RE: [isapros] Re: ISA and SAN Certs
- From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Fri, 31 Aug 2007 14:54:02 +0100
This is a multi-part message in MIME format.
------_=3D_NextPart_001_01C7EBD6.64A8D3BB
Content-Type: multipart/alternative;
boundary=3D"----_=3D_NextPart_002_01C7EBD6.64A8D3BB"
------_=3D_NextPart_002_01C7EBD6.64A8D3BB
Content-Type: text/plain;
charset=3D"us-ascii"
Content-Transfer-Encoding: quoted-printable
Probably semantics, but I am doing it with three rules:
=3D20
* 1 for OWA using NTLM delegation (/OWA/*)
* 1 for OWA Legacy Folders using Basic delegation (/Exhange/*
/publix/* etc)
* 1 for all other Exchange connectivity using Basic delegation
(/rpc/* /autodiscover/* etc)
=3D20
The other thing you need to check is that the right authentication types
are defined for the Exchange virtual directories on the CAS. One that
caught me out was adding basic to the EWS virtual directory...ISA nicely
logs this in monitoring though as a delegation failure J
=3D20
All rules use the same listener...
=3D20
Yep I agree about the /autodiscover as part the wizard, not sure this is
included...
=3D20
Confused about the SRV solving all the issues - can you elaborate?
=3D20
Cheers
=3D20
JJ
=3D20
Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489
| Mobile: +44 (0)7971 500312 | Email: jason.jones@xxxxxxxxxxxxxxxxx=3D20
=3D20
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: 31 August 2007 14:42
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
=3D20
Hi Jason,
=3D20
OK, that makes perfect sense and it's the scenario I'm testing today.
One listener, one rule for Outlook Anywhere and one rule for
Autodiscovery, correct?
=3D20
So I was right that you can't use the /AutoDiscover path that is
included in the Outlook Anywhere rule since the Outlook Anywhere rule
doesn't respond to the public name autodiscover.domain.com. The Outlook
Autodiscover rule would respond to autodiscover.domain.com and forward
to the /AutoDiscover path.
=3D20
The SRV record solution will solve ALL of this complexity because it
will bypass the need for a second URL and second IP address and second
certificate. However, its a hotfix that you have to call PSS to download
and will be included with Office 2007 SP1.
=3D20
Thanks!
Tom
=3D20
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>=3D20
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
=3D20
=3D20
=3D09
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, August 31, 2007 8:15 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
Yep - one listener, two IPs, each IP assigned a different SSL
cert.
=3D20
Not sure if the SRV record will negate the need for the
autodiscover URL and hence allow us to get away with a single SSL cert -
have to check this...
=3D20
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 31 August 2007 14:13
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
=3D20
Hi Jason,
=3D20
One Web listener, but two IP addresses are being used by the Web
listener, correct?
=3D20
Thanks!
Tom
=3D20
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>=3D20
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
=3D20
=3D20
=3D09
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, August 31, 2007 6:50 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
Hi Tom,
=3D20
Managed to get this working today too, although I am
using two individual certs on the same external web listener. The
internal cert on Exchange is SAN'd up and ISA publishes everything to
the internal cert common name irrespective of the public URL.
=3D20
The key to most of it working is defining correct URLs
in Exchange where is defines "External URLs" for things like OOF, OAB,
EWS etc.
=3D20
Now we have all exchange 2k7 services (and all the new
funky stuff) working externally...had to do a lot of it by investigation
and cobbling blog entries together, not ideal, but go there at last.
=3D20
We currently have it working without SRV records, but
just waiting for the ISP to add these records to test if that is a
better solution...
=3D20
Cheers
=3D20
JJ
=3D20
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 31 August 2007 00:32
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
=3D20
I'd think that Jim might need to update his SAN article.
The article implies that ISA doesn't support SANs on the Web listener,
however I have a guy who has the autodiscover FQDN as a second SAN on
the certificate bound to his Web listener and he's shown me strong
evidence that it actually works, even though it shouldn't.
=3D20
I wish the Exchange or ISA UE teams could get it
together to explain how to get autodiscovery working correctly and more
importantly, show us how it works with and without DNS SRV records. It
looks like once you have DNS SRV records, its a no brainer.=3D20
=3D20
Tom
=3D20
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>=3D20
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
=3D20
=3D20
=3D09
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, August 29, 2007 2:38 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
Never mind :)
=3D20
I found it:
=3D20
http://support.microsoft.com/kb/940881
=3D20
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>=3D20
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
=3D20
=3D20
=3D09
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, August 29, 2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs
OK, that's an interesting sentence in a
KB OL update article. But there's no mention of this anywhere else on
the ms.com site.
=3D20
In addition, how do we configure the SRV
records?
=3D20
Service?
Protocol?
Priority?
Weight?
Port number?
Host offering this service?
=3D20
=3D20
=3D20
I try to read minds best as I can, but
I'm flailing on this one :))
=3D20
=3D20
=3D20
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog:=3D20
http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
=3D09
=3D09
=3D09
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
> Sent: Wednesday, August 29, 2007 2:27
PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA and SAN
Certs
>
> DatzDeWun! O'curse it works in real
life; I tested it.
>
> http://support.microsoft.com/kb/939184
> OL 2K7 seeks a "autodiscovery" SRV
record first, and only if
> that fails,
> it'll seek the A record. This is
based on the same domain suffix as
> specified in the mail domain.
> If your OL client is behind a CERN
proxy (and it knows it), it can't
> specify that the proxy should look up
a SRV record for
> autodiscover.sfx.
> The proxy assumes that any CERN
request will be for a "host"
> and makes a
> DNS query for an A record.
>
> OL 2K7 uses the SRV record to discover
the host
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Wednesday, August 29, 2007 12:15
PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA and SAN
Certs
>
> BAM!!!!
>
> I think I get it. On the TO tab for
the autodiscover.msfirewall.org, I
> can still use owa.msfirewall.org since
it resolves to the same IP
> address as autodiscover.msfirewall.org
on the internal network -- and
> the path is going to /autodiscover, so
that's cool. It's all making
> sense on paper -- now to see if it
works in real life :)
>
> BTW -- why do I need a SRV record for
OL autodiscovery? I haven't seen
> any documentation on that requirement
on the Exchange side.
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog:=3D20
http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>=3D20
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [
mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, August 29, 2007
2:09 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA and SAN
Certs
> >
> > Yes; I'd forgotten about the OL
client's "SAN problem".
> > It amazed me how much noise the Exch
folks make about the same
> > limitation for ISA.. ..but I
digress.
> >
> > "Web Publishing Rule that is
publishing the
> >
autodiscover.msfirewall.org/autodiscover path must be
> > configured on the
> > TO tab to use
autodiscover.msfirewall.org " - how do you
> cone to that
> > contusion?
> > Why do you think you need to use
"autodiscover" in the ISA rule
> > published hostname? Use whatever
works for ISA and let the
> > client be as
> > stupid as you want.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [
mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Wednesday, August 29, 2007
12:05 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA and SAN
Certs
> >
> > Hi Jim,
> >
> > CIL...
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog:=3D20
http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >=3D20
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [
mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Wednesday, August 29, 2007
1:49 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA and SAN
Certs
> > >
> > > All good points, but really
orthogonal to the question of how ISA
> > > handles SAN certs. Actually, I
wrote that because some folks were
> > > whining about how ISA handled SAN
certs in general. In
> > fact, I tried
> > > not to delve into the variant
forms of self-inflicted ISA
> manglement
> > > pain that were filling other
blogs.
> > >
> > > Q1 - Why do you need a second
listener? Use your DNS to point
> > > autodiscover to the same Exch
listener. The public name is a
> > > rule; not
> > > a listener arttribute.
> >
> > TOM: We need a second listener
because we can't have two
> certificates
> > with different common names
listening on the same listener using the
> > same IP address. OK, in ISA 2006 I
*can* use multiple
> > certificates using
> > the same listener, but each of the
certificates must be
> assigned to a
> > different IP address, so no big deal
there -- so I create two
> > different
> > Web Publishing Rules -- one for
owa.msfirewall.org and a second Web
> > Publishing Rule for
autodiscover.msfirewall.org. So far so
> > good and SANs
> > aren't even an issue.
> >
> > > Q2 - why does the external OL
client give a rats bahootie
> > > what's listed
> > > in the cert used at the CAS? It
never sees it.
> >
> > TOM: That's true and I didn't mean
to imply that it did. The
> > concern is
> > that common name and the first SAN
on the Web site
> > certificate bound to
> > the Client Access Server site is
owa.msfirewall.org. The
> second SAN is
> > autodiscover.msfirewall.org
> >
> >
> > > Q3 - why is the lack of the
autodiscover.suffix public
> name make the
> > > /autodiscover path "useless"?
"Incomplete" perhaps, but
> > > hardly useless.
> >
> > TOM: Because the OWA publishing rule
is listening for
> > owa.msfirewall.org, NOT
autodiscover.msfirewall.org. Since
> > there are two
> > certificates involved here, one with
the common name
> > owa.msfirewall.org
> > and a second with
autodiscover.msfirewall.org -- we have to use two
> > different IP addresses, and
owa.msfirewall.org is NOT going
> to resolve
> > to the same IP address as
autodiscover.msfirewall.org. Thus,
> > adding the
> > /autodiscover path to the
owa.msfirewall.org Web Publishing
> Rule won't
> > work and is extraneous. The
/autodiscover path only applies to the
> > autodiscover.msfirewall.org Web
Publishing Rule.
> >
> > >
> > > IOW, create your SRV and A records
for autodiscover.suffix, add
> > > "autodiscover.suffix" to the
public names (ISA 2006 only) and
> > > make sure
> > > the cert used in the ISA web
listener includes
> > > "autodiscover.suffix" in
> > > the SAN.
> >
> > Again, the issue isn't with the Web
listeners, I have no
> problem with
> > that. The issue is with the
connection between the ISA
> > Firewall and the
> > Client Access Server. The Web site
certificate bound to the Client
> > Access Server has a common name and
a first SAN name of
> > owa.msfirewall.org and a second SAN
name of
> > autodiscover.msfirewall.org.
> >
> > Given that, the Web Publishing Rule
that is publishing the
> >
autodiscover.msfirewall.org/autodiscover path must be
> > configured on the
> > TO tab to use
autodiscover.msfirewall.org -- HOWEVER, and
> this is THE
> > QUESTION -- with the ISA Firewall
when establishing the SSL channel
> > between itself and the Client Access
Server, be able to use
> the SECOND
> > SAN on the Client Access Server Web
site certificate to allow the
> > connection?
> >
> > Make sense?
> >
> >
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [
mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Wednesday, August 29, 2007
11:33 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA and SAN
Certs
> > >
> > > This is a good step in
understanding some of the issues,
> > but I suspect
> > > the major problems people are
running into relates to
> publishing the
> > > autodisocvery site. You'll notice
that when you run the Exchange
> > > Publishing Wizard in ISA 2006 that
is includes an
> > /autodiscover path,
> > > which is completely useless, since
the client is looking for
> > >
autodiscover.domain.com/autodiscover and not the Client
> > Access Server
> > > Public Name, which would be
something like owa.domain.com.
> > >
> > > OK, easy problem to solve, right?
All we need to do is
> > create a second
> > > Web listener on a second IP
address and configure it to listen for
> > > public name
autodiscover.company.com. HOWEVER, the Client Access
> > > Server's common/subject name and
first SAN is owa.company.com. The
> > > second SAN is
autodiscover.company.com.
> > >
> > > So, if we put on the TO tab
autodiscover.company.com, will
> > ISA 2006 be
> > > able to "consume" the second SAN
to support to the Outlook 2007
> > > autodiscovery service?
> > >
> > > Thanks!
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog:=3D20
http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >=3D20
> > >
> > > > -----Original Message-----
> > > > From:
isapros-bounce@xxxxxxxxxxxxx
> > > > [
mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Wednesday, August 29, 2007
1:10 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] ISA and SAN
Certs
> > > >
> > > >
> > > > Another isablog for your reading
pleasure.
> > > >
> > > >
> > > >=3D20
http://blogs.technet.com/isablog/archive/2007/08/29/certificat
> > > > es-with-mu
> > > >
ltiple-san-entries-may-break-isa-server-web-publishing.aspx
> > > >
> > > > All mail to and from this domain
is GFI-scanned.
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > > All mail to and from this domain
is GFI-scanned.
> > >
> > >
> > >
> > >
> >
> >
> > All mail to and from this domain is
GFI-scanned.
> >
> >
> >
> >
>
>
> All mail to and from this domain is
GFI-scanned.
>
>
>
>=3D20
------_=3D_NextPart_002_01C7EBD6.64A8D3BB
Content-Type: text/html;
charset=3D"us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D3D"urn:schemas-microsoft-com:vml" =3D
xmlns:o=3D3D"urn:schemas-microsoft-com:office:office" =3D
xmlns:w=3D3D"urn:schemas-microsoft-com:office:word" =3D
xmlns:m=3D3D"http://schemas.microsoft.com/office/2004/12/omml"; =3D
xmlns=3D3D"http://www.w3.org/TR/REC-html40";>
<head>
<meta http-equiv=3D3DContent-Type content=3D3D"text/html; =3D
charset=3D3Dus-ascii">
<meta name=3D3DGenerator content=3D3D"Microsoft Word 12 (filtered =
medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:427314599;
mso-list-type:hybrid;
mso-list-template-ids:1995078498 134807553 134807555 134807557 =3D
134807553 134807555 134807557 134807553 134807555 134807557;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D3D"edit" spidmax=3D3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D3D"edit">
<o:idmap v:ext=3D3D"edit" data=3D3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D3DEN-GB link=3D3Dblue vlink=3D3Dpurple>
<div class=3D3DSection1>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Probably semantics, but I am doing it with three =3D
rules:<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoListParagraph style=3D3D'text-indent:-18.0pt;mso-list:l0 =
=3D
level1 lfo1'><![if !supportLists]><span
style=3D3D'font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style=3D3D'mso-list:Ignore'>·<span style=3D3D'font:7.0pt "Times =
New =3D
Roman"'>
</span></span></span><![endif]><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>1 for OWA using NTLM delegation =3D
(/OWA/*)<o:p></o:p></span></p>
<p class=3D3DMsoListParagraph style=3D3D'text-indent:-18.0pt;mso-list:l0 =
=3D
level1 lfo1'><![if !supportLists]><span
style=3D3D'font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style=3D3D'mso-list:Ignore'>·<span style=3D3D'font:7.0pt "Times =
New =3D
Roman"'>
</span></span></span><![endif]><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>1 for OWA Legacy Folders using Basic delegation =3D
(/Exhange/* /publix/*
etc)<o:p></o:p></span></p>
<p class=3D3DMsoListParagraph style=3D3D'text-indent:-18.0pt;mso-list:l0 =
=3D
level1 lfo1'><![if !supportLists]><span
style=3D3D'font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style=3D3D'mso-list:Ignore'>·<span style=3D3D'font:7.0pt "Times =
New =3D
Roman"'>
</span></span></span><![endif]><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>1 for all other Exchange connectivity using Basic =3D
delegation
(/rpc/* /autodiscover/* etc)<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The other thing you need to check is that the right
authentication types are defined for the Exchange virtual directories on
=3D
the
CAS. One that caught me out was adding basic to the EWS virtual =3D
directory…ISA
nicely logs this in monitoring though as a delegation failure =3D
</span><span
style=3D3D'font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span>=
<
s=3D
pan
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F4=
9
7=3D
D'><o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>All rules use the same =3D
listener…<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yep I agree about the /autodiscover as part the wizard, =
=3D
not sure
this is included…<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Confused about the SRV solving all the issues – can
=3D
you
elaborate?<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Cheers<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>JJ<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<p class=3D3DMsoNormal><b><span =3D
style=3D3D'font-size:9.0pt;font-family:"Arial","sans-serif";
color:gray'>Jason Jones</span></b><span =3D
style=3D3D'font-size:9.0pt;font-family:
"Arial","sans-serif";color:gray'> | Security | Silversands Limited | =3D
Desk: +44
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Email:
jason.jones@xxxxxxxxxxxxxxxxx</span><span =3D
style=3D3D'font-size:9.0pt;font-family:
"Arial","sans-serif";color:#1F497D'> </span><span lang=3D3DEN-US =3D
style=3D3D'font-size:
9.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p></o:p></span>
<=3D
/p>
</div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style=3D3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
=3D
0cm 0cm 0cm'>
<p class=3D3DMsoNormal><b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On Behalf Of </b>Thomas W =3D
Shinder<br>
<b>Sent:</b> 31 August 2007 14:42<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs<o:p></o:p></span></p>
</div>
</div>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Hi Jason,</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>OK, that makes perfect sense and it's the scenario I'm =3D
testing
today. One listener, one rule for Outlook Anywhere and one rule for
Autodiscovery, correct?</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>So I was right that you can't use the /AutoDiscover path =3D
that is
included in the Outlook Anywhere rule since the Outlook Anywhere rule =
=3D
doesn't
respond to the public name autodiscover.domain.com. The Outlook =3D
Autodiscover
rule would respond to autodiscover.domain.com and forward to the =3D
/AutoDiscover
path.</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>The SRV record solution will solve ALL of this complexity =
=3D
because
it will bypass the need for a second URL and second IP address and =3D
second certificate.
