In the first and second parts of this series, the AD and DNS for the Exchange organization were installed and configured, and Exchange 2016 itself was installed in part 2. This part deals with the configuration of Exchange 2016.
To make things a little easier, here is a representation of the environment that will be installed:
Foreword
Before the configuration begins, we need to think about the namespace. The Active Directory in this test environment is named frankysweb.org, and the Exchange server has the hostname "Exchange", which results in the FQDN exchange.frankysweb.org. That already sounds like a proper name. Nevertheless, I would like to use the name outlook.frankysweb.org for access to Exchange. I find outlook.frankysweb.org easier for users to remember, and at some point a migration will come along; in the case of a release change we want to keep the name.
The following is therefore configured:
- OWA, Outlook, EWS, ActiveSync all connect to the Exchange Server via outlook.frankysweb.org
- Autodiscover is published via the name autodiscover.frankysweb.org
So let's start with the configuration
Configuration of the virtual directories
In order for access via outlook.frankysweb.org (or Autodiscover via autodiscover.frankysweb.org) to work, we first need two DNS entries on the internal DC / DNS server:
In the zone frankysweb.org, the host entries "outlook" and "autodiscover" are therefore created, each with the IP of the Exchange server. In my case that is 172.16.100.13. For both Host (A) records, the checkbox "Create associated pointer (PTR) record" must be cleared, for "outlook" as well as for "autodiscover", so that the IP keeps a single PTR record for the server's real hostname.
Now the corresponding URLs can be configured on the Exchange Server. The easiest and quickest way to do this is via the Exchange Management Shell with the following commands:
Get-OwaVirtualDirectory -Server Exchange | Set-OwaVirtualDirectory -internalurl "https://outlook.frankysweb.org/owa" -externalurl "https://outlook.frankysweb.org/owa"
Get-EcpVirtualDirectory -server Exchange | Set-EcpVirtualDirectory -internalurl "https://outlook.frankysweb.org/ecp" -externalurl "https://outlook.frankysweb.org/ecp"
Get-WebServicesVirtualDirectory -server Exchange | Set-WebServicesVirtualDirectory -internalurl "https://outlook.frankysweb.org/EWS/Exchange.asmx" -externalurl "https://outlook.frankysweb.org/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server Exchange | Set-ActiveSyncVirtualDirectory -internalurl "https://outlook.frankysweb.org/Microsoft-Server-ActiveSync" -externalurl "https://outlook.frankysweb.org/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server Exchange | Set-OabVirtualDirectory -internalurl "https://outlook.frankysweb.org/OAB" -externalurl "https://outlook.frankysweb.org/OAB"
Get-MapiVirtualDirectory -Server Exchange | Set-MapiVirtualDirectory -externalurl "https://outlook.frankysweb.org/mapi" -internalurl "https://outlook.frankysweb.org/mapi"
Get-OutlookAnywhere -Server Exchange | Set-OutlookAnywhere -externalhostname outlook.frankysweb.org -internalhostname outlook.frankysweb.org -ExternalClientsRequireSsl:$true -InternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod 'Negotiate'
Get-ClientAccessService Exchange | Set-ClientAccessService -AutoDiscoverServiceInternalUri "https://autodiscover.frankysweb.org/Autodiscover/Autodiscover.xml"
In the commands, only the server name after the "-Server" parameter and the respective URLs (-internalurl / -externalurl) need to be adjusted. That should be self-explanatory.
The Exchange Server now has the names outlook.frankysweb.org and autodiscover.frankysweb.org
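As an added example (not part of the original article), here are the same two steps in script form: a function that creates the two A records on the DC without PTR records, and a function for the Exchange Management Shell that audits every client-facing URL against the intended namespace, so a forgotten virtual directory, an http:// URL or a missing DNS name shows up before the first client does. The zone, server name and IP are taken from the article; the function names are my own.

```powershell
# Added example, not from the original article. Assumptions: the DnsServer
# module is available on the DC (first function); the second function runs
# in the Exchange Management Shell. Names and IPs are those of the article.

function New-ExchangeNamespaceDns {
    param(
        [string]$Zone       = 'frankysweb.org',
        [string]$ExchangeIp = '172.16.100.13'
    )
    foreach ($Name in 'outlook', 'autodiscover') {
        $Existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue
        if ($Existing) { Write-Warning "$Name.$Zone already exists, leaving it alone"; continue }
        # No -CreatePtr switch: the IP keeps a single PTR for the server's real name
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $ExchangeIp
    }
}

function Test-ExchangeNamespaceUrls {
    param(
        [string]$Server           = 'Exchange',
        [string]$ClientFqdn       = 'outlook.frankysweb.org',
        [string]$AutodiscoverFqdn = 'autodiscover.frankysweb.org'
    )
    $Findings = New-Object System.Collections.Generic.List[string]

    # A URL passes only if it is https and uses the intended host name
    function Test-NamespaceUrl([string]$Label, $Url, [string]$ExpectedHost) {
        if (-not $Url) { $Findings.Add("$Label is not set"); return }
        $Uri = [uri]$Url
        if ($Uri.Scheme -ne 'https')     { $Findings.Add("$Label is not https: $Uri") }
        if ($Uri.Host -ne $ExpectedHost) { $Findings.Add("$Label uses host $($Uri.Host), expected $ExpectedHost") }
    }

    $VDirs = @(
        (Get-OwaVirtualDirectory         -Server $Server),
        (Get-EcpVirtualDirectory         -Server $Server),
        (Get-WebServicesVirtualDirectory -Server $Server),
        (Get-ActiveSyncVirtualDirectory  -Server $Server),
        (Get-OabVirtualDirectory         -Server $Server),
        (Get-MapiVirtualDirectory        -Server $Server)
    )
    foreach ($VDir in $VDirs) {
        Test-NamespaceUrl "$($VDir.Identity) InternalUrl" $VDir.InternalUrl $ClientFqdn
        Test-NamespaceUrl "$($VDir.Identity) ExternalUrl" $VDir.ExternalUrl $ClientFqdn
    }

    # Outlook Anywhere carries host names rather than URLs, plus the SSL flags
    $OA = Get-OutlookAnywhere -Server $Server
    foreach ($Side in 'Internal', 'External') {
        $HostName = [string]$OA."${Side}Hostname"
        if ($HostName -ne $ClientFqdn) { $Findings.Add("OutlookAnywhere ${Side}Hostname is '$HostName', expected $ClientFqdn") }
        if (-not $OA."${Side}ClientsRequireSsl") { $Findings.Add("OutlookAnywhere ${Side}ClientsRequireSsl is false") }
    }

    $Cas = Get-ClientAccessService -Identity $Server
    Test-NamespaceUrl 'AutoDiscoverServiceInternalUri' $Cas.AutoDiscoverServiceInternalUri $AutodiscoverFqdn

    # Both names must also resolve from where the script runs
    foreach ($Fqdn in $ClientFqdn, $AutodiscoverFqdn) {
        if (-not (Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue)) {
            $Findings.Add("$Fqdn does not resolve")
        }
    }

    if ($Findings.Count -eq 0) { Write-Host "All URLs use https://$ClientFqdn, Autodiscover via $AutodiscoverFqdn" }
    return $Findings
}

# Usage: on the DC
#   New-ExchangeNamespaceDns
# then in the Exchange Management Shell, after the Set-* commands above
#   Test-ExchangeNamespaceUrls | Format-Table
```

The audit returns a list of findings rather than throwing, so it can be run again after the certificate is installed or after a cumulative update; an empty list means every name a client will be redirected to is one that the certificate in the next step has to cover.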
Webmaster mailbox configuration at Strato
This is a small intermediate step before configuring the certificates. An e-mail address for domain validation is required so that the certificates can be issued later. For this purpose, a mailbox with the e-mail address webmaster@frankysweb.org is created at the web host (in my case Strato).
Important: The mailbox is created at the web host (not yet on the Exchange server!).
At Strato this works as follows. In the customer area, a new mailbox can be created under the item E-mail:
Enter your address and password and you're done:
This mailbox can now be accessed via Strato Webmail:
Background: I am assuming a greenfield environment. The next step uses StartSSL as the CA for the certificate. StartSSL issues domain-validated certificates. To do this, an e-mail containing a code is sent to one of several predefined addresses. You must therefore be able to receive e-mail at one of these addresses (for example webmaster@) in order to obtain the code.
This mailbox is therefore only used to obtain the certificate for the next step.
Request certificate via StartSSL
Note: The CA "StartSSL" no longer exists. Let's Encrypt can be used instead; see Certificate wizard for Let's Encrypt.
Of course, we also need a matching certificate for Exchange, but it is not difficult and costs nothing. In the configuration of the virtual directories, we defined the URLs via which Exchange is to be accessed (outlook.frankysweb.org and autodiscover.frankysweb.org), and only these two names are required on the certificate.
StartCom (StartSSL) can be used to obtain a proper certificate; certificates with a 12-month term are available free of charge. An account can be created free of charge here:
After an account has been created, the domain must be validated; this is done via the "Validations Wizard" tab:
In the next step, specify the e-mail address to which the verification code is to be sent (see "Webmaster mailbox" above):
After a short time the code arrives in the webmaster mailbox; since our Exchange environment is not yet ready, Strato Webmail is used to read it:
Note: The webmaster mailbox could also be set up on the Exchange server, but I will deal with receiving and sending e-mail in a separate article; hence the detour via Strato Webmail. Otherwise it would not fit thematically into the articles.
The wizard can now be completed with the code.
Now a certificate request can be created on the Exchange Server. This works again simply via shell:
New-ExchangeCertificate -Server "Exchange" -GenerateRequest -FriendlyName "StartSSL Exchange Cert" -PrivateKeyExportable $true -SubjectName "c=DE, s=NRW, l=Liemke, o=FrankysWeb, ou=IT, cn=outlook.frankysweb.org" -DomainName outlook.frankysweb.org,autodiscover.frankysweb.org -RequestFile "\\Exchange\C$\Anforderung.csr"
The command is also self-explanatory, if not, there is a corresponding explanation here:
https://www.frankysweb.de/kostenlose-san-zertifikate-auch-bei-startssl/
The certificate request can now be copied directly from the shell window:
The certificate request is now submitted via the "Certificates Wizard" at StartSSL:
In the wizard itself, the domain names are now specified, i.e. only outlook.frankysweb.org and autodiscover.frankysweb.org, and the certificate request is uploaded.
In my case, StartSSL wanted to verify me once more:
Normally, however, the certificate is offered directly as a ZIP file download. As soon as the ZIP archive with the certificates is available, it can be stored on the Exchange server.
Installation of the certificate
The certificate issued by StartSSL is available in a ZIP archive in several formats:
The IISServer folder contains the actual certificate and the certificate of the intermediate certification authority (Intermediate):
Both certificates are unpacked into a folder (e.g. C:\Cert). The intermediate certificate is installed first:
The certificate must be saved in the computer's certificate store:
The store location is "Intermediate Certification Authorities":
After the certificate has been installed, the certificate for the Exchange server must be installed and activated. The installation also works again simply via shell:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Cert\2_outlook.frankysweb.org.crt -Encoding byte -ReadCount 0))
The command is also self-explanatory, only the path needs to be adjusted. After the import, the thumbprint of the certificate is also displayed; this is required to activate the certificate and can be used directly within the shell:
The certificate is activated with the following command:
Enable-ExchangeCertificate -Thumbprint F109BC84E8A477902C8E021A4D4E5CBAD13EC596 -Services POP,IMAP,SMTP,IIS
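Enabling the certificate is the point where most mistakes surface later as client warnings, so as an added example (not part of the original article) here is a check that compares what Exchange reports about the certificate with what IIS actually presents on port 443 for each name, including whether the intermediate installed above lets a client build the chain. The thumbprint and names are the article's; the function name and the 30-day expiry margin are my own assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on a machine that can reach outlook.frankysweb.org on TCP 443.
# Thumbprint and names are the article's; the function name is my own.

function Test-ExchangeCertificateBinding {
    param(
        [string]$Thumbprint      = 'F109BC84E8A477902C8E021A4D4E5CBAD13EC596',
        [string[]]$ExpectedNames = @('outlook.frankysweb.org', 'autodiscover.frankysweb.org'),
        [string]$Server          = 'Exchange'
    )
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. Exchange's own view: SANs, enabled services, expiry, chain status
    $Cert    = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    $Domains = $Cert.CertificateDomains | ForEach-Object { $_.ToString() }
    foreach ($Name in $ExpectedNames) {
        if ($Domains -notcontains $Name) { $Findings.Add("certificate has no SAN for $Name") }
    }
    foreach ($Svc in 'IIS', 'SMTP') {
        if ("$($Cert.Services)" -notmatch "\b$Svc\b") { $Findings.Add("certificate is not enabled for $Svc") }
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $Findings.Add("certificate expires $($Cert.NotAfter)") }
    if ($Cert.Status -ne 'Valid') { $Findings.Add("Exchange reports status '$($Cert.Status)' (intermediate missing?)") }

    # 2. The client's view: a TLS handshake with SNI for each name
    foreach ($Name in $ExpectedNames) {
        $Tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $Tcp.Connect($Name, 443)
            # The callback accepts anything; the certificate is inspected explicitly below
            $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, { $true })
            $Ssl.AuthenticateAsClient($Name)
            $Served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
            if ($Served.Thumbprint -ne $Thumbprint) {
                $Findings.Add("$Name serves thumbprint $($Served.Thumbprint), not the new certificate")
            }
            # Build the chain the way a client would: fails if the intermediate cannot be found
            $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $Chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab without CRL reachability yet
            if (-not $Chain.Build($Served)) {
                $Status = ($Chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
                $Findings.Add("$Name chain does not build: $Status")
            }
            $Ssl.Dispose()
        } catch {
            $Findings.Add("${Name}:443 handshake failed: $($_.Exception.Message)")
        } finally {
            $Tcp.Close()
        }
    }
    return $Findings
}

# Usage: Test-ExchangeCertificateBinding | Format-Table
```

An empty result means the certificate Exchange enabled is the one a browser or Outlook will see for both names and that the chain closes without a manually trusted intermediate. Keep revocation checking switched back on (the X509Chain default) once the UTM allows the server out to the CA's CRL and OCSP endpoints.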
So the certificate topic is not that bad after all...
Customize authentication
Now we can use the EAC for a change, so we can also verify the certificate:
Issued by StartCom, so everything worked. Of course, Internet Explorer throws a certificate warning here, as EAC is accessed via https://localhost.
However, the actual goal is to allow users to log in with their e-mail address. All the necessary prerequisites for this are already in place (AD name frankysweb.org):
The UPN and e-mail address will later be frank@frankysweb.org; for this, the authentication method for OWA must be changed. This is done via the EAC: Servers -> Virtual directories -> owa -> Authentication -> User principal name (UPN):
Finally, an iisreset:
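The EAC setting can also be made from the shell, and since logon by e-mail address only works when each user's UPN equals their primary SMTP address, the following added example (not part of the original article) combines the setting with a check for mailboxes where the two differ and an optional repair. The server name and domain are the article's; the function names are my own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. Server name and domain are the article's; function names are my own.

function Set-OwaUpnLogon {
    param([string]$Server = 'Exchange')
    # LogonFormat PrincipalName is the "User principal name (UPN)" option in the EAC.
    # /ecp shares the OWA logon page, so only the owa virtual directory needs it.
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -LogonFormat PrincipalName
    iisreset /noforce
}

function Get-MailboxUpnMismatch {
    # Mailboxes whose UPN and primary SMTP address differ: with UPN logon these
    # users would have to type their UPN rather than the e-mail address they know.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString() }
}

function Repair-MailboxUpn {
    # Aligns the UPN with the primary SMTP address. The suffix must be a domain
    # or registered UPN suffix of the forest (frankysweb.org is the AD name here),
    # and note that this also changes the user's Windows logon name in UPN form.
    param([switch]$WhatIf)
    foreach ($Mbx in Get-MailboxUpnMismatch) {
        $Mbx | Set-Mailbox -UserPrincipalName $Mbx.PrimarySmtpAddress.ToString() -WhatIf:$WhatIf
    }
}

# Usage:
#   Set-OwaUpnLogon
#   Get-MailboxUpnMismatch | Format-Table Name, UserPrincipalName, PrimarySmtpAddress
#   Repair-MailboxUpn -WhatIf      # drop -WhatIf to apply
```

Run the mismatch check before announcing "log in with your e-mail address" to users; in a fresh environment like this one the list should be empty, but after migrations or bulk imports it frequently is not.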
Create send connector
The send connector can already be created, even though the UTM is not yet prepared to accept mail from Exchange and forward it. I am including this step here so that it fits in thematically with the article. So that mail can be sent in the future, a send connector is required, which again can be created quickly via the shell:
New-SendConnector -Internet -Name "UTM-Route-to-Internet" -AddressSpaces * -SmartHosts 172.16.100.254 -Fqdn outlook.frankysweb.org
The command only needs to be adapted slightly: enter the IP of the UTM and the FQDN accordingly; in my case 172.16.100.254 (IP of the UTM) and outlook.frankysweb.org (the FQDN for which we have a valid certificate).
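The FQDN matters because Exchange uses it both in the EHLO greeting and when selecting a certificate for STARTTLS towards the smart host. As an added example (not part of the original article), the following check confirms that the connector's FQDN is covered by a currently valid certificate that is enabled for the SMTP service, wildcard SANs included. Connector and server names are the article's; the function name is my own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. Connector and server names are the article's; the function name is my own.

function Test-SendConnectorFqdn {
    param(
        [string]$Connector = 'UTM-Route-to-Internet',
        [string]$Server    = 'Exchange'
    )
    $Sc   = Get-SendConnector -Identity $Connector
    $Fqdn = [string]$Sc.Fqdn
    if (-not $Fqdn) {
        return "connector '$Connector' has no Fqdn set; Exchange will announce the server's own name"
    }

    # Only certificates that are valid today and enabled for SMTP are candidates
    $SmtpCerts = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match '\bSMTP\b' -and $_.NotAfter -gt (Get-Date) }

    $Covering = foreach ($Cert in $SmtpCerts) {
        foreach ($Domain in $Cert.CertificateDomains) {
            # -like lets a wildcard SAN such as *.frankysweb.org match the FQDN
            if ($Fqdn -like $Domain.ToString()) { $Cert.Thumbprint; break }
        }
    }

    if ($Covering) {
        "Fqdn $Fqdn is covered by SMTP certificate(s): $($Covering -join ', ')"
    } else {
        "Fqdn $Fqdn is on no valid SMTP-enabled certificate; a TLS session to $($Sc.SmartHosts -join ', ') would show a name mismatch"
    }
}

# Usage: Test-SendConnectorFqdn
```

Run the same check after every certificate renewal: a renewed certificate that was imported but not enabled for SMTP leaves the connector announcing a name it cannot prove.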
Moving and renaming the database
Finally, the mailbox database is given a friendly name and moved to another storage location. I have equipped my Exchange server with a 200 GB disk on which both the Exchange installation and the database are stored. This is usually sufficient for small organizations, and I do not separate the database from the log files; after all, this is only a small environment. If you prefer it differently, here is the opportunity:
Get-MailboxDatabase -Server Exchange | Set-MailboxDatabase -Name "MailboxDB"
Move-DatabasePath "MailboxDB" -EdbFilePath E:\MailboxDB\MailboxDB.edb -LogFolderPath E:\MailboxDB
Note that Move-DatabasePath dismounts the database for the duration of the move, so run it before users are on the server or during a maintenance window.
Summary
We now have a properly configured Exchange 2016 server with a valid certificate from a public CA. Although it is not yet possible to receive or send e-mail externally, since the configuration of the UTM is still missing, it is already possible to test internally. Here is an example from a Windows 10 client:
OWA without certificate warning and login with the e-mail address:
Outlook 2016 (Autodiscover and login via e-mail address also work without domain membership and without certificate warnings):
All connections run via outlook.frankysweb.org:
The next part deals with the configuration of the UTM.
Note:
The CA StartCom / StartSSL no longer exists; the CA was distrusted. Free certificates are instead available from Let's Encrypt, and these can even be automated: