Probably semantics, but I am doing it with three rules:

* 1 for OWA using NTLM delegation (/OWA/*)
* 1 for OWA Legacy Folders using Basic delegation (/Exchange/* /public/* etc)
* 1 for all other Exchange connectivity using Basic delegation (/rpc/* /autodiscover/* etc)

The other thing you need to check is that the right authentication types are defined for the Exchange virtual directories on the CAS. One that caught me out was adding basic to the EWS virtual directory... ISA nicely logs this in monitoring though as a delegation failure :)

All rules use the same listener...

Yep, I agree about the /autodiscover as part of the wizard, not sure this is included...

Confused about the SRV solving all the issues - can you elaborate?

Cheers

JJ

Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email: jason.jones@xxxxxxxxxxxxxxxxx

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 31 August 2007 14:42
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

Hi Jason,

OK, that makes perfect sense and it's the scenario I'm testing today. One listener, one rule for Outlook Anywhere and one rule for Autodiscovery, correct?

So I was right that you can't use the /AutoDiscover path that is included in the Outlook Anywhere rule since the Outlook Anywhere rule doesn't respond to the public name autodiscover.domain.com. The Outlook Autodiscover rule would respond to autodiscover.domain.com and forward to the /AutoDiscover path.

The SRV record solution will solve ALL of this complexity because it will bypass the need for a second URL and second IP address and second certificate. However, it's a hotfix that you have to call PSS to download and will be included with Office 2007 SP1.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, August 31, 2007 8:15 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

Yep - one listener, two IPs, each IP assigned a different SSL cert.

Not sure if the SRV record will negate the need for the autodiscover URL and hence allow us to get away with a single SSL cert - have to check this...

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 31 August 2007 14:13
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

Hi Jason,

One Web listener, but two IP addresses are being used by the Web listener, correct?

Thanks!
Tom

Thomas W Shinder, M.D.

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, August 31, 2007 6:50 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

Hi Tom,

Managed to get this working today too, although I am using two individual certs on the same external web listener. The internal cert on Exchange is SAN'd up and ISA publishes everything to the internal cert common name irrespective of the public URL.

The key to most of it working is defining correct URLs in Exchange where it defines "External URLs" for things like OOF, OAB, EWS etc.

Now we have all Exchange 2k7 services (and all the new funky stuff) working externally... had to do a lot of it by investigation and cobbling blog entries together, not ideal, but got there at last.

We currently have it working without SRV records, but just waiting for the ISP to add these records to test if that is a better solution...

Cheers

JJ

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 31 August 2007 00:32
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

I'd think that Jim might need to update his SAN article. The article implies that ISA doesn't support SANs on the Web listener, however I have a guy who has the autodiscover FQDN as a second SAN on the certificate bound to his Web listener and he's shown me strong evidence that it actually works, even though it shouldn't.

I wish the Exchange or ISA UE teams could get it together to explain how to get autodiscovery working correctly and more importantly, show us how it works with and without DNS SRV records. It looks like once you have DNS SRV records, it's a no-brainer.

Tom

Thomas W Shinder, M.D.

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, August 29, 2007 2:38 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

Never mind :)

I found it:

http://support.microsoft.com/kb/940881

Thomas W Shinder, M.D.

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, August 29, 2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA and SAN Certs

OK, that's an interesting sentence in a KB OL update article. But there's no mention of this anywhere else on the ms.com site.

In addition, how do we configure the SRV records?

Service?
Protocol?
Priority?
Weight?
Port number?
Host offering this service?

I try to read minds best as I can, but I'm flailing on this one :))

Thomas W Shinder, M.D.

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, August 29, 2007 2:27 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA and SAN Certs
>
> DatzDeWun! O'curse it works in real life; I tested it.
>
> http://support.microsoft.com/kb/939184
> OL 2K7 seeks an "autodiscovery" SRV record first, and only if that fails, it'll seek the A record. This is based on the same domain suffix as specified in the mail domain.
> If your OL client is behind a CERN proxy (and it knows it), it can't specify that the proxy should look up a SRV record for autodiscover.sfx. The proxy assumes that any CERN request will be for a "host" and makes a DNS query for an A record.
>
> OL 2K7 uses the SRV record to discover the host
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, August 29, 2007 12:15 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA and SAN Certs
>
> BAM!!!!
>
> I think I get it. On the TO tab for the autodiscover.msfirewall.org, I can still use owa.msfirewall.org since it resolves to the same IP address as autodiscover.msfirewall.org on the internal network -- and the path is going to /autodiscover, so that's cool. It's all making sense on paper -- now to see if it works in real life :)
>
> BTW -- why do I need a SRV record for OL autodiscovery? I haven't seen any documentation on that requirement on the Exchange side.
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, August 29, 2007 2:09 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA and SAN Certs
> >
> > Yes; I'd forgotten about the OL client's "SAN problem".
> > It amazed me how much noise the Exch folks make about the same limitation for ISA.. ..but I digress.
> >
> > "Web Publishing Rule that is publishing the autodiscover.msfirewall.org/autodiscover path must be configured on the TO tab to use autodiscover.msfirewall.org" - how do you cone to that contusion?
> > Why do you think you need to use "autodiscover" in the ISA rule published hostname? Use whatever works for ISA and let the client be as stupid as you want.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Wednesday, August 29, 2007 12:05 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA and SAN Certs
> >
> > Hi Jim,
> >
> > CIL...
> >
> > Thomas W Shinder, M.D.
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Wednesday, August 29, 2007 1:49 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA and SAN Certs
> > >
> > > All good points, but really orthogonal to the question of how ISA handles SAN certs. Actually, I wrote that because some folks were whining about how ISA handled SAN certs in general. In fact, I tried not to delve into the variant forms of self-inflicted ISA manglement pain that were filling other blogs.
> > >
> > > Q1 - Why do you need a second listener? Use your DNS to point autodiscover to the same Exch listener. The public name is a rule; not a listener attribute.
> >
> > TOM: We need a second listener because we can't have two certificates with different common names listening on the same listener using the same IP address. OK, in ISA 2006 I *can* use multiple certificates using the same listener, but each of the certificates must be assigned to a different IP address, so no big deal there -- so I create two different Web Publishing Rules -- one for owa.msfirewall.org and a second Web Publishing Rule for autodiscover.msfirewall.org. So far so good and SANs aren't even an issue.
> >
> > > Q2 - why does the external OL client give a rats bahootie what's listed in the cert used at the CAS?
> > > It never sees it.
> >
> > TOM: That's true and I didn't mean to imply that it did. The concern is that common name and the first SAN on the Web site certificate bound to the Client Access Server site is owa.msfirewall.org. The second SAN is autodiscover.msfirewall.org
> >
> > > Q3 - why does the lack of the autodiscover.suffix public name make the /autodiscover path "useless"? "Incomplete" perhaps, but hardly useless.
> >
> > TOM: Because the OWA publishing rule is listening for owa.msfirewall.org, NOT autodiscover.msfirewall.org. Since there are two certificates involved here, one with the common name owa.msfirewall.org and a second with autodiscover.msfirewall.org -- we have to use two different IP addresses, and owa.msfirewall.org is NOT going to resolve to the same IP address as autodiscover.msfirewall.org. Thus, adding the /autodiscover path to the owa.msfirewall.org Web Publishing Rule won't work and is extraneous. The /autodiscover path only applies to the autodiscover.msfirewall.org Web Publishing Rule.
> >
> > > IOW, create your SRV and A records for autodiscover.suffix, add "autodiscover.suffix" to the public names (ISA 2006 only) and make sure the cert used in the ISA web listener includes "autodiscover.suffix" in the SAN.
> >
> > Again, the issue isn't with the Web listeners, I have no problem with that. The issue is with the connection between the ISA Firewall and the Client Access Server. The Web site certificate bound to the Client Access Server has a common name and a first SAN name of owa.msfirewall.org and a second SAN name of autodiscover.msfirewall.org.
> >
> > Given that, the Web Publishing Rule that is publishing the autodiscover.msfirewall.org/autodiscover path must be configured on the TO tab to use autodiscover.msfirewall.org -- HOWEVER, and this is THE QUESTION -- will the ISA Firewall, when establishing the SSL channel between itself and the Client Access Server, be able to use the SECOND SAN on the Client Access Server Web site certificate to allow the connection?
> >
> > Make sense?
> >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Wednesday, August 29, 2007 11:33 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA and SAN Certs
> > >
> > > This is a good step in understanding some of the issues, but I suspect the major problems people are running into relate to publishing the autodiscovery site. You'll notice that when you run the Exchange Publishing Wizard in ISA 2006 that it includes an /autodiscover path, which is completely useless, since the client is looking for autodiscover.domain.com/autodiscover and not the Client Access Server Public Name, which would be something like owa.domain.com.
> > >
> > > OK, easy problem to solve, right? All we need to do is create a second Web listener on a second IP address and configure it to listen for public name autodiscover.company.com. HOWEVER, the Client Access Server's common/subject name and first SAN is owa.company.com. The second SAN is autodiscover.company.com.
> > >
> > > So, if we put on the TO tab autodiscover.company.com, will ISA 2006 be able to "consume" the second SAN to support the Outlook 2007 autodiscovery service?
> > >
> > > Thanks!
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Wednesday, August 29, 2007 1:10 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] ISA and SAN Certs
> > > >
> > > > Another isablog for your reading pleasure.
> > > >
> > > > http://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx
> > > >
> > > > All mail to and from this domain is GFI-scanned.
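
The name checks the thread keeps returning to, as an added example that is not part of the original messages or of ISA Server: for each publishing rule it tests whether the listener certificate covers the public name the client asks for, and whether the TO-tab name is covered by the Client Access Server certificate when a validator consults every SAN versus only the common name and first SAN. The host names are the ones used in the thread; the class names, function names and the two matching policies are assumptions made for illustration and are not a statement of how ISA Server validates certificates.

```python
"""Added example: name checks for a reverse-proxy publishing plan (constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    common_name: str
    sans: list = field(default_factory=list)  # dNSName entries, in certificate order


@dataclass
class Rule:
    label: str
    public_name: str      # host name the external client connects to
    listener_cert: Cert   # certificate bound to the listener IP that name resolves to
    to_name: str          # name the proxy uses toward the backend (the TO tab)
    backend_cert: Cert    # certificate bound to the Client Access Server web site


def _labels(host):
    return host.strip().rstrip(".").lower().split(".")


def host_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_checked(cert, policy):
    """Names a validator consults under each (hypothetical) policy."""
    if policy == "all-sans":
        # When SAN dNSName entries exist they are used instead of the CN.
        return list(cert.sans) if cert.sans else [cert.common_name]
    if policy == "first-name-only":
        return [cert.common_name] + list(cert.sans[:1])
    raise ValueError(f"unknown policy: {policy}")


def cert_covers(cert, host, policy="all-sans"):
    return any(host_matches(name, host) for name in names_checked(cert, policy))


def audit(rule):
    """Report which of the three name checks pass for one publishing rule."""
    return {
        "client_side": cert_covers(rule.listener_cert, rule.public_name),
        "backend_all_sans": cert_covers(rule.backend_cert, rule.to_name, "all-sans"),
        "backend_first_name_only": cert_covers(
            rule.backend_cert, rule.to_name, "first-name-only"
        ),
    }


# Constructed inputs that mirror the names discussed in the thread.
OWA = "owa.msfirewall.org"
AUTOD = "autodiscover.msfirewall.org"
LISTENER_OWA = Cert(OWA)              # individual cert on the first listener IP
LISTENER_AUTOD = Cert(AUTOD)          # individual cert on the second listener IP
CAS_CERT = Cert(OWA, [OWA, AUTOD])    # CN and first SAN owa, second SAN autodiscover

PLAN = [
    Rule("owa", OWA, LISTENER_OWA, OWA, CAS_CERT),
    Rule("autodiscover, TO=autodiscover", AUTOD, LISTENER_AUTOD, AUTOD, CAS_CERT),
    Rule("autodiscover, TO=owa", AUTOD, LISTENER_AUTOD, OWA, CAS_CERT),
    # The /autodiscover path left on the OWA rule: client asks for autodiscover
    # but would be answered with the owa certificate.
    Rule("autodiscover on the owa listener IP", AUTOD, LISTENER_OWA, OWA, CAS_CERT),
]


def run_plan(plan=PLAN):
    return {rule.label: audit(rule) for rule in plan}


if __name__ == "__main__":
    for label, result in run_plan().items():
        print(f"{label}: {result}")
```

A rule whose `backend_all_sans` and `backend_first_name_only` results differ is one that depends on second-SAN support, which is the open question in the thread; pointing the TO tab at the certificate's first name removes that dependency.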
</span><o:p></o:p></p> <p class=3D3DMsoNormal> <o:p></o:p></p> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Tom</span><o:p></o:p></p> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D MS","sans-serif"'>Thomas W Shinder, M.D.<br> Site:<span style=3D3D'color:blue'> <u><a =3D href=3D3D"http://www.isaserver.org/"; title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br= > Blog:<span style=3D3D'color:blue'> <u><a =3D href=3D3D"http://blogs.isaserver.org/shinder/"; title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o= r g=3D /shinder/</a></u></span><br> <span style=3D3D'color:#004000'>Book:</span> <a =3D href=3D3D"http://tinyurl.com/3xqb7"; title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <blockquote style=3D3D'border:none;border-left:solid blue =3D 1.5pt;padding:0cm 0cm 0cm 4.0pt; margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt '=3D > <p class=3D3DMsoNormal><o:p> </o:p></p> <div class=3D3DMsoNormal align=3D3Dcenter = style=3D3D'text-align:center'><span =3D lang=3D3DEN-US> <hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter> </span></div> <p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D lang=3D3DEN-US style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa= n >=3D </b><span lang=3D3DEN-US =3D style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On =3D Behalf Of </b>Thomas W Shinder<br> <b>Sent:</b> Wednesday, August 29, 2007 2:38 PM<br> <b>To:</b> isapros@xxxxxxxxxxxxx<br> <b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D lang=3D3DEN-US><o:p></o:p></span></p> <p class=3D3DMsoNormal><span =3D 
style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Never mind :)</span><o:p></o:p></p> <p class=3D3DMsoNormal> <o:p></o:p></p> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>I found it:</span><o:p></o:p></p> <p class=3D3DMsoNormal> <o:p></o:p></p> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'><a =3D href=3D3D"http://support.microsoft.com/kb/940881";>http://support.microsof= t .=3D com/kb/940881</a></span><o:p></o:p></p> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <p><b><span style=3D3D'font-size:10.0pt;font-family:"Trebuchet =3D MS","sans-serif"'>Thomas W Shinder, M.D.<br> Site:<span style=3D3D'color:blue'> <u><a =3D href=3D3D"http://www.isaserver.org/"; title=3D3D"http://www.isaserver.org/";>www.isaserver.org</a></u></span><br= > Blog:<span style=3D3D'color:blue'> <u><a =3D href=3D3D"http://blogs.isaserver.org/shinder/"; title=3D3D"http://spaces.msn.com/members/drisa/";>http://blogs.isaserver.o= r g=3D /shinder/</a></u></span><br> <span style=3D3D'color:#004000'>Book:</span> <a =3D href=3D3D"http://tinyurl.com/3xqb7"; title=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> MVP -- Microsoft Firewalls (ISA)</span></b><o:p></o:p></p> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <blockquote style=3D3D'border:none;border-left:solid blue =3D 1.5pt;padding:0cm 0cm 0cm 4.0pt; margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt '=3D > <p class=3D3DMsoNormal><o:p> </o:p></p> <div class=3D3DMsoNormal align=3D3Dcenter = style=3D3D'text-align:center'><span =3D lang=3D3DEN-US> <hr size=3D3D2 width=3D3D"100%" align=3D3Dcenter> </span></div> <p class=3D3DMsoNormal style=3D3D'margin-bottom:12.0pt'><b><span =3D lang=3D3DEN-US style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</spa= n >=3D </b><span lang=3D3DEN-US =3D 
style=3D3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] <b>On =3D Behalf Of </b>Thomas W Shinder<br> <b>Sent:</b> Wednesday, August 29, 2007 2:35 PM<br> <b>To:</b> isapros@xxxxxxxxxxxxx<br> <b>Subject:</b> [isapros] Re: ISA and SAN Certs</span><span =3D lang=3D3DEN-US><o:p></o:p></span></p> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>OK, that's an interesting sentence in a KB OL update =3D article. But there's no mention of this anywhere else on the ms.com =3D site.</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>In addition, how do we configure the SRV =3D records?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Service?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Protocol?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Priority?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Weight?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Port number?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>Host offering this service?</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><img border=3D3D0 width=3D3D404 
height=3D3D448 = =3D id=3D3D"_x0000_i1027" src=3D3D"cid:image001.jpg@01C7EBDE.77399D00"><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal><span =3D style=3D3D'font-size:10.0pt;font-family:"Arial","sans-serif"; color:blue'>I try to read minds best as I can, but I'm flailing on this =3D one :))</span><o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal> <o:p></o:p></p> </div> <div> <p class=3D3DMsoNormal =3D style=3D3D'margin-bottom:12.0pt'><o:p> </o:p></p> </div> <p><span style=3D3D'font-size:10.0pt'>Thomas W Shinder, M.D.<br> Site: www.isaserver.org<br> Blog: <a =3D href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org= / s=3D hinder/</a><br> Book: <a =3D href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> MVP -- Microsoft Firewalls (ISA)<br> <br> <br> <br> > -----Original Message-----<br> > From: isapros-bounce@xxxxxxxxxxxxx<br> > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>] On Behalf Of Jim Harrison<br> > Sent: Wednesday, August 29, 2007 2:27 PM<br> > To: isapros@xxxxxxxxxxxxx<br> > Subject: [isapros] Re: ISA and SAN Certs<br> ><br> > DatzDeWun! O'curse it works in real life; I tested it.<br> ><br> > <a =3D href=3D3D"http://support.microsoft.com/kb/939184";>http://support.microsof= t .=3D com/kb/939184</a><br> > OL 2K7 seeks a "autodiscovery" SRV record first, and only =3D if<br> > that fails,<br> > it'll seek the A record. 
This is based on the same domain =3D suffix as<br> > specified in the mail domain.<br> > If your OL client is behind a CERN proxy (and it knows it), it =3D can't<br> > specify that the proxy should look up a SRV record for<br> > autodiscover.sfx.<br> > The proxy assumes that any CERN request will be for a =3D "host"<br> > and makes a<br> > DNS query for an A record.<br> ><br> > OL 2K7 uses the SRV record to discover the host<br> ><br> > -----Original Message-----<br> > From: isapros-bounce@xxxxxxxxxxxxx<br> > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>]<br> > On Behalf Of Thomas W Shinder<br> > Sent: Wednesday, August 29, 2007 12:15 PM<br> > To: isapros@xxxxxxxxxxxxx<br> > Subject: [isapros] Re: ISA and SAN Certs<br> ><br> > BAM!!!!<br> ><br> > I think I get it. On the TO tab for the =3D autodiscover.msfirewall.org, I<br> > can still use owa.msfirewall.org since it resolves to the same =3D IP<br> > address as autodiscover.msfirewall.org on the internal network -- = =3D and<br> > the path is going to /autodiscover, so that's cool. It's all =3D making<br> > sense on paper -- now to see if it works in real life :)<br> ><br> > BTW -- why do I need a SRV record for OL autodiscovery? 
I haven't = =3D seen<br> > any documentation on that requirement on the Exchange side.<br> ><br> > Thanks!<br> > Tom<br> ><br> > Thomas W Shinder, M.D.<br> > Site: www.isaserver.org<br> > Blog: <a =3D href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org= / s=3D hinder/</a><br> > Book: <a =3D href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> > MVP -- Microsoft Firewalls (ISA)<br> ><br> > <br> ><br> > > -----Original Message-----<br> > > From: isapros-bounce@xxxxxxxxxxxxx<br> > > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>] On Behalf Of Jim Harrison<br> > > Sent: Wednesday, August 29, 2007 2:09 PM<br> > > To: isapros@xxxxxxxxxxxxx<br> > > Subject: [isapros] Re: ISA and SAN Certs<br> > ><br> > > Yes; I'd forgotten about the OL client's "SAN =3D problem".<br> > > It amazed me how much noise the Exch folks make about the =3D same<br> > > limitation for ISA.. ..but I digress.<br> > ><br> > > "Web Publishing Rule that is publishing the<br> > > autodiscover.msfirewall.org/autodiscover path must be<br> > > configured on the<br> > > TO tab to use autodiscover.msfirewall.org " - how do =3D you<br> > cone to that<br> > > contusion?<br> > > Why do you think you need to use "autodiscover" in = =3D the ISA rule<br> > > published hostname? 
Use whatever works for ISA and let = =3D the<br> > > client be as<br> > > stupid as you want.<br> > ><br> > > -----Original Message-----<br> > > From: isapros-bounce@xxxxxxxxxxxxx<br> > > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>]<br> > > On Behalf Of Thomas W Shinder<br> > > Sent: Wednesday, August 29, 2007 12:05 PM<br> > > To: isapros@xxxxxxxxxxxxx<br> > > Subject: [isapros] Re: ISA and SAN Certs<br> > ><br> > > Hi Jim,<br> > ><br> > > CIL...<br> > ><br> > > Thomas W Shinder, M.D.<br> > > Site: www.isaserver.org<br> > > Blog: <a =3D href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org= / s=3D hinder/</a><br> > > Book: <a =3D href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> > > MVP -- Microsoft Firewalls (ISA)<br> > ><br> > > <br> > ><br> > > > -----Original Message-----<br> > > > From: isapros-bounce@xxxxxxxxxxxxx<br> > > > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>] On Behalf Of Jim Harrison<br> > > > Sent: Wednesday, August 29, 2007 1:49 PM<br> > > > To: isapros@xxxxxxxxxxxxx<br> > > > Subject: [isapros] Re: ISA and SAN Certs<br> > > ><br> > > > All good points, but really orthogonal to the question of =3D how ISA<br> > > > handles SAN certs. Actually, I wrote that because = =3D some folks were<br> > > > whining about how ISA handled SAN certs in general. =3D In<br> > > fact, I tried<br> > > > not to delve into the variant forms of self-inflicted =3D ISA<br> > manglement<br> > > > pain that were filling other blogs.<br> > > ><br> > > > Q1 - Why do you need a second listener? Use your = =3D DNS to point<br> > > > autodiscover to the same Exch listener. 
The public =3D name is a<br> > > > rule; not<br> > > > a listener arttribute.<br> > ><br> > > TOM: We need a second listener because we can't have two<br> > certificates<br> > > with different common names listening on the same listener =3D using the<br> > > same IP address. OK, in ISA 2006 I *can* use multiple<br> > > certificates using<br> > > the same listener, but each of the certificates must be<br> > assigned to a<br> > > different IP address, so no big deal there -- so I create =3D two<br> > > different<br> > > Web Publishing Rules -- one for owa.msfirewall.org and a =3D second Web<br> > > Publishing Rule for autodiscover.msfirewall.org. So far so<br> > > good and SANs<br> > > aren't even an issue.<br> > ><br> > > > Q2 - why does the external OL client give a rats =3D bahootie<br> > > > what's listed<br> > > > in the cert used at the CAS? It never sees it.<br> > ><br> > > TOM: That's true and I didn't mean to imply that it did. =3D The<br> > > concern is<br> > > that common name and the first SAN on the Web site<br> > > certificate bound to<br> > > the Client Access Server site is owa.msfirewall.org. The<br> > second SAN is<br> > > autodiscover.msfirewall.org<br> > ><br> > ><br> > > > Q3 - why is the lack of the autodiscover.suffix =3D public<br> > name make the<br> > > > /autodiscover path "useless"? "Incomplete" perhaps, but<br> > > > hardly useless.<br> > ><br> > > TOM: Because the OWA publishing rule is listening for<br> > > owa.msfirewall.org, NOT autodiscover.msfirewall.org. Since<br> > > there are two<br> > > certificates involved here, one with the common name<br> > > owa.msfirewall.org<br> > > and a second with autodiscover.msfirewall.org -- we have to = =3D use two<br> > > different IP addresses, and owa.msfirewall.org is NOT =3D going<br> > to resolve<br> > > to the same IP address as autodiscover.msfirewall.org. 
=3D Thus,<br> > > adding the<br> > > /autodiscover path to the owa.msfirewall.org Web =3D Publishing<br> > Rule won't<br> > > work and is extraneous. The /autodiscover path only applies to =3D the<br> > > autodiscover.msfirewall.org Web Publishing Rule.<br> > ><br> > > ><br> > > > IOW, create your SRV and A records for =3D autodiscover.suffix, add<br> > > > "autodiscover.suffix" to the public names (ISA =3D 2006 only) and<br> > > > make sure<br> > > > the cert used in the ISA web listener includes<br> > > > "autodiscover.suffix" in<br> > > > the SAN.<br> > ><br> > > Again, the issue isn't with the Web listeners, I have no<br> > problem with<br> > > that. The issue is with the connection between the ISA<br> > > Firewall and the<br> > > Client Access Server. The Web site certificate bound to the = =3D Client<br> > > Access Server has a common name and a first SAN name of<br> > > owa.msfirewall.org and a second SAN name of<br> > > autodiscover.msfirewall.org.<br> > ><br> > > Given that, the Web Publishing Rule that is publishing the<br> > > autodiscover.msfirewall.org/autodiscover path must be<br> > > configured on the<br> > > TO tab to use autodiscover.msfirewall.org -- HOWEVER, and<br> > this is THE<br> > > QUESTION -- with the ISA Firewall when establishing the SSL = =3D channel<br> > > between itself and the Client Access Server, be able to =3D use<br> > the SECOND<br> > > SAN on the Client Access Server Web site certificate to allow =3D the<br> > > connection?<br> > ><br> > > Make sense?<br> > ><br> > ><br> > > ><br> > > > Jim<br> > > ><br> > > > -----Original Message-----<br> > > > From: isapros-bounce@xxxxxxxxxxxxx<br> > > > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>]<br> > > > On Behalf Of Thomas W Shinder<br> > > > Sent: Wednesday, August 29, 2007 11:33 AM<br> > > > To: isapros@xxxxxxxxxxxxx<br> > > > Subject: [isapros] Re: ISA and SAN Certs<br> > > ><br> > > > This is a good step in understanding 
some of the =3D issues,<br> > > but I suspect<br> > > > the major problems people are running into relates to<br> > publishing the<br> > > > autodisocvery site. You'll notice that when you run the = =3D Exchange<br> > > > Publishing Wizard in ISA 2006 that is includes an<br> > > /autodiscover path,<br> > > > which is completely useless, since the client is looking =3D for<br> > > > autodiscover.domain.com/autodiscover and not the =3D Client<br> > > Access Server<br> > > > Public Name, which would be something like =3D owa.domain.com.<br> > > ><br> > > > OK, easy problem to solve, right? All we need to do =3D is<br> > > create a second<br> > > > Web listener on a second IP address and configure it to = =3D listen for<br> > > > public name autodiscover.company.com. HOWEVER, the =3D Client Access<br> > > > Server's common/subject name and first SAN is =3D owa.company.com. The<br> > > > second SAN is autodiscover.company.com.<br> > > ><br> > > > So, if we put on the TO tab autodiscover.company.com, =3D will<br> > > ISA 2006 be<br> > > > able to "consume" the second SAN to support to =3D the Outlook 2007<br> > > > autodiscovery service?<br> > > ><br> > > > Thanks!<br> > > > Tom<br> > > ><br> > > > Thomas W Shinder, M.D.<br> > > > Site: www.isaserver.org<br> > > > Blog: <a =3D href=3D3D"http://blogs.isaserver.org/shinder/";>http://blogs.isaserver.org= / s=3D hinder/</a><br> > > > Book: <a =3D href=3D3D"http://tinyurl.com/3xqb7";>http://tinyurl.com/3xqb7</a><br> > > > MVP -- Microsoft Firewalls (ISA)<br> > > ><br> > > > <br> > > ><br> > > > > -----Original Message-----<br> > > > > From: isapros-bounce@xxxxxxxxxxxxx<br> > > > > [<a =3D href=3D3D"mailto:isapros-bounce@xxxxxxxxxxxxx";>mailto:isapros-bounce@free= l i=3D sts.org</a>] On Behalf Of Jim Harrison<br> > > > > Sent: Wednesday, August 29, 2007 1:10 PM<br> > > > > To: isapros@xxxxxxxxxxxxx<br> > > > > Subject: [isapros] ISA and SAN Certs<br> > > > ><br> > > > ><br> > > > > Another isablog for your reading 
pleasure.<br> > > > ><br> > > > ><br> > > > > <a href=3D3D"http://blogs.technet.com/isablog/archive/2007/08/29/certificat"= > h=3D ttp://blogs.technet.com/isablog/archive/2007/08/29/certificat</a><br> > > > > es-with-mu<br> > > > > =3D ltiple-san-entries-may-break-isa-server-web-publishing.aspx<br> > > > ><br> > > > > All mail to and from this domain is GFI-scanned.<br> > > > ><br> > > > ><br> > > > ><br> > > > ><br> > > ><br> > > ><br> > > > All mail to and from this domain is GFI-scanned.<br> > > ><br> > > ><br> > > ><br> > > ><br> > ><br> > ><br> > > All mail to and from this domain is GFI-scanned.<br> > ><br> > ><br> > ><br> > ><br> ><br> ><br> > All mail to and from this domain is GFI-scanned.<br> ><br> ><br> ><br> > </span><o:p></o:p></p> </blockquote> </blockquote> </blockquote> </blockquote> </div> </body> </html> ------_=3D_NextPart_002_01C7EBD6.64A8D3BB-- ------_=3D_NextPart_001_01C7EBD6.64A8D3BB Content-Type: image/jpeg; name=3D"image001.jpg" Content-Transfer-Encoding: base64 Content-ID: <image001.jpg@xxxxxxxxxxxxxxxxx> Content-Description: image001.jpg Content-Location: image001.jpg /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQY GBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgo KCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAHAAZQD ASIA AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUF BAQA AAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0 NTY3 ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKj pKWm p6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QA HwEA AwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEE BSEx BhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZH SElK U1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0 tba3 uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwDT +Knx 
ov8A4uj+2YP7v/kaL/4uvLvM8Y/9CFqX/gwsv/j1HmeMf+hC1L/wYWX/AMeoA9R/tmD+7/5G i/8A i6P7Zg/u/wDkaL/4uvLvM8Y/9CFqX/gwsv8A49R5njH/AKELUv8AwYWX/wAeoA9R/tmD+7/5 Gi/+ Lo/tmD+7/wCRov8A4uvLvM8Y/wDQhal/4MLL/wCPUeZ4x/6ELUv/AAYWX/x6gD1H+2YP7v8A 5Gi/ +Lo/tmD+7/5Gi/8Ai68u8zxj/wBCFqX/AIMLL/49R5njH/oQtS/8GFl/8eoA9R/tmD+7/wCR ov8A 4uj+2YP7v/kaL/4uvLvM8Y/9CFqX/gwsv/j1HmeMf+hC1L/wYWX/AMeoA9R/tmD+7/5Gi/8A i6P7 Zg/u/wDkaL/4uvLvM8Y/9CFqX/gwsv8A49R5njH/AKELUv8AwYWX/wAeoA9R/tmD+7/5Gi/+ Lo/t mD+7/wCRov8A4uvLvM8Y/wDQhal/4MLL/wCPUeZ4x/6ELUv/AAYWX/x6gD1H+2YP7v8A5Gi/ +Lo/ tmD+7/5Gi/8Ai68u8zxj/wBCFqX/AIMLL/49R5njH/oQtS/8GFl/8eoA9R/tmD+7/wCRov8A 4uuL 8cXfiO8vYx4ctNDktDGpke/1Hyn3gvwFRWGMN1znPYY5wvM8Y/8AQhal/wCDCy/+PVBNf+LI pfLb wDqxfAYhLy0fAOcdJT6GmAzyPHv/AD4+Ev8Awbv/APGqueD9H1LSNN12TWzpy3epamt4sdlc +eqr 5KoeSFPVPTuOap/2l4s/6J/rf/gRbf8AxyrvhjVJtZtdUe50+bTrjTrxbKa3mkR2DmMSHlCV 4DL3 znIOMUDNSuV8Df8AIR8X/wDYab/0ngrqq5XwN/yEfF//AGGm/wDSeCgD5/8A2lP+Sjj/AK8o v5tR R+0p/wAlHH/XlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP +uMX /otaAKteX+HPFerRaFpupynVdajuLW2+1Jc2qWuy4mlgjRYGMcaup8yU5yw+RPmUNlvUK5fT fD2o w2lhp19eaVNpFn5Pl28FjNE48kq0WJDcN91kQ8g5xg9aAB/Et1Fdus2nwC1trq3sLyRLol0u JhFt Ea7AHjBnjyxZD975eAGz/DXiPXLvQPDyS2NjcavqFiLwM940cbxKkO52KwnbIWmX5ApUDPzc AHpJ 9B06fUxfywuZ9yyMomcRO642u8QOx3GFwzKSNi4Pyriu3hXSvs6QpHdQpGzNEYL2eJogwAMa Mrgp H8q/u1IT5V+XgUAZdt40+2abd6xa2GdEsrUXNzJJNtuBm2W4CpEFKt8siDJkXnd2AJjuNb1C TxNo mmX0CWV2l4skqWt000UsMlrebQWKISd8BJUrgYQ5J6bn/CNaSJ96WnlxmLyXto5HS3kTZ5eH gBEb /JhfmU8Ko6KMFn4b0y0nhnSKeS4hl85Jri6lnkDBHQDe7FioWWTCk7QXYgZOaANDTpZ59Ptp ry2+ y3UkSvLb7w/lOQCybhw2DkZHXFWKr6dZwadp9tZWcfl2ttEsMSZJ2ooAUZPJ4A61YoAKKKKA Ciii gAqb4Lfd8af9h9//AEltqhpPhY0lrZeNB58NncXGsyvayXSEof8ARoFD7dyl1DKQcMM7SMg9 ATOl 8c6nq+nXfhiLQY7aae91NreSC5l8mOWMWlzJgyCNyuGjVshckqBwCaz77xlqiWF5qNhotlNp 66gu l2zTag8Ustx9tWzbeghYIgcuwYM5KqvygsQs39n3OqfufFWu6Le2qfPD/ZtvNYXEMvQOkwuW ZflL qduCQ5GcEgxeIPCWgarBcpb6lLYtc3MFxKsOozLF8lzHO5SJZAkbuYzmRAGDOzZJJyhG/wCG dYn1 
VdRgv7SO01DTrn7LcxwzGaLeYo5VKOVQsNkqZyq4bcOQATtVi6LBo2i2rwWFxGFdzJJJNdtP LK+A NzySMzucBVBYnCqoHAAGh/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A 39X/ ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z9 2/8A 39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aF l/z9 2/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/j R/aF l/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7 +r/j R/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCf u3/7 +r/jR/aFl/z92/8A39X/ABoAtUVV/tCy/wCfu3/7+r/jR/aFl/z92/8A39X/ABoAtVynjUyr b3Bt kSScLGY0kcorNiXALAEgZ74OPQ10P9oWX/P3b/8Af1f8a4H4h+LLHTb1Lb7Nql68kccm+wsZ blFA MgwWRSAeemc464yMgI898E+Mte8Ra9fWF94SfSYLBjHdXE15u2yYyEQeWA5IIOQcbSDnlQ23 4C+7 43/7D6/+ksdVv+E3s/8AoD+Jf/BNcf8AxFT/AA6aSbT/ABXdva3dtFd62s0S3Vu8Dsn2ZBna 4Bxl WGfY0yjo65XwN/yEfF//AGGm/wDSeCuqrlfA3/IR8X/9hpv/AEngoA+f/wBpT/ko4/68ov5t RR+0 p/yUcf8AXlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uM X/ot aAKtFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFWUvrtFCpdTqoGABIQAKrVzngvwl4d14+M9U8 Ttch LHVpI/O/tO4tooYVt4XOQkiqACzsSfU5NAHW/wBoXv8Az93H/f1v8aP7Qvf+fu4/7+t/jVDQ /APw /wBb88WNpraSwbTJBd3+pWsqhs7W8uV1badrANjBKsAcqcav/CovB3/PnqX/AIOb3/49QK5D /aF7 /wA/dx/39b/Gj+0L3/n7uP8Av63+NTf8Ki8Hf8+epf8Ag5vf/j1H/CovB3/PnqX/AIOb3/49 SC5D /aF7/wA/dx/39b/Gj+0L3/n7uP8Av63+NTf8Ki8Hf8+epf8Ag5vf/j1H/CovB3/PnqX/AIOb 3/49 QFyH+0L3/n7uP+/rf40f2he/8/dx/wB/W/xqb/hUXg7/AJ89S/8ABze//HqP+FReDv8Anz1L /wAH N7/8eoC5D/aF7/z93H/f1v8AGj+0L3/n7uP+/rf41N/wqLwd/wA+epf+Dm9/+PUf8Ki8Hf8A PnqX /g5vf/j1AXIf7Qvf+fu4/wC/rf40f2he/wDP3cf9/W/xpb2xt9MitLGyQpbW8bRRqXLkKJXA yzEk n1JJJ6k1UpjLX9oXv/P3cf8Af1v8aP7Qvf8An7uP+/rf41VooAtf2he/8/dx/wB/W/xo/tC9 /wCf u4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8aP7Q vf8A n7uP+/rf41VooAtf2he/8/dx/wB/W/xo/tC9/wCfu4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+ 0L3/ AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8aP7Qvf8An7uP+/rf41VooAtf2he/8/dx/wB/W/xo /tC9 
/wCfu4/7+t/jVWigC1/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NVaKALX9oXv/P3cf8Af1v8 ajmu ridQs08sig5w7kjP41DRQAVyvgb/AJCPi/8A7DTf+k8FdVXK+Bv+Qj4v/wCw03/pPBQB8/8A 7Sn/ ACUcf9eUX82oo/aU/wCSjj/ryi/m1FAH1pqP/Hwn/XGL/wBFrRqP/Hwn/XGL/wBFrRqP/Hwn /XGL /wBFrRqP/Hwn/XGL/wBFrQBVrx/wzp+paT4M0LVtKg0rRpJrXT7XdbL532wzz2y+bOuxPmVd 4xuY /vnwynk+wUUAeby6pNZa/qVjf67/AGTp63TCTVGS3ieSVLWy2I7vH5ZZxJK33dx8sBcKpFR2 era3 qOmT3urSpEY9R0mD7A1ooELy/YXkzvBbIaRtvQqSxJJCbO81bSLbVPK+0yXyeXnb9lvZrbOc dfLd d3TvnHOOpqxYWkdjaR20DTtGmcGed5nOSTy7ksevc+3SgDzvwzqN9ofgjQZ7W7fVhbwLYXVh I8Mb W900UaxQllUFCsoWLawLDz9znCV2mkNPFqD2V5qv226gsbYyp9nEfzkyhpsjj94UPyD7vl/7 VaFz ZwXU9pNPHuktJTNCckbHKMhPHX5XYc+vrirFABRRRQAUUUUAFFFFABWX4M0qfXfBXxT0i0eN Lm/1 C7tYmlJCB5LGBQWIBOMkZwDWpVv4cW8mgR6+195J/tHVGvYRHPHlYzDFGAwLDBzGTj0I75AB M2fD UN/d+KdX1y+0y50uK5srSyjtruSJpSYXuHZ/3Tuu0+eoHzZyrZAGCeqrL/tmD+7/AORov/i6 P7Zg /u/+Rov/AIukI1KKy/7Zg/u/+Rov/i6P7Zg/u/8AkaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/ u/8A kaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/u/8AkaL/AOLoA1KKy/7Zg/u/+Rov/i6P7Zg/u/8A kaL/ AOLoA5nxB/x9r/20/wDRslZdaOtuslxGyspyGJCsGxmRyASCRnBFZ1MoKKKKACiiigAooooA KKKK ACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8hHxf/wBhpv8A0ngrqq5XwN/yEfF//Yab /wBJ 4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD601H/j4T/rjF/6LWjUf+PhP+uMX/ot aNR/ 4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRWPpfiC11L+x/IjnX+1LFtQh3qBtjHlZDYPDfvl6ZH B56Z ANiisfS/EmlajFpfl3kEV1qVql3b2c0qLO0bLuB2ZyeAc4yODzxRF4l0c/2ek+pWNtdX8Ucs FtLd ReY4f7u0BiGyeAVJBPQmgDYork9O8eaLd+FrfWmvLUJttTdxRXKSGzadlUCQ5G0KWOSccK3H GK6S 1vbW72/ZbmCfdEk48uQNmN87H4/hba2D0ODjpQBYooooAKKKKACiiigArnX8V25vLy2ttK16 9a0m MEz2WlzXCK+A23cikZwynGc4IroqoeAdX/sDwr8TdZ8j7R/Z2p3V35O/Z5nl2UD7d2DjOMZw fpQB m/8ACTn/AKFzxb/4Irr/AOIo/wCEnP8A0Lni3/wRXX/xFeleHNR1T+39T0TW5rK6ubS2trxb mzt3 t0ZJnmQIY2kkOVMBO7dzvAwNuW6WkK54h/wk5/6Fzxb/AOCK6/8AiKP+EnP/AELni3/wRXX/ AMRX t9FFwueIf8JOf+hc8W/+CK6/+Io/4Sc/9C54t/8ABFdf/EV7fRRcLniH/CTn/oXPFv8A4Irr /wCI o/4Sc/8AQueLf/BFdf8AxFe30UXC54h/wk5/6Fzxb/4Irr/4ij/hJz/0Lni3/wAEV1/8RXt9 FFwu 
eYQFpLO1uHhmg+0R+YIpkKSIMkYZTyp46Hkd8HilrU8Qf8fa/wDbT/0bJWXTGFFFFABRRRQA UUUU AFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXK+Bv+Qj4v/7DTf8ApPBXVVyvgb/kI+L/ APsN N/6TwUAfP/7Sn/JRx/15Rfzaij9pT/ko4/68ov5tRQB9aaj/AMfCf9cYv/Ra0aj/AMfCf9cY v/Ra 0aj/AMfCf9cYv/Ra0aj/AMfCf9cYv/Ra0AVa8f1LTNOvP7T41sfabo+X/wASe94t5PP87P7j /Wf6 bd7McfLDnOGz7BRQBwcfh59U16TVoY3ewvLyG9Juri7tWhaERqFNphVc5gBDuRjcDtYKA2Pb aNq2 iW+meHYrZLwzz6ZdTzxiYLD9nFukgDeV5ZGLUt80iMd2ApO3d6pRQBwb+D9QOleGIVmtfP0f To4G BZtsk0c1pKoB25CMbZlLYyNwO09K6yyiuv7Qlubq3sYvMtYUJhJaTzAZC6lyBujG5dvAOS5I Ga0K KACiiigAooooAKKKKACo/hZp9rq2k/EDTtQi86yvNZmt549xXfG9nbqwyCCMgnkHNSVZ0CS2 0KO8 Gnx3EbXlwbq4Pmqd8pVVJwUOBtRRgenrkkEzq9B0AaVdXd5caje6pqFykcMl1eCJX8qMuUjC xIiY BkkOdu47zkkBQNquO/4SGX1uP++4/wD43R/wkMvrcf8Afcf/AMbpCsdjRXHf8JDL63H/AH3H /wDG 6P8AhIZfW4/77j/+N0BY7GiuO/4SGX1uP++4/wD43R/wkMvrcf8Afcf/AMboCx2NFcd/wkMv rcf9 9x//ABuj/hIZfW4/77j/APjdAWOxorjv+Ehl9bj/AL7j/wDjdH/CQy+tx/33H/8AG6AsVvEH /H2v /bT/ANGyVl1av7oXUiMFZdoIO5gSSWLE8Ad29Kq0ygooooAKKKKACiiigAooooAKKKKACiii gAoo ooAKKKKACiiigAooooAK5XwN/wAhHxf/ANhpv/SeCuqrlfA3/IR8X/8AYab/ANJ4KAPn/wDa U/5K OP8Aryi/m1FH7Sn/ACUcf9eUX82ooA+tNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX /ota NR/4+E/64xf+i1oAq0UV5n4V8T6oNG07UJ5tR1RLqzg883toLVI7uZ4UiWJxEm6NjJIWYCTA RSOo DgHplFcnaeKb2fXodGbSU+3BpVumjut0MIQW7lgxQM4KXK/wg7xtxtJcR6H4g1KP4Yp4g1m3 gluo tMF9iKbP2gCEPlvkUIzHOVAYDsTQB2FFcvD4luotdtNH1PT4Ib6eVATb3RljWN4rh1bcyIS2 bVwV wAAynJ5Azz43unvLqO30mBobeVYGd7wqxke8mtIsKIz8peEFjnKqxwHIwQDuKK87TxZqCatr OpLZ pJp9hp0b3sDXjAwtDPeJMYV2ESE+ScFjHkKmcfw2Lz4gSQPq0kWi3U1nZLdhZgkwDPbq+7ex i8pU LRMoZZHOSuVBLBQDvKKz7O6v5ZbUXOnfZ45YpJJGM6sYWDKI0YDqzKzE7SVUoRlgQx0KACii igAr A8NaX4m8V3niCSw8RWOm2un6i1lHFLpf2hiBFFJuLCVP+emMY7da36X4Q20F5Z+Ora7hjntp tclj lilUMkiG0tgVYHgggkEGgTIv+EA8Yf8AQ6ab/wCCI/8AyRR/wgHjD/odNN/8ER/+SKyY/DWi L4Wu PFFtY+G9O0a+vYrsWF5ssrC6sVSSK2WdghX5mm+1AvGWDMkZGUVl774YwX1v4LtE1O1+xytN cyRW oLFYIGuJGgjUMqsqrEY1VSqlQApVSNoQXOX/AOEA8Yf9Dppv/giP/wAkUf8ACAeMP+h003/w RH/5 
Ir1KigVzy3/hAPGH/Q6ab/4Ij/8AJFH/AAgHjD/odNN/8ER/+SK9SooC55b/AMIB4w/6HTTf /BEf /kij/hAPGH/Q6ab/AOCI/wDyRXqVFAXPLf8AhAPGH/Q6ab/4Ij/8kUf8IB4w/wCh003/AMER /wDk ivUqKAueby2Ulhb2sFzOLm5WMiacJ5YkcOylguTtHHAycep61DWp4g/4+1/7af8Ao2SsumUF FFFA BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXK+Bv8AkI+L/wDsNN/6TwV1 Vcr4 G/5CPi//ALDTf+k8FAHz/wDtKf8AJRx/15Rfzaij9pT/AJKOP+vKL+bUUAfWmo/8fCf9cYv/ AEWt Go/8fCf9cYv/AEWtGo/8fCf9cYv/AEWtGo/8fCf9cYv/AEWtAFWs8aNYDRIdIEGLCGJIYow7 ZRUx sKtncGXapDA7gQCDkZrQooAy9O0HTtPuI7i2hf7QiyJ50szyyMHKbtzOSXP7qMZYkgIAMAYq OXw/ ZjQNQ0m1TZa3cUkXlSvJJGgdNu1V3grGBwEQqAOm3rWxRQBy6eGrm81Ca5166sblpIo0D2Nv PZzI ULlCsgnYrgSyg7QCQ5BOODcs/Cmj2kTRw2r4ZonZpLiSRmaOd50JZmJJEsjtknnODkcVuUUA c/J4 P0SS5edracNJuEqLdzLHMGkklZZIw+11LyyHawIwxGMcVJdeFNHunuzcWrulysiyRG4k8oeY pWRk j3bUdgz5dQGO9ufmOdyigCu9nA+oQ3rR5uoYpIUfJ4RyhYY6cmNPy9zViiigAooooAKk+ELp Zp4u N2ywCbXJJIvNO3zE+z267lz1G5WGR3UjtUdWUvrtFCpdTqoGABIQAKAO7/tCy/5+7f8A7+r/ AI0f 2hZf8/dv/wB/V/xrhf7Qvf8An7uP+/rf40f2he/8/dx/39b/ABpCsd1/aFl/z92//f1f8aP7 Qsv+ fu3/AO/q/wCNcL/aF7/z93H/AH9b/Gj+0L3/AJ+7j/v63+NAWO6/tCy/5+7f/v6v+NH9oWX/ AD92 /wD39X/GuF/tC9/5+7j/AL+t/jR/aF7/AM/dx/39b/GgLHdf2hZf8/dv/wB/V/xo/tCy/wCf u3/7 +r/jXC/2he/8/dx/39b/ABo/tC9/5+7j/v63+NAWO6/tCy/5+7f/AL+r/jR/aFl/z92//f1f 8a4X +0L3/n7uP+/rf40f2he/8/dx/wB/W/xoCxY11le5RkIZSHIIOQR5r1m1JNNLOwaaR5GAxl2J OPxq OmMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8AIR8X/wDY ab/0 ngrqq5XwN/yEfF//AGGm/wDSeCgD5/8A2lP+Sjj/AK8ov5tRR+0p/wAlHH/XlF/NqKAPrTUf +PhP +uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX/otaAKtcXpvxE0W+tNBkjvdO 8/UF 33MC3yM1kot3mcv3wpTaSQuM5OOldpXm7aPdaj4d8P8Ah680TW4bWyiFrLc5sxuQ2slszYE7 FcCU vwG+7jBoA6xfFWlG3eUyXSOrKn2d7KdLhiwJG2Ep5jAhXOQpGEf+62DRPEUGrarqNjHb3UT2 jJte S3lVXVoYpMksgCP+9x5ZO75ckemXf+FL7UPPuL690qfUpfJQStp0gjiSLzSjRqJ96ShpnPmB xgYw Aea1NA0OXRbqfyr97m0nWNpPtSl7h5kiji3mXIBBSJSQVyWJO7HygAr614w07TrPVJIy889l BPKq mN0imeJGZokmK7GcbGBVSSNrZHytjP0/xTO2sQWd9cJHBFZ/bLm5k0q4t1ZS0wGd7Ytgohzm Qnfn 
5cUat4Jl1Gzu7BtSRNPdrye3UWxMsc1ykyuXffh0H2iQhQqn7uWODu2NS8PRalca2bmdxBqm nR6d IkYAZFUzZYMcjJE3pxt75oAjfxhokUSvcXM9uzyiFYbi0milZ2V2UCNkDncI3C4HzMpVctxU aeMt KWaWG5ldZImk8xoreeSKFFmki3ySeWFjGYnyWIA2tyVG409G8Fpp97Z3YOlW8lvdCcx6bpi2 kcgE M0YBG5mLfvycliMKAFBLEi+C8WXiS3+3/wDIYtZrbd5P+p8ya6l3Y3fNj7VjHH3M98AA2F8S aY+r R6css7XEsrQI4tZTC8iqzMgm2+WWAR8jdkFWHUEVj6z4yFlLqsEdrP52n31pbswtpZUkjla3 3FSq 48wCcgRgljtBwQcVXg0bVo/FllDEmNCsr6fURLLEgZ3mjm3KrrKScPcNgGJPlX7xIG/UvvDc txeX jRXqR2l3eWt/JG0BZxNC8B+V9wAQpAowVJBYnOPloAk/4SzTPNj/AH+yMxSu6SxSxzqyNEoT ySm7 c3nJhThjvTarBsjQ/tizGk/2lIZ4bXoBNbyRyE7toURsocsWwFXGWJGAcjPP6n4M+2atqN/5 9jN9 r8z/AEe+sftEI3LaL8y713Y+yZHTlx/d50P+Eff/AIRP+x5biC/kPLSapC13GxMm8goz7mUd FBck ALksRyASS+KtKhSF5pLqISL5jeZZTqYU3Fd8wKZhTKthpNoIViDgEiS08S6TeXf2a2u/Mm+1 PZYE b4E6CQtGWxgMBE5xnptPR1zzdx8PIpzbvcXNrfT+QLeefU7IXsiqJJHzA0rExkGVgN/m8LGD u2nd uP4cz4cvNMW62zS3U95DceXnyZmuGuI225+bY5U4Jw23kYOKAA+LNMFzdR+fvWHagWKKWSZ5 PMmj ZVjVMtg28n3dxwrEgKAxsDxJphu4bYyzrJJsGXtZVSNnAKJI5XbHIdy4RyG+ZRjLDOXN4PWG +tbv SLpLR7GC2gs45YmmjjEK3EfzfOGcFLlh94EFQSTyKjPgtJPEI1a4OlS3EksNzcTPpitP5saI v7mR mPlxny1O0hmGXwwJBUA6ixvIL6BprWTzI1lkhJwRh43ZHHPoysPw44qxVexinhgZbq5+0yGW Rw+w JhGdiiYH91Sq577cnk1YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK KKAC iiigAooooAKKKKACiiigArlfA3/IR8X/APYab/0ngrqq5XwN/wAhHxf/ANhpv/SeCgD5/wD2 lP8A ko4/68ov5tRR+0p/yUcf9eUX82ooA+tNR/4+E/64xf8AotaNR/4+E/64xf8AotaNR/4+E/64 xf8A otaNR/4+E/64xf8AotaAKtYPw88G3HirwtFq974t8SW8011dx+VbSW4jRY7mSNQN0LN91B1J 5zW9 Wh8C/wDkmtn/ANfuof8ApbPQJlX/AIVWP+h08W/9/bX/AOMUf8KrH/Q6eLf+/tr/APGK9Iop Cueb /wDCqx/0Oni3/v7a/wDxij/hVY/6HTxb/wB/bX/4xXpFFAXPN/8AhVY/6HTxb/39tf8A4xR/ wqsf 9Dp4t/7+2v8A8Yr0iigLnm//AAqsf9Dp4t/7+2v/AMYo/wCFVj/odPFv/f21/wDjFekUUBc8 3/4V WP8AodPFv/f21/8AjFH/AAqsf9Dp4t/7+2v/AMYr0iigLnm//Cqx/wBDp4t/7+2v/wAYo/4V WP8A odPFv/f21/8AjFekUUBc83/4VWP+h08W/wDf21/+MUf8KrH/AEOni3/v7a//ABivSKKAueb/ APCq x/0Oni3/AL+2v/xij/hVY/6HTxb/AN/bX/4xXpFFAXPN/wDhVY/6HTxb/wB/bX/4xR/wqsf9 Dp4t 
/wC/tr/8Yr0iigLnm/8Awqsf9Dp4t/7+2v8A8Yo/4VWP+h08W/8Af21/+MV6RRQFzzf/AIVW P+h0 8W/9/bX/AOMUf8KrH/Q6eLf+/tr/APGK9IooC55v/wAKrH/Q6eLf+/tr/wDGKP8AhVY/6HTx b/39 tf8A4xXpFFAXPN/+FVj/AKHTxb/39tf/AIxR/wAKrH/Q6eLf+/tr/wDGK9IooC55v/wqsf8A Q6eL f+/tr/8AGKP+FVj/AKHTxb/39tf/AIxXpFFAXPN/+FVj/odPFv8A39tf/jFH/Cqx/wBDp4t/ 7+2v /wAYr0iigLnm/wDwqsf9Dp4t/wC/tr/8Yo/4VWP+h08W/wDf21/+MV6RRQFzzf8A4VWP+h08 W/8A f21/+MUf8KrH/Q6eLf8Av7a//GK9IooC55v/AMKrH/Q6eLf+/tr/APGKP+FVj/odPFv/AH9t f/jF ekUUBc83/wCFVj/odPFv/f21/wDjFH/Cqx/0Oni3/v7a/wDxivSKKAueb/8ACqx/0Oni3/v7 a/8A xij/AIVWP+h08W/9/bX/AOMV6RRQFzzf/hVY/wCh08W/9/bX/wCMUf8ACqx/0Oni3/v7a/8A xivS KKAueb/8KrH/AEOni3/v7a//ABipB4cTw5ZTwf2lqOpu8kb+ffujOoIkG0bEUAfLnpnPU8DH olcx 4t/j/wC2X/tWgaOYrlfA3/IR8X/9hpv/AEngrqq5XwN/yEfF/wD2Gm/9J4KYz5//AGlP+Sjj /ryi /m1FH7Sn/JRx/wBeUX82ooA+tNR/4+E/64xf+i1o1H/j4T/rjF/6LWjUf+PhP+uMX/otaNR/ 4+E/ 64xf+i1oAq1qfCW3uNE8C2ljqlrc290tzdymMwuSFkupZEPAPVWU46jODg1l0UAeifbov7lx /wCA 8n/xNH26L+5cf+A8n/xNed0UrCseifbov7lx/wCA8n/xNH26L+5cf+A8n/xNed0UWCx6J9ui /uXH /gPJ/wDE0fbov7lx/wCA8n/xNed0UWCx6J9ui/uXH/gPJ/8AE0fbov7lx/4Dyf8AxNed0UWC x6J9 ui/uXH/gPJ/8TR9ui/uXH/gPJ/8AE153RRYLHon26L+5cf8AgPJ/8TR9ui/uXH/gPJ/8TXnd FFgs eifbov7lx/4Dyf8AxNH26L+5cf8AgPJ/8TXndFFgseifbov7lx/4Dyf/ABNH26L+5cf+A8n/ AMTX ndFFgseifbov7lx/4Dyf/E0fbov7lx/4Dyf/ABNed0UWCx6J9ui/uXH/AIDyf/E0fbov7lx/ 4Dyf /E153RRYLHon26L+5cf+A8n/AMTR9ui/uXH/AIDyf/