Comments on: Microsoft Issues Critical Security Updates for Exchange Server

By: Cedric

Cedric — Wed, 21 Jul 2021 15:30:38 +0000

Successfully installed RU32 on both our Ex2010 Servers along with Visual C++ Redistributable.

Having intermittent issues with OWA and the EMC failing… stuck at ‘Adding snap-in console’ basically times out and won’t launch successfully. I’m not seeing any relevant event logs info.

I’ve done several uninstalls/re-installs of the update and reboots with no luck.

Any ideas on what could be causing the issue?

By: Tony Redmond

Tony Redmond — Mon, 05 Apr 2021 09:41:33 +0000

In reply to M Elyas. If you are confident that your server is fully patched, you can allow OWA access.

By: M Elyas

M Elyas — Mon, 05 Apr 2021 07:53:57 +0000

Hi
I ask about opening OWA from outside after we install update its secure to open it??
so user can access Email over internet

By: Daniel Rita

Daniel Rita — Thu, 01 Apr 2021 21:42:26 +0000

Hi Tony,

I have a coexistence scenario between exchange 2010 SP3 and Exchange 2016, i’ve installed Rollup 32 in Exchange 2010 FE, and CU20 in the Exchange 2016, i’m getting an “invalid canary ” error when try to access to /ecp in the 2010 mailboxes, did anyone experienced the same?

Kind Regards,

By: Tony Redmond

Tony Redmond — Thu, 18 Mar 2021 23:30:39 +0000

In reply to Francis. Why would you roll back the mitigations?

By: Francis

Francis — Thu, 18 Mar 2021 23:25:36 +0000

Hello, After running the all in one mitigation script and patching the servers (CU19). Should I roll back the mitigations?

By: Stuart

Stuart — Thu, 18 Mar 2021 10:56:57 +0000

In reply to Tony Redmond. Thanks Tony, that's really helpful! Great article by the way!

By: kash

kash — Wed, 17 Mar 2021 13:38:45 +0000

Thanks for your response and advice

Upgraded fron Exchange 2016 CU17 to CU19 in a DAG environment took 5 hours from start to end

HAFNIUM patch took 45 mintues in DAG

Main point, it’s slow and cumbersome but paitence and lots of coffee.

By: Tony Redmond

Tony Redmond — Wed, 17 Mar 2021 13:02:17 +0000

In reply to Stuart Taylor.

https://docs.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2019 says that 443 is used for:

Encrypted web connections are used by the following clients and services:
• Autodiscover service
• Exchange ActiveSync
• Exchange Web Services (EWS)
• Offline address book (OAB) distribution
• Outlook Anywhere (RPC over HTTP)
• Outlook MAPI over HTTP
• Outlook on the web (formerly known as Outlook Web App)

If you don’t use those features, you can keep 443 off. EWS is used in hybrid deployments to access on-premises mailboxes for calendar data, but as you say, all mailboxes are in the cloud, so….

By: Stuart Taylor

Stuart Taylor — Wed, 17 Mar 2021 10:30:38 +0000

Hi there,

We are running Exchange 2016 hybrid. Our on-premise Exchange server doesn’t host any mailboxes and is now fully patched. We’ve also temporarily blocked inbound access through 443 whilst the patching was being carried out and have confirmed that no malicious access or files have occurred.

Is there any reason why we need to unblock port 443? I’ve read that it’s needed for OWA, which we don’t use as all email is accessed via Exchange Online and also for Autodiscovery but I’m not sure if that’s something that we need if all our users access Office 365 Online.

Any advice greatly appreciated!

Thanks!