in production

Just to echo a note from Greg (guessing Greg Taylor from the Exchange team?) on that CU2 blog entry regarding a change in those annoying [to me at least] health/probe messages:


Just for heads up…

With CU2 inboundproxyprobe has new TLD in place:

You may want to correct your bypassed senders to: to avoid tons of spam from probe engine.



Guessing as they didn’t seem to own, this makes some sense – but from the world of training manuals and examples into production?’s MX records point at Microsoft Exchange Hosted Services (was Frontbridge – is that now FOPE?)

You may want to add to bypassed senders as well for futureproofing :-p

Posted in Uncategorized | Leave a comment

Permission and DNS errors creating a DAG in Exchange 2013 CU1

All sorts of issues creating a DAG in 2013 (CU1) – probably because of an aborted cross-domain DAG attempt (guessing this isn’t supported, but couldn’t find any docos saying so for 2013… doesn’t appear to work, so the pudding proves the point). Anyhoo, found this:

I had all 3 issues, and this fixed them – thank you Arnaud Buonaccorsi!

(BTW Scott Schnoll commented that article to point at the pre-staging recommendations at He’s probably right; if I’d RTFM I’m sure it would have worked first time, but I’m in a test lab and haven’t got the time to do things the right way 😉 )

Posted in Exchange 2013 | Tagged , , , | Leave a comment

Exchange 2013 CU2 available

Oops, didn’t notice this one from two days ago – CU2 for 2013 is now available for download from

Luckily as I’m working as a test engineer at the moment, I can get to test this out immediately – CU1 was way better than RTM – hoping this one is as much of an improvement, as I’m still not convinced it’s production ready…

Note the following from that page:

  • Exchange 2013 RTM CU2 includes schema changes. Therefore, you will need to execute setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms.
  • Exchange 2013 RTM CU2 includes enterprise Active Directory changes (e.g., RBAC roles have been updated to support new cmdlets and/or properties). Therefore, you will need to execute setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms.

Now, you need to run this on a machine in the same domain *and* the same site as the Schema Master. I didn’t have any 2013 servers in the same site and domain – one or other, not both.

Also, the machine you run it on (I tried it on my old Win 2003R2 server which is the DC / schema master / everything master) requires .Net 4.5 or later. Which it didn’t have. Awesome.

I took the easy option (for me) and moved my schema master to a different site – if you have the same issue and do the same, depending upon site topology and replication schedules you may have to force replication through sites and services to speed things up a bit.

I can see some Exchange admin frustration down the line with that one…

Posted in Uncategorized | Leave a comment

Where’s my UI gone?

Had an issue on a test machine where I removed Exchange 2013 and .Net Framework 3.5 and 4 features… rebooted after removal and  – hang on, where’s my UI gone? Both on the console and via remote connection (yes – RDP still worked), all I got was a command shell.

Tried running PowerShell (thought I might have accidentally removed the UI somehow) but that was gone as well… part of the .Net Framework features I guess. Saw some thread about running SConfig and adding in the UI feature – not an option (literally, wasn’t an option in the list)

Then I came across this:

Ran the following command and after a little wait, all was well:

Dism /online /enable-feature /all /featurename:Server-Gui-Mgmt /featurename:Server-Gui /featurename:ServerCore-FullServer

Weird, but thanks…

Aside | Posted on by | Tagged , | Leave a comment

Exchange Management Shell can’t connect to local server

I had this issue on a server in my test lab – EMS couldn’t connect to the local machine. There were several differnet errors at different times – couldn’t find a domain controller, http bad response, general ‘couldn’t connect’ type error. This box was a proper test machine- I had Exchange 2010 on it, uninstalled, installed Exchange 2013, uninstalled, changed domain. All stuff you shouldn’t do. But all was ok until it was made into a DC in a child domain. Then when installed Exchange 2013, EMS couldn’t connect locally. I uninstalled Exchange, put 2010 on – same issue. Went back to 2013 after removing the server from the domain, adding to the parent, dcpromoed to a DC in a new child domain, installed Exchange 2013 – same thing. Research over a period of a couple of weeks proved fruitless, until I saw an issue on the forums related to kerbauth.dll. Then I found this:

