Rather by accident I discovered this was not working on the site. I know it used to work, but when the old certificate expired last year I was on holiday in The States, and had a panic trying to disable https, (to keep the site up until I got back and bought a new cert). So I’m guessing it’s been broken since then.
Solution
I spent about two days looking at forums about how to do this, and every time I edited the NGINX default file, the site stopped working. In the end I found one post in the middle of a discussion about this and that was the ONLY solution that worked for me.
Paste the following WITHIN your server block.
[box]
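# Force HTTP to HTTPS Redirection (Entire Site)
if ($scheme != "https") {
    # $request_uri is the raw request URI; the decoded $uri could place CR/LF into the Location header.
    # The trailing ? stops NGINX appending the query string a second time.
    rewrite ^ https://$host$request_uri? permanent;
}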
[/box]
Related Articles, References, Credits, or External Links
Note: Below I’m using Exchange 2016, but the same approach will work for previous versions.
There are a load of reasons why you might want to do this, but before you go off in this direction consider why you are doing this in the first place. For example, if the user requesting this does not need an Exchange mailbox, i.e. because they only use their Gmail account then it’s probably a better idea to make them a mail-user. (That’s an AD user account, that has an external mailbox, and does not have an Exchange mailbox). For staff e.g. external contractors, part time staff, holiday cover staff, Mail-users might be a better fit.
If you are still reading, you have a user with an Exchange mailbox and you want to forward their email to an email address outside your organisation. There are many ways of enabling forwarding, but fundamentally there are only two things to consider:
Do you still want mail to get delivered to their Exchange mailbox while forwarding?
What is the external Email address you want to forward to?
Armed with this information you can decide what approach you want to take to achieve this.
Solution
Option 1: Get The User to Set Up Mail Forwarding in OWA
The best option for the lazy admin! “Oh, are you aware you can set this up yourself?” Even give them this URL as a walkthrough if you like 🙂
From within Outlook Web App open your ‘Options’
Mail > Inbox and Sweep Rules > Inbox Rules > Add
Note: On older versions of OWA look in Organize email > inbox rules > Add.
Give the rule a name > Set to [Apply to all messages] > Forward, Redirect or Send > Forward Message To.
Note: Setting Redirect instead of Forward will NOT keep a copy in your local Exchange Mailbox.
Enter the external email address to forward to > Save.
OK.
Option 2: Enable Mail Forwarding In Exchange Admin Center
To forward mail externally for an ‘Exchange Mailbox User’, you need to create a ‘Contact’. A contact is an active directory object (not a user) that has an email address (in our case the external one). Log into Exchange Admin Center > Recipients > Contacts > Add > Mail Contact.
Create a contact and give it a sensible name (so when it appears in the Global Address List it’s obvious what it is*)
*Note: You can hide them from the GAL if you like, with the following PowerShell;
On the Mailbox Tab, locate the user you want to setup forwarding for, and edit them.
Mailbox Features > Scroll Down to ‘Mail Flow‘ > View Details > Tick ‘Enable Forwarding‘ > Browse to the CONTACT you created earlier > OK.
Note: You may also want to select “Deliver message to both forwarding address and mailbox”.
Option 3: Setup Mailbox Forwarding With PowerShell
There’s a lot of rubbish written about this online; sites give you a line of PowerShell to paste in and it does not work, because there are other things you need to do to make this work.
Example 1: Couldn’t find object “pete@externaldomain.com“. Please make sure that it was spelled correctly or specify a different..
If you setup mail forwarding using the ExternalEmailAddress you need to CREATE A CONTACT FIRST! Or you see the error above.
To Setup External Forwarding and Keep a Local Copy of the Email
Note: It’s the ‘$false‘ that does not maintain the local copy.
What about ExternalSMTPEmailAddress?
OK, there’s another parameter you can set; it’s called ExternalSMTPAddress. When you set this you DON’T NEED A CONTACT. This sounds great, and again there’s a load of blog posts that give you the PowerShell to set this for a user AND IT DOES NOT WORK!
Note: If you setup mail forwarding using this method the forwarding address is NOT VIEWABLE IN THE GUI, if you have enabled keep a local copy, that IS viewable.
Example 2 : My ExternalSMTPAddress Forwarder is not working?
This is because, as other sites don’t tell you, unless you have set the target domain (for the remote email address) as AutoForwardEnabled, it has a habit of not working!
See below to set up mail forwarding with ExternalSMTPAddress properly.
To Setup External Forwarding and Keep a Local Copy of the Email
Note: It’s the ‘$false‘ that does not maintain the local copy.
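The two methods above as one added example (not the original article's commands), using the Set-Mailbox parameters ForwardingAddress (needs a contact) and ForwardingSmtpAddress (no contact, paired here with a remote domain that has AutoForwardEnabled set). The function name, mailbox alias and contact naming are placeholders.

```powershell
# Added example: run in the Exchange Management Shell.
function Set-ExternalForward {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,        # mailbox alias (placeholder)
        [Parameter(Mandatory)] [string] $Address,        # external SMTP address
        [switch] $UseContact,                            # contact method (visible in the GUI)
        [bool]   $KeepLocalCopy = $true                  # $false forwards without a local copy
    )

    if ($UseContact) {
        # Contact method: the contact must exist first, or Set-Mailbox
        # fails with "Couldn't find object".
        $contactName = "$Mailbox (External Forward)"     # naming is an assumption
        if (-not (Get-MailContact -Identity $contactName -ErrorAction SilentlyContinue)) {
            New-MailContact -Name $contactName -ExternalEmailAddress $Address | Out-Null
        }
        # Optional: hide the contact from the Global Address List.
        Set-MailContact -Identity $contactName -HiddenFromAddressListsEnabled $true
        Set-Mailbox -Identity $Mailbox -ForwardingAddress $contactName `
            -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $KeepLocalCopy
    }
    else {
        # SMTP address method: allow auto-forwarding to this one target domain only.
        $domain = $Address.Split('@')[1]
        if (-not (Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $domain })) {
            New-RemoteDomain -Name $domain -DomainName $domain | Out-Null
        }
        Set-RemoteDomain -Identity $domain -AutoForwardEnabled $true
        Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $Address `
            -ForwardingAddress $null -DeliverToMailboxAndForward $KeepLocalCopy
    }

    # Show the result; this is the only place the SMTP address method is visible.
    Get-Mailbox -Identity $Mailbox |
        Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}

# Contact method, keeping a local copy:
Set-ExternalForward -Mailbox 'jane.doe' -Address 'pete@externaldomain.com' -UseContact

# SMTP address method, no local copy:
# Set-ExternalForward -Mailbox 'jane.doe' -Address 'pete@externaldomain.com' -KeepLocalCopy $false
```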
Removing Mail Forwarding For a User
I won’t insult your intelligence and tell you how to do this in the GUI, just reverse engineer the above, but if you used ForwardingSMTPAddress you won’t see it in the GUI! To remove ALL forwarding for a user, use the following command;
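An added audit-and-removal example (not from the original article): because forwarding set by SMTP address is not shown in the GUI, listing forwarders from the shell is the dependable way to see which mailboxes send mail outside the organisation before clearing them. The alias `jane.doe` is a placeholder.

```powershell
# Added example: run in the Exchange Management Shell with rights to read all mailboxes.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (Options 2 and 3), including values the GUI does not show.
$mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. User-created inbox rules (Option 1) that forward or redirect mail.
$rules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.DistinguishedName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.Name } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$rules | Format-List

# 3. Remote domains that currently allow automatic forwarding.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 4. Remove ALL mailbox-level forwarding for one user.
$Mailbox = 'jane.doe'    # placeholder alias
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null `
    -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Inbox rules are separate objects and are not cleared by Set-Mailbox;
# review the output of step 2 and use Disable-InboxRule or Remove-InboxRule as needed.
```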
“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that eats up users’ time and fills your mail stores with junk, and time/disk space costs money.
SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.
SEM Pre-Requisites
1. Exchange 2000, 2003, 2007, 2010, or 2013.
2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.
3. .Net framework version 2.0 (SP1).
4. MDAC (Microsoft Data Access Components) version 2.7.
5. Internet Information Services.
Solution
Before You Start
1. If you have already installed the Microsoft Anti Spam agents you might want to remove them, (not that you have to). If you don’t know you can run the following command;
[box]
Get-TransportAgent
[/box]
If you just have the four below then you DO NOT have the extra agents installed.
2. If yours looks like the one below, then YOU DO have them installed.
3. As stated you don’t have to remove them but if you want to simply execute the following two commands;
[box]
cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
./Uninstall-AntispamAgents.ps1
[/box]
4. Answer each question, then run;
[box]
services.msc
[/box]
5. Restart the Microsoft Exchange Transport service.
7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.
8. The product will install.
9. At this point it’s downloading definitions from the internet, and it will take a while.
10. When complete it needs to setup a user that the services will run under. Just supply a password > Next.
Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.
11. Finish.
12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.
13. Toolbars Tab: From here, I’ll jump straight to the configuration section, this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and add rights for users.
14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.
Note: The installer is a .exe file, I would have preferred a .msi file, so I could deploy this out (en masse), to domain clients via GPO.
17. Now when you launch Outlook you can see the plugin loading.
18. You will now have an extra toolbar with the following options.
BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.
19. Toolbars > Outlook Web Application: Install OWA toolbar.
20. Yes.
21. Now when your clients access OWA, you have the toolbar.
22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.
23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes, by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add on license). You can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.
24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.
SEM – SPAMfighter – Configuring and Working with Policies
This is pretty intuitive, and the default policy comes preconfigured and already applied, though as with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;
Filter Settings: What tools you are going to use to look for spam.
Accept Actions: What it will do if it finds nothing.
Block Actions: What it will do if it finds something.
User Filter settings: Exceptions to the filters for one or more users.
Mailboxes: Puts you straight back to the mailbox section you saw earlier.
25. Out of the box there are five filters enabled.
26. But there are four further filters that you can add to the policies.
SPAMfighter – Filters
27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.
28. SPAMfighter Sender Filter > Whitelist: Simply add either a particular email address you want to allow or add in an entire domain.
29. If your lists get a little unwieldy you can import or export them, and choose whether to overwrite them or append the imported list to your existing list.
30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.
31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses our users send to to the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.
Note: This will be enabled by default in the next release.
32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.
33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.
34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.
35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default, the list of file extensions is quite long, and contains some commonly used file extensions. You will need to do some planning and testing with this one if you want to enable it.
36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users, it uses a scoring/weighting system. You simply set a threshold; the higher you set it, the more mail will be stopped. This will require some fine tuning.
37. SPAMfighter Language Filter: This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.
SPAMfighter Filters that you can Manually Add to the Policy.
38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably why this is not on the default policy.
39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.
40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.
41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score, if the score is higher than a certain threshold this filter will aggregate all those scores and block the mail.
SPAMfighter – Policies > Accept Actions
42. If the mail makes it through all the filters, then this section decides what happens with it.
43. And that is adding information to the mail header that says the mail was scanned and accepted.
SPAMfighter – Policies > Block Actions
44. If the mail gets blocked by any of the filters, this section decides how that is handled.
Note: You can add other actions from the drop-down list below if this does not do what you require.
45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.
46. SPAMfighter Move To Folder Policy Action > Mailboxes : The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the users mailbox.
Note: You can redirect that mail to another mailbox if that is your preference.
47. The system for Public Folders (if you use them) is identical.
48. Contacts: As it says, contacts do not have a mailbox, but you can redirect filtered contact mail to a specific mailbox should you wish.
49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.
50. You can create new policies and apply them to particular users or usergroups, and make the system as granular as you like.
51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.
52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.
53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.
Related Articles, References, Credits, or External Links
Out of the box, Exchange (quite rightly) secures Outlook Web Access so that you have to access it via https. The problem is some of your users are used to accessing websites via http, (or simply typing a URL in their browser, without typing any prefix, so it defaults to http).
If you try and access OWA via http://server.domain.com/owa..
There are a number of ways to get round this, the simplest is to redirect that error message (above) back to the correct OWA URL.
WARNING: DO NOT do this on a Microsoft SBS Server. (For SBS you need to create the custom error messages on the OWA Virtual Directory (directly)). This procedure assumes you have a stand alone Exchange CAS server with no other web services or virtual directories being served from its IIS.
Solution
1. Open IIS Manager and drill down to the Default Web Site > Error Pages.
2. Add > Status code = 403.4 > Select “Respond with a 302 Request” > Type in the correct (https) URL for your OWA site > OK.
3. Then restart the website (or reboot the server).
Note: DON’T attempt to test this on the Exchange server itself! That will always show the original error, you need to test it from a client machine.
Related Articles, References, Credits, or External Links
AnyConnect is great for users, but most of them are not used to typing full URLs into their browsers. Modern browsers will prefix your URL with ‘http://’ for you. That’s brilliant most of the time, but AnyConnect and SSL VPN need to go to ‘https://’.
Wouldn’t it be good if your users typed vpn.petenetlive.com into their browsers, and instead of the browser ‘helpfully’ changing that to http://vpn.petenetlive.com and giving you an error message, the ASA redirected the traffic to https://vpn.petenetlive.com automatically?
Solution
There is just one command to do this for you, and it’s ‘http redirect outside 80‘. Below I’ve enabled it then saved the change.
[box]
Sent username "pix"
Type help or '?' for a list of available commands.
PetesASA>
PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)# http redirect outside 80
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: ac21d44c 109662c4 66495572 e5a106c7
49756 bytes copied in 3.540 secs (16585 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Related Articles, References, Credits, or External Links