However, its a hotfix that you have to call PSS to download and will be
included with Office 2007 SP1.</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Thanks!</span><o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Tom</span><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D
MS","sans-serif"'>Thomas
W Shinder, M.D.<br>
Site:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://www.isaserver.org/";
title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br=
>
Blog:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";
title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o=
r
g=3D
/shinder/</a></u></span><br>
<span style=3D3D'color:#004000'>Book:</span> <a =3D
href=3D3D"http://tinyurl.com/3xqb7";
title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<blockquote style=3D3D'border:none;border-left:solid blue =3D
1.5pt;padding:0cm 0cm 0cm 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt
'=3D
>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<div class=3D3DMsoNormal align=3D3Dcenter =
style=3D3D'text-align:center'><span
=3D
lang=3D3DEN-US>
<hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter>
</span></div>
<p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D
lang=3D3DEN-US
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa=
n
>=3D
</b><span
lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On
=3D
Behalf
Of </b>Jason Jones<br>
<b>Sent:</b> Friday, August 31, 2007 8:15 AM<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D
lang=3D3DEN-US><o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yep – one listener, two IPs, each IP assigned a =3D
different
SSL cert.<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Not sure if the SRV record will negate the need for the
autodiscover URL and hence allow us to get away with a single SSL cert =
=3D
–
have to check this…<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style=3D3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
=3D
0cm 0cm 0cm'>
<p class=3D3DMsoNormal><b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> isapros-bounce@xxxxxxxxxxxxx =3D
[mailto:isapros-bounce@xxxxxxxxxxxxx]
<b>On Behalf Of </b>Thomas W Shinder<br>
<b>Sent:</b> 31 August 2007 14:13<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs<o:p></o:p></span></p>
</div>
</div>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Hi Jason,</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>One Web listener, but two IP addresses are being used by the
=3D
Web
listener, correct?</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Thanks!</span><o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Tom</span><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D
MS","sans-serif"'>Thomas
W Shinder, M.D.<br>
Site:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://www.isaserver.org/";
title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br=
>
Blog:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";
title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o=
r
g=3D
/shinder/</a></u></span><br>
<span style=3D3D'color:#004000'>Book:</span> <a =3D
href=3D3D"http://tinyurl.com/3xqb7";
title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<blockquote style=3D3D'border:none;border-left:solid blue =3D
1.5pt;padding:0cm 0cm 0cm 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt
'=3D
>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<div class=3D3DMsoNormal align=3D3Dcenter =
style=3D3D'text-align:center'><span
=3D
lang=3D3DEN-US>
<hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter>
</span></div>
<p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D
lang=3D3DEN-US
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa=
n
>=3D
</b><span
lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On
=3D
Behalf
Of </b>Jason Jones<br>
<b>Sent:</b> Friday, August 31, 2007 6:50 AM<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D
lang=3D3DEN-US><o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Tom,<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Managed to get this working today too, although I am =3D
using two
individual certs on the same external web listener. The internal cert on
Exchange is SAN’d up and ISA publishes everything to the internal
=3D
cert
common name irrespective of the public URL.<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The key to most of it working is defining correct URLs in
Exchange where is defines “External URLs” for things like =
=3D
OOF, OAB,
EWS etc.<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now we have all exchange 2k7 services (and all the new =
=3D
funky
stuff) working externally…had to do a lot of it by investigation =
=3D
and
cobbling blog entries together, not ideal, but go there at =3D
last.<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We currently have it working without SRV records, but =3D
just
waiting for the ISP to add these records to test if that is a better
solution…<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Cheers<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>JJ<o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style=3D3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
=3D
0cm 0cm 0cm'>
<p class=3D3DMsoNormal><b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On Behalf Of </b>Thomas W =3D
Shinder<br>
<b>Sent:</b> 31 August 2007 00:32<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs<o:p></o:p></span></p>
</div>
</div>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I'd think that Jim might need to update his SAN article. The
article implies that ISA doesn't support SANs on the Web listener, =3D
however I
have a guy who has the autodiscover FQDN as a second SAN on the =3D
certificate
bound to his Web listener and he's shown me strong evidence that it =3D
actually
works, even though it shouldn't.</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I wish the Exchange or ISA UE teams could get it together to
explain how to get autodiscovery working correctly and more importantly,
=3D
show
us how it works with and without DNS SRV records. It looks like once you
=3D
have
DNS SRV records, its a no brainer. </span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Tom</span><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D
MS","sans-serif"'>Thomas
W Shinder, M.D.<br>
Site:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://www.isaserver.org/";
title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br=
>
Blog:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";
title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o=
r
g=3D
/shinder/</a></u></span><br>
<span style=3D3D'color:#004000'>Book:</span> <a =3D
href=3D3D"http://tinyurl.com/3xqb7";
title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<blockquote style=3D3D'border:none;border-left:solid blue =3D
1.5pt;padding:0cm 0cm 0cm 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt
'=3D
>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<div class=3D3DMsoNormal align=3D3Dcenter =
style=3D3D'text-align:center'><span
=3D
lang=3D3DEN-US>
<hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter>
</span></div>
<p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D
lang=3D3DEN-US
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa=
n
>=3D
</b><span
lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On
=3D
Behalf
Of </b>Thomas W Shinder<br>
<b>Sent:</b> Wednesday, August 29, 2007 2:38 PM<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D
lang=3D3DEN-US><o:p></o:p></span></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Never mind :)</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I found it:</span><o:p></o:p></p>
<p class=3D3DMsoNormal> <o:p></o:p></p>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'><a =3D
href=3D3D"http://support.microsoft.com/kb/940881";>http://support.microsof=
t
.=3D
com/kb/940881</a></span><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D
MS","sans-serif"'>Thomas
W Shinder, M.D.<br>
Site:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://www.isaserver.org/";
title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br=
>
Blog:<span style=3D3D'color:blue'> <u><a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";
title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o=
r
g=3D
/shinder/</a></u></span><br>
<span style=3D3D'color:#004000'>Book:</span> <a =3D
href=3D3D"http://tinyurl.com/3xqb7";
title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<blockquote style=3D3D'border:none;border-left:solid blue =3D
1.5pt;padding:0cm 0cm 0cm 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt
'=3D
>
<p class=3D3DMsoNormal><o:p> </o:p></p>
<div class=3D3DMsoNormal align=3D3Dcenter =
style=3D3D'text-align:center'><span
=3D
lang=3D3DEN-US>
<hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter>
</span></div>
<p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D
lang=3D3DEN-US
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa=
n
>=3D
</b><span
lang=3D3DEN-US =3D
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On
=3D
Behalf
Of </b>Thomas W Shinder<br>
<b>Sent:</b> Wednesday, August 29, 2007 2:35 PM<br>
<b>To:</b> isapros@xxxxxxxxxxxxx<br>
<b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D
lang=3D3DEN-US><o:p></o:p></span></p>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>OK, that's an interesting sentence in a KB OL update =3D
article. But
there's no mention of this anywhere else on the ms.com =3D
site.</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>In addition, how do we configure the SRV =3D
records?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Service?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Protocol?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Priority?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Weight?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Port number?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Host offering this service?</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><img border=3D3D0 width=3D3D404 height=3D3D448 =
=3D
id=3D3D"_x0000_i1027"
src=3D3D"cid:image001.jpg@01C7EBDE.77399D00"><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal><span =3D
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I try to read minds best as I can, but I'm flailing on this
=3D
one :))</span><o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=3D3DMsoNormal =3D
style=3D3D'margin-bottom:12.0pt'><o:p> </o:p></p>
</div>
<p><span style=3D3D'font-size:10.0pt'>Thomas W Shinder, M.D.<br>
Site: www.isaserver.org<br>
Blog: <a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org=
/
s=3D
hinder/</a><br>
Book: <a =3D
href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
MVP -- Microsoft Firewalls (ISA)<br>
<br>
<br>
<br>
> -----Original Message-----<br>
> From: isapros-bounce@xxxxxxxxxxxxx<br>
> [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]
On Behalf Of Jim Harrison<br>
> Sent: Wednesday, August 29, 2007 2:27 PM<br>
> To: isapros@xxxxxxxxxxxxx<br>
> Subject: [isapros] Re: ISA and SAN Certs<br>
><br>
> DatzDeWun! O'curse it works in real life; I tested it.<br>
><br>
> <a =3D
href=3D3D"http://support.microsoft.com/kb/939184";>http://support.microsof=
t
.=3D
com/kb/939184</a><br>
> OL 2K7 seeks a "autodiscovery" SRV record first, and only
=3D
if<br>
> that fails,<br>
> it'll seek the A record. This is based on the same domain =3D
suffix as<br>
> specified in the mail domain.<br>
> If your OL client is behind a CERN proxy (and it knows it), it =3D
can't<br>
> specify that the proxy should look up a SRV record for<br>
> autodiscover.sfx.<br>
> The proxy assumes that any CERN request will be for a =3D
"host"<br>
> and makes a<br>
> DNS query for an A record.<br>
><br>
> OL 2K7 uses the SRV record to discover the host<br>
><br>
> -----Original Message-----<br>
> From: isapros-bounce@xxxxxxxxxxxxx<br>
> [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]<br>
> On Behalf Of Thomas W Shinder<br>
> Sent: Wednesday, August 29, 2007 12:15 PM<br>
> To: isapros@xxxxxxxxxxxxx<br>
> Subject: [isapros] Re: ISA and SAN Certs<br>
><br>
> BAM!!!!<br>
><br>
> I think I get it. On the TO tab for the =3D
autodiscover.msfirewall.org, I<br>
> can still use owa.msfirewall.org since it resolves to the same =3D
IP<br>
> address as autodiscover.msfirewall.org on the internal network -- =
=3D
and<br>
> the path is going to /autodiscover, so that's cool. It's all =3D
making<br>
> sense on paper -- now to see if it works in real life :)<br>
><br>
> BTW -- why do I need a SRV record for OL autodiscovery? I haven't =
=3D
seen<br>
> any documentation on that requirement on the Exchange side.<br>
><br>
> Thanks!<br>
> Tom<br>
><br>
> Thomas W Shinder, M.D.<br>
> Site: www.isaserver.org<br>
> Blog: <a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org=
/
s=3D
hinder/</a><br>
> Book: <a =3D
href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
> MVP -- Microsoft Firewalls (ISA)<br>
><br>
> <br>
><br>
> > -----Original Message-----<br>
> > From: isapros-bounce@xxxxxxxxxxxxx<br>
> > [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]
On Behalf Of Jim Harrison<br>
> > Sent: Wednesday, August 29, 2007 2:09 PM<br>
> > To: isapros@xxxxxxxxxxxxx<br>
> > Subject: [isapros] Re: ISA and SAN Certs<br>
> ><br>
> > Yes; I'd forgotten about the OL client's "SAN =3D
problem".<br>
> > It amazed me how much noise the Exch folks make about the =3D
same<br>
> > limitation for ISA.. ..but I digress.<br>
> ><br>
> > "Web Publishing Rule that is publishing the<br>
> > autodiscover.msfirewall.org/autodiscover path must be<br>
> > configured on the<br>
> > TO tab to use autodiscover.msfirewall.org " - how do =3D
you<br>
> cone to that<br>
> > contusion?<br>
> > Why do you think you need to use "autodiscover" in =
=3D
the ISA
rule<br>
> > published hostname? Use whatever works for ISA and let =
=3D
the<br>
> > client be as<br>
> > stupid as you want.<br>
> ><br>
> > -----Original Message-----<br>
> > From: isapros-bounce@xxxxxxxxxxxxx<br>
> > [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]<br>
> > On Behalf Of Thomas W Shinder<br>
> > Sent: Wednesday, August 29, 2007 12:05 PM<br>
> > To: isapros@xxxxxxxxxxxxx<br>
> > Subject: [isapros] Re: ISA and SAN Certs<br>
> ><br>
> > Hi Jim,<br>
> ><br>
> > CIL...<br>
> ><br>
> > Thomas W Shinder, M.D.<br>
> > Site: www.isaserver.org<br>
> > Blog: <a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org=
/
s=3D
hinder/</a><br>
> > Book: <a =3D
href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
> > MVP -- Microsoft Firewalls (ISA)<br>
> ><br>
> > <br>
> ><br>
> > > -----Original Message-----<br>
> > > From: isapros-bounce@xxxxxxxxxxxxx<br>
> > > [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]
On Behalf Of Jim Harrison<br>
> > > Sent: Wednesday, August 29, 2007 1:49 PM<br>
> > > To: isapros@xxxxxxxxxxxxx<br>
> > > Subject: [isapros] Re: ISA and SAN Certs<br>
> > ><br>
> > > All good points, but really orthogonal to the question of
=3D
how
ISA<br>
> > > handles SAN certs. Actually, I wrote that because =
=3D
some
folks were<br>
> > > whining about how ISA handled SAN certs in general.
=3D
In<br>
> > fact, I tried<br>
> > > not to delve into the variant forms of self-inflicted =3D
ISA<br>
> manglement<br>
> > > pain that were filling other blogs.<br>
> > ><br>
> > > Q1 - Why do you need a second listener? Use your =
=3D
DNS to
point<br>
> > > autodiscover to the same Exch listener. The public
=3D
name is
a<br>
> > > rule; not<br>
> > > a listener arttribute.<br>
> ><br>
> > TOM: We need a second listener because we can't have two<br>
> certificates<br>
> > with different common names listening on the same listener =3D
using the<br>
> > same IP address. OK, in ISA 2006 I *can* use multiple<br>
> > certificates using<br>
> > the same listener, but each of the certificates must be<br>
> assigned to a<br>
> > different IP address, so no big deal there -- so I create =3D
two<br>
> > different<br>
> > Web Publishing Rules -- one for owa.msfirewall.org and a =3D
second Web<br>
> > Publishing Rule for autodiscover.msfirewall.org. So far so<br>
> > good and SANs<br>
> > aren't even an issue.<br>
> ><br>
> > > Q2 - why does the external OL client give a rats =3D
bahootie<br>
> > > what's listed<br>
> > > in the cert used at the CAS? It never sees it.<br>
> ><br>
> > TOM: That's true and I didn't mean to imply that it did. =3D
The<br>
> > concern is<br>
> > that common name and the first SAN on the Web site<br>
> > certificate bound to<br>
> > the Client Access Server site is owa.msfirewall.org. The<br>
> second SAN is<br>
> > autodiscover.msfirewall.org<br>
> ><br>
> ><br>
> > > Q3 - why is the lack of the autodiscover.suffix =3D
public<br>
> name make the<br>
> > > /autodiscover path "useless"?
