[Today's post comes to us courtesy of Ketan Thakkar]
This article describes the steps involved in reinstalling the Edge Transport Server role of Microsoft® Exchange Server 2007 Standard Edition on the Windows® Essential Business Server Security Server. During this process Internet mail flow will be down, because the Edge Server is responsible for sending and receiving mail to and from the Internet. Forward mail traffic to an alternate inbound mail gateway during this process so that mail can continue to be sent and received. You will also need to create a send connector with the address space * and allow communication on port 25 from the Security Server to the Messaging Server.
To perform the following procedure, the account you use must be a member of the following groups:
- Enterprise Administrators group
- Domain Administrators group
- Exchange Organizations Administrators group
- Export Edge Transport Server Configuration:
- On the Security Server, open elevated Exchange Management Shell by selecting start > Programs > Microsoft Exchange Server 2007 > right click on Exchange Management Shell and select run as administrator
- Navigate to C:\Program Files\Microsoft\Exchange Server\Scripts .
- Export the Edge configuration by typing the command .\ExportEdgeConfig.ps1 as follows:
.\ExportEdgeConfig.ps1 -CloneConfigData:"C:\CloneConfigData.xml" -Key:"ABCD8484KD84LS02ABCD8484KD84LS02"
Note: This is just an example key; it can be any combination of letters and numbers, but it must be 16, 24 or 32 bytes long. Note down this key, because it is needed again when the configuration is imported. Make sure the Microsoft Exchange Transport service is running before running this command.
If the command was successful you should see the following message displayed on the screen:
Edge configuration is exported successfully to c:\ExportEdgeconfig.xml
- Remove Edge Transport Server Subscription:
- On the Security Server type the following command to remove Edge Transport Server Subscription in the Exchange Management Shell:
Remove-EdgeSubscription -Identity EBS-SEC
- Type Y at the confirmation prompt.
- Uninstall Exchange Edge Transport Server Role:
- On the Security Server open a command prompt with elevated privileges. To do this click on Start > right click on command prompt and select run as administrator.
- Navigate to C:\Program Files\Microsoft\Exchange Server\Bin directory and run the following command to remove the Edge Transport Server Role:
Setup.com /mode:uninstall /role:et
If the command was successful you should see the following message displayed on the screen:
The Microsoft Exchange Server setup operation completed successfully
Note: You must reboot the server after this step
- Install Edge Transport Server Role:
- On the Security Server open a command prompt with elevated privileges. To do this click on Start > right click on command prompt and select run as administrator.
- Navigate to C:\Program Files\Windows Essential Business Server\Bin\EXCHSRVR80 directory and run the following command to install the Edge Transport Server Role:
Setup.com /mode:install /role:et /sourcedir:"c:\Program Files\Windows Essential Business Server\Bin\EXCHSRVR80"
At the successful completion of the command, you should get the following on the screen:
The Microsoft Exchange Server setup operation completed successfully.
Setup has made changes to operating system settings that require a reboot to take effect. Please reboot this server prior to placing it into production.
You can track the install/reinstall process from the following logs if there are any issues: C:\ExchangeSetupLogs
Note: You must reboot the server after this step
- Import Edge Transport Server Configuration:
There are two phases in importing the Edge Transport Server configuration: a validate phase and an import phase. In the first phase a configuration answer file is created, which validates the information in the configuration file saved in step 1. If all validations succeed, the second phase imports the configuration. To create the answer file, perform the following steps:
- Open the Exchange Management Shell by selecting Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
- Navigate to C:\Program Files\Microsoft\Exchange Server\Scripts.
- Run the validate phase by typing the command .\ImportEdgeConfig.ps1 as follows:
.\ImportEdgeConfig.ps1 -cloneConfigData "C:\CloneConfigData.Xml" -cloneConfigAnswer "c:\cloneConfigAnswer.xml" -isImport $false
You should get the following result after running the above command:
Warning:Passwords will be encrypted with the default script encryption key
Validation succeeded for ConnectivityLogPath element of type DirectoryPath
Validation succeeded for MessageTrackingLogPath element of type DirectoryPath
Validation succeeded for PickupDirectoryPath element of type DirectoryPath
Validation succeeded for PipelineTracingPath element of type DirectoryPath
Validation succeeded for ReceiveProtocolLogPath element of type DirectoryPath
Validation succeeded for ReplayDirectoryPath element of type DirectoryPath
Validation succeeded for RoutingTableLogPath element of type DirectoryPath
Validation succeeded for RootDropDirectoryPath element of type NullableDirectoryPath
Validation succeeded for SendProtocolLogPath element of type DirectoryPath
Validation succeeded for SourceIPAddress element of type IPAddress
Validation succeeded for SourceIPAddress element of type IPAddress
Validation succeeded for Bindings element of type Bindings
Validation succeeded for Fqdn element of type FQDN
Answer File is successfully created: c:\cloneConfigAnswer.xml
- Run the import phase by typing the command .\ImportEdgeConfig.ps1 as follows:
.\ImportEdgeConfig.ps1 -cloneConfigData "C:\CloneConfigData.Xml" -cloneConfigAnswer "c:\cloneConfigAnswer.xml" -isImport $true -Key:"ABCD8484KD84LS02ABCD8484KD84LS02"
Note: This must be the same key that was used in step 1 to export the Edge configuration.
Press ‘a’ whenever prompted
You can track the Edge configuration import/export through the following log if there are any issues:
C:\Program Files\Microsoft\Exchange Server\Logging\SetupLogs\cloneLogFile.log
- Edge Subscription:
- On the Security Server open Exchange Management Shell by selecting start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell. Create new Edge Subscription using following command:
New-EdgeSubscription -FileName "C:\EdgeSubscriptionExport.XML"
Press Y to confirm.
Note: We must also create the new subscription on the Hub Transport Server within 24 hours.
- Copy the Edge Subscription file EdgeSubscriptionExport.xml to the Messaging Server on C:\. Exchange Organization Administrators must have read access to the file.
- Create a new Edge Subscription file on the Messaging Server. You can perform this step either from Exchange Management Shell or through Exchange Management Console. We will look at the method through Exchange Management Shell first. To do this open Exchange Management Shell by selecting start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell:
New-EdgeSubscription -FileName "c:\EdgeSubscriptionExport.xml" -Site "Default-First-Site-Name"
Note: Make sure that the Hub Transport Server can connect to the Security Server on port 50636.
- You can verify that the Exchange EdgeSync service successfully propagated the configuration data. Run the Test-EdgeSynchronization cmdlet in the Exchange Management Shell as below:
Test-EdgeSynchronization
You should get the following result after running the above command:
Name : EBS-SEC
LeaseHolder : EBS-MSG
LeaseType : Option
ConnectionResult : Succeeded
FailureDetail :
LeaseExpiry : 11/8/2008 9:14:25 PM
LastSynchronized : 11/8/2008 8:14:25 PM
CredentialStatus : Synchronized
TransportServerStatus : NotSynchronized
TransportConfigStatus : Synchronized
AcceptedDomainStatus : Synchronized
SendConnectorStatus : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus : Synchronized
CredentialRecords : Number of credentials 3
At this point Microsoft® Exchange Edge Transport Server Role reinstallation is complete.
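The export, validate and import steps above, together with the checks the post calls out (key length, the transport service running, port 25 and port 50636 reachable, and the EdgeSync result), wrapped into PowerShell functions. This is an added example and not part of the original post; the server names, file paths and clone key are placeholders, and ExportEdgeConfig.ps1 / ImportEdgeConfig.ps1 are the Exchange 2007 scripts the steps above invoke.

```powershell
# Added example (not from the original post). Run Export-EdgeClone / Import-EdgeClone
# in an elevated Exchange Management Shell on the Security Server, and
# Test-EdgeSyncResult on the Messaging (Hub Transport) Server after subscribing.
# Names, paths and the key below are placeholders.

$ScriptsDir      = "C:\Program Files\Microsoft\Exchange Server\Scripts"
$CloneData       = "C:\CloneConfigData.xml"
$CloneAnswer     = "C:\cloneConfigAnswer.xml"
$MessagingServer = "EBS-MSG"   # hypothetical Hub Transport server name
$SecurityServer  = "EBS-SEC"   # hypothetical Edge (Security) server name
$Key = "ABCD8484KD84LS02ABCD8484KD84LS02"   # example key from the post; generate your own

function Test-CloneKey {
    # ExportEdgeConfig.ps1 / ImportEdgeConfig.ps1 require a 16, 24 or 32 byte key.
    param([string]$Key)
    $bytes = [System.Text.Encoding]::ASCII.GetByteCount($Key)
    if (@(16, 24, 32) -notcontains $bytes) {
        throw "Clone key is $bytes bytes; it must be exactly 16, 24 or 32 bytes."
    }
}

function Test-TcpPort {
    # Plain TCP connect with a timeout (Test-NetConnection does not exist on
    # Windows Server 2008, so System.Net.Sockets.TcpClient is used instead).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Assert-TransportRunning {
    # The post requires the transport service to be running before the export.
    $svc = Get-Service MSExchangeTransport
    if ($svc.Status -ne 'Running') {
        throw "Microsoft Exchange Transport is $($svc.Status); start it before exporting."
    }
}

function Export-EdgeClone {
    Test-CloneKey $Key
    Assert-TransportRunning
    Push-Location $ScriptsDir
    try { .\ExportEdgeConfig.ps1 -CloneConfigData $CloneData -Key $Key }
    finally { Pop-Location }
    if (-not (Test-Path $CloneData)) { throw "Export did not produce $CloneData" }
}

function Import-EdgeClone {
    Test-CloneKey $Key
    Push-Location $ScriptsDir
    try {
        # Phase 1: validate only; this writes the answer file.
        .\ImportEdgeConfig.ps1 -CloneConfigData $CloneData -CloneConfigAnswer $CloneAnswer -IsImport $false
        if (-not (Test-Path $CloneAnswer)) { throw "Validation failed: no answer file was written." }
        # Phase 2: apply the configuration, using the same key as the export.
        .\ImportEdgeConfig.ps1 -CloneConfigData $CloneData -CloneConfigAnswer $CloneAnswer -IsImport $true -Key $Key
    } finally { Pop-Location }
}

function Test-EdgeSyncResult {
    # Run on the Messaging Server after New-EdgeSubscription. Anything other than a
    # succeeded connection is treated as a failure; the per-component *Status values
    # are listed so a NotSynchronized entry (as in the sample output above) stands out.
    if (-not (Test-TcpPort $SecurityServer 50636)) {
        throw "$SecurityServer is not reachable on TCP 50636 from this server; EdgeSync cannot run."
    }
    foreach ($r in @(Test-EdgeSynchronization)) {
        if ($r.ConnectionResult -ne 'Succeeded') {
            throw "EdgeSync to $($r.Name) failed: $($r.FailureDetail)"
        }
        $r | Format-List Name, LeaseHolder, ConnectionResult, LastSynchronized, *Status
    }
}

# On the Security Server: confirm SMTP to the Messaging Server, then export/import.
# if (-not (Test-TcpPort $MessagingServer 25)) { throw "TCP 25 to $MessagingServer is blocked" }
# Export-EdgeClone
# Import-EdgeClone
```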
[Today's post comes to us courtesy of Sharique Ahmed]
This article describes how to use the Update Certificates Wizard of your Windows Essential Business Server (EBS) servers. Running the Update Certificates Wizard automates the renewal of Windows Essential Business Server (EBS) SSL certificates.
Windows EBS installs the Active Directory Certificate Services server role on the Management Server. This creates a single-tier enterprise public key infrastructure (PKI) hierarchy with a certification authority that is specific to the Windows EBS domain. This private certification authority issues self-signed certificates that are used by default by Forefront TMG for publishing secure Web sites such as Outlook Web Access and Remote Web Workplace.
To update the certificates for Internet access that are issued by Windows EBS, use the Update Certificates Wizard. Certificates that are issued by Windows EBS typically expire after two years. It is recommended that you update each certificate before its expiration date to ensure that your Security Server and Messaging Server function normally.
The wizard can update the following private Secure Sockets Layer (SSL) certificates:
- Messaging Server: This certificate is used for SSL connections to Internet Information Services (IIS) Web sites, such as Outlook Web Access.
- Security Server: This certificate is used by Forefront TMG to publish the Terminal Services Gateway and SSL Web sites in your network.
NOTE: You cannot use the Update Certificates Wizard to update any certificate that is not issued by Windows EBS.
IMPORTANT: Updating your certificates briefly interrupts Internet connectivity and client access to Microsoft Exchange through Outlook Web Access. To minimize impact to users on your network, update certificates during a scheduled service maintenance period.
To update the SSL certificates:
- Log on to the Management Server with an account that is a member of the Domain Admins group.
- Click Start, point to All Programs, click Windows Essential Business Server, click Tools, and then click Update Certificates. The Update Certificates Wizard appears.
- Supply the User Credentials and Domain Name.
- On the Choose Certificates section, check the Server Certificate(s) that you wish to renew.
- Click Update. A progress bar will now be displayed.
- On the Finish page, click Close.
More Information:
The EBS Team wishes you a safe and peaceful holiday season.
A case study was just released on 15DEC08. Read more on my Product Manager blog.
[Today's post comes to us courtesy of Harpreet Singh]
Today we will discuss how to remove and reinstall Microsoft Forefront Security for Exchange Server in Essential Business Server.
Important: These steps remove FSE from your server. Any settings you have made will still remain in the configuration file in the Microsoft Forefront Security folder. The incidents database file, the Statistics.xml file, and your licensing information will also remain. Before uninstalling, we recommend that you back up Microsoft Forefront Security for Exchange Server. For more information about how to back up and restore Forefront Security for Exchange Server, see the following link:
Backing up and restoring Forefront Security for Exchange Server: http://technet.microsoft.com/en-us/library/cc765430.aspx
Step 1: Uninstall Forefront Security for Exchange in EBS
To uninstall Microsoft Forefront Security for Exchange Server (FSE), log on as an administrator to the EBS Messaging server.
- Stop the FSCController service from services.msc. This also stops the Microsoft Exchange Information Store service.
- Open Control Panel, and then click Programs and Features.
- Select Microsoft Forefront Security for Exchange Server, and then click Uninstall. Click Yes to begin the removal.
- On the Uninstall Complete page, click Finish.
- Any settings that have been made still remain in the configuration file (fdb files) in the Microsoft Forefront Security folder in Program Files(x86). The incidents database file, Statistics.xml file, and your licensing information also remain.
Note:
- If you will be reinstalling FSE and want to retain those settings, do nothing.
- If you will not be reinstalling FSE, or you want to start with fresh settings, delete this folder. If you are not planning to reinstall Forefront Security for Exchange Server, restart the stopped Exchange services.
Step 2: Install Forefront Security for Exchange in EBS
To install Microsoft Forefront Security for Exchange Server (FSE), log on as an administrator to EBS Messaging server.
- Run Setup.exe file located under C:\Program Files\Windows Essential Business Server\Bin\FSS.
- On the Welcome screen, click Next to continue.
- Read the license on the License Agreement screen and click Yes to accept it.
- On the Customer Information screen, enter the User Name and Company Name.
- On the Installation Location screen, select Local Installation.
- On the Installation Type screen, select Full Installation.
- On the Quarantine Security Settings screen, select the desired setting.
Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.
- On the Engines screen, approve or change the antivirus engine selection. The Microsoft Antimalware Engine and four other randomly selected engines are chosen. You can modify the engine selection, choosing a maximum of five engines, including the Microsoft Antimalware Engine.
- On the Engine Updates Required screen, read the warning about engine updates and Click Next.
- Select Use Proxy Settings and enter the name or IP address of the EBS Security Server on the Proxy Information screen. Enter 8080 for the port number.
- On the Choose Destination Location screen, accept the default destination folder for the product.
- On the Select Program Folder screen, click Next.
- On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
- On the "Restart Exchange Transport Service" screen, click Next to recycle the service. If you click Skip you must manually restart the service for FSE to begin scanning incoming email.
- Wait until the status changes to All services started, before clicking Next to continue.
- On the "Restart Exchange Information Store Service" screen, click Next to recycle the service. If you click Skip you must manually restart the service for FSE to begin scanning email.
- Wait until the status changes to All services started, before clicking Next to continue.
- On the Install Shield Wizard Complete screen, Click Finish to complete the installation.
I recently discovered this matrix that shows the HP servers supporting EBS.
This post on my Product Manager blog contains two slides from an EBS deck discussing TCO, productivity and competitive advantage. Following review and internal distribution, I will ask a few IT Pros to review them as a tool to use when discussing EBS with their business decision maker, e.g. CFO, CEO, etc.


When you read the post, please complete the one-question survey: "What do you think about the amount of information on www.microsoft.com/ebs?"
[Today's post comes to us courtesy of Sharique Ahmed]
This article describes how to change the IP addresses of your Windows Essential Business Server (EBS) computers. You can use the Change IP Address Settings Wizard to change the IP address settings of a network adapter on the Windows EBS Management Server, Security Server, or Messaging Server. When you change the IP address settings on one server, the wizard reconfigures connections to the other two servers to keep your network functioning properly. For more information on all the settings that are changed please see http://technet.microsoft.com/en-us/library/d37f87de-5601-4a9f-9487-a79779933100.
Important
- Do not use native tools in Windows Server 2008 to change the IP address settings of a network adapter on a server for Windows EBS. If you already changed IP address settings manually, restore the previous IP address settings, and then follow the steps in this procedure.
- The new IP address setting may affect the connectivity of other computers and devices in your domain, including client computers. If you use the DHCP Server service for dynamic addressing, renew the IP configurations of these computers and devices to update them by running ipconfig /renew. Computers with static IP address assignments may need to have their default gateway or DNS server entries manually modified.
- Changing the IP address settings on a server for Windows EBS briefly interrupts network connectivity. To minimize the impact to the users on your network, change IP address settings during a scheduled service maintenance period.
- You should only run the Change IP Address Settings Wizard on one server at a time.
- There is no Change IP Address Settings Wizard for the Premium Server.
- The Change IP Address Settings Wizard does not update the SCE Managed Computers Group Policy Group Policy object or the System Center Essentials All Computers Policy Group Policy object. You may need to adjust these Group Policy settings to ensure proper network functionality. For more information about modifying Group Policy objects, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=133100).
- If you replace a Windows EBS server and you configure the IP address settings manually, you need to use the Active Directory Service Interfaces Editor (ADSI Edit) to record these settings in Active Directory. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=125622).
- If you move the Security Server to a different subnet, do the following on the Security Server:
- Delete existing network routes to subnets of the Management Server and the Messaging Server. Use the route print and route delete commands. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=133804).
- Add new persistent static routes to subnets of the Management Server and the Messaging Server. Use the route add -p command.
- If you move the Management Server and the Messaging Server to a different subnet, do the following on the Security Server:
- If no Windows EBS servers exist on the subnet that you are moving from, delete the existing network routes to the subnet you are moving from. Use the route delete command.
- If this is the first Windows EBS server on the subnet that you are moving to, add a persistent static route to the subnet you are moving to. Use the route add -p command.
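The route replacement described in the two bullets above, done from PowerShell with a check that the new route really was written as a persistent route. This is an added example and not part of the original post; the subnets and gateway are placeholders, and Win32_IP4PersistedRouteTable is the WMI class that lists the routes route add -p stores.

```powershell
# Added example (not from the original post): remove the stale route to the subnet the
# Management/Messaging servers moved from, add a persistent route to the new subnet,
# and verify it. Run from an elevated PowerShell prompt on the Security Server.
# The addresses below are placeholders.

$OldSubnet = "192.168.10.0"   # subnet the Management/Messaging servers moved from
$NewSubnet = "192.168.20.0"   # subnet they moved to
$Mask      = "255.255.255.0"
$Gateway   = "10.0.0.1"       # next hop on the Security Server's internal network

function Get-PersistentRoute {
    # Persistent routes (those added with "route add -p") are exposed through WMI.
    param([string]$Destination)
    Get-WmiObject Win32_IP4PersistedRouteTable | Where-Object { $_.Destination -eq $Destination }
}

function Remove-OldRoute {
    # Only persistent routes are handled here, matching how the original routes were added.
    param([string]$Destination)
    if (Get-PersistentRoute $Destination) {
        route delete $Destination | Out-Null
        if (Get-PersistentRoute $Destination) {
            throw "Persistent route to $Destination is still present after route delete."
        }
    }
}

function Add-PersistentRoute {
    param([string]$Destination, [string]$Mask, [string]$NextHop)
    route add -p $Destination mask $Mask $NextHop | Out-Null
    $r = Get-PersistentRoute $Destination
    if (-not $r -or $r.NextHop -ne $NextHop) {
        throw "Route to $Destination via $NextHop was not persisted; check that the gateway is on-link."
    }
    $r | Select-Object Destination, Mask, NextHop, Metric1
}

Remove-OldRoute $OldSubnet
Add-PersistentRoute $NewSubnet $Mask $Gateway
```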
To change the IP address settings of a network adapter on the Management or Messaging Server
- Log on to the Management Server or Messaging Server with an account that is a member of the Domain Admins group.
- Click Start, click All Programs, click Windows Essential Business Server, click Tools, and then click Change IP Address Settings.
- On the Before you begin page, read the instructions, and click Check to test the connectivity from this server to the other two EBS servers. If the wizard cannot connect to one or both of the other EBS servers you cannot proceed.
- On the Choose IP address settings page, enter your new IP address, subnet mask, and default gateway settings for the network adapter and then click Change.
- On the Finish page, click Close.
To change the IP address settings of a network adapter on the Security Server
- Log on to the Security Server with an account that is a member of the Domain Admins group.
- Click Start, click All Programs, click Windows Essential Business Server, click Tools, and then click Change IP Address Settings.
- On the Choose a network adapter page, choose the network adapter you wish to modify and click Next.
- If you have chosen the internal network adapter, click Check to test the connectivity from this server to the other two EBS servers. If the wizard cannot connect to one or both of the other EBS servers you cannot proceed. The step is automatically skipped for the external adapter.
- On the Choose IP address settings page, do one of the following:
a. If you are changing the IP address settings of the external adapter on the Security Server, and you want to use the DHCP, click Use DHCP to automatically configure the IP address settings. Then click Change.
b. If you are changing the IP address settings of the external adapter on the Security Server and you have a static IP address, click Manually configure the IP address settings. Then enter the new IP address, subnet mask, and default gateway. Then click Change
c. If you are changing the IP address of the internal adapter enter the new IP address, subnet mask, and default gateway. Then click Change.
- On the Finish page, click Close.
[Today's post comes to us courtesy of Justin Crosby]
When Windows 2008 Essential Business Server is installed, your current DNS servers are stored in Active Directory. EBS uses this data to configure the DNS settings on a server during a replacement mode install. If you retire a DNS server between the original install and a replacement mode install the replacement mode install may fail at the Network Configuration step due to the fact that the server could not reach the decommissioned DNS server. You will receive the following error message:
DNS record cannot be updated
The host (A) resource record for this server cannot be updated on DNS server <IP>. Wait a few minutes, and then click Retry.
Resolution:
To fix this issue you need to modify the following setting. Before changing any Active Directory setting make sure you have a full, tested backup:
- Open ADSI Edit (adsiedit.msc) on the Management or Messaging server.
- Click “Action” and “Connect to…”
- Under “Connection Point” choose “Select a well known Naming Context”, choose “Configuration” and then click “OK”.
- Expand Configuration [domain.local]
- Expand CN=Configuration,DC=Domain,DC=local
- Expand CN=Services
- Expand CN=MMSConfiguration
- Right-click CN=DnsServer and select Properties
- Select the “keywords” attribute and click Edit.
- Highlight “DnsAddress=x.x.x.x” and hit “Remove”
- Replace the retired DNS server IP(s) with the correct IP address(es) and click Add.
Note: This value is a single-line value; you cannot add multiple lines, and you cannot add any spaces.
- Once you have completed this change you must restart the replacement mode install.
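The same keywords change done from PowerShell through ADSI, with a dry-run mode and a saved copy of the old values. This is an added example and not part of the original post; the distinguished name is assumed from the ADSI Edit path the steps above walk through, and the two IP addresses are placeholders.

```powershell
# Added example (not from the original post): replace the retired DNS server's
# "DnsAddress=x.x.x.x" keyword on CN=DnsServer,CN=MMSConfiguration,CN=Services,<config NC>.
# Run as a Domain Admin on the Management or Messaging server. IPs are placeholders.

$RetiredDns = "192.168.1.50"   # DNS server that was decommissioned
$NewDns     = "192.168.1.60"   # DNS server that replaces it
$DryRun     = $true            # set to $false to write the change to Active Directory

function Get-EbsDnsServerObject {
    # DN assumed from the ADSI Edit path in the steps above.
    $rootDse = [ADSI]"LDAP://RootDSE"
    [ADSI]"LDAP://CN=DnsServer,CN=MMSConfiguration,CN=Services,$($rootDse.configurationNamingContext)"
}

function Test-IPv4 {
    param([string]$Address)
    $ip = $null
    [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -and
        $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

function Update-EbsDnsKeyword {
    param([string]$OldAddress, [string]$NewAddress, [bool]$DryRun)
    if (-not (Test-IPv4 $NewAddress)) { throw "$NewAddress is not a valid IPv4 address" }
    $obj      = Get-EbsDnsServerObject
    $keywords = @($obj.keywords)            # multi-valued; one "DnsAddress=x.x.x.x" per value
    $oldValue = "DnsAddress=$OldAddress"
    $newValue = "DnsAddress=$NewAddress"    # single value, no spaces, as the note above says
    if ($keywords -notcontains $oldValue) {
        throw "keywords does not contain '$oldValue'; current values: $($keywords -join ', ')"
    }
    # Keep a copy of the current values before touching Active Directory.
    $keywords | Out-File -FilePath ".\DnsServer-keywords-backup.txt"
    $updated = @($keywords | Where-Object { $_ -ne $oldValue }) + $newValue
    if ($DryRun) {
        Write-Host "Would set keywords to: $($updated -join ', ')"
        return $updated
    }
    $obj.PutEx(2, "keywords", [object[]]$updated)   # 2 = ADS_PROPERTY_UPDATE (replace all values)
    $obj.SetInfo()
    return @((Get-EbsDnsServerObject).keywords)     # re-read to confirm what was written
}

Update-EbsDnsKeyword -OldAddress $RetiredDns -NewAddress $NewDns -DryRun $DryRun
```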
When activating from an evaluation EULA, EBS is activated the same way as Windows Server.
To enter the key, do the following:
- Make sure you have the keys for EBS. You should have one for each Server role, Management, Messaging and Security. You’ll also need CALs either device or user CALs to suit your organization.
- Ensure you have your internet connection correctly setup
- Click Start.
- Right-click Computer and select Properties.
![clip_image002[5]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/ActivatingEBS_A4A4/clip_image002%5B5%5D_thumb.gif)
- Click Change Product Key.
- Enter your product key for the right server role and click Next.
- Follow the rest of the prompts to complete the key activation. Repeat for the other two servers.
Next you'll want to add your CALs:
- Start the EBS console and select the Licenses tab.
- Click Install CAL Packs and run through the wizard.
- Finally, assign the CALs to the users and devices as required.
Thanks Nick for this guidance!!!
An excerpt from the Level Platforms press release:
Level Platforms announces immediate delivery of comprehensive best practices monitoring and management for the next wave of Microsoft products for small and midsize businesses.
Level Platforms Partners can now deploy comprehensive remote monitoring, management and reporting for SBS 2008 and EBS 2008 in minutes by downloading and applying the new integrated suite of Policy Modules. These powerful new Solution Kits are available for both On Premise as well as Hosted versions of the award-winning Managed Workplace software.
Read the entire press release from Level Platforms

[Today's post comes to us courtesy of Damian Leibaschoff]
When the Management server is configured in Windows Essential Business Server 2008, 2 group policies are configured as part of the System Center Essentials (SCE) deployment. These policies allow the Management server to deploy the SCE agent and access SCE Managed Computers in your domain.

One of these policies is the "SCE Managed Computers Group Policy (MGMT_MG)". (Note that the name in parentheses varies depending on the name you have used for your Management server; in this case the Management server is called MGMT.) Among other things, this policy defines firewall exceptions that apply to members of the "SCE Managed Computers" group. We will discuss the impact of this policy in another post, but keep in mind that it defines which machines can access Remote Desktop on the machines where the policy is applied, and by default that is the Management server IP only.

Another policy is the "System Center Essentials All Computers Policy". This applies to all computers in the domain and also defines firewall exceptions, among other things. We will discuss the impact of this policy in a different post, but do keep in mind that by default the firewall actions defined in this group policy determine which machines can access shares on, and remotely manage, the machine where the policy is applied, and by default that is the Management server IP only.

These firewall exceptions on both group policies are set based on the IP of the Management server, only allowing the Management server access to the machines where the policies are applied to.
After running the Change IP Wizard on the Management server, the new IP will NOT be updated in the previously mentioned policies, thus, proper access for SCE to connect to the managed computers or when trying to deploy its agent to a new computer will be affected and potentially fail.
To correct this you must manually update the policies with the correct IP for the Management server after you have completed the Change IP wizard. For that, follow these steps:
1-On the Management server, go to start, Run, and type GPMC.MSC and then click ok.
2-Expand the Forest, Domains, your domain, and select "SCE Managed Computers Group Policy (MGMT_MG)" (Note that the name in brackets might be different). Use Right-Click Edit once selected.
3-Expand Computer Configuration\Policies\Administrative templates\Network\Network Connections\Windows Firewall\Domain Profile
4-Edit the following value: "Windows Firewall: Allow inbound Remote Desktop exceptions" and configure it using the new IP for the Management server. Please note that if you are allowing RDP or RWW connections from the Internet, this policy might cause some conflicts, so it might be necessary to change this policy to allow a bigger range of exceptions.
Repeat Steps 1-3 but for the "System Center Essentials All Computers Policy"
4-Edit the following values with the new Management server IP: "Windows Firewall: Allow inbound file and printer sharing exception", and "Windows Firewall: Allow inbound remote administration exception". Once again, these policies might be too restrictive for your environment; in this case only the Management server would be able to access other workstations' shares, so keep that in mind when planning your network.
If you would like more information about changing the IP of your EBS server, please check the following link
http://technet.microsoft.com/en-us/library/cc540075.aspx
[Today's post comes to us courtesy of Manish Kapoor]
INTRODUCTION
This article describes how to reinstall Microsoft® Forefront™ Threat Management Gateway, Medium Business Edition on Windows® Essential Business Server Security Server. This may be necessary as a last-effort troubleshooting step or to repair a damaged installation of Forefront TMG. The steps in this article will, of course, cause loss of network connectivity until Forefront TMG is reinstalled and reconfigured.
Important: Before using these steps, it is recommended that you make a complete backup of the Security Server.
There are four steps to uninstalling and reinstalling TMG on EBS:
1. Backup the existing firewall settings
2. Uninstall Forefront TMG from Security Server
3. Install Forefront TMG on Security Server
4. Restore the Forefront TMG firewall configuration
Backup the existing firewall settings
To save network firewall settings to an XML file
- Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.
- Click the Security tab, and in the results pane, click Network firewall. In the tasks pane, click Save firewall settings.
![clip_image002[19]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/d7cb2defafff_12AEE/clip_image002%5B19%5D_thumb.jpg)
- In the Save as dialog box, choose a name and a location for the XML file that will contain the current configuration settings for the network firewall. Click Save to begin.
- Click Close on the "The settings were successfully saved" dialog when it appears.
Uninstall Forefront TMG from Security Server
To uninstall Forefront TMG from the server, follow these steps:
- From Control Panel open Programs and Features on the Security Server
- Highlight “Microsoft Forefront Threat Management Gateway” and click on Uninstall/Change
- The next screen gives the option to either remove or repair Forefront TMG from the server. Select the option to Remove and select next.
- Select whether you would like to retain the existing log files and cache files on the server. If you want to remove the files, do not check anything. If you wish to retain them, check both the options and select next.
- The installation wizard will proceed with the removal of TMG from the server. Uninstalling TMG from Programs and Features also removes its LDS instance (ISASTGCTRL).
- Reboot the server when prompted.
Reinstall Forefront TMG on Security Server
Forefront TMG can be reinstalled using the following steps:
- Navigate to the following location on the Security Server
- %ProgramFiles%\Windows Essential Business Server\Bin\ISA
- Double-click on ISAAutorun.exe to start TMG setup.
- On the “Microsoft Forefront TMG Setup” screen, click on “Install Forefront TMG”.
- Select “Install Forefront Threat Management Gateway” and click on next.
- Accept the defaults on the Component Selection screen and click next.
- On the Internal Network screen use these steps to configure your network settings:
- Click on Add
- In the “Addresses” window that comes up next, click on “Add Adapter”.
- Select the network adapter for your internal network and click OK, then OK again.
- Once you are back to the “Internal Network” screen, click next.
- Click Next to acknowledge the “Setup will restart these services on the server: SNMP Service, IIS Admin Service, World Wide Web Publishing Service and Microsoft Operations Manager Service” message.
- Click “Install” to begin the setup of Forefront TMG on the server.
After installation has completed and Forefront TMG console is launched for the first time, the TMG console will launch the Getting Started Wizard.
Before proceeding to restore the settings, click on “Close” at the “Getting started wizard” screen. This brings up a confirmation window, asking “Are you sure you want to close the Getting Started Wizard?” Uncheck the box against “Automatically launch the wizard the next time the Forefront TMG Management console is launched” and click Yes.
Restore the Forefront TMG Settings
To restore the settings previously backed up before uninstalling Forefront TMG, use the following steps:
1. Launch the Essential Business Server Administration Console.
2. Click the Security tab, and then click on Network firewall. In the tasks pane, click Apply Saved Settings.
3. In the Open dialog box, choose the name and the location of the XML file saved in the “Backup the existing firewall settings” section of this article. Click Open to apply the settings.
4. Once the settings have been committed, a “the network firewall settings were applied successfully” dialog will appear. Click Close to dismiss the dialog.
If you were unable to back up your most recent settings before uninstalling Forefront TMG, you can restore TMG to the settings configured during the EBS installation using these steps:
%ProgramFiles%\Windows Essential Business Server\Data
1. Launch the Windows® Essential Business Server Administration Console on the Management server
2. Click on the Security tab
3. Highlight Network Firewall and click on Restore Default Network Firewall Settings under Network Firewall Tasks.
![clip_image002[21]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/d7cb2defafff_12AEE/clip_image002%5B21%5D_thumb.jpg)
4. In the resulting dialog, click Yes to restore the default settings.
5. Click close to dismiss the “Default network firewall settings were successfully restored” dialog.
[Today's post comes to us courtesy of John Bay]
Summary
When Windows Essential Business Server installs, setup generates a self-signed certificate whose name is based on the name you specify during installation. The certificate name will always be the name you selected for your remote access URL during setup.
It may be desirable to change the name of this certificate or to replace this certificate with a certificate from a trusted authority. For instance, you may have installed EBS with a remote access URL of "remote.contoso.com" but later decide that you want to change the URL to "rww.contoso.com" or "mail.contoso.com". The other common scenario is that you may want to replace the self-signed certificate on the external interface with a public certificate, but retain the same FQDN. Both scenarios are covered in this document.
The remote access URL is used to publish the following virtual directories by default:
- Remote Web Workplace - /Remote/*
- Remote Web Workplace Robots.txt - /Remote/Robots.txt
- ActiveSync - /Microsoft-Server-ActiveSync/*
- Microsoft Exchange Outlook Anywhere and Terminal Services Gateway (RPC over HTTPS) - /rpc/*
- Microsoft Exchange Server Publishing: Outlook Web Access - /public/*, /OWA/*, /Exchweb/*, /Exchange/*
- If the SharePoint Add-in is installed, the default web listener will also publish its virtual directories
If you are replacing the certificate with a certificate from a trusted authority and already have the trusted certificate in a PFX formatted file, you can skip to step 1 in the section labeled “The following steps are accomplished on the Security server.”
More Information
The first step is to create the certificate with the desired name. This step is performed on the Management Server.
The following steps are accomplished on the Management Server.
1. On the Management Server, open Internet Information Services (IIS) Manager.
2. In IIS Manager Click on the Management server in tree in the left pane.
3. In the Features pane, double click on Server Certificates.
4. In the action pane, click Create Domain Certificate.
5. The Create Certificate wizard will appear. Fill out the certificate form with the appropriate information. When you are prompted to specify the Online Certificate Authority, click Select and choose your internal certificate authority. In the Friendly Name field, type the new name for the external certificate (for example, www.contoso.com).
![clip_image002[6]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image002%5B6%5D_thumb.jpg)
![clip_image004[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image004%5B4%5D_thumb.jpg)
![clip_image006[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image006%5B4%5D_thumb.jpg)
6. Once the wizard completes, the new certificate should be displayed in the list of certificates in IIS Manager. We need to export the certificate and import it into the store of the Security server. To export the certificate, right click on the certificate and choose export. Enter a filename and a password and choose OK to complete the export.
![clip_image008[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image008%5B4%5D_thumb.jpg)
7. The certificate should now be exported to a file on Management server. We need to copy this file to a location that is accessible by the Security server.
The following steps are accomplished on the Security Server.
1. On the Security server, we need to open the certificate store for the local computer and import the certificate that we exported from the Management server. Run mmc.exe and select “File” then “Add/Remove Snap-in.”
![clip_image010[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image010%5B4%5D_thumb.jpg)
2. Choose certificates and click add. When prompted, choose computer account.
![clip_image012[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image012%5B4%5D_thumb.jpg)
![clip_image014[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image014%5B4%5D_thumb.jpg)
3. Choose OK to return to the MMC.
4. Double click Certificates and Personal and then Certificates.
5. Right click on Certificates and choose All Tasks/Import
![clip_image016[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image016%5B4%5D_thumb.jpg)
6. Browse to the file that you exported in Step 7 above or the PFX file that contains your public certificate.
![clip_image018[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image018%5B4%5D_thumb.jpg)
7. Enter in the password for the file when prompted and finish out the wizard leaving all the settings as default.
![clip_image020[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image020%5B4%5D_thumb.jpg)
![clip_image022[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image022%5B4%5D_thumb.jpg)
![clip_image024[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image024%5B4%5D_thumb.jpg)
8. At this point, the certificate is imported into the store on the Security server. Now we have to assign the certificate to the Web Listener in Forefront TMG. We need to open the Forefront TMG Management console.
9. Go to Firewall Policy and click on the Toolbox.
10. In the Toolbox go to Network Objects and expand Web Listeners.
![clip_image026[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image026%5B4%5D_thumb.jpg)
11. Open the properties of the External Web Listener.
12. Go to the certificates tab
13. Choose select and pick the desired certificate.
![clip_image028[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image028%5B4%5D_thumb.jpg)
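Steps 1 through 7 above can also be done from an elevated PowerShell prompt on the Security server. This is an added example, not code from the original post; it uses only .NET classes present on Windows Server 2008, and the PFX path, password prompt and public name are assumed sample values. It also runs the checks you want to pass before picking the certificate on the Certificates tab (private key present, name matches, not expired, issuer trusted).

```powershell
# Added example, not code from the original post: import the PFX exported from
# the Management server into the Security server's LocalMachine\Personal store
# (steps 1-7 above), then check the certificate before binding it to the
# External Web Listener. Path and public name below are assumed sample values.
param(
    [string]$PfxPath    = 'C:\Temp\rww-contoso-com.pfx',  # assumed: copied PFX file
    [string]$PublicName = 'rww.contoso.com'               # assumed: new remote access URL
)
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# MachineKeySet + PersistKeySet: the private key goes into the machine key store
# and stays there after this object is gone (otherwise TMG sees a cert with no key).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $pfxPassword, $flags

# LocalMachine\My is the "Personal" folder shown in the MMC Certificates snap-in
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
             -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Checks before selecting the certificate on the External Web Listener
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk  = ($dnsName -eq $PublicName) -or ($sanText -match [regex]::Escape($PublicName))

$results = @{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey          # must be True for an SSL listener
    NameMatches   = $nameOk                      # CN or SAN covers the public name
    NotExpired    = ($cert.NotAfter -gt (Get-Date))
    ChainTrusted  = $cert.Verify()               # issuing CA trusted on this server
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if (@($results.Values) -contains $false) {
    Write-Warning 'Certificate is not usable for the External Web Listener as imported.'
}
```

If NameMatches is False, clients will get a certificate name mismatch even though TMG accepts the binding, so fix the certificate before changing the public names in the next section.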
Once the certificate is installed, you should also change the public name on the web publishing rules to match the name of the public certificate.
1. Open the Forefront Threat Management Gateway console.
2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Public Name tab.
5. Under Web sites and IP addresses, click your present remote name (for example, remote.contoso.com) and then click Edit.
![clip_image030[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image030%5B4%5D_thumb.jpg)
6. In the Public Name dialog box, type a new public domain name and then click OK twice.
7. To save changes and update the configuration, in the results pane, click Apply.
The same change must be made on the following web publishing rules:
- Microsoft Exchange Server Publishing: Outlook Web Access
- Microsoft Exchange Outlook Anywhere and Terminal Services Gateway publishing Rule (RPC over HTTPS)
- Microsoft Exchange Active Sync Web Publishing Rule
- Server publishing rule to redirect to Remote Web Workplace
- Remote Web Workplace Robots.txt Publishing Rule
Once the proper certificate is installed on the Security Server, edit the MMS Configuration store in Active Directory to match the new certificate name.
1. On the Management Server, run adsiedit.msc
2. Right click on ADSI Edit in the left side of the console and choose Connect To.
3. Select a well known Naming Context and choose Configuration.
4. Double click Configuration
5. Double click CN=Configuration,DC=<localdomain> where “<localdomain>” is the entry for your EBS domain name.
6. Double-click Services
7. Double-click CN=MMSCONFIGURATION
8. Right-click on the object CN=ISASetupTask and choose properties
![clip_image032[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image032%5B4%5D_thumb.jpg)
9. Double-click the keywords attribute
10. Highlight the value RemoteAccessURL and choose Remove. Note: This will place the value in the editor. Do not exit or close the dialog at this point.
11. Edit the value for RemoteAccessURL to make it the new public name and click Add.
![clip_image034[4]](http://blogs.technet.com/blogfiles/essentialbusinessserver/WindowsLiveWriter/HowToChangethePublicCertificateusedbyWin_B27/clip_image034%5B4%5D_thumb.jpg)
12. Click OK to exit the Multi-valued String Editor.
13. Choose OK and close out the MMC
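The same Remove/Add edit of the keywords attribute can be scripted on the Management Server. This is an added example, not code from the original post; it assumes the keyword is stored as RemoteAccessURL=<fqdn> (the post does not show the raw value), prints the current values so you can confirm that, and only writes when run with -Commit.

```powershell
# Added example, not code from the original post: ADSI Edit steps 1-13 above done
# with the [ADSI] accelerator on the Management server. Assumption: the keywords
# attribute holds the remote access name as 'RemoteAccessURL=<fqdn>'. The script
# prints the current values and stops if that format is not what it finds.
param(
    [string]$NewPublicName = 'rww.contoso.com',   # assumed new public name
    [switch]$Commit                               # without -Commit, report only
)
# Same path as CN=Configuration,DC=<localdomain> > Services > MMSCONFIGURATION > ISASetupTask
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$task     = [ADSI]"LDAP://CN=ISASetupTask,CN=MMSCONFIGURATION,CN=Services,$configNc"

$keywords = @($task.GetEx('keywords'))            # GetEx always returns an array
$keywords | ForEach-Object { Write-Host "keywords: $_" }

$old = @($keywords | Where-Object { $_ -like 'RemoteAccessURL=*' })
if ($old.Count -ne 1) {
    throw "Expected exactly one 'RemoteAccessURL=' keyword, found $($old.Count); check the format above."
}
$prefix = $old[0].Split('=')[0]                   # keep the key text already in use
$new    = "$prefix=$NewPublicName"
Write-Host "Would replace '$($old[0])' with '$new'"

if ($Commit) {
    # Same two operations the Multi-valued String Editor performs: Remove, then Add.
    # IADs::PutEx control codes: 4 = ADS_PROPERTY_DELETE, 3 = ADS_PROPERTY_APPEND.
    $task.PutEx(4, 'keywords', @($old[0]))
    $task.PutEx(3, 'keywords', @($new))
    $task.SetInfo()
    @($task.GetEx('keywords')) | ForEach-Object { Write-Host "keywords now: $_" }
}
```

Run it once without -Commit and compare the printed values with what ADSI Edit shows before committing.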
Note: There is also a certificate installed in Exchange on the Security Server to enable secure SMTP communication (issued by the CA on Management Server). These steps do not update that certificate. Under normal circumstances, there is no need to modify the internal certificate.