Exchange & Outlook UPDATE, Exchange Edition--Certificates and Exchange, Part 2--September 14, 2006

--------| Exchange & Outlook UPDATE |--------

*Commentary: Certificates and Exchange, Part 2
*Special: UK Exchange and Mobility User Group Launches
*Exchanging Ideas: Exchange Recovery Tools
*New and Improved: RoadSync Supports Exchange Server 2003 SP2 Mobility Features



Try Symantec Backup Exec 10d for Windows

Automated "One-Click" Disaster Recovery for Microsoft Exchange

Secure Your Online Data Transfer with SSL


Sponsor: Symantec

Try Symantec Backup Exec 10d for Windows
Symantec Backup Exec(TM) 10d for Windows Servers is designed for disk, delivering reliable, faster, and more efficient true continuous data protection for Windows servers. Backup Exec 10d revolutionizes data protection by eliminating backup windows and introducing the industry's first web-based file retrieval. Combined with its existing family of high performance agents and options to Microsoft Exchange, SQL, SharePoint Portal Server, and other database application data, as well as Linux/UNIX server data and desktops and laptops, Backup Exec 10d delivers the only comprehensive disk and tape based solution. Download the trialware now to see how fast and flexible this solution is.


***COMMENTARY: Certificates and Exchange, Part 2
by Paul Robichaux, Exchange Editor, [email protected]

Last week, I wrote about Secure Sockets Layer (SSL) certificates and how Exchange uses them ("Certificates and Exchange, Part 1," September 7, 2006, InstantDoc ID 93440). This week, I delve into more detail about how Exchange Server 2007 uses certificates. Exchange 2007's features are significantly different from Exchange Server 2003, and understanding how the new features work is important to your deployment planning. (One minor correction to last week's column: Alert reader JP Donnio pointed out that I was comparing two different types of certificates. To be fair, I should compare Comodo's $139 certificate to's $90 high-assurance certificate, not the $20 low-assurance version.)

When you install Exchange 2007, the product automatically generates a brand-new certificate intended for use only with Exchange. This certificate is a full 128-bit SSL-capable certificate, but it's self-signed, so it won't be on the trust list of your browser, your mobile device, or computers joined to your domain, and you'll get a certificate-trust warning when you try to use the certificate with Microsoft Outlook Web Access (OWA).

The installed certificate will automatically be assigned for use with HTTP, SMTP, IMAP, and POP. This instant assignment is handy because it means communications that use those protocols are protected from the time you complete the installation. For example, Exchange will respond to SMTP Transport Layer Security (TLS) requests by using both the Internet-standard STARTTLS verb and the Exchange 2007–specific X-ANONYMOUSTLS extension. Likewise, OWA is immediately protected because the self-signed certificate for the Client Access server role is assigned to the Exchange virtual directory at installation time.

You can manipulate Exchange 2007 certificates in several ways. First, the Microsoft PowerShell cmdlet Get-ExchangeCertificate lets you see the certificate properties, including which roles or protocols the certificate is assigned to. By default, when you run Get-ExchangeCertificate on a newly installed server, you'll see a single certificate with its services field set to "all." You'll also see that the certificate is assigned to several Microsoft IIS virtual directories, including OWA and Exchange ActiveSync.

Having so much automatic protection is a good starting point, but what if you want to introduce other certificates? The answer is "it depends." For services offered through IIS, you'll need to use the standard Internet Services Manager (ISM) interface to request and manage certificates. Fortunately, ISM makes moving your existing certificates to a new Exchange 2007 Client Access server easy, provided that you have an exportable private key in the certificate. (If not, your Certificate Authority—CA—might let you rekey the certificate, but policies vary, so don't count on this capability.)

If you want separate certificates for other Exchange services, such as Autodiscover, you'll need to become acquainted with two additional cmdlets: New-ExchangeCertificate and Import-ExchangeCertificate. The former lets you generate new self-signed certificates or certificate requests (which you can then send on to your preferred CA). Once you get the certificate back from the CA, you'll use Import-ExchangeCertificate (which expects a Public-Key Cryptography Standards #12 file as input) to link the CA-issued certificate with the Exchange services you want to use.

You need to keep some subtleties in mind as you plan your certificate deployment. For one thing, remember that you might have multiple services on a single Client Access server. Microsoft currently recommends adding an extra subject name to the certificate so that the certificate is issued to, say, and, but not every third-party CA allows this additional name. Second, bear in mind that it's perfectly OK to use self-signed certificates for your internal operations, but you might want to use externally issued certificates for public-facing services such as TLS-protected SMTP, OWA, and Exchange ActiveSync. In particular, some Windows Mobile 5.0 devices can't be easily loaded with new certificate roots, and that limitation might influence your choice of CA.
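The workflow described above, as an added Exchange Management Shell example that is not part of the original column: inventory the installed certificates, flag self-signed or expiring ones that are still bound to services, request a CA-issued certificate with an extra subject name, then import it and bind it. The hostnames, file paths, and 30-day window are constructed placeholders; the parameter names and the Enable-ExchangeCertificate cmdlet (which the column does not mention) are assumed from the released Exchange 2007 product, so confirm them with Get-Help on your build.

```powershell
# Added example. Hostnames, paths and the 30-day window are constructed placeholders.
# Run in the Exchange Management Shell on the Exchange 2007 server.

# 1. Inventory: which certificate is bound to which services, and is it self-signed?
$certs = Get-ExchangeCertificate
$certs | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Flag certificates that are still assigned to a service and are either
#    self-signed (clients outside the server will not trust them) or close to expiry.
$soon = (Get-Date).AddDays(30)
$certs | Where-Object {
    ("$($_.Services)" -ne 'None') -and ($_.IsSelfSigned -or ($_.NotAfter -lt $soon))
} | Select-Object Thumbprint, Services, IsSelfSigned, NotAfter

# 3. Generate a request for a CA-issued certificate that carries an extra
#    subject name, so one certificate covers several services on the same
#    Client Access server. Send the resulting .req file to your CA.
New-ExchangeCertificate -GenerateRequest -Path 'C:\certs\mail.req' `
    -SubjectName 'cn=mail.example.com' `
    -DomainName mail.example.com, autodiscover.example.com `
    -PrivateKeyExportable $true

# 4. Import the PKCS #12 file and bind it to the public-facing services.
#    The password is read as a SecureString so it never appears in the
#    command history; the .pfx holds the private key, so restrict access
#    to it and delete the copy once the import succeeds.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$new = Import-ExchangeCertificate -Path 'C:\certs\mail.pfx' -Password $pfxPassword
$new | Enable-ExchangeCertificate -Services 'IIS, SMTP'

# 5. Verify the binding and the names on the certificate that is now in use.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned, NotAfter
```

Step 2 is worth rerunning after step 4: the original self-signed certificate stays installed, and the check shows whether it is still assigned to a service you meant to move to the CA-issued one.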


Sponsor: Mimosa

Automated "One-Click" Disaster Recovery for Microsoft Exchange
Automate disaster recovery for Exchange with just one click! Complete recovery of data and service continuity can be available at your fingertips. Download the free whitepaper to find out how now!


***SPECIAL: UK Exchange and Mobility User Group Launches
by Anne Grubb, [email protected]

IT pros in the UK who have an interest in Exchange and Windows Mobile devices have a new focal point for their community. The Microsoft Messaging & Mobility User Group UK, started in July by Nathan Winters, a senior technical consultant for b2Lateral in London, with help from Eileen Brown of Microsoft UK, is the UK's first Exchange-related user group. "I attended the first \[Mark\] Minasi Forum meeting in May, which inspired me to try and set up something community-based in the UK," said Winters.

Winters' vision for the user group is to serve as a gathering point for Exchange enthusiasts of all levels of experience and "provide a link between Microsoft and Exchange users to improve the product and the skills of those using Exchange," he said. The group's Web site at will play a key role in driving the user group and, Winters said, "becoming a key resource for Exchange pros with high-quality articles and well supported forums." The group will also have regular meetings with speakers from within and outside Microsoft and also is planning an Exchange Server 2007 launch event with Microsoft and Culminis, a user group for IT professionals interested in Microsoft products.



Focus: Exchange Recovery Tools

Go back in time to recover your priceless data
You don't need a time machine to restore valuable data after a hardware failure or data corruption. These 12 recovery tools can help you recover your Exchange data.

Have a question? Got answers? Join your peers in the Exchange discussion forums:
Current Threads:
Using Certificates to Digitally sign emails
Two Forests, One Exchange Server in the other Forest
Really old free busy data needed

Don't forget to sound off in our Instant Poll. This month's question is "In a typical work week, how much time do you spend managing SharePoint?"

~~~~ Hot Spot: ~~~~

Secure Your Online Data Transfer with SSL
Increase your customers' confidence and your business by securely collecting sensitive information online. In this free white paper you'll learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server.


by Blake Eno, [email protected]

RoadSync Supports Exchange Server 2003 SP2 Mobility Features
DataViz announced that its Exchange ActiveSync client, RoadSync, is now available for mobile devices with Windows Mobile 2003 Second Edition software. RoadSync wirelessly synchs email, attachments, calendar, and contacts, but this edition supports new mobility features added in Microsoft Exchange Server 2003 Service Pack 2 (SP2). These features include Direct Push technology, Remote Wipe, Global Address List Lookup, and IT Policy Enforcement. DataViz will also offer RoadSync for Windows Mobile 5.0, which will support new Exchange 2007 productivity features such as email flagging, online mailbox search, and support for linked SharePoint files. For more information, contact DataViz at 203-874-0085.

Wanted: your reviews of products you've tested and used in production. Share your experiences and ratings of products to "[email protected]" and get a Best Buy gift certificate.


These Windows-related events, papers, and resources will help you keep your knowledge and skills up to date and help you deploy, secure, and maintain the latest Exchange- and Windows-related technologies. For more Exchange related resources, visit

Linux + Unix + Windows — TechX World
Pure-play IT shops are a nice idea, but the reality today is that we are all faced with interoperability issues. TechX World 2006 gives you access to leading experts in the field and will prepare you to master interoperability issues in your environment.

Tired of using separate products on your Microsoft Exchange server for antivirus, antispam, attachment filtering, disclaimers, content auditing/filtering? This Webcast will address the latest threats to messaging security and spotlight Sunbelt's Messaging Ninja, which enables system administrators to easily secure their messaging infrastructures and stop threats at the Exchange Server.

Can you distinguish between the facts and fiction of Linux? Get the straight answers about Linux, UNIX, and Windows--together and head-to-head comparisons. Read articles and download free resources today! You can also test your Linux skills and enter to win a $150 MSN Music gift card!

Randy Franklin Smith outlines five evaluation points to consider when choosing your antispyware solution in this free podcast. Download it today!

Integrate fax services with business applications for major increases in ROI. Find out how fax technology can benefit your bottom line and improve business processes. Download the free ebook today!



Extend Microsoft Windows Rights Management Services (RMS) to support enterprise requirements for information protection, including proprietary business data. Download the free whitepaper today!



Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL content published in Windows IT Pro magazine, SQL Server Magazine, Exchange and Outlook Administrator newsletter, Windows Scripting Solutions newsletter, and Windows IT Security newsletter. Subscribe now and SAVE $100:

Get the Windows IT Pro Utility Kit FREE
SAVE up to $30 off Windows IT Pro magazine and get an exclusive Windows IT Pro Utility Kit CD FREE with your paid order! In addition, you'll also get unlimited access to the entire online article archive, which houses more than 9,000 helpful Windows IT articles. This is a limited-time offer, so order now:

~~~~ Contact Us ~~~~

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


This email newsletter is brought to you by Exchange & Outlook Administrator, the leading publication for IT professionals managing, securing, optimizing, and migrating Exchange and Outlook. Subscribe today!

View the Windows IT Pro Privacy policy at

Windows IT Pro a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538,
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All Rights Reserved.
