Web browsers will return an error such as:

The security certificate issued by this website was not issued by a trusted certificate authority

On inspection of the certificate being issued by the website you may see this error:

The issuer of this certificate could not be found

This can be confusing for people who assume that any certificate issued by a commercial CA such as Thawte will be trusted by devices and web browsers that people are connecting from, especially when it occurs after renewing an existing Thawte SSL certificate.

Thawte has published the reason for this:

On June 27 2010, in the interest of better security, thawte signed all certificates with a primary and secondary intermediate that need to be installed along with the SSL certificate. Any certificate issued on or after this date requires the primary and secondary intermediate to be installed.

The new certificates are issued by an intermediate CA known as “Thawte SSL CA”.  This CA is not automatically trusted by most web browsers.  Thawte provides instructions for installing the correct certificates on the web server or ISA Server that is publishing the website.

Take note of the final steps, the change may not take effect until IIS or ISA Server are restarted.

If your site still have the chaining error, restart the IIS service. If the problem continues, the whole server needs a reboot to use the new roots.

Related posts:

• Exchange Server 2010 and the Benefits of Commercial SSL Certificates
• How to Issue a SAN Certificate to Exchange Server 2010 from a Private Certificate Authority
• Exchange Server 2010 “The Certificate is Invalid for Exchange Server Usage” Error
• How to Assign an SSL Certificate to Exchange Server 2010 Services
• Exchange 2010 Certificate Revocation Checks and Proxy Settings

This article SSL Certificate Trust Errors for New Thawte Certificates is © 2010 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Remember to configure the Hub Transport server to accept inbound internet email first.

Open the ISA Server Management console and navigate to <ISA server name>/Firewall Policy.

Click on Publish Mail Servers in the Tasks pane on the right side of the ISA Server Management Console.

Give the rule a meaningful name such as “Permit Inbound SMTP” and click Next to continue.

Choose Server-to-server Communication and click Next to continue.

Tick the box for SMTP and click Next to continue.

Enter the IP address of the Exchange Server 2007 server.  Click Next to continue.

Select the External network to listen for requests.  Click Next to continue.

Click Finish to close the publishing rule wizard.

Apply the ISA rule changes.

Related posts:

• Configuring the Exchange Server 2007 Hub Transport Server
• Route outbound email through the Exchange Server 2007 Hub Transport server
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• How to Share an Email Domain Between Two Mail Systems
• Block Users Sending to Specific Domains with Exchange Server 2007

This article Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006 is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Open the ISA Server Management console and navigate to <ISA server name>/Firewall Policy.

Click on Publish Exchange Web Client Access in the Tasks pane on the right side of the ISA Server Management Console.

Enter a meaningful name for the new publishing rule such as “Exchange Remote Access”.  Click Next to continue.

Select the Exchange version Exchange Server 2007 and tick the Outlook Web Access box.  Click Next to continue.

Choose Publish a single Web site or load balancer.  Click Next to continue.

Choose Use SSL to connect to the published Web server or server farm as this is the most secure option.  Click Next to continue.

Enter the FQDN of the Client Access Server.  If for any reason your ISA Server is not able to resolve this name you should also tick the box and enter a name or IP that ISA can use to connect to the server.  Click Next to continue.

Enter the Public Name of the server.  This should match the name on the SSL certificate you imported on the Exchange and ISA servers, the External URL setting on the OWA virtual directory for the Exchange Client Access Server configuration, and the external DNS name that your clients use to connect to Exchange remote access.  Click Next to continue.

Click New to create a new web listener for Exchange Remote Access.

Give the listener a meaningful name such as “ExchangeSSL”.  Click Next to continue.

Choose Require SSL secured connections with clients.  Click Next to continue.

Select the External network to listen for incoming web requests.  If you have more than one external IP address you must click Select IP Addresses and specify which IP address bound to the External network to listen on.  Click Next to continue.

Click Select Certificate and choose the SSL certificate you imported on the ISA Server firewall.  Click Select and then click Next to continue.

Leave the authentication settings set to HTML Form Authentication with Windows (Active Directory).  Click Next to continue.

Clear the Enable SSO check box.  Click Next to continue.

Click Finish to complete the New Web Listener wizard.  Select the web listener you have just created and click Next to continue.

Choose Basic Authentication for authentication delegation.  Click Next to continue.

Note: Delegation using Basic authentication allows a single SSL certificate, public IP address, and ISA publishing rule to be used for all Exchange remote access methods (eg Outlook Web Access and Outlook Anywhere).  In environments with multiple public IP addresses and a requirement to delegate Outlook Anywhere authentication using Kerberos/NTLM then Negotiate(Kerberos/NTLM) would be chosen.

Leave the users set to Authenticated Users.  Click Next to continue.

Click Finish to complete the Publishing Rule wizard.

Right click the newly created rule and choose Properties.

Navigate to the Paths tab.  Click the Add button to add more paths to the publishing rule for ActiveSync, AutoDiscover, and Outlook Anywhere.

Note: If you are planning to publish these services on separate IP addresses and SSL certificates you would not perform these steps.

Add the following paths:

• /rpc/*
• /Microsoft-Server-ActiveSync/*
• /AutoDiscover/*

Click OK when you have added each of the paths to the rule.