"Incomplete" perhaps, but<br>
> > > hardly useless.<br>
> ><br>
> > TOM: Because the OWA publishing rule is listening for<br>
> > owa.msfirewall.org, NOT autodiscover.msfirewall.org. Since<br>
> > there are two<br>
> > certificates involved here, one with the common name<br>
> > owa.msfirewall.org<br>
> > and a second with autodiscover.msfirewall.org -- we have to =
=3D
use two<br>
> > different IP addresses, and owa.msfirewall.org is NOT =3D
going<br>
> to resolve<br>
> > to the same IP address as autodiscover.msfirewall.org. =3D
Thus,<br>
> > adding the<br>
> > /autodiscover path to the owa.msfirewall.org Web =3D
Publishing<br>
> Rule won't<br>
> > work and is extraneous. The /autodiscover path only applies to
=3D
the<br>
> > autodiscover.msfirewall.org Web Publishing Rule.<br>
> ><br>
> > ><br>
> > > IOW, create your SRV and A records for =3D
autodiscover.suffix, add<br>
> > > "autodiscover.suffix" to the public names (ISA
=3D
2006
only) and<br>
> > > make sure<br>
> > > the cert used in the ISA web listener includes<br>
> > > "autodiscover.suffix" in<br>
> > > the SAN.<br>
> ><br>
> > Again, the issue isn't with the Web listeners, I have no<br>
> problem with<br>
> > that. The issue is with the connection between the ISA<br>
> > Firewall and the<br>
> > Client Access Server. The Web site certificate bound to the =
=3D
Client<br>
> > Access Server has a common name and a first SAN name of<br>
> > owa.msfirewall.org and a second SAN name of<br>
> > autodiscover.msfirewall.org.<br>
> ><br>
> > Given that, the Web Publishing Rule that is publishing the<br>
> > autodiscover.msfirewall.org/autodiscover path must be<br>
> > configured on the<br>
> > TO tab to use autodiscover.msfirewall.org -- HOWEVER, and<br>
> this is THE<br>
> > QUESTION -- with the ISA Firewall when establishing the SSL =
=3D
channel<br>
> > between itself and the Client Access Server, be able to =3D
use<br>
> the SECOND<br>
> > SAN on the Client Access Server Web site certificate to allow
=3D
the<br>
> > connection?<br>
> ><br>
> > Make sense?<br>
> ><br>
> ><br>
> > ><br>
> > > Jim<br>
> > ><br>
> > > -----Original Message-----<br>
> > > From: isapros-bounce@xxxxxxxxxxxxx<br>
> > > [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]<br>
> > > On Behalf Of Thomas W Shinder<br>
> > > Sent: Wednesday, August 29, 2007 11:33 AM<br>
> > > To: isapros@xxxxxxxxxxxxx<br>
> > > Subject: [isapros] Re: ISA and SAN Certs<br>
> > ><br>
> > > This is a good step in understanding some of the =3D
issues,<br>
> > but I suspect<br>
> > > the major problems people are running into relates to<br>
> publishing the<br>
> > > autodisocvery site. You'll notice that when you run the =
=3D
Exchange<br>
> > > Publishing Wizard in ISA 2006 that is includes an<br>
> > /autodiscover path,<br>
> > > which is completely useless, since the client is looking
=3D
for<br>
> > > autodiscover.domain.com/autodiscover and not the =3D
Client<br>
> > Access Server<br>
> > > Public Name, which would be something like =3D
owa.domain.com.<br>
> > ><br>
> > > OK, easy problem to solve, right? All we need to do =3D
is<br>
> > create a second<br>
> > > Web listener on a second IP address and configure it to =
=3D
listen
for<br>
> > > public name autodiscover.company.com. HOWEVER, the
=3D
Client
Access<br>
> > > Server's common/subject name and first SAN is =3D
owa.company.com.
The<br>
> > > second SAN is autodiscover.company.com.<br>
> > ><br>
> > > So, if we put on the TO tab autodiscover.company.com, =3D
will<br>
> > ISA 2006 be<br>
> > > able to "consume" the second SAN to support to
=3D
the
Outlook 2007<br>
> > > autodiscovery service?<br>
> > ><br>
> > > Thanks!<br>
> > > Tom<br>
> > ><br>
> > > Thomas W Shinder, M.D.<br>
> > > Site: www.isaserver.org<br>
> > > Blog: <a =3D
href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org=
/
s=3D
hinder/</a><br>
> > > Book: <a =3D
href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br>
> > > MVP -- Microsoft Firewalls (ISA)<br>
> > ><br>
> > > <br>
> > ><br>
> > > > -----Original Message-----<br>
> > > > From: isapros-bounce@xxxxxxxxxxxxx<br>
> > > > [<a =3D
href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free=
l
i=3D
sts.org</a>]
On Behalf Of Jim Harrison<br>
> > > > Sent: Wednesday, August 29, 2007 1:10 PM<br>
> > > > To: isapros@xxxxxxxxxxxxx<br>
> > > > Subject: [isapros] ISA and SAN Certs<br>
> > > ><br>
> > > ><br>
> > > > Another isablog for your reading pleasure.<br>
> > > ><br>
> > > ><br>
> > > > <a
href=3D3D"http://blogs.technet.com/isablog/archive/2007/08/29/certificat"=
>
h=3D
ttp://blogs.technet.com/isablog/archive/2007/08/29/certificat</a><br>
> > > > es-with-mu<br>
> > > > =3D
ltiple-san-entries-may-break-isa-server-web-publishing.aspx<br>
> > > ><br>
> > > > All mail to and from this domain is GFI-scanned.<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> > > All mail to and from this domain is GFI-scanned.<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> ><br>
> ><br>
> > All mail to and from this domain is GFI-scanned.<br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
> All mail to and from this domain is GFI-scanned.<br>
><br>
><br>
><br>
> </span><o:p></o:p></p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</div>
</body>
</html>
------_=3D_NextPart_002_01C7EBD6.64A8D3BB--
------_=3D_NextPart_001_01C7EBD6.64A8D3BB
Content-Type: image/jpeg;
name=3D"image001.jpg"
Content-Transfer-Encoding: base64
Content-ID: <image001.jpg@xxxxxxxxxxxxxxxxx>
Content-Description: image001.jpg
Content-Location: image001.jpg
/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQY
GBcU
FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgo
KCgo
KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAHAAZQD
ASIA
AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUF
BAQA
AAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0
NTY3
ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKj
pKWm
p6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QA
HwEA
AwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEE
BSEx
BhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZH
SElK
U1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0
tba3
uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwDT
+Knx
C8T+HPGuneH/AApo9hqL3GnxXCwmwaeZ2IbdgKckYTPQ964H/henjn+zP7S/sLRv7O877P8A
av7N
fyvN27tm/djdjnGc45r0W/8A+TrvBf8A2B//AG3uKwfFZ8OeKfhlo+pwT/2fpPiPxrDc6jEZ
l3ae
7wmO4BkYkdVaUMwUbZF+UDivosPCgo04zpp3S19W/wDIxbfc47/hoTxZ/wBA7w7/AOAJ/wDi
qP8A
hoTxZ/0DvDv/AIAn/wCKrsb3wL4FtPG2iWOq+G9R02zn1240xTN5kEV5H5bCLapuJJpMSmHE
yBIy
H+YDgVmfEfwL4A0D4bazqGkXH2rVrKa20ISbLhMajE5a5bDMV+eM9MFF2fKSTXTH6jKUYqk9
bdO7
t3F73ci0b4t/EzW7VrnRfCNlqNurmNpbTRpZkDAAlSVJGcEHHuKy7r4+eMrS6mtrvSNCguIX
McsU
unsrowOCrAtkEEYINVdGl0yL9m9m1qzvbu3PiwhUtLpbdw32MYJZo5ARjPGB1HPGD3fivwxp
WtfF
P4oXevWsmsapp6WD2VhZ28kryRyLGrOIEmjkkKL5alhIqjcWI5VQOlhYTanSVlf8Gl38/L5h
d9zi
f+GhPFn/AEDvDv8A4An/AOKo/wCGhPFn/QO8O/8AgCf/AIqt7T/APhm61Dx3FbeG7h49PmIh
W71i
JfsgFuzvC0kLusDKwYrLMJIj5XlsUfJNX/hA/Df/AAhP2v8As3/Qf+EQ/tf+3/Pl/wCQn5uP
su/d
5PX935ezf2zu5quXAXt7Pt2669/66CvLuZf/AA0J4s/6B3h3/wAAT/8AFUf8NCeLP+gd4d/8
AT/8
VXdy/CXw2NZ8R3qaLu8OPqWhwaPOt3KY5YppIBclGD5dWEuN5yMk7SCDjnY/BWiyyeIpdC8H
x69f
2niz+x/7Iju7gC3slVgJdyybkLspBlkLICDgAAipj9Qkrqn27dbefnqP3u5jf8NCeLP+gd4d
/wDA
E/8AxVX9G+Nnj/W7prbRfDulajcKhkaK00p5nCggFiFYnGSBn3FX/CvgPwhP4R068uNF1HU2
uptS
S/ns7mOf+zhCSIw10J4reLam2QNIjiTJIwCork/gE0K3XjtruOSW3HhO/MqROEdlzHkKxDBS
R0JB
x6HpVujg3CbhTV4/527ivLubus/Gzx/ol0ttrXh3StOuGQSLFd6U8LlSSAwDMDjIIz7GqH/D
Qniz
/oHeHf8AwBP/AMVXR6fo2h+JrP4K6dqHmWnhi7fVEW2nuAZvMWYnY04CBhI4jUKqKwyQCSQR
FH4F
8L3Gp2wPhvUbPU/7C1C9h0i83W39oXETYhC2/wBoluVyDJld67/KBXgNUKODjpOlrr+Da7+X
/B6j
vLuYP/DQniz/AKB3h3/wBP8A8VR/w0J4s/6B3h3/AMAT/wDFVasfBljLb+KLiTwZs8R2Wm6f
Pa+G
/t0tzuMsgWaXyo3E6YXa3lu5KeZlsgrjZ8Y/D/wRpMF6ltHGtq/jK30Z9Qe9YmytngilmVTu
8sFG
Mi5kViBkNkjIrlwPNy+z/Ly8/MV5dzG/4Xp45/sz+0v7C0b+zvO+z/av7NfyvN27tm/djdjn
Gc45
qr/w0J4s/wCgd4d/8AT/APFVvfFrSV0P4P6lp8Og/wBi2cHjWWO1jxP/AKRCtu6pNmVmLbgO
qkKc
cDrXz/W2GwmFrxc1TW4OTXU9i/4aE8Wf9A7w7/4An/4qj/hoTxZ/0DvDv/gCf/iq8doro/s3
C/8A
PtC52exf8NCeLP8AoHeHf/AE/wDxVH/DQniz/oHeHf8AwBP/AMVXjtFH9m4X/n2g52exf8NC
eLP+
gd4d/wDAE/8AxVH/AA0J4s/6B3h3/wAAT/8AFV47RR/ZuF/59oOdnsX/AA0J4s/6B3h3/wAA
T/8A
