In this post, I'll go over the steps and describe the process of renewing a certificate on an Exchange 2013 client access server.
This post assumes the following:
1. You're running Exchange 2013
2. You have an on-premises certificate authority (in this example, a Microsoft CA).
On to the work...
Note: you do NOT want to use the built-in certificate renewal process found in Exchange 2013's ECP. That process will only renew the certificate against the server's own local CA!
1. Log on to the Exchange 2013 CAS.
2. Open a Run command and type: mmc
3. Add the Certificates snap-in to this MMC for the local computer account.
4. Under the Personal store, you will find the certificate that needs to be renewed.
5. Right-click the certificate and, under All Tasks, select Renew Certificate with New Key.
6. The dialog that opens walks you through renewing the certificate; all of the certificate's data should already be present, since we are only renewing an existing certificate.
Once you finish the steps in this dialog, you're all done!
In some circumstances, you may run into an error saying that you do not have permission to renew the certificate. In this case, you must log on to your CA server and grant the appropriate group/computer account(s) the Read and Enroll permissions on the certificate template in question. Again, the account to add is the computer account of the Exchange server, since that object is the one requesting against your CA.
Sunday, November 29, 2015
Tuesday, September 8, 2015
Lync Trunk Translation Gotchya
In a recent configuration for a migration I've been working on, I had to configure some trunk translation rules. For those who are not aware of what "trunk translation rules" are, these are rule sets that take effect outside of any dial plan translations and do not appear when a user dials a number from a Lync client.
When setting up analog extensions (New-CsAnalogDevice), you set the number with -LineURI, and this parameter also allows you to set an extension, just as you would for a normal enterprise voice user's DID (tel:+15553334444;ext=1234). Keep in mind that when creating a trunk translation rule, you will need to write the rule so that it accounts for the ext=xxxx portion of the number!
Or, completely omit the ext=1234 portion from your analog extension standardization, as I have done in my environment.
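The gotcha above is easiest to see with the rule's regular expression in front of you. The snippet below is an added illustration, not code from the original post: it applies a .NET-style pattern/translation pair of the kind used in a trunk translation rule to two constructed numbers, one with and one without the ;ext= suffix, and also shows the author's alternative of stripping the extension from the LineURI altogether. It assumes the rule sees the number portion of the URI without the tel: prefix.

```javascript
// Added example (not from the original post): how a ";ext=NNNN" suffix on an
// analog device's LineURI affects a regex-based translation rule. The patterns
// and sample numbers are constructed; the rule is assumed to see the number
// portion of the URI (without the "tel:" prefix).

// A rule written for plain E.164 numbers: anchored with $, so a trailing
// ";ext=..." stops it from matching at all.
const RULE_PLAIN = { pattern: /^\+1(\d{10})$/, translation: "$1" };

// The same rule, extended to tolerate (and drop) an optional extension suffix.
const RULE_EXT_AWARE = { pattern: /^\+1(\d{10})(?:;ext=\d+)?$/, translation: "$1" };

// Apply one rule. Returns the translated number, or null when the pattern
// does not match (in which case the rule would simply not fire).
function applyRule(rule, number) {
  return rule.pattern.test(number)
    ? number.replace(rule.pattern, rule.translation)
    : null;
}

// The author's alternative: standardize the LineURI without the extension part.
function stripExtension(lineUri) {
  return lineUri.replace(/;ext=\d+$/i, "");
}

// Constructed numbers in the form the post shows.
const SAMPLE_NUMBERS = ["+15553334444", "+15553334444;ext=1234"];

// Run every sample through one rule; a null entry means "rule did not fire".
function translateAll(rule) {
  return SAMPLE_NUMBERS.map(n => applyRule(rule, n));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("plain rule:    ", translateAll(RULE_PLAIN));
  console.log("ext-aware rule:", translateAll(RULE_EXT_AWARE));
  console.log("stripped URI:  ", stripExtension("tel:+15553334444;ext=1234"));
}
```

The plain rule silently fails to fire for the analog device, which is exactly the symptom described above; either make the pattern extension-aware or keep extensions out of the LineURI.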
Sunday, April 19, 2015
Renewing Lync 2013 Front End Certificate Common Mistakes
This topic is easy to find by searching Google, but many people fail to point out a few extremely important steps, and skipping them will result in a cascading failure.
Most notably, after the certificate on your Front End server is renewed, make sure that ALL servers within your Lync environment trust the newly renewed Front End certificate.
This would be the following servers/roles:
- Lync Edge
- Lync Mediation
- Exchange CAS/UM
Once certificate renewal/assignment is complete, the last item to be performed is restarting the Front End Lync services by issuing the following commands:
Stop-CSWindowsService
This will take some time to complete, then issue:
Start-CSWindowsService
I have seen instances where the services fail to stop/start; if this happens to you, you will need to resort to restarting the entire server.
Ok guys, I just wanted to touch base on this subject, as it seems it is a common mistake many people are making. Any questions, feel free to ask.
Monday, March 9, 2015
WPAD What?
If you've ever wanted to simplify your corporate network's browser settings, this post describes just that.
There are 4 key factors to make this work:
- You are using a proxy for internet access.
- You are using Microsoft Group Policy to set/adjust system proxy and IE settings.
- You have access to internal DNS.
- You will need a proxy.pac or wpad.dat file. In this example, we will use wpad.dat.
1. The proxy server in this example is used to control users' internet access via Microsoft Active Directory group membership. For example, if Bob is a member of the group "InetAccessFull", the proxy checks this membership and grants him full access to the internet. If Bob is instead a member of "InetAccessLimited", the proxy server only grants him access to a filtered set of sites.
My particular proxy also hosts the wpad.dat file. I will not go into detail on how to host this, because settings vary between proxies, but it is hosted just like any other file on a website. In this example, the URL to access it is http://proxy.example.com/wpad.dat
2. With the introduction of IE9+, Microsoft added Internet Explorer settings to Group Policy "Preferences".
You will need to add whichever browser versions you need to support in your environment. Here I have added 8, 9 and 10. IE 11 is covered by the version 10 settings.
To properly set the system proxy settings, you will need to configure the GPO accordingly. Under Internet Options -> Connections -> LAN Settings, make sure "Automatically detect settings" is checked!
This is the default IE option, but we will force it in case a user decides to change it. With this enabled, IE (or any browser) will check the LAN for a specific DNS record, wpad.example.com.
3. Create a DNS host or alias record for wpad.example.com -> proxy.example.com. If you're using Microsoft DNS, you will need to perform an additional step, because the wpad name is blocked from resolving by default.
See this article for details: https://technet.microsoft.com/en-us/library/cc995158.aspx
After completion, try a test ping to wpad.example.com; it should now resolve and respond.
4. The wpad.dat file is a script that the browser reads and evaluates to decide whether a given destination (a particular LAN segment or the internet) is reached directly or through the proxy.
Here is a snippet of code to get you started. Keep in mind that this is very basic:
function FindProxyForURL(url, host) {
    // Do not proxy local plain host names
    if (isPlainHostName(host)) {
        return "DIRECT";
    }
    // Exceptions that do not need to be proxied
    if ((host == "80.80.20.20") ||
        (dnsDomainIs(host, ".the-example.com")) ||
        (dnsDomainIs(host, ".another-example.com"))) {
        return "DIRECT";
    }
    // Do not proxy the local LAN subnet
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // Do not proxy local example.com domain addresses
    if (dnsDomainIs(host, ".example.com")) {
        return "DIRECT";
    }
    // Default return condition is the proxy, since it's assumed that everything
    // else is on the Internet.
    return "PROXY proxy.example.com:9090";
} // End of function
Save the file as wpad.dat and upload to your web server or proxy server of choice.
This is one of the simplest ways of distributing proxy settings to a corporate LAN by script. Moreover, iOS, Android, and many other devices support this method as well!
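A PAC script is hard to test before rolling it out, because the helper functions it calls (isPlainHostName, dnsDomainIs, isInNet) are supplied by the browser. The harness below is an added example, not code from the original post: it reimplements those three helpers in plain JavaScript, uses a constructed hostname-to-IP table in place of DNS so it runs offline, and then runs the post's FindProxyForURL against a set of sample hosts that hit every branch. It also demonstrates the edge case the isInNet branch depends on: isInNet has to resolve the host first, so a LAN host the client cannot resolve is not "in net" and falls through to the proxy.

```javascript
// Added example (not from the original post): an offline harness for a PAC script.
// The three PAC helpers below are minimal reimplementations; the browser normally
// supplies them. FAKE_DNS is a constructed hostname -> IPv4 table standing in for
// real DNS resolution, so the harness runs without network access.
const FAKE_DNS = {
  "fileserver.example.com": "192.168.20.9",   // an example.com host on the LAN
  "extranet.example.com": "203.0.113.20",     // an example.com host outside the LAN
  "www.the-example.com": "203.0.113.10",
  "www.google.com": "142.250.72.4",
};

// Convert dotted-quad text to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// isPlainHostName: true when the name contains no dot (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// dnsDomainIs: true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// dnsResolve: an IP literal passes through; otherwise look up the constructed table.
// Returns null when the name does not resolve, as the browser's helper does.
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return FAKE_DNS[host.toLowerCase()] || null;
}

// isInNet: resolve the host, then compare it against pattern/mask.
// An unresolvable name is never "in net": a LAN host the client cannot
// resolve will therefore fall through to the proxy.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// The post's FindProxyForURL, same decision logic as the snippet above.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (host == "80.80.20.20" ||
      dnsDomainIs(host, ".the-example.com") ||
      dnsDomainIs(host, ".another-example.com")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (dnsDomainIs(host, ".example.com")) return "DIRECT";
  return "PROXY proxy.example.com:9090";
}

// Evaluate a list of [url, host] pairs; returns an object of host -> decision.
function evaluatePac(cases) {
  const out = {};
  for (const [url, host] of cases) out[host] = FindProxyForURL(url, host);
  return out;
}

// Constructed sample requests covering each branch of the script.
const SAMPLE_CASES = [
  ["http://intranet/", "intranet"],                              // plain host name
  ["https://www.the-example.com/", "www.the-example.com"],       // listed exception
  ["http://80.80.20.20/", "80.80.20.20"],                        // listed IP exception
  ["http://192.168.5.7/", "192.168.5.7"],                        // IP literal on the LAN
  ["http://fileserver.example.com/", "fileserver.example.com"],  // resolves into the LAN
  ["http://extranet.example.com/", "extranet.example.com"],      // example.com, off-LAN
  ["http://corp.internal/", "corp.internal"],                    // unresolvable: proxied
  ["https://www.google.com/", "www.google.com"],                 // internet
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluatePac(SAMPLE_CASES));
}
```

Run it with node before publishing a new wpad.dat, adding a sample host for every branch you change. Because every client with auto-detection enabled will apply whatever wpad.example.com serves, treat the host that serves wpad.dat and the DNS record that points at it as security-sensitive configuration and keep both under change control.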