Exchange 2013 -- How to display message tracking log on Exchange 2013

Start from the Exchange 2013, Microsoft removed Message Tracking Log Explore that was for administrator to trace the messages in and out in the mail server.

Delivery Report (EAC)

On Exchange 2013, you can use EAC to track messages with delivery report, but it limited in a mail box with dedicated a sender or a recipient.

Get-MessageTrackingLog (Shell)

Or, you can use the shell to trace the message.

Get-MessageTrackingLog

You can add more parameters to reduce the out results.
(List most command parameters below, for detail, please refer to MS DOC.)

-Start The start date and time of the date range.

-End The End parameter specifies the end date and time of the date range. Message delivery information is returned up to, but not including, the specified date and time.

 -EventId The EventId parameter filters the message tracking log entries by the value of the EventId field. The EventId value classifies classify each message event. Example values include DSN, Defer, Deliver, Send, or Receive.

 -Sender The Sender parameter filters the message tracking log entries by the sender's SMTP email address.

-Recipients The Recipients parameter filters the message tracking log entries by the SMTP email address of the message recipients. You can specify multiple recipient email addresses separated by commas. 

-ResultSize The ResultSize parameter specifies the maximum number of results to return. If you want to return all requests that match the query, use unlimited for the value of this parameter. The default value is 1000. 

Example to use parameters:
Search messages that send from peter@example.com to mary@forexample.com, start date is 2015/04/25, end date is 2015/04/27. EventID is SEND and no result size limited.

Get-MessageTrackingLog -start "2015/04/25" -end "2015/04/27" -EventId "Send" -Sender "peter@example.com" -Recipients "mary@forexample.com" -ResultSize Unlimited

Use "Format-Table" can customize format of output.

Get-MessageTrackingLog -start "2015/04/27" -Sender "zachary@xxxx.xxxx | ft EventId, Source, Sender, Recipients, MessageSubjet

Out-GridView (Shell)

Of course, add more parameters can reduces the output of result, but still not easy to read shows as command line.
There is a new feature comes with PowerShell 2.0 called Out-GridView. It displays the result in a user interface likes original Message Tracking Log Explore in Exchange 2010 or before.
Example:

Get-MessageTrackingLog -ResultSize Unlimited -Start “2015/04/27” | Out-GridView

Fortigate -- VIP Service Port vs. Policy Service

Important Concept

The service of firewall policy is defined protocol between source interface and destination interface. It might straightforward on the service configuration when setup standard protocol between two interfaces, but it might get confused when you customize port and set it on the firewall policy.

Scenario

We have a web server host internally and need to public to Internet with static WAN IP address. We don't want to use standard HTTP and HTTPs port on the internet.

Condition (All conditions below are fake value)

• Web Server Internal IP: 192.168.1.10
• Web Server Internal Service Port: HTTP(80), HTTPS(443)
• Web Service Internet IP: 8.8.8.9
• Web Service Internet Port: HTTP(9980), HTTPS(9443)

Initial Configuration

1. Create new Virtual IP (VIP)
   config firewall vip
       edit "Web Service HTTP"
           set extip 8.8.8.9
           set extintf "WAN"
           set portforward enable
           set mappedip 192.168.1.10
           set extport 9980
           set mappedport 80
       next
       edit "Web Service HTTPS"
           set extip 8.8.8.9
           set extintf "WAN"
           set portforward enable
           set mappedip 192.168.1.10
           set extport 9443
           set mappedport 443
2. Create Custom Service
   config firewall service custom
           edit "TCP_9980"
                   set protocol TCP/UDP/SCTP
                   set tcp-portrange 9980
           next
           edit "TCP_9443"
                   set protocol TCP/UDP/SCTP
                   set tcp-portrange 9443
           next
3. Create Firewall Policy
   config firewall policy
           edit 72
                   set srcintf "WAN"
                   set dstintf "Internal"
                           set srcaddr "all"
                           set dstaddr "Web Service HTTP" "Web Service HTTPS"
                   set action accept
                   set schedule "always"
                           set service "TCP_9980" "TCP_9443"
                   set logtraffic enable
           next

Issue of Initial Configuration

After the setup, I tried to connect from Internet to customize port but fail. Why??

Refer to the beginning subject, "The service of firewall policy is defined protocol between source interface and destination interface."
Base on my requirement, Internet users access to my web service must connect to customized port 9980 and 9443, but between interface "WAN" and "Internal", it should be standard port of HTTP and HTTPS, that is why connection fail on the initial configuration.

Correct Configuration

3. Create Firewall Policy

config firewall policy
        edit 72
                set srcintf "WAN"
                set dstintf "Internal"
                        set srcaddr "all"
                        set dstaddr "Web Service HTTP" "Web Service HTTPS"
                set action accept
                set schedule "always"
                        set service "HTTP" "HTTPS"
                set logtraffic enable
        next

Schematic diagram

Windows -- How to enable LDAP over SSL on Windows 2012 or later

By default, Windows domain controller provide LDAP service with no encryption by SSL. If you need to enable SSL on LDAP service (LDAPS), there have two options for you to deploy it.

Option 1:

You can install an Enterprise root CA on domain controllers, it makes all DCs accept LDAPs request immediately. (But install CA on DC is not suggested by MS)

Option 2:

In most case, user already installed Enterprise Root CA on the member server and can follow the instruction link below to set it up.
LDAP over SSL (LDAPS) Certificate
Windows Server 2012 - Enable LDAPS

In my case, I am using Standalone CA with no "Certificate Templates" since it only appear in Enterprise CA. I can't  issue a new templates for DC to enroll new certificate directly.

Here is my steps to submit request to Standalone CA to get certificate and import to DC for LDAPS.

1. Turn on IE and connect Standalone CA https://standalone.ca/certsrv.
2. Click Request a Certificate.
3. Click Advanced certificate request.
4. Click Create and submit a request to this CA.
5. Provide identifying information as required.
6. In the Name box, type the fully qualified domain name of the domain controller.
7. In the Type of Certificate Needed Server list, click Server Authentication Certificate.
8. Under Key Options, set the following options:
• Create a new key set
• CSP: Microsoft RSA SChannel Cryptographic Provider
• Key Usage: Exchange
• Key Size: 1024 - 16384
• Automatic key container name
• Mark keys as exportable
9. Under Advanced Options, set the request format as CMC.
10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]
    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string is displayed as follows:
    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
11. Click Submit.
12. If the CA is not configured to issue certificates automatically, a Certificate Pending webpage is displayed and requests that you wait for an administrator to issue the certificate that was requested. 
    
    To retrieve a certificate that an administrator has issued, connect to http://standalone.ca/certsrv, and then click Check on a Pending Certificate. Click the requested certificate, and then click Next. 
    
    If the certificate was issued, the Certificate Issued webpage is displayed. Click Install this Certificate to install the certificate.
13. Turn on mmc console and add "My user Account" certificates to snaps-ins and click OK.
14. under Personal -> Certificates, double click on the certificate we installed on step 12.
15. On Details tab, click "Copy to Files ..." to turn on Certificate Export Wizard.
16. Select "Yes. export the private key" and click Next.
17. Type in the password and click Next.
18. Give a file name for exported key and select a location to store file.
19. Turn on MMC and add "Service Account" certificates to snaps-ins, select "Local Computer", select "Active Directory Domain service" and click OK.
20. Right click on the NTDS\Personal, "All Task", "Import".
21. Browse the file you stored at step 18 and type in the password you set at the same step.
22. After imported the certificate, you can start using LDAPS as you wish now.

Reference:

Microsoft KB 931351