On investigation, I found that the kerbauth module (in IIS Manager – \Sites\Default Web Site\PowerShell – modules in the right pane) was pointing at the V14\bin directory, not v15. So, to fix the issue:

  • I removed the module from IIS (\Sites\Default Web Site\PowerShell – modules – right-click -remove)
  • Edited C:\Windows\System32\Inetsrv\config\ApplicationHost.config to point to the v15\bin directory (searched for v14, found the offending line pointing at v14/bin/kerbauth)
  • Did an iisreset
  • Restarted WinRM service
  • Clicked on ‘Configure Native Modules’ and enabled kerbauth

Boom! EMS can now connect to the local machine.

Posted in Aide memoire, Exchange 2010, Exchange 2013, Powershell | Tagged , | 1 Comment

A quick tour of the Clearswift SECURE Email Gateway

As I introduced the SECURE Email Gateway in my last blog post, I thought I’d take a few minutes to do a whistlestop tour of the current version (3.5 – actually 3.5.4 once you’ve patched it). In order to stop my RSI developing any further, I will refer to it hereafter as ‘the SEG’.

Management Console

The home screen contains links to the Management Centres, where you can manage policies, messages, reporting, system configuration, health and admin users. Along the top are dropdown menus for each of these Management Centres, with more links to specific configuration items. We’ll briefly look into each of these…


Policy Definitions


Your policy definitions define what your mail policy routes are (from and to) and your content rules are what you check for each route.

So, clearly you’ll need at least two routes – one in, one out – and these are provided out of the box. The set of content rules on each will probably be similar – the default ones for each route are similar by default – check for viruses, encrypted/unrecognised filetypes, large files and images, videos and profanity etc. with subtle differences – e.g. whether messages are dropped or quarantined.


Of course, both of these are fully customisable – you can create new routes as you wish based on address lists – either static (including wildcards) or synchronised from an LDAP server (i.e. AD). So if the managers say they can send and receive what they want, then create a policy route for them, then add the appropriate content rules. If Moira from Marketing is allowed to send videos to the PR company, create a rule from her, and set the content rules to allow video. If Dave from Finance wants…oh, you get the idea… Note that the order of routes is important as they are evaluated in order, so put the most restrictive at the top.


Anti-SPAM and AV

The Anti-Spam in SEG uses a Spam solution called SpamLogic – this includes features such as IP reputations (both local and from a database managed by Clearswift), realtime blocklist (RBL) servers, sender protection framework (SPF) and SenderID checks – all the standard stuff.


Out of the box AV is dependant on your licence, but Kaspersky and Sophos are the third-party options. There’s some good stuff in Clearswift’s ‘Zero Hour Malware’ feature – essentially through a connection to Clearswift, your gateway can get a ‘heads up’ on suspected attacks as they happen. Again, good stuff.

Lexical and Image Analysis

Content rules can include actions based on words or images. With words, the gateway performs a lexical analysis using some pre-defined (and customisable dictionaries) – swear words (in multiple languages), racism and other dodgy stuff. You assign scores for ‘hits’ and thresholds. So swear once, shame on you, but your message might get through. Swear twice, shame on me; your message gets bounced with a configurable alert – probably to your boss.

The image analysis stuff is primarily to detect porn of course. In testing it seemed pretty good at knowing the difference between filth and legitimate pictures. And if you’ve got a company logo that accidentally gets picked up, then a. change your logo, or b. add it to the IMAGElogic database and it’ll be OK’d by the gateway in future. Sweet.

Managing Messages and Reporting

The message centre is where you can see what’s been held – viruses, large messages etc. – and where you can perform operations (single / multiple / batch) such as release, delete, forward etc. You can also track messages through the gateway here as well. Oh, and view the queues on the gateway, and any other gateways you have peered (for redundancy/scaling)


There’s some reasonable reports out of the box as well- top senders, recipients, sender domains, virus senders, processing rates, message sizes. Comparable to the big boys in the main and pretty useful.


