Forefront TMG 2010 SP2 Rollup 5

A short notice for those utilizing TMG in their environment on the release of Rollup 5 for Microsoft Forefront Threat Management Gateway (TMG) 2010, Service Pack 2 (KB2954173).

Changes in this update:

  • 2963805 Account lockout alerts are not logged after you install Rollup 4 for TMG 2010 SP2
  • 2963811 FIX: The TMG Firewall service (wspsrv.exe) may crash when the DiffServ filter is enabled
  • 2963823 “1413 Invalid Index” after you enable cookie sharing across array members
  • 2963834 HTTPS traffic may not be inspected when a user accesses a site
  • 2967726 New connections are not accepted on a specific web proxy or web listener in Threat Management Gateway 2010
  • 2965004 EnableSharedCookie option doesn’t work if the Forefront TMG service runs under a specific account
  • 2932469 An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010
  • 2966284 A zero value is always returned when an average counter of the “Forefront TMG Web Proxy” object is queried from the .NET Framework
  • 2967763 The “Const SE_VPS_VALUE = 2” setting does not work for users if the UPN is not associated with a real domain
  • 2973749 HTTP Connectivity verifiers return unexpected failures in TMG 2010

TMG support will end on April 14th, 2015 and extended support will end on April 14th, 2020.

You can request Forefront TMG SP2 RU5 directly from support here.

Forefront TMG 2010 SP2 Rollup 4

A short blog on the release of Rollup 4 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (KB2870877).

Changes in this update:

  • 2889345 Accounts are locked out beyond the AccountLockoutResetTime period in Forefront Threat Management Gateway 2010 SP2
  • 2890549 Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront Threat Management Gateway 2010
  • 2890563 “URL” and “Destination Host Name” values are unreadable in the web proxy log of Forefront Threat Management Gateway 2010
  • 2891026 Firewall Service leaks memory if Malware Inspection is enabled in Forefront Threat Management Gateway 2010
  • 2888619 A password change is unsuccessful if a user’s DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront Threat Management Gateway 2010
  • 2863383 “Query stopped because an error occurred while it was running” when you run a non-live query in Forefront Threat Management Gateway 2010 SP2
  • 2899720 Threat Management Gateway 2010 incorrectly sends “Keep-Alive” headers when it replies to Media Player WPAD file requests
  • 2899716 Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront Threat Management Gateway 2010
  • 2899713 Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

This again shows that TMG isn’t “dead” yet, even after receiving its End-of-Life status. Note that TMG support will end on April 14th, 2015 and extended support will end on April 14th, 2020.

You can request Forefront TMG SP2 RU4 directly from support here.

Exchange 2010 SP3 Rollup 2 & SP2 RU7 (updated)

Note that the installation of Exchange 2010 SP3 RU2 might prompt for the Service Pack files. Yes, you read that right. Exchange fellow Steve Goodman posted a blog on this issue here.

Today the Exchange Team released Rollup 2 for Exchange Server 2010 Service Pack 3 (KB2866475). This update raises Exchange 2010 version number to 14.3.158.1.

Here’s a list of fixes contained in this Rollup:

    • 2837926 Error message when you try to activate a passive copy of an Exchange Server 2010 SP3 database: “File check failed”
    • 2841150 Cannot change a distribution group that contains more than 1,800 members by using ECP in OWA in an Exchange Server 2010 environment
    • 2851419 Slow performance in some databases after Exchange Server 2010 is running continuously for at least 23 days
    • 2853899 Only the first page of an S/MIME signed or encrypted message is printed by using OWA in an Exchange Server 2010 environment
    • 2854564 Messaging Records Management 2.0 policy can’t be applied in an Exchange Server 2010 environment
    • 2855083 Public Folder contents are not replicated successfully from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
    • 2859596 Event ID 4999 when you use a disclaimer transport rule in an environment that has Update Rollup 1 for Exchange Server 2010 SP3 installed
    • 2860037 iOS devices cannot synchronize mailboxes in an Exchange Server 2010 environment
    • 2861118 W3wp.exe process for the MSExchangeSyncAppPool application pool crashes in an Exchange Server 2010 SP2 or SP3 environment
    • 2863310 You cannot send an RTF email message that contains an embedded picture to an external recipient in an Exchange Server 2010 SP3 environment
    • 2863473 Users cannot access Outlook mailboxes that connect to a Client Access server array in an Exchange Server 2010 environment
    • 2866913 Outlook prompts to send a response to an additional update even though the response request is disabled in an Exchange Server 2010 environment
    • 2870028 EdgeTransport.exe crashes when an email message without a sender address is sent to an Exchange Server 2010 Hub Transport server
    • 2871758 EdgeTransport.exe process consumes excessive CPU resources on an Exchange Server 2010 Edge Transport server
    • 2873477 All messages are stamped by MRM if a deletion tag in a retention policy is configured in an Exchange Server 2010 environment

In addition to these fixes, this Rollup also includes a fix for the security issue described in Microsoft Security Bulletin MS13-061.