FUf8NCeLP+gd4d/8AT/8VXjtFH9m4X/n2g52exf8NCeLP+gd4d/8AT/8VR/w0J4s/wCgd4d/
8AT/
APFV47RR/ZuF/wCfaDnZ7F/w0J4s/wCgd4d/8AT/APFUf8NCeLP+gd4d/wDAE/8AxVeO0Uf2
bhf+
faDnZ7F/w0J4s/6B3h3/AMAT/wDFUf8ADQniz/oHeHf/AABP/wAVXjtFH9m4X/n2g52exf8A
DQni
z/oHeHf/AABP/wAVR/w0J4s/6B3h3/wBP/xVeO0Uf2bhf+faDnZ7F/w0J4s/6B3h3/wBP/xV
H/DQ
niz/AKB3h3/wBP8A8VXjtFH9m4X/AJ9oOdnsX/DQniz/AKB3h3/wBP8A8VR/w0J4s/6B3h3/
AMAT
/wDFV47RR/ZuF/59oOdnsX/DQniz/oHeHf8AwBP/AMVR/wANCeLP+gd4d/8AAE//ABVeO0Uf
2bhf
+faDnZ7F/wANCeLP+gd4d/8AAE//ABVH/DQniz/oHeHf/AE//FV47RR/ZuF/59oOdnsX/DQn
iz/o
HeHf/AE//FUf8NCeLP8AoHeHf/AE/wDxVeO0Uf2bhf8An2g52exf8NCeLP8AoHeHf/AE/wDx
VdR8
P/ij478catc6fplv4RtpLe2N073dnIE2h0TA2bjnLjt618617F+y/wD8jlrn/YHf/wBKbeub
G4LD
0aEqkIK6Q4ybdj1O81/xxZahBYXmvfC63vp9vlW8qzpJJuO1dqlMnJBAx1NZPiPxt8QNB8Se
H9En
/wCEJuLzWpxBAYLSbZGS6IC5YLgZcdATwfbMvjfw/pl74s07TJJILeHxJKZNUj3S+dfLaxho
0QgF
EUHBblGIAwc5rL+Jn/JZ/hl/2EIf/SmKvnMPVVSooyhG3oatWR2vm/E3/n7+Hn/gLdf/ABus
Pxp4
q+IXhHw9Pq+oS+BZ4ImRPKtrS4MjFmCjG5VHfPJHAPfin/ETT9Svtb03/hEYJ7XxOkTY1Yrs
tobf
vHMxRll3NjbGASp+f5QPm4/x3bwWvwOuIYtNvtOulvY/tqX2WmkuPMHmSNLjE248iQcEYxjG
0RTr
qU1Fwjq+w2jzb46apca34m0jUrwRrPdaNaTMkS7UUspYhR2GSaKofFf/AI/vDn/YAsf/AEXR
XPVS
U5Jd2NbHu3xu+GuseMvFlnqGmXOnxQxadBAVuJHVtwBbPyoRjDDvXn3/AAojxP8A8/2jf9/p
f/jd
fTuo/wDHwn/XGL/0WtIlsNoMs8UJIyFcMTjseAcf59q7qObYijBU4tWXkS4J6nzH/wAKI8T/
APP9
o3/f6X/43R/wojxP/wA/2jf9/pf/AI3X079mi/5/bf8A75k/+Jo+zRf8/tv/AN8yf/E1r/be
K7r7
hezifMX/AAojxP8A8/2jf9/pf/jdH/CiPE//AD/aN/3+l/8AjdfTv2aL/n9t/wDvmT/4mj7N
F/z+
2/8A3zJ/8TR/beK7r7g9nE+Yv+FEeJ/+f7Rv+/0v/wAbo/4UR4n/AOf7Rv8Av9L/APG6+nfs
0X/P
7b/98yf/ABNH2aL/AJ/bf/vmT/4mj+28V3X3B7OJ8xf8KI8T/wDP9o3/AH+l/wDjdH/CiPE/
/P8A
aN/3+l/+N19O/Zov+f23/wC+ZP8A4mj7NF/z+2//AHzJ/wDE0f23iu6+4PZxPmL/AIUR4n/5
/tG/
7/S//G6P+FEeJ/8An+0b/v8AS/8Axuvp37NF/wA/tv8A98yf/E0fZov+f23/AO+ZP/iaP7bx
Xdfc
Hs4nzF/wojxP/wA/2jf9/pf/AI3R/wAKI8T/APP9o3/f6X/43X079mi/5/bf/vmT/wCJo+zR
f8/t
v/3zJ/8AE0f23iu6+4PZxPmL/hRHif8A5/tG/wC/0v8A8bo/4UR4n/5/tG/7/S//ABuvp37N
F/z+
2/8A3zJ/8TR9mi/5/bf/AL5k/wDiaP7bxXdfcHs4nzF/wojxP/z/AGjf9/pf/jdH/CiPE/8A
z/aN
/wB/pf8A43X0dNd2iar/AGct1HJd+SLjYAwym4rkbgM4IGcZxuXONwzLR/beK7r7g9nE+bP+
FEeJ
/wDn+0b/AL/S/wDxuj/hRHif/n+0b/v9L/8AG6+k6KP7bxXdfcHs4nzZ/wAKI8T/APP9o3/f
6X/4
3R/wojxP/wA/2jf9/pf/AI3X0nRR/beK7r7g9nE+bP8AhRHif/n+0b/v9L/8bo/4UR4n/wCf
7Rv+
/wBL/wDG6+k6KP7bxXdfcHs4nzZ/wojxP/z/AGjf9/pf/jdH/CiPE/8Az/aN/wB/pf8A43X0
nRR/
beK7r7g9nE+bP+FEeJ/+f7Rv+/0v/wAbo/4UR4n/AOf7Rv8Av9L/APG6+k6KP7bxXdfcHs4n
zZ/w
ojxP/wA/2jf9/pf/AI3R/wAKI8T/APP9o3/f6X/43X0nRR/beK7r7g9nE+bP+FEeJ/8An+0b
/v8A
S/8Axuj/AIUR4n/5/tG/7/S//G6+k6KP7bxXdfcHs4nzZ/wojxP/AM/2jf8Af6X/AON0f8KI
8T/8
/wBo3/f6X/43X0nRR/beK7r7g9nE+bP+FEeJ/wDn+0b/AL/S/wDxuj/hRHif/n+0b/v9L/8A
G6+k
6KP7bxXdfcHs4nzZ/wAKI8T/APP9o3/f6X/43R/wojxP/wA/2jf9/pf/AI3X0nRR/beK7r7g
9nE+
bP8AhRHif/n+0b/v9L/8bo/4UR4n/wCf7Rv+/wBL/wDG6+k6KP7bxXdfcHs4nzZ/wojxP/z/
AGjf
9/pf/jdH/CiPE/8Az/aN/wB/pf8A43X0nRR/beK7r7g9nE+bP+FEeJ/+f7Rv+/0v/wAbo/4U
R4n/
AOf7Rv8Av9L/APG6+k6KP7bxXdfcHs4nzZ/wojxP/wA/2jf9/pf/AI3Wr4e+FXjzw5cXE+h6
3pNn
PcQ+RI6O7Fk3K+PmiOPmRTkc8ehNe/UVE84xFSLhOzT8hqmkeNf8Il8Wf+hvsf8Av4f/AIzW
fd/D
j4j3mr6bql34i0ue/wBNkE1pK7EmJwysDjycHlQcHIr3WiuaOLcHeMY39B8p41/wiXxZ/wCh
vsf+
/h/+M1R1n4efErW9Pex1XxNpt1aOVZo3kbBIII6Q56ivc6KSxTTuoR+4OU+QvjdYS6V4j0nT
7hka
a00e1gdkJKlkUqSMgHGR6UVp/tKf8lHH/XlF/NqK5pScm5PqUfWmo/8AHwn/AFxi/wDRa0aj
/wAf
Cf8AXGL/ANFrRqP/AB8J/wBcYv8A0WtGo/8AHwn/AFxi/wDRa0gOFfxJc2erXja1cwadYW3n
uYJN
OnLPHGrMGS53eW7FF83Yqlgu5cZViI7H4i6TfBEtbe6nunnW3W3tnhuGLPHI6EtFIyAHyXHL
DbgF
tq/NWpfeF4dTnl/ti/vtQtG83ZZy+WkcXmI8Z2mNFc/JI6jcx4bPUAiS38PBbqzub3VNRv7i
1n8+
N7howP8AVSR7diIq4xM5yAGJxkkKAACnrXi+1stLvJkSdbqD7WrRGISPD5EbOZHj3qfLIEZB
yM+d
Fyu8GpLzxdaWdrf3s9rdJplozRfbmaJYpJVlERjXLhlPmZXc4VPlJLbcE2NT8MafqD6u8wdH
1OzN
lM0e0FVZSrOvHDsNgJOciKMY+UVHJ4XhZbqJb++SzmlNylsvl7IJ/NE3moSm8t5gL4ZmXkjb
twAA
Uz4xt77wRreuaNseXToJ2McjpKqypF5gUtE7KwIKn5WPXGQQQNjV9YGn3FvbQ2V1f3k6vIlv
bGMN
5aFQzkyMq4BdBjOfmGAQCRHLoSXGgahpV7fX12t/FJFPcSuvmEOmw7QFCLhcYCqBnkgkkmu/
hyZ/
JlbXtVN/D5ipe7LfzBG+wtHt8rZtJjQ527sj72CRQBJpXiS31i6jXSra6urNlRnvlCJFGXiW
VVYM
wkyUeM8IR84BIIbHPxfEODUJbFNFs3vJ3vBBcWsU9vLJ5bQTyKyukxiB3QnhnzgHjlSdiLwf
p8EM
1pbTXUOkzwfZ7jTlZTFMohEILMymQHy1QfK4+4D1JJj/AOEQVruS9n1rVZ9SPleVduLcPB5Y
lA2q
sQQ5WeUHcrfe4wQCACMeM7eKK6eS3urhLNp3vJYYkRbWFJ5Yw7hpMsP3Mn3NzHYTtXcq1c0/
xRDe
agtu1hfW8Mt1PZwXUvlmOeaIyB1UK5ccRSEFlUYXrkgGvN4LsXW5RLu+ihvPNW9jRoyLqOSW
WUxs
ShKqDPKAUKthuWJAI0IPD9rD9i2yTn7JfT6gmWHMk3nbgePujz3x34Xk85AM+/1bUmu9bk01
PMh0
3yrUReXvJlcJJJKVHzOscUiFUUqzHzFxkoRh3Hi67guNPguPEWgWYnW5eS4vtOlttjRmDbEY
pJ1Z
XIlZ+Tyu0gY5PUSaPdLqepSWV69nb6gqSSPCFMsVwmF3qHV1IeNUUggBfLBAJckR2fhSxhu3
urqW
e/uJop4rlroRkXIlEKtvVVC8LbxqAABgHIJJNAGXeeK9QgsTJLYpaXl3pMNzp9rOGLNdu3lt
C54w
FkltV5C/fY5wDt3NKvJ/7b1bTLuTzWg8u6gkwAfIl3hVbGPmV45R0+55eSW3Gh/D9rL/AGYb
mSe4
bT5TJE87B2ZedqOxGWVT5bDJ3Foo2JLLkyaXp8sOp6lqF4yNcXTLHGEJIjt48+WmcDJy0jk4
yDIV
ywUGgDJuf+Sqad/2Bbn/ANHwV1Vcrc/8lU07/sC3P/o+CuqoAKKKKACiiigAooooAKKKKACi
iigA
ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPlX9pT/ko4/wCv
KL+b
UUftKf8AJRx/15RfzaigD601H/j4T/rjF/6LWjUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4
T/rj
F/6LWgCrRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRXO6h438M6dezWl/rdjb3ULbZIpZNrK
fcGg
DbjtLdNXj1QQo19HA9ssjjcBGzKzDaeOqLzjPHua0ft0v9y3/wDAeP8A+Jri/wDhYng//oY9
N/7/
AAo/4WJ4P/6GPTf+/wAKAO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v
8KP+
FieD/wDoY9N/7/CgDtPt0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/
AAo/
4WJ4P/6GPTf+/wAKAO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+
FieD
/wDoY9N/7/CgDtPt0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/
4WJ4
P/6GPTf+/wAKAO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+FieD
/wDo
Y9N/7/CgDtPt0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/4WJ4
P/6G
PTf+/wAKAO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+FieD/wDo
Y9N/
7/CgDtPt0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/4WJ4P/6G
PTf+
/wAKAO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+FieD/wDoY9N/
7/Cg
DtPt0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/4WJ4P/6GPTf+
/wAK
AO0+3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+FieD/wDoY9N/7/Cg
DtPt
0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/4WJ4P/6GPTf+/wAK
AO0+
3S/3Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8KP+FieD/wDoY9N/7/CgDtPt
0v8A
ct//AAHj/wDiaPt0v9y3/wDAeP8A+Jri/wDhYng//oY9N/7/AAo/4WJ4P/6GPTf+/wAKAO0+
3S/3
Lf8A8B4//iaPt0v9y3/8B4//AImuL/4WJ4P/AOhj03/v8K29D1jT9esprvRryG9tYpBE8sLb
lDkZ
259cc/l6igDZ+3S/3Lf/AMB4/wD4muU8K31zfap4qN1KZPJ1YxRrgBY0FvBhVA4AySeO5J6k
10Nc
r4G/5CPi/wD7DTf+k8FAHz/+0p/yUcf9eUX82oo/aU/5KOP+vKL+bUUAfWmo/wDHwn/XGL/0
WtGo
/wDHwn/XGL/0WtGo/wDHwn/XGL/0WtGo/wDHwn/XGL/0WtAFWsfQ/Emma5s/s+Wc+ZEJ4vPt
ZYPN
j4+ePzFXevzLkrkDcueozsV5va6Lr2peDdG0oWc+i32k2JRLieeP57j7JJbr5ZiZiFBkLFzg
jaoC
nJKgHpFFeV6jo+nW+oWF1qukadoXhk3kW+w1BrWOIyLb3YaXYrmMljJABglj5eSAFBrP0WJN
R0w6
bYT6dqQn06xk1O1s7m0uZ5bhfN+0ShJGaNpDIbbdJICGUHBLBcAHsCzK1w8ID70VXJKMFwSQ
MNjB
PynIByOM4yMyV5Pong3UJ9Q0wa5pfn6bFKoeK+MEm2JDqXlqyISnyrPbAKo2jICgBTjsPDWl
z2M9
mtzp+3yP7QjhnEwxbwNdK0MSoDja0aoR/cEQXjOKAOoooooAKKKKACiiigArkfB88Vtc+NJ7
mVIY
ItXd5JJGCqii2gJJJ4AA7111cb4Xt/tbeObbbA3narLHieLzYzm1gHzpkbl55GRkcZFAE1x4
yt49
Y0+JbbUfsdxBcs2dKuvOEkbQBcJs3bMStltuMgDOeDYPjLSlupIfNe4JY+T9gt57syIIoZC5
8uMg
DE6cgkEMvOSQI/DvhV9J1C2u5L7zmiiuIhAkbLDGJTBhYVZ2McaiAYTJGXONowor+EfBf/CP
Xttc
fb/tHk2pttvk7M/ubSLdncf+fTOP9vH8OSAWNb8XWdstqmmSfa5p7qzi8yKCSWBUmljU5lQb
Fby5
NwBYfeQ4IYZsN4x0GOCSea+8i3TaRNPDJHHIrOqB43ZQske50y6kqA6kkAg1j2Hgi6sNPs9P
tdWg
+wpLYz3Iksy0kslsIFGxhIAisLdOCrEEtycgCPS/h3b6dFFFbvp0KW7Wwikt9NSKaRIp4pf3
8m4m
Rz5KjcNgyzMVPyhQDcbxfpCzyQl77zo9oKDT7gsWZFkCAbOZNjhigywUMSAFbFx9e05Li0iM
zsl2
qPDcJC7W7hzhP3wHlgscAAtkllx94Zp/8I5/xOv7Q+1f8xP+0fL8v/py+zbM5/4Fn8Md65+L
4d+V
/ZC/bLGb7B9iPn3Gn+ZcL9n8v5YZPMHlRt5WSuGwZJDk7uADoPB2vP4ggvrgiAQxywiEwliG
R7WC
bOWAJ5lbBKrwBkA5osvGGiXlobmK5nWExLNGZrSaIzoxABiV0BlyWQDYG5dB1Zc1/Cnhefw7
Z29t
BqfmRrLC8w+zgeakdmluE5J25aNZMj029Mmqd34Eiu9G0bT57tJU03TlsgJLcMkzK9u6s6Fu
UzbA
MmeQ5G4daANBfF9jJrGnWUEV1ILxZsn7NMJIJEaEBZI9m6METBtz7QBtPRga6SuT0jwk2k3F
ndWU
2nW1xE0qyx22nLDbtFIYt6pGrAq/7iPDsz8luCNoXrKACiiigAooooAKKKKACiiigAooooAK
KKKA
CiiigAooooAKKKKACiiigAq1H/yDLj/rtH/6C9VatR/8gy4/67R/+gvQBVrlfA3/ACEfF/8A
2Gm/
9J4K6quV8Df8hHxf/wBhpv8A0ngoA+f/ANpT/ko4/wCvKL+bUUftKf8AJRx/15RfzaigD601
H/j4
