User Rights Assignment Windows 2008 Server Relay

  • On the computer running NPS, in Server Manager, expand Network Policy and Access Services, expand NPS, expand Policies, and then click Network Policies.

  • In the Actions pane, click New.

    The New Network Policy wizard appears.

  • Type a name for the policy, for example, Grant Access to Members of CorpRemoteAccessUsers Group.

  • For Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.

  • On the Specify Conditions page, click Add.

  • On the Select condition dialog box, select User Groups, and then click Add.

  • On the User Groups dialog box, click Add Groups, type or browse to the group you want to add, and then click OK.

    The domain/group name appears in the User Groups dialog box.

  • Click OK. The User Groups condition with the domain/group name appears on the Specify Conditions wizard page.

  • Click Next.

  • On the Specify Access Permission wizard page, select Access granted, and then click Next.

  • On the Configure Authentication Methods wizard page, specify the authentication methods to be used when this policy is used to configure a connection to the RRAS server. When you have selected and configured the methods, click Next.

    Security Note
    We recommend that you use only one of the EAP authentication methods or MS-CHAP-v2.

  • On the Configure Constraints wizard page, specify parameters that you want to enforce on the connection. For Idle Timeout and Session Timeout, the connection is dropped if either timeout value is reached. For the other constraints, the connection request must match the configured parameter, or the connection attempt is rejected. Click Next.

  • On the Configure Settings wizard page you can configure Remote Authentication Dial-In User Service (RADIUS) attributes that are sent to the client to configure its use of the connection. If your network uses Network Access Protection (NAP) to help enforce network client health, then you can configure the connection to allow only limited access to a remediation server group until the client is verified as compliant with the NAP policy. You can also configure whether the client can use multiple connections to increase available bandwidth and how that bandwidth is managed. Finally, you can configure IP filters to restrict network traffic that can be sent or received, the encryption that is used for the connection, and how the client receives its IP address configuration for the connection.

  • On the Completing New Network Policy wizard page, confirm your settings. Click Previous to return to any page to adjust any settings. Click Finish on this page when you are done.

    The policy is saved, and appears in the Network Policies list. The policy is assigned a Processing Order. Policies are evaluated in the order shown in this column. The first policy to match the conditions of the connection request is the one used to authorize and configure the connection. When troubleshooting connection failures, ensure that the policy order is not causing an unexpected policy to be used.

    SMTP (Simple Mail Transfer Protocol) is used when you set up an on-premises multi-function printer, scanner, fax, or line of business (LOB) application that needs to send email. If some or all of your mailboxes are in Office 365, there are a few options available: SMTP relay, client SMTP submission, or Direct Send.

    SMTP Relay: An SMTP relay is used to send mail from your organization by authenticating the IP address or certificate of the sender. Any email address (including non-Office 365 mailboxes) can send mail using an SMTP relay, as long as it uses a domain that’s set up as yours in Office 365.

    Client SMTP Submission: Client SMTP submission allows your device or LOB application to send emails using an email address associated with an Office 365 mailbox by authenticating itself with that account. Each device can have its own sender address, or all devices can use one address such as printer@yourdomain.com.

    Direct Send: Direct Send can be used if the device or LOB application has the ability to send mail by itself. In that case the device or LOB application does not use Office 365 to send the mail, but the mail is received by Office 365 for delivery to your Office 365 accounts.

    Requirements:

    • Your on-premises domain must be added as an accepted domain in Office 365. For example, if the account you’re relaying from is email@yourdomain.com, you have to add netwoven.com as an accepted domain in Office 365.
    • Your on-premises account must also be either an Exchange Online-licensed user in Office 365 or an alternative email address of an Exchange Online-licensed user. For example, if the account that you’re relaying from is sharepoint@yourdomain.com and you want to relay through email@yourdomain.com (an Office 365 user), you have to add sharepoint@yourdomain.com as an alternate email address of email@yourdomain.com.
    • You also need a virtual SMTP server running in your domain to relay mail to Office 365, authenticating itself as email@yourdomain.com.
    • You need an SMTP inbound connector in Exchange Online to allow the direct submission method of SMTP mail delivery.

    Configuration Steps:

    A. Configure Exchange Online to receive inbound email from other sources

    1. Obtain the public IP address you’re using on-premises. A dynamic IP address isn’t supported or allowed. You can share the IP with other devices and users, but you shouldn’t share the IP with anyone outside of your company. Make a note of this IP address for later.
    2. Log on to the Office 365 Portal.
    3. Select Domains. Highlight one of your domains and use the wizard to obtain your MX record. Or, if you already have a verified domain, go to Manage DNS to find the MX record. The MX record will look similar to yourdomain-com.mail.protection.outlook.com. Make a note of the MX record for later.

    4. Make certain that the domains that the application or device is sending as have been properly verified. If the domain is not verified, emails could be lost and you won’t be able to track them through Office 365 using Message Trace.
    5. Go to the Exchange Admin Center to create the SMTP connector. In the upper right, select Admin and then select Exchange from the drop-down. If you have Small Business, then see the instructions here.

    6. In the Exchange Admin Center, select Mail Flow > Connectors.

    7. If no inbound connector exists, create one.
      • Give the connector a name.
      • Select On-Premises for the Connector Type.
      • Under Domains, add a single asterisk (*). This will allow sending to any domain. Other values in this field will limit the domains that you can send mail to.
      • In the IP Addresses section, add the IP address from Step 1.
      • Leave all the other fields with their default values and select Save.

    8. In the DNS for your domain, we suggest that you modify your SPF record to include the IP address from Step 1. The finished string should look similar to this: v=spf1 ip4:20.1.1.3 include:spf.protection.outlook.com ~all where 20.1.1.3 is your public IP address. Skipping this step could cause email to be sent to recipients’ junk mail folders.
    9. In the device’s settings, specify a Smart Host value equal to the MX record value you recorded in Step 3.
    10. Now it’s time to create an IIS SMTP relay on-premises so that all applications can send mail.
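The SPF change in Step 8 is easy to get subtly wrong (relay IP missing, EOP include dropped, or no closing all mechanism). The following script is an added example, not part of the original article: it parses the SPF TXT string and reports whether the relay's public IP is covered by an ip4 mechanism, whether spf.protection.outlook.com is still included, and which all qualifier closes the record. All sample values are constructed, and only IPv4 mechanisms are handled.

```powershell
# Added example, not from the original article. Checks the SPF TXT string from Step 8:
# is the relay's public IP covered by an ip4 mechanism, is Exchange Online Protection
# still included, and which 'all' qualifier closes the record. Sample values are constructed.
function ConvertTo-BitString {
    param([string]$Ipv4)
    # 32-character binary string so that a /len prefix compare is a plain substring compare (IPv4 only)
    $bytes = [System.Net.IPAddress]::Parse($Ipv4).GetAddressBytes()
    ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

function Test-SpfCoversRelay {
    param(
        [Parameter(Mandatory)][string]$SpfRecord,   # raw TXT value, e.g. the string shown in Step 8
        [Parameter(Mandatory)][string]$RelayIp      # public IP noted in Step 1
    )
    $terms = $SpfRecord.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: '$SpfRecord'" }

    $relayBits   = ConvertTo-BitString $RelayIp
    $ipCovered   = $false
    $eopIncluded = $false
    $allTerm     = '(missing)'
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        switch -Regex ($term) {
            '^\+?ip4:(?<net>[\d.]+)(/(?<len>\d{1,2}))?$' {
                $len = if ($Matches['len']) { [int]$Matches['len'] } else { 32 }
                $netBits = ConvertTo-BitString $Matches['net']
                if ($len -le 32 -and $relayBits.Substring(0, $len) -eq $netBits.Substring(0, $len)) {
                    $ipCovered = $true
                }
            }
            '^\+?include:spf\.protection\.outlook\.com$' { $eopIncluded = $true }
            '^[-~+?]?all$' { $allTerm = $term }   # -all = fail, ~all = softfail for unlisted senders
        }
    }
    [pscustomobject]@{ RelayIpCovered = $ipCovered; EopIncluded = $eopIncluded; AllQualifier = $allTerm }
}

# Constructed sample: the Step 8 record, but with a /30 block instead of a single host
Test-SpfCoversRelay -SpfRecord 'v=spf1 ip4:20.1.1.0/30 include:spf.protection.outlook.com ~all' -RelayIp '20.1.1.3'
# Live check instead of a literal: (Resolve-DnsName yourdomain.com -Type TXT).Strings -join ''
```

A result of RelayIpCovered = False means the relay's mail will fail SPF at the recipient and is the usual cause of the junk-folder symptom mentioned in Step 8.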

    B. Set up Exchange Online as an SMTP Relay Using Windows Server 2012

    Install Internet Information Services (IIS)
    1. In Server Manager, select Add Roles.
    2. On the Before you begin page in the Add Roles Wizard, select Next.
    3. On the Select Installation Type page, select Role-based or Feature-based installation.
    4. On the Select destination server page, choose Select a server from the server pool, and select the server that will be running SMTP services. Select Next.
    5. On the Select Server Roles page, select Web Server (IIS), and then select Next. If a page that requests additional features is displayed, select Add Features and then select Next.
    6. On the Select Role Services page, make sure that Basic Authentication under Security is selected, and then select Next.
    7. On the Confirm Installation Steps page, select Install.
    Install SMTP
    1. Open Server Manager and select Add Roles and Features.
    2. Select Server Selection and make sure that the server that will be running the SMTP server is selected and then select Features.
    3. On the Select Features screen, choose SMTP Server. You may be prompted to install additional components. If that’s the case, select Add Required Features and select Next.
    4. Select Install. After the installation is finished, you may have to start the SMTP service by using the Services snap-in for the Microsoft Management Console (MMC).
    Set up SMTP
    1. Open Server Manager, select Tools, and then select Internet Information Services (IIS) 6.0.
    2. Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
    3. On the General tab, select Advanced > Add.
    4. In the IP Address box, specify the address of the server that’s hosting the SMTP server.
    5. In the Port box, enter 587 and select OK.
    6. On the Access tab, do the following:
      • Select Authentication and make sure that Anonymous Access is selected.
      • Select Connection > Only the List Below and then specify the IP address of the server that’s hosting SMTP.
      • Select Relay > Only the List Below and then specify the IP address of the server that’s hosting SMTP.
    7. On the Delivery tab, select Outbound Security, and then do the following:
      • Select Basic Authentication.
      • Enter the credentials of the Office 365 user who you want to use to relay SMTP mail.
      • Select TLS Encryption.
      • Select Outbound Connections and in the TCP Port box, enter 587 and select OK.

    C. Set up Exchange Online as an SMTP Relay Using Windows Server 2008

    Install Internet Information Services (IIS)

    1. In Server Manager, select Add Roles.
    2. On the Before you begin page in the Add Roles Wizard, select Next.
    3. On the Select Server Roles page, select Web Server (IIS) and select Install.
    4. Select Next until you get to the Select Role Services page.
    5. In addition to what is already selected, make sure that ODBC Logging, IIS Metabase Compatibility, and IIS 6 Management Console are selected and then select Next.
    6. When you’re prompted to install IIS, select Install. You may need to restart the server after the installation is finished.
    Install SMTP
    1. Open Server Manager and select Add Roles and Features.
    2. On the Select Features screen, choose SMTP Server. You may be prompted to install additional components. If that’s the case, select Add Required Features and select Next.
    3. Select Install. After the installation is finished, you may have to start the SMTP service by using the Services snap-in for the Microsoft Management Console (MMC).
    Set up SMTP
    1. Select Start > Administrative Tools > Internet Information Services (IIS) 6.0.
    2. Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
    3. On the General tab, select Advanced > Add.
    4. In the IP Address box, specify the address of the server that’s hosting the SMTP server.
    5. In the Port box, enter 587 and select OK.
    6. On the Access tab, do the following:
      • Select Authentication and make sure that Anonymous Access is selected.
      • Select Connection > Only the List Below and then specify the IP address of the server that’s hosting SMTP.
      • Select Relay > Only the List Below and then specify the IP address of the server that’s hosting SMTP.
    7. On the Delivery tab, select Outbound Security, and then do the following:
      • Select Basic Authentication.
      • Enter the credentials of the Office 365 user who you want to use to relay SMTP mail.
      • Select TLS Encryption.
      • Select Outbound Connections and in the TCP Port box, enter 587 and select OK.

    After creating the required settings for the IIS SMTP relay, we need to resolve an additional issue: enabling the IIS SMTP relay to send mail on behalf of another email address. For demonstration purposes, let’s use the following scenario:

    We want to enable two internal hosts to send email using the IIS SMTP server. One host is a SharePoint application that uses the email address sharepoint@yourdomain.com, and the other host is a TFS server that uses the email address tfs@yourdomain.com.

    When these hosts try to relay mail through the IIS SMTP server, the message will be rejected by the Exchange Online server because, by default, a recipient (in our example: email@yourdomain.com) cannot send email “on behalf” of other recipients (in our example: sharepoint@yourdomain.com and tfs@yourdomain.com).

    The good news is that we don’t need to create a user account and mailbox to “represent” each of these hosts that will relay mail through the IIS SMTP server.

    D. To enable the IIS SMTP server to send email for these hosts, we can choose one of the following solutions:

    1. Use a distribution group and assign “Send As” permissions
    2. Add an additional email address (alias)

    1. Using a distribution group to allow email sent by a host, with Send As permissions

    This solution is based on creating a distribution group for each of the hosts that needs to relay email through the IIS SMTP server. The distribution group will be configured as a security group (a security-enabled distribution group).

    The next step is to assign “Send As” permission to the recipient that the IIS SMTP server uses for authentication (in our example: email@netwoveninc.onmicrosoft.com). The Send As permission can be assigned using the web interface or a PowerShell command.

    1. Assign “Send As” permission using the Office 365 management web interface
      • Log in to the Office 365 portal and, in the Admin menu, choose Exchange.
      • In the Exchange admin center choose recipients > groups.
      • Click Add and choose the Security group option.
      • In our example, the new security-enabled distribution group will be named: SharePoint and TFS.
      • Double-click the name of the new security-enabled distribution group (sharepoint) and choose the group delegation menu.
      • Click Add and add the recipient name that we use for the IIS SMTP credentials (in our example: email@netwoveninc.onmicrosoft.com).
      • Repeat this procedure for each of the LAN hosts that will relay email through the IIS SMTP server.
    Assign “Send As” permission using a PowerShell command
    1. Assign “Send As” permission for a mailbox or distribution group; the PowerShell command syntax is:

    Add-RecipientPermission -Identity <mailbox or group> -AccessRights SendAs -Trustee <user>

    Example:

    Add-RecipientPermission sharepoint -AccessRights SendAs -Trustee postmaster
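The Send As grant is a least-privilege decision: only the relay account should hold it on the sender groups. The following script is an added example, not part of the original article: it grants Send As on both groups from the scenario above and then audits that no other trustee holds it. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline), that the groups sharepoint and tfs already exist, and that the Trustee property shows the account's UPN; the account and group names are placeholders.

```powershell
# Added example, not from the original article. Assumes an Exchange Online PowerShell
# session is already open (Connect-ExchangeOnline) and that the groups 'sharepoint'
# and 'tfs' from section D.1 exist. Account and group names are placeholders.
$relayAccount = 'email@yourdomain.com'   # the account the IIS SMTP server authenticates as
$senderGroups = 'sharepoint', 'tfs'      # one security-enabled distribution group per LAN host

foreach ($group in $senderGroups) {
    # Grant Send As only, and only to the relay account
    Add-RecipientPermission -Identity $group -Trustee $relayAccount -AccessRights SendAs -Confirm:$false
}

# Audit: Send As on these groups should be held by the relay account and nobody else.
# NT AUTHORITY\SELF is the built-in default entry and is ignored here.
# Assumption: Trustee is reported as the UPN; adjust the comparison if your tenant shows display names.
function Get-UnexpectedSendAs {
    param([string[]]$Groups, [string]$ExpectedTrustee)
    foreach ($group in $Groups) {
        Get-RecipientPermission -Identity $group -AccessRights SendAs |
            Where-Object { $_.Trustee -ne $ExpectedTrustee -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
            Select-Object Identity, Trustee, AccessControlType
    }
}

$unexpected = Get-UnexpectedSendAs -Groups $senderGroups -ExpectedTrustee $relayAccount
if ($unexpected) {
    Write-Warning 'Additional Send As trustees found on the relay groups:'
    $unexpected | Format-Table -AutoSize
} else {
    'Send As on the relay groups is limited to the relay account.'
}
```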

    2. Add an additional email address (alias)

    An additional option that we can use (instead of the security-enabled distribution group solution) is to add the email address that will be used by the LAN mail-enabled devices or applications as an additional email address (alias) of the recipient that the IIS SMTP server uses.

    In our example, we will add two additional email addresses to the recipient named: email@yourdomain.com.

    1. Log in to the Office 365 portal and, in the Admin menu, choose Exchange.
    2. In the Exchange admin center choose recipients > mailboxes.
    3. Choose the recipient name that is used by the IIS SMTP server (in our example: postmaster).

    E. Test SMTP email delivery

    You can test SMTP relay services without using a separate LOB application or device.

    To test SMTP relay services, use the following steps:

    a) Create a text file using Notepad or another text editor. The file should contain the following code. Replace the source and destination email addresses with the addresses you will use to relay SMTP.

    b) Save the text file as Email.txt.

    c) Copy the Email.txt file into the following folder: C:\InetPub\MailRoot\Pickup.

    d) After a short time, the file should automatically be moved to the C:\InetPub\MailRoot\Queue folder. When the SMTP server delivers the mail, the file is automatically deleted from the local folder.

    e) If the SMTP server can’t deliver the message, a non-delivery report (NDR) is created in the C:\InetPub\MailRoot\BadMail folder. You can use this NDR to diagnose delivery issues.
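The pickup-folder test above can be scripted so that the three outcomes (picked up and delivered, still queued, bounced into BadMail) are told apart automatically. The following script is an added example, not part of the original article; the message text is constructed here rather than taken from the article's Email.txt, the addresses are placeholders, and the From address must be one the relay account is permitted to send as (section D).

```powershell
# Added example, not from the original article: scripts the pickup-directory test above.
# The message text is constructed here (the article's own Email.txt is not reproduced);
# the From address must be one the relay is allowed to send as (section D).
function Test-IisSmtpPickup {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [string]$MailRoot = 'C:\InetPub\MailRoot',
        [int]$TimeoutSeconds = 60
    )
    $start = Get-Date
    $stamp = $start.ToString('s')
    # Minimal RFC 5322 message; the pickup thread builds the envelope from these headers.
    $message = "From: $From`r`nTo: $To`r`nSubject: IIS SMTP relay test $stamp`r`n`r`nTest message submitted via the pickup directory at $stamp.`r`n"

    $file = Join-Path $MailRoot ("Pickup\relaytest-{0}.txt" -f [guid]::NewGuid().ToString('N'))
    [System.IO.File]::WriteAllText($file, $message, [System.Text.Encoding]::ASCII)

    # Step d: the SMTP service should take the file out of Pickup within seconds
    while ((Test-Path $file) -and ((Get-Date) -lt $start.AddSeconds($TimeoutSeconds))) {
        Start-Sleep -Seconds 2
    }
    if (Test-Path $file) {
        throw "File was never picked up from $file; check that the SMTPSVC service is running."
    }

    # Step e: a new file in BadMail is an NDR for this test; a new file in Queue is still being retried
    $bounced = Get-ChildItem (Join-Path $MailRoot 'BadMail') | Where-Object { $_.LastWriteTime -ge $start }
    $queued  = Get-ChildItem (Join-Path $MailRoot 'Queue')   | Where-Object { $_.LastWriteTime -ge $start }
    if ($bounced) {
        Write-Warning 'Delivery failed; NDR files written to BadMail:'
        $bounced | Select-Object Name, Length, LastWriteTime
    } elseif ($queued) {
        "Message still queued for retry: $($queued.Name -join ', ')"
    } else {
        'Message was picked up and left the queue; check the recipient mailbox.'
    }
}

# Constructed sample call; replace the addresses with your own
Test-IisSmtpPickup -From 'sharepoint@yourdomain.com' -To 'someone@example.com'
```

A message that lands in BadMail with a rejection from Exchange Online usually means the From address is not covered by either solution in section D.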