Personal Message Management (PMM)

Want your users to control what happens to messages that have been quarantined? This is what you need. Compared to Forefront this is very nice indeed. Might do a blog on this on its own at some point. Seriously Forefront was horrible at this…

Other system stuff

That’s it for the functionality, but just thought I’d end up with a quick lok at the other screens. The System Center is the main one – essentially it contains everything that isn’t to do with applying policies – including mail routing (by domain, with wildcards), address re-writing, peering with other gateways for fault-tolerance, getting updates from Clearswift (patches (3.5.4 currently) as well as AV/spam definitions (15 mins – 1 hour updates) as well as the mundane settings for Ethernet, DNS, TLS etc.


Oh, and there’s a system overview page. Nothing to see here, move on…


That’s it for the moment – whistle-stop and ridiculously high-level, but most people won’t have seen this. As I get time I might do a blog on some of these features in  more depth; personally I think they’re pretty good and worth a decent look.



Here’s the postamble:

  1. Disclaimers away: I do contract for Clearswift, but this is not a Clearswift communication. It is posted in good faith, but I can’t guarantee the accuracy of everything in this post, and therefore there are no warranties, and this transfers no rights, express or implied, whatever that means.
  2. You can download the ISO of SEG 3.5 from It’s a fully self-standing product – it’s built on Clearswift’s own Linux build – I’m not going to go into the install, but you’ll need to create a VM – the Linux system is 32-bit, so I would create a machine with 2-4GB RAM and a disk of at least 30GB. I’ve tested VMware and Oracle VirtualBox, but I prefer Hyper-V personally, and now it’s in Windows 8, it’s even more useful for testing. The only thing with Hyper-V is you need to remove the standard synthetic adaptor and add a legacy network adaptor as there are no drivers in the CS-Linux kernel for the synthetic NIC. Not a big deal. Put the CD in, follow the instructions, remove the D, reboot etc. and at the end you will have a gateway built.
  3. After the initial install, you’ll have to configure networking. In Hyper-V I normally use an internal virtual switch, and configure the host with an internal IP address(e.g. or Login to the console (console/console) and configure the IP address of the primary NIC so it can talk to your host(e.g. Once that’s done, connect to the IP address of the SEG server from a browser on your host machine – e.g. – and run through the intial config wizard. You’ll need license details (request from that Clearswift eval page), then enter details of your Exchange server, routing domains etc. – all simple stuff, which I won’t go into as I’m assuming a certain level of networking / messaging knowledge. When the wizard completes, browse again to the server and login as admin, with the password you set in the config wizard. Now you’re done and we can crack on with looking at the SEG itself.
  4. I know postamble isn’t technically a word, but I’m a firm believer in that if you use a word enough OED will eventually agree it’s a word. Deal with it. Eats, shoots, and leaves.
Posted in Clearswift, Email, Hygiene | Leave a comment

Exchange 2013: 421 4.3.2 Service not available

Mashing the gears of emailThere appears to be a bug in 2013 (inc. CU1) where the transport stops receiving connections with this error. In my case I have the FE role on the mailbox server, and also have a custom (hub transport) receive connector for apps (tighter scope), so have 6 receive connectors:

  • Client proxy | Bindings :::465, | RemoteIPRanges: All
  • Default | Bindings :::2525, | RemoteIPRanges: All
  • Default Frontend  | Bindings :::25, | RemoteIPRanges: All
  • Outbound Proxy Frontend  | Bindings :::717, | RemoteIPRanges: All
  • Client Frontend  | Bindings :::587, | RemoteIPRanges: All
  • Custom (anonymous allowed)  | Bindings | RemoteIPRanges: <specific IP of app servers

There are various discussions on the forums, many with snake-tonic solutions. Currently trying out one with setting the binding on the default receive connector (for internal relay on 2525) to the specific IP address of the server.

Problem is that the problem can occur anything from a few hours to days / weeks, with no reliable repro. Will try to remember to update this post if I see a reliable fix.

Posted in Aide memoire, Email, Exchange 2013 | 4 Comments