I think that one of the coolest features of Exchange 2010 is the seamless free/busy and calendar federation between organizations. In order to get federation provisioned there are a number of steps you need to take which you can find detailed on Technet.
The first step of this setup involves creating a Federation Trust to the Microsoft Federation Gateway (MFG), but in order to create this trust you need to use a public certificate issued by one of the following Certificate Authorities (the haphazard thumbprint formatting is Technet’s, not mine):
| CA certificate friendly name | Thumbprint |
|---|---|
| Comodo | NA |
| Digicert Global Root CA | 083B:E056:9042:46B1:A175:6AC9:5991:C74A |
| Digicert High Assurance EV Root CA | 91 8d a5 e4 99 c1 5f 7c 62 75 b1 24 fe de 53 35 7c 34 bd 36 |
| Entrust.net CA (2048) | 801D 62D0 7B44 9D5C 5C03 5C98 EA61 FA44 3C2A 58FE |
| Entrust Secure Server CA | 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539 |
| Go Daddy Secure Certification Authority | 7c46 56c3 061f 7f4c 0d67 b319 a855 f60e bc11 fc44 |
I was recently involved in an Exchange deployment that involved purchasing a SAN certificate from Comodo. One of the certificate authorities Comodo uses to issue SAN certs is the USERTrust Legacy Secure Server CA, whose own certificate is issued by the Entrust.net Secure Server Certification Authority. The bottom line is that the certificate you get chains up to the Entrust certificate you can see below, which the Federation Gateway supports.

After trying to create the Federation Trust we were seeing the following error:

An error occurred while attempting to provision Exchange to the Partner STS. Detailed information “An error occurred accessing Windows Live. Detailed information “The request failed with HTTP status 403: Forbidden.”.”
Basically this is the MFG’s way of saying “I don’t trust this certificate.” It turns out the MFG is geared to accept only certificates issued directly by one of the certificate authorities listed above, which is not something I saw in the documentation. So if the Entrust Secure Server Certification Authority had issued our webmail certificate directly, it would have been accepted. But as in our case, if your certificate is issued by a third-party intermediate certificate authority it won’t be accepted, even if it technically chains up to a supported root authority.
The good news is that a call to PSS resulted in Microsoft making a change on the MFG to accept certificates issued by this particular intermediate CA going forward, for everyone. So if you ran into this error previously you should be able to try again with the same certificate and see the trust succeed. As of this writing I’ve requested that they also add support for the AAA Certificate Services intermediate CA that Comodo also issues certificates from.
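Before opening a PSS case it is worth knowing exactly who signed your certificate. The following is an added example (not code from the original post) that builds the chain for a certificate in the local computer store and reports whether its immediate issuer, as opposed to something higher up the chain, is one of the CAs in the table above. The thumbprint list is the table's values with Technet's spaces and colons stripped; the `Test-MfgIssuer` function name and the usage thumbprint are placeholders.

```powershell
# Added example, not part of the original post: check whether the certificate you plan to
# pass to New-FederationTrust is issued *directly* by one of the CAs in the table above.
# The thumbprints are the table's values with Technet's spaces and colons stripped. The
# Digicert Global Root CA entry is only 32 hex digits as printed, so it is kept verbatim
# and will simply never match a real SHA-1 thumbprint.
$MfgIssuerThumbprints = @(
    '083BE056904246B1A1756AC95991C74A',           # Digicert Global Root CA (as printed)
    '918DA5E499C15F7C6275B124FEDE53357C34BD36',   # Digicert High Assurance EV Root CA
    '801D62D07B449D5C5C035C98EA61FA443C2A58FE',   # Entrust.net CA (2048)
    '99A69BE61AFE886B4D2B82007CB854FC317E1539',   # Entrust Secure Server CA
    '7C4656C3061F7F4C0D67B319A855F60EBC11FC44'    # Go Daddy Secure Certification Authority
)

function Test-MfgIssuer {
    param(
        # Thumbprint of the certificate in the local computer's personal store
        [Parameter(Mandatory = $true)] [string] $Thumbprint
    )
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) { throw "Certificate $clean not found in Cert:\LocalMachine\My" }

    # Build the chain the same way Windows would so every issuer is visible
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    foreach ($c in $certs) {
        $tag = ''
        if ($MfgIssuerThumbprints -contains $c.Thumbprint) { $tag = '  <-- listed MFG CA' }
        Write-Host ('{0}  {1}{2}' -f $c.Thumbprint, $c.Subject, $tag)
    }

    # The gateway looks at the immediate issuer (chain element 1), not at the root.
    $issuer = $null
    if ($certs.Count -gt 1) { $issuer = $certs[1] }
    $issuerSubject = '(self-signed or chain not built)'
    if ($issuer) { $issuerSubject = $issuer.Subject }
    $issuedDirectly = ($issuer -ne $null) -and ($MfgIssuerThumbprints -contains $issuer.Thumbprint)
    $listedInChain  = @($certs | Where-Object { $MfgIssuerThumbprints -contains $_.Thumbprint }).Count -gt 0

    New-Object PSObject -Property @{
        Subject                  = $cert.Subject
        ImmediateIssuer          = $issuerSubject
        IssuedDirectlyByListedCA = $issuedDirectly
        ListedCAOnlyHigherUp     = ($listedInChain -and -not $issuedDirectly)
    }
}

# Usage (placeholder thumbprint). IssuedDirectlyByListedCA = False together with
# ListedCAOnlyHigherUp = True is exactly the Comodo/USERTrust situation described above,
# which the MFG answers with HTTP 403.
# Test-MfgIssuer -Thumbprint '<thumbprint of your webmail certificate>'
```

Revocation checking is switched off only because the point here is to see the issuers, not to validate the chain; leave it on if you reuse this for anything else.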
One of the deployments I’ve been working on recently involved using F5 BigIP hardware load balancers to do SSL offloading for a two-node Exchange 2010 design. For background, usually you would just pass port 443 straight through from your load balancer to the Exchange servers (I’m skipping over the RPC Client Access piece since it’s not relevant here), letting the servers handle the SSL encryption, like in this diagram:
The benefit of that approach is that it’s simple and a very common deployment method. On the flip side, you can benefit from offloading SSL encryption to the BigIPs and gain some more advanced forms of load balancing. In this case the improved load balancing was the goal, along with some internal policies forcing this approach. With SSL offloading the HTTPS traffic terminates at the BigIPs, which turn around and pass clear-text port 80 traffic back to the Exchange servers so they have a bit less CPU work to do. Keep in mind that the BigIP-to-CAS leg then carries credentials and mailbox data unencrypted, so that network segment has to be trusted to the same degree as the servers themselves. That strategy looks more like this:
The problem with this configuration is that Exchange is really designed to operate with SSL in mind, and you have to go out of your way to let it operate in clear text. What you’ll need to configure on each CAS server is:
The issue I ran into is that after following all of these steps Autodiscover was still not functional through the load balancer. I could enter https://<CAS Array FQDN>/Autodiscover/Autodiscover.xml into a browser and reach the XML file with no problem, but running the Autodiscover test within Outlook would return a 404 error. Every other service was working just fine:
This threw me for a while, and after a bit of searching I ran across KB 980048, where it’s noted that Autodiscover cannot be used on port 80 with an HTTP POST request, which is what Outlook uses. My attempts at accessing the XML directly succeeded because the browser was only issuing a GET to download the file. Supposedly this is going to be fixed in Service Pack 1.
While the KB provides no immediate solution, what I found works is to use the same approach Technet recommends for the Exchange Web Services web.config file. Go into your /Autodiscover folder and edit web.config to replace all instances of httpsTransport with httpTransport (a simple search and replace should work). Be sure to save a copy before you make modifications, restart your server after making the change, and you should be able to offload SSL for Autodiscover successfully. Since a service pack or update rollup can replace this web.config, re-check it after updates. As far as I know this is undocumented today, so try it at your own risk, but it appears to be working.
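The search-and-replace above, scripted so it keeps a backup, refuses to write a file that is no longer well-formed XML, and recycles IIS instead of rebooting. This is an added example, not from the original post; it assumes the default Exchange 2010 install path in `$ExchangeRoot` and the function name `Set-AutodiscoverHttpTransport` is my own.

```powershell
# Added example, not part of the original post. Assumes the default Exchange 2010 install
# path; change $ExchangeRoot if yours differs. Run from an elevated PowerShell prompt on each CAS.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V14'
$WebConfig    = Join-Path $ExchangeRoot 'ClientAccess\Autodiscover\web.config'

function Set-AutodiscoverHttpTransport {
    param([string] $Path = $WebConfig)

    if (-not (Test-Path $Path)) { throw "web.config not found at $Path" }
    $original = [System.IO.File]::ReadAllText($Path)

    # Count the WCF binding elements we are about to rename; zero means it was already done
    $count = [regex]::Matches($original, 'httpsTransport').Count
    if ($count -eq 0) {
        Write-Warning "No httpsTransport elements in $Path; nothing changed."
        return $false
    }

    # Keep a timestamped copy so the edit can be reverted, or re-applied after an
    # update rollup replaces the file
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $Path -Destination $backup

    # Case-sensitive rename of the element: <httpsTransport ...> becomes <httpTransport ...>,
    # closing tags included, so the document stays balanced
    $patched = $original -creplace 'httpsTransport', 'httpTransport'

    # Refuse to write anything IIS would choke on
    try { $null = [xml]$patched } catch { throw "Patched content is not well-formed XML; file left untouched. $_" }

    [System.IO.File]::WriteAllText($Path, $patched, [System.Text.Encoding]::UTF8)
    Write-Host "Renamed $count httpsTransport element(s) in $Path (backup: $backup)"

    # Recycle IIS so the Autodiscover application pool loads the new binding; a full
    # reboot, as in the post, also works
    & iisreset /noforce | Out-Null
    return $true
}

Set-AutodiscoverHttpTransport
```

Running it a second time is harmless: it finds no httpsTransport elements and returns without touching the file, which also makes it a quick way to check whether an update has put the original binding back.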
Edit – post removed!
This post was originally written based on the Exchange 2010 beta bits, before the Technet documentation was updated to reflect the permissions actually required for a DAG’s file share witness (FSW). Consequently, it had a major error. You’ll want to visit Devin’s page for a full explanation and the correct way to set up the DAG. Always helps when you can read the documentation, right?
This morning I set out to install Exchange 2010 on Server 2008 R2 and was amazed that I actually had it up and running within 20 minutes of booting my guest virtual machine. I haven’t looked into many of the technical advantages of R2 over R1 for Exchange yet, but I can say that the installation requires a lot fewer prerequisite installs than on Server 2008 R1. Here’s a quick guide to getting up and running on R2 with all the server roles installed.
1. Install a Server 2008 R2 RTM server. I’d recommend Enterprise Edition so you can add a second Exchange server later and test out DAGs. I had a Sysprepped image I was able to boot up and join to the domain very quickly.
2. Copy the Exchange2010-RC1-x64.exe file to your server and run it. Choose a location to extract the files to.
3. Open a command prompt with administrative privileges and navigate to the folder where you extracted the Exchange files.
4. Issue the command: `servermanagercmd.exe -ip scripts\exchange-all.xml`
5. Ignore the warning about servermanagercmd being deprecated and restart the server when the installation completes.
6. Open the Services MMC.
7. Change the Net.Tcp Port Sharing Service startup type to Automatic. The prerequisite check for the CAS role requires this to be set.
8. Open a command prompt with administrative privileges again and navigate to the folder where you extracted the Exchange files.
9. Issue the command: `setup`
10. Click Choose Exchange language option and then click Install only languages from the DVD.
11. Click Install Microsoft Exchange.
12. Click Next.
13. Accept the license terms and click Next.
14. Select Yes to enable error reporting and press Next.
15. Select Custom Exchange Server Installation and press Next.
16. Select the Mailbox Role, Client Access Role, Hub Transport Role, Unified Messaging Role and Management Tools. Press Next.
17. Name the Exchange organization and press Next.
18. Select No for Outlook 2003 clients or Entourage (pre-Web Services edition) and press Next.
19. Check the box Client Access server role will be Internet-facing, enter your public URL (mail.domain.com) and press Next.
20. Select the option to join the CEIP and press Next.
21. After the prerequisite check completes click Install.
You can see my installer completed in about 12 minutes, which is pretty damn cool. This was a VM with 3 GB of RAM and its VHD on a RAID 10 set. Imagine if this were a production machine with a real amount of RAM.
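The same build can be done without clicking through the wizard. The script below is an added example, not from the original post: it runs the prerequisite install and the Net.Tcp Port Sharing change as one phase, and after the reboot drives setup.com with the switches that correspond to the wizard answers above. The extraction folder, organization name and external FQDN are placeholders, and the setup.com switches are the ones documented for Exchange 2010 unattended setup, so check them against your build since this post used RC1.

```powershell
# Added example, not part of the original post: the same build done unattended from an
# elevated prompt. Assumptions: the server is already domain-joined, Exchange2010-RC1-x64.exe
# was extracted to $SetupDir, and $OrgName / $ExternalFqdn are placeholders. The setup.com
# switches are the ones documented for Exchange 2010 unattended setup; verify them against
# your build, since the post used RC1.
$SetupDir     = 'C:\Exchange2010'   # extraction folder (assumption)
$OrgName      = 'Contoso'           # Exchange organization name (placeholder)
$ExternalFqdn = 'mail.domain.com'   # Internet-facing CAS name, as entered in the wizard

# Phase 1: Windows prerequisites. Reboot when it finishes.
function Install-ExchangePrereqs {
    $xml = Join-Path $SetupDir 'scripts\exchange-all.xml'
    if (-not (Test-Path $xml)) { throw "Prerequisite answer file not found: $xml" }

    # servermanagercmd is deprecated on R2 but still works; 3010 is the Windows
    # "succeeded, reboot required" exit code
    & servermanagercmd.exe -inputPath $xml
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "servermanagercmd failed with exit code $LASTEXITCODE"
    }

    # The Client Access prerequisite check wants Net.Tcp Port Sharing set to Automatic
    Set-Service -Name NetTcpPortSharing -StartupType Automatic
    Write-Host 'Prerequisites installed. Restart the server, then run Install-Exchange2010.'
}

# Phase 2 (after the reboot): the wizard selections as setup.com switches.
function Install-Exchange2010 {
    $setup = Join-Path $SetupDir 'setup.com'
    if (-not (Test-Path $setup)) { throw "setup.com not found in $SetupDir" }

    $setupArgs = @(
        '/mode:Install',
        '/roles:Mailbox,ClientAccess,HubTransport,UnifiedMessaging,ManagementTools',
        "/OrganizationName:$OrgName",              # new organization
        "/ExternalCASServerDomain:$ExternalFqdn",  # "CAS role will be Internet-facing"
        '/EnableErrorReporting',                   # "Yes" to error reporting
        '/CustomerFeedbackEnabled:true'            # join the CEIP
        # "No" to Outlook 2003/Entourage simply means not passing /EnableLegacyOutlook
    )
    & $setup @setupArgs
    if ($LASTEXITCODE -ne 0) {
        throw "Exchange setup returned $LASTEXITCODE; see C:\ExchangeSetupLogs\ExchangeSetup.log"
    }
    Write-Host 'Exchange 2010 installed with Mailbox, CAS, Hub, UM and Management Tools.'
}

# Usage: run Install-ExchangePrereqs, reboot, then run Install-Exchange2010.
```

Both functions stop on the first failure rather than carrying on, which matters for the prerequisite phase: if servermanagercmd did not finish cleanly, the Exchange prerequisite check will fail later with a much less specific message.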