After you run the Security Configuration Wizard in Microsoft
Windows Server 2003 Service Pack 1 (SP1), the following symptoms may occur
after you restart the server:
- Microsoft Outlook users may not be able to connect to their
- Microsoft Exchange Server 2003 may not respond on the
required ports even though all the services are running.
Note Microsoft Outlook Web Access (OWA) users may be able to connect
to their accounts.
The symptoms for client machines that cannot connect to their
accounts are as follows:
Microsoft Outlook 2003 running in Online Mode: You receive an error message that is similar to the
Connecting to Microsoft Exchange Server. Your
Microsoft Exchange Server is unavailable.
Microsoft Outlook 2003 running in Cached Exchange Mode: The status icon that is located in the bottom right corner of the
Outlook window will alternately change from the Trying to
connect state to the Disconnected state.
Outlook Web Access: You receive an error message that is similar to the
Note If the OWA client tries to access the back-end Exchange 2003
server through the front-end server, the OWA client receives the following
The page cannot be displayed. The page you are
looking for is currently unavailable. The Web site might be experiencing
technical difficulties, or you may need to adjust your browser
HTTP/1.1 503 Service
These problems may occur if the following conditions are
- Exchange 2003 was not installed by using the default
installation path. The following path is the default folder path that is used
by Exchange 2003 Setup:
- You ran the Windows Server 2003 SP1 Security Configuration
Wizard, and you did not manually configure the services that were not found
during the Network Configuration section of the wizard.
These problems can also occur if the Security Configuration
Wizard policy that you created on one Exchange 2003 computer is imported to an
Exchange 2003 computer that has a different installation path.
To resolve these problems, use either of the following
- Roll back the Security Configuration Wizard policy
- Manually change the list on the Windows Firewall Exceptions tab
Method 1: Roll back the Security Configuration Wizard policy
The Security Configuration Wizard includes a feature to roll back
the last policy that was applied to the server. To roll back the Security
Configuration Wizard policy, follow these steps:
- Click Start, point to
Programs, point to Administrative Tools, and
then click Security Configuration Wizard.
- On the Welcome page, click Next.
- On the Configuration Action page, click Roll back
the last applied security policy, and then click
- On the Select Server page, type the name of the server or
select the server on which you applied the security policy that you want to
Note By default, the Select Server page is already populated with the
name of the local server.
- Click Next.
- On the Rollback Security Configuration page, click
- On the Rolling Back Security Configuration page, confirm
that the policy roll back is complete, and then click Next.
- On the Completing the Security Configuration Wizard page,
- Restart the server on which the policy was rolled
After the server restarts, the services are in the same state as
they were before the last Security Configuration Wizard policy was applied.
Method 2: Manually change the list on the Windows Firewall Exceptions tab
The Exceptions tab of the Windows Firewall tool
lists all the programs and the ports that are defined as exempt from Windows
Firewall port blocking. When Exchange 2003 services are added to the
Exceptions tab, the location of the service executable file
(.exe) is listed. If a Security Configuration Wizard policy is applied that
defines a path of a service .exe file that is not a valid path on the local
server, this path is listed in the Programs and Services
section of the Exceptions tab. For example, you might see the
following path in the Programs and Services
This path is the default installation path of the System
Attendant service. This path is not valid if your Exchange 2003 computer is
installed in C:\Exchsrvr or in another location.
If the Programs and Services section of the Exceptions tab
lists a path of a service .exe file that is not valid, follow these steps:
- Click Start, point to
Settings, and then click Control
- Double-click Windows Firewall.
- Click the Exceptions tab.
- Under Programs and Services, select the
path that is not valid, and then click Delete.
- Click Yes when you are prompted to delete
the path from the Exceptions tab.
- On the Exceptions tab, click Add
- Click Browse, locate the .exe file for the
service that you are trying to add to the Exceptions tab, and
then click Open.
For example, locate the correct
path of Mad.exe, and then click Open.
- Click OK.
- Review the Exceptions tab.
The name of the service that you added in step 7 is listed, but it does not appear
with the full path of the .exe file. To verify the path, select the name of the
service, and then click Edit. The full path of the .exe file
of the service is displayed.
Perform this procedure for any other Exchange 2003 services that
appear on the Exceptions tab as a path that is not a valid
path. Frequently, one of the following services will be in the list:
- Microsoft Exchange MTA Stacks (Emsmta.exe)
- Microsoft Exchange Information Store (Store.exe)
- Microsoft Exchange System Attendant (Mad.exe)
- Microsoft Exchange Site Replication Service
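
The check that Method 2 performs by hand on the Exceptions tab can also be scripted. The following is an added example, not part of the original article; it assumes Windows PowerShell is installed on the Exchange server, uses the Windows Firewall COM object (HNetCfg.FwMgr) and WMI, and covers only the three executable names that appear in the list above.

```powershell
# Added example (not from the article). Assumes Windows PowerShell is installed
# on the Exchange server and that the session has administrative rights.

# Executable names taken from the service list above.
$exchangeExes = 'emsmta.exe', 'store.exe', 'mad.exe'

# Windows Firewall COM API: program exceptions of the active profile.
$fw   = New-Object -ComObject HNetCfg.FwMgr
$apps = @($fw.LocalPolicy.CurrentProfile.AuthorizedApplications)

function Expand-ExePath([string]$Path) {
    # Exception paths may contain variables such as %ProgramFiles%.
    [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
}

# 1. Exceptions that point at an executable that is not on this server.
"Exceptions with a path that is not valid:"
$apps | Where-Object {
    -not [IO.File]::Exists((Expand-ExePath $_.ProcessImageFileName))
} | Format-Table Name, ProcessImageFileName, Enabled -AutoSize

# 2. Exchange services whose real executable has no enabled exception.
"Exchange services without a matching enabled exception:"
foreach ($svc in Get-WmiObject Win32_Service) {
    # PathName can be quoted and can carry arguments; keep only the .exe path.
    if ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)') {
        $exe = $Matches['exe']
        if ($exchangeExes -contains [IO.Path]::GetFileName($exe).ToLower()) {
            $hit = $apps | Where-Object {
                $_.Enabled -and ((Expand-ExePath $_.ProcessImageFileName) -eq $exe)
            }
            if (-not $hit) { "{0}  ->  {1}" -f $svc.DisplayName, $exe }
        }
    }
}
```

Each service reported by the second check is running from a path that the firewall policy does not exempt, which is the condition that Method 2 corrects.
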
The Network Configuration section of the Security
Configuration Wizard enables the Windows firewall and configures the firewall
exceptions. This section makes sure that programs and services that are exempt
will have their ports opened in the firewall policy. The Windows Server 2003
SP1 Security Configuration Wizard assumes that you installed Exchange 2003 by
using the default installation path. The wizard does not automatically detect
the paths of service .exe files.
If Exchange 2003 is installed by
using an installation path that is not the default installation path, the
Security Configuration Wizard notifies you that there is a problem during the
Network Configuration section. To resolve these problems, follow these steps:
- On the Open Ports and Approve Applications page, select the
service that is listed as Not found, and then click
- Locate, and then click the correct location of the .exe
file for the service, and then click Open.
- Click OK.
- Repeat step 1 to step 3 for any services that are listed as
Not found on the Open Ports and Approve Applications page.
If you ignore the Security Configuration Wizard notification,
the services will start, but their ports will be blocked by Windows
To avoid configuration problems when you use Windows
Firewall on Exchange 2003 computers, consider the following information:
- The Network Configuration section of the Security
Configuration Wizard turns on the Windows firewall and adds exceptions to its
policy. If you skip the Network Configuration section, the problems that are
described in this article do not occur, but the Windows firewall will be
- To harden Exchange 2003 computers, we recommend that you
perform the procedures that are described in the Microsoft Exchange Server 2003
Security Hardening Guide. You should perform these procedures instead of
running the Security Configuration Wizard on the Exchange 2003 computer. To
view the Microsoft Exchange Server 2003 Security Hardening Guide, visit the
following Microsoft Web site:
- The version of Windows Firewall that is included with
Windows Server 2003 SP1 is a software firewall. If you enable more services on
the existing Exchange 2003 computer after you run the Security Configuration
Wizard, you cannot access these services. For example, if you configure the
POP3 service and the IMAP4 service after you configure the Security
Configuration Wizard, you must run the Security Configuration Wizard again to
approve these new services in the Network Configuration section of the wizard.
Or, you must manually change the list on the Windows Firewall