Load Balancing Exchange 2007 Client Access Servers using Windows Network Load-Balancing Technology – Part 3: Creating Certificates and Testing Client Services
July 5, 2011 Leave a comment
In this article we’ll continue where we left off in part two. We will create a new subject alternative name (SAN) certificate that includes all necessary Fully Qualified Domain Names (FQDNs) and NetBIOS names and install it on both nodes in our NLB cluster. Lastly, we’ll do the testing necessary to ensure client services work as expected.
We have a lot to go through in this article, so we better get started…
Testing the Load-Balanced Client Access Server Setup
Before we continue with the remaining configuration steps, now would be a good time to test whether we have an NLB cluster that works as expected. To do so, open a browser on one of the servers or a client if you prefer, then type the FQDN for the NLB Cluster, in my setup this is https://mail.ehlo.dk/owa. As can be seen in Figure 3.1 below, we’ll get a couple of security alerts, since we’re trying to access OWA 2007 via the NLB cluster name. This is because the FQDN isn’t included in the self-signed SSL certificate that is installed on each Client Access server during the Exchange 2007 setup. We’ll fix this problem later, for now let’s just click Yes.
Figure 3.1: Certificate Security Warning
The familiar OWA 2007 forms-based authentication logon page will now appear, and we can access OWA by logging on with a username and password as shown in Figure 3.2.
Figure 3.2: OWA 2007 Forms-based Logon Page
Because of the certificates issue, Exchange ActiveSync and Outlook Anywhere will not work yet, so there’s no reason to test access from those clients at this stage (we will do so later in the article).
Simulating Downtime of the First Node in the NLB Cluster
Accessing OWA 2007 using the NLB cluster name didn’t show us much else than that we were able to connect to the first Client Access server in our NLB cluster. To test whether the single point of failure that exists in organizations with only one Client Access server deployed have been eliminated, let’s try to simulate a malfunctioning Client Access server. We can do this by disabling the NLB LAN network adapter on the first server as shown in Figure 3.3.
The NLB LAN adapter should be disabled on the first Client Access server in the NLB cluster as this is the server that has the highest priority. Also note that if you’re connected to this Client Access server using a remote desktop connection, you’ll get disconnected.
Figure 3.3: Disabling the LAN Connection
With the network adapter disabled, let’s try to access OWA 2007 once again. If the NLB cluster has been configured correctly, a nice OWA 2007 forms-based logon page should appear and things looks good so far.
With that we can conclude the NLB cluster works as expected.
Considerations when running the Hub Transport Server role on the NLB Cluster Nodes
For economical reasons, many organizations choose to install both the Client Access and Hub Transport server roles on the same physical boxes in order to keep the total number of Exchange 2007 servers as low as possible. If you plan on following a similar approach, and at the same time want to load-balance the Client Access servers using NLB, you must make sure SMTP (and if used secure SMTP aka TLS) are excluded under the Port Rules tab on the NLB property page (Figure 3.4). The reason for this is that Exchange 2007 Hub Transport servers have been designed with resiliency built in (that is if one Hub Transport server doesn’t respond to an SMTP connection, another Hub Transport server in the site will respond), and therefore shouldn’t be load-balanced using NLB.
If you use other ports for SMTP communication, these should also be excluded in the NLB cluster configuration.
Although configuring the Client Access server role in a Windows NLB on servers with both the Client Access and Hub Transport server roles works perfectly, the scenario is unsupported by Microsoft. The reason is this scenario wasn’t tested extensively using the Exchange 2007 RTM version. It will instead be supported with Exchange Server 2007 SP1.
Figure 3.4: Port Rules Definitions
Creating a new SSL certificate on the First Node
Because the FQDN used to access the Client Access servers in our NLB cluster doesn’t match the FQDN specified in the common name field nor the subject alternative names field in the default self-signed SSL certificate that automatically is installed on each Client Access server during Exchange 2007 setup (Figure 3.5 and 3.6), we must create a new certificate.
