After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts

After you run the Security Configuration Wizard in Microsoft Windows Server 2003 Service Pack 1 (SP1), the following symptoms may occur after you restart the server:

• Microsoft Outlook users may not be able to connect to their accounts.
• Microsoft Exchange Server 2003 may not respond on the required ports even though all the services are running.
  
  Note Microsoft Outlook Web Access (OWA) users may be able to connect to their accounts.

The symptoms for client machines that cannot connect to their accounts are as follows:

• Microsoft Outlook 2003 running in Online Mode

  You receive an error message that is similar to the following:
  Connecting to Microsoft Exchange Server. Your Microsoft Exchange Server is unavailable.

• Microsoft Outlook 2003 running in Cached Exchange Mode

  The status icon that is located in the bottom right corner of the Outlook window will alternately change from the Trying to connect state to the Disconnected state.

• Outlook Web Access

  You receive an error message that is similar to the following:
  The page cannot be displayed. The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
  Note If the OWA client tries to access the back-end Exchange 2003 server through the front-end server, the OWA client receives the following error message:
  HTTP/1.1 503 Service Unavailable

These problems may occur if the following conditions are true:

• Exchange 2003 was not installed by using the default installation path. The following path is the default folder path that is used by Exchange 2003 Setup:
  %ProgramFiles%\Exchsrvr
• You ran the Windows Server 2003 SP1 Security Configuration Wizard, and you did not manually configure the services that were not found during the Network Configuration section of the wizard.

These problems can also occur if the Security Configuration Wizard policy that you created on one Exchange 2003 computer is imported to an Exchange 2003 computer that has a different installation path.

To resolve these problems, use either of the following methods:

• Roll back the Security Configuration Wizard policy.
• Manually change the list on the Windows Firewall Exceptions tab.

Method 1: Roll back the Security Configuration Wizard policy

The Security Configuration Wizard includes a feature to roll back the last policy that was applied to the server. To roll back the Security Configuration Wizard policy, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Security Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Configuration Action page, click Roll back the last applied security policy, and then click Next.
4. On the Select Server page, type the name of the server or select the server on which you applied the security policy that you want to roll back.
   
   Note By default, the Select Server page is already populated with the name of the local server.
5. Click Next.
6. On the Rollback Security Configuration page, click Next.
7. On the Rolling Back Security Configuration page, confirm that the policy roll back in complete, and then click Next.
8. On the Completing the Security Configuration Wizard page, click Finish.
9. Restart the server on which the policy was rolled back.

After the server restarts, the services are in the same state as they were before the last Security Configuration Wizard policy was applied.

Method 2: Manually change the list on the Windows Firewall Exceptions tab

The Exceptions tab of the Windows Firewall tool lists all the programs and the ports that are defined as exempt from Windows Firewall port blocking. When Exchange 2003 services are added to the Exceptions tab, the location of the service executable file (.exe) is listed. If a Security Configuration Wizard policy is applied that defines a path of a service .exe file that is not a valid path on the local server, this path is listed in the Programs and Services section of Exceptions tab. For example, you might see the following path in the Programs and Services section of Exceptions tab: This path is the default installation path of the System Attendant service. This path is not valid if your Exchange 2003 computer is installed in C:\Exchsrvr or in another location.

If the Programs and Services section of Exceptions tab lists a path of a service .exe file that is not valid, follow these steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Windows Firewall.
3. Click the Exceptions tab.
4. Under Programs and Services, select the path that is not valid, and then click Delete.
5. Click Yes when you are prompted to delete the path from the Exceptions tab.
6. On the Exceptions tab, click Add Program.
7. Click Browse, locate the .exe file for the service that you are trying to add to the Exceptions tab, and then click Open.
   
   For example, locate the correct path of Mad.exe, and then click Open.
8. Click OK.
9. Review the Exceptions tab.
   
   The name of the service that you added in step 7 is listed, but it does not appear with the full path of the .exe file. To verify the path, select the name of the service, and then click Edit. The full path of the .exe file of the service is displayed.

Perform this procedure for any other Exchange 2003 services that appear on the Exceptions tab as a path that is not a valid path. Frequently, one of the following services will be in the list:

• EMicrosoft Exchange MTA Stacks (Emsmta.exe)
• Microsoft Exchange Information Store (Store.exe)
• Microsoft Exchange System Attendant (Mad.exe)
• Microsoft Exchange Site Replication Service (Srsmain.exe)

The Network Configuration section of the Security Configuration Wizard enables the Windows firewall and configures the firewall exceptions. This section makes sure that programs and services that are exempt will have their ports opened in the firewall policy. The Windows Server 2003 SP1 Security Configuration Wizard assumes that you installed Exchange 2003 by using the default installation path. The wizard does not automatically detect the paths of service .exe files.

If Exchange 2003 is installed by using an installation path that is not the default installation path, the Security Configuration Wizard notifies you that there is a problem during the Network Configuration section. To resolve these problems, follow these steps:

1. On the Open Ports and Approve Applications page, select the service that is listed as Not found, and then click Edit.
2. Locate, and then click the correct location of the .exe file for the service, and then click Open.
3. Click OK.
4. Repeat step 1 to step 3 for any services that are listed as Not found on the Open Ports and Approve Applications page.

If you ignore the Security Configuration Wizard notification, the services will start, but their ports will be blocked by Windows Firewall.

To avoid configuration problems when you use Windows Firewall on Exchange 2003 computers, consider the following information:

• The Network Configuration section of the Security Configuration Wizard turns on the Windows firewall and adds exceptions to its policy. If you skip the Network Configuration section, the problems that are described in this article do not occur, but the Windows firewall will be disabled.
• To harden Exchange 2003 computers, we recommended that you perform the procedures that are described in the Microsoft Exchange Server 2003 Security Hardening Guide. You should perform these procedures instead of running the Security Configuration Wizard on the Exchange 2003 computer. To view the Microsoft Exchange Server 2003 Security Hardening Guide, visit the following Microsoft Web site:
  http://technet.microsoft.com/en-us/library/300d578b-c7ec-4ff0-978b-da0d6bb89ab1.aspx
• The version of Windows Firewall that is included with Windows Server 2003 SP1 is a software firewall. If you enable more services on the existing Exchange 2003 computer after you run the Security Configuration Wizard, you cannot access these services. For example, if you configure the POP3 service and the IMAP4 service after you configure the Security Configuration Wizard, you must run the Security Configuration Wizard again to approve these new services in the Network Configuration section of the wizard. Or, you must manually change the list on the Windows Firewall Exceptions tab.