

  • User accounts
  • Email messages
  • Calendar entries
  • Contacts, tasks and notes
  • Public folders
  • Distribution lists

It copies all of the mailboxes from the selected server, creates MDaemon mailboxes for each user and then imports all of their mail, contacts, tasks, notes, and calendar data. Any distribution lists that are found are copied from address books and are imported as mailing lists in MDaemon.

Brad Wyro, Technical Training Specialist does a much better job of explaining the process than I can in this YouTube video:


There’s also a knowledgebase article on Migrating from Exchange 2003 which walks you through the process step by step.

Option 2: Archive with MailStore, migrate recent messages with MDMigrator

An alternative option is still to use the MDMigrator tool but instead of using it to move all of your email, you archive it beforehand with an archiving solution such as MailStore Server.

This is the one we recommend whenever possible as being a good compromise.

The role of MailStore (archive and ‘slim’ down mailboxes)

  1. Quick way to archive large volumes of email – The key benefit of MailStore is that it provides a fast and efficient method of archiving large volumes of email but without limiting what users have access to.
  2. Ensures users have fast access to all email – If a user wants to open email, they simply search or browse for it from within Outlook using an integrated plug-in (there’s also a web version and phone app).
  3. Compresses and de-duplicates – The process of archiving also compresses attachments and de-duplicates messages so you should expect approximately a 50% space saving on the original data store.
  4. Deletes historic email from your server – with all email safely archived, MailStore can purge however much email you choose from Exchange. Typically, this would be everything but the last 6-12 months’ so there’s much less to move.
  5. Manages MDaemon on an ongoing basis – although we’re using MailStore for the migration process, it will continue to archive mail once the migration is complete.

The role of the MDMigrator

In this scenario the MDMigrator is performing the same function as it was in ‘Option 1’ and migrating the users, the calendar, contacts etc. (MailStore only handles email); however, this time the bulk of the email has been archived and the mailboxes are much smaller than they otherwise would be.

The benefits of doing it this way include:

  • Your staff have an opportunity to become familiar with MailStore (while it’s linked to Exchange)
  • MDMigrator now needs to move less mail so that part is much quicker (MailStore is faster at handling this process)

Option 3: Archive all email but start afresh with MDaemon

Option 3 basically expands upon the previous one but instead of retaining a small amount of email in your Exchange mailboxes, you’re purging all of it so there’s nothing left to be moved. It’s all in the archive.

If it doesn’t cause a problem for your users – i.e. they’re quite happy accepting that they can easily access mail from MailStore via Outlook when they need it, starting afresh with MDaemon (in terms of email) is definitely worth considering.

In this scenario you are:

  • Connecting MailStore to Exchange
  • Using MailStore to archive all email
  • Purging ALL email from Exchange prior to move
  • Using the MDMigrator to move accounts, calendars, contacts etc. (but not email)
  • Connecting MailStore to MDaemon for ongoing archiving


As the administrator, I’m sure you’ll want to keep this process as simple as you can. None of the options I’ve highlighted are particularly complex, but in this case I think how you approach it will largely depend on your users (probably the senior management).

If you’re unsure, a good compromise is ‘Option 2’ which offers the benefits of archiving with minimal change to the way users interact with Outlook.

It’s also worth noting that while I’ve highlighted the three main options that we’ve found to work well – there are still other ways you could approach it so please feel free to get in touch for a chat if I or the team can help.

How to delete email messages from the Exchange 2007 and 2010 data stores

To delete email messages that have already been sent on an Exchange 2007 / 2010 server

You need Administrator rights over the Exchange server at the level of Windows Local Administrator and Exchange Administrators.

You will need to carry out the following 2 steps:

1. Grant Admins rights so that Exchange can operate on the Mailbox database.

2. Use Run as Administrator to open the Exchange Shell and delete messages on the Exchange Server.


Every so often, an Exchange administrator faces a situation where messages that fit specific criteria need to be removed from a large number of mailboxes or from Exchange transport queues. The need may arise due to some sort of mass mailing, a message sent accidentally to a large distribution group or individual recipients, or it could be one of the steps required to be taken as a part of cleanup efforts after a mass-mailing virus outbreak (although the latter have been increasingly rare and generally taken care of by Exchange-aware antivirus scanners).

The steps for accomplishing this are documented in various places in Exchange documentation, but it can be difficult to refer to multiple sources if you have a mixed environment containing several versions of Exchange Server. We wanted to provide a single place with somewhat generic instructions on how to accomplish these tasks across all currently supported versions of Exchange Server – Exchange 2010, Exchange 2007, and Exchange 2003.

Removing messages from mailboxes

Removing messages using the Shell in Exchange 2010 RTM and Exchange 2007

In Exchange 2010 RTM and Exchange 2007, you can use the Export-Mailbox cmdlet to export or delete messages. In Exchange 2010 SP1, the functionality to export a mailbox is provided by the New-MailboxExportRequest cmdlet and is covered in a separate article. The functionality to search and delete messages is provided by the Search-Mailbox cmdlet.


In Exchange 2010, the Mailbox Export Import RBAC role must be assigned to the account used to perform this operation (using Export-Mailbox in Exchange 2010 RTM or Search-Mailbox in Exchange 2010 SP1). If the role isn’t assigned, you’ll be unable to run or “see” the cmdlet.

The versatile Export-Mailbox cmdlet can export mailbox content based on specific folder names, date and time range, attachment file names, and many other filters. A narrow search will go a long way in preventing accidental deletion of legitimate mail. For more details, syntax and parameter descriptions, see the following topics:

The account used to export the data must be an Exchange Server Administrator, a member of the local Administrators group of the target server, and have Full Access mailbox permission assigned on the source and target mailboxes. The target mailbox you specify must already be created; the target folder you specify is created in the target mailbox when the command runs.

Adding and removing the necessary permissions

This example retrieves all mailboxes from an Exchange organization and assigns the Full Access mailbox permission to the MyAdmin account. You must run this before exporting or deleting messages from user mailboxes. Note, if you need to export or delete messages only from a few mailboxes, you can use the Get-Mailbox cmdlet with appropriate filters, or specify each source mailbox.

Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

After exporting or deleting messages from mailboxes, you can remove the Full Access mailbox permission, as shown in this example:

Get-Mailbox -ResultSize unlimited | Remove-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

Removing messages

Here are a few examples that remove messages.

This example removes all messages with the subject keyword “Friday Party” and received between Sept 7 and Sept 9 from the Inbox folder of mailboxes on Server1. The messages will be deleted from the mailboxes and copied to the folder DeleteMsgs of the MyBackupMailbox mailbox. The Administrator can now review these items or delete them from the MyBackupMailbox mailbox. The StartDate and EndDate parameters must match the date format setting on the server, whether it is mm-dd-yyyy or dd-mm-yyyy.

Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords "Friday Party" -IncludeFolders "\Inbox" -StartDate "09/07/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox MyBackupMailbox -TargetFolder DeleteMsgs -Confirm:$false

This example removes all messages that contain the words “Friday Party” in the body or subject from all mailboxes.

Depending on the size of your environment, it is better to do the extraction/deletion in batches by using the Get-Mailbox cmdlet with the Server or Database parameters (Get-Mailbox -Server servername -ResultSize Unlimited or Get-Mailbox -Database DB_Name -ResultSize Unlimited), or specifying a filter using the Filter parameter. You can also use the Get-DistributionGroupMember cmdlet to perform this operation on members of a distribution group.

Get-Mailbox -ResultSize Unlimited | Export-Mailbox -ContentKeywords "Friday Party" -TargetMailbox MyBackupMailbox -TargetFolder 'Friday Party' -DeleteContent

It is recommended to always use a target mailbox (by specifying the TargetMailbox and TargetFolder parameters) so you have a copy of the data. You can review messages before purging them so any legitimate mail returned by the filter can be imported back to its owner mailbox. However, it is possible to outright delete all messages without temporarily copying them to a holding mailbox.

This example deletes all messages that contain the string “Friday Party” in the message body or subject, without copying them to a target mailbox.

Get-Mailbox | Export-Mailbox -ContentKeywords "Friday Party" -DeleteContent
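The commands above are the building blocks; the script below is an added example (it is not from the Exchange Team post) that strings them together the way an administrator would run a purge across a whole organization: one mailbox database at a time, Full Access granted only to the batch being processed and revoked in a finally block even if Export-Mailbox fails, a narrow subject-plus-date filter, every removed item copied to a holding mailbox for review, and the per-mailbox status written to a CSV. The account name MyAdmin, the holding mailbox MyBackupMailbox, the keyword, the date window and the log path are placeholders; the dates are built with Get-Date from ISO strings so the result does not depend on the server's mm-dd-yyyy or dd-mm-yyyy setting.

```powershell
# Added example, not the post's own code. Placeholders: MyAdmin, MyBackupMailbox,
# the keyword, the date window and C:\Temp. Run in the Exchange Management Shell
# (Exchange 2007 or Exchange 2010 RTM, where Export-Mailbox is available).
$admin   = "MyAdmin"
$holding = "MyBackupMailbox"                         # must already exist
$keyword = "Friday Party"
$folder  = "Purge-" + (Get-Date -Format "yyyyMMdd-HHmm")   # new folder per run
$log     = "C:\Temp\$folder.csv"

# DateTime objects instead of strings: ISO input parses the same on every locale.
$start = Get-Date "2010-09-07"
$end   = Get-Date "2010-09-09"

$results = @()

# One database per batch keeps each Export-Mailbox run small and restartable.
foreach ($db in Get-MailboxDatabase) {
    $mailboxes = @(Get-Mailbox -Database $db.Identity -ResultSize Unlimited)
    if ($mailboxes.Count -eq 0) { continue }

    try {
        # Full Access only for the mailboxes in this batch, only for this run.
        $mailboxes | Add-MailboxPermission -User $admin -AccessRights FullAccess `
            -InheritanceType All | Out-Null

        # Narrow filter: subject keyword AND date window AND Inbox only.
        # -DeleteContent removes the items; -TargetMailbox keeps a copy to review.
        $results += $mailboxes | Export-Mailbox -SubjectKeywords $keyword `
            -IncludeFolders "\Inbox" `
            -StartDate $start -EndDate $end `
            -TargetMailbox $holding -TargetFolder $folder `
            -DeleteContent -Confirm:$false |
            Select-Object Identity, StatusCode, StatusMessage
    }
    finally {
        # Revoke the temporary permission even if the export threw.
        $mailboxes | Remove-MailboxPermission -User $admin -AccessRights FullAccess `
            -InheritanceType All -Confirm:$false | Out-Null
    }
}

# Audit trail: which mailboxes were touched and with what result.
$results | Export-Csv -Path $log -NoTypeInformation
Write-Host "Review '$holding\$folder' before emptying it; per-mailbox results in $log"
```

Export-Mailbox needs an Outlook client installed on the machine that runs it, so this is usually run from a management workstation rather than the mailbox server itself. On Exchange 2010 SP1 the same flow uses Search-Mailbox instead: its -LogOnly switch (with -LogLevel Full) writes the matches to the target mailbox without deleting anything, which gives a true dry run before the -DeleteContent pass.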


Exchange 2000 and 2003 versions:

Removing messages on Exchange 2003 and Exchange 2000 using ExMerge

The ExMerge utility can be used to extract mail items from mailboxes located on legacy Exchange Server versions. Follow the steps in KB 328202 HOW TO: Remove a Virus-Infected Message from Mailboxes by Using the ExMerge.exe Tool to remove unwanted messages from user mailboxes.

Removing messages from Public Folders

You can use the Outlook Object Model to remove messages from Public Folders. This works on any version of Exchange. The down side is that it’s slower and may stumble when it hits huge folders with tens of thousands of items. In Exchange 2010/2007, you can use Exchange Web Services to remove messages from Public Folders. EWS has no problem running against large folders.

The following posts have more details:


Deleting pending or queued messages in Exchange Server:

Removing messages from mail queues

There may be times where you need to purge messages from Exchange Server’s mail queues to prevent delivery of unwanted mail. For more details about mail queues, see Understanding Transport Queues.

Removing messages from mail queues on Exchange 2010 RTM and Exchange 2007

Removing a message from the queue is a two-step process. First, the message itself must be suspended. Once the messages have been suspended, you can proceed with removing them from the queue. The commands below suspend and remove messages based on the Subject of the message.

Exchange 2007 SP1 and SP2

This command suspends messages with the string “Friday Party” from transport queues on all Hub Transport servers in your Exchange organization:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.Subject -eq "Friday Party" -and $_.Queue -notlike "*\Submission*"} | Suspend-Message

On Exchange 2007 RTM to SP2, you will not be able to suspend or remove messages that are held in the Submission queue, so the command excludes the messages in the Submission queue.

This command removes all suspended messages from queues other than the Submission queue.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.status -eq "suspended" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False

Exchange 2010 and Exchange 2007 SP3

This command suspends messages that have the string “Friday Party” in the message subject in all queues on Hub Transport servers.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where {$_.Subject -eq "Friday Party"} | Suspend-Message

This command removes messages that have the string “Friday Party” in the message subject in all queues on Hub Transport servers:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq "Friday Party"} | Remove-Message -WithNDR $False

Note, you can run the command against an individual Hub Transport server by specifying the server name after Get-TransportServer.

Suspend and remove messages from a specified transport queue

You can also suspend and remove messages from a specified queue. To retrieve a list of queues on a transport server, use the Get-Queue cmdlet.

This example suspends messages with the string “Friday Party” in the message subject in a specified queue.

Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party"} | Suspend-Message

This example removes messages with the string “Friday Party” in the message subject in the specified queue.

Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party"} | Remove-Message -WithNDR $False
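The one-liners above compare the subject with -eq, which only matches a subject that is exactly “Friday Party”; a reply or forward with a “RE:” prefix slips through. The following added example (not from the post) does the same two-step suspend-then-remove across all Hub Transport servers, but matches the string anywhere in the subject with -like, and writes an audit record of sender, recipients, queue and subject to a CSV before anything is removed, so there is a trace of what was purged. The pattern and the log path are placeholders; it targets Exchange 2010 or Exchange 2007 SP3, where Submission-queue messages can be suspended and removed too.

```powershell
# Added example, not the post's own code. Placeholders: the subject pattern and
# the C:\Temp log path. Run in the Exchange Management Shell on Exchange 2010
# or Exchange 2007 SP3.
$pattern = "*Friday Party*"          # substring match, unlike -eq in the one-liners
$audit   = "C:\Temp\queue-purge-" + (Get-Date -Format "yyyyMMdd-HHmm") + ".csv"

# Step 0: enumerate matching messages in every queue on every Hub Transport server.
$matches = @(Get-TransportServer | Get-Queue |
    Get-Message -ResultSize Unlimited |
    Where-Object { $_.Subject -like $pattern })

if ($matches.Count -eq 0) {
    Write-Host "No queued messages match '$pattern'; nothing to do."
    return
}

# Audit record before touching anything: who sent what to whom, from which queue.
$matches | Select-Object Identity, Queue, FromAddress, Subject, Status, DateReceived,
    @{ Name = "Recipients"; Expression = {
        [string]::Join(";", @($_.Recipients | ForEach-Object { "$_" })) } } |
    Export-Csv -Path $audit -NoTypeInformation
Write-Host "$($matches.Count) message(s) matched; details written to $audit"

# Step 1: suspend, so the transport service stops trying to deliver them.
$matches | Suspend-Message -Confirm:$false

# Step 2: re-query for the suspended matches (state may have changed) and remove
# them without generating NDRs back to the (often spoofed) sender.
Get-TransportServer | Get-Queue |
    Get-Message -ResultSize Unlimited |
    Where-Object { $_.Subject -like $pattern -and $_.Status -eq "Suspended" } |
    Remove-Message -WithNDR $false -Confirm:$false
```

If a copy of the message bodies is needed for the investigation rather than just the metadata, Export-Message can save each suspended message as an .eml file before the Remove-Message step; its syntax differs between Exchange 2007 and 2010, so check the cmdlet help for the version in use.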

Clear queues in Exchange Server 2000 and Exchange Server 2003 with MFCMAPI

In Exchange 2003/2000, you can use MFCMapi to clear the queues. For details, see KB 906557 How to use the Mfcmapi.exe utility to view and work with messages in the SMTP TempTables in Exchange 2000 Server and in Exchange Server 2003.

If there are a large number of messages in the queue, you may want to limit how many are displayed at a time. From the tool bar select Other > Options and under Throttle Level change the value to a more manageable number (for example, 1000).

Preventing message delivery using Transport Rules

In Exchange 2010 and Exchange 2007, you can use Transport Rules to inspect messages in the transport pipeline and take the necessary actions, such as deleting a message, based on the specified criteria. See Understanding Transport Rules for more details.

On Exchange 2010 and Exchange 2007, you can use the New Transport Rule wizard from the EMC to easily create transport rules. The following examples illustrate how to accomplish this using the Shell. Note the variation in syntax between the two versions. (The Exchange 2010 transport rule cmdlets have been simplified, allowing you to create or modify a transport rule using a one-line command.)

Creating a Transport Rule to delete messages in Exchange 2010

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

New-TransportRule -Name "purge Friday Party messages" -Priority '0' -Enabled $true -SubjectContainsWords 'Friday Party' -DeleteMessage $true

Creating a Transport Rule to delete messages in Exchange 2007

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @("Friday Party")
$action = Get-TransportRuleAction DeleteMessage
New-TransportRule -name "purge Friday Party messages" -Conditions @($condition) -Actions @($action) -Priority 0

Note: If your Exchange Organization has mixed Exchange 2007 and Exchange 2010 you will have to create a rule for each Exchange version.

Tip: Configure your Microsoft CA to issue a cert with a longer expiration time for Exchange Mail

Every single (01) year, network administrators scramble to re-register digital certificates (CA) for the Web Portal, Email Exchange and Wifi – Access Point servers...

Any system that forgets this ends up with “troubleshooting you know is coming but cannot schedule”. To spare admins some of these headaches, I have collected and written down a few “tips” for dealing with it. Rely on the Microsoft Certificate Authority to issue certs and extend the “expiration date” to around 3 – 4 years instead of the default of only 1 year. Below are the basic steps on an MS-CA Windows Server 2008 / R2 server:


  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry key:


  4. In the right pane, double-click ValidityPeriod.
  5. In the Value data box, type one of the following, and then click OK:
    • Days
    • Weeks
    • Months
    • Years


  6. In the right pane, double-click ValidityPeriodUnits.
  7. In the Value data box, type the numeric value that you want, and then click OK. For example, type 10 (remember to switch the base to Decimal).
  8. Stop, and then restart the Certificate Services service. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd, and then click OK.
    3. At the command prompt, type the following lines. Press ENTER after each line.

      net stop certsvc
      net start certsvc

    4. Type exit to quit Command Prompt.
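The same two values can be set from the command line with certutil, which writes ValidityPeriod and ValidityPeriodUnits under the CA's Configuration key exactly as the regedit steps above do, with no chance of typing into the wrong key or leaving the base set to Hexadecimal. The following is an added example, not from the original post; it sets the lifetime to 4 years, restarts Certificate Services (the CA only reads the values at startup) and reads them back to confirm.

```powershell
# Added example, not the post's own steps. Run in an elevated prompt on the CA.
# "ca\" refers to the local CA's own Configuration registry key.
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 4

# Certificate Services reads ValidityPeriod / ValidityPeriodUnits only on startup.
net stop certsvc
net start certsvc

# Confirm what the CA will apply to new requests.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
```

The registry value is a ceiling, not a guarantee: on an enterprise CA the issued lifetime is the shorter of this value and the validity period in the certificate template (the Web Server template defaults to 2 years), and in every case it cannot exceed the remaining lifetime of the CA's own certificate. Longer lifetimes also mean a key that leaks stays usable for longer, so it is worth pairing a 4-year lifetime with working CRL publication so that the certificate can be revoked if needed.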

Now send certreq.txt from your IIS (web) servers, or from Exchange 2010 / the IIS6 of Exchange 2007, to the CA server.

We will then obtain certificates issued by the CA with a validity period of 4 years instead of only 1 year.

Collected: How to set up TMG 2010 to publish Outlook Anywhere on Exchange 2010 & Exchange 2007


How to set up TMG 2010 to publish Outlook Anywhere on Exchange 2010. This article assumes that the TMG server is in the DMZ and is not a domain member, as per best practices.


First of all ensure that the Exchange 2010 CAS server is set up correctly:

  1. Install the RPC over HTTPs feature via Windows Server Manager.
  2. Go into the Exchange management console.
  3. Expand Server Configuration > Client Access.
  4. Right click on the CAS server and select Enable Outlook Anywhere.

As the TMG server is in the DMZ it will not trust the Exchange server's self-signed certificate. In order for Outlook Anywhere to work, the TMG server must be able to access https://YourMailServer.YourDomain.Local/RPC/rpcproxy.dll

Therefore we need to create a new certificate that can be trusted by both the Exchange server and the TMG server. This is easily achieved by installing an internal root CA. I would recommend you do this on a Windows Server 2008 machine as it is easily able to create a SAN cert (it can be done on Windows Server 2003, but only via CLI).

You should also ensure that the TMG server can access the mail server by name. The best way to achieve this without opening up additional ports on the firewall is to add the following line to the TMG server's hosts file: (Your mail server's IP address) YourMailServer YourMailServer.YourDomain.Local ExternalURLOfMailService.YourExternalDomain.Com

  1. Connect to a Windows Server 2008 machine and install the Active Directory Certificate Services role.
  2. Select both the Certification Authority and the Certification Authority Web Enrolment.

Once the above is complete we can create a new certificate for use in Exchange. Connect back to the Exchange server and perform the following:

  1. Launch the Exchange management console.
  2. Click on Server Configuration and then click on the mail servers name in the right hand pane.
  3. Click New Exchange Certificate on the actions pane.
  4. Follow the wizard. Do not worry too much about the Exchange Configuration screen as we can add and alter the Certificate Domains on the next screen. This is where we add all the required names for the SAN certificate.
  5. Once the wizard is complete and you have exported the certificate request you can launch a web browser to: http://YourRootCAServer/certsrv
  6. Authenticate.
  7. Select Request a certificate.
  8. Select advanced certificate request.
  9. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  10. Open your certificate request file and copy the string.
  11. Paste this into the Saved Request section of the certificate services website.
  12. Select the option to create a Web Server under Certificate Template.
  13. Select submit and complete the wizard.
  14. Once you have your certificate file, return to the Exchange management console.
  15. Select the option to complete a pending request and select your new certificate file.
  16. Once complete you may receive the following error against the new certificate in Exchange manager: The Certificate is Invalid for Exchange Server Usage.
  17. This is because the server (and clients) have not had time to pick up the new certificate authority.
  18. To resolve this you can either wait, reboot the machines or update group policy via: gpupdate /force on the command line.
  19. Once the gpupdate /force has been run you may need to close and re-open the management console.
  20. Once the certificate shows as valid, select Assign Services to Certificate.
  21. Follow the wizard and select the required services for your site (I would select all apart from Unified Messaging).
  22. At this point, client machines using Outlook might start getting certificate errors. This is because they have not had their policy updated to recognise the new root CA. Again, you can fix this either by rebooting the client machines or running gpupdate /force

Exchange is now configured to allow RPC over HTTPs connections. To publish the server we need to do the following on the TMG server:

  1. Launch the TMG management console and browse to Firewall Policy.
  2. On the right hand side, select Tasks > System Policy Tasks > Edit System Policy.
  3. In the pop up window, select Authentication Services > Active Directory.
  4. Uncheck Enforce strict RPC compliance, and click OK.
  5. Right click Firewall Policy and select New > Exchange Web Client Access Publishing Rule.
  6. Follow the wizard selecting the following options: Exchange version – Exchange Server 2010 > Outlook Anywhere (RPC/HTTP(s)) (Note that once this is selected, the other client access services are greyed out. This is because RPC over HTTPs must exist in its own rule and cannot be shared with other services) > Publish a single Web site or load balancer > Use SSL to connect to the published Web server or server farm > Internal site name: YourMailServer.YourDomain.Local (check the TMG server is able to resolve this) > Public name: ExternalURLOfMailService.YourExternalDomain.Com > Select a Web listener from the dropdown (this can be the one used for OWA and should use a SAN cert. No authentication should be enabled). > No delegation, but client may authenticate directly > All Users > Finish.
  7. Right click the newly created rule and select properties.
  8. Select Test Rule.
  9. You should get no errors and the test should read as: Configuration Tests > YourTMGServerName > YourMailServerName.YourDomain.Local > https://ExternalURLOfMailService.YourExternalDomain.Com:443/rpc/
  10. If you get a HTTP error 500 message then follow this article: http://www.cenobite.eu/index.php?option=com_content&view=article&id=61:exchange-outlook-anywhere-error-an-aspnet-setting-has-been-detected-that-does-not-apply-in-integrated-managed-pipeline-mode&catid=3:exchange&Itemid=19

Outlook Anywhere configuration is now complete.

Collected: Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Publishing Outlook Web App

I went through all the steps required to successfully install Forefront Protection 2010 for Exchange Server and Forefront Threat Management Gateway (TMG) 2010 on the same server as your Exchange Server Edge Transport role. I also looked at some basic configuration so we should now be able to send and receive email.

What about external access? TMG 2010 can also securely publish all your Exchange Server related services such as Outlook Web App (OWA), Outlook Anywhere and ActiveSync (EAS).

In this final part of the series I’ll look at publishing OWA to the internet. While my focus is mainly on OWA, Outlook Anywhere and EAS should also work with little or no additional configuration. I’ll start by creating a new certificate request, submitting it to a certificate authority and installing the issued certificate. I’ll then go over how to correctly export the issued certificate and import it on the TMG server, and conclude the series by creating a new “Exchange Web Client Access Publishing Rule”.

A few notes before I begin. When working with certificates there are two options: I have opted to use my own Enterprise Root CA, which is installed on my domain controller. You are of course welcome to purchase a certificate from a third-party CA; if you decide that this is the better option for you, the configuration steps below will not differ much, the only difference being how you submit the request to the CA. I highly recommend purchasing a UC (Unified Communications, i.e. multi-name SAN) certificate for this; please see the following Microsoft TechNet article for more information.

This post also assumes that your domain controllers already accept LDAP connections over SSL. To enable this, you need to install a server certificate on each of your domain controllers. The following Microsoft TechNet article may provide some guidance if you need further assistance with this.

The first step is to confirm our OWA configuration. This is done by opening the Exchange Management Console, expanding “Server Configuration”, clicking “Client Access” and then right-clicking “owa (Default Web Site)” and selecting “Properties”.


It is also important to change the authentication settings by clicking on the “Authentication” tab. We need to disable forms-based authentication, as TMG will be providing that feature: the publishing rule created later collects the credentials on TMG’s own logon form and delegates them to OWA using Basic authentication, so select “Use one or more standard authentication methods” with “Basic authentication” here. If you keep Exchange forms-based authentication enabled, your users will be prompted to log into OWA twice.


We now need to create a certificate request for the certificate that will be used for OWA. This can of course be done from the Exchange Management Shell by making use of the New-ExchangeCertificate cmdlet, or by making use of the new wizard included in the Exchange Management Console. To access the wizard, click “Server Configuration”, select your CAS server and click “New Exchange Certificate”.


“Enter a friendly name for the certificate”, I usually use the external FQDN here. Click “Next”


If you are using a wildcard certificate, you can enter the root domain name here, I have elected not to use a wildcard certificate. Click “Next”


Next, select your required configuration. Enter your configuration and click “Next”


Review your certificate domains, I usually enter the server name without a suffix as well, but this is not necessarily required. Ensure that you have your internal, external and both autodiscover names listed and click “Next”


Enter your organization and location details and click “Next”


Review your certificate configuration summary and click “Next”


Once complete, click “Finish”


For those looking to use the Exchange Management Shell to complete this request, the command would look something like this:

New-ExchangeCertificate -FriendlyName 'dogfood.cgoosen.com' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=AU,S="NSW",L="Sydney",O="cgoosen.com",OU="test lab",CN=dogfood.cgoosen.com' -DomainName 'tlex01.testlab.local','dogfood.cgoosen.com','autodiscover.testlab.local','autodiscover.dogfood.cgoosen.com','tlex01' -Server 'TLEX01'

Now that we have completed our certificate request, it is time to submit it to a CA. I’ll be using my Enterprise Root CA, which is installed on my domain controller, so I’ll just submit the request by opening https://tldc01.testlab.local/CertSrv. Click “Request a certificate”


Then click on “advanced certificate request”


Since we have already created the certificate request, select “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file”


Paste the certificate request in the box provided, select the “Web Server” template and click “Submit”


Click “Yes” to acknowledge the “Web Access Confirmation”


Next, download only the certificate (not the certificate chain), choosing the “DER encoded” format.


Now that we have our new certificate, it’s time to install it. Once again, click “Server Configuration” and select your new certificate. Click “Complete Pending Request”



Select your new certificate and click “Complete”


Once completed, click “Finish”. You have now installed your new certificate.


We now need to assign services to the certificate, click “Server Configuration” and select your new certificate. Click “Assign Services to Certificate”


Select your CAS server and click “Next”


Ensure that you have selected “Internet Information Services” and click “Next”


Review the configuration summary and click “Assign”


Once completed, click “Finish”


Now that we’ve installed the new certificate and assigned services to it, lets give it a quick test internally. My internal URL is https://tlex01.testlab.local/owa
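The same request, completion and service assignment as an added Exchange Management Shell example (this is not code from the original post). It assumes the lab names used above, server TLEX01, the request written to C:\certs\cas_cert.req and the CA-issued certificate saved back as C:\certs\cas_cert.cer; the final checks flag the things that most often break the TMG step later (no IIS binding, a self-signed certificate, or a missing SAN).

```powershell
# Added example, not code from the original post: the certificate lifecycle the EMC
# wizard walks through above, done from the Exchange Management Shell on the CAS server.
# Assumptions: server TLEX01 and the lab names from the post, the request written to
# C:\certs\cas_cert.req, and the CA-issued certificate saved back as C:\certs\cas_cert.cer.

$server   = 'TLEX01'
$external = 'dogfood.cgoosen.com'
$names    = 'tlex01.testlab.local', $external,
            'autodiscover.testlab.local', 'autodiscover.dogfood.cgoosen.com', 'tlex01'

# 1. Generate the PKCS#10 request. The private key is created in the local machine store;
#    it is marked exportable only because it has to be copied to the TMG server later.
$reqParams = @{
    Server               = $server
    GenerateRequest      = $true
    FriendlyName         = $external
    SubjectName          = "C=AU,S=NSW,L=Sydney,O=cgoosen.com,OU=test lab,CN=$external"
    DomainName           = $names
    PrivateKeyExportable = $true
    KeySize              = 2048
}
$request = New-ExchangeCertificate @reqParams

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\cas_cert.req -Value $request   # paste this into the CA's advanced request page

# 2. After the CA has issued the certificate (saved as C:\certs\cas_cert.cer), complete
#    the pending request. FileData must be the raw bytes of the DER file.
$cerBytes = [Byte[]](Get-Content -Path C:\certs\cas_cert.cer -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -Server $server -FileData $cerBytes

# 3. Assign the IIS service (OWA, Outlook Anywhere, EAS and Autodiscover all ride on IIS).
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# 4. Verify before moving on to TMG: bound to IIS, issued by a CA (not self-signed),
#    and every name that clients will connect to is present as a SAN.
$installed = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$sans      = @($installed.CertificateDomains | ForEach-Object { $_.ToString() })
$missing   = @($names | Where-Object { $sans -notcontains $_ })

if ($installed.Services -notmatch 'IIS') { Write-Warning 'Certificate is not bound to IIS' }
if ($installed.IsSelfSigned)             { Write-Warning 'Certificate is self-signed; browsers and Outlook will not trust it' }
if ($missing.Count -gt 0)                { Write-Warning "Names missing from the certificate: $($missing -join ', ')" }
$installed | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
```

Run steps 1 and 2 as two separate sessions in practice: the CA round trip sits between them, and the thumbprint returned by Import-ExchangeCertificate is the one you will look for again on the TMG server.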


Before we can import the certificate on the TMG server, you need to export the certificate along with its private key from the CAS server. Open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We need to export 2 certificates. The first is the Enterprise Root CA certificate located in the “Trusted Root Certificate Authorities” store.


The second certificate is the new exchange certificate we just installed, it should be located in the “Personal” store.


Lets start with the Enterprise Root CA certificate, right-click the certificate and click “Export”. Click “Next”


Select “DER encoded binary X.509 (.CER)” and click “Next”


Give it a meaningful name, be sure to note down the location, and click “Next”


Review the settings and click “Finish”


Once completed successfully, click “Ok”


Next we export the exchange certificate along with its private key. Right-click the certificate and click “Export”. Click “Next”


Ensure that you have selected “Yes, export the private key” and click “Next”


Ensure that you have selected “Export all extended properties” and click “Next”


You need to protect the private key by using a password, be sure to remember what password you enter here and click “Next”


Give it a meaningful name, be sure to note down the location, and click “Next”


Review the settings and click “Finish”


Once completed successfully, click “Ok”


Once you have those 2 certificates (ca_cert.cer and cas_cert.pfx if you followed my naming convention), copy them to your TMG server. The .pfx contains the private key, so copy it over a channel you trust and delete it from both servers once the import has succeeded. Then log onto the TMG server, open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We now repeat the previous process in reverse.


First we import the Enterprise Root CA certificate, expand the “Trusted Root Certificate Authorities” store, right-click “Certificates” and select “Import”. Click “Next”


Locate the certificate and click “Next”


You will notice that it will already have the correct location specified, do not change this, just click “Next”


Review the settings and click “Finish”


Once completed successfully, click “Ok”


We then import the exchange certificate. Expand the “Personal” store right-click “Certificates” and select “Import”. Click “Next”


Locate the certificate and click “Next”


Enter the private key password (you do remember it, right?) Ensure that you have selected “Include all extended properties” and click “Next”


The correct location should already be specified, do not change this, just click “Next”


Review the settings and click “Finish”


Once completed successfully, click “Ok”


Once this is done, you should be able to double-click the exchange certificate and check the status. Both certificates should be “Ok”
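The export on the CAS server and the import plus chain check on the TMG server, as an added PowerShell example (not code from the original post). It assumes the issued certificate is found by its CN dogfood.cgoosen.com, that files go to C:\certs on both hosts, and that the TMG part is run from an elevated prompt; Verify() at the end is the scripted equivalent of the “Ok” status you check in the MMC.

```powershell
# Added example, not code from the original post: the two exports on the CAS server done
# from the Exchange Management Shell, then the matching imports and a chain check on the
# TMG server. Assumptions: the issued certificate is found by its CN dogfood.cgoosen.com,
# files go to C:\certs on both hosts, and the TMG part runs from an elevated prompt.

### On the CAS server (Exchange Management Shell) ###
$external = 'dogfood.cgoosen.com'
$cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -like "CN=$external*" -and -not $_.IsSelfSigned } |
        Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate with CN=$external found" }

# The PFX holds the private key, so it gets a password. Read it interactively rather than
# hard-coding it, which keeps it out of the script and the shell history.
$pfxPassword = Read-Host -Prompt 'Password for cas_cert.pfx' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\cas_cert.pfx -Value $pfx.FileData -Encoding Byte

# The root CA certificate has no private key to protect; a DER-encoded .cer is enough.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
[IO.File]::WriteAllBytes('C:\certs\ca_cert.cer', $root.Export('Cert'))

### On the TMG server (elevated PowerShell, after copying C:\certs across) ###
certutil -f -addstore Root C:\certs\ca_cert.cer    # Trusted Root Certification Authorities
certutil -f -importpfx C:\certs\cas_cert.pfx       # prompts for the password; lands in Personal with its key
Remove-Item C:\certs\cas_cert.pfx                  # the key is installed; do not leave the PFX lying around

# What the Web listener needs: the Exchange certificate with its private key, and a chain
# that validates against the machine's Root store (this is the "Ok" status in the MMC).
$imported = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=dogfood.cgoosen.com*" } | Select-Object -First 1
if (-not $imported)                { throw 'Exchange certificate not found in the Personal store' }
if (-not $imported.HasPrivateKey)  { throw 'Private key missing; re-export with "Yes, export the private key"' }
if (-not $imported.Verify())       { throw 'Chain does not validate; check that ca_cert.cer was imported into Root' }
$imported | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
```

If the chain check fails on TMG but the certificate shows “Ok” on the CAS server, the usual cause is that the root was imported into the user store instead of the Local Computer store, which is why the post insists on viewing “Local Computer” in the MMC.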


The final step in the process is to create an “Exchange Web Client Access Publishing Rule”. Open the TMG Management Console, right-click “Firewall Policy”, select “New” and then select “Exchange Web Client Access Publishing Rule”


Give your rule a meaningful name and click “Next”


Select your Exchange version and select “Outlook Web Access”, then click “Next”


Select your publishing type and then click “Next”


Since we will be using SSL, select that option and click “Next”


Enter your internal site name, only enter the FQDN, there is no need to add HTTP/S or /OWA. Click “Next”


Enter your public name here, again only the FQDN. Click “Next”


Select your web listener, since I don’t already have one, I am going to create a new one by clicking “New”


Enter a meaningful name and click “Next”


We will be using SSL and want to require SSL connections from all clients. Click “Next”


Select your listener IP address, this should be your external network address. Click “Next”


Click “Select Certificate” and then select the exchange certificate we imported previously. Click “Select”


Click “Next”


Next we look at authentication settings, since our server is not a part of the domain, we are unable to use “Windows” authentication. Make sure “HTML Form Authentication” is selected, select “LDAP (Active Directory)” and click “Next”


I won’t be making use of SSO, make your selection and click “Next”


We need to add at least one LDAP server for user authentication. Add your domain controllers here and type your domain name. I highly recommend that you make use of LDAP over SSL: the listener validates the user name and password entered on the logon form by binding to the domain controller, and without SSL those credentials cross the network in clear text. Click “Next”


Review your web listener configuration and click “Finish”


Select the web listener you just created and click “Next”


Select “Basic Authentication” as the delegation method and then click “Next”. TMG will pass the credentials it collected on its logon form to the CAS server as Basic authentication over the SSL connection, which is why forms-based authentication was disabled on the owa virtual directory earlier.


This rule will apply to “All Authenticated Users”, click “Next”


Review your configuration and then click “Finish” to create the rule.


Once the rule has been created, we need to apply it to TMG, click “Apply”


You should now see your rule listed..


Now for the fun part, lets test our configuration. If you visit your external URL (mine is https://dogfood.cgoosen.com/owa) you should be presented with an OWA login form. Notice the “Secured by Microsoft Forefront Threat Management Gateway” banner at the bottom.

Enter your user name in the format “Domain\user name” and your password and click “Log On”. If you have any certificate alerts, you may need to install your Root CA certificate into the “Trusted Root Certification Authorities” store on your workstation. If you are using an Enterprise Root CA, it uses Group Policy to propagate its certificate to the “Trusted Root Certification Authorities” store for all users and computers in the domain.


If everything has been correctly configured, you should be presented with your inbox.
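A scripted version of this external test, as an added example that is not part of the original post, covering both the OWA rule built in this section and the Outlook Anywhere rule from the step list at the top of the page. It assumes the public name dogfood.cgoosen.com, the default /owa and /rpc/rpcproxy.dll paths, and a client machine that already trusts the issuing CA; it reports what the listener presented and warns on the things a browser test hides (wrong certificate, missing SAN, imminent expiry, unexpected status).

```powershell
# Added example, not code from the original post: probe the published OWA URL (this
# section) and the Outlook Anywhere /rpc URL (the TMG rule at the top of the page) from
# the outside, the way a client would, and report the status code and the certificate the
# listener presented. Assumptions: public name dogfood.cgoosen.com, the default /owa and
# /rpc/rpcproxy.dll paths, and a client machine that already trusts the issuing CA.

$publicName   = 'dogfood.cgoosen.com'
$expectedSans = 'dogfood.cgoosen.com', 'autodiscover.dogfood.cgoosen.com'

function Test-PublishedUrl {
    param([string]$Url)
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false   # keep TMG's own response (redirect to its form, or 401) visible
    $req.Timeout = 10000
    $resp = $null
    try { $resp = $req.GetResponse() }
    catch [Net.WebException] {
        # A 401 or 403 still comes with a response object; a TLS trust failure does not and is rethrown.
        if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw }
    }
    # The certificate the server presented during the TLS handshake.
    $cert = New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $req.ServicePoint.Certificate
    $san  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            ForEach-Object { $_.Format($false) }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    New-Object PSObject -Property @{
        Url      = $Url
        Status   = $status
        Location = $location
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        SANs     = [string]$san
    }
}

$owa = Test-PublishedUrl "https://$publicName/owa"
$rpc = Test-PublishedUrl "https://$publicName/rpc/rpcproxy.dll"
$owa, $rpc | Format-List Url, Status, Location, Subject, NotAfter, SANs

# Expectations: OWA answers 200 (the form) or 302 (redirect to TMG's logon form); the RPC
# proxy, published with "client may authenticate directly", answers 401 until Outlook authenticates.
if (@(200, 302) -notcontains $owa.Status)    { Write-Warning "OWA returned $($owa.Status); check the publishing rule and listener" }
if ($rpc.Status -ne 401)                     { Write-Warning "RPC proxy returned $($rpc.Status) instead of 401" }
if ($owa.Subject -notlike "CN=$publicName*") { Write-Warning "Listener presented a certificate for $($owa.Subject), not $publicName" }
$missing = @($expectedSans | Where-Object { $owa.SANs -notmatch [regex]::Escape($_) })
if ($missing.Count -gt 0)                    { Write-Warning "Certificate is missing SANs: $($missing -join ', ')" }
if ($owa.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($owa.NotAfter)" }
```

Because AllowAutoRedirect is off, the Location header shows where TMG sends an unauthenticated browser, which is a quick way to confirm that the form you saw really came from the TMG listener and not from Exchange’s own forms-based authentication.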


To summarise, in this final part of the series I created a new certificate request and then submitted it to a certificate authority. Once I had downloaded the issued certificate, I installed it on my exchange CAS server and assigned services to it. I then exported the issued certificate and imported it on the TMG server. To complete the process, I created a new “Exchange Web Client Access Publishing Rule”.

Are there already 4 reasons to switch from Gmail to Outlook.com?

Takeaway: Microsoft’s Gmail competitor has finally arrived. You might be surprised to learn that it brings some useful innovations to webmail. Here are the big four.

Microsoft now has a big-time Gmail competitor. Before you chuckle and say “that only took eight years,” keep in mind that Gmail is largely the same product that Google launched in 2004 — with some nice incremental tweaks to improve the user interface.

Microsoft wants to inject some innovation into webmail again — and it looks like they may have pulled it off. On Tuesday, the company unveiled Outlook.com, which is both its successor to Hotmail as well as its enhanced webmail for individual business professionals. It draws on Hotmail, Microsoft Exchange, and the Metro UI from Windows Phone 7 and Windows 8.

Based on my look at the working preview of Outlook.com that Microsoft has already released into the wild as well as an interview with one of Microsoft’s product leads on Outlook.com, I think there are four reasons why some users — especially professionals — will be legitimately tempted to make the switch from Gmail.

1. Automatic folders

The best new innovation in Outlook.com is what I like to call its “automatic folders” feature. The system attempts to smartly sort some of your mail for you by automatically creating virtual folders for common stuff like email newsletters, Facebook and Twitter alerts, and other repetitive messages that can end up burying more important emails from human beings you actually need to correspond with. Obviously, since this is run by an algorithm, there will certainly be some false positives and negatives and you might have to tweak it, but I like the low-touch nature of this feature. Microsoft has also tried to streamline the process of setting up your own inbox rules as well in Outlook.com.

In his blog post about the new service, Microsoft’s Chris Jones summed up the feature. “Outlook.com automatically sorts your messages from contacts, newsletters, shipping updates, and social updates,” wrote Jones, “and with our Sweep features you can move, delete and set up powerful rules in a few, simple clicks so you can more quickly get to the email you really want.”

Another mail management feature that I like in Outlook.com is that you can hover over a message and get a set of actions to delete the message or flag it as important or sort it to a folder — and you can even customize the functions you want to see on the hover-over.

2. Mobile experience

The biggest benefit that Microsoft has in designing a new webmail service in 2012 is that it can optimize it for today’s intensely-mobile world.

“The way people do mail on their mobile phone tends to be a little different,” said Brian Hall, General Manager of Windows Live and Internet Explorer. “They don’t do as much mail management.”

With that in mind, Microsoft used the automatic folder feature as its way of helping organize and prioritize users’ inboxes in a way that can work in virtually any type of desktop or mobile email client.

“Most people on a phone or tablet use the native mail client,” said Hall. “In those instances you want to make sure you work with any inbox. It’s a different approach than Priority Inbox from Google because they have to go create clients for mobile or else it breaks Priority Inbox.”

Hall also stressed that Microsoft is focused on delivering an excellent mobile web experience. In fact, the company is so focused on the native client and mobile web experience of Outlook.com that it doesn’t currently have plans to build an app for Microsoft’s own Windows Phone 7. “It works beautifully with the native client,” said Hall.

On the other hand, he said they are working on an Android app, because “Android devices are less likely to have an Exchange ActiveSync client.”

3. Privacy protection

One of the creepiest parts of Gmail has always been the fact that it does text-mining on your emails and uses that information to surface targeted ads. That’s the price you pay for unlimited storage and a free service. For example, if you’re emailing back-and-forth with a family member about a trip to go hiking, Gmail will simultaneously surface text ads for things like Rocky Mountain vacations, hiking boots, and protein bars. While these ads are generally unobtrusive and occasionally even useful, it still freaks out some people to realize that Google is essentially “reading their mail.” This is especially true for business professionals and others who use email to transmit potentially valuable or sensitive information.

Capitalizing on this uneasiness, Microsoft is promising that Outlook.com will not do text-mining on your inbox, while still offering its service for free and with “virtually unlimited storage.”

“We don’t scan your email content or attachments and sell this information to advertisers or any other company, and we don’t show ads in personal conversations,” Jones stated.

That doesn’t mean Outlook.com won’t have ads. There are right-column ads on the main inbox screen, but there aren’t ads on individual messages. Also, I’m sure these ads are going to be targeted based on what Microsoft knows about you in general, just not on the content of your individual messages.

4. Social integration

One of my favorite plug-ins for Gmail is Rapportive, which fills the right column in Gmail with contact information about the person you’re emailing. It draws that information from LinkedIn, Twitter, and Facebook (once you’ve logged in to those services) and will even show you the LinkedIn job title and latest status updates from the contact you’re emailing.

Microsoft has taken this kind of functionality and built it directly into Outlook.com, filling the right column of its message screen with this same kind of social contact data, but displaying it in a little bit simpler, cleaner way that follows the Metro UI style. Outlook.com doesn’t appear to show quite as much data as Rapportive.

However, Microsoft has taken social integration a step further. You can not only view people in your social networks from within Outlook.com and see their latest updates, but from the “People hub” you can also respond to status updates on Twitter and write on someone’s Facebook wall, all directly from Outlook.com. You can also do Facebook chat within Outlook.com. The instant messaging functionality itself is another strong feature of Outlook.com. The implementation is certainly better integrated and more usable than GTalk in Gmail.

Bottom line

Hall said Microsoft was focused on several key priorities in Outlook.com: “Clean UI, design for tablets and all devices, connected with the services you actually use (Twitter, Facebook, LinkedIn), works great with [Microsoft] Office and SkyDrive, and actually prioritizes your privacy.”

Before I took a look at Outlook.com, I couldn’t imagine that there was much Microsoft could do to innovate in webmail, and I expected it to feel like a desperate late attempt to make Hotmail relevant by copying Gmail. While Outlook.com is definitely aimed squarely at Gmail, I was surprised at how fresh it feels. There’s some really useful innovation in there, and I think it’s really smart for Microsoft to go after Google on privacy. It means Outlook.com won’t be nearly as powerful of a money-maker as Gmail, but it could build some needed goodwill from users.

I also like that Microsoft isn’t afraid to admit that this is aimed directly at stealing some of Gmail’s thunder. Hall said, “If you’re a heavy Google Docs or a Google+ user, then Gmail is probably for you. Otherwise, if you use Facebook, Twitter, LinkedIn, and Office, then Outlook [dot com] is better.”

That’s an ambitious claim. And it may just have some legs.