When configuring an Exchange 2010 hybrid environment, a Receive Connector is created on the Exchange 2010 server. This Receive Connector is configured with the FQDN entered in the Hybrid Configuration Wizard (see previous blog post on Exchange 2010 Hybrid) and the source IP addresses of the Microsoft Exchange Online servers. If one of these servers accesses the Exchange 2010 environment, it ends up on the Office 365 Receive Connector (based on the IP address) and the correct SSL certificate is returned. This way mutual TLS is established between Exchange 2010 on-premises and Exchange Online.
It sometimes happens that the wrong certificate is used for SMTP communication between Exchange on-premises and Exchange Online, thus resulting in SMTP mail flow failure between the two.
You can check this in the Exchange Admin Center (EAC) in Exchange Online. Log on to the EAC in Exchange Online, select Mail Flow and click the Connectors tab. You’ll see two connectors: one connector for mail from Exchange 2010 to Exchange Online, and one connector for mail from Exchange Online to Exchange 2010.
Continue reading Exchange 2010 Hybrid cannot establish Mutual TLS wrong certificate is used
In an earlier blog post I wrote about Using an F5 LTM Load Balancer for Reverse Proxy with Lync 2013. This works fine for the domains that you have entered when configuring the Lync 2013 iApp in the F5.
If you have multiple SIP domains and thus multiple Simple URLs like meet.contoso.com, meet.fabrikam.com and meet.alpineskihouse.com, it doesn’t work out-of-the-box and your Lync client will fail when using these URLs.
To get this working you have to manually configure the Lync Reverse Proxy iRule in the F5. To do this you first have to disable Strict Updates, otherwise updating the iRule will fail (for security reasons this makes sense).
When Strict Updates is disabled navigate to the proper iRule as shown in the following figure:
You’ll notice that the initial FQDNs are configured here, in our example for lyncweb, meet, dialin and lyncdiscover. To get this working for other URLs just add the other domains and you’re done (and don’t forget the lyncdiscoverinternal name).
When done, don’t forget to enable Strict Updates again, just in case…
By now you should have heard about the Heartbleed bug. This is a serious vulnerability in the popular OpenSSL cryptographic software library. In case you think “but I don’t use this open stuff” you’re wrong. You might not, but your vendors might.
Continue reading Heartbleed vulnerability, Exchange and load balancers
Ok, I couldn’t resist it… In my previous blog I wrote about publishing Lync services using a Kemp Load Master. Since I’m not married to Kemp (although you might think differently, and so does Marco 😉) I also have an F5 LTM up-and-running in my lab. Time to have a closer look at the F5 when it comes to reverse proxy with Lync 2013.
Again, in my lab I have a Lync 2013 Enterprise Edition, in the perimeter network I have a Lync 2013 Edge Server, but I will use an F5 LTM load balancer.
Continue reading Using an F5 LTM Load Balancer for Reverse Proxy with Lync 2013
In my previous blog I wrote about the new SSL offloading capabilities in Exchange 2013 SP1. In this blog I will explain how to use this with a load balancer. In my lab environment I’m using an F5 (virtual) LTM running on Hyper-V. My lab is configured as shown in the following figure:
Continue reading load balancing in Exchange 2013 SP1 with F5