M365 and AZURE Blog: June 2012

Thursday, June 21, 2012

WHY ClientAccessArray name is internal ONLY

When deploying E210 it is recommended to set CAS ARRAY. ( Client Access Server Array) CAS Array is recommended even you have one CAS or a single multi-role Exchange serves you have in your deployment plans.

I wanted to reiterate why the FQDN of CAS Array should be internally resolvable via internal DNS and should not be exposed to outside.

The short answer is to prevent delay on outlook clients when they are outside and trying to connect. now let’s look into this a bit deeper and try to understand what does this mean to us?

when client opens outlook internally, outlook will try to resolve the home server property configured within the outlook. So the outlook gets FQDN something like outlook.internal.local which then , Outlook checks its configured TCP/IP and finds out what DNS server to talk to and request IP address for the name outlook.internal.local ,

Outlook opens up internally by Client………

It resolves the “home server property” outlook.internal.local
It finds out what DNS server to talk too ( TCP/IP Stack defined on the workstation and DNS )
It will ask the IP Address of “outlook.internal.local “ ( We assume this was configured within outlook)
The IP Address comes backup from DNS Server as 192.168.1.100 outlook.internal.local=192.168.1.100 ( Internal DNS Server provided the IP Address)
Now outlook will attempt to open TCP 135 to this destination 192.168.1.100

Outlook opens up Externally (CAS ARRAY NAME IS Resolvable from Outside)

It resolves the “home server property” outlook.internal.local
It finds out what DNS server to talk too ( TCP/IP Stack defined on the workstation and DNS )
It will ask the IP Address of “outlook.internal.local “ ( We assume this was configured within outlook)
It gets the IP 165.164.163.100 ( Assuming CAS ARRAY NAME IS PUBLISHED OUTSIDE)
Now outlook will attempt to open TCP 135 to this destination 165.164.163.100
The FireWALL on the destination network most likely wont allow TCP 135 connection back inside to VIP IP for the CAS ARRAY
The FireWALL will hold the connection before it releases the TCP connections
Outlook client now fall back and try to establish connection on port 80—HTTP
Outlook client cannot connect most likely port 80 is not allowed from outside
Outlook client FINALLY attempts to connect on port 443 HTTPS and gets through the firewall of destination network and established connection and this is where you see the “DELAY”

Outlook opens up Externally (CAS ARRAY NAME IS NOT Resolvable from Outside)

It resolves the “home server property” outlook.internal.local
It finds out what DNS server to talk too ( TCP/IP Stack defined on the workstation and DNS )
outlook.internal.local wont resolve an IP address
Outlook established HTTPS connection directly.

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Thursday, June 14, 2012

Allowing application servers to relay off Exchange Server 2010

Scenario: You have application server which needs to relay off your internal Exchange 2010 server ( printer, application etc.)

Platform:

Exchange 2010 HUB server	10.10.10.31
Application Relay Server	10.10.10.162

Task: Allow Application relay server relay off Exchange 2010 HTS server.

Log onto Exchange 2010 HTS Server open EMC under server configuration create new connector for application relay ( fallow the video)

New Receive connector, give it a name
Specify the FQDN for this connector , next
Modify who can relay off this connector , next, finish , Set Authentication and permissions group.

We have do the fist part now we will test the application relay, so log on to application server, and open command line, we will telnet on port 25 from application server to the HUB server and sent mail from command line if mail is received your application will work. Before we get going make sure port 25 from application server to HTS server is NOT BLOCKED , common issues antivirus software blockage, or firewall etc..

Monday, June 11, 2012

TMG 121 The semaphore timeout period has expired.

Error Code: 500 Internal Server Error. The semaphore timeout period has expired. (121)

If you are working on TMG server and Exchange 2010 scenario and receiving above errors , verifying couple things may save the day.

Check your static route table and make sure there is no loop causing this issue. Delete all your static route and add them one by one and make sure Static route is persistent and TMG internal NIC properties has these networks

Windows 2008 use Netsh ( route add , windows 2008 may not honor the static route, even the route may seem to be there from GUI)

NetSH Interface ip show route

Lets assume we have two interface

The interface inside = talk to Active Directory , This interface does not have DGW ( Default Gateway) , hence we need static route to tell the TMG how to reach back to this network.

Outside interface = Talk to Outside ) This interface has DGW ( Default Gateway) , okay if the internal DGW is 10.80.3.1 and we are trying to reach out to 10.80.3.102, then the NetSH command would be as fallows….. ( Replace the IP addresses suits to your own environment)

netsh Interface ipv4 add route 10.80.3.102/32 "inside" 10.80.3.1 store=persistent

*The netsh command automatically assumes – unless otherwise specified in the command – that the route added is persistent. We added the persistent statement anyways (-:

To delete any static route

netsh interface ipv4 delete route 10.0.0.0/8 "Internal" 10.0.0.5

See the Static route

netsh interface ip show route

Reset the Interface ( very powerful)

netsh interface tcp reset