Tuesday, April 27, 2010

Introducing the new ESE Consultants' Corner

Welcome to the first edition of the ESE Consultants’ Corner! The ENow Solutions Engine is dedicated to helping the greater Microsoft community by providing an online resource of free articles, video tutorials, and advice on the hottest topics in Microsoft technology today. Instead of us always choosing the topic, we wanted to spice things up a bit. Our ESE writers are renowned experts in their fields, so we want you to put their knowledge and experience to the test!

Our writers consult on a daily basis, and constantly receive calls from either customers or colleagues asking about Exchange, Active Directory, Virtualization, Cloud computing, etc. Some of the questions they encounter are common, but others at times are very weird.

The ESE Consultants’ Corner is devoted to answering only the really cool questions our writers get asked on a daily basis. We will share with you their answers to the common questions and the not-so-common ones, so that you can benefit and learn from their expertise. The ESE Consultants’ Corner will be devoted to covering a broader range of topics as well as addressing questions that require fast answers.

We want to hear from you! Do you have an advanced technical question that you need answered? Do you have a design or planning issue that you want expert input on?

Please send your questions to: ese@enowinc.com. This will give you access to the ESE experts and allow you to ask them questions directly. If we encounter a really tricky question, then we might devote an article to it.

The rules for submission are simple:

  • ENow will select the best questions and answer them in the next edition of the Constultant Corner.

We want you to have a say in the topics we discuss, so email us your questions today!

Before we begin the Consultants' Corner, please note Mahmoud's Magdy's updated OCS-DNS calculator below.

The key to a successful Office Communications Server Deployment: The Errata and new OCS-DNS Certificate Calculator

By: Mahmoud Magdy

I have received lots of feedback regarding the OCS-DNS certificate calculator. Since there was some confusion, I have written this errata for clarification and also made some corrections to the calculator to make it clearer.

Please note the following:

  • You can use the calculator with OCS 2007 R2 only. You cannot use it with OCS 2007 as we have not tested it against 2007. There are no plans to test it in the future, but it might be something we pursue further down the road.
  • You can use the calculator for Exchange 2007 and 2010 deployments; there are no differences between both products in regards to the certificate requirements.
  • For HLB (hardware load balancers) the calculator will work if you assigned the edge FQDN to the VIPs. It has been tested and will work very smoothly.
  • To generate certificate request, use the OCS installer to create the certificate using the certificate wizard, then copy and paste the names generated by the certificate calculator into the certificate wizard.
  • Make sure to import the certificate on the same server you generated the certificate request from and export it along with the private key. This is mandatory to be able to assign the certificate to other servers.

We have uploaded a new version of the calculator that has the following fixes:

  • If you are using a certificate for Exchange and OCS, the certificate common name must be sip.domain.com or whatever the FQDN that will be assigned to the edge access and web conference. (This is a limitation that comes from the OCS that has been fixed in the current release.)
  • If you cannot make the certificate common name the Edge Access FQDN, then you can use a separate certificate for the Access Edge and Web Conference Edge.
  • We removed the web conference FQDN selection, since it has to match the FQDN assigned to the access FQDN.
  • We added port feature, so now you can assign a port and this will help in configuring the web conference edge.

http://support.enowzone.com/Downloads/OCS-DNS-Certificate-calculator-V1.5.xlsx

Credentials

Username: enowzone\freetrial

Password: H3althCh3ck

First Consultant’s Corner post:

By: Mahmoud Magdy

Hello! My name is Mahmoud Magdy and I am honored to be hosting the first ESE Consultants’ Corner. For this edition’s post, I chose to answer several questions I recently received that will benefit our readers the most.

Q: I am sending a large amount of emails per day and I am afraid of being listed as a spammer. What are the rules regarding spam?

A: You may rest easy because you will not be listed as a spammer just because of the large amount of emails you send. In fact, you will not be listed if you send a single spam email to as many as 1,000 or more recipients. The general rule of thumb regarding spam is this: being listed as a spammer is not related to the amount of email you sent, but rather the content of the emails and to whom they are sent. If you are simply sending advertisement emails to your customers then you will not be listed, but if you send advertisements to a mailing list that you don’t own then you are busted.

However, if your email system that is sending these types of messages is not secure and properly configured, then you will be blocked. The most common errors include DNS mis-configuration, SMTP banner and FQDN, and SPF solution, among many others.

Q: We have an internal application that sends emails using our internal relay connector. Will these emails be listed as spam?