T/rjF/6LWjUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRRQAUUUUAFFFFAB
RRRQ
AUUUUAFFFFABVbRdG0/TH1GVbq7aW/ujdygwqVVyiJhfmHGEXr3yeOgs0UAWtll/z8XH/fhf
/i6N
ll/z8XH/AH4X/wCLqrRQBa2WX/Pxcf8Afhf/AIujZZf8/Fx/34X/AOLqrRQBa2WX/Pxcf9+F
/wDi
6Nll/wA/Fx/34X/4uqtFAFrZZf8APxcf9+F/+Lo2WX/Pxcf9+F/+LqrRQBa2WX/Pxcf9+F/+
Lo2W
X/Pxcf8Afhf/AIuqtFAFrZZf8/Fx/wB+F/8Ai6Nll/z8XH/fhf8A4uqtFAFrZZf8/Fx/34X/
AOLo
2WX/AD8XH/fhf/i6q0UAWtll/wA/Fx/34X/4ujZZf8/Fx/34X/4uqtFAFrZZf8/Fx/34X/4u
jZZf
8/Fx/wB+F/8Ai6q0UAWtll/z8XH/AH4X/wCLo2WX/Pxcf9+F/wDi6q0UAWtll/z8XH/fhf8A
4ujZ
Zf8APxcf9+F/+LqrRQBa2WX/AD8XH/fhf/i6Nll/z8XH/fhf/i6q0UAWtll/z8XH/fhf/i6N
ll/z
8XH/AH4X/wCLqrRQBa2WX/Pxcf8Afhf/AIujZZf8/Fx/34X/AOLqrRQBa2WX/Pxcf9+F/wDi
6Nll
/wA/Fx/34X/4uqtFAFrZZf8APxcf9+F/+LpZHt0s3iheV2eRWy8YUAAMOzH+9VSigArlfA3/
ACEf
F/8A2Gm/9J4K6quV8Df8hHxf/wBhpv8A0ngoA+f/ANpT/ko4/wCvKL+bUUftKf8AJRx/15Rf
zaig
D601H/j4T/rjF/6LWjUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRXkcV3b
6NFe
P4Wn0DVbkwKJNYtI0E1uhnhRmu5wZAzsjvKZGUDMDsUYZAAPXKK878Marreo6xpdpJrNrNZs
t1M0
9rtuPtCRta7QJvKjQndLIpZExtyv3xvUudS1iWCOG9dD/Zl5Y2N27xRuLq4e8gxJtx+7Pk7J
ABkA
3IAIaKgD0SivL5fEmoHw3aXMHiCA6hcSwjU455oIE0ctFI7IW8pzF+8UR/vlc/w8Md1dR4X1
G6ul
0gX+pQSTzWt0/lQRlkuVSWNUmEpRM4Vl5VVV/N3KNoFAHUUUUUAFFFFABRRRQAVyMI8QX+ne
MdZj
1+1sNN0G4mjMH9lfaZXSO3jmJDecgz85AB9BzzXXVz2j/wDJMfjF/wBfF/8A+m+GrpxUpqL6
sT0R
5jpnxOudVvo7LS9W1i9vJc7ILfwrHJI+AScKt6ScAE/QVV/4W/H/ANDDf/8AhNRf/Jtee/D6
5is9
N8ZT3Fjb38SaOmbe4aQRvm+tByY2VuM54YcjuOK7aXQ9FlufB1ld6VHdza9c2eny3k9zcNNb
xtYa
ccxfvAgINxIQGVlGFGNo219NPLcLCbi4v7+yuzHnkXP+Fvx/9DDf/wDhNRf/ACbR/wALfj/6
GG//
APCai/8Ak2s7QvB2kXmnhb/RfI0D7Hpsx8TeZMv72a4tFuF8wt9n+TzrhMbMr5fzZKsSa1oH
hvT7
XUr648L6ja3Fppr3Asb2KXT1ZhdWkcb+W1xNMVPmyqxLKrAYTa6s4n6jgnLlUZX9Q55HtHgX
SfEX
jTwtZa/pfi+1is7syBEudACyDZIyHIW5I6oe/TFb3/CAeMP+h003/wAER/8Akil/Zk/5Ih4c
/wB6
6/8ASqWvUa+aqLlm4rozW55b/wAIB4w/6HTTf/BEf/kij/hAPGH/AEOmm/8AgiP/AMkV6lRU
Bc8t
/wCEA8Yf9Dppv/giP/yRR/wgHjD/AKHTTf8AwRH/AOSK9SooC55b/wAIB4w/6HTTf/BEf/ki
j/hA
PGH/AEOmm/8AgiP/AMkV6lRQFzy3/hAPGH/Q6ab/AOCI/wDyRR/wgHjD/odNN/8ABEf/AJIr
1Kig
Lnlv/CAeMP8AodNN/wDBEf8A5Io/4QDxh/0Omm/+CI//ACRXqVFAXPLf+EA8Yf8AQ6ab/wCC
I/8A
yRR/wgHjD/odNN/8ER/+SK9SooC55b/wgHjD/odNN/8ABEf/AJIo/wCEA8Yf9Dppv/giP/yR
XqVF
AXPLf+EA8Yf9Dppv/giP/wAkUf8ACAeMP+h003/wRH/5Ir1KigLnlv8AwgHjD/odNN/8ER/+
SKP+
EA8Yf9Dppv8A4Ij/APJFepUUBc8t/wCEA8Yf9Dppv/giP/yRR/wgHjD/AKHTTf8AwRH/AOSK
9Soo
C55b/wAIB4w/6HTTf/BEf/kij/hAPGH/AEOmm/8AgiP/AMkV6lRQFzy3/hAPGH/Q6ab/AOCI
/wDy
RWdqPhLxfZylW8ZaSEAUln0Rxy27AwJj/dNex1ynjWNpbe4jjmeB3WNVljClkJEvzDcCMjry
CPUG
gdzzv+wfFX/Q66J/4JZf/jlSeCbm+urXxFHqt5De3Gnamtkk8MHkKy+Srk7NzHq3c9AOBzWB
4J0n
xzb69fSeLPESXemQMUtYobaFPtII4kfCZQDONoOdwPO0Dft+Avu+N/8AsPr/AOksdMZ0Ncr4
G/5C
Pi//ALDTf+k8FdVXK+Bv+Qj4v/7DTf8ApPBQB8//ALSn/JRx/wBeUX82oo/aU/5KOP8Aryi/
m1FA
H1pqP/Hwn/XGL/0WtGo/8fCf9cYv/Ra0aj/x8J/1xi/9FrRqP/Hwn/XGL/0WtAFWsew8O2Vj
dx3M
E+qtImcCfVLmZDkEco8hU9e49+tbFFABRRRQAUUUUAFFFFABRRRQAUUUUAFTeA9PXS7HxLBr
ENrc
W2r6jJciEyxOrQtBFEVkVmHXy2yvPBGe4ENc9a6zrepXmpxaH4UvtShsLk2ks8V3bRr5gRXw
BJIr
fdde2OaAOl1nwF8PNXtVt7vwnpUaK4cG08m1fOCOWidWI56E46ccCsf/AIVB8L/+ha/8qkn/
AMfp
nmeMf+hC1L/wYWX/AMeo8zxj/wBCFqX/AIMLL/49W8cXXirRm182Tyo1/wDhXvw+Gif2TH4b
t4rM
8OYroRyyjdv2ySrKJHXdg7WYjKrx8q4y/wDhUHwv/wCha/8AKpJ/8fpnmeMf+hC1L/wYWX/x
6jzP
GP8A0IWpf+DCy/8Aj1NYuutqj+9hyo73wxDovhfQ7bR9CtPsunW+/wAqH7Uj7dzF2+ZpCTlm
J5Pe
tT+2YP7v/kaL/wCLry7zPGP/AEIWpf8Agwsv/j1HmeMf+hC1L/wYWX/x6udu7ux2R6j/AGzB
/d/8
jRf/ABdH9swf3f8AyNF/8XXl3meMf+hC1L/wYWX/AMeo8zxj/wBCFqX/AIMLL/49SA9R/tmD
+7/5
Gi/+Lo/tmD+7/wCRov8A4uvLvM8Y/wDQhal/4MLL/wCPUeZ4x/6ELUv/AAYWX/x6gD1H+2YP
7v8A
5Gi/+Lo/tmD+7/5Gi/8Ai68u8zxj/wBCFqX/AIMLL/49R5njH/oQtS/8GFl/8eoA9R/tmD+7
/wCR
ov8A4uj+2YP7v/kaL/4uvLvM8Y/9CFqX/gwsv/j1HmeMf+hC1L/wYWX/AMeoA9R/tmD+7/5G
i/8A
i6P7Zg/u/wDkaL/4uvLvM8Y/9CFqX/gwsv8A49R5njH/AKELUv8AwYWX/wAeoA9R/tmD+7/5
Gi/+
Lo/tmD+7/wCRov8A4uvLvM8Y/wDQhal/4MLL/wCPUeZ4x/6ELUv/AAYWX/x6gD1H+2YP7v8A
5Gi/
+Lo/tmD+7/5Gi/8Ai68u8zxj/wBCFqX/AIMLL/49R5njH/oQtS/8GFl/8eoA9R/tmD+7/wCR
ov8A
4uj+2YP7v/kaL/4uvLvM8Y/9CFqX/gwsv/j1HmeMf+hC1L/wYWX/AMeoA9R/tmD+7/5Gi/8A
i6P7
Zg/u/wDkaL/4uvLvM8Y/9CFqX/gwsv8A49R5njH/AKELUv8AwYWX/wAeoA9R/tmD+7/5Gi/+
Lo/t
mD+7/wCRov8A4uvLvM8Y/wDQhal/4MLL/wCPUeZ4x/6ELUv/AAYWX/x6gD1H+2YP7v8A5Gi/
+Lo/
tmD+7/5Gi/8Ai68u8zxj/wBCFqX/AIMLL/49R5njH/oQtS/8GFl/8eoA9R/tmD+7/wCRov8A
4uuL
8cXfiO8vYx4ctNDktDGpke/1Hyn3gvwFRWGMN1znPYY5wvM8Y/8AQhal/wCDCy/+PVBNf+LI
pfLb
wDqxfAYhLy0fAOcdJT6GmAzyPHv/AD4+Ev8Awbv/APGqueD9H1LSNN12TWzpy3epamt4sdlc
+eqr
5KoeSFPVPTuOap/2l4s/6J/rf/gRbf8AxyrvhjVJtZtdUe50+bTrjTrxbKa3mkR2DmMSHlCV
4DL3
znIOMUDNSuV8Df8AIR8X/wDYab/0ngrqq5XwN/yEfF//AGGm/wDSeCgD5/8A2lP+Sjj/AK8o
v5tR
R+0p/wAlHH/XlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP
+uMX
/otaAKteX+HPFerRaFpupynVdajuLW2+1Jc2qWuy4mlgjRYGMcaup8yU5yw+RPmUNlvUK5fT
fD2o
w2lhp19eaVNpFn5Pl28FjNE48kq0WJDcN91kQ8g5xg9aAB/Et1Fdus2nwC1trq3sLyRLol0u
JhFt
Ea7AHjBnjyxZD975eAGz/DXiPXLvQPDyS2NjcavqFiLwM940cbxKkO52KwnbIWmX5ApUDPzc
AHpJ
9B06fUxfywuZ9yyMomcRO642u8QOx3GFwzKSNi4Pyriu3hXSvs6QpHdQpGzNEYL2eJogwAMa
Mrgp
H8q/u1IT5V+XgUAZdt40+2abd6xa2GdEsrUXNzJJNtuBm2W4CpEFKt8siDJkXnd2AJjuNb1C
TxNo
mmX0CWV2l4skqWt000UsMlrebQWKISd8BJUrgYQ5J6bn/CNaSJ96WnlxmLyXto5HS3kTZ5eH
gBEb
/JhfmU8Ko6KMFn4b0y0nhnSKeS4hl85Jri6lnkDBHQDe7FioWWTCk7QXYgZOaANDTpZ59Ptp
ry2+
y3UkSvLb7w/lOQCybhw2DkZHXFWKr6dZwadp9tZWcfl2ttEsMSZJ2ooAUZPJ4A61YoAKKKKA
Ciii
gAqb4Lfd8af9h9//AEltqhpPhY0lrZeNB58NncXGsyvayXSEof8ARoFD7dyl1DKQcMM7SMg9
ATOl
8c6nq+nXfhiLQY7aae91NreSC5l8mOWMWlzJgyCNyuGjVshckqBwCaz77xlqiWF5qNhotlNp
66gu
l2zTag8Ustx9tWzbeghYIgcuwYM5KqvygsQs39n3OqfufFWu6Le2qfPD/ZtvNYXEMvQOkwuW
ZflL
qduCQ5GcEgxeIPCWgarBcpb6lLYtc3MFxKsOozLF8lzHO5SJZAkbuYzmRAGDOzZJJyhG/wCG
dYn1
VdRgv7SO01DTrn7LcxwzGaLeYo5VKOVQsNkqZyq4bcOQATtVi6LBo2i2rwWFxGFdzJJJNdtP
LK+A
NzySMzucBVBYnCqoHAAGh/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A
39X/
ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z9
2/8A
39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aF
l/z9
2/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/j
R/aF
l/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7
+r/j
R/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCf
u3/7
+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtVynjUyr
b3Bt
kSScLGY0kcorNiXALAEgZ74OPQ10P9oWX/P3b/8Af1f8a4H4h+LLHTb1Lb7Nql68kccm+wsZ
blFA
MgwWRSAeemc464yMgI898E+Mte8Ra9fWF94SfSYLBjHdXE15u2yYyEQeWA5IIOQcbSDnlQ23
4C+7
43/7D6/+ksdVv+E3s/8AoD+Jf/BNcf8AxFT/AA6aSbT/ABXdva3dtFd62s0S3Vu8Dsn2ZBna
4Bxl
WGfY0yjo65XwN/yEfF//AGGm/wDSeCuqrlfA3/IR8X/9hpv/AEngoA+f/wBpT/ko4/68ov5t
RR+0
p/yUcf8AXlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uM
X/ot
aAKtFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFWUvrtFCpdTqoGABIQAKrVzngvwl4d14+M9U8
Ttch
LHVpI/O/tO4tooYVt4XOQkiqACzsSfU5NAHW/wBoXv8Az93H/f1v8aP7Qvf+fu4/7+t/jVDQ
/APw
/wBb88WNpraSwbTJBd3+pWsqhs7W8uV1badrANjBKsAcqcav/CovB3/PnqX/AIOb3/49QK5D
/aF7
/wA/dx/39b/Gj+0L3/n7uP8Av63+NTf8Ki8Hf8+epf8Ag5vf/j1H/CovB3/PnqX/AIOb3/49
SC5D
/aF7/wA/dx/39b/Gj+0L3/n7uP8Av63+NTf8Ki8Hf8+epf8Ag5vf/j1H/CovB3/PnqX/AIOb
3/49
QFyH+0L3/n7uP+/rf40f2he/8/dx/wB/W/xqb/hUXg7/AJ89S/8ABze//HqP+FReDv8Anz1L
/wAH
N7/8eoC5D/aF7/z93H/f1v8AGj+0L3/n7uP+/rf41N/wqLwd/wA+epf+Dm9/+PUf8Ki8Hf8A
PnqX
/g5vf/j1AXIf7Qvf+fu4/wC/rf40f2he/wDP3cf9/W/xpb2xt9MitLGyQpbW8bRRqXLkKJXA
yzEk
n1JJJ6k1UpjLX9oXv/P3cf8Af1v8aP7Qvf8An7uP+/rf41VooAtf2he/8/dx/wB/W/xo/tC9
/wCf
u4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8aP7Q
vf8A
n7uP+/rf41VooAtf2he/8/dx/wB/W/xo/tC9/wCfu4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+
0L3/
AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8aP7Qvf8An7uP+/rf41VooAtf2he/8/dx/wB/W/xo
/tC9
/wCfu4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8
ajmu
ridQs08sig5w7kjP41DRQAVyvgb/AJCPi/8A7DTf+k8FdVXK+Bv+Qj4v/wCw03/pPBQB8/8A
7Sn/
ACUcf9eUX82oo/aU/wCSjj/ryi/m1FAH1pqP/Hwn/XGL/wBFrRqP/Hwn/XGL/wBFrRqP/Hwn
/XGL
/wBFrRqP/Hwn/XGL/wBFrQBVrx/wzp+paT4M0LVtKg0rRpJrXT7XdbL532wzz2y+bOuxPmVd
4xuY
/vnwynk+wUUAeby6pNZa/qVjf67/AGTp63TCTVGS3ieSVLWy2I7vH5ZZxJK33dx8sBcKpFR2
era3
qOmT3urSpEY9R0mD7A1ooELy/YXkzvBbIaRtvQqSxJJCbO81bSLbVPK+0yXyeXnb9lvZrbOc
dfLd
d3TvnHOOpqxYWkdjaR20DTtGmcGed5nOSTy7ksevc+3SgDzvwzqN9ofgjQZ7W7fVhbwLYXVh
I8Mb
W900UaxQllUFCsoWLawLDz9znCV2mkNPFqD2V5qv226gsbYyp9nEfzkyhpsjj94UPyD7vl/7
VaFz
ZwXU9pNPHuktJTNCckbHKMhPHX5XYc+vrirFABRRRQAUUUUAFFFFABWX4M0qfXfBXxT0i0eN
Lm/1
C7tYmlJCB5LGBQWIBOMkZwDWpVv4cW8mgR6+195J/tHVGvYRHPHlYzDFGAwLDBzGTj0I75AB