Notes:

  • As of Service Pack 2 Rollup 4, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable;
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking;
  • If you have a DAG and want to properly update the DAG members, check the instructions here;
  • Rollups are cumulative, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP3 Rollup 2 here.

Exchange 2010 SP2
For those still on Exchange 2010 SP2, Microsoft released Exchange 2010 SP2 Rollup 7. This Rollup only includes the MS13-061 security fix and raises Exchange 2010 SP2’s version number to 14.2.375.0. It can be downloaded here; the related KB article is KB2874216.

Exchange 2010 SP2 Rollup 6

Today the Exchange Team released Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164). This update raises Exchange 2010 version number to 14.2.342.3.

Here’s the list of changes included in this Rollup:

  • 2489941 The “legacyExchangeDN” value is shown in the “From” field instead of the “Simple Display Name” in an email message in an Exchange Server 2010 environment
  • 2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment
  • 2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment
  • 2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment
  • 2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment
  • 2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment
  • 2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server
  • 2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server
  • 2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment
  • 2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment
  • 2760999 “The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain” error message when you use the Hybrid Configuration wizard in an Exchange Server
  • 2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment
  • 2779387 Duplicated email messages are displayed in the Sent Items folder in a EWS-based application that accesses an Exchange Server 2010 Mailbox server
  • 2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment
  • 2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment
  • 2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment
  • 2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment
  • 2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment
  • 2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment
  • 2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment
  • 2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment
  • 2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server
  • 2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment
  • 2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later
  • 2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server
  • 2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment
  • 2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization
  • 2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment
  • 2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes
  • 2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment
  • 2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2

In addition to these fixes, this Rollup also includes a fix for the security issue described in Microsoft Security Bulletin MS13-012.

As of Rollup 4, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable.

If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.

If you have a DAG and want to properly update the DAG members, check the instructions here.

Note that Rollups are cumulative, i.e. they contain fixes released in earlier Rollups for the same product level (RTM, SPx). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP2 Rollup 6 here.

Forefront TMG 2010 SP2 Rollup 3

A short blog on the release of Rollup 3 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

For Exchange, this Rollup fixes unexpected authentication prompts when using OWA published through Forefront Threat Management Gateway (TMG) 2010 in conjunction with RSA authentication and Forms-based Authentication (FBA). For a full list of changes, consult knowledge base article KB2735208.

This again proves that TMG isn’t “dead”, even after receiving its End-of-Life status. So again, if you have TMG, don’t panic: for TMG, support will end on April 14th, 2015 and extended support will end on April 14th, 2020. You have some time to look into alternatives.

You can request Forefront TMG SP2 RU3 directly from support here.

Exchange 2010 SP2 Rollup 5 v2

Today the Exchange Team released version 2 of Rollup 5 for Exchange Server 2010 Service Pack 2 (KB2785908). This is an updated version of Rollup 5, released on November 14th but pulled due to a DAG issue; this updated Rollup should fix that issue. This update raises Exchange 2010 version number to 14.2.328.10.

For a list of changes included in the original version of Rollup 5, consult the original EX2010SP2RU5 post here. In addition, this version of the Rollup addresses vulnerabilities described in MS12-080 and will fix the following error when running Get-DatabaseAvailabilityGroup after installing the original version of the Rollup:

An unexpected error has occurred and a Watson dump is being generated: Could not load type ‘Microsoft.Exchange.Rpc.ActiveManager.AmDeferredRecoveryEntry’ from assembly ‘Microsoft.Exchange.Rpc, Version=14.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’.

Oddly, when comparing the lists of issues fixed, the following fix went MIA in Rollup 5 v2:

  • 2748870 Declined meeting request is added back to your calendar after a delegate opens the request by using Outlook 2010

I’ll update this article when I receive information on the missing KB2748870 fix.

