Change OWA Logon Page in TMG

Normally when you open OWA you see the initial logon page, which asks for the credentials in the Domain\User name format:


When you want users to log on with their UPN (in most cases identical to the e-mail address) you can set this on the OWA Virtual Directory in the Exchange Management Console:


When you select “Use forms-based authentication” and select “User principal name (UPN)” the initial login page changes accordingly:


When using TMG 2010 in front of Exchange 2010 things are different. The logon form is now generated by TMG, which pre-authenticates the user and passes the credentials on to the Exchange server, and the Exchange server itself is set to Basic authentication. By default the TMG logon page for Exchange shows the Domain\Username format and unfortunately there's no easy way to change the logon page to show something different.

Please note that although the default page shows Domain\Username, you can still log on with the UPN!

To change the text on the logon page (or to change the layout completely) you have to edit the HTML template files. These can be found on the TMG server in the directory C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML. The language files are in subdirectories below that; the Dutch language component, for example, is in subdirectory nls\nl. Open the strings.txt file there, search for the L_UserName_Text string and change its value.


Restart the TMG Firewall service and open Outlook Web App. You’ll see that the logon page has now changed:
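The edit described above, scripted so that it can be repeated on every TMG server in the array. This is an added example and not part of the original post. It assumes that strings.txt holds one L_Name="value" pair per line (check your copy first), that the TMG Firewall service is registered under the service name fwsrv, and it uses the Dutch (nl) subdirectory and the label "E-mail address:" purely as illustration.

```powershell
# Added example (not from the original post): change the user-name label on the TMG
# forms-based logon page for Exchange publishing, for one language, with a backup.
# Assumptions: strings.txt contains lines of the form L_Name="value", and the
# TMG Firewall service is named fwsrv.
param(
    [string]$Language = "nl",               # nls\<Language> subdirectory, e.g. nl for Dutch
    [string]$NewLabel = "E-mail address:"   # new value for the L_UserName_Text string
)

$templateRoot = "C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML"
$stringsFile  = Join-Path $templateRoot "nls\$Language\strings.txt"
if (-not (Test-Path $stringsFile)) { throw "Not found: $stringsFile" }

# Keep a timestamped copy so the page can be restored without touching the installation.
Copy-Item $stringsFile ("{0}.{1:yyyyMMdd-HHmmss}.bak" -f $stringsFile, (Get-Date))

# Read with BOM detection and write back with the same encoding, so the non-ASCII
# characters in the other language strings are not mangled by a default ASCII Set-Content.
$reader   = New-Object System.IO.StreamReader($stringsFile, $true)
$content  = $reader.ReadToEnd()
$encoding = $reader.CurrentEncoding
$reader.Close()

# Only the quoted value of L_UserName_Text is replaced; everything else stays as it was.
$pattern = '(?m)^(L_UserName_Text\s*=\s*")[^"]*(")'
if ($content -notmatch $pattern) { throw "L_UserName_Text not found in $stringsFile" }
$updated = [regex]::Replace($content, $pattern, ('${1}' + $NewLabel + '${2}'))
[System.IO.File]::WriteAllText($stringsFile, $updated, $encoding)

# TMG reads the templates at service start. Restarting the Firewall service drops the
# sessions that currently pass through this node, so do this in a maintenance window.
Restart-Service -Name fwsrv -Force
```

Run it once per TMG array member; the template files are local to each server and are not replicated by the array configuration.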


SSL offloading with Powershell

When you're using a (hardware) load balancer in combination with Exchange Server 2010 you might want to offload SSL from the Exchange servers to the load balancer. Because the load balancer then sees the decrypted HTTP traffic, more persistence options (cookie based, for example) become available. Keep in mind that the traffic between the load balancer and the Exchange servers is then plain HTTP, so that network segment has to be a trusted one.

Enabling SSL offloading in Exchange 2010 is not that difficult, but it consists of several steps which are prone to error if you have to configure them on multiple servers (which is most likely the case, of course, when you have a load balancer).

Continue reading SSL offloading with Powershell

Building Hosted Exchange – Part V

In my earlier blog posts Building Hosted Exchange Part I (overview), Building Hosted Exchange Part II (Active Directory), Building Hosted Exchange Part III (Exchange and ABPs) and Building Hosted Exchange Part IV (Global Settings) we've created a simple Exchange 2010 organization that's capable of hosting multiple organizations, separated from each other and each having their own Address Books. There's one last issue I want to point out and that's message routing. Exchange sees the entire Exchange organization as just one entity and does not care at all about routing between tenants. This is true for SMTP routing as well as for internal and external out-of-office (OOF) messages, which are SMTP messages as well of course.

Note: using Address Book Policies you can do 'GAL segmentation', but this is a feature that's only targeted at Address Books. Transport doesn't do anything with Address Book Policies! Continue reading Building Hosted Exchange – Part V

SMTP Relay in Exchange 2010

When an Exchange 2010 Hub Transport Server is installed two Receive Connectors are automatically created:

  • Client Receive Connector – used by end users with an SMTP client who want to send messages. This is authenticated SMTP on port 587;
  • Default Receive Connector – used to receive SMTP messages on port 25 from other Exchange Hub Transport Servers or the Edge Transport Server.

I always recommend not changing the default Receive Connectors, with the exception of adding Anonymous Users to the Permission Groups of the Default Receive Connector so that other SMTP hosts (the Internet, or an upstream gateway) can submit messages as well. This permission group only grants the right to submit messages for recipients in the Accepted Domains; it does not grant relaying, so the Default Receive Connector does not become an open relay.


Relaying SMTP messaging

For relaying SMTP messages I normally recommend using an additional Receive Connector bound to an additional IP address on the server. This IP address can have an easy to remember FQDN like

To create the new Receive Connector use the following command in the Exchange Management Shell:

New-ReceiveConnector -Name "Relay Connector (EXCH01)" -Usage Custom -Bindings -FQDN -RemoteIPRanges -Server ServerName -PermissionGroups AnonymousUsers

This command creates a new Receive Connector, binds it to the IP address (which of course has to be configured on the network card of the server) and allows the remote IP address(es) listed in RemoteIPRanges to submit SMTP messages anonymously. However, at this point only messages for recipients whose SMTP domain is an Accepted Domain in the Exchange organization are accepted. This is the default: the AnonymousUsers permission group does not include the right to relay to other domains, so the permissions on the Receive Connector have to be changed.

The ms-Exch-SMTP-Accept-Any-Recipient extended right makes the Hub Transport Server accept every recipient that is submitted on this connector, which effectively turns the connector into a relay for the hosts in its RemoteIPRanges. This permission can be added with the Add-ADPermission cmdlet:

Get-ReceiveConnector -Identity "Relay Connector (EXCH01)" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

If you have multiple Receive Connectors and want to check whether anonymous relay is enabled on any of them you can use the following command. Look at the User column in the output: an entry for NT AUTHORITY\ANONYMOUS LOGON on a connector whose RemoteIPRanges is still the default 0.0.0.0-255.255.255.255 means that connector is an open relay.

Get-ReceiveConnector | Get-ADPermission | where {$_.ExtendedRights -like "*Any-Recipient"}
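The whole procedure in one script, followed by an audit that goes a step further than the one-liner above by combining the granted right with the connector's RemoteIPRanges. This is an added example and not the post's own code. The server name EXCH01, the relay IP 192.168.10.25, the FQDN relay.contoso.local and the two allowed application hosts are assumptions used for illustration.

```powershell
# Added example (not the original post's code): a dedicated anonymous relay connector
# restricted to a short list of hosts, plus an audit of every Receive Connector for
# open-relay exposure. Server name, IP addresses and FQDN below are assumptions.
$Server    = "EXCH01"                              # assumed Hub Transport server
$RelayIp   = "192.168.10.25"                       # assumed secondary IP on the server's NIC
$RelayFqdn = "relay.contoso.local"                 # assumed FQDN for the connector banner
$Allowed   = @("192.168.10.50", "192.168.10.51")   # assumed application hosts allowed to relay

$relay = New-ReceiveConnector -Name "Relay Connector ($Server)" -Usage Custom `
    -Bindings "$($RelayIp):25" -Fqdn $RelayFqdn -RemoteIPRanges $Allowed `
    -Server $Server -PermissionGroups AnonymousUsers

# AnonymousUsers grants ms-Exch-SMTP-Submit but not ms-Exch-SMTP-Accept-Any-Recipient,
# so recipients outside the Accepted Domains are still rejected until this right is added.
$relay | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

function Get-AnonymousRelayConnector {
    # Lists every Receive Connector on which ANONYMOUS LOGON holds Accept-Any-Recipient,
    # together with its remote IP ranges. A connector that combines that right with the
    # default IPv4 range 0.0.0.0-255.255.255.255 is an open relay.
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $grant = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "*Accept-Any-Recipient") }
        if ($grant) {
            $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
            # New-Object instead of [PSCustomObject] so this also runs in the PowerShell 2.0
            # based Exchange 2010 Management Shell.
            New-Object PSObject -Property @{
                Connector      = $rc.Identity.ToString()
                Bindings       = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ", "
                RemoteIPRanges = $ranges -join ", "
                OpenRelay      = [bool]($ranges | Where-Object { $_ -eq "0.0.0.0-255.255.255.255" })
            }
        }
    }
}

Get-AnonymousRelayConnector | Format-Table Connector, Bindings, RemoteIPRanges, OpenRelay -AutoSize
```

Run the audit function on its own (the first half of the script is only needed once per server) whenever a connector is added or changed; a row with OpenRelay set to True is the thing to fix first, either by narrowing RemoteIPRanges or by removing the extended right with Remove-ADPermission.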

Upgrade Windows Standard to Enterprise

Note: if Exchange is installed on the server you can only use this procedure in a lab environment. Changing the Windows edition underneath an installed Exchange server is not a supported scenario!

When installing an Exchange 2010 environment in my lab I discovered that the Failover Clustering bits were not available on my planned DAG members. It turned out that I had installed Windows 2008 R2 Standard Edition instead of Enterprise Edition. Even worse, Exchange Server 2010 SP2 was already installed as well.

On TechNet there's an article that explains how to upgrade the edition of Windows 2008 R2 without using the installation media (i.e. without reinstalling Windows 2008 R2 from scratch), using DISM, the Deployment Image Servicing and Management tool.
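The DISM steps, as an added example that is not part of the original post: first check the current edition and whether Enterprise is a valid target at all, warn when Exchange is present (see the note above), and only then switch editions. The product key is a placeholder and the Exchange service name used for the check is an assumption.

```powershell
# Added example (not from the original post): inspect the running edition, confirm that
# ServerEnterprise is a valid upgrade target and switch editions with DISM.
# Run from an elevated prompt. The product key is a placeholder, not a real key.
$productKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

# Unsupported on a server that already runs Exchange (assumed service name); refuse outside a lab.
if (Get-Service -Name MSExchangeADTopology -ErrorAction SilentlyContinue) {
    Write-Warning "Exchange is installed on this server; changing the edition is only acceptable in a lab."
}

dism.exe /online /Get-CurrentEdition

# /Get-TargetEditions lists the editions this installation can be upgraded to in place.
$targets = dism.exe /online /Get-TargetEditions
if (-not ($targets -match "ServerEnterprise")) {
    throw "ServerEnterprise is not a valid target edition for this installation."
}

dism.exe /online /Set-Edition:ServerEnterprise "/ProductKey:$productKey" /AcceptEula

# DISM requires a reboot to complete the edition change; Failover Clustering is installable afterwards.
Restart-Computer -Confirm
```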

Continue reading Upgrade Windows Standard to Enterprise

Microsoft UC Specialist