Figure 3.5: Subject Alternative Names on CAS01 Certificate Property page
Figure 3.6: Subject Alternative Names on CAS01 via the Exchange Management Shell
For the purpose of this article series, we’ll generate a new certificate using an internal Microsoft certificate authority server, but in a corporate production environment, you would in most situations want to submit the certificate request to a 3rd party certificate authority.
Because we need a certificate in which multiple FQDNs have to be specified, we must use a subject alternative name (SAN) certificate. At the time of this writing only a handful 3rd party CAs offer these types of certificates, most of which are listed in the following KB article: http://support.microsoft.com/kb/929395.
As we’re going to generate a request for a new SAN certificate, we must use the New-ExchangeCertificate cmdlet for this purpose, as the IIS Manager isn’t capable of creating requests for SAN certificates. To do this launch the Exchange Management Shell, then type the following command (replace the names with your own):
New-ExchangeCertificate –GenerateRequest –SubjectName “C=dk, O=EHLO organization, CN=mailehlo.dk” –DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true
After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.
Figure 3.7: Generating a request for a new SAN Certificate
Submitting the SAN Certificate to a Microsoft Certificate Authority
With the SAN SSL certificate request generated, we can submit it to our Microsoft CA, or almost that is. The reason I why I say so, is because by default a Microsoft CA cannot handle certificates with the SAN field properly. To fix this issue log on to the Domain Controller and open a command prompt window, then type the following command:
Certutil –setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
After hitting Enter, you should see the old and new value as in Figure 3.8.
Figure 3.8: Changing the EditFlags on the Microsoft CA
Now restart Certificate Services (CertSVC) service on the Microsoft CA server (Domain Controller) in order to have the changes applied (Figure 3.9).
Figure 3.9: Restarting the Microsoft Certificate Service
We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).
Figure 3.10: Microsoft Certificates Welcome page
On the Request a Certificate page, click advanced certificate request (Figure 3.11).
Figure 3.11: Requesting a Certificate
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).
Figure 3.12: Selecting the second option on the Advanced Certificate Request page
Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.
Figure 3.13: Submitting the Certificate Request
The certificate has been issued and you can download a DER or Base 64 encoded version by clicking Download certificate or Download certificate chain. Let’s select Base 64 encoded followed by clicking Download certificate chain (Figure 3.14).
Figure 3.14: Downloading the issued Certificate
It’s time to import the issued certificate using the Import-ExchangeCertificate cmdlet. We do this by typing the following command:
Import-ExchangeCertificate –Path c:\certnew.p7b
The certificate has now been imported to the personal certificate store.
To verify the certificate looks like expected, let’s now type the following command:
Get-ExchangeCertificate -Thumbprint <thumbprint> | FL
Figure 3.16: SAN Certificate – Detailed Information
Finally we need to enable the certificate for the client services, our end-users will use to connect to their mailboxes. In this setup I’ll enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4. To do so we need to type:
Enable-ExchangeCertificate –Thumbprint <thumbprint> -Services “IIS, POP, IMAP”
Figure 3.17: Enabling the SAN certificate
The certificate has now been enabled for these services but only on the first Client Access server in our NLB cluster.
Importing and Enabling the SAN SSL certificate on the Second Client Access Server in the NLB Cluster
To import the SAN certificate on the second Client Access server in the NLB cluster, we first need to export it from the first Client Access server. When doing so, we need to make sure we export the certificate with its private key. This is done by opening the Certificates snap-in. To open the Certicates snap-in, click Start > Run and type mmc.exe to first open an empty MMC window. Now click File > Add/Remove Snap-in > Add > Select Certificates > Click Add > Select Computer Account > Click Next > Finish > Close and finally OK. Expand Certificates (Local Computer) > Personal, then right-click on the certificate that should be exported. On the context appearing menu, select All Tasks > Export (Figure 3.18).
Figure 3.18: Selecting Export on the Context Menu
In the Certificate Export Wizard, click Next. On the Export Private Key page, select Yes, export the private key as shown in Figure 3.19 then click Next.
Figure 3.19: Exporting the private key
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX) and tick Include all certificates in the certificates path if possible as shown in Figure 3.20. Click Next.
Figure 3.20: Selecting the format to use
Enter a password and click Next (Figure 3.21).