As of Rollup 4, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable.

If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.

If you have a DAG and want to properly update the DAG members, check the instructions here.

Note that Rollups are cumulative, i.e. they contain fixes released in earlier Rollups for the same product level (RTM, SPx). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP2 Rollup 5 v2 here.

Exchange 2010 SP2 Rollup 5 (Updated)

Update (November 16th): It turns out there’s a serious bug affecting DAGs after installing RU5. The recommendation is not to deploy RU5 while Microsoft investigates the issue. Meanwhile, the RU was also pulled. Note that this is the exact reason why I emphasize not rushing updates into production and running them in test and acceptance environments first. When testing is not an option (but there are lots of options there with free virtualization technologies available), I recommend maintaining an incubation period of at least 1 month and monitoring sites like the TechNet forum or related comments on the EHLO blog for issues.

Today the Exchange Team released Rollup 5 for Exchange Server 2010 Service Pack 2 (KB2719800). This update raises Exchange 2010 version number to 14.2.328.5.

Here’s the list of changes in this Rollup:

  • 2707146 IRM-protected messages cannot be returned in search results if the messages are recorded and sent to an external contact in an Exchange Server 2010 environment
  • 2710975 Some MAPI property objects in an ANSI .pst file contain unreadable characters if you import the file by using the “New-MailboxImportRequest” cmdlet
  • 2712001 ExTRA.exe does not collect data if you select a scheduled task for a data collection in an Exchange Server 2010 environment
  • 2712595 Microsoft Exchange RPC Client Access service crashes when you run the New-MailboxExportRequest cmdlet in an Exchange Server 2010 environment
  • 2716145 Store.exe crashes on an Exchange Server 2010 mailbox server if a VSAPI based antivirus software is used
  • 2717522 Microsoft Exchange System Attendant service crashes on an Exchange Server 2010 server when you update the OAB that contains a DBCS address list
  • 2720017 An RBAC role assignee can unexpectedly change a DAG that is outside the management role group scope in an Exchange Server 2010 environment
  • 2727802 Microsoft Exchange Replication service crashes intermittently when you try to move mailboxes from an Exchange Server 2003 server to an Exchange Server 2010 server
  • 2733415 Event ID 1 is logged on the Exchange Server 2010 Client Access server in a mixed Exchange Server 2010 and Exchange Server 2003 environment
  • 2733609 Email message and NDR message are not delivered if an email message contains unsupported character sets in an Exchange Server 2010 environment
  • 2743761 DAG loses quorum if a router or switch issue occurs in an Exchange Server 2010 environment
  • 2748766 Retention policy information does not show “expiration suspended” in Outlook Web App when the mailbox is set to retention hold in an Exchange Server 2010 environment
  • 2748767 You receive an NDR message that incorrectly contains recipients of successful message delivery in an Exchange Server 2010 environment
  • 2748870 Declined meeting request is added back to your calendar after a delegate opens the request by using Outlook 2010
  • 2748879 You cannot access a mailbox by using an EWS application in an Exchange Server 2010 environment
  • 2749075 A copy of an archived item remains in the Recoverable Items folder of a primary mailbox in an Exchange Server 2010 environment
  • 2749593 Outlook logging file lists all the accepted and internal relay domains in the Exchange Server 2010 organization when you enable troubleshooting logging
  • 2750293 Items remain in the “Recoverable Items\Deletions” folder after the retention age limit is reached in an Exchange Server 2010 environment
  • 2750847 An Exchange Server 2010 user unexpectedly uses a public folder server that is located far away or on a slow network
  • 2763886 “The operation failed” error in the Outlook client when you open a saved message from the Drafts folder and then try to send it in an Exchange Server 2010 environment

As of Rollup 4, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable.

If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.

If you have a DAG and want to properly update the DAG members, check the instructions here.

Note that Rollups are cumulative, i.e. they contain fixes released in earlier Rollups for the same product level (RTM, SPx). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP2 Rollup 5 here.

Rereleases of latest Exchange 2010 and 2007 Rollups

The Exchange team rereleased the following Rollups:

These v2 updates solve an issue with a prematurely expiring certificate used to sign the update (see KB2749655), i.e. no code changes (apart from KB2756987).

The Exchange Versions, builds & dates page has been updated accordingly, including updated product version numbers.

