07 September 2012

Exchange 2010 Access is Denied EMC and EMS

There are plenty of reasons why an administrator could be denied access to the EMS or EMC.

One fairly unique problem that besieged me prevented me from accessing the EMC or EMS. Rebooting didn't fix it either.

After plenty of the regular troubleshooting steps I discovered that the machine-wide WinHTTP proxy had been set to something other than the default (direct access), and that was preventing me from accessing anything.

Running netsh winhttp show proxy revealed that a proxy was configured, so I ran netsh winhttp reset proxy and that fixed it! EMC and EMS back online! Showing the proxy settings again now gives the default:

Current WinHTTP proxy settings:

    Direct access (no proxy server).

Hope this helps someone out there...
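As an added example (not part of the original post), here is a PowerShell check that scripts the same test instead of eyeballing it: it parses the output of netsh winhttp show proxy into an object so the state can be collected from several Exchange servers and flagged when it is not the default. The two sample outputs are constructed to match the two shapes netsh prints; the function names are mine. The script only reports; the reset stays a deliberate, separate step.

```powershell
# Added example, not from the original post: turn "netsh winhttp show proxy"
# output into an object so a non-default WinHTTP proxy can be detected by script.

function ConvertFrom-WinHttpProxyOutput {
    param([Parameter(Mandatory)][string[]]$Lines)

    $result = [pscustomobject]@{
        IsDirect    = $false
        ProxyServer = $null
        BypassList  = $null
    }
    foreach ($line in $Lines) {
        if ($line -match 'Direct access \(no proxy server\)') {
            $result.IsDirect = $true
        }
        elseif ($line -match '^\s*Proxy Server\(s\)\s*:\s*(.+?)\s*$') {
            $result.ProxyServer = $Matches[1]
        }
        elseif ($line -match '^\s*Bypass List\s*:\s*(.+?)\s*$') {
            $result.BypassList = $Matches[1]
        }
    }
    return $result
}

function Get-WinHttpProxyState {
    # Live query: netsh.exe is the real source of truth for the WinHTTP proxy.
    $output = & netsh.exe winhttp show proxy 2>&1
    ConvertFrom-WinHttpProxyOutput -Lines ([string[]]$output)
}

# Constructed sample output in the two shapes netsh produces (the first is the
# default shown in the post, the second is what a configured proxy looks like).
$sampleDirect = @(
    'Current WinHTTP proxy settings:',
    '',
    '    Direct access (no proxy server).'
)
$sampleProxied = @(
    'Current WinHTTP proxy settings:',
    '',
    '    Proxy Server(s) :  proxy.corp.example:8080',
    '    Bypass List     :  (none)'
)
ConvertFrom-WinHttpProxyOutput -Lines $sampleDirect  | Format-List
ConvertFrom-WinHttpProxyOutput -Lines $sampleProxied | Format-List

# Live check on this machine: warn when the WinHTTP proxy is not direct access.
$state = Get-WinHttpProxyState
if (-not $state.IsDirect) {
    Write-Warning "WinHTTP proxy is set to '$($state.ProxyServer)' (bypass list: $($state.BypassList))."
    Write-Warning "If this is not expected, 'netsh winhttp reset proxy' restores direct access."
}
```

Because EMC and EMS talk to the server over WinRM, which honours the WinHTTP proxy, a proxy that nobody remembers configuring is worth recording before it is reset: run Get-WinHttpProxyState in your inventory script and keep the output, then reset only once you know where the setting came from.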

Installing certificates on MS Forefront 2010 with Threat Management Gateway

This post is pretty much a no-brainer, but in the context of the hassles I had with this site I've decided to include it here to close the chapter (and seeing that it had two other senior engineers stumped, one a network guru and the other an Exchange guru, it seems worthwhile to note).

After installing all the certificates for MS Exchange 2010 and getting the Certificate Revocation status verified, all internal access to Exchange 2010 was secured via SSL. The challenge was now getting the remote users secured.

Note this is a solution pertaining specifically to a Threat Management Gateway and you don't need to do this if you aren't using Forefront.

I had dotted all the i's and crossed all the t's, but the darned thing still gave a certificate error when accessing remotely. Checking the TMG's firewall properties I verified that the Outlook Anywhere, ActiveSync and Exchange Web App HTTPS listeners were using the correct certificates, but it still wasn't working.

Then I noticed that the certificates in the MMC snap-in on the TMG were showing as plain old certificates without the embedded private key, so I tried this:
  • On the MS Exchange 2010 server, export the Exchange certificate WITH the private key
  • In the TMG MMC snap-in, import the Exchange certificate WITH the private key
  • Go to the Forefront TMG dashboard, Firewall Policy...
    • Select each service (Allow Outlook Anywhere; Allow Exchange Active Sync; Allow Exchange Web App) and ...
      • Properties -> Listener -> Properties -> Certificates -> Select Certificate -> Choose the new one -> OK
      • Apply changes to TMG
      • SOLVED!
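The symptom above (a certificate shown in MMC without its private key) can be checked from a prompt rather than by clicking through the store. The following PowerShell is an added example, not from the original post: it looks a certificate up by thumbprint in the local machine store on the TMG, reports whether the private key is present and whether it has expired, and lists every certificate in the store that lacks a key (the tell-tale sign that a .cer was imported instead of a .pfx). The thumbprint in the usage line is a placeholder; the real one comes from Get-ExchangeCertificate on the Exchange server. Function names are mine.

```powershell
# Added example, not from the original post: confirm the listener certificate
# on the TMG is present WITH its private key before touching the listener.

function Test-ListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Thumbprints copied from MMC often carry spaces and lower case; normalise them.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted }

    $report = [pscustomobject]@{
        Thumbprint    = $wanted
        Found         = [bool]$cert
        Subject       = $null
        NotAfter      = $null
        HasPrivateKey = $false
        Problem       = $null
    }
    if (-not $cert) {
        $report.Problem = "Not found in $StorePath; import the PFX exported from Exchange."
        return $report
    }
    $report.Subject       = $cert.Subject
    $report.NotAfter      = $cert.NotAfter
    $report.HasPrivateKey = $cert.HasPrivateKey

    if (-not $cert.HasPrivateKey) {
        # The state the post describes: a plain certificate with no key, which the
        # TMG listener cannot use to terminate SSL.
        $report.Problem = 'Present but has no private key; re-export from Exchange WITH the private key and import the PFX.'
    }
    elseif ($cert.NotAfter -lt (Get-Date)) {
        $report.Problem = 'Certificate has expired.'
    }
    return $report
}

function Get-CertificatesWithoutPrivateKey {
    # Every certificate in the store that has no private key: a quick way to spot
    # an import done from a .cer instead of a .pfx.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Usage (the thumbprint is a placeholder, not a real value).
Test-ListenerCertificate -Thumbprint '0000000000000000000000000000000000000000' | Format-List
Get-CertificatesWithoutPrivateKey | Format-Table -AutoSize
```

Run it on the TMG after the import and before editing the listener: if HasPrivateKey is false, the import was done from the wrong file and no amount of listener reconfiguration will help.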

Renew Exchange 2010 Certificate generates a binary file - conversion to base64 tips

When renewing an SSL certificate for Exchange 2010, the process is fairly straightforward and there are plenty of sites giving advice on how to do this. Two sites to consider would be Technet and Go Daddy, and the steps are summarised as follows:

  1. In the console tree, click Server Configuration.
  2. Select the server that contains the certificate, and then select the certificate you want to renew.
  3. In the action pane, click Renew Exchange Certificate.
  4. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate.
  5. When you click Assign, the Progress page will confirm your selections and try to renew the certificate.
  6. Click Yes to overwrite the existing certificate with the renewed certificate.
  7. The Completion page will display the status of the request in addition to the syntax of the cmdlet needed to renew the certificate.
Of course, it's never this easy, and in my experience running a certificate renewal in Exchange 2010 generates a binary file (.req) that can't be easily copied and pasted into the web interface on the CA's side. In the past one would simply use Open With --> Notepad to get the certificate request text, but now Exchange 2010 generates the REQ file as binary, and typically the file contents look like this:

Binary format:
0é♦k0é♥S☻☺ 0[1

When they should look something like this:

Base64 format:

In order to get the binary into base64 you need to convert it. There are various methods to do this; I have used both online conversion websites and the Command Prompt, with the Command Prompt certainly being the far easier way to accomplish this (especially since it inserts the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer automatically, making it a much more 'pure' conversion).

  1. Using an online converter, upload the .REQ file, click the convert-to-source-data button and grab the output.
  2. Paste the contents into your favourite text editor.
  3. Add the header and footer (both must be on separate lines) and then you're good to go!
The header must be a line on its own at the top as so:


And the footer must be a line on its own at the bottom as so:


Using the Command Prompt (preferred method):

certutil -encode (req filename) (target filename)


You can then copy this file's contents and paste it to the appropriate CA's webform to complete the certificate request!
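For anyone who would rather see what certutil -encode actually does, or who has to do the conversion where certutil is not at hand, the following PowerShell is an added example, not from the original post. It reads the binary request, checks that it really is the binary (DER) form (a DER request starts with an ASN.1 SEQUENCE tag, 0x30, which is the "0" Notepad shows at the start of the file), base64-encodes it wrapped at 64 characters per line, and adds the header and footer. The -Label parameter is my addition so that the wrapper can match what the CA's form expects; as the post notes, certutil itself always writes "CERTIFICATE". A round-trip check decodes the result back and compares it byte for byte, which catches an editor that mangled a line while the header and footer were being added. The demo input is a constructed minimal DER blob (SEQUENCE { INTEGER 5 }), not a real request; on the server, point it at the Exchange .req file instead.

```powershell
# Added example, not from the original post: the "certutil -encode" step in
# plain PowerShell, with a DER sanity check and a round-trip verification.

function ConvertTo-Base64Request {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$Label = 'NEW CERTIFICATE REQUEST'   # my choice; certutil writes CERTIFICATE
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # A DER-encoded PKCS#10 request starts with an ASN.1 SEQUENCE tag (0x30).
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x30) {
        $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(16, $bytes.Length))
        if ($head.StartsWith('-----BEGIN')) {
            throw "'$Path' is already base64 encoded; no conversion needed."
        }
        throw "'$Path' does not start with an ASN.1 SEQUENCE; not a DER request."
    }

    # PEM body: base64 text wrapped at 64 characters per line.
    $b64   = [Convert]::ToBase64String($bytes)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = [string[]](@("-----BEGIN $Label-----") + @($lines) + @("-----END $Label-----"))
    [System.IO.File]::WriteAllLines($OutFile, $pem, [System.Text.Encoding]::ASCII)
    return $pem
}

function Test-Base64RequestRoundTrip {
    param(
        [Parameter(Mandatory)][string]$DerPath,
        [Parameter(Mandatory)][string]$PemPath
    )
    $original = [System.IO.File]::ReadAllBytes($DerPath)
    # Drop the header and footer lines, join the rest and decode.
    $body    = Get-Content -Path $PemPath | Where-Object { $_ -notlike '-----*' }
    $decoded = [Convert]::FromBase64String(($body -join ''))

    # Byte-for-byte equality means the text form carries exactly the original request.
    if ($original.Length -ne $decoded.Length) { return $false }
    for ($i = 0; $i -lt $original.Length; $i++) {
        if ($original[$i] -ne $decoded[$i]) { return $false }
    }
    return $true
}

# Demo on a constructed minimal DER blob so the script runs without a real .req.
$demoDer = Join-Path $env:TEMP 'demo.req'
$demoPem = Join-Path $env:TEMP 'demo.b64.txt'
[System.IO.File]::WriteAllBytes($demoDer, [byte[]](0x30, 0x03, 0x02, 0x01, 0x05))
ConvertTo-Base64Request -Path $demoDer -OutFile $demoPem
Test-Base64RequestRoundTrip -DerPath $demoDer -PemPath $demoPem
```

On a real server the call is ConvertTo-Base64Request -Path .\exchange.req -OutFile .\exchange.txt, after which certutil -dump .\exchange.txt will show the subject and key in the request, a worthwhile last look before pasting it into the CA's form.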