M2fD
UN/d+KdX1y+0y50uK5srSyjtruSJpSYXuHZ/3Tuu0+eoHzZyrZAGCeqrL/tmD+7/AORov/i6
P7Zg
/u/+Rov/AIukI1KKy/7Zg/u/+Rov/i6P7Zg/u/8AkaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/
u/8A
kaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/u/8AkaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/u/8A
kaL/
AOLoA5nxB/x9r/20/wDRslZdaOtuslxGyspyGJCsGxmRyASCRnBFZ1MoKKKKACiiigAooooA
KKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8hHxf/wBhpv8A0ngrqq5XwN/yEfF//Yab
/wBJ
4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD601H/j4T/rjF/6LWjUf+PhP+uMX/ot
aNR/
4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRWPpfiC11L+x/IjnX+1LFtQh3qBtjHlZDYPDfvl6ZH
B56Z
ANiisfS/EmlajFpfl3kEV1qVql3b2c0qLO0bLuB2ZyeAc4yODzxRF4l0c/2ek+pWNtdX8Ucs
FtLd
ReY4f7u0BiGyeAVJBPQmgDYork9O8eaLd+FrfWmvLUJttTdxRXKSGzadlUCQ5G0KWOSccK3H
GK6S
1vbW72/ZbmCfdEk48uQNmN87H4/hba2D0ODjpQBYooooAKKKKACiiigArnX8V25vLy2ttK16
9a0m
MEz2WlzXCK+A23cikZwynGc4IroqoeAdX/sDwr8TdZ8j7R/Z2p3V35O/Z5nl2UD7d2DjOMZw
fpQB
m/8ACTn/AKFzxb/4Irr/AOIo/wCEnP8A0Lni3/wRXX/xFeleHNR1T+39T0TW5rK6ubS2trxb
mzt3
t0ZJnmQIY2kkOVMBO7dzvAwNuW6WkK54h/wk5/6Fzxb/AOCK6/8AiKP+EnP/AELni3/wRXX/
AMRX
t9FFwueIf8JOf+hc8W/+CK6/+Io/4Sc/9C54t/8ABFdf/EV7fRRcLniH/CTn/oXPFv8A4Irr
/wCI
o/4Sc/8AQueLf/BFdf8AxFe30UXC54h/wk5/6Fzxb/4Irr/4ij/hJz/0Lni3/wAEV1/8RXt9
FFwu
eYQFpLO1uHhmg+0R+YIpkKSIMkYZTyp46Hkd8HilrU8Qf8fa/wDbT/0bJWXTGFFFFABRRRQA
UUUU
AFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXK+Bv+Qj4v/7DTf8ApPBXVVyvgb/kI+L/
APsN
N/6TwUAfP/7Sn/JRx/15Rfzaij9pT/ko4/68ov5tRQB9aaj/AMfCf9cYv/Ra0aj/AMfCf9cY
v/Ra
0aj/AMfCf9cYv/Ra0aj/AMfCf9cYv/Ra0AVa8f1LTNOvP7T41sfabo+X/wASe94t5PP87P7j
/Wf6
bd7McfLDnOGz7BRQBwcfh59U16TVoY3ewvLyG9Juri7tWhaERqFNphVc5gBDuRjcDtYKA2Pb
aNq2
iW+meHYrZLwzz6ZdTzxiYLD9nFukgDeV5ZGLUt80iMd2ApO3d6pRQBwb+D9QOleGIVmtfP0f
To4G
BZtsk0c1pKoB25CMbZlLYyNwO09K6yyiuv7Qlubq3sYvMtYUJhJaTzAZC6lyBujG5dvAOS5I
Ga0K
KACiiigAooooAKKKKACo/hZp9rq2k/EDTtQi86yvNZmt549xXfG9nbqwyCCMgnkHNSVZ0CS2
0KO8
Gnx3EbXlwbq4Pmqd8pVVJwUOBtRRgenrkkEzq9B0AaVdXd5caje6pqFykcMl1eCJX8qMuUjC
xIiY
BkkOdu47zkkBQNquO/4SGX1uP++4/wD43R/wkMvrcf8Afcf/AMbpCsdjRXHf8JDL63H/AH3H
/wDG
6P8AhIZfW4/77j/+N0BY7GiuO/4SGX1uP++4/wD43R/wkMvrcf8Afcf/AMboCx2NFcd/wkMv
rcf9
9x//ABuj/hIZfW4/77j/APjdAWOxorjv+Ehl9bj/AL7j/wDjdH/CQy+tx/33H/8AG6AsVvEH
/H2v
/bT/ANGyVl1av7oXUiMFZdoIO5gSSWLE8Ad29Kq0ygooooAKKKKACiiigAooooAKKKKACiii
gAoo
ooAKKKKACiiigAooooAK5XwN/wAhHxf/ANhpv/SeCuqrlfA3/IR8X/8AYab/ANJ4KAPn/wDa
U/5K
OP8Aryi/m1FH7Sn/ACUcf9eUX82ooA+tNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX
/ota
NR/4+E/64xf+i1oAq0UV5n4V8T6oNG07UJ5tR1RLqzg883toLVI7uZ4UiWJxEm6NjJIWYCTA
RSOo
DgHplFcnaeKb2fXodGbSU+3BpVumjut0MIQW7lgxQM4KXK/wg7xtxtJcR6H4g1KP4Yp4g1m3
gluo
tMF9iKbP2gCEPlvkUIzHOVAYDsTQB2FFcvD4luotdtNH1PT4Ib6eVATb3RljWN4rh1bcyIS2
bVwV
wAAynJ5Azz43unvLqO30mBobeVYGd7wqxke8mtIsKIz8peEFjnKqxwHIwQDuKK87TxZqCatr
OpLZ
pJp9hp0b3sDXjAwtDPeJMYV2ESE+ScFjHkKmcfw2Lz4gSQPq0kWi3U1nZLdhZgkwDPbq+7ex
i8pU
LRMoZZHOSuVBLBQDvKKz7O6v5ZbUXOnfZ45YpJJGM6sYWDKI0YDqzKzE7SVUoRlgQx0KACii
igAr
A8NaX4m8V3niCSw8RWOm2un6i1lHFLpf2hiBFFJuLCVP+emMY7da36X4Q20F5Z+Ora7hjntp
tclj
lilUMkiG0tgVYHgggkEGgTIv+EA8Yf8AQ6ab/wCCI/8AyRR/wgHjD/odNN/8ER/+SKyY/DWi
L4Wu
PFFtY+G9O0a+vYrsWF5ssrC6sVSSK2WdghX5mm+1AvGWDMkZGUVl774YwX1v4LtE1O1+xytN
cyRW
oLFYIGuJGgjUMqsqrEY1VSqlQApVSNoQXOX/AOEA8Yf9Dppv/giP/wAkUf8ACAeMP+h003/w
RH/5
Ir1KigVzy3/hAPGH/Q6ab/4Ij/8AJFH/AAgHjD/odNN/8ER/+SK9SooC55b/AMIB4w/6HTTf
/BEf
/kij/hAPGH/Q6ab/AOCI/wDyRXqVFAXPLf8AhAPGH/Q6ab/4Ij/8kUf8IB4w/wCh003/AMER
/wDk
ivUqKAueby2Ulhb2sFzOLm5WMiacJ5YkcOylguTtHHAycep61DWp4g/4+1/7af8Ao2SsumUF
FFFA
BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXK+Bv8AkI+L/wDsNN/6TwV1
Vcr4
G/5CPi//ALDTf+k8FAHz/wDtKf8AJRx/15Rfzaij9pT/AJKOP+vKL+bUUAfWmo/8fCf9cYv/
AEWt
Go/8fCf9cYv/AEWtGo/8fCf9cYv/AEWtGo/8fCf9cYv/AEWtAFWs8aNYDRIdIEGLCGJIYow7
ZRUx
sKtncGXapDA7gQCDkZrQooAy9O0HTtPuI7i2hf7QiyJ50szyyMHKbtzOSXP7qMZYkgIAMAYq
OXw/
ZjQNQ0m1TZa3cUkXlSvJJGgdNu1V3grGBwEQqAOm3rWxRQBy6eGrm81Ca5166sblpIo0D2Nv
PZzI
ULlCsgnYrgSyg7QCQ5BOODcs/Cmj2kTRw2r4ZonZpLiSRmaOd50JZmJJEsjtknnODkcVuUUA
c/J4
P0SS5edracNJuEqLdzLHMGkklZZIw+11LyyHawIwxGMcVJdeFNHunuzcWrulysiyRG4k8oeY
pWRk
j3bUdgz5dQGO9ufmOdyigCu9nA+oQ3rR5uoYpIUfJ4RyhYY6cmNPy9zViiigAooooAKk+ELp
Zp4u
N2ywCbXJJIvNO3zE+z267lz1G5WGR3UjtUdWUvrtFCpdTqoGABIQAKAO7/tCy/5+7f8A7+r/
AI0f
2hZf8/dv/wB/V/xrhf7Qvf8An7uP+/rf40f2he/8/dx/39b/ABpCsd1/aFl/z92//f1f8aP7
Qsv+
fu3/AO/q/wCNcL/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NAWO6/tCy/5+7f/v6v+NH9oWX/
AD92
/wD39X/GuF/tC9/5+7j/AL+t/jR/aF7/AM/dx/39b/GgLHdf2hZf8/dv/wB/V/xo/tCy/wCf
u3/7
+r/jXC/2he/8/dx/39b/ABo/tC9/5+7j/v63+NAWO6/tCy/5+7f/AL+r/jR/aFl/z92//f1f
8a4X
+0L3/n7uP+/rf40f2he/8/dx/wB/W/xoCxY11le5RkIZSHIIOQR5r1m1JNNLOwaaR5GAxl2J
OPxq
OmMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8AIR8X/wDY
ab/0
ngrqq5XwN/yEfF//AGGm/wDSeCgD5/8A2lP+Sjj/AK8ov5tRR+0p/wAlHH/XlF/NqKAPrTUf
+PhP
+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX/otaAKtcXpvxE0W+tNBkjvdO
8/UF
33MC3yM1kot3mcv3wpTaSQuM5OOldpXm7aPdaj4d8P8Ah680TW4bWyiFrLc5sxuQ2slszYE7
FcCU
vwG+7jBoA6xfFWlG3eUyXSOrKn2d7KdLhiwJG2Ep5jAhXOQpGEf+62DRPEUGrarqNjHb3UT2
jJte
S3lVXVoYpMksgCP+9x5ZO75ckemXf+FL7UPPuL690qfUpfJQStp0gjiSLzSjRqJ96ShpnPmB
xgYw
Aea1NA0OXRbqfyr97m0nWNpPtSl7h5kiji3mXIBBSJSQVyWJO7HygAr614w07TrPVJIy889l
BPKq
mN0imeJGZokmK7GcbGBVSSNrZHytjP0/xTO2sQWd9cJHBFZ/bLm5k0q4t1ZS0wGd7Ytgohzm
Qnfn
5cUat4Jl1Gzu7BtSRNPdrye3UWxMsc1ykyuXffh0H2iQhQqn7uWODu2NS8PRalca2bmdxBqm
nR6d
IkYAZFUzZYMcjJE3pxt75oAjfxhokUSvcXM9uzyiFYbi0milZ2V2UCNkDncI3C4HzMpVctxU
aeMt
KWaWG5ldZImk8xoreeSKFFmki3ySeWFjGYnyWIA2tyVG409G8Fpp97Z3YOlW8lvdCcx6bpi2
kcgE
M0YBG5mLfvycliMKAFBLEi+C8WXiS3+3/wDIYtZrbd5P+p8ya6l3Y3fNj7VjHH3M98AA2F8S
aY+r
R6css7XEsrQI4tZTC8iqzMgm2+WWAR8jdkFWHUEVj6z4yFlLqsEdrP52n31pbswtpZUkjla3
3FSq
48wCcgRgljtBwQcVXg0bVo/FllDEmNCsr6fURLLEgZ3mjm3KrrKScPcNgGJPlX7xIG/UvvDc
txeX
jRXqR2l3eWt/JG0BZxNC8B+V9wAQpAowVJBYnOPloAk/4SzTPNj/AH+yMxSu6SxSxzqyNEoT
ySm7
c3nJhThjvTarBsjQ/tizGk/2lIZ4bXoBNbyRyE7toURsocsWwFXGWJGAcjPP6n4M+2atqN/5
9jN9
r8z/AEe+sftEI3LaL8y713Y+yZHTlx/d50P+Eff/AIRP+x5biC/kPLSapC13GxMm8goz7mUd
FBck
ALksRyASS+KtKhSF5pLqISL5jeZZTqYU3Fd8wKZhTKthpNoIViDgEiS08S6TeXf2a2u/Mm+1
PZYE
b4E6CQtGWxgMBE5xnptPR1zzdx8PIpzbvcXNrfT+QLeefU7IXsiqJJHzA0rExkGVgN/m8LGD
u2nd
uP4cz4cvNMW62zS3U95DceXnyZmuGuI225+bY5U4Jw23kYOKAA+LNMFzdR+fvWHagWKKWSZ5
PMmj
ZVjVMtg28n3dxwrEgKAxsDxJphu4bYyzrJJsGXtZVSNnAKJI5XbHIdy4RyG+ZRjLDOXN4PWG
+tbv
SLpLR7GC2gs45YmmjjEK3EfzfOGcFLlh94EFQSTyKjPgtJPEI1a4OlS3EksNzcTPpitP5saI
v7mR
mPlxny1O0hmGXwwJBUA6ixvIL6BprWTzI1lkhJwRh43ZHHPoysPw44qxVexinhgZbq5+0yGW
Rw+w
JhGdiiYH91Sq577cnk1YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK
KKAC
iiigAooooAKKKKACiiigArlfA3/IR8X/APYab/0ngrqq5XwN/wAhHxf/ANhpv/SeCgD5/wD2
lP8A
ko4/68ov5tRR+0p/yUcf9eUX82ooA+tNR/4+E/64xf8AotaNR/4+E/64xf8AotaNR/4+E/64
xf8A
otaNR/4+E/64xf8AotaAKtYPw88G3HirwtFq974t8SW8011dx+VbSW4jRY7mSNQN0LN91B1J
5zW9
Wh8C/wDkmtn/ANfuof8ApbPQJlX/AIVWP+h08W/9/bX/AOMUf8KrH/Q6eLf+/tr/APGK9Iop
Cueb
/wDCqx/0Oni3/v7a/wDxij/hVY/6HTxb/wB/bX/4xXpFFAXPN/8AhVY/6HTxb/39tf8A4xR/
wqsf
9Dp4t/7+2v8A8Yr0iigLnm//AAqsf9Dp4t/7+2v/AMYo/wCFVj/odPFv/f21/wDjFekUUBc8
3/4V
WP8AodPFv/f21/8AjFH/AAqsf9Dp4t/7+2v/AMYr0iigLnm//Cqx/wBDp4t/7+2v/wAYo/4V
WP8A
odPFv/f21/8AjFekUUBc83/4VWP+h08W/wDf21/+MUf8KrH/AEOni3/v7a//ABivSKKAueb/
APCq
x/0Oni3/AL+2v/xij/hVY/6HTxb/AN/bX/4xXpFFAXPN/wDhVY/6HTxb/wB/bX/4xR/wqsf9
Dp4t
/wC/tr/8Yr0iigLnm/8Awqsf9Dp4t/7+2v8A8Yo/4VWP+h08W/8Af21/+MV6RRQFzzf/AIVW
P+h0
8W/9/bX/AOMUf8KrH/Q6eLf+/tr/APGK9IooC55v/wAKrH/Q6eLf+/tr/wDGKP8AhVY/6HTx
b/39
tf8A4xXpFFAXPN/+FVj/AKHTxb/39tf/AIxR/wAKrH/Q6eLf+/tr/wDGK9IooC55v/wqsf8A
Q6eL
f+/tr/8AGKP+FVj/AKHTxb/39tf/AIxXpFFAXPN/+FVj/odPFv8A39tf/jFH/Cqx/wBDp4t/
7+2v
/wAYr0iigLnm/wDwqsf9Dp4t/wC/tr/8Yo/4VWP+h08W/wDf21/+MV6RRQFzzf8A4VWP+h08
W/8A
f21/+MUf8KrH/Q6eLf8Av7a//GK9IooC55v/AMKrH/Q6eLf+/tr/APGKP+FVj/odPFv/AH9t
f/jF
ekUUBc83/wCFVj/odPFv/f21/wDjFH/Cqx/0Oni3/v7a/wDxivSKKAueb/8ACqx/0Oni3/v7
a/8A
xij/AIVWP+h08W/9/bX/AOMV6RRQFzzf/hVY/wCh08W/9/bX/wCMUf8ACqx/0Oni3/v7a/8A
xivS
KKAueb/8KrH/AEOni3/v7a//ABipB4cTw5ZTwf2lqOpu8kb+ffujOoIkG0bEUAfLnpnPU8DH
olcx
4t/j/wC2X/tWgaOYrlfA3/IR8X/9hpv/AEngrqq5XwN/yEfF/wD2Gm/9J4KYz5//AGlP+Sjj
/ryi
/m1FH7Sn/JRx/wBeUX82ooA+tNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX/otaNR/
4+E/
64xf+i1oAq1qfCW3uNE8C2ljqlrc290tzdymMwuSFkupZEPAPVWU46jODg1l0UAeifbov7lx
/wCA
