First some technical data:

Exchange version (Get-ExchangeServer | fl name,edition,admindisplayversion): 14.0 Build 639.21

After installing and forwarding the http/https ports, there were no problems for the mac, after a while I was also preparing to switch my account to 2010 on all computers, then the problems began.

On the Exchange 2003 server I used ISA server 2007, where you just select the RPC protocol to be allowed and ISA does the rest. (Client PCs connect on 135, and then the server assigns the client a private port in the 49152-65535 range, wich the ISA firewall will open automatically if needed)

The new Exchange 2010 server is behind an transparent Linux firewall (using Shorewall), and the RPC range is too big to just open all the RPC ports. I thought, limiting the RPC range is an option, but RPC over HTTPS is a much safer way and because the Belgium internet provider Telenet blocks all outgoing traffic on port 135, from clients to the internet (since the blast virus centuries ago!), RPC over HTTPS had to be configured anyway.

Some errors I ran into:

• Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust (http://support.microsoft.com/kb/297681)
• Indefinitely loop of asking for logon credentials (login and password) when opening outlook, username and password were correct of course, but they weren't accepted(I found out this was because the authentication type wasn't the same for IIS, the client and Outlook Anywhere)(on the bottom there is a link with other causes and solutions)
• After using outlook for a while (2-3minutes) (configured to connect without SSL), it prompts 3 certificate errors

Steps that worked for me:

Because windows seems to have a seriously strict certificate policy I also just installed the certificate services on the server.

Step 1 Installing Windows Server 2008 R2 x64 and Exchange 2010

1. Install Windows Server 2008 R2 x64 (Configure your static IP and computername)
2. Run DCPROMO
3. Install Roles
   1. Active Directory Certificate Services
      • Certification Authority
      • Certification Authority Web Enrollment
   2. Web Server IIS
      • Security: Basic Authentication
      • Security: Windows Authentication
      • Performance: Static Content Compression
      • IIS 6 Management Compatibility: IIS6 Metabase Compatibility
4. Install Features
   1. RPC over HTTP Proxy
5. Install 2007 Office System Converter: Microsoft Filter Pack
6. Set startup mode of "Net.Tcp Port Sharing Service" to Automatic: Using the powershell: Set-Service NetTcpPortSharing -StartupType Automatic
7. Install Updates (to be sure) and reboot
8. Install Exchange 2010

Step 2 Installing Certificate

1. Follow this tutorial to install the certificate signed by your own CAhttp://gretech.be/blog/index.php/2010/04/24/installing-exchange-certificate-using-ad-certificate-services-gui-on-exchange-2010/

Step 3 Enable Outlook Anywhere (RPC over HTTP)

1. Open Exchange Management Console
2. Server Configuration > Client Access > Right click your server > Enable Outlook Anywhere
3. Fill in the External host name, check NTLM, complete the wizard(I chose to use NTLM, because with NTLM it is possible to remember your password in windows, so you aren't always asked to enter credentials when opening outlook. check later steps to configure that on your client windows PC)
4. Reboot
5. Check that it is activated: Event viewer > Richt click Application log > Filter > Event ID: 3006, normally there is a log that says it is enabled;
6. HOSTS file edit, Normally this action is only needed if the exchange server is a Domain member, and is not required if the Exchange server and DC are the same. But just to be sure I did it anyway:
   1. Open C:\Windows\system32\drivers\etc\hosts file
   2. comment #::1 if needed
   3. add something like this: (gretechmail is the computername):::1 localhost91.196.171.202 gretechmail

      91.196.171.202 gretechmail.adn.gretech.be

Enable Outlook Anywhere Video tutorial (Only step 1 needed)

Default settings for Exchange-related virtual directories in Exchange Server 2007

Step 4 Autodiscover

1. Create the CNAME autodiscover.emaildomain.com (f.e. if your email domain is @gretech.be, create a domain autodiscover.gretech.be and point it to the mailserver, in our case: gretechmail.adn.gretech.be)or you can also use a SRV record if your DNS allows this
   : http://support.microsoft.com/kb/940881

More autodiscover options and troubleshooting can be found here: http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Testing Autodiscovery: Test-OutlookWebServices -Identity Administrator | fl

Problem: First Autodiscover didn't work for me, after running the above command in the Exchange shell, I've got the following error:

When contacting https://gretechmail.adn.gretech.be/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (500) Internal Server Error.

The solution that worked for me was:

Remove-AutodiscoverVirtualDirectory -Identity "gretechmail\Autodiscover (Default Web Site)"

New-AutodiscoverVirtualDirectory

Step 5 Configuring Exchange 2007 Hub Transport role to receive Internet mail (this applies only when installing all exchange services on 1 server, so no edge server)

http://msexchangeteam.com/archive/2006/11/17/431555.aspx

• Server Configuration > Hub Transport > Default Receive connector: Allow anonymous connections on the receive connector
• Organization Configuration > Hub Transport > Accepted domains: Accept your domains to enter the server
• Organization Configuration > Hub Transport > Create new Send Connector (to Internet, all domains) (http://www.petri.co.il/configuring-exchange-2007-send-external-email.htm)
• Enable Anti-spam (using the poweshell):cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts\"./install-AntispamAgents.ps1

  restart-service msexchangetransport

• Disable the Microsoft Exchange EdgeSync service service

Step 6 Configure outlook and remember my password

1. Install the CA certificate in IE with admin rights
   (XP: use the created Rootinstall.asp page of step 2
   Vista/7: Download, Open and install the CA-cert.cer file created in step 2 in the "Trusted Root certification authorities" folder)
2. Control Panel > View profiles > Add > Enter a profile name.
3. Normally if autodiscover works, you can enter your name and email according to the AD data.

But, for testing purposes, screenshots of the manual procedure below.

1. Control Panel > View profiles > Add > Enter a profile name.
2. Manually configure server settings > Select Microsoft Exchange and click next
3. Server: f.e gretechmail.adn.gretech.be (in our case)Username: f.e. Gregory BeankensClick more setting (ignore errors)
4. On the Security tab
   1. Encryption > Check Encrypt data between Microsoft Outlook and Microsoft Exchange
   2. Logon network security > Negotiate Authentication
5. On the Connection tab
   1. Check Connect to Miscrosoft Exchange using HTTP
   2. Click Exchange Proxy Settings (check screenshot below)
6. Click OK in all the windows and then Next to finish the wizard

How to remember my password:

1. Control panel > User accounts, if necessary click on your account name
2. On the left, manage your credentials (manage your network passwords in vista) > Add
   Domain:
3. The AD domain name (f.e. adn.gretech.be)Username: Username (f.e. Gregory Beankens)
   (ADdomainName\Username in Windows XP and Vista)

Handy installation guide for 2007, looks like 2010 installation.

http://www.commodore.ca/windows/exchange/how_to_setup_exchange_2007_in_2hours.htm

Other solutions for the indefinitely loop of asking for logon credentials (login and password) when opening outlook.

http://dominicfallows.co.uk/2008/11/03/outlook-2007-keeps-asking-for-a-password-when-connecting-to-exchange-2007-rpc-over-http-outlook-anywhere/

1. Role: Active Directory Certificate Services
   (Certification Authority & Certification Authority Web Enrollment)
   (if asked for an expire date, put it on 2060 or so)

Summary:
First we create a certificate server for the domain, after that we export a certificate request from Exchange, we import it in the created Certificate Authority server using the web interface, then save the .cer file  and import that one in Exchange again. After all that, do not forget to import the Certificate Authority certificate on the client pcs to avoid security warnings.

Step 1: Creating exchange certificate and exporting the request:

Follow this tutorial:
http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx
- On the Organization and Location page, save the .req file for e.g. C:\Exch_req.req.
When asked to send the request to a certificate authority, goto step 2. After step 2 continue the above tutorial.

Step 2: Submit Certificate request to your Certificate server

1. In IE on your Certificate Server, surf to https://127.0.0.1/certsrv (first make sure 127.0.0.1 is a trusted website)
   
2. Click Request a certificate
3. Advanced certificate request
4. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
5. Open C:\Exch_req.req with notepad, and copy the thumbprint (the string between the  start and end message)
6. Paste this thumbprint in the Saved Request: field
7. Change the Certificate Template to Web Server
8. Click Submit
9. Download the Base64 version, .cer and .p7b version, save them to C:\exch-sert.cer and C:\exch-sert.p7b
10. Continue the tutorial from step 1.

Step 3: Get your CA certificate and create installation web page for clients (so clients accept all certificates from this CA)

1. Again goto https://127.0.0.1/certsrv/
2. Click Download a CA certificate, certificate chain, or CRL, and click Yes in the Web Access Confirmation dialog
3. Select Base 64
4. Click Download CA certificate and save it to C:\CA-cert.cer
5. Create an edit C:\Inetpub\Wwwroot\Rootinstall.asp
6. Open: http://support.microsoft.com/?scid=kb%3Ben-us%3B297681&x=6&y=7 and goto step 3, copy that text in the file.
7. Replace
   Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)
   by
   Set MyFile = fs.OpenTextFile("C:\CA-cert.cer", 1)
8. Browse to the Rootinstall.asp file from a client browser. If your root certificate is not already in the store, you are prompted to install it.

Vista / Windows 7: The Rootinstall.asp page doesn't seem to work in Vista and 7, Clients have to install the certificate manual.
To allow clients to download the above created .cer file, open the Server Manager and open IIS7,

First add the mime type: (IIS > Mime Types, add extension: .cer, type: application/pkix-cert)

Second, rename the .cer mapping to .cer1 to allow the file to be downloaded by the clients.

Links
http://it.thelibrarie.com/weblog/?p=55