Make sure you remember this password as you need it when importing it on the second Client Access server.
Figure 3.21: Enter a password in order to protect the private key
Now specify the path to where you want to save the .PFX file (Figure 3.22), then click Next.
Figure 3.22: Specifying the path for the .PFX file
Finally click Finish.
Okay with the certificate exported, let’s copy it to the C: drive of the second Client Access server, and then open the Exchange Management Shell on that server. To import the certificate, type the following command:
Import-ExchangeCertificate –Path c:\exported_cert.pfx –Password:(Get-Credential).password
When pressing Enter, you’ll be prompted for the password you specified earlier on as shown Figure 3.23. It doesn’t matter what username you specify as this isn’t used in this type of authentication.
Figure 3.23: Importing the certificate
After clicking OK, the certificate has been imported (Figure 3.24).
Figure 3.24: Certficate imported
Now copy the certificate thumbprint to the clipboard, then enable the certificate for the required services by typing the following command (just like we did on the first Client Access server):
Enable-ExchangeCertificate –Thumbprint <thumbprint> -Services “IIS, POP, IMAP”
Figure 3.25: Enabling the SAN certificate on the second Client Access Server
The SAN certificate has now been properly enabled on both servers, and if the clients trust the root CA from our internal Microsoft CA, we should no longer get security warnings, when accessing OWA via the NLB cluster name as shown in Figure 3.26.
Figure 3.26: Accessing OWA 2007 without security warnings
Testing Outlook 2007 Connectivity
Now that we have verified OWA 2007 access works as expected, let’s move on and test connectivity using Outlook 2007. In order to do so, let’s switch to the client machine and launch Outlook 2007. On the Auto Account Setup page, enter the name, E-mail address and password for a mailbox-enabled user in your setup then click Next.
Using the Exchange 2007 Autodiscover service, Outlook 2007 will now try to configure your Outlook profile settings automatically. If everything goes well, the configuration should complete within a minute and you should see a screen similar to the one shown in Figure 3.28.
If the client doesn’t trust the root CA certificate, you’ll get one or two security warnings during this process.
Figure 3.28: Outlook configuration completed successfully
Now that the Outlook profile has been configured properly, click Finish in order launch Outlook 2007. With Outlook open, let’s see whether the autodiscover service works properly. We can do this by right-clicking on the Outlook icon in the System tray, while holding down the CTRL key, then in the context menu selecting Test E-Mail AutoConfiguration. On the Test E-mail AutoConfiguration page, enter your E-mail address and password, then clear Use Guesssmart and Secure Guesssmart Authentication and click Test.
After a little while, you will be informed whether the URLs to the different Outlook features, that are dependent on the Autodiscover service, are valid and working correctly. As can be seen in Figure 3.29, Outlook AutoConfiguration, Out of Office (OOF), the Offline Address Book (OAB) and Unified Messaging are all dependent on the Autodiscover service.
Figure 3.29: Autodiscover dependent features works as expected
If we click on the XML tab, we can see the content of the Autodiscover XML file used by the respective Outlook profile (Figure 3.30).
Figure 3.30: Autodiscover XML file used by the Outlook profile
Testing Exchange ActiveSync Connectivity
In this article we won’t use a Windows Mobile device to test whether Exchange ActiveSync (EAS) works as expected. Instead we’ll use the Test-ActiveSyncConnectivity cmdlet which allows us to simulate a full synchronization from a Windows mobile device against a specified mailbox.To test Exchange ActiveSync connectivity via a specific Client Access server type:
Test-ActiveSyncConnectivity –ClientAccessServer <name of CAS>
As can be seen in Figure 3.31 below Exchange ActiveSync connectivity to a mailbox works fine via both Client Access servers (the latency is of course not acceptable, but this is a test lab).
Figure 3.31: Testing Exchange ActiveSync Connectivity
For more detailed test results type:
Test-ActiveSyncConnectivity –ClientAccessServer <name of CAS> | FL
Okay we have reached the end of part three, which was the last in this three part article series on how you deploy Client Access server in a NLB setup, install valid SAN certificates and finally test client connectivity. I hoped you enjoyed it!