How-to-guide: Basic configuration Exchange 2010 SP1
Posted 06 January 2011 - 12:29 PM
Please note that this guide is designed to get you up and running in a LAB Environment as quickly as possible.
This guide is provided as is without any guarantee, if you find any errors please report them in the forums.
The purpose with this how-to-guide is to give those administrators around the world an insight in how to configure a default/basic installation to work with basic functionality.
Let's get started…
In the previous post I successfully installed Exchange 2010 so let's take it from there.
Here are a couple of things that we need to know from the beginning..
o Using own certificate server (CA) or buying from 3rd part?
o Using single name certificate or going with SAN/UC certificate?
· Mail flow?
o Is there any existing mail server or gateway?
· DNS settings
o MX records?
· Firewall rules
o Who handles the firewall? What rules need to be configured?
· Send/Receive connectors
· Email address policy
All those points above needs to be investigated before starting the configuration of Exchange.
The mail flow and firewall rules hangs together, if you don't handle the firewall yourself, be a nice friend to the firewall guy/girl!
That's where we should start, investigate if there are any existing rules for incoming SMTP (port 25) traffic allowed and if there are, where do they go?
Let's say they goes to an existing Exchange 2003 server, also investigate if there are any other rules pointing to this server.
Most commonly there would be a firewall rule for HTTPS (port 443) to this server as well, this is used for Outlook Web App (OWA), ActiveSync (EAS) and Outlook Anywhere (OA).
So let's say those two rules are allowed and pointing to the "legacy" Exchange 2003 server.
There is no need to change anything right now, one consideration is that the best would be if we can use a new public IP address for the new server so they can both be published.
Or else the users won't be able to use OWA, EAS and OA.
But if there aren't so many users and not so much mail data to be migrated, I would recommend doing this over a weekend with a "big-bang" and then switch the server to the new one.
Then you won't need an extra public IP address or those other coexistence configurations.<br style=""> <br style="">
With this consideration we need to check if there are any existing certificates on the Exchange 2003 server and if that can be used on our new server.
This is done by starting a MMC console, selecting certificates and choosing computer (local), go to personal and check if there are any.
The picture below shows the certificate that's installed.
Also check if IIS is using this certificate, it's done in the IIS manager (mmc console). Right click Default Web Site and select the tab "Directory Security".
If there is any certificate it should be located under "Secure communications" and the "View certificate…" should be available to click on.
In my example below it shows the certificate that's installed.
Let's export this certificate so it can be used on Exchange 2010 server.
This is done by viewing the certificate and selecting the tab "Details" and pressing "Copy to file…".
Select "Yes, export the private key". Press Next.
Select the option "Include all certificate in the certification path if possible". Press Next.
Set a password for the certificate file. Press Next.
Check the path. Press Next.
The certificate is now exported, this should be copied to the new Exchange 2010 server.
When the certificate is copied to the Exchange server, start up the Exchange Management Console.
Go to server configuration and right click the Exchange server and select "Import Exchange certificate".
Press the browse button and select the certificate file and type in the password for it. Press Next.
Make sure that the Exchange server is selected. Press Next.
Right click the imported certificate, click "Assign services to certificate".
Make sure that the Exchange server is selected. Press Next.
I will use this certificate for the following services: SMTP and IIS. Make your selection and press Next.
Press "Yes to all".
So let's say that the migration will be done over a weekend since we have about 100 users and 50 GB mail data.
The migration is going to be started at Friday at 17.00 when the office(s) have been closed and the end-users have gone home over the weekend.
If this is a migration there is certainly an already configured MX record that points to the firewall.
But if there aren't anyone created, this needs to be done for the SMTP domains that we should be able to use.
We need to have an A record pointing to the external IP address, let's say my external IP in this case (what the picture shows) is: 172.16.2.12.
Then an MX record should be created and pointing to that A record.
In a Windows DNS it's done like this.
Right click the appropriate DNS zone and choose "New Mail Exchanger (MX)".
Browse to the record pointing to the external IP address and set a priority to the MX record.
If we only have one record it doesn't matter, I will set it to 10.
It looks like this when it's completed.
Let's continue to configuring the firewall rules for allowing incoming SMTP traffic to the Exchange server.
In my environment I'm using a Threat Management Gateway (TMG) server for taking care of the traffic.
Start up the Forefront TMG Management.
Give it a friendly name. Press Next.
Select "Server-to-Server communication". Press Next.
Mark SMTP. Press Next.
Type in the IP address of the mailserver. Press Next.
Check the box for External. Press Next.
This could also be achieved by using the new feature in TMG called E-mail policy.
A firewall rule for outgoing SMTP traffic needs to be added.
Select "Create Access Rule" in the action panel and give the rule a friendly name.
Make sure the rule is "Allow". Press Next.
Select the SMTP protocol, make sure it's the SMTP and not SMTP Server. Press Next.
Create a computer object and select this one. Press Next.
Select External as the destination. Press Next.
Make sure "All Users" is selected. Press Next.
Don't forget to Apply the rules, or else they won't take action.
Another thing that needs to be configured is the Receive and Send Connectors.
The receive connector is used to receive mails and the send connector is to send mails, that's pretty obvious.
Receive connectors is found in EMC under Server configuration, Hub transport. There is "Client WNEX01" and "Default WNEX01".
The default one can either be used or we can create a new one, it's pretty up to you.
A recommendation if the server is published like this way, I would create a new receives connector so the correct name is included.
The receive name should match the send connectors name.
Let's start and create a new receive connector.
Make sure the IP address is selected and type in the appropriate FQDN name for the connector.
It's time for the send connector to be created so we can be able to send mails.
Go to Organization configuration, Hub transport and select the tab Send Connector.
Select New Send Connector and type in a friendly name and select Internet as usage.
In the address space, make sure the address is * so you will be able to send mails to all domains using this connector.
Next thing to choose between is the use for how the mails should be sent.
Using DNS or Smarthost, in most cases the smarthost is used, if the customer have a SMTP Gateway/Spam solution etc.
Or if the mails needs to be sent through the ISP, if not the DNS method can be used.
Make sure that your firewall has a rule for that, or else it won't work.
Make sure the server is selected as a source server (HUB)
Email address policy
To could be very helpful to have in place, it's configured under Organization configuration and Hub transport, select the tab for Email address policy.
Choose Edit on the default policy. Press Next.
Press the Add button and select how the addresses should be created, I've selected email@example.com.
It will look like this
Since in a Swede, we have some characters that are not so nice to have in an email address. We want to filter them out.
Just press the address you want to edit or mark it and press F2. In my case it will look like this:
And I'm setting this as the reply (primary) address as well. Press Next.
Apply the policy immediately. Press Next.
Maybe there are some more additional steps that might be interesting for you to read about.
Just send a comment or a post :-)
Thanks for reading and I hope it did gave you some good information.
- yellowflowers likes this
Microsoft Community Contributor Award 2011/2012 - MCITP Exchange 2010
My linkedin profile at > http://se.linkedin.c...sson/10/b4a/225
Follow me on Twitter > @jonand82
Follow windowsnoob.com on Twitter > @windowsnoob
Check my blog at > http://www.testlabs.se/blog
3 user(s) are reading this topic
0 members, 2 guests, 0 anonymous users