This posting is ~7 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.
When you use Microsoft Outlook in cached mode (which I always recommend) and add additional mailboxes to your Outlook profile, you will notice that the OST file grows. Outlook downloads the items of those mailboxes (mails, calendar entries, contacts etc.) and stores them in the OST file. This has been the default behaviour since Microsoft Outlook 2010. If you want to disable this behaviour, you have two options:
Edit the registry
Use a group policy object (GPO)
Edit the Windows registry
The easiest way is to use a reg file. Copy this text into a file and save it as disablecachedmode.reg. Then double click the file and confirm that you want to import it.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Cached Mode]
"CacheOthersMail"=dword:00000000
Please note the version number after “Office”:
Outlook | Version
Outlook 2016 | 16.0
Outlook 2013 | 15.0
Outlook 2010 | 14.0
Make sure that you use the appropriate version number for your Outlook! Otherwise the value is written to the registry, but Outlook never reads it and the setting has no effect.
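As an added example (not part of the original post), this PowerShell snippet looks up the installed Outlook version from the Outlook.Application CurVer registration, writes CacheOthersMail under the matching Office version key, and reports copies of the value sitting under a different version key, which is the “written but not working” case from the note above. The ProgId lookup and the HKCU path are assumptions about a standard Outlook installation.

```powershell
# Added example, not from the original post. Assumes Outlook registers its
# COM ProgId under HKEY_CLASSES_ROOT\Outlook.Application\CurVer and that the
# setting lives in HKCU as in the .reg file above. Run in the user's context.

$VersionTable = @{ '16.0' = 'Outlook 2016'; '15.0' = 'Outlook 2013'; '14.0' = 'Outlook 2010' }

function Get-InstalledOutlookVersion {
    # CurVer holds the versioned ProgId, e.g. "Outlook.Application.16"
    $curVer = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\Outlook.Application\CurVer').'(default)'
    $major  = ($curVer -split '\.')[-1]
    return "$major.0"
}

function Get-CachedModeKey([string]$OfficeVersion) {
    return "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Cached Mode"
}

function Set-CacheOthersMail([string]$OfficeVersion, [int]$Value = 0) {
    $key = Get-CachedModeKey $OfficeVersion
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWORD 0 = do not cache additional mailboxes, 1 = cache them (Outlook default)
    New-ItemProperty -Path $key -Name 'CacheOthersMail' -PropertyType DWord -Value $Value -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'CacheOthersMail').CacheOthersMail
}

function Get-StrayCacheOthersMail([string]$InstalledVersion) {
    # A value under a version key that does not match the installed Outlook is silently ignored
    foreach ($v in ($VersionTable.Keys | Where-Object { $_ -ne $InstalledVersion })) {
        $key = Get-CachedModeKey $v
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key -Name 'CacheOthersMail' -ErrorAction SilentlyContinue
            if ($null -ne $p) {
                [pscustomobject]@{ Version = $v; Key = $key; CacheOthersMail = $p.CacheOthersMail }
            }
        }
    }
}

$installed = Get-InstalledOutlookVersion
if (-not $VersionTable.ContainsKey($installed)) {
    throw "Outlook version '$installed' is not in the version table; extend the table before applying the setting"
}
Write-Host ("Installed: {0} ({1})" -f $VersionTable[$installed], $installed)
Write-Host ("CacheOthersMail is now {0} under {1}" -f (Set-CacheOthersMail $installed), (Get-CachedModeKey $installed))
Get-StrayCacheOthersMail $installed | ForEach-Object {
    Write-Warning "Ignored copy of CacheOthersMail=$($_.CacheOthersMail) under $($_.Key) (not the installed version)"
}
```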
Use a group policy object (GPO)
Copy the Outlk16.admx or Outlk15.admx file to the PolicyDefinitions folder (either C:\Windows or the Central Store), and the Outlk16.adml or Outlk15.adml file to the corresponding language folder.
Then you can create a new GPO. The desired setting can be found under User Configuration >> Administrative Templates >> Microsoft Outlook 201x >> Outlook Options >> Delegates >> Disable shared mail folder caching. Set it to “Enabled” and apply the GPO.
Still using Microsoft Outlook 2010?
Please note that the GPO template for Microsoft Outlook 2010 doesn’t contain the setting that controls this behaviour!
EDIT: If you have already installed .NET 4.6.1, check this blog post on how to remove it (You Had Me At EHLO…)
Microsoft Exchange relies heavily on the Microsoft .NET Framework. Because of this, Microsoft provides a matrix of the supported .NET Framework versions. A lesser-known fact is that Exchange doesn’t support every .NET Framework version, and this causes trouble from time to time. Some admins simply install the latest .NET release because “it doesn’t hurt”. Well… it hurts!
Changes for .NET Framework 4.6.1
Microsoft has changed the support policy for .NET Framework 4.6.1 with the release of Exchange 2013 CU13 and Exchange 2016 CU2. Up to these versions, only .NET Framework 4.5.2 was supported. Starting with Exchange 2013 CU13 and Exchange 2016 CU2, Microsoft supports .NET Framework 4.6.1 together with a hotfix rollup (KB3146715 for Server 2012 R2, KB3146714 for Server 2012 and KB3146716 for Server 2008 R2). If you wish to install .NET Framework 4.6.1, make sure to install Exchange 2013 CU13 or 2016 CU2 first.
.NET Framework | Exchange 2007 SP3 | Exchange 2010 SP3 | Exchange 2013 CU13 and later | Exchange 2016 CU2 and later
.NET Framework 3.5.1 | X | X | – | –
.NET Framework 4.0 | X¹ | – | – | –
.NET Framework 4.5 | X¹ | X | – | –
.NET Framework 4.5.1 | X¹ | X | – | –
.NET Framework 4.5.2 | – | – | X | X
.NET Framework 4.6.1 | – | – | X² | X²
.NET Framework 4.6.2 | – | – | – | –
¹ .NET 3.5 or 3.5.1 must be installed
² Supported with hotfix rollup (KB3146715 for Server 2012 R2, KB3146714 for Server 2012 and KB3146716 for Server 2008 R2)
Other .NET Framework versions
Microsoft .NET Framework 4.6.2 isn’t supported for any version of Microsoft Exchange. Another example: if you’re running Exchange 2010 SP3, don’t install anything above .NET Framework 4.5, not even 4.5.1. Check the Exchange Server Supportability Matrix for the .NET Framework versions supported with the Exchange version you’re running.
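As an added example (not from the original post), this check maps the .NET 4.x “Release” registry value to the version names used in the table above and applies the support statement of this post for Exchange 2013 CU13 and later and Exchange 2016 CU2 and later, including the hotfix rollup required for 4.6.1. The Release minimums are Microsoft’s published values; the Exchange 2016 CU2 build (15.1.466.34) appears in the Get-ExchangeServer output elsewhere on this page, while the Exchange 2013 CU13 build (15.0.1210.3) is assumed from outside this page and should be verified against the release notes.

```powershell
# Added example, not from the original post. Support rules follow the table in
# this post (Exchange 2013 CU13+ / 2016 CU2+: 4.5.2, or 4.6.1 with hotfix rollup).
# 15.0.1210.3 (2013 CU13) is an assumed build number; verify before relying on it.

$ReleaseMinimums = @(   # newest first; the first minimum the Release value reaches wins
    @{ Min = 394802; Name = '4.6.2' },
    @{ Min = 394254; Name = '4.6.1' },
    @{ Min = 393295; Name = '4.6'   },
    @{ Min = 379893; Name = '4.5.2' },
    @{ Min = 378675; Name = '4.5.1' },
    @{ Min = 378389; Name = '4.5'   }
)
# Hotfix rollup required for .NET 4.6.1, keyed by Windows kernel version
$HotfixForOs = @{ '6.1' = 'KB3146716'; '6.2' = 'KB3146714'; '6.3' = 'KB3146715' }

function Get-DotNetVersionName([int]$Release) {
    foreach ($r in $ReleaseMinimums) { if ($Release -ge $r.Min) { return $r.Name } }
    return 'pre-4.5'
}

function Get-InstalledDotNetRelease {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release).Release
}

function Test-ExchangeDotNetSupport {
    param(
        [string]$AdminDisplayVersion,   # e.g. "Version 15.1 (Build 466.34)"
        [int]$Release,                  # value of HKLM\...\NDP\v4\Full\Release
        [string]$OsVersion,             # "6.1" = 2008 R2, "6.2" = 2012, "6.3" = 2012 R2
        [string[]]$InstalledHotfixes
    )
    if ($AdminDisplayVersion -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        throw "Unexpected version string '$AdminDisplayVersion'"
    }
    $build = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $net   = Get-DotNetVersionName $Release
    if ($build.Major -lt 15) { return "Exchange $build (2010 or older) is not covered by this check; see the matrix above" }
    $minimum = if ($build.Minor -eq 0) { [version]'15.0.1210.3' } else { [version]'15.1.466.34' }
    if ($build -lt $minimum) {
        if ($net -eq '4.5.2') { return "OK: .NET $net is supported with Exchange $build" }
        return "NOT SUPPORTED: Exchange $build predates 2013 CU13 / 2016 CU2, only .NET 4.5.2 is supported (found $net)"
    }
    switch ($net) {
        '4.5.2' { return "OK: .NET $net is supported with Exchange $build" }
        '4.6.1' {
            $kb = $HotfixForOs[$OsVersion]
            if (-not $kb) { return "Unknown Windows version $OsVersion; cannot determine the required hotfix rollup" }
            if ($InstalledHotfixes -contains $kb) { return "OK: .NET $net with hotfix rollup $kb" }
            return "NOT SUPPORTED: .NET $net without hotfix rollup $kb on Windows $OsVersion"
        }
        default { return "NOT SUPPORTED: .NET $net with Exchange $build" }
    }
}

# Constructed input matching this post: Exchange 2016 CU2 on Server 2012 R2, .NET 4.6.1, rollup missing
Test-ExchangeDotNetSupport -AdminDisplayVersion 'Version 15.1 (Build 466.34)' -Release 394271 -OsVersion '6.3' -InstalledHotfixes @()

# Live check on an Exchange server (run from the Exchange Management Shell):
# $os = ((Get-CimInstance Win32_OperatingSystem).Version -split '\.')[0..1] -join '.'
# Test-ExchangeDotNetSupport -AdminDisplayVersion (Get-ExchangeServer $env:COMPUTERNAME).AdminDisplayVersion `
#     -Release (Get-InstalledDotNetRelease) -OsVersion $os -InstalledHotfixes (Get-HotFix | Select-Object -ExpandProperty HotFixID)
```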
Side notes
Microsoft PowerShell is part of the Windows Management Framework (WMF). Microsoft Exchange only supports the WMF built into the underlying Windows Server version.
This also applies to Microsoft Outlook. I wonder how many Exchange projects fail because the Microsoft Outlook version used by the customer isn’t supported.
Another bug in Exchange 2016 CU2. The Role of a new receive connector is greyed out. You can select “Front-End-Transport”. This is a screenshot from a German Exchange 2016 CU2.
Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0
Solution
Use the Exchange Management Shell to create a new receive connector. Afterwards, you can modify it with the Exchange Control Panel (ECP).
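As an added example (not from the original post), this is how the connector can be created from the Exchange Management Shell with the Front End Transport role set explicitly, scoped to a single application subnet and without relay rights; the server name is taken from the Get-ExchangeServer output elsewhere on this page, the connector name, port and subnet are assumed values.

```powershell
# Added example, not from the original post. Creates a front-end receive
# connector with the role the ECP greys out in CU2. Port, subnet and name are
# assumed values; MAIL-2 is a server name shown elsewhere on this page.
$Server = 'MAIL-2'
$Name   = 'App relay (frontend)'

New-ReceiveConnector -Name $Name -Server $Server `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings '0.0.0.0:2525' `
    -RemoteIPRanges '192.0.2.0/24' `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers
# AnonymousUsers allows submission from the listed subnet only; it does not
# include ms-Exch-SMTP-Accept-Any-Recipient, so the connector is no open relay.

# Verify the role the GUI could not set; further changes can be made in the ECP
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -eq $Name } |
    Format-List Identity, TransportRole, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
```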
After deploying a new Microsoft Exchange organization with Exchange 2016, or after deploying a Microsoft Exchange 2016 into an existing organization, you might notice a strange behaviour regarding the Offline Address Books (OAB).
Huh?! Where does this Exchange 2013 OAB come from? As you can see in the cmdlet output, there’s no Exchange 2013 in this organization.
[PS] C:\Windows\system32>Get-ExchangeServer | select Name, AdminDisplayVersion
Name AdminDisplayVersion
---- -------------------
MAIL-1 Version 14.3 (Build 123.4)
MAIL-2 Version 15.1 (Build 466.34)
MAIL-3 Version 15.1 (Build 466.34)
There is no Exchange 2013 server in this organization, only Exchange 2010 (version 14.3) and Exchange 2016 (version 15.1).
This is nothing to worry about. Microsoft has confirmed that this is a bug. The OAB simply has the wrong name and Microsoft will fix it in an upcoming cumulative update. It’s not fixed in the latest CU2 for Exchange 2016! There’s also no need to change the name of the OAB.
So don’t panic if you deploy Microsoft Exchange 2016 CU2 and see “Ex2013” in the OAB name. Ignore it.
Sometimes it’s necessary to have two DNS servers that are authoritative for the same DNS namespace. This is the case if you use the same namespace for your web site and your internal Active Directory domain, e.g. terlisten-consulting.de. Or that you have created the zone terlisten-consulting.de in your Windows DNS to point specific hosts to internal IP addresses. The DNS servers at your ISP would be authoritative, and the domain controllers of your Active Directory would also be authoritative for the same domain. The response to a query depends on which DNS server you ask. So what would happen if you try to resolve www.terlisten-consulting.de, and the internal DNS has no record for it?
In this case, the domain controller in my lab is authoritative for terlisten-consulting.de. But it doesn’t have an A record for www.terlisten-consulting.de. If I remove the zone from my domain controller, or if I use an external DNS server, I get a non-authoritative answer.
Hosting the same DNS namespace on different DNS servers is called “split DNS” (sometimes also called split-horizon DNS, split-view DNS or split-brain DNS).
Do it right
Split DNS is pretty handy, and sometimes it’s necessary. When it comes to Microsoft Exchange, it’s common practice to use the same external DNS namespace for the internal and external URLs. This requires that I create a zone for the externally used DNS namespace on my internal DNS (in most cases: Microsoft Windows Active Directory domain controllers). The downside: I must create all DNS entries on my internal DNS and point them to their external IP addresses, except the ones that should point to an internal IP.
FQDN | Internal/external IP address
www.terlisten-consulting.de | external IP address
exchange.terlisten-consulting.de | internal IP address
shop.terlisten-consulting.de | external IP address
Otherwise, users that use the domain controllers as their DNS server wouldn’t be able to resolve www or shop. This is challenging. But there’s a solution.
Create split DNS for single hosts
The Domain Name System is organized hierarchically. Because of this, I can tell my DNS server to be authoritative only for a sub-tree of a domain, e.g. exchange.terlisten-consulting.de. If I try to resolve www.terlisten-consulting.de, the DNS server walks down the hierarchy starting at the DNS root servers (or asks a forwarder). Instead of creating a zone for the whole namespace, create a zone for the host. Simply add
a new primary zone
don’t allow dynamic updates to the zone, and
create a new A or AAAA record for the host
Make sure
to leave the name field empty
don’t create a PTR record
point it to the internal IP of the host
A simple nslookup will show if split DNS works as expected.
Works as expected. Make sure to clear the DNS server cache after you have added the zones.
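The procedure above scripted with the Windows DnsServer module, as an added example that is not part of the original post: a primary zone named after the host, dynamic updates disabled, the A record at the zone apex without a PTR, the server cache cleared, and a resolution check for both the host and another name in the parent domain. The DNS server name and the internal IP address are assumed values.

```powershell
# Added example, not from the original post. Single-host split DNS on a
# Windows DNS server, following the steps in the post. Assumed values:
# the DNS server name and the internal address (RFC 5737 documentation range).
$HostFqdn   = 'exchange.terlisten-consulting.de'   # host name from the post
$ParentHost = 'www.terlisten-consulting.de'        # must keep resolving externally
$InternalIp = '192.0.2.25'                         # assumed internal address
$DnsServer  = 'dc.lab.local'                       # assumed Windows DNS server (domain controller)

# 1. A primary, AD-integrated zone whose name is the host name itself.
#    DynamicUpdate None: no client or DHCP server can register records into it.
if (-not (Get-DnsServerZone -Name $HostFqdn -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $HostFqdn -ReplicationScope Domain -DynamicUpdate None -ComputerName $DnsServer
}

# 2. The A record at the zone apex ('@' is the empty name); -CreatePtr is left out on purpose.
Add-DnsServerResourceRecordA -ZoneName $HostFqdn -Name '@' -IPv4Address $InternalIp -ComputerName $DnsServer

# 3. Drop cached recursive answers so the new zone is used immediately.
Clear-DnsServerCache -ComputerName $DnsServer -Force

# 4. Verify: the host must come back with the internal IP, everything else in the
#    parent domain must still resolve recursively (the non-authoritative answer in the post).
$internal = Resolve-DnsName -Name $HostFqdn   -Server $DnsServer -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' }
$external = Resolve-DnsName -Name $ParentHost -Server $DnsServer -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' }
if ($internal.IPAddress -notcontains $InternalIp) {
    Write-Warning "$HostFqdn resolves to $($internal.IPAddress -join ', '), expected $InternalIp"
}
if (-not $external) {
    Write-Warning "$ParentHost no longer resolves: the zone name must be the host name, not the whole domain"
}
'{0,-40} {1}' -f $HostFqdn,   ($internal.IPAddress -join ', ')
'{0,-40} {1}' -f $ParentHost, ($external.IPAddress -join ', ')
```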
Windows DNS Server Policies
Windows Server 2016 will introduce Windows DNS Server Policies. DNS Policies will allow you to control how a DNS server answers queries based on parameters like the source IP address, the IP address of the network interface that received the query etc. In the future, DNS Server Policies can be used to configure split DNS.
Today I had a customer call where an Exchange 2010 backup repeatedly failed. HPE Data Protector was unable to create a differential or incremental backup. For each database, the following error was logged:
[Minor] From: OB2BAR_E2010_BAR@exchangeserver.domain.tld "MS Exchange 2010+ Server" Time: 21.03.2016 20:00:27
[170:313] One or more copies of database DATABASE are already being backed up in a different session.
Interestingly, there was no other backup session running. But the night before, the backup jobs failed because of a network failure.
The solution is easy. This error is caused by stale information in the Data Protector database. To remove it, open an administrative CMD on the Data Protector Cell Manager and run this omnidbutil command:
Some days ago, I installed a new Exchange 2013 CU11 for some tests in my lab. Nothing fancy, just a single server deployment on a Windows Server 2012 R2 VM. I deployed this Windows Server from a template, which had been updated with the latest Windows patches and WMF some days earlier. The Exchange setup went smoothly. I updated the SSL certificates and the internal and external URLs of the virtual directories. Then I started the Exchange Management Shell (EMS) to update the Autodiscover URL in the service connection point (SCP) in Active Directory.
VERBOSE: Connecting to exchange1.lab.local.
New-PSSession : Cannot find path '' because it does not exist.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Micr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], RemoteException
+ FullyQualifiedErrorId : PSSessionOpenFailed
Well… that doesn’t look successful. I quickly switched to a PowerShell window and imported the Exchange snap-in manually.
Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
PS C:\Users\Administrator> & 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\RemoteExchange.ps1'
Welcome to the Exchange Management Shell!
Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List
Show quick reference guide: QuickRef
Tip of the day #22:
Get all Win32 WMI information, such as Perfmon counters and local computer configurations. For example, type:
Get-WMIObject Win32_PerfRawData_PerfOS_Memory
PS C:\Users\Administrator> Get-ExchangeServer | ft -AutoSize
Name Site ServerRole Edition AdminDisplayVersion
---- ---- ---------- ------- -------------------
EXCHANGE1 lab.local/Configuration/Sites/Cologne Mailbox, ClientAccess Enterprise Version 15.0 (Build 1130.7)
PS C:\Users\Administrator>
Looks better, doesn’t it?
I compared my lab setup to a running Exchange 2013 single server deployment and I stumbled over the PowerShell version. In addition, I found the Windows Management Framework 5 Production Preview (KB3066437) on my freshly deployed Windows Server 2012 R2 VM.
[PS] C:\Windows\system32>$PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 0 10514 6
After checking the Exchange Server Supportability Matrix, it was clear what had happened: WMF 5 is not supported (Source). Not supported with Exchange 2013, and also not supported with Exchange 2016.
After I had removed KB3066437 from my Exchange server, the EMS loaded successfully.
Welcome to the Exchange Management Shell!
Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List
Show quick reference guide: QuickRef
Tip of the day #25:
One benefit of the Exchange Management Shell is that cmdlets can output objects to the console. You can then manipulate this output and organize it in interesting ways. For example, to get a quick view in tabular format, use Format-Table:
Get-Mailbox | Format-Table Name,Database,RulesQuota
VERBOSE: Connecting to exchange1.lab.local.
VERBOSE: Connected to exchange1.lab.local.
[PS] C:\Windows\system32>
You should ALWAYS check whether installed applications are supported with a newer version of PowerShell/WMF! Currently, no Exchange version is supported with PowerShell 5/WMF 5.
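As an added example (not from the original post), a pre-flight check that fails when PowerShell 5/WMF 5 is present on a server that is about to receive Exchange 2013 or 2016, names the WMF 5 Production Preview package from this post if it is installed, and can remove it the same way Control Panel does. The constructed input reproduces the version shown in $PSVersionTable above.

```powershell
# Added example, not from the original post. Checks the WMF/PowerShell level
# against the support statement in this post (no Exchange version supports WMF 5).
function Test-WmfSupportedForExchange {
    param(
        [version]$PSVersion = $PSVersionTable.PSVersion,
        [string[]]$InstalledHotfixIds = (Get-HotFix | Select-Object -ExpandProperty HotFixID),
        [switch]$Remediate
    )
    $findings = @()
    if ($PSVersion.Major -ge 5) {
        $findings += "PowerShell $PSVersion found; no Exchange version is supported with WMF 5"
    }
    if ($InstalledHotfixIds -contains 'KB3066437') {
        $findings += 'WMF 5 Production Preview (KB3066437) is installed'
        if ($Remediate) {
            # Same removal as "Uninstall an update" in Control Panel; a reboot is required afterwards
            Start-Process -FilePath 'wusa.exe' -ArgumentList '/uninstall /kb:3066437 /quiet /norestart' -Wait
            $findings += 'Removal of KB3066437 started via wusa.exe; reboot and re-run this check'
        }
    }
    return $findings
}

# Constructed input reproducing the situation in this post (WMF 5 preview on Server 2012 R2)
Test-WmfSupportedForExchange -PSVersion '5.0.10514.6' -InstalledHotfixIds @('KB3066437')

# Live check on the server (add -Remediate to uninstall the preview package):
# Test-WmfSupportedForExchange
```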
Microsoft Exchange Server licensing is rather simple. You can choose between two Exchange licenses:
Standard (up to 5 mailbox databases)
Enterprise (up to 100 mailbox databases)
Standard and Enterprise only differ in the number of supported databases! Feel free to use an Exchange DAG with Exchange Standard and Windows Server Standard! To license your clients, you have to purchase a Client Access License (CAL) for each user or device that accesses your Exchange server environment. There are two types of CALs:
Standard
Enterprise (add-on for Standard CAL)
The Standard CAL is always necessary and enables most features of Exchange. The Enterprise CAL is an add-on license. If a user needs one of the Enterprise CAL features, you have to purchase a Standard AND an Enterprise CAL. The Enterprise CAL enables the following features:
In-Place Archive
Retention policies
Apply Information Rights Management (IRM)
Site mailboxes
DLP Policy Tips
Pretty simple, isn’t it? But have you thought about your Microsoft Outlook license? To use the Exchange Enterprise CAL features, you have to consider your Microsoft Outlook licensing! You have to use an Outlook version that is supported with your specific Exchange Server version, and you also have to consider whether you have retail or volume licenses. Microsoft Exchange Enterprise CAL features can be used with the following Microsoft Outlook licenses:
Outlook 2016
Outlook 2016 stand-alone (Retail or Volume License)
Outlook 2016 included with Microsoft Office Professional Plus 2016 (Volume License)
Outlook 2013
Outlook 2013 stand-alone (Retail or Volume License)
Outlook 2013 included with Microsoft Office Professional Plus 2013 (Volume License)
Outlook 2010
Outlook 2010 stand-alone (Retail or Volume License)
Outlook 2010 included with Microsoft Office Professional Plus Subscription (Retail)
Outlook 2010 included with Microsoft Office Professional Plus (Volume License)
Outlook 2007
Outlook 2007 stand-alone (Retail or Volume License)
Outlook 2007 included with Microsoft Office Ultimate 2007 (Retail)
Outlook 2007 included with Microsoft Office Professional Plus 2007 (Volume License)
Outlook 2007 included with Microsoft Office Enterprise 2007 (Volume License)
The correct Outlook client license is important! If you try to use Outlook 2013 included with Microsoft Office Professional (Retail) with In-Place Archive for example, the archive will not show up in Outlook. If everything is licensed correctly, your Outlook with enabled archiving should look like this:
Please note that Outlook 2007 is not supported with Exchange 2016. Please also note that the Enterprise CAL features “Site mailboxes” and “DLP Policy Tips” can only be used with Outlook 2013 and later.
EDIT
This issue is described in KB2971270 and is fixed in CU6.
I have run into this error a couple of times. After applying changes to SSL certificates (adding, replacing or deleting an SSL certificate) and rebooting the server, the event log is flooded with events from source “HttpEvent” with event ID 15021. The message says:
An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.
If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.
C:\windows\system32>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:444
Certificate Hash : a80c9de605a1525cd252c250495b459f06ed2ec1
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8172
Certificate Hash : 09093ca95154929df92f1bee395b2670a1036a06
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 127.0.0.1:443
Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Check the certificate hash and application ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice that the application ID for these three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that’s the point. Remove the certificate binding for 0.0.0.0:444.
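As an added example (not from the original post), this script parses the “netsh http show sslcert” output into objects and flags every binding that shares the application ID of 0.0.0.0:443 but carries a different certificate hash, which is exactly the mismatch described above; the sample text is a constructed excerpt of the output shown in this post, and the delete command is the removal the post prescribes.

```powershell
# Added example, not from the original post. Detection logic for the mismatch
# described above, run against a constructed excerpt of the netsh output on this page.
function ConvertFrom-NetshSslCert([string[]]$Lines) {
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            # Each "IP:port" line starts a new binding block
            if ($null -ne $current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $Matches[1] }
        } elseif ($null -ne $current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Find-MismatchedBindings($Bindings, [string]$ReferenceIpPort = '0.0.0.0:443') {
    # Bindings with Exchange's application ID must all carry the hash bound to 0.0.0.0:443
    $ref = $Bindings | Where-Object { $_.IpPort -eq $ReferenceIpPort }
    if (-not $ref) { throw "No binding for $ReferenceIpPort found" }
    $Bindings | Where-Object {
        $_.'Application ID' -eq $ref.'Application ID' -and $_.'Certificate Hash' -ne $ref.'Certificate Hash'
    }
}

# Constructed excerpt of the "netsh http show sslcert" output shown in this post
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : a80c9de605a1525cd252c250495b459f06ed2ec1
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 127.0.0.1:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
'@ -split "`r?`n"

# On a real server use the live output instead:  $sample = netsh http show sslcert
$mismatched = Find-MismatchedBindings (ConvertFrom-NetshSslCert $sample)
foreach ($b in $mismatched) {
    Write-Host "Mismatch on $($b.IpPort): hash $($b.'Certificate Hash') differs from 0.0.0.0:443"
    # Fix from the post: remove the binding. Uncomment to apply on the server.
    # netsh http delete sslcert ipport=$($b.IpPort)
}
```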
Microsoft introduced the Web Application Proxy (WAP) with Windows Server 2012 R2 and positioned it as a replacement for Microsoft Unified Access Gateway (UAG), Threat Management Gateway (TMG) and IIS Application Request Routing (ARR). WAP is tightly bound to the Active Directory Federation Services (AD FS) role. WAP can be used
to pre-authenticate access to published web applications, and
as an AD FS proxy
The AD FS proxy role was removed in Windows Server 2012 R2 and it’s replaced by the WAP role. Because WAP stores its configuration in the AD FS, you must deploy AD FS in your organization. The server, that hosts the WAP, has no local configuration. This allows you to deploy additional WAP servers to create a cluster deployment. The additional servers get their configuration from the AD FS.
The deployment of WAP can be split into two parts:
deployment of the AD FS role
deployment of the WAP role
The AD FS deployment
You can deploy the AD FS role on a domain controller or on a separate server. AD FS acts as an identity provider. This means that it authenticates users and provides security tokens to applications that trust the AD FS instance. On the other hand, it can act as a federation provider. This means that it can consume tokens from other identity providers and provide security tokens to applications that trust AD FS. The AD FS role can be deployed onto a domain controller or an AD member server.
The first step is to install the AD FS role onto an AD member server or domain controller. I used the DC in my lab. Depending on your needs, this can be different. I used PowerShell to install the AD FS role.
A reboot is not necessary. The next step is to configure the AD FS role. This process is supported by a configuration wizard. Before you can start, it’s necessary to deploy the group Managed Service Account (gMSA). Open a PowerShell console and execute the following commands:
Then you can start the configuration wizard. If this is the first AD FS server, select the first option “Create the first federation server in a federation server farm”.
To perform the configuration, you need an account with domain administrator permissions. In my case, I simply used the Administrator account.
You need to enroll an SSL certificate for AD FS. This certificate must include the DNS name of the AD FS server and also the Subject Alternative Names enterpriseregistration and enterpriseregistration.yourdomainname.tld. This screenshot includes the values that I used in my lab deployment. I entered these values into the “Attributes” box:
Create the certificate and export it with the private key as pfx file. You must import the certificate into the “Personal” store of the local computer, that acts as AD FS server. You also need two DNS entries for the names, that are included in the certificate.
If the certificate import was successful, you can select the certificate in the wizard. Add the Federation Service Name and the Display Name.
The Service Account can be an existing domain user account or a Managed Service Account. I used my Administrator account for simplicity.
If you deploy a single server, you can use the Windows Internal Database. If you plan to deploy multiple AD FS servers, you have to use a SQL Server database.
Review the options and continue with the pre-requisite checks. If everything went well, you can proceed with the installation. Finish the setup and close the wizard.
Open a browser and enter the AD FS URL into the address bar. In my case this URL looks like this:
If you get a screen like this, everything’s fine and AD FS works as expected. Check the Windows Server 2012 R2 AD FS Deployment Guide for more information. Now it’s time to deploy the Web Application Proxy.
The WAP deployment
To install the WAP role, simply open a PowerShell and run the Install-WindowsFeature cmdlet.
Then you can run the WAP configuration wizard. This wizard guides you through the configuration of the WAP role.
First you have to connect to the AD FS server. Enter the Federation service name you used to deploy the AD FS instance, and provide the necessary user credentials.
At this point you have to select the certificate, that is used by the AD FS proxy. You can use the same certificate you used for the AD FS server. But you can also create a new certificate. The certificate must be imported into the “Personal” store of the WAP server.
Confirm the settings and click “Configure”. At this point, the wizard executes the shown PowerShell command.
Close the wizard and open the management console of the Web Application Proxy to check the operational status. At this point, the WAP only acts as an AD FS proxy.
To test the functionality, I decided to publish Outlook Web Access (OWA). Use the “Publish New Application Wizard” to publish a new application.
To publish OWA, select “Pass-through” as pre-authentication method.
Now it’s getting interesting. When you enter the external URL, the backend server URL is automatically filled. External and Backend URL have to be the same URL. Because of this, you need split DNS (see “Configure the Web Application Proxy Infrastructure” and “AD FS Requirements” at the Microsoft TechNet Library). You also need a valid external certificate, that matches the FQDN used in the external URL.
Check the settings and click “Publish”. The wizard executes the shown PowerShell command.
Close the wizard and check the functionality of the published application. This screenshot shows the access to OWA from one of my management VMs (MGMTWKS1):
This drawing shows my lab setup. I’ve used two subnets (192.168.200.64/27 and 192.168.200.96/27) to simulate internal and external access, as well as split DNS.
The host dc.vcloudlab.local (192.168.200.97) has the AD FS role installed and resolves cas.terlisten-consulting.de to 192.168.200.103 (HAProxy). MGMTWKS1 resolves the same FQDN to 192.168.200.109 (WAP1 – my WAP server).
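The whole lab deployment scripted end to end with the AD FS and Web Application Proxy cmdlets, as an added example that is not the author’s own command lines (which did not survive on this page): gMSA prerequisites, the federation farm, the WAP trust and the OWA pass-through publication with identical external and backend URL. Host names follow the lab described above; the federation service name, the NetBIOS domain, the gMSA name and the certificate lookups are assumed values, and each part runs on the host named in its comment.

```powershell
# Added example, not the author's commands. Assumed values: federation service
# name adfs.vcloudlab.local, NetBIOS domain VCLOUDLAB, gMSA gmsa-adfs, and that
# the certificates were imported into LocalMachine\My on each host beforehand.

# ----- Part 1: on the AD FS host (the DC dc.vcloudlab.local in the post) -----
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# gMSA prerequisite: a KDS root key in the forest. Backdating is a lab shortcut;
# in production create the key once and wait the 10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) }
$fsName = 'adfs.vcloudlab.local'
New-ADServiceAccount -Name 'gmsa-adfs' -DNSHostName $fsName `
    -PrincipalsAllowedToRetrieveManagedPassword 'DC$'     # computer account of the AD FS host

# Certificate with the federation service name and the enterpriseregistration SANs
$adfsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" } | Select-Object -First 1
if (-not $adfsCert) { throw "No certificate for $fsName in LocalMachine\My" }

Install-AdfsFarm -CertificateThumbprint $adfsCert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'vcloudlab AD FS' `
    -GroupServiceAccountIdentifier 'VCLOUDLAB\gmsa-adfs$' `
    -Credential (Get-Credential 'VCLOUDLAB\Administrator')

# Smoke test: the federation metadata must be served over the new name
(Invoke-WebRequest -UseBasicParsing "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml").StatusCode

# ----- Part 2: on the perimeter host (WAP1, 192.168.200.109 in the post) -----
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$fsName   = 'adfs.vcloudlab.local'
$wapCert  = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" } | Select-Object -First 1
Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential (Get-Credential 'VCLOUDLAB\Administrator') `
    -CertificateThumbprint $wapCert.Thumbprint

# Publish OWA as pass-through. External and backend URL are identical, which is
# why split DNS is needed: WAP1 resolves cas.terlisten-consulting.de to the
# internal HAProxy (192.168.200.103), external clients resolve it to WAP1.
$owaUrl  = 'https://cas.terlisten-consulting.de/owa/'
$extCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=cas.terlisten-consulting.de*' } | Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'OWA' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $owaUrl `
    -BackendServerUrl $owaUrl `
    -ExternalCertificateThumbprint $extCert.Thumbprint

# Operational status and the published application, as shown in the console
Get-WebApplicationProxyHealth
Get-WebApplicationProxyApplication | Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```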
Final words
This is only a very, very basic setup, and I deployed it in my lab. The installation was not very difficult, and I was quickly able to set up a working environment. Before you start to deploy AD FS/WAP, I recommend taking a look into the TechNet Library: