4. Configuring Client Access Policy Rules
All right. And we’ll start by checking to see if we have any client access rules. So we’re going to say “Get-ClientAccessRule” and hit Enter. All right, so you’ll notice it’s creating a new remote PowerShell session using modern authentication. It checked on-premises and the cloud both. Now, by the way, I’m already connected to the cloud, but if you’re not, make sure you’ve also gone through my previous lesson on connecting PowerShell to Exchange Online and all that.
But you can also type “Connect.” If you have the online commands, you can type Connect-ExchangeOnline, hit Enter, and then you can authenticate. Or you could pass the credentials along, like I did in my previous lesson. But I’m just going to authenticate so you can see the process of doing that again. All right, I’ll put the password in here, and then I’ll be officially authenticated. So that’s how you get reconnected. Remember though, if you haven’t already seen that earlier lesson, that’s where I show you how to get into PowerShell through the cloud. You’re going to want to do that because this is going to make sure you have all the commands you need loaded in your session. And if you just run Get-ClientAccessRule without connecting to the cloud, then it’s only going to show you rules related to Exchange on-premises. But if you’re actually connected to the cloud, then it’ll do both. So you’ll have both of those listed there.
Okay, so while we look at that, I want to jump real quick. Let’s look at a couple of things here in Microsoft’s Knowledge Base. Now again, all you’ve got to do to pull up these articles is use the name of the command for dealing with client access rules, which is New-ClientAccessRule. So if you were just to open up a search engine and search for “New-ClientAccessRule,” you could find both of the articles that I’m going to look at real quick with you here. Okay, so the first thing I want to look at is the procedures for client access rules in Exchange Online. This article gets into how the formatting of these rules is going to work. First off, these first couple of cmdlets that we have in PowerShell show us that we can get specific rules by their names.
We can identify them by name, and we can even reformat them as a list as opposed to a table if we want. Okay, looking down a little further, if we want to create a client access rule, we can use New-ClientAccessRule and specify a name for the rule. And I’m going to demonstrate this. By the way, I just wanted to show you the Knowledge Base article. But you can specify the name of the rule, then whether you’re going to have it enabled yet, and then the action that the rule is going to perform, whether it’s going to be denying or allowing, what the conditions are going to be, all of that.
So they have some really great examples in this very first article here that’s labelled “procedures for client access rules in Exchange Online.” Now obviously, that one is specifically for Exchange Online, but we also have the other article, which is purely about how to use the New-ClientAccessRule command. So here are all your different switches and your different parameters. Remember, the Knowledge Base article will explain every one of these parameters to you. And there are some great examples here of how to use it. Okay? So in this case, they’re doing a New-ClientAccessRule. They’re giving it a name. The action they’re performing is Allow, and they’re allowing the protocol for remote PowerShell.
So they’re letting somebody connect to remote PowerShell. The other thing is that they’re setting a priority. So that gets us into the question of what happens if you had several of these client access rules and they conflicted. Well, the priority is what controls the conflict. The lower the number, the higher the priority. Okay, so this next one is blocking ActiveSync, not allowing someone to come in via ActiveSync from a specific range of addresses.
And then again, you can look at all the different parameters and what they do by using this Knowledge Base article. Okay, so I know I kind of sound like a broken record. You’ve probably heard me say this before. I love their Knowledge Base articles. They give some great examples and explain the different parameters, which are a really important part of all of this. Okay, so now that we’ve kind of looked through that, let’s jump back into the EMS. Currently, I don’t have any rules. You’ve seen me go through and run Get-ClientAccessRule there, and nothing shows up, right? So now what I’m going to do is type New-ClientAccessRule. Okay, -Name: I’m going to call this Block ActiveSync.
That’s going to be the name of the policy. All right, -Action: I’m going to deny access. You can just say “deny” or “deny access.” And then I’m going to say -AnyOfProtocols, and we’re going to use the ExchangeActiveSync protocol. All right, we’ve got to make sure we spell that correctly. And if you go back into the Knowledge Base article, you can look up each one of the values that are allowed for that particular protocol parameter. Okay? You can look up the objects you can put there through that article. All right? So from there, I’m going to say -AnyOfClientIPAddressesOrRanges, and I’m going to do 192.168.0.0/24, which is the subnet range that I’m on right now. Okay, so we’re going to go ahead and hit Enter on that, and it’s going to go and create that for us.
And it says, “Okay, are you sure you want to do this? We don’t want you to get locked out.” I’m going to say, “Yes, I’m sure I want to do this.” It says, “All right, you’ve created it.” So now if I hit the up arrow a couple of times and run Get-ClientAccessRule, I can see that a client access rule has been added. Okay, let’s add another one: New-ClientAccessRule, and let’s do -Name. And this is going to be Outlook Web App, all right? Also known as Outlook on the Web. So we’ll say -Action, and we’ll deny. And -AnyOfProtocols; this will be OutlookWebApp. So that’s the parameter we’re putting in for this one. And we’ll say -AnyOfClientIPAddressesOrRanges, then we’ll set 192.168.0.0/24 as our range. Enter. “Are you sure?” Yes. All right. So now let’s go and clear the screen and get the rules. And we’ve got two rules. Look at the priority there, in case they were to conflict. Okay, now there’s another great thing you can do here. You can test the connection. I can type Test-ClientAccessRule.
All right. And I’ll handle the authentication. We’ll say -AuthenticationType is going to be BasicAuthentication. All right. -Protocol will be OutlookWebApp. And we’ll say -RemoteAddress. All right, this command is going to let us test this connection. Let’s say somebody’s trying to connect to the Outlook Web App using this address: 100, zero, one. Okay, -RemotePort, and we’ll say 443, because that’s going to be the port they’re going to use if they’re connecting to that Outlook Web App, right? So we’re going to go ahead, and, I’m sorry, we must also specify the user. So we’ll say -User and we’ll say “[email protected].” So that’s me trying to connect to the Outlook Web App using that account. So hit Enter. Okay, look what it did. It denied me. Why did it deny me? Because of this address I am using right here in the test. Because of the rule we created on 192.168.0.0, it would have prevented me from using that address. Now if it’s not going to deny you, you won’t see anything. Here, watch this. I’m going to change this now, and we’re going to pretend like we’re coming in from 192. Watch this. No reply. So if you don’t get any reply, no news is good news. So basically, it’s going to work. All right? Okay, so that’s good.
Now again, I can type Get-ClientAccessRule and hit Enter. It’s going to show me my rules. And if I want to remove these rules, I can type Remove-ClientAccessRule. All right? We’ll say the name, and the rule will be removed. We’ll go ahead and remove the block on ActiveSync, so we’ll say Block ActiveSync. We’ll hit Enter. Let me check the parameter. Oh, I think I messed my parameter up there. Let me fix that. -Identity is the correct parameter, not -Name. So we’ll hit Enter. It’ll say, “Are you sure?” Yes. All right. And let’s do this again, and this time we’ll do the Outlook Web App. Hit Enter. Are you sure? Yes. Okay, let’s run Get-ClientAccessRule, and they’re gone. So that’s how you remove them.
All right, guys, so hopefully that gives you a good idea now of how to use that. There is definitely some good information on the Knowledge Base that you can check out; it is definitely something you should play with. And be sure to use that test command, Test-ClientAccessRule, to test things out more. Again, you can go out here to the Knowledge Base and look up Test-ClientAccessRule. All right, search for that, and you’ll see it show up in the Knowledge Base. You can pull that up, and then you can get some great information on just this command too, and how you can actually use this command to verify connectivity and all of that. So it has some that show you the parameters you can use, examples of how to use it, and each of the parameters. There’s definitely some useful information there, so take advantage of it, but hopefully this has given you a good understanding of the client access rule policies.
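The whole procedure from this lesson as one script, added here as an example rather than the course’s own commands. It assumes a session that is already connected (EMS or Exchange Online), assumes the admin workstation sits in 10.0.0.0/24, and uses a constructed test user in the examlabpractice.com domain.

```powershell
# Added example, not the course's own script.
# Assumes: connected EMS / Exchange Online session; admin subnet 10.0.0.0/24 (assumed value).
$AdminSubnet   = '10.0.0.0/24'
$BlockedSubnet = '192.168.0.0/24'
$TestUser      = 'user@examlabpractice.com'   # constructed value for the test

# 1. Lockout guard. Rules are evaluated in priority order (lower number wins), so an
#    allow rule for remote PowerShell from the admin subnet at priority 1 is matched
#    before any deny rule below and protects the shell you are typing in.
New-ClientAccessRule -Name 'Allow Admin Remote PowerShell' `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $AdminSubnet -Priority 1

# 2. The two deny rules from the lesson.
New-ClientAccessRule -Name 'Block ActiveSync' -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync `
    -AnyOfClientIPAddressesOrRanges $BlockedSubnet
New-ClientAccessRule -Name 'Block OWA' -Action DenyAccess `
    -AnyOfProtocols OutlookWebApp `
    -AnyOfClientIPAddressesOrRanges $BlockedSubnet

# 3. Review the order the rules will be applied in.
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Priority, Name, Action, AnyOfProtocols, AnyOfClientIPAddressesOrRanges

# 4. Test both sides of the deny rule. Test-ClientAccessRule reports the rule that
#    would block the connection and prints nothing when access would be allowed.
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 192.168.0.50 -RemotePort 443 -User $TestUser   # inside blocked range
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 10.0.0.50 -RemotePort 443 -User $TestUser      # outside it: no output

# 5. Clean up. The parameter is -Identity, not -Name, as the lesson points out.
'Block ActiveSync', 'Block OWA', 'Allow Admin Remote PowerShell' |
    ForEach-Object { Remove-ClientAccessRule -Identity $_ -Confirm:$false }
```

Microsoft has announced the retirement of client access rules in Exchange Online in favour of Conditional Access policies; the on-premises cmdlets shown here are not affected.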
5. Autodiscover in Exchange
So this is a service that’s actually going to help connect your different clients to the actual Exchange services. So you might remember that we’ve talked about how, on a mailbox server, we have mailbox storage and all of that happening, but we’ve also got the Client Access services. And we’ve also got the fact that if you’re in a perimeter environment, you may have an Edge Transport server that’s also going to play a role if somebody’s on the outside coming in.
But either way, whether somebody’s on the outside trying to get in and get access to their email or whether they’re on the inside, they’ve got to be hooked into the right mailbox server that actually has their mailbox database that’s going to give them access to their email, right? And so the Autodiscover service is going to be what’s going to make that magic happen. Okay, so the other thing about the Autodiscover service is that whether they’re inside, outside, or even in what’s called a “multi-forest” scenario of Active Directory, where you have multiple domains and multiple forests, the Autodiscover service should work across the board. So this is built to handle a small environment. It’s also been built to handle a very large environment.
Okay? This will all be based on a virtual directory in Exchange 2016, 2019, and beyond. So on your IIS server, your Internet Information Services, under the default website, we have an actual virtual directory called the Autodiscover virtual directory. That virtual directory is going to play a role in making all of this work because the connection itself is going to happen over HTTP, and the Autodiscover virtual directory is what’s going to tie into that. Your Active Directory is going to have something called an SCP, which stands for Service Connection Point. That’s going to be pointing to the proper URLs that we’ve got with our Exchange environment and our IIS. Okay? And so that will play a role in all of this on the inside: when someone is querying from the inside, that’s what will happen.
All right, so that’s part of the deal with that. For domain-joined computers, we’ve also got our Client Access services. Your CAS, which is also part of your mailbox server role, is going to make sure that people are properly authenticated. So if they’re within the domain, for example, they have to authenticate to your Active Directory domain controllers and all that. Kerberos and other such things will play a role in this. It’ll authenticate and proxy the services to the proper Exchange server using MAPI, the Messaging Application Programming Interface. Okay? Now on the outside, if you’re using Exchange Online, you would authenticate with the Microsoft 365 services and Exchange Online. And of course, there’s also a hybrid deployment, which I’m not going to thoroughly get into now because that’s coming up later. But in a hybrid deployment, you can have a sort of mix. Sometimes they’re authenticating on the inside, if they’re on the inside, and then if they’re on the outside, they could go directly to Exchange Online. So the authentication process is a part of the hybrid discussion, which will be expanded on later.
Okay. And then, in terms of Microsoft Outlook: you have an Outlook client, a person pulls up Outlook, and as long as they know their email address, username, and password, the Autodiscover process will be initiated. And that’s really the only ingredient that’s needed on the client side: they just need to know that email address and that username and password, or whatever authentication system we’re using (most of the time, username and password, but you could use multifactor if you wanted to as well). And that’s it; that’s your key ingredient. And then from there, it’s going to hit the proper virtual directory. If they’re in Active Directory, it goes to the Service Connection Point, and so on. In fact, let’s look at this little example here. You’ll notice an Outlook client is pulling it up. It’s performing a query. So the user enters their username, email address, and password. If they’re part of the domain, they’re in Active Directory. It’s going to query the SCP object.
Okay, what is that? That’s the Service Connection Point. All right. So the Autodiscover service, with the help of the virtual directory, gets created inside of Active Directory. Active Directory is the directory database. It also has the global catalog, so it can query that. It can perform a query against Active Directory. Active Directory is going to reply back with the Autodiscover information in the form of an XML file, an Extensible Markup Language file. So it’s going to return that information back. It’s got the URL of the proper service, the Client Access service, that it’s supposed to talk to, which again is going to be on your mailbox server. So it’s then going to connect using HTTPS to the Client Access service, which again is on the mailbox server. The Client Access service of the mailbox server is going to reply back. The Autodiscover service returns the addresses of the services that have this client’s information. Keep in mind that the client could be tied to multiple mailboxes.
So when it replies back with that information, it’s going to reply back with all the different server information that could get this person to the different mailboxes that they need access to. Okay, so a couple of other things here about Autodiscover. They tell you here that you have four options for your clients. The first two that you see on the screen, these different methods that you see here, are for just one single SMTP namespace in an organization. So you’re talking about a small area. And the last couple are for multiple SMTP namespaces, so bigger environments. Okay, so the first one there is the URL that this person will be hitting, and this is going to tie to the virtual directory at https://examlabpractice.com/autodiscover/autodiscover.xml. This is going to happen automatically. This is not something that I’m having to type in. This is just going to happen right out of the gate as part of the deal with something like Outlook. And of course, you have the other one, with the autodiscover hostname in front: https://autodiscover.examlabpractice.com/autodiscover/autodiscover.xml.
The last couple are the Autodiscover redirect URL, so that’s autodiscover.examlabpractice.com again, with autodiscover.xml on the end. Okay, it’s just going to try that URL if you opened up Outlook, for example, and let’s say that Outlook has multiple URLs that it works with. So I’ve got an email address such as [email protected], and I have another mailbox account that’s part of the organization, which is [email protected]. Okay, well, if I had that, then it could use both of those URLs to search for the Autodiscover service. The other way that this can work is by searching through DNS for SRV information. SRV information—that’s a service record. And if you’re in an Active Directory domain, you’ll have SRV records in your DNS that will direct your users to the correct location. Okay, so the last thing I want to look at here before I jump over to the operating system—and this is right off Microsoft’s Knowledge Base, by the way—is the fact that your different URLs for the virtual directories are definitely going to play a role in Autodiscover here. You’ve got to make sure that your virtual directories are set up properly for these different services.
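The client-side lookup order just described, written out as an added example (not the course’s own code): for one SMTP address it builds the HTTPS, redirect and SRV locations Outlook will try, and resolves the SRV record with Resolve-DnsName. examlabpractice.com is the course’s domain; the SCP step is skipped because it needs an Active Directory query rather than DNS.

```powershell
# Added example, not from the course. Needs only DNS access (Resolve-DnsName, Windows).
function Get-AutodiscoverCandidates {
    param([Parameter(Mandatory)][string]$EmailAddress)

    # Outlook derives the domain from the SMTP address the user typed; nothing else is needed.
    $domain = ($EmailAddress -split '@')[-1]
    $result = [ordered]@{
        # Single-namespace methods (tried after the SCP lookup for domain-joined clients).
        HttpsRoot    = "https://$domain/autodiscover/autodiscover.xml"
        HttpsPrefix  = "https://autodiscover.$domain/autodiscover/autodiscover.xml"
        # Multi-namespace methods: an unauthenticated HTTP request that must answer with
        # a redirect to an HTTPS URL, and a DNS SRV record naming the Autodiscover host.
        HttpRedirect = "http://autodiscover.$domain/autodiscover/autodiscover.xml"
        SrvRecord    = "_autodiscover._tcp.$domain"
        SrvTargets   = @()
    }

    # SRV lookup: lowest Priority (then highest Weight) is the host Outlook should use.
    try {
        $srv = Resolve-DnsName -Name $result.SrvRecord -Type SRV -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'SRV' } |
               Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
        $result.SrvTargets = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    } catch {
        $result.SrvTargets = @("not found: $($_.Exception.Message)")
    }
    [pscustomobject]$result
}

# Sample address in the course's domain; the mailbox itself is not contacted.
Get-AutodiscoverCandidates -EmailAddress 'user@examlabpractice.com' | Format-List
```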
So you’ll notice that you have an offline address book, and it mentions the URL there that’s listed. You must ensure that it is properly configured. Now we’ve had a lesson on virtual directories before. Okay, I will refresh your memory a little bit coming up here in a second because I want to show you again where that’s configured. But you’ve got to make sure you’re pointing to the right virtual directories. This is especially important for devices on the outside as well as devices on the inside. If they’re within the domain and you’re pointing to on-premises Exchange and all that, then you have Active Directory taking care of that, and you’re getting where you need to go. But if you’re on the outside, it’s critical that we have our external URLs set up properly. So the first one there is OAB, which is Outlook address book. Sorry, offline address book; that’s the URL that it defaults to for your offline address book settings. It would be mail.examlabpractice.com in my case. Then the Exchange Web Services themselves, the EWS; that’s set to mail as well. Mine would be mail.examlabpractice.com/EWS/Exchange.asmx. I need to double-check that everything is set up correctly.
Then there’s Outlook Anywhere. Then they say MAPI over HTTP is used with Exchange 2013 Service Pack 1 or later. So Exchange 2010 and below use the older way, the RPC method. And MAPI over HTTP, really the same thing, will be used with your newer ones, the newer Exchange versions. The URL is basically going to be the same. The only difference is that there will be /mapi at the end. Okay. So again, you’ve got to make sure these virtual directories are configured properly. So let me jump over to the operating system, and we’ll look at a little bit of that right now. Go to Tools, and then we can click on IIS Manager. So this is your Internet Information Services manager. This is where your virtual directories are actually being hosted for Exchange. They’re being hosted through your web services.
And if I expand the default website, you can see all of those here. Okay, it shouldn’t be too much tweaking you need to do here, though. You may have to deal with some certificate stuff, SSL stuff here, and all that, but it’s very important that these are here and that your service is up and running, or you’re going to have a lot of problems out of Exchange. Now let’s pop back over to the Exchange Admin Center here. If we zoom in, we’re going to go to Servers here, and then we’re going to click on Virtual Directories up here. You can see all the virtual directories there, and the Autodiscover service is there. And if I wanted to tweak the path for the virtual directories graphically, I could click on these virtual directories, click this little wrench symbol here, and specify what I wanted this external URL to be. As a result, we must definitely configure our external URLs.
And I have actually done a lesson on that already. So if you haven’t seen that, it’s earlier in the course here. But we would add our server, and then, if I wanted, I could set what I wanted this external URL to be. Another thing we can do if we go into our EMS, the Exchange Management Shell, is type “Get-” and then whatever virtual directory we want. If we want to see the offline address book virtual directory, for example, I can type Get-OAB, hit Tab to complete it, and then Enter, and you’ll see the offline address book virtual directory information. You notice that it’s going to throw an error for NYCEX2 because I’ve currently got NYCEX2 shut down to free up some memory in my machine here. If you want to see a specific server, though, you can do -Server and then specify the name of the server you want to see. Oops, I’ve typed the wrong name there, sorry. We’ll put the EX on it. It will only show me NYCEX1. And if you want to see all the information formatted differently, don’t forget I can pipe to Format-List, and it’ll show it all in a list format instead of a table format.
Okay, so I can do that. That was the offline address book. But I could also look at the Exchange Web Services one as well. So we’ll say Get-WebServicesVirtualDirectory. Hit Enter on that. And this is going to show me the virtual directory for your EWS, your Exchange Web Services. Let me add -Server; we’ll say NYCEX1, hit Enter, and see what happens. All right? And as you can see, this is currently my internal URL, but I still don’t have an external URL showing. In fact, if I format that as a list, okay, so we’ll hit Enter on that, format it as a list, and you’ll notice that the external URL is listed out as this right here: mail.examlabpractice.com. And that’s what we had set earlier in the class, right? That was what you saw me doing in that earlier lesson.
What about Outlook Anywhere? I could say Get-OutlookAnywhere. All right, hit Enter on that. That will display the Outlook Anywhere information. I’m still not going to find NYCEX2 again because it’s shut down. But you can see the internal and external information for this as well, right here. Okay? All right, so if you wanted to see MAPI, there’s Get-MapiVirtualDirectory. Let me fix that: Get-MapiVirtualDirectory -Server; we’ll say NYCEX1, and display that information as well. And again, if we want to format it as a list, we’ll pipe to Format-List. All right, that will show you all the information. Okay? Remember that if I need to change this virtual directory information for Autodiscover, I can change it with Set-MapiVirtualDirectory. You can easily specify these parameters and change them to what you need them to be if you pull up the Knowledge Base article, too. Okay? All right. Okay, guys, so that is how you can look at your virtual directory information for your Autodiscover, make sure that’s all set up properly, and you can also tweak things if you need to.
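The server-side check this lesson walks through by hand, as an added example (not the course’s own script): it pulls the Internal/External URLs of the virtual directories Autodiscover hands out, plus the Outlook Anywhere hostnames and the SCP URI, and flags the problems the lesson warns about. It assumes an EMS session and uses the course’s server name NYCEX1 and published name mail.examlabpractice.com.

```powershell
# Added example, not from the course. Assumes an Exchange Management Shell session.
$Server       = 'NYCEX1'
$ExpectedHost = 'mail.examlabpractice.com'   # the name published to clients

function Test-ClientUrl {
    # Classifies one URL: it must be present, use HTTPS, and (for the external side)
    # carry the published hostname, otherwise outside clients never reach the service.
    param([string]$Directory, [string]$Scope, [string]$Url)
    $status = if ([string]::IsNullOrWhiteSpace($Url)) { 'MISSING' }
    else {
        $u = [uri]$Url
        if ($u.Scheme -ne 'https') { 'NOT HTTPS' }
        elseif ($Scope -eq 'External' -and $u.Host -ne $ExpectedHost) { "WRONG HOST ($($u.Host))" }
        else { 'OK' }
    }
    [pscustomobject]@{ Directory = $Directory; Scope = $Scope; Url = $Url; Status = $status }
}

# The virtual directories whose URLs Autodiscover returns; all expose InternalUrl/ExternalUrl.
$vdirs = @(
    Get-OabVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-MapiVirtualDirectory        -Server $Server
    Get-OwaVirtualDirectory         -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
)
$report = @(foreach ($vd in $vdirs) {
    Test-ClientUrl -Directory $vd.Name -Scope Internal -Url ([string]$vd.InternalUrl)
    Test-ClientUrl -Directory $vd.Name -Scope External -Url ([string]$vd.ExternalUrl)
})

# Outlook Anywhere exposes hostnames rather than URLs; build the /rpc URL when one is set.
$oa = Get-OutlookAnywhere -Server $Server
foreach ($scope in 'Internal', 'External') {
    $h = [string]$oa."${scope}Hostname"
    $report += Test-ClientUrl -Directory 'Outlook Anywhere' -Scope $scope `
        -Url $(if ($h) { "https://$h/rpc" } else { '' })
}

# The SCP is what domain-joined Outlook clients read first; it is an internal URL.
$scp = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
$report += Test-ClientUrl -Directory 'SCP (Autodiscover)' -Scope Internal -Url ([string]$scp)

$report | Format-Table -AutoSize
# Anything not OK is fixed with the matching Set-* cmdlet, e.g.
# Set-MapiVirtualDirectory -Identity "$Server\mapi (Default Web Site)" -ExternalUrl "https://$ExpectedHost/mapi"
$report | Where-Object Status -ne 'OK'
```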
6. Understanding Internal and External Certificates
So it’s time now for us to discuss the concepts of digital certificates with Exchange. Now, it’s pretty common practice nowadays for most companies to have something called a PKI, a public key infrastructure. And the idea of your public key infrastructure is that you’ve got to have a way that people can trust the servers that they’re interacting with.
You’ve got Outlook connecting in. You’ve got lots of web browsers connecting through HTTP and things like that. They’re going to be interacting with your Exchange environment: your web browsers, your apps, and all that. The only way that they know that they’re talking to the devices that they think they’re talking to is if you have what is called a “digital certificate,” okay? So ordinarily, the way this is set up, we’re going to have to have a PKI. But there’s something you’ve got to think about when it comes to PKI, when it comes to your public key infrastructure and dealing with digital certificates: there are different routes that companies will take. And in some cases, they’ll use a mixture of all of this. For one, you can do what’s called a “self-signed certificate.” This is actually what we’ve got in Exchange right now.
We have what is called a “self-signed certificate” that is set up on our Exchange servers right now. And all it is is basically a digital certificate that is on the Exchange server that says, “Hey, I am who I say I am, according to me.” And that digital certificate comes with a public-private key pair that can be used for encrypting and decrypting information going back and forth with a client, okay? Now, the problem with the self-signed certificate is that a self-signed certificate is really only going to be valuable if people trust that certificate. And here’s the problem: the certificate is coming from the server and says they are who they say they are, according to them. It’s kind of like this; look at it from this standpoint. Let’s say that my driver’s license was like a digital certificate, okay? And I’m driving down the road, and I’m speeding, and I get pulled over by a police officer. And the police officer says, let me see your driver’s license. So I hand the police officer my driver’s license, and let’s say that my driver’s license says that I am who I say I am according to me, okay?
So it says this driver’s license was issued to John Christopher, and it was issued by John Christopher, okay? That’s not going to fly, right? Because I’ve got to have some kind of authority that people trust. In other words, the police officer has to trust this authority in order for it to work. So you can use a self-signed certificate in a very small environment. You might be able to get away with that, but that’s not really going to work very well in your environment because it means that you’re susceptible to being tricked. If you’re allowing self-signed certificates in your environment, who’s to say a hacker doesn’t set up an Exchange server somewhere in a virtual machine or something and generate its own certificate? We’d have to get our computers to trust that certificate, right? As a result, using a self-signed certificate is not the best option. Another option, which will be more common in an internal environment, is to use what is known as an internal CA. So instead of a self-signed certificate, you’re going to use an internal CA. That’s an internal certificate authority.
So what we’re going to do there is have a server that is going to be a CA, a certification authority. We’re going to set that up on a server, and that certificate authority can issue certificates out to our Exchange server. So our Exchange servers can get certificates for their virtual directories to prove who they are. At that point, your clients internally would trust that. So the virtual directories running on IIS (Internet Information Services) will have a TLS or SSL certificate associated with them. And that way, they can prove they are who they say they are. And remember, that’s really the goal of certificates: to prove that something is what it says it is or who it says it is, and also to provide encryption as well as integrity for what’s being done. Integrity means that somebody can’t just change the information without you knowing. Here’s the problem with that, though.
That works fine for your internal Exchange servers and your internal computers. You can set up as many CAs as you want. You can have what are called roots and subordinates. And Microsoft lets us have CA services for free. It’s just part of the deal. If you own a server and have licensed it, you can install certificate services on the server with no problem. The issue you run into next, though, is going to be if you’re dealing with the outside world. So if we’re dealing with somebody who’s on the outside, like this guy right here, he’s working from home. Well, if this is a company-issued computer, then you can tell that computer to trust the certificate, no problem. You can use group policies to do that. You could import it through Intune or System Center Configuration Manager, which is now called Endpoint Configuration Manager. You can make it so this computer will trust your internal CA. But what if this is somebody’s home computer, and we want them to be able to check their email from home? So you’re going to set up a certificate on your Edge server and all that, and it’s going to talk to your internal servers.
The problem is the certificate would come from this internal CA, and this guy’s computer is not going to trust that automatically. So what will end up happening is that the person is going to get a message that pops up on their screen that says, “Hey, the certificate is valid, but it’s been received from an untrusted CA.” So that’s going to cause us a problem. That’s going to create a big problem for us because they’re not going to trust it. So the way around that is to use what is called a “commercial CA” or a “public CA.” Okay, so this is a public CA; this is a certificate authority such as GoDaddy. Or you could use Equifax, VeriSign, GeoTrust, all these different ones. But that’s usually going to be a commercially trusted CA. So our web browsers all have a bunch of certificate authorities out there that are already part of our trust database on all of our computers, whether you’re using Windows, Macintosh, Unix, Linux, or whatever. And if you get a certificate from a third-party CA, then if you go that route, the good news is that your web browsers are going to trust that CA, and the CA is going to vouch for your organization. And at that point, they’re not going to get the little message that pops up saying that they aren’t trusted. Okay? So that’s what this guy right here is going to be. He’s going to be our public and trusted CA. So now what happens is I put one of those certificates on here, and I could have my external virtual directories have a certificate from this commercial CA. So, when my client hits the Edge server and the Edge server is coming in and talking to my internal servers, they won’t get that pop-up.
But it’s important to understand that internally, it’s not going to cost you any money other than just having a licensed copy of the server. You can issue certificates all you want, but if you’re dealing with entities that are not part of your organization and don’t already trust your certificate authority, then that’s something you’ve got to fix. Before I get too far into this, I’d like to point out that, as far as Exchange Online is concerned, we don’t have too many issues with it because Microsoft uses its own commercial CAs. They’ve got their certificates from the commercial CA that they’re using with Exchange Online. So I’m not really having to add a bunch of certificates for my Exchange Online. So really, this is more focused on dealing with the on-premises side of things as opposed to Exchange Online.
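A quick way to see which of the three situations this lesson describes (self-signed, internal CA, public CA) you are actually in, added here as an example and not part of the course: it lists the certificates Exchange has bound to its services and flags a self-signed or internal-CA certificate sitting on IIS, which is what the virtual directories present to clients. It assumes an EMS session, the course’s server NYCEX1, and an assumed naming pattern for the internal CA.

```powershell
# Added example, not from the course. Assumes an Exchange Management Shell session.
$Server            = 'NYCEX1'
$InternalCaPattern = 'CN=[^,]*-CA'   # assumption: our internal CA's name ends in "-CA"
$ExpiryWarningDays = 30

Get-ExchangeCertificate -Server $Server | ForEach-Object {
    # A self-signed certificate is issued by itself: Issuer and Subject are the same name.
    $issuedBy = if ($_.Issuer -eq $_.Subject)            { 'self-signed' }
                elseif ($_.Issuer -match $InternalCaPattern) { 'internal CA' }
                else                                      { 'external CA' }

    # Services is a flags value rendered like "IMAP, POP, IIS, SMTP"; IIS is what OWA,
    # EWS, MAPI/HTTP, ActiveSync and Autodiscover present to connecting clients.
    $onIis = $_.Services.ToString() -match '\bIIS\b'
    $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays

    $risk = if ($onIis -and $issuedBy -eq 'self-signed') {
                'clients will warn: replace before publishing'
            } elseif ($onIis -and $issuedBy -eq 'internal CA') {
                'fine for domain members; outside clients need a public CA certificate'
            } elseif ($daysLeft -lt $ExpiryWarningDays) {
                "expires in $daysLeft days"
            } else { 'ok' }

    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        IssuedBy   = $issuedBy
        Services   = $_.Services.ToString()
        Expires    = $_.NotAfter
        Risk       = $risk
    }
} | Sort-Object Risk -Descending | Format-Table -AutoSize
```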
7. Installing a CA for Exchange Certificates
Manager here. We’ll proceed to the Manage Add Roles and Features page. Okay, we’re going to go ahead and click Next. We’re going to start playing our parts. And if you look closely, you’ll notice that I have a role called the Active Directory Certificate Services Role. I can select that, and then I can add the features here on my server. I’m going to click Next, and at that point, I can choose that I want to be a certificate authority. All right? So I’m going to click Next on that, and then I’m going to install the role. This will take a moment to install, so we’ll pause and come back. Okay, so it’s done installing. So we’re going to click “close.” We’re going to come up here to the top, and you’ll notice there’s a little warning message here on my server. Just click that, and it will say Configure the Contradictory Certificate Service. So we’re going to go ahead and click to configure it, all right?
And here’s a little pop-up box. So it says, “Okay, this is going to be the credentials that have the authority to finish off the certificate installation.” So we’re going to click “Next.” We’re going to select the Certification Authority, all right? And then at that point, we can click Next and continue. We’ll go with Enterprise CA standalone. So an enterprise CA in your Active Directory can hand out certificates using the automated enrollment capability that your CA has to offer. That means that devices can get autoenrolled and get certificates without an administrator having to moderate every single individual certificate. An enterprise CA can also issue certificates dynamically to all your Active Directory services. This is usually the one you should use if you’re dealing with mostly internal devices. If you are dealing with just the Internet and you’re trying to stick purely to Internet standards, then standalone is going to be the way to go. But standalone is a much more static solution when it comes to dealing with certificates.
I’m going to actually go with Enterprise here. We’re going to click Next on there, and then this one is going to ask me if I want this to be a root CA or a subordinate CA. The very first CA that gets installed in your environment is the root, and all other CA servers added after it would be subordinates. Since this is the first CA that’s been installed, I’m going to go with root. And then I’ve got to have a private key that I’m going to use as the master private key for my CA. I don’t have an existing one, so I’m going to say create a new one. All right. And then it’s going to ask me which algorithms and cryptographic service providers I want to use. RSA is the most common right now. The most common key length for your encryption keys is 2048 bits. Digital signatures are what ensure the data’s integrity, and the most common hash algorithm everybody’s using today is SHA-256, the Secure Hash Algorithm. So that’s what we’re going to use for our digital certificates and signatures in our environment. So we’re going to click Next. It says, “What do you want the common name of your CA to be?” Okay, I’m just going to call it that. Each city has its own CA. That’s going to be the name of my CA. All right, you can leave the other names, the distinguished name suffix, the same. Next. And then, how long do you want your root certificate to be valid? Five years is the default. I could set that to whatever I want. Remember that the longer something is valid, the more time an attacker has to compromise it. So less is more in terms of security. All right, I’m going to click Next, and then it’s going to say, “Where do you want the database and log to be stored?” It’s going to store them in the default location. I’m just going to leave those as the default locations, and then it lets me verify everything. And then I’m going to go ahead and click Configure.
All right, we’ll let this run through, pause the video, and pick back up after it’s done. Okay, so, as you can see, it’s now done. I’m going to hit Close. And if I go back up to the Tools menu in Server Manager, I should now have a tool called Certification Authority. So I can click on that. And from here, I’ll be able to see all the different certificates that I’ve issued and all that good stuff. So we’ll go right here, over to the left, and I’m expanding my CA. All right, and I can see Issued Certificates. I haven’t issued any certificates yet. Revoked Certificates lets me check whether I’ve revoked any certificates, rendering them invalid. Pending Requests is where a request shows up if it came in and didn’t get auto-approved. Failed Requests would show me if there are any errors. And then Certificate Templates will show me the different certificate types that I can currently hand out. Now, these are not the only types of certificates that your certificate authority knows how to issue. You can actually right-click this, click Manage, and enable other certificate templates to be issued as well if you want. So that’s going to bring up this big list of templates here. There are a bunch of different certificate templates here that I could allow if I wanted to.
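The same role install and Enterprise Root CA configuration the video walks through in Server Manager, scripted in PowerShell as an added example (not from the course). The CA common name is an assumed value, and the paths shown are the defaults the wizard picks; everything else matches the choices made above.

```powershell
# Added example: scripts the AD CS install shown in the video.
# Run in an elevated PowerShell on the CA server as a member of Enterprise Admins,
# since an Enterprise CA registers itself in Active Directory.
# Assumed value: the CA common name. Adjust it for your environment.

# 1. Install the Certification Authority role service and its management tools
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with the same choices as the wizard:
#    RSA 2048-bit key, SHA-256 signatures, 5-year root validity (the default).
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'ExamLabPractice-RootCA'          # assumed name
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                                  # shorter is safer, as the video notes
    DatabaseDirectory   = 'C:\Windows\system32\CertLog'      # wizard default
    LogDirectory        = 'C:\Windows\system32\CertLog'      # wizard default
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Verify what was built before handing out any certificates
certutil -cainfo                      # CA name, type, and signing details

# The root certificate should now be in the local machine's Trusted Root store;
# check that the key size and signature algorithm are the ones requested.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=ExamLabPractice-RootCA*' }
$root | Format-List Subject, NotBefore, NotAfter,
    @{ n = 'KeySize';  e = { $_.PublicKey.Key.KeySize } },
    @{ n = 'SigAlg';   e = { $_.SignatureAlgorithm.FriendlyName } }

# 4. Templates this CA is currently allowed to issue (what the console's
#    "Certificate Templates" folder shows)
certutil -catemplates
```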
Okay. All right? So, what I’d like to do now is go over to Exchange, where we’ll look at the certificates and how they’ll be managed on the Exchange side. I’m going to click on Servers, and I’m going to go to my virtual directories, and I’m going to edit my ECP virtual directory. So I’m going to click the little edit symbol here. Let me zoom in on that for you, too. And we’re going to set the internal URL for the virtual directory to also be mail.examlabpractice.com. Our external URL is currently mail.examlabpractice.com, but not our internal one. So that’s what we’re going to do. We’re going to hit Save. Now it’s going to update our virtual directory. So now that I’ve got the virtual directory set up and my certificate authority set up, I can actually go to the Certificates menu option here and click the plus sign. And I’m now officially able to create a certificate, which I can use to create a certificate request for the CA. Okay? So that walks you through the process of setting up the CA. And now you can actually request certificates, and you can associate those with your virtual directories if you want.
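The Exchange side of the same lesson, done from the Exchange Management Shell instead of the EAC, as an added example (not from the course). It assumes an Exchange server named EX01, a CA reachable as CA01\ExamLabPractice-RootCA, and the organisation fields in the subject name; the hostname mail.examlabpractice.com is the one used above.

```powershell
# Added example: sets the ECP internal URL, requests a certificate from the
# enterprise CA built in this lesson, and binds it to IIS for OWA/ECP.
# Assumed values: server EX01, CA config string 'CA01\ExamLabPractice-RootCA',
# the O= and C= fields, and the C:\Temp working folder.

# 1. Make the ECP internal URL match the external one, as done in the EAC above
Set-EcpVirtualDirectory -Identity 'EX01\ecp (Default Web Site)' `
    -InternalUrl 'https://mail.examlabpractice.com/ecp' `
    -ExternalUrl 'https://mail.examlabpractice.com/ecp'

# 2. Generate a certificate request (CSR). The private key stays on EX01;
#    it is marked exportable so the same certificate can be moved to other servers.
$csr = New-ExchangeCertificate -Server 'EX01' -GenerateRequest `
    -SubjectName 'CN=mail.examlabpractice.com,O=ExamLabPractice,C=US' `
    -DomainName 'mail.examlabpractice.com','autodiscover.examlabpractice.com' `
    -PrivateKeyExportable $true
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
Set-Content -Path 'C:\Temp\mail.req' -Value $csr -Encoding ASCII

# 3. Submit the CSR to the enterprise CA using the built-in Web Server template.
#    By default only Domain Admins/Enterprise Admins may enroll for that template,
#    so run this as such an account or grant Enroll on the template first.
certreq -submit -config 'CA01\ExamLabPractice-RootCA' `
    -attrib 'CertificateTemplate:WebServer' 'C:\Temp\mail.req' 'C:\Temp\mail.cer'

# 4. Import the issued certificate on EX01 (it pairs with the pending request's
#    private key) and enable it for IIS so the virtual directories use it
$bytes = [System.IO.File]::ReadAllBytes('C:\Temp\mail.cer')
$cert  = Import-ExchangeCertificate -Server 'EX01' -FileData $bytes
Enable-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint -Services IIS

# 5. Check: the IIS-bound certificate must carry the name the virtual directory
#    URLs use, and its expiry should be tracked so it is renewed before NotAfter
Get-ExchangeCertificate -Server 'EX01' |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, NotAfter, Issuer, Services
```

Clients will still get warnings until the CA's root certificate is trusted by them; for domain-joined machines an Enterprise CA publishes it to Active Directory, so that trust arrives through Group Policy.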