A: For the general rules, please see the answer above. In regards to your particular situation:

1. I recommend that your application uses an email address that exists inside your organization

2. Try your best to authenticate the SMTP connection using your application; this will create an authenticated SMTP connection to your relay and it will be safe.

Q: My storage guy is doing a RAID X implementation because he told me this is the best option for my storage and Exchange deployment. Do you agree with him?

A: Let me preface this by saying that storage guys usually don’t like me. They are very professional and their work is very scientific, so when an Exchange guy comes in and tells them ‘This is how we should do storage,’ it does not go over well with them!

I recommend that you design your Exchange deployment using the Exchange storage calculator or your vendor’s calculator, and ask then storage guys to give you IOPs. Don’t worry about the RAID type as long as you get the required performance. Of course your must determine if the deployment option is the most cost effective method and will provide optimum performance. Storage guys really are the best people to tell you how to design your storage, but again make sure you ask for IOPs and not RIAD.

Q: I bought a server with 24 cores, but I heard that Exchange will not benefit from it. What I shall do?

A: Multi role deployment works well with 24 cores, and can even reduce issues without using the WSRM (Windows Server Resource Manager.) The problem is more with single role deployment and cross talk, but I must warn you that there is a catch: Microsoft testing shows when environments are sized according to Microsoft current guidance, multi-role systems perform fine without WSRM. (I will put a caveat on this by saying that most of the testing was done on 8-12 core systems.)

24 core systems have been low priority, so if Microsoft does not have a linear scale then these systems may benefit from WSRM. One other thing to be aware of with 24 core Intel systems is that most of the hex core (Dunnington) processors are over 1.5 years old. Until the processor vendors release the next round of 4 socket large core processors, you may be better off running a 2 socket Nehalem quad core system over a 4 socket hex core system.

Example:

  • The spec adjusted megacycles for a 24 core Intel Xeon X7450 server is 35237.
  • The spec adjusted megacycles for an 8 core Intel Xeon X5570 server is 44122.

In conclusion, today you can run a higher number of mailboxes on the newer 8 core servers than older 24 core servers.

I hope our first edition of the ESE Consultant’s Corner was helpful for you. What challenges are you facing in your environment? Need an expert opinion on an upcoming project? Feel free to email us your questions at ese@enowinc.com.

I look forward to hearing from you.

Until the next post, wishing you faster processors and bigger RAMs…

Mahmoud

Labels: , ,

posted by Enow Inc. at 8:22 AM 0 Comments

Tuesday, March 30, 2010

All for one and one for all: The key to a successful Office Communications Server Deployment

By: Mahmoud Magdy

One of the key factors to ensuring a successful Exchange/OCS deployment is that the certificates and DNS configurations must be setup correctly. I can say that more than 90% of the issues I troubleshoot in Exchange/OCS implementations can be traced back to Certificates and DNS issues.

Exchange and OCS heavily rely on Certificates as a key element of secure infrastructure deployment by using MTLS and TLS. The challenge is that implementing the certificate is confusing and comes with a price.

In this post we will investigate how to overcome these challenges and how you can use a single certificate for our Exchange/OCS deployment. Let us cut to the chase and go to the cool stuff.

Exchange and SSL -- an old story I have to tell:

Exchange started using SSL certificates when Exchange 2003 was introduced. At that time things were simple. To implement the certificate, all you had to do was create a certificate with a single name, for example (mail.domain.com), where it resolved to the External IP that was Nat’d to the Front End Server IP or Virtual IP if you were using several FEs.

As we all know, implementing certificates in Exchange 2007/2010 is more complicated and cumbersome. Now we have your standard mail.domain.com and the new introduced autodiscover.domain.com to deal with. This change also created the need for UCC certificates.

UCC certificates allow multiple names to be included in the certificate. This type of certificate is commonly called a SAN (Subject Alternative Names). For those of you who have worked with ISA 2004 or 2006 this may recall some nightmares as these certificates were not supported.

In order to publish a website over SSL, the “to” field in the ISA publishing rule had to match the certificate’s common name or (subject name), or you would get the famous (the targeted principle name is not correct) error. So we had to use 2 certificates in order to work around that, or use a single certificate, but not use ISA to publish Exchange websites. What a headache!







OCS 2007 R2, like if Exchange is not enough:


When OCS 2007 R2 was introduced, more changes also needed to be taken into account. In OCS 2007 R1, Microsoft decided to use MTLS for server to server communication and TLS for server to client communication. This meant that you needed to use an internal Certificate Authority (CA) in order to issue certificates for internal servers. Implementing remote access solutions in OCS was not as simple as it was in Exchange because it did not work with internally issued Certificates. In addition, OCS required DNS entries internally that is different than your external DNS records. Is your head spinning yet? Let’s take a closer look at internal DNS records used for a typical OCS 2007 R2 Deployment:


Please note that Those IPs will be VIPs if you use HA deployment. They will be created using HLB (hardware load balancers) since OCS doesn’t support MS WLB.