Exchange 2010 SP2 Rollup 4

Today the Exchange Team released Rollup 4 for Exchange Server 2010 Service Pack 2 (KB2706690). This update raises Exchange 2010 version number to 14.2.318.2.

Here’s the list of changes in this Rollup:

  • 2536846 Email messages sent to a mail-enabled public folder may be queued in a delivery queue on the Hub Transport server in an Exchange Server 2010 environment
  • 2632409 Sent item is copied to the Sent Items folder of the wrong mailbox in an Exchange Server 2010 environment when a user is granted the Send As permission
  • 2637915 “550 5.7.1” NDR when an email message is sent between tenant organizations in a multi-tenant Exchange Server 2010 environment
  • 2677727 MRM cannot process retention policies on a cloud-based archive mailbox if the primary mailbox is in an on-premises Exchange Server 2010 organization
  • 2685001 Retention policies do not work for the Calendar and Tasks folders in an Exchange Server 2010 SP1 environment
  • 2686540 Journal report is not delivered to a journaling mailbox in an Exchange Server 2010 environment
  • 2689025 Performance issues when you use the light version of Outlook Web App in an Exchange Server 2010 environment
  • 2698571 Some email messages are not delivered when you set the MessageRateLimit parameter in a throttling policy in an Exchange Server 2010 environment
  • 2698899 Add-ADPermission cmdlet together with a DomainController parameter fails in an Exchange Server 2010 environment
  • 2700172 Recipient’s email address is resolved incorrectly to a contact’s email address in an Exchange Server 2010 environment
  • 2701162 User A that is granted the Full Access permission to User B’s mailbox cannot see detailed free/busy information for User B in an Exchange Server 2010 environment
  • 2701624 ItemSubject field is empty when you run the Search-MailboxAuditLog cmdlet together with the ShowDetails parameter in an Exchange Server 2010 environment
  • 2702963 The “Open Message In Conflict” button is not available in the conflict notification message in Exchange Server 2010
  • 2707242 The Exchange Information Store service stops responding on an Exchange Server 2010 server
  • 2709014 EdgeTransport.exe process crashes intermittently on an Exchange Server 2010 server
  • 2709935 EdgeTransport.exe process repeatedly crashes on an Exchange Server 2010 server
  • 2713339 Multi-Mailbox Search feature returns incorrect results when you perform a complex discovery search in an Exchange Server 2010 environment
  • 2713371 Throttling policy throttles all EWS applications in Exchange Server 2010
  • 2719894 The Microsoft Exchange RPC Client Access service consumes 100 percent of CPU resources and stops responding on an Exchange Server 2010 Client Access server
  • 2723383 Incorrect time zone in a notification when the Resource Booking Attendant declines a meeting request from a user in a different time zone in an Exchange Server 2010 environment
  • 2724188 A subject that contains colons is truncated in a mixed Exchange Server 2003 and Exchange Server 2010 environment
  • 2726897 Event 14035 or Event 1006 is logged when Admin sessions are exhausted in an Exchange Server 2010 environment

In addition to these fixes, this Rollup also includes a fix for the WebReady security issue described in Microsoft Security Bulletin MS12-058 (KB2740358).

Note that this Rollup includes changes enabling Retention Tags for Calendar Items and Tasks (see KB2685001). If you wish to retain pre-SP2RU4 functionality, implement the following registry key on each Mailbox server:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMailboxAssistants\Parameters\ELCAssistantCalendarTaskRetentionEnabled=0x00000000 (REG_DWORD); default value is 1. More information on possible implications is available at the Exchange Team’s blog here.

Important: Be advised that it is reported that installing MS12-058 (KB2740358) means Rollup 4 will be installed on your system. This applies to manual installations as well as to updates installed through Windows Update / WSUS, which might pose a challenge (or better, dilemma) for security departments (thanks to Paul Bendall).

Those who use WSUS to deploy security updates or manually apply MS12-058 will be inadvertently applying Exchange 2010 SP2 RU4 as the security

As of this Rollup, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable.

Note that Rollups are cumulative, i.e. they contain fixes released in earlier Rollups for the same product level (RTM, SPx). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production. For the correct procedure on how to update DAG members, check here.

You can download Exchange 2010 SP2 Rollup 4 here.

TechEd North America 2012 sessions

With the TechEd North America 2012 event still running, recordings and slide decks of finished sessions are becoming available online. Here’s an overview of the Exchange-related sessions: