祝大家----中秋節快樂 ;-)

月餅

一心一意念著您;

二話不說跑過去!

三言兩語說動您;

四頂花轎請回去!

五顏六色真美麗;

六神無主難決定!

七上八下終選定;

八成我倆有緣份!

九種口味別忘記;

十之八九真如意!

祝大家----中秋節快樂 ;-)

Configuring Exchange 2010 Client Access Server (part 1)

When we install Exchange 2010 on a computer, it will automatically install a default self-signed certificate for communicating between Exchange Servers. Due to this certificate never is created or signed by a trusted Root CA, it cannot use in any clients in the organization.
The Exchange self-signed certificate will have Subject Alternative Name (SANs) that correspond to the name of the Exchange server as the server name and the server’s fully qualified domain name.
If we want to use the self-signed certificate, administrator need to do extra steps that let clients trust these certificate. In the moment, we will do a easy solution that get a certificate from an internal CA ---- Microsoft Activity Directory Certificate Services.

How to request and enable certificate on CAS?
Run the New Exchange Certificate WizardIn EMC, click on the Server Configuration node next to click on the New Exchange Certificate… in the Actions pane. The New Exchange Certificate wizard will be launched.
On the Introduction page , provide a friendly name as “Adatum Exchange Server” for the certificate next to click Next > button
On the Domain Scope page, mark Enable wildcard certificate check box and then enter Root domain for wildcard as "*.adatum.com” or “adatum.com” due to we want to apply this certificate to all subdomains using wildcards. That is this option allows you to add subdomains without having to update an existing certificate in the future. (# 1)
On the Organization and Location page, provide the related information next to click Browse… button for selecting Certificate Request File Path.
Select a path, provide file name with extension “.req” and then save it
Click Next > button after the request file name is specifically created and selected.
On the Certificate Configuration page, click New button to continue the process if Configuration Summary is true.
Click Finish button to close this wizard and continuously follow the step 1 to get the certificate issued from a CA.
In the moment, a pending request certificate will be created. (# 2)

Submit the resulting certificate request file to Root CAIn I.E. or other Browsers, go to the URL of the internal Certificate Server as http://pki.dw.com/certsrv/ and login in by authenticated user next to click Request a certificate in this Web site.
In the Request a Certificate page, click advanced certificate request
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file because we have already generated the request on the Exchange Server 2010.
In the moment, please open the request file we generated earlier
Select all content next to click Copy in menu
Paste it into the Base-64 encoded certificate request field
The result is as follows the diagram.
Set the certificate template to Web Server
Click Submit > button to generate the request
Select DER encoded next to click Download certificate to save this file to one path

Completing a pending certificate request
In EMC, click on the Server Configuration node, navigate to Server Management to choose one server that we want to import a certificate, select the new certificate next to click on the Complete Pending Request… in the Actions pane. Click Browse… button
Select the certificate file that is downloaded earlier.
Click Complete button to import a certificate to the Exchange server
Click Finish button to close this wizard
So does that will complete a pending certificate request (# 3) and is ready to be assigned to Exchange service.

Reference：
(# 1) Please take care the following scenarios:

• Wildcard certificates can’t be used in conjunction with OCS 2007 as secure communications for UM/OWA integration
• Wildcard certificates are not supported for older mobile devices such as Windows Mobile 5.0

(# 2) When we select and open this request certificate,
the certificate information tell us this CA Root certificate is not trusted and issued by point to itself.
(# 3) When we select and open this request certificate again,
In General tab, the information issued by has already been changed to Root CA
In Certification Path tab, its chain in top level also link to Root CA.

Basic Network Concept --- VLAN (part 1)

When two PC connect with Layer2 Switch by default setting and its IP address belong to the same network segment, the result must be communication can exchange each other.
In this network topology, when DW-HYPERV-01(192.168.101.11/24) ping DW-HYPERV-02(192.168.101.130/24) on command prompt, DW-HYPERV-02 can respond the message to DW-HYPERV-01, and vice verses.

If we want to block the communication between PCs, maybe we can buy another Switch and one by one connect with the Switch port. But this behavior is not good idea because we will lose the money.
Why we separate the network segment?
Maybe need to separate the different department/floor or avoid Virus/Spam/Broadcast/ARP attack so that make this plan.
How to save the money?
Maybe it will be good method to configure VLAN on Switch!
At first, we can realize what VLAN status is now by command line show vlan-switch
In the result, all Ethernet ports are active status and are assigned to VLAN 1. This is why PC can ping and the respond is normal each other.
In the next step, we will begin to create VLAN ID on switch by command
So does that there is two new VLAN ID on Switch now.
Finally, assign the Switch port number to the special VLAN ID
The port number will be mapped into VLAN ID one by one.
In the moment, the message exchange fail between PCs each other.

Of course, please remember to execute command wr for building and saving configuration. Otherwise, the above setting will miss if the Switch device is restarted in the future.