Michael,
Hold off on wasting your time with the pings for now. I have some 
inconsistencies I need to validate first.
However, I am seeing posts about using an internal CA with e2k7+ just not 
giving good results?
Have you found this to be the case as well?

Thanks!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Wednesday, April 29, 2009 7:29 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Are you talking about the ValidPorts registry key? Don't touch it! :-P Exchange 
autoconfs that in both 2007 and 2010.

I'll look into your rpcping results later today...

________________________________________
From: Joseph L. Casale [jcas...@activenetwerx.com]
Sent: Tuesday, April 28, 2009 12:47 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well in 2003 Server and E2k3, you must specify name and ports for the DC/GC?
Also, here are some interesting tidbits done from outside the LAN on a wkst
with the 2k3 res kit:

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P 
"user,dom,pass" -I "user,dom,pass" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3

RPCPinging proxy server internal.fqdn.local with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P 
"user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Completed 1 calls in 594 ms
1 T/S or 594.000 ms/T

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P 
"user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6002
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Completed 1 calls in 203 ms
4 T/S or 203.000 ms/T

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P 
"user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6004
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3

Exception 1722 (0x000006BA)

So it looks like I have two problems, the 1722 suggests reg entries (IPv6 is 
disabled)? This is Exchange 2007/10 (two identical labs built to test) so I 
don't mangle ports AFAIK? The 401 up top has me baffled!

Thanks so much!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Tuesday, April 28, 2009 10:04 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

I don't understand your question "no mention of the DC and applicable ports"???

If you specify auth types on the vdirs, you will almost certainly break 
something. Don't do it.

________________________________________
From: Joseph L. Casale [jcas...@activenetwerx.com]
Sent: Monday, April 27, 2009 5:59 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Appreciate all of that. Well, I am at a loss. I have been troubleshooting this
now on my own setup inside an ESX server, and even rolled out a new DC and
Exchange server using 2010 and same behavior. Obviously I am missing 
something...
In the registry, there is no mention of the DC and applicable ports? Is
this not something needed in '07/10? Also, is there ever a need to manually
specify auth types on the IIS virtual dirs?

Thanks Michael!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Monday, April 27, 2009 3:03 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well, they do very different things. :-)

The -IncludeAcceptedDomains parameter is a switch. If it is set to true (or 
just specified without a ":$false"), then all of the Accepted Domains in the 
organization are included in the certificate request (if -GenerateRequest is 
set to true). I don't think that I have ever used the -IncludeAcceptedDomains 
switch.

The -DomainName parameter is a list of domains that you want to be represented 
as subject alternative names (SANs) within the certificate. The list of domains 
in the -DomainName parameter and the contents resulting from the 
-IncludeAcceptedDomains parameter are merged to come up with a full list of the 
domains that will be in the SAN list of the certificate request.

Finally, the -SubjectName parameter identifies the organization who is 
requesting the certificate (think of it as the "subject company for the cert"). 
The organization and country should absolutely be correct.

So, a typical certificate request, for a single server environment, where the 
server is named SERVER1 and the AD domain is named ESSENTIAL.LOCAL and the 
email domain is TheEssentialExchange.com:

new-ExchangeCertificate -GenerateRequest -Path C:\Temp\Cert-request.txt 
-Subject "c=US, O=The Essential Exchange, CN=mail.TheEssentialExchange.com" 
-domainName Essential.Local, Server1, Server1.Essential.Local, 
mail.TheEssentialExchange.com, autodiscover.TheEssentialExchange.com 
-FriendlyName "Cert for mail.TheEssentialExchange.com" 
-privateKeyExportable:$true
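As an added example (not from the thread or from Michael), the following Exchange Management Shell script does by hand what the merge of -DomainName and -IncludeAcceptedDomains described above produces, then checks the issued certificate's SAN list against that set before enabling it for IIS. It assumes the Exchange 2007 form of New-ExchangeCertificate (where -GenerateRequest takes -Path), the lab names from the message above, and that Get-AcceptedDomain returns wildcard entries as "*.domain" when subdomains are included.

```powershell
# Added example, not the thread's own command. Assumes Exchange 2007 EMS:
# in 2010, -GenerateRequest returns the request text, so write it with Set-Content.
$explicitNames = @(
    'Essential.Local', 'Server1', 'Server1.Essential.Local',
    'mail.TheEssentialExchange.com', 'autodiscover.TheEssentialExchange.com'
)

# Same effect as -IncludeAcceptedDomains: every accepted domain in the org,
# merged with the explicit list and deduplicated (SAN matching is case-insensitive).
$acceptedNames = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

# Assumption: accepted domains with IncludeSubDomains render as "*.domain".
# Drop those unless a wildcard SAN is really wanted on a public cert.
$sanList = ($explicitNames + $acceptedNames) |
    Where-Object { -not $_.StartsWith('*') } |
    Sort-Object -Unique

$friendly = 'Cert for mail.TheEssentialExchange.com'
New-ExchangeCertificate -GenerateRequest -Path 'C:\Temp\Cert-request.txt' `
    -SubjectName 'c=US, O=The Essential Exchange, CN=mail.TheEssentialExchange.com' `
    -DomainName $sanList `
    -FriendlyName $friendly `
    -PrivateKeyExportable:$true

# --- run this part after the CA-signed cert has been imported ---
# Verify the SAN list actually covers every name clients will use (Outlook
# Anywhere, Autodiscover, internal URLs) before binding it to IIS/SMTP.
$cert = Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq $friendly }
if (-not $cert) { throw "No imported certificate with friendly name '$friendly'" }

$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing   = $sanList | Where-Object { $certNames -notcontains $_.ToLower() }

if ($missing) {
    Write-Warning ("Certificate lacks SAN entries: " + ($missing -join ', '))
} else {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
}
```

If the CA silently strips SAN entries it does not trust (a common reason an internal-CA cert "works" for OWA but not for Outlook Anywhere or Autodiscover), the missing-names check above is where that shows up.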

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~             http://www.sunbeltsoftware.com/Ninja                ~
