Wednesday, May 14, 2014

Firewall Configuration Palo Alto Exchange 2010 / 2013

1. Create an external DNS A record for the Outlook Web Access name (for example mail.yourdomain.com) with your ISP or public DNS provider, pointing at the public IP you are going to translate.

2. Create a destination NAT rule on the Palo Alto that translates that external IP to the internal IP of the Hub/CAS server.

3. Configure the security policy (allow) rules for the published services. On a Palo Alto the rule for inbound NAT traffic is written with the original (pre-NAT) destination address but the post-NAT destination zone, so match on the public IP while selecting the internal zone as the destination. Allow only the services you are actually publishing (HTTPS for OWA, ActiveSync and Outlook Anywhere; SMTP only if this server receives Internet mail directly) rather than "any" to the translated address.

4. Verify OWA is accessible externally. Test from outside the perimeter (a mobile connection or a host on the Internet), because the NAT rule only applies to traffic arriving on the untrust interface, so a test from the LAN proves nothing.
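The check for step 4, written here as an added example rather than code from the original post. It tests the three things the procedure sets up, in order: the public A record, the NAT plus security policy (a TCP 443 connection has to get through), and the OWA virtual directory answering on the CAS. mail.example.com and 203.0.113.10 are placeholders for the OWA FQDN and the external NAT address; run it from a machine outside the firewall.

```powershell
# Added example (not part of the original post): checks the published OWA name end to end.
# Placeholders to replace: mail.example.com (the OWA FQDN) and 203.0.113.10 (the external NAT IP).
$OwaFqdn    = 'mail.example.com'
$ExpectedIp = '203.0.113.10'

function Test-OwaPublished {
    param([string]$Fqdn, [string]$ExpectedIp)
    $result = @{}

    # 1. Step 1 of the procedure: the public A record must point at the address the NAT rule translates
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.ToString() }
        $result.ResolvedTo = ($resolved -join ', ')
        $result.DnsOk      = ($resolved -contains $ExpectedIp)
    } catch {
        $result.DnsOk = $false; $result.ResolvedTo = $_.Exception.Message
    }

    # 2. Steps 2 and 3: a TCP 443 connection must pass the NAT rule and the security policy,
    #    and IIS on the CAS must answer for /owa. Redirects are not followed, so the first
    #    response (normally a 302 to the forms-based logon page) is what gets recorded.
    try {
        $req = [System.Net.HttpWebRequest]::Create("https://$Fqdn/owa/")
        $req.AllowAutoRedirect = $false
        $req.Timeout           = 10000    # a silently dropped connection fails here instead of hanging
        $resp = $req.GetResponse()
        $result.HttpStatus  = [int]$resp.StatusCode
        $result.Location    = $resp.Headers['Location']
        $result.CertSubject = $req.ServicePoint.Certificate.Subject
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # 401/403/404 still prove the path through the firewall; only a timeout or reset does not
            $result.HttpStatus = [int]$_.Exception.Response.StatusCode
        } else {
            # Status TrustFailure here means the CAS presents a certificate the client does not
            # trust, which an externally published OWA should never do
            $result.HttpStatus = 0
            $result.Error      = "$($_.Exception.Status): $($_.Exception.Message)"
        }
    }

    $result.OwaReachable = ($result.HttpStatus -in 200, 301, 302, 401)
    return $result
}

$r = Test-OwaPublished -Fqdn $OwaFqdn -ExpectedIp $ExpectedIp
$r.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if (-not ($r.DnsOk -and $r.OwaReachable)) {
    Write-Warning 'OWA is not correctly published; check DNS, then the NAT rule, then the security policy'
}
```

If DnsOk is false the public record is wrong and nothing else is worth testing; if DNS is right but HttpStatus is 0 with a timeout, the NAT rule or the security policy is dropping the connection; a 302 to /owa/auth/logon.aspx or a 200 means the whole path works.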

Extend Active Directory Schema using a custom Ldf file

1. Open the .ldf file in Notepad (or paste its contents into a new Notepad file).

2. Find and replace the placeholder DC=X with the distinguished name of your domain, for example DC=domain,DC=com (no space after the comma). ldifde can do this substitution for you with the -c switch, so you can skip the edit and run ldifde -i -f ldiffilename.ldf -c "DC=X" "DC=domain,DC=com" instead.

3. Log into the Schema Master domain controller as a member of Schema Admins and run ldifde -i -f ldiffilename.ldf -v -j C:\Temp (schema writes are only accepted by the Schema Master; -j puts ldif.log and ldif.err in C:\Temp, which is where to look when an entry is rejected). A schema extension cannot be removed once imported, so test the file in a lab forest first.

4. Verify the schema extension using ADSIedit.msc: connect to the Schema naming context and check that the new attribute or class objects exist. The new attributes can only be set on objects once the schema cache has reloaded, which happens automatically after a few minutes or immediately if you write schemaUpdateNow=1 to RootDSE.
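The four steps above as one script, added here as an example (it is not from the original post). It reads the domain DN and the Schema Master from AD instead of typing them, refuses to run without a Schema Admins token, does the DC=X substitution, imports against the Schema Master, and verifies the result in the Schema naming context. C:\Temp\schema.ldf and the object name contoso-Example are placeholders; it needs the ActiveDirectory module (Server 2008 R2 or later).

```powershell
# Added example (not part of the original post): the schema extension procedure as one script,
# run on a domain controller. Placeholders: C:\Temp\schema.ldf is the template, contoso-Example is
# the cn of an attribute or class the template creates (change to whatever your .ldf adds).
$LdfTemplate = 'C:\Temp\schema.ldf'
$LdfPrepared = 'C:\Temp\schema.prepared.ldf'
$LogDir      = 'C:\Temp'
$NewObjectCn = 'contoso-Example'

Import-Module ActiveDirectory
$domainDn   = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=com, read from AD instead of typed
$schemaNc   = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=domain,DC=com
$schemaFsmo = (Get-ADForest).SchemaMaster           # the only DC that accepts schema writes

# Guard rail: schema changes are permanent and need a Schema Admins token (membership is read at logon)
if (-not ((& whoami /groups) -match 'Schema Admins')) { throw 'Log on as a member of Schema Admins first.' }

# Step 2: replace the DC=X placeholder. \b stops DC=X from matching something like DC=Xyz;
# -replace is case-insensitive, as Notepad's Replace is by default. ldifde reads ANSI/ASCII files.
(Get-Content -Path $LdfTemplate) -replace 'DC=X\b', $domainDn | Set-Content -Path $LdfPrepared -Encoding ASCII
if (Select-String -Path $LdfPrepared -Pattern 'DC=X\b' -Quiet) { throw 'Placeholder still present after replacement' }

# Step 3: import. -s targets the Schema Master explicitly so the write is not refused on another DC;
# -j writes ldif.log and ldif.err to $LogDir, which is where rejected entries are explained.
& ldifde -i -f $LdfPrepared -s $schemaFsmo -v -j $LogDir
if ($LASTEXITCODE -ne 0) { throw "ldifde exited with $LASTEXITCODE; see $LogDir\ldif.err" }

# Step 4: verify in the Schema naming context, the same container ADSIedit.msc shows under "Schema"
$obj = Get-ADObject -Server $schemaFsmo -SearchBase $schemaNc -LDAPFilter "(cn=$NewObjectCn)" `
                    -Properties lDAPDisplayName, attributeID, isSingleValued
if ($obj) { $obj | Format-List Name, ObjectClass, lDAPDisplayName, attributeID, isSingleValued }
else      { Write-Warning "$NewObjectCn not found in $schemaNc; check $LogDir\ldif.err" }

# Reload the schema cache now so the new attribute is usable without waiting for the timer
$rootDse = [ADSI]"LDAP://$schemaFsmo/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()
```

The Select-String check matters more than it looks: an .ldf with a leftover DC=X imports with a referral error on every entry, and ldifde's -v output makes that hard to spot among the successful ones.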
Demote a 2003 Domain Controller in a 2012 DC Environment
Log into the 2012 domain controller. In Server Manager go to Tools > Active Directory Sites and Services, expand Sites > your site > Servers > the 2012 DC, right-click its NTDS Settings object and click Properties. Verify that Global Catalog is ticked; if it is not, tick it and wait for the GC to finish building before moving on, otherwise the domain is left without a Global Catalog when the 2003 server is demoted.



Open PowerShell and run the following commands:

Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 0,1,2,3,4

This moves all five FSMO roles to the 2012 DC ("Target-DC" is its name). The numbers stand for PDCEmulator (0), RIDMaster (1), InfrastructureMaster (2), SchemaMaster (3) and DomainNamingMaster (4); the names can be used in place of the numbers. Then run

netdom query fsmo

This verifies the roles have been successfully transferred; every role should now list the 2012 DC.



Verify that the 2012 domain controller's DNS client settings no longer point at the 2003 DC (its preferred and alternate DNS servers should be itself or another surviving DNS server), because the DNS Server service on the 2003 DC is about to be stopped.


Log into the 2003 Domain Controller.

Stop the DNS Server and Netlogon services on the 2003 domain controller. This is a dry run of the demotion: with Netlogon stopped the server stops registering itself and answering logon traffic, so anything still depending on it (clients with its address hard-coded for DNS, applications bound to its name) shows up now rather than after dcpromo.

Run dcpromo from the 2003 DC.


Click Next through the introductory pages.

On the page that asks whether this is the last domain controller in the domain, leave the box unticked (ticking it tells dcpromo to delete the whole domain, not just this DC) and click Next.

Enter a new password for the local Administrator account the server will have once it is a member server, and click Next twice.

Click Finish.

Restart the 2003 server. After the reboot it is a member server; check in Active Directory Users and Computers on the 2012 DC that it no longer appears under Domain Controllers.
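The checks and the transfer described above as one script, added here as an example (not from the original post), run on the 2012 DC. DC2012 and DC2003 are placeholder names for the surviving DC and the one being demoted. It enables the Global Catalog if it is missing, transfers the roles by name, verifies them from AD rather than by eye, and checks the DNS client settings that the text says to verify before stopping DNS on the old server.

```powershell
# Added example (not part of the original post): pre-demotion checks and FSMO transfer, run on the
# 2012 DC with the ActiveDirectory module. Placeholder names: DC2012 (surviving), DC2003 (to demote).
$NewDc = 'DC2012'
$OldDc = 'DC2003'
Import-Module ActiveDirectory

# 1. The surviving DC must be a Global Catalog before the 2003 GC goes away
$target = Get-ADDomainController -Identity $NewDc
if (-not $target.IsGlobalCatalog) {
    # Same as ticking "Global Catalog" on the NTDS Settings object: set bit 0 of its options attribute
    $ntds = Get-ADObject -Identity $target.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    throw "Enabled GC on $NewDc; wait until isGlobalCatalogReady on its RootDSE is TRUE, then run this again"
}

# 2. Transfer the five FSMO roles, by name rather than 0,1,2,3,4
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Verify from AD itself (the same answer "netdom query fsmo" gives)
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$stillOnOld = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc.*" })
if ($stillOnOld.Count -gt 0) { throw "Roles still held by ${OldDc}: $($stillOnOld.Name -join ', ')" }

# 4. The 2012 DC must not use the 2003 DC for DNS, or it loses name resolution the moment
#    the DNS Server service is stopped there in the next step
$oldDcIps = [System.Net.Dns]::GetHostAddresses($OldDc) | ForEach-Object { $_.ToString() }
$bad = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder | Where-Object { $oldDcIps -contains $_ } }
if ($bad) { Write-Warning "DNS client settings on $($bad.Description -join ', ') still point at $OldDc; fix them before stopping DNS on the 2003 server" }
else      { "DNS client settings do not reference $OldDc" }
```

The script stops after enabling the GC on purpose: a GC that is still building is not yet serving forest-wide lookups, and the 2003 server should stay up until isGlobalCatalogReady turns TRUE on the new one.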

Edge Server Installation

The Edge server must not be joined to the domain.
Give the machine a proper hostname and set its primary DNS suffix to your organization's domain (System Properties > Computer Name > Change > More). Exchange 2010 setup will not continue when the DNS suffix is not set. Do not join the server to the domain.

Remember that this is an external machine sitting in your DMZ, so you do not want it exchanging domain data with the internal domain controllers. Replication of Active Directory data for the Edge Transport server is configured later in this article by using the Exchange Management Console: EdgeSync copies the recipient and configuration data the Edge needs from the Hub Transport server into a local Active Directory Lightweight Directory Services (AD LDS) instance, so the Edge never opens a connection to a domain controller.
Reboot the machine.
Next, head over to your internal DNS server and create an A record for the FQDN of the Edge Transport server, so the Hub Transport server can resolve it. Configuring the A record is beyond the scope of this article, but I will give you an example of the particular A record in my own environment:
Installing the required server roles.
Run PowerShell as an Administrator and run:
Import-Module ServerManager
Add-WindowsFeature NET-Framework,ADLDS,RSAT-ADDS -Restart

Opening ports
Be sure to open the following ports on the firewall between your DMZ and internal network, so the Edge Transport can communicate with the internal Hub Transport server:
    Port 25/TCP (SMTP) in both directions
    Port 50636/TCP (EdgeSync, LDAP over SSL to the AD LDS instance) from the internal network to the DMZ only
EdgeSync is initiated by the Hub Transport server, so the only connection the Edge itself needs into the internal network is SMTP on port 25. See the TechNet article on Exchange 2010 port usage for the complete list.
Installing the Exchange 2010 Edge Transport Role
Start the Microsoft Exchange 2010 setup and select the Custom Exchange server Installation. Select the Edge Transport role. The prerequisites will be checked and Exchange starts installing.



After installation of the role, be sure to enter the Exchange product key BEFORE creating the EdgeSync subscription XML: the subscription records the server's licensed state, and an Edge that is licensed afterwards has to be resubscribed. Do this by opening the Exchange Management Shell and typing the following command (replace MyEdgeServer and the key with your own):
Set-ExchangeServer -Identity MyEdgeServer -ProductKey aaaaa-aaaaa-aaaaa-aaaaa-aaaaa
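A pre-flight check for the prerequisites this section lists and for the two EdgeSync ports, added here as an example (not from the original post). It picks its check set by exactly the property the section insists on: if the machine is domain-joined it must be the Hub, so it tests 50636 and 25 towards the Edge; otherwise it is the Edge and it tests the DNS suffix, the workgroup state, the installed features and port 25 to the Hub. hub.corp.example.com, edge.example.com and example.com are placeholders; feature names are the Server 2008 R2 ones used above.

```powershell
# Added example (not part of the original post): Edge Transport prerequisite and EdgeSync port checks.
# Placeholders: hub.corp.example.com (Hub Transport), edge.example.com (Edge), example.com (DNS suffix).
$HubFqdn   = 'hub.corp.example.com'
$EdgeFqdn  = 'edge.example.com'
$DnsSuffix = 'example.com'

function Test-Port {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient with a timeout: works on 2008 R2 (no Test-NetConnection there) and does not
    # hang for 20 s when the firewall silently drops the packet
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped
        $c.EndConnect($ar)                                                            # throws if refused
        return $true
    } catch { return $false } finally { $c.Close() }
}

function Test-EdgePrereq {
    param([string]$HubFqdn, [string]$DnsSuffix)
    Import-Module ServerManager
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $missing = Get-WindowsFeature NET-Framework, ADLDS, RSAT-ADDS | Where-Object { -not $_.Installed }
    $hubResolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($HubFqdn) } catch { $hubResolves = $false }
    return [ordered]@{
        # Workgroup only: the Edge gets its data through AD LDS, never from a DC
        NotDomainJoined  = -not (Get-WmiObject Win32_ComputerSystem).PartOfDomain
        # Setup stops without a primary DNS suffix
        PrimaryDnsSuffix = $ipProps.DomainName
        DnsSuffixOk      = ($ipProps.DomainName -eq $DnsSuffix)
        # The features from the Add-WindowsFeature line above (2008 R2 feature names)
        FeaturesOk       = -not $missing
        MissingFeatures  = ($missing | ForEach-Object { $_.Name }) -join ', '
        # SMTP to the Hub is the only connection the Edge itself needs into the internal network
        HubResolves      = $hubResolves
        HubSmtp25        = Test-Port -ComputerName $HubFqdn -Port 25
    }
}

function Test-EdgeSyncPort {
    param([string]$EdgeFqdn)
    # Run on the Hub after the Edge role is installed: EdgeSync pushes recipient and configuration
    # data to AD LDS on the Edge over 50636/TCP (LDAPS); the Hub also hands outbound mail to it on 25
    return [ordered]@{
        EdgeSyncLdaps50636 = Test-Port -ComputerName $EdgeFqdn -Port 50636
        EdgeSmtp25         = Test-Port -ComputerName $EdgeFqdn -Port 25
    }
}

if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) { Test-EdgeSyncPort -EdgeFqdn $EdgeFqdn }
else { Test-EdgePrereq -HubFqdn $HubFqdn -DnsSuffix $DnsSuffix }
```

Once both sides report true, the subscription itself is: New-EdgeSubscription -FileName on the Edge, copy the XML to the Hub and import it there with New-EdgeSubscription -FileData and -Site, then Start-EdgeSynchronization and Test-EdgeSynchronization on the Hub. If 50636 fails from the Hub after the role is installed, the firewall rule direction is the usual cause.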

Firewall rules for whitelisting Office 365

These addresses and names are the ones Microsoft published for Office 365 at the time of writing. They change, so check Microsoft's current list before putting them on a firewall, and use FQDN-based address objects where the firewall supports them (the Palo Alto does) so the rule follows the name rather than a fixed IP.

Office 365 portal (Ports 443 and 80)


111.221.111.196     portal.microsoftonline.com
65.52.196.64        portal.microsoftonline.com
94.245.108.85       portal.microsoftonline.com
70.37.97.234        portal.microsoftonline.com
65.52.148.27        portal.microsoftonline.com
65.52.184.75        portal.microsoftonline.com
65.52.208.73        passwordreset.microsoftonline.com
65.52.240.233       passwordreset.microsoftonline.com
157.55.185.100      passwordreset.microsoftonline.com
157.55.194.46       passwordreset.microsoftonline.com
65.54.165.55        g.msn.com
65.55.239.168       g.msn.com
207.46.216.54       g.msn.com
207.46.73.250       g.msn.co.jp
94.245.117.53       g.msn.co.uk
65.54.55.201        osub.microsoft.com



Remote Connectivity Analyzer (Ports 443 and 80)

65.55.150.61
65.55.150.158
65.55.150.160
207.46.14.52
207.46.14.62
207.46.14.63


Microsoft Online Services (Ports 443 and 80)


65.54.74.0/23     *.msecnd.net
65.54.80.0/20     *.msecnd.net
65.55.86.0/23     *.msecnd.net
70.37.128.0/23    *.msecnd.net
70.37.142.0/23    *.msecnd.net
70.37.159.0/24    *.msecnd.net
94.245.68.0/22    *.msecnd.net
94.245.82.0/23    *.msecnd.net
94.245.84.0/24    *.msecnd.net
94.245.86.0/24    *.msecnd.net
111.221.70.0/25   *.msecnd.net
111.221.71.0/25   *.msecnd.net
157.56.200.0/23   *.msecnd.net
207.46.70.0/24    *.msecnd.net
207.46.206.0/23   *.msecnd.net
213.199.148.0/23  *.msecnd.net
65.55.233.0/27    g.microsoftonline.com
65.54.165.0/25    g.microsoftonline.com
157.56.23.32/27   g.microsoftonline.com
132.245.0.0/16
157.55.59.128/25
157.55.155.0/25
157.55.130.0/25
157.55.145.0/25
157.56.53.128/25
157.56.55.0/25
157.56.58.0/25
157.56.151.0/25
157.55.227.192/26
207.46.150.128/25
207.46.198.0/25
213.199.182.128/25
207.46.57.128/25
111.221.127.112/28
65.54.82.0/24
157.56.236.0/22


URLs/FQDNs (Ports 443 and 80)


*.outlook.com
*.microsoftonline.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.microsoftonlineimages.com
*.microsoftonlinesupport.net
*.msecnd.net
*.office365.com
*.officeapps.live.com
*.office.net

Hosted Exchange (ports 25, 587, 443 and 80; also 143, 993 and 995 if IMAP and POP will be used)

r3.res.outlook.com

65.54.62.0/25
65.55.39.128/25
65.55.78.128/25
65.55.94.0/25
65.55.113.64/26
65.55.126.0/25
65.55.174.0/25
65.55.181.128/25
70.37.151.128/25
157.55.49.0/25
157.55.49.128/25
157.55.61.0/24
157.55.61.128/25
157.55.157.128/25
157.56.24.0/25
157.56.232.0/21
157.56.234.0/24
157.56.236.0/24
157.56.237.0/24
157.56.240.0/21
157.56.241.0/24
157.56.244.0/24
157.56.245.0/24
207.46.4.128/25
207.46.198.0/25
207.46.203.128/26

Federated Gateway
207.46.150.128/25
207.46.164.0/24
*.microsoftonline-p.com
*.live.com
*.microsoftonline.com
*.microsoftonlinesupport.net
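Before a list like the one above goes onto a firewall it is worth parsing it rather than pasting it, because the lists overlap: 157.56.232.0/21 already contains 157.56.234.0/24 and 157.56.236.0/22, 157.55.61.0/24 contains 157.55.61.128/25, and 207.46.198.0/25 appears twice. The script below is an added example (not from the original post) that loads entries in the format used above, reports entries fully covered by another entry, and answers "is this address allowed" for a given IP. $AllowList is a constructed subset of the page's entries chosen because it contains those overlaps.

```powershell
# Added example (not part of the original post): loads an allow-list in the format used above,
# flags entries that another entry already covers, and checks a given address against the list.
# $AllowList is a constructed subset of the page's entries, chosen because it contains overlaps.
function ConvertTo-IpInt {
    param([string]$Address)
    # Fold the dotted quad into an int64; avoids the sign problems of doing it in [int]/[uint32]
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Address" }
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-AllowListEntry {
    param([string]$Line)
    # Accepts "a.b.c.d", "a.b.c.d/n" or either followed by a hostname; $null for blank/comment lines
    $t = $Line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { return $null }
    $parts  = $t -split '\s+'
    $addr   = $parts[0]
    $prefix = 32
    if ($addr -match '^(.+)/(\d{1,2})$') { $addr = $Matches[1]; $prefix = [int]$Matches[2] }
    if ($prefix -gt 32) { throw "Bad prefix length in '$Line'" }
    $size  = [int64][math]::Pow(2, 32 - $prefix)
    $ipInt = ConvertTo-IpInt $addr
    $net   = $ipInt - ($ipInt % $size)     # clear the host bits
    return [pscustomobject]@{
        Entry   = $parts[0]
        Fqdn    = $(if ($parts.Length -gt 1) { $parts[1] } else { '' })
        Prefix  = $prefix
        Start   = $net
        End     = $net + $size - 1
        Aligned = ($net -eq $ipInt)       # $false: host bits were set, e.g. 10.0.0.5/24
    }
}

function Get-RedundantEntry {
    param([object[]]$Entries)
    # Redundant = the whole range lies inside another entry (a duplicate, or a longer prefix inside a
    # shorter one). Firewalls accept such lists, but they hide what is really allowed and bloat the rule.
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        for ($j = 0; $j -lt $Entries.Count; $j++) {
            if ($i -eq $j) { continue }
            $a = $Entries[$i]; $b = $Entries[$j]
            $covered = ($a.Start -ge $b.Start -and $a.End -le $b.End)
            # For exact duplicates report only the later copy so one survives
            if ($covered -and ($a.Prefix -gt $b.Prefix -or ($a.Prefix -eq $b.Prefix -and $i -gt $j))) {
                [pscustomobject]@{ Redundant = $a.Entry; CoveredBy = $b.Entry }
                break
            }
        }
    }
}

function Test-IpAllowed {
    param([string]$Address, [object[]]$Entries)
    $x = ConvertTo-IpInt $Address
    return @($Entries | Where-Object { $x -ge $_.Start -and $x -le $_.End })
}

$AllowList = @'
157.55.61.0/24
157.55.61.128/25
157.56.232.0/21
157.56.234.0/24
157.56.236.0/22
207.46.198.0/25
207.46.198.0/25
65.54.74.0/23     *.msecnd.net
65.52.208.73      passwordreset.microsoftonline.com
'@

$entries = @($AllowList -split "`r?`n" | ForEach-Object { ConvertFrom-AllowListEntry $_ } | Where-Object { $_ })
$entries | Where-Object { -not $_.Aligned } | ForEach-Object { Write-Warning "Host bits set in $($_.Entry)" }
Get-RedundantEntry -Entries $entries | Format-Table -AutoSize
# Spot-check addresses before pushing the list to the firewall
foreach ($ip in '157.56.237.10', '65.52.208.74') {
    $hit = Test-IpAllowed -Address $ip -Entries $entries
    "{0}: {1}" -f $ip, $(if ($hit) { 'allowed by ' + (($hit | ForEach-Object { $_.Entry }) -join ', ') } else { 'NOT covered' })
}
```

With the sample list the redundancy report names 157.55.61.128/25, 157.56.234.0/24, 157.56.236.0/22 and the second 207.46.198.0/25; 157.56.237.10 is allowed by both 157.56.232.0/21 and 157.56.236.0/22, and 65.52.208.74 is not covered at all, which is the point of listing a single host address such as 65.52.208.73 rather than its /24. The Aligned flag catches the other common copy-and-paste error, an entry such as 10.0.0.5/24 where the host bits mean the author and the firewall may disagree about which network was intended.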