8n/xNH26L+5cf+A8n/xNed0UrCseifbov7lx/wCA8n/xNH26L+5cf+A8n/xNed0UWCx6J9ui
/uXH
/gPJ/wDE0fbov7lx/wCA8n/xNed0UWCx6J9ui/uXH/gPJ/8AE0fbov7lx/4Dyf8AxNed0UWC
x6J9
ui/uXH/gPJ/8TR9ui/uXH/gPJ/8AE153RRYLHon26L+5cf8AgPJ/8TR9ui/uXH/gPJ/8TXnd
FFgs
eifbov7lx/4Dyf8AxNH26L+5cf8AgPJ/8TXndFFgseifbov7lx/4Dyf/ABNH26L+5cf+A8n/
AMTX
ndFFgseifbov7lx/4Dyf/E0fbov7lx/4Dyf/ABNed0UWCx6J9ui/uXH/AIDyf/E0fbov7lx/
4Dyf
/E153RRYLHon26L+5cf+A8n/AMTR9ui/uXH/AIDyf/E153RRYLHon26L+5cf+A8n/wATR9ui
/uXH
/gPJ/wDE153RRYLHon26L+5cf+A8n/xNH26L+5cf+A8n/wATXndFFgseifbov7lx/wCA8n/x
NH26
L+5cf+A8n/xNed0UWCx6J9ui/uXH/gPJ/wDE0fbov7lx/wCA8n/xNed0UWCx6J9ui/uXH/gP
J/8A
E0fbov7lx/4Dyf8AxNed0UWCx6J9ui/uXH/gPJ/8TR9ui/uXH/gPJ/8AE153RRYLHon26L+5
cf8A
gPJ/8TR9ui/uXH/gPJ/8TXndFFgseifbov7lx/4Dyf8AxNH26L+5cf8AgPJ/8TXndFFgseif
bov7
lx/4Dyf/ABNH26L+5cf+A8n/AMTXndFFgseifbov7lx/4Dyf/E0fbov7lx/4Dyf/ABNed0UW
Cx6J
9ui/uXH/AIDyf/E1geJ382J5FWQJmJQXjZMkeZnqB6iuaophYK5XwN/yEfF//Yab/wBJ4K6q
uV8D
f8hHxf8A9hpv/SeCgZ8//tKf8lHH/XlF/NqKP2lP+Sjj/ryi/m1FAH1pqP8Ax8J/1xi/9FrR
qP8A
x8J/1xi/9FrRqP8Ax8J/1xi/9FrRqP8Ax8J/1xi/9FrQBVrB+Hng248VeFotXvfFviS3mmur
uPyr
aS3EaLHcyRqBuhZvuoOpPOa3q0PAWzwt4Yt9Je6trlo5p5jIPMQZlmeXGNh6b8Z74zgZxQJk
I8OJ
4csp4P7S1HU3eSN/Pv3RnUESDaNiKAPlz0znqeBjjbrxLdW17rMkmnwf2NpMojuroXR85V8m
OVnE
WzBVRIM/PuwrYBOFPoeuX8V5EzK8ZclAFQseF35OSo/vCvJNZsNXGsa7arp19eaFqkqyXKW8
Nury
L5EcTIsr3KkKRHg/uw3LbSDtYAzY8R+LrOw0vWXspN99Z2txJEZYJBBLLFGzGMSYCOwKtlVb
cNr9
NpxJrXjDTtOs9UkjLzz2UE8qqY3SKZ4kZmiSYrsZxsYFVJI2tkfK2MOT4fw3kWoyBbGzbUIr
pt76
dG17FJcq+8SThyGVTK2Am04VRvIB3WJPh5Yy3eomT7Ctvefai0sVhGL3NwHDg3BzlR5rYAVS
AEBJ
AYMAbkvirSoUheaS6iEi+Y3mWU6mFNxXfMCmYUyrYaTaCFYg4BIk1LXY9P1/TNMlgnf7dFK6
yRRP
JsZHiUBgqnap83JckKNvPWsPV/BTazeR3upyaPc3jwLbTyTaSsoVFd2UwLI7CN8SHJbzASFO
3AIP
Qajpks+safqVpcJDPbLJA6yxGRXhkaNnAwylXzEmGyQOcqcjABh+H/GttqPh7S7q4/c39zFa
tJFN
bzW6M0rxoxiLId6hpAAVyvzJlgGDV0Gk6xZ6t5psDO8ceCJWt5EjkBzho3ZQsinGdyEjBBzg
jPPt
4LzZeG7f7f8A8ge1htt3k/67y5rWXdjd8ufsuMc/fz2wdDwn4ffQvtRe4gKzbAltZwtb2sIX
PMcJ
dwjMWJYqQDgHGclgAg8YaJc6fb3tpcz3UFxkw/ZrSaZpAApZlRELFV3KrNjCsdpIbirH/CS6
SZ9i
XfmRiLznuY43e3jTZ5mXnAMafJhvmYcMp6MM4d54Gin0fw/as2nXU+kWf2JTqNgLmF1Kxhn8
vepV
8xLg7jgFhg5yLA8INHaahpsN8i6PqMHk3UX2ZRNn7OsGY3UrGg2xodvlkZ3YwCAoBcfxhokU
SvcX
M9uzyiFYbi0milZ2V2UCNkDncI3C4HzMpVctxUd54og/4SDStMsQ8puLyS2nlNtL5QCQSuQk
uBGX
DxhSASRhhjIOI4fDV1LrtprGp6hBNfQSoSLe1MUbRpFcIq7WdyGzdOS2SCFUYHJJB4auodWs
pF1C
A6ZaX0+oJbm1PnGSZZtwMu/btDTuR8mcBRk8kgGx/bNh9t+yef8A6R9q+x7Njf67yfP25xj/
AFfz
Z6ds54rD0PxpY6jqF5CzuLczwrZ3AtZlieOW3hkTfKV2K7NKQFJUnKjGSMyar4QgvtQ1K9jn
8m6u
YkMD7C32e4UofOxuw3MFr8h4/c/7bZIPCEFrp9xZWc/k2r31ndxJsLeUluLcLHktlsi2HzHp
u745
ALDeMNEWCSY3M/lptKEWkx88M6orQ/J++Us6DdHuHzrzhhmxL4gszoGoarbv+7sopHlS4SSF
oyib
sSKULpxg/cJ2kEAgjPN6X8O7fTooord9OhS3a2EUlvpqRTSJFPFL+/k3EyOfJUbhsGWZip+U
LuX3
hz7Vpvim0+1bP7c3/P5efI3W0cHTPzf6vd26496ALHhzXY9aW9CQTwyWl1NbPvicI2yV4wyu
VCvn
ZkhSducHmsvwz40sdR8OWV7qDvbXb2cVxLG1rNEHZgoIhDLmUb3VRs3ZLoOSy52ND0yXSzeR
C4SW
zlnkuIU8oiSNpJHkkDPuww3OduFXAGDuPNcvH4Bln0az0/V9RtbxNPs0s7QLYlEKq8L/AL5G
kbzA
TbxAgFOC47gqAdA3irShbpKJLp3ZmT7OllO9wpUAndCE8xQAyHJUDDp/eXJdeK9HtXuxcXTo
lssj
SSm3k8o+WpaRUk27XdQr5RSWGxuPlOMuw8Iz6X5FxpNzpVnfx+crCLSwlrsk8rcFiSRWDfuI
zuZ2
6t2KhY9W8Ey6jZ3dg2pImnu15PbqLYmWOa5SZXLvvw6D7RIQoVT93LHB3AGxB4r0eVyrXT2+
1WZz
d28luqbVLFWMiqFcIC+w4bZ8+NvNC+KtKNu8pkukdWVPs72U6XDFgSNsJTzGBCuchSMI/wDd
bGfr
PgyLVmvlubx1gvLyS5kWNAGCvYm0KgkkZwd+7HtjvVNPA3l6fNFCnh2C4kljcNBovkxx7A4V
0CSi
RZQXOJPM+UD5QpJYgHUXmsWdnp8F5cGdY59oijFvI0zkjdtEQXeWwCSu3ICsSAAcZ+meKLa+
vdWt
/st8n2Da+77JMfMQwxS9NnEn73HlcvxnHOAax4fe80Cy02K4glktdm251KFrmTKoVEgZXjZZ
ec+Y
CCDnHJyKf/CIyx2d9ZRao8lpdrE8hu4zNLJNGkSZkfcA8bpCodCoLbn+YA4ABJJ4us/7UtUW
TbYt
a3EkwlgkSdJUkt1SPyyA4ZhPwu3c25NvUZ3NL1K11S3aazdyEbY6SxNFJG2AcMjgMpwQcEDI
IPQg
1w8Xw0iKXInn04JKzyC2ttOEVsGLWjKDEXbKZsxuXI3CRuV611nhfRU0LT5LdFsUaWUyutjZ
rawg
4C/KgJPRRkszEnPIGFABsUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVyv
gb/k
I+L/APsNN/6TwV1Vcr4G/wCQj4v/AOw03/pPBQB8/wD7Sn/JRx/15Rfzaij9pT/ko4/68ov5
tRQB
9aaj/wAfCf8AXGL/ANFrRqP/AB8J/wBcYv8A0WtGo/8AHwn/AFxi/wDRa0aj/wAfCf8AXGL/
ANFr
QBVooooAKKKz/wC29K/tb+yv7Tsf7T/58/tCed93d9zO77vPTpzQBoUUUUAFFFUxqdljUGa4
RE09
tl08nyLEfLWQ5JwMbHU56c+xoAuUVGs8TXDwLKhnRVdoww3KrEhSR1AJVsHvtPpUlABRRUaz
xNcP
AsqGdFV2jDDcqsSFJHUAlWwe+0+lAElFFFABRRRQAUUUUAFVf7Ssf+f22/7+r/jVqvPfAHhf
QNR8
N/atQ0PSrq6kvb3fNPaRu7YupQMsRk8AD8KAO4/tKx/5/bb/AL+r/jR/aVj/AM/tt/39X/Gs
n/hC
vCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/AM/tt/39
X/Gs
n/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/AM/t
t/39
X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/
AM/t
t/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/
aVj/
AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r
/jR/
aVj/AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/
AL+r
/jR/aVj/AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5
/bb/
AL+r/jVx1ZGKuCrA4IIwQawbfwh4atriKe28PaPDPEweOSOyiVkYHIIIXIIPeum1T/kJ3f8A
12f/
ANCNAFWiiigAooooAKKKKACiiigAooooAK5XwN/yEfF//Yab/wBJ4K6quV8Df8hHxf8A9hpv
/SeC
gD5//aU/5KOP+vKL+bUUftKf8lHH/XlF/NqKAPrTUf8Aj4T/AK4xf+i1o1H/AI+E/wCuMX/o
taNR
/wCPhP8ArjF/6LWjUf8Aj4T/AK4xf+i1oAq0UUUAFef3un6qdY1yZ03aINYtruWGO2c3LrFB
bMJI
m3YdRJGoZAhYhZApLYWvQKx7/wAL6BqN3JdahoelXV1JjfNPaRu7YAAyxGTwAPwoA4eWLxV/
a2ry
Wd7ff2n/AKb5Nv8AZJfJ2bZPs372SX7N/wA8D8ib88N/y1NaE/2T/QvK/wCEp/sD9/5//IR+
0faf
3Plf9N/L2ed0/d56/Niu8t4Ira3igtokhgiUJHHGoVUUDAAA4AA7VJQB5vp1t4kOjandatPq
p1AS
2UUsKOQqw+TaG7aFY+rHEwBTJDA+Xhi26Sx0yS88I+PLXSrfUSL9pksxqHnLLKWsoU63GHxv
DKCx
xx6CvRKKAPN3tLi+8Q6bbWTeIl0B/I3mSe8hcYTUC+53IkHziDOT/wA8x021nuniVtLslebV
YIbi
1sbvUZHhuJnSaSO484KsbLKv7xbbMcTKEz90KXB9YooA4/ZqK/DzZNqN9HddBc/YJnmMRm+U
eSjm
bmPC53+aAdzFXBxj6JDeW2qf2pLpGqrePpgSwtTf3MqTSRyXTFZpXxjcskRXz1BXfgAMpA9I
ooA8
n0a11W81i30+W71ubRjdQvJKItQsSMwXe8F5pGl27kt+j7MlRgEnMbT6jAfDya5Lr6Wl6tnc
Xiwt
dea1y9teNMi+V+8UBo4SYkwqYB2gE59cqOWCKV4XliR3hbfGzKCUbaVyvocMwyOxI70Ac34Z
+1b9
N+3f2ru8q98nzM+X5H2hPJ87d83m+Vs27vmx5u75s11FFFABRRRQAVyvww/5FCP/AK/b7/0r
mrqq
peFfD6aHoqWL6nbTMJppiwSQDMkryY+7234z3xnA6UAXaKtfZov+f23/AO+ZP/iaPs0X/P7b
/wDf
Mn/xNAFWirX2aL/n9t/++ZP/AImj7NF/z+2//fMn/wATQBVoq19mi/5/bf8A75k/+Jo+zRf8
/tv/
AN8yf/E0AVaKtfZov+f23/75k/8AiaPs0X/P7b/98yf/ABNAFWirX2aL/n9t/wDvmT/4mj7N
F/z+
2/8A3zJ/8TQBVoq19mi/5/bf/vmT/wCJo+zRf8/tv/3zJ/8AE0AVaKtfZov+f23/AO+ZP/ia
Ps0X
/P7b/wDfMn/xNAFWrWqf8hO7/wCuz/8AoRo+zRf8/tv/AN8yf/E02/kWW+uZIzlHkZlPqCTQ
BXoo
ooAKKKKACiiigAooooAKKKKACuV8Df8AIR8X/wDYab/0ngrqq5XwN/yEfF//AGGm/wDSeCgD
5/8A
2lP+Sjj/AK8ov5tRR+0p/wAlHH/XlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4
T/rj
F/6LWjUf+PhP+uMX/otaAKtFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFF
FFAB
RRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVyv
gb/k
I+L/APsNN/6TwV1Vcr4G/wCQj4v/AOw03/pPBQB8/wD7Sn/JRx/15Rfzaij9pT/ko4/68ov5
tRQB
9aaj/wAfCf8AXGL/ANFrRqP/AB8J/wBcYv8A0WtGo/8AHwn/AFxi/wDRa0aj/wAfCf8AXGL/
ANFr
QBVooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA
KKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8hHxf/wBhpv8A0ngr
qq5X
wN/yEfF//Yab/wBJ4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD601H/j4T/rjF/6
LWjU
f+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRXF2mta1b3Gqf2readJBZ6jbac
v2bT
3RnaY2x3HdOQBicr3xgNzjYQDtKK5PS/HFpfpZyNp2o20VysEgeYREJHcNtgdgsjHEj5UAAk
EEsF
GCZPC/jjR/EuoSWmmy7pBEZ4z5sT+bGCAW2o7Mn3k+WQI3zdMhsAHUUVyeneK55LWdrrSrp5
zqNx
Y2iweUBdmOWYfJuk4KxwksX2AkHbnIFWNU1xpfDttf6czwO+o2trIsiqWQm8SGaM9RkfOuQS
O6k8
GgDpKK5fRfF9re6XZzOk7XU/2RViEQjebz41cSJHvY+WAZCTk48mXlthNHhfxxo/iXUJLTTZ
d0gi
M8Z82J/NjBALbUdmT7yfLIEb5umQ2ADqKK4vVda1dfDniLXdNuLWOOxa4EEFzbmRWS2DrJna
ykO0
qPhtxARU+UMWqxrFx4lsrrQ7eLUdHL307W0jtpsuAwiml3KPP6YjVdpJ5JOf4aAOsorn7O81
LV/D
l9NZSQW+pJdXcNuSP3ZMNxIiB85O1hGA2OcFtu04xc0PWotZt7ee2trqOCezgvY5JUAUrKGI
TIJG
9QvzDtuXk5oA1KKKKAOf0dvF3iG81kaDZ6CbTTr02Re9u5ondhHHJnasTDGJAOvUHitP/hH/
AIif
8+fhL/wY3H/xiue+H+nWOt+PNV0zWbO21DTWvdTuTaXcSyxGVItKVJNjAjcqySANjIDsB1Ne
r/DO
5nvPhx4UubuaSe5m0m0klllYs8jmFCWYnkkkkkmkK5xP/CP/ABE/58/CX/gxuP8A4xR/wj/x
E/58
/CX/AIMbj/4xXrdFArnkn/CP/ET/AJ8/CX/gxuP/AIxR/wAI/wDET/nz8Jf+DG4/+MV63RQF
zyT/
AIR/4if8+fhL/wAGNx/8Yo/4R/4if8+fhL/wY3H/AMYrofiTp5m0fSru9nke5tdc08xfZ5ZY
Yij6
jAAHiDlZCF2jLA/MCyhc4HdUDueSf8I/8RP+fPwl/wCDG4/+MUf8I/8AET/nz8Jf+DG4/wDj
Feq3
KztGBayRxyb0JMkZcFAw3DAI5K5AOeCQcNjB8s0S2gTWfD2rpDGuq33inVrK6vQoE9xbx/2h
shkk
+8yL5MOFJIHlJgfKMAXG/wDCP/ET/nz8Jf8AgxuP/jFH/CP/ABE/58/CX/gxuP8A4xXrdch8
SVnO