Note: You can change comp.domain.com to any name you want, just make sure to enter that name in the setup or modify it using LCSCMD command line tool.

Now let us take a look at the external DNS records used by OCS by an external User:

Keep in mind that SIP is used for Edge client access, webcon and AVconf are sample DNS entries that could be changed as they are not hard coded.

Combine it all with Certificates:

Now you have a table that lists all of the DNS names that is required, all you need to do is pull a certificate for each name (duh, that is why I am here writing this post, we want them all in one certificate). You can use single certificate, but let us see first the names that I will need to include in the certificate:

The above table list all the names required for OCS and Exchange, but there are 2 catches here:

  • SAN certificates are not supported by ISA2004/2006 for SSL publishing, you will have to use ISA 2006 SP1 or TMG since this issue were fixed in both versions.
  • If you use single certificate for Edge web conference and Edge Access, you will find that Edge server requires that names must be matched between Access/web conference IPs (you will note that in the edge server configuration wizard, you will be able to change the name, but it will not take effect), so the name must be matched, thus the same IP must be used so you will have to change the ports between access and web conference (in typical configuration Access/Web conf will use port 443, since OC clients are hard coded to try to use port 443, so you will have to change the web conf port to any other port, use 444 for simplification).

The final note has 2 catches:

  • 444 is a non standard port so you might have to adjust your firewall.


  • If you want to use port 443, then use a separate certificate for the Web Conference edge server IP.

You might wonder how I can change the port of the web conference without affecting the information worker, well the following diagram elaborates how web conference tokens are created:


The story begins when an external user clicks on the conference link (this external user is either domain user or anonymous user), then the following occurs:

  • The users access the Access Edge server and to get authenticated (Kerberos, NTLM for domain users or digest for anonymous users).

  • The front End server component contacts the web conf server component, AV component, Web component to add the user to the WEB MCU and AV MCU.

  • Pay attention in this step please, the user gets back an authentication token and configuration cookies that has the web conf edge/AV conf edge configuration and this is where the client gets notified about the ports used by the edge servers.

So as you can see web conf and AV conf ports are not hard coded, but are passed to the user in the config tokens.

Please note the web conf, front end and AV conf servers are located in the same box, but they were separated to elaborate how they work internally.

Avoid this common mistake:

One of the most common mistakes that we encounter in OCS implementations is seeing the FQDN for the AV authentication server and the port set to 443. This is not correct and will result in calling errors on the Office Communicator client. Please make sure that the AV authentication service uses port 5062.

Now after tons of notes, let’s make our final names table:

If you follow the suggestions listed in this article you will be able to use a single certificate for Exchange and OCS. Please note that I did not cover the internal edge certificate and pool certificate names as they are fairly simple to implement.

To help you, I have created my own Exchange/OCS certificate and DNS calculator. Please note this calculator is not supported by Microsoft and you should verify your configuration with a professional OCS/Exchange consultant. The calculator is very simple to use. All you will have to do is enter the OCS sip domain, host names used by edge server, OCS server type either (standard or enterprise) and DNS names and the certificate configuration will be created for you automatically.

To download the calculator, please use the link and credentials below:

Exchange/OCS Calculator:

http://support.enowzone.com/Downloads/OCS-DNS-Certificate-calculator-V1.4.xlsx

Credentials:
Username: enowzone\ese

Password: Tool4you

I hope that in this post I was able to help you out in your deployment and eliminate the confusion caused by using a single certificate for OCS and Exchange. Have a nice deployment and see you next time . . . !














Labels: , ,

posted by Enow Inc. at 9:31 AM 0 Comments

 
 

 


 

 

 

Click below for the ESE
.:ENOW Solutions Engine Pages

Featured Authors
E-Now Andy Grogan
E-Now Jay Gundotra
E-Now Lasse Pettersson
E-Now Hans Willi Kremer
E-Now Norber Klenner
E-Now Raphael Barini
E-Now Jonas Borelius
E-Now Kevin Wilson
E-Now Ismail Mohammed
E-Now Mahmoud Magdy

Previous Posts
Browse Monthly Archives

Suggest a Topic
Hire Us

Subscribe to
Posts [Atom]