Apply the ISA rule changes.

Related posts:

• Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006
• Configuring the Exchange Server 2007 Hub Transport Server
• Configuring the Exchange Server 2007 Client Access Server
• SSL Certificate Trust Errors for New Thawte Certificates
• Exchange Remote Connectivity Analyzer Updated

This article Publish Exchange Server 2007 OWA Using ISA Server 2006 is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Configure the Receive Connector

To allow the Exchange server to accept incoming email from the internet the default Receive Connector must be modified.  Navigate to Server Configuration/Hub Transport.  Open the properties of the default Receive Connector.

Select the Permission Groups tab and enable the Anonymous Users group.  Click OK when complete.

Configure the Send Connector

Navigate to Organization Configuration/Hub Transport.  In the Actions pane to the right of the Exchange Management Console click New Send Connector.

Enter a meaningful name such as Internet Email and set the intended use to Internet.

Click Next to continue.

Click the Add button and add an SMTP address space of * to route all mail to external domains over this Send Connector.

Click OK and then Next to continue.

If you route your outgoing mail via an ISP smart host or email security service choose that option and enter the IP address or DNS name of the smart host.  You can add more than one smart host if necessary.  Otherwise leave it configured to use DNS to route mail directly to the destination.

Click Next to continue.  The Hub Transport server is automatically included as a source server for the Send Connector.  Click Next to continue, then New to create the Send Connector with the chosen settings.  When the Send Connector has been created successfully click Finish.

Allow the Exchange Server 2007 server to send email to the internet

Add a rule on your network’s firewall to permit the Exchange Server 2007 server to send traffic to the internet on TCP port 25.  On an ISA Server 2006 firewall the process is as follows.

Open the ISA Server Management console and navigate to <ISA server name>/Firewall Policy.

Click on Create Access Rule in the Tasks pane on the right side of the ISA Server Management Console.

Give the new Access Rule a meaningful name such as “Permit Outbound SMTP”.  Click Next to continue.

Set the Rule Action to Allow.  Click Next to continue.

Leave the Protocols set to “Selected protocols”.  Click the Add button and choose SMTP from the Common Protocols list.  Click Add again to add SMTP to the list of permitted protocols for this Access Rule.

Click Close to close the Add Protocols selection dialog, then click Next to continue.

For the Access Rule Sources click the Add button and then click New -> Computer.

Enter the name and IP address of the Exchange Server 2007 server then click OK.

In the Add Network Entities dialog navigate to Computers and select the computer object you just created.  Click Add to add it to the new Access Rule, then click Close.

Now that the Exchange server is showing in the list of Access Rule Sources click Next to continue.

In the Access Rule Destinations dialog click Add, navigate to Networks select External then click Add and Close.  Click Next to continue.

Leave the User Sets configured to All Users.  Click Next to continue, then click Finish to close the New Access Rule Wizard.

Apply the ISA rule changes.

Related posts:

• Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006
• How to Share an Email Domain Between Two Mail Systems
• Route outbound email through the Exchange Server 2007 Hub Transport server
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• How to Configure a Relay Connector for Exchange Server 2010

This article Configuring the Exchange Server 2007 Hub Transport Server is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

This week SonicWALL’s license servers suffered a glitch rendering thousands of customer units useless and leaving the customers’ networks open to attack.  The affected devices included firewall and email security appliances.

Security appliances are popular for no good reason at all.  The decision maker in many organisations falls for marketing hype that a “hardware firewall” is better than the alternative, ignoring the obvious fact that the appliance is ultimately no different to any other firewall that consists of a piece of hardware running secure OS and firewall features.

When purchasing a firewall or security product the decision should not be based on perception but rather fact.  I’m sure no SonicWALL customer ever imagined that the company could make an error on their license servers that would comprimise their security in such a manner.  Its worth noting that once your Microsoft ISA Server firewall is up and running it can never become “unlicensed” by an error at Microsoft.

Related posts:

• Tom Shinder on “hardware” firewalls
• SSL Certificate Trust Errors for New Thawte Certificates
• How to Configure a Relay Connector for Exchange Server 2010
• Causes of MapiExceptionNotAuthorized Error Sending to Public Folders
• Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006

This article Well-designed security systems fail gracefully, SonicWALL does not is © 2008 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

For my ISA Server deployments I like to take it a step further and use a little ASP code to generate some nicer looking tables that are a more visually appealing than the IIS directory browsing view.  Just follow the instructions from ISAServer.org, and then drop the ASP file into the same web folder on the IIS server.  You may also need to enable the Active Server Pages web extension for the IIS server.

The report page will look something like this.

Download the ISA Reports ASP Code

Related posts:

• SSL Certificate Trust Errors for New Thawte Certificates
• Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Configuring the Exchange Server 2007 Hub Transport Server
• Well-designed security systems fail gracefully, SonicWALL does not

This article Creating an ISA Reports Web Server is © 2007 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

Cisco Pix

OpenBSD

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

Related posts:

• Well-designed security systems fail gracefully, SonicWALL does not
• Microsoft Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
• Security hole found in OpenBSD
• SSL Certificate Trust Errors for New Thawte Certificates
• How to Configure a Relay Connector for Exchange Server 2010

This article Tom Shinder on “hardware” firewalls is © 2007 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com