g+XJJG1jc6hpdq8HlnLpJfRJMrnOGR0cIU2jjcCWDYAFzk/+Ef8AiJ/z5+Ev/Bjcf/GKtabo
3iuC
5LeI4dDhsvLcg2F1LLIXCFgMPGgA4OTkntjnI6LwBbQWF/4u06whjttPs9WSO2tYVCRQI1la
yMqI
OFBd3YgAZZmPUmtvxB/x6L/20/8ARUlAXOFooopjCiisfVbyf+29J0y0k8pp/Mup5MAnyItg
ZVzn
5meSIdPueZghtpoA2KK87bxdrWn+CrXXNR/s64fUdOe5tUgt3iEMwtXuArgyNvQiNhuBUggc
HcSu
hreua1ooisLibTp9Qu2iNtcx2rpEqm5ggkDxGUkkeerAh+eQQu0FgDtKK4u+1zWoNVstCWbT
hqks
8Ya7Nq7QtC8Ny6kReaGV91sykbyMYbPO1Qa5rV5r0WiWc2nW15brcC7nltXmjkaMWzKY1EqF
Qy3I
JBJ2kFcsBuIB2lFcnf8AiuWPwtqGoQWLrd21nfSksC8CTWrFGQuMEhnBK8AsqscKRis/XvHn
2S/t
I7C2uvIZVef7VptzE+DdWsP7tWVS52zyHChjkL9CAd5RXP6H4hGr6/qVpBFPHa2trbyqbi0l
t5C8
jzBvlkCkriNcEDru5Pbk9T8da1a6NrzxWVq2oW8909ixicwG1geVXMnzZ3jyGBK/KGmgBxv4
APTK
K8z1Px1rVro2vPFZWrahbz3T2LGJzAbWB5VcyfNnePIYEr8oaaAHG/jtPFF9fWGnxyafFlml
CSzf
ZpLnyEwTv8mMh5MsFXCkY37jwpoA2KK4e58Q6okFo4v7GK1aIu+onSLiWEuHYOjosoNt5YVd
xlbq
zfd2MK6DSryf+29W0y7k81oPLuoJMAHyJd4VWxj5leOUdPueXkltxoA2KKKKACuV8Df8hHxf
/wBh
pv8A0ngrqq5XwN/yEfF//Yab/wBJ4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD60
1H/j
4T/rjF/6LWjUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrXH2+j6rdXd0up2F
jb2t
5fQahNJb6m8rpJCItgVTbqCpMEectnlsHoK7CigDm7bwfp9va28CTXRSCCwt1JZclbOUyRE/
L1JP
zeo6Y61c0PQk0fYkN9fTWsMQgtraV18u3jGMKoVQWwFUBpC7ADg/M2diigDn5PC8J3+Rf31v
i6a8
tvL8s/ZJn8zzGTchzv8ANkyH3gbvlC4GLA8P2o0eHTjJOY0ukvGkLDfJMs4nLNxj5pASQABy
QAox
jYooAw9M8Mafp76Q8Id30yzFlC0m0llVQqu3HLqN4BGMCWQY+Y1JoehJo+xIb6+mtYYhBbW0
rr5d
vGMYVQqgtgKoDSF2AHB+Zs7FFAHP/wDCP+Zp+v6TPJjSdS80x+W2JIvOB85eQc/OWkDEnmQr
gBBn
UvtPivbrTp5WcPYzm4jCkYLGKSPDcdMSN0xyB9KuUUAc2ugX2n2uoro2sXQe6aZ4orhYTFay
TSl2
lXEe5ipZiFZiD90kdRqaXpMGl7Es3nS1jtYbSK2MhaOJIt20qDzuIYAkk5Cr6VoUUAFFFFAF
X4Ya
Lpeu2fjK21vTbLUrZPEbyLFeQJMgcWluAwDAjOCRn3NesV5xFdPEgSOO3Cj/AKd4/wA+nJ96
f9ul
/uW//gPH/wDE0CseiUV539ul/uW//gPH/wDE0fbpf7lv/wCA8f8A8TSsFj0SivO/t0v9y3/8
B4//
AImj7dL/AHLf/wAB4/8A4miwWO5/s6x+z/Z/sdt5HnfafL8pdvm+Z5vmYxjd5nz7uu7nrzVu
vO/t
0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+JosFjvrm2guoxHdQxzRq6SBZFDAOjBlbB7hlDA9
iAe1
VYdF0uDWZ9Xh02yj1W4QRzXqQIJ5EG35WkA3EfKvBP8ACPSuL+3S/wBy3/8AAeP/AOJo+3S/
3Lf/
AMB4/wD4mgLHolVLnTrG6+1fabO2m+1wi2uPMiVvOiG7Eb5HzL87/KePmb1NcN9ul/uW/wD4
Dx//
ABNH26X+5b/+A8f/AMTRYLHc6Xp1jpNjFZaVZ21lZRZ8u3toljjTJJOFUADJJP1Jqt4g/wCP
Rf8A
tp/6Kkrj/t0v9y3/APAeP/4mj7dNhgBCu4FSVhQHBGDyB6UBYq0UUUxhWXqmnyzanpuoWbIt
xas0
cgckCS3kx5iZwcHKxuDjJMYXKhia1KKAOTg8D2i6GdJu9R1G+tEs2sbYTmIG1jaMxkpsjUF9
hxuY
MQMgYDMGsXPhSO8tXW91XUbm8LRNHfSeSJYBHKkqqgEYjALxqT8hLYAJIVcdJRQBzdx4UjmF
vKdV
1FdThnFx/aI8kzMRHJGFIMZjCBZXwoQDJLfeZiSXwpH9otrq01XUbO+iWVZLqLyXkuDKYy7S
eZGw
z+5TG0AKAFACgAdJRQBh3vhmyudMk09ZbqCzks7izeKKXhxNjfI27JaTIJDtk5dycljUmteH
7XV7
6yurmSdZLTGwRsADieCbnIP8Vug+hbvgjYooAy7nRYp9RnvVubqGeZbZGMLhflgleRR0zhi7
Kw7q
ccdary+GNPl0a+01w5S7W8Rp/l81FuXZ5QrY4GW4GP4VznFblFAGHL4Y0+XRr7TXDlLtbxGn
+XzU
W5dnlCtjgZbgY/hXOcVYu9KnlFz9m1fUbR55xOWiMT7AI1Ty1EiMFQ7d2MZ3EnPJFalFAHNz
eFI5
bH7B/auorp8iyLdWy+TtujIzNKzsY9yly7Z2MgGflC1oaXp8sOp6lqF4yNcXTLHGEJIjt48+
WmcD
Jy0jk4yDIVywUGtSigAooooAK5XwN/yEfF//AGGm/wDSeCuqrlfA3/IR8X/9hpv/AEngoA+f
/wBp
T/ko4/68ov5tRR+0p/yUcf8AXlF/NqKAPrTUf+PhP+uMX/otar6te2sN4EluYEcQxZVpACP3
a9qs
aj/x8J/1xi/9FrXM3HhDw1c3Es9z4e0eaeVi8kkllEzOxOSSSuSSe9AGl/aVj/z+23/f1f8A
Gj+0
rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE0Aa39pWP/P7bf9/V
/wAa
P7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/AMTQBrf2lY/8/tt/
39X/
ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4ARf8AxNAGt/aVj/z+
23/f
1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE0Aa39pWP
/P7b
f9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/AMTQBrf2
lY/8
/tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4ARf8AxNAG
t/aV
j/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE
0Aa3
9pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/
AMTQ
Brf2lY/8/tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4A
Rf8A
xNAGt/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon
/gBF
/wDE0Aa39pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0L
Oif+
AEX/AMTQBrf2lY/8/tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv
/Qs6
J/4ARf8AxNAGt/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK
8K/9
Czon/gBF/wDE0Aa39pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+JqO
48Ie
ELa3lnufD2gQwRKXkkksoVVFAySSVwAB3oA2v7Ssf+f22/7+r/jR/aVj/wA/tt/39X/GuJ/4
tX/1
JH/krR/xav8A6kj/AMlaAO2/tKx/5/bb/v6v+NH9pWP/AD+23/f1f8a4n/i1f/Ukf+StH/Fq
/wDq
SP8AyVoA7b+0rH/n9tv+/q/40f2lY/8AP7bf9/V/xrif+LV/9SR/5K0f8Wr/AOpI/wDJWgDt
v7Ss
f+f22/7+r/jR/aVj/wA/tt/39X/GuJ/4tX/1JH/krR/xav8A6kj/AMlaAO2/tKx/5/bb/v6v
+NH9
pWP/AD+23/f1f8a4n/i1f/Ukf+StbFh4X8F6jaR3Wn6H4durWTOyaC0hdGwSDhgMHkEfhQBv
f2lY
/wDP7bf9/V/xo/tKx/5/bb/v6v8AjVP/AIV1oX/QnaZ/4K4//iaP+FdaF/0J2mf+CuP/AOJo
Auf2
lY/8/tt/39X/ABo/tKx/5/bb/v6v+NU/+FdaF/0J2mf+CuP/AOJo/wCFdaF/0J2mf+CuP/4m
gC5/
aVj/AM/tt/39X/Gj+0rH/n9tv+/q/wCNU/8AhXWhf9Cdpn/grj/+Jo/4V1oX/QnaZ/4K4/8A
4mgC
5/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41T/4V1oX/QnaZ/4K4/8A4mj/AIV1oX/QnaZ/4K4/
/iaA
Ln9pWP8Az+23/f1f8a53wIyvf+LmRgytrLEEHII+zQVrf8K60L/oTtM/8Fcf/wATVnS9O03S
Rc2W
lWdnZCKX9/b20Sx7JCqn5lUDDFSh55wV7YoA+Yv2lP8Ako4/68ov5tRR+0p/yUcf9eUX82oo
A+tN
R/4+E/64xf8Aotaq1a1H/j4T/rjF/wCi1qrQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUU
UAFF
FFABRRRQAUUUUAFFFFABRRRQAUUUUAFc/wDEP/kQPE3/AGDLn/0U1dBXP/EP/kQPE3/YMuf/
AEU1
AHZalfXaajdKl1OqiVgAJCABk1X/ALQvf+fu4/7+t/jRqn/ITu/+uz/+hGqtAFr+0L3/AJ+7
j/v6
3+NV7/XJdPtJLm7v7hIUwCQ7MSSQAqqOWYkgBQCSSAASabWP4is5520y9tI/Om026N0LcEKZ
gYpI
iqseA2JSRnglQCVB3AAvWni6O6Ft5Wo3ivcTm2SOVZY5BKI2k2sjAMh2KW+YDIwR94ZuWGuS
6haR
3Vnf3ElvJkpIHYBwCRuXPVTjIYcEEEEgg15z4g8M6j4m1Wz1GW3fT0eeFXt5mSQpFDDd8zBW
2ujv
cBGjVjlOrDcQneWEs81pG95bfZrjkPEHDgEEjKsOqnGQSAcEZCnIABpf2he/8/dx/wB/W/xo
/tC9
/wCfu4/7+t/jVWigBdT1K+TTbtkvblWWFyCJWBB2n3rz74Cf8km0L/tv/wCj5K7bVv8AkFXv
/XF/
/QTXE/AT/kk2hf8Abf8A9HyUAelap/yE7v8A67P/AOhGqtWtU/5Cd3/12f8A9CNVaAK9/eQa
faSX
N3JshTAJALEkkAKqjlmJIAUAkkgAEmo9L1GDU7dprZLpEVthFzay27ZwDwsiqSOeuMdfQ1T8
RWc8
7aZe2kfnTabdG6FuCFMwMUkRVWPAbEpIzwSoBKg7hz/iy2vvEen2qXOgXy2aSuZLYx2E1xvA
Gx1E
rPD5eGlB53524+XdkA7iivM9B8J6jDpwvr/T0PiT7Zpr/bXZGuPKSK0S4/e5Jx8lwCM/MC3X
dzHL
4WupfDdpZNok8N1BLCdVngWzd9XKxSKXHmFlk/essn78Kf4h84xQB6JFqEUmsXOmqr+fbwRX
DMQN
pWRpFUDnOcxNnjuPwuVx/gfRLzSb64e4inS3ext4ovPljd12z3T+WRGFVdqyxjao2L91SwXN
dhQA
Vyvgb/kI+L/+w03/AKTwV1Vcr4G/5CPi/wD7DTf+k8FAHz/+0p/yUcf9eUX82oo/aU/5KOP+
vKL+
bUUAfWmo/wDHwn/XGL/0WtVa53UPiN4Oa5+XxJpjbY0QkTgjIQA89+Qar/8ACxPB/wD0Mem/
9/hQ
B1VFcr/wsTwf/wBDHpv/AH+FH/CxPB//AEMem/8Af4UAdVRXK/8ACxPB/wD0Mem/9/hR/wAL
E8H/
APQx6b/3+FAHVUVyv/CxPB//AEMem/8Af4Uf8LE8H/8AQx6b/wB/hQB1VFcr/wALE8H/APQx
6b/3
+FH/AAsTwf8A9DHpv/f4UAdVRXK/8LE8H/8AQx6b/wB/hR/wsTwf/wBDHpv/AH+FAHVUVyv/
AAsT
wf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQB1VFcr/wsTwf/wBDHpv/AH+FH/CxPB//AEMem/8A
f4UA
dVRXK/8ACxPB/wD0Mem/9/hR/wALE8H/APQx6b/3+FAHVUVyv/CxPB//AEMem/8Af4Uf8LE8
H/8A
Qx6b/wB/hQB1VFcr/wALE8H/APQx6b/3+FH/AAsTwf8A9DHpv/f4UAdVRXK/8LE8H/8AQx6b
/wB/
hR/wsTwf/wBDHpv/AH+FAHVUVyv/AAsTwf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQB1VFcr/w
sTwf
/wBDHpv/AH+FH/CxPB//AEMem/8Af4UAdVWP4ys59R8Ia5ZWcfmXVzYzwxJkDc7RsFGTwOSO
tZv/
AAsTwf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQBi3viv4j3F5PMnw/t0WSRnCnVoWKgnOM5Gfy
qH/h
JfiT/wBCFbf+DSH/AOKroP8AhYng/wD6GPTf+/wo/wCFieD/APoY9N/7/CgDn/8AhJfiT/0I
Vt/4
NIf/AIqj/hJfiT/0IVt/4NIf/iq6D/hYng//AKGPTf8Av8KP+FieD/8AoY9N/wC/woA5/wD4
SX4k
/wDQhW3/AINIf/iqP+El+JP/AEIVt/4NIf8A4qug/wCFieD/APoY9N/7/Cj/AIWJ4P8A+hj0
3/v8
KAOf/wCEl+JP/QhW3/g0h/8AiqP+El+JP/QhW3/g0h/+KroP+FieD/8AoY9N/wC/wo/4WJ4P
/wCh
j03/AL/CgDm7jxB8R57eWF/AVuFkUoSNVhzgjHrW98I9Gv8Aw/8ADzSdM1eD7PfQeb5ke9X2
7pnY
cqSDwQetTf8ACxPB/wD0Mem/9/hR/wALE8H/APQx6b/3+FAE9/4m1ya+uZYfBeqGN5GZd15a
A4JJ
GR5pwfxqD/hItf8A+hK1L/wNtP8A47R/wsTwf/0Mem/9/hR/wsTwf/0Mem/9/hQAf8JFr/8A
0JWp
f+Btp/8AHaP+Ei1//oStS/8AA20/+O0f8LE8H/8AQx6b/wB/hR/wsTwf/wBDHpv/AH+FAB/w
kWv/
APQlal/4G2n/AMdo/wCEi1//AKErUv8AwNtP/jtH/CxPB/8A0Mem/wDf4Uf8LE8H/wDQx6b/
AN/h
QAf8JFr/AP0JWpf+Btp/8do/4SLX/wDoStS/8DbT/wCO0f8ACxPB/wD0Mem/9/hR/wALE8H/
APQx
6b/3+FAB/wAJFr//AEJWpf8Agbaf/Had4Ftb+H+3rnU7CWwe+1I3McMskbsE8mJckozDqjd+
1N/4
WJ4P/wChj03/AL/Cj/hYng//AKGPTf8Av8KAPn/9pT/ko4/68ov5tRVH4+6tYaz47W70m8gv
LY2k
a+ZC4YZBbI470UAf/9k=3D
------_=3D_NextPart_001_01C7EBD6.64A8D3BB--
// eompost 46D81477:744B.1:vfncebf
Other related posts:
- » RE: [isapros] Re: ISA and SAN Certs
