I wanted to share my journey and insights gained from activating Extended Protection (EP) on our Exchange 2019 mailbox servers, as this information might prove valuable to others in similar situations.
Initial Setup:
Exchange Version: Exchange Server 2019 CU13 Nov23SU.
Infrastructure: Utilization of a Load Balancer without an installed certificate. Some Exchange services are exposed to the internet through various publishing solutions, each employing distinct certificates from those used on the mailbox servers. The configurations are as follows:
- Native ActiveSync --(BasicAuth)--> 3rd Party WAF --(BasicAuth)--> Exchange 2019 NLB ActiveSync
- MDM ActiveSync --(CertAuth)--> MDM Solution --(KCD)--> Exchange Servers ActiveSync & EWS
- OWA --(BasicAuth with MFA)--> 3rd Party solution --(FBA)--> Exchange 2019 NLB OWA
Concerns & Clarifications:
The prerequisites for activating EP were largely clear, except for the requirement concerning "SSL Bridging". To address this uncertainty, we initiated discussions with Microsoft and our MDM provider. The core takeaway was that EP primarily concerns scenarios involving "Windows Authentication". Consequently, our configurations, including Native ActiveSync with BasicAuth and OWA with FBA, faced no expected issues. It was highlighted that the MDM scenario, due to its reliance on KCD for authentication from MDM to Exchange, differs from typical Windows Integrated Authentication frameworks used at both ends, thereby most likely not posing an obstacle. Nonetheless, a recommendation was made to consult our MDM vendor to preempt any potential issues. Should any issues emerge post-activation, Microsoft recommends a selective deactivation of EP, focusing solely on the affected Frontend virtual directory (v-Dir) to mitigate the problem. The MDM vendor confirmed that EP can be activated with our MDM setup. Following their confirmations, we proceeded with the activation of EP.
Implementation & Outcome:
We proceeded to update all servers to Exchange Server 2019 CU14 with the /DoNotEnableEP switch. Subsequently, EP was enabled on each server using the ExchangeExtendedProtectionManagement.ps1 script. I'm pleased to report that we've encountered no issues post-activation so far, eliminating the need for any rollback of EP, even on a single virtual directory.
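As an added check that is not part of the original post: after running the script, or after a selective rollback on one v-Dir, the setting IIS actually enforces can be read per frontend virtual directory. This is example code assuming it runs locally on a mailbox server with the WebAdministration module; the v-Dir list is constructed for illustration.

```powershell
# Added example (not from the original post): report the Extended Protection
# token checking IIS enforces on each Exchange frontend virtual directory.
# tokenChecking = None means EP is off for that v-Dir; Allow/Require means on.
Import-Module WebAdministration

# Constructed list of frontend v-Dirs under the Default Web Site.
$frontEndVDirs = @('Autodiscover', 'ecp', 'EWS', 'mapi',
                   'Microsoft-Server-ActiveSync', 'OAB', 'owa', 'PowerShell', 'rpc')

function Get-IisAttributeValue {
    # Get-WebConfigurationProperty returns either a plain value or a
    # ConfigurationAttribute object; normalise both to a string.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -eq $v) { return '' }
    if ($v.PSObject.Properties['Value']) { return "$($v.Value)" }
    return "$v"
}

function Get-EPStatus {
    param([string]$Site = 'Default Web Site', [string[]]$VDirs)
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($vdir in $VDirs) {
        $path = "IIS:\Sites\$Site\$vdir"
        if (-not (Test-Path $path)) { continue }   # skip v-Dirs not present on this server
        [pscustomobject]@{
            VirtualDirectory = $vdir
            WindowsAuth      = Get-IisAttributeValue -PSPath $path -Filter $winAuth -Name 'enabled'
            TokenChecking    = Get-IisAttributeValue -PSPath $path -Filter "$winAuth/extendedProtection" -Name 'tokenChecking'
        }
    }
}

Get-EPStatus -VDirs $frontEndVDirs | Format-Table -AutoSize
```

Run it on each server before and after a change; a v-Dir that was rolled back should show None while the others keep their value.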
Final Thoughts:
For those contemplating the activation of EP on their Exchange servers, I hope my experience sheds light on the process and assuages any concerns regarding potential complications. Best of luck in your endeavors!