On Premises Exchange Integration Windows Server 2012 Essentials
July 11, 2012 25 Comments
Yes, you heard me right. Hopefully by now the news of the end of development, shall we say, of SBS 2011 Standard has settled in, and you are ready for how to tackle the void left in the market. I know many partners and folks are talking about alternatives, Kerio, Hosted 
Exchange or any number of other solutions, but i wanted to demonstrate how easy it is to setup the OnPrem (OP) integration with an Exchange server, and how it is possible to access both, using 1 single public IP address.
I have no idea how much it would actually cost to do in production though!
So, first of all, this is all based on the beta code recently released, so i do reserve the right to look stupid when they pull the code out due to ‘feedback’.
Second of all, this is based on Windows Server 2012 Essentials, with a second server running Windows 2008 R2 Standard, w/SP1 and Exchange 2010.
What will you need?
- A server running WSE
- A server running Windows 2008 R2 SP1
- Exchange 2010 Media
- SSL Certificate
- Dare i suggest, an Internet Connection?
Modify Group Membership
The very first step is to make our Domain Administrator a member of the Enterprise Admins group.
From the WSE server, go to Start, then Administrative tools.
- Open up Active Directory Users and Computers (ADUC), then under the Users container, find your Domain Administrator account.
- Go to the properties of the account.
- Go to the Member Of tab, and click Add.
- Type in Enterprise Admins, then click OK and close down ADUC.
Install WSE Connector Software
I’ll assume you have installed your 2008R2 server, and it is in a workgroup ready to go.
You may not know, that the WSE Dashboard now supports Servers. That means we can install the connector!
If you’re thinking that means WSE will backup a server, It won’t.
First of all, open up a web browser on your Server2008R2 box, and go to the connect site of the WSE server, this would be
http://wseserver/connect
Click on the button to download software, and run when prompted.
Those of you already familiar with SBS Essentials, will have seen this all before.
The connect to server wizard will start, and run through a few steps.
Ordinarily we would enter a standard user account here, but i am using the Domain Admin account.
After a reboot we have to chose whether this computer is for us, or another user, and also to enter a description.
After a short time the wizard should complete, and you will see your server now shows up in the dashboard.
See, i told you it would appear in the dashboard.
Now we need to do some prep in order to get Exchange installed.
First off you will need some Exchange media, i just used the trial download that is available.
I extracted the Exchange media out to a folder called EX in the downloads folder of my profile.
Second you need to install some server roles.
Install Server Roles required for Exchange
We need to install a few server roles in order for Exchange to function. I prefer PowerShell for this because i think its easier. I found a really useful blog post on exactly this topic here.
So, go ahead and open up an Administrative PowerShell window.
Then run the following:
Import-Module ServerManager
Then:
Add-WindowsFeature NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model, RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation, RPC-Over-HTTP-Proxy –Restart
Your server will install those roles and reboot.
Install Exchange & Configure
Now, for a little customisation of my own. I wrote a script that will use the Exchange command line installation method, and then run through a ‘wizard’ to add the crucial components to make Exchange work as you would expect.
I will make the script available for download soon.
My custom script is called Install.ps1, as you can see below, you have to modify PowerShells Execution Policy to run scripts, which is easily done by typing:
Set-ExecutionPolicy RemoteSigned
If you are downloading a script from the internet, you will usually need to ‘unblockit’ by right clicking the file, going to properties and clicking Unblock.
Install.ps1 – Running…
I have cropped the above slightly, and not going to explain each step, however the script installs Exchange, installs the Office 2010 Filter pack, then asks the Administrator some basic questions about the environment (coloured sections) and then Sets up Accepted Domains, Email Address Policy, Receive Connectors and Send Connectors. The Send Connector section will support a smart host that requires Authentication as well, and you can also change the SMTP port number, all from this one script.
You can read more about the Script here
http://wp.me/p1i7Su-128
Moving on, we can now go ahead and enable the integration.
Install SSL Certificate for Exchange
For Exchange to work correctly over the internet, we will need an SSL certificate.
This needs to be a different SSL certificate (different common name) than the certificate used for RWA on the WSE server.
That suits me because i gave up using Third Party domain names on my SBSE or WSE servers, and now always use the free *.remotewebaccess.com domain provided by Microsoft. It also means i am free to use my existing SBSE SSL for Exchange.
You will need your SSL Certificate in PFX Format (this means it includes the private key)
On your Exchange Server, open up an MMC.
Use the File menu to add snapin, and then add the Certificates Snapin for the Local Computer.
Expand Certificates, Personal, and in the free space, right click, then choose All Tasks, Import.
Complete the wizard to install your PFX file.
You will see your certificate shows up.
Now, we need to load the Exchange Shell.
Enter this command:
Get-ExchangeCertificate
You will see several results returned, one of which should easily be identifiable as the certificate we just installed.
Copy the ‘Thumbprint’ of that certificate.
Now enter:
Enable-ExchangeCertificate –Thumbprint XXXXXXXXXXXXX –Services IIS,SMTP
This command will import your certificate onto the Default Website for use with OWA / OA and also enable it for use with SMTP if needed.
If we run the ‘Get’ command again, we can now see the services are enabled for that certificate.
Enable Outlook Anywhere
Now we just need to quickly enable Outlook Anywhere, which we can do easily from the Exchange Management Console (EMC), proof if you needed it i am not 100% committed to PowerShell yet.
Open up the EMC, Expand Server Configuration, then choose Client Access. On the right hand side Choose Enable Outlook Anywhere.
Enter the address you will use to access your server remotely.
Then click Enable.
Install Application Request Routing to WSE
Now we can switch over to the WSE server and install the magic component.
Go to IIS.net and download Application Request Routing.
You will likely need to install the Web Platform Installer, which gave me an error about .NET2 (which i ignored and refreshed the page) it then continued as normal. I have screen shots of the process but not the error as i was scratching my head for a moment. You will also most likely need to adjust your security zones and add a site to trusted sites.
Hopefully you can get through that, and get ARR installed.
Another side note as you can see below, it says it failed, and it also says it succeeded. I chose to ignore the failure, and it turned out ok for me.
You will need to copy the PFX file over to your WSE server and have it in a easy to type path.
Open up c:\program files\windows server\bin in an administrative command prompt.
Enter the following:
ARRConfig Config –Cert <path to cert> –hostnames <common name in SSL>
For Example,
ARRConfig Config –Cert c:\users\dfunk\desktop\ssl.pfx –hostnames remote.sbsessentials.co.uk
You are then prompted for the password on the certificate and then it should complete for you.
Wait, no, you now have an error.
We need to enable Exchange Integration in the Dashboard (almost forgot)
Enable WSE Exchange Integration
Load up the Dashboard, and follow the prompts under ‘Email’ to enable Integration to your Exchange Server.
The Dashboard will reload, and you should have a nice green tick!
We can go back to our command prompt, run the same command, and this time it completes.
And that’s it!
Finish and Test Connectivity
Assuming you have the correct DNS records in place, ie an MX record and an A record that point to the right public IP address you have now integrated your on premises Exchange Server.
Don’t forget to open port 25 on your router and point to your Exchange servers internal IP.
(Just to show these both go to the same IP)
You can also now go to www.testexchangeconnectivity.com and run a test to make sure everything is ok!
I got a green check, and also a warning about a certificate chain, but i am just focussing on the green check.
Check Check!!
Anyway, i hope you found this useful, it was certainly a lot of fun to work on.
I am very interested to hear comments about this integration feature/idea and also any comments on the beta as a whole!
Update 15/08/201 : Microsoft has now made public it’s own steps which are available here.
About Robert Pearman
Great work!
What about Sharepoint Foundation Server 2010? Maybe you already work on that?
Why did you choose Server 2008 R2 SP1 instead of Server 2012 for the Exchange Server machine? Will there be trouble ahead?
No reason really, just if i were going to deploy this on day one, i would probably use 2012 as a host, but Exchange 2010 on 2008R2 is a known quantity.
Right now only server 2008 r2 and not 2012 is supported for Exchange 2012. There’s a schema update ulimately needed to get 12 to work (of which we don’t have access to
I think Susan means Exchange 2010.
Great walkthrough Robert! Are you aware yet of the licensing requirement details when we go with this configuration; for the second server would we need Windows CAL’s for networks <25 users in addition to the Exchange CAL's? Or are the CAL's covered by Essentials? Can we run Essentials 2012 as a VM or does it need to be a separate physical server?
No, no other servers in the network would be covered by the Essentials ‘CALs’ althought final pricing and CAL information is yet to be published.
Found this blog and would like to thank you for the walk through.
One question though: I am trying to get a windows 2012 essentials up and running with an exchange server.
The scenario I would like to create is have the people log into the RWA on essentials and have a link to OWA. Is there any way of doing this in a fashion so that the user wouldn’t have to log into 2 sites? (First having to log into the RWA, and then having to put in the credentials for OWA)
My goal is to set up a web interface similiar to the sbs 2011.
Cheers
Yes, you can just add a link to the OWA URL via the WSE Dashboard.
Under Settings, AnywhereAccess, Customize, Home Page Links. You can add/remove the links as required.
As for not having to login twice, i am not sure about that. There may be some sort of single sign on tool you can use, somthing like AuthAnvil – from Scorpion Software.
A way around 2 SSL Certs…
Configure everything as this guide says… but ARR add-on for IIS is not required.
When done, point port 80 and 25 to your exchange server’s internal IP Address. Point 443 to your Essentials server.
Open IIS on your Exchange Server, drill down to OWA and open SSL settings on OWA and uncheck Require SSL, and then click apply on the right hand window pane.
You can host your organizations website on the same Member/Exchange Server in IIS as a new site, just use a host header to direct traffic to it. ie, Mycompany.com vs http://org.remotewebaccess.com/owa both on port :80. (do not use a host header on remote web access or owa)
You will have to switch the pointer for Port 80 back to your Essentials server in order to domain join new computers via the connect site. But OWA, Remote Web Access and your company’s web page are all hosted internally now. Also note, that you will not get to OWA via https://, only form http://… if this gets complicated, use your company website, but add a page with links or re-directs to keep things easy on your users, they can book-mark there way around from there.
I would not suggest or approve of the idea of running your Exchange services over HTTP.
I would also not advocate the hosting of your company website on a server on your internal network.
Hi,
In the RWW I have a box calles Check E-Mail. This is leading to the WSE external URL /owa. This leads to an IIS error. Is there a way to link this to the external Exchange URL? From the Setup you provide, I understand to have two URLS (one for WSE RWW and one for Exchange owa)
Is there a way to integrate both into one URL?
Cheers
It has been some time since i looked at it, but from memory that should already be the case.
Ill check it out.
Thank you for your great article!
You wrote that you use the free remote.remotewebaccess.com domain for OWA and essentials2012.remotewebaccess.com for RWA to get a free white certificate for both services.
But how does it work when I have a dynamic IP? The Essentials-Server will update the essentials2012.rwa.com Domain, but how does it work for the remote.rwa.com domain? Is there an ddns-updater for rwa.com to install on the exchange server?
Cheers
I think you may have mis-understood.
I use the Free SSL (remotewebaccess.com) only for RWA. OWA is handled using an SSL i purchased, in this case for SBSEssentials.co.uk
Both URLS (or fqdns) go to the same IP address, in my case i had a static IP. with a dynamic IP i would set the second address (remote.sbsessentials.co.uk) as a CNAME of your remotewebaccess.com address, and this should take care of your dynamic IP issue.
i have followed you article and all went well except the part for connecting exchange to the 2012 essentials dashboard,when i tried to connect it it said it failed with an unknown error but after a restart it says its connected but keeps failing when i try to view mailbox properties from the users tab and if i try to remove the integration it shows the same unknown error message
are you running exchange 2010?, was this a migration?
Yes its exchange 2010 SP3 and no clean install of windows 2008 r2 sp1 and exchange 2010
what do the ope logs show in c:\prograndata\windows server\logs (on the essentials)
did the server join the domain ok?
the opewizard logs say System.TimeoutException when i tried to connect exchange to essentials but when i try to remove it it says failed to connect to OPEManager
the server joined the domain fine
I have sorted it, i deleted the reg key HKEY_LOCA_MACHINE\SOFTWEAR\Microsoft\WINDOWS SERVER\Productivity and opened the dashboard which still had the green tick next to exchange but when i clicked Setup Exchange Server Integration it went back to the setup and this time was successful
cool, good work.
First off, Kudos! Great post.
Any luck with Exchange 2013 CU1 on a Server 2012 member server?
I have been beating my head against a wall trying to get this done. Seeing this confirms it is possible now. Your notes here will be invaluable.
What problems are you running into?
Failures during install. Lots of them. Have tried manual un-installs, complete OS re-installs…
I am giving up on Exchange 1013… Needs more time to bake. Got it working, but had issues getting admin tools to work correctly. Not to useful if I cannot get accounts set up. But ecp looked nice… Working now on Exchange 2010 SP3 on Server 2012.
Now, on a fresh clean OS install… So far install feature requirements are different, so your script will not work due to it checking before installing exchange. But some of the other functions might work…
I will let you all know how it goes. Or come back for help :)
In our company we are working productive for two weeks with WSE and Exchange 2013 CU1 on Server 2012. We had some problems with public folders, but they’re fixed now. FYI: We have not used Roberts install-script. Just checked the requirements in the wizard and then we configured the Exchange-Integration in the wse-dashboard. It woked very well. P.S. Sorry for my english, it’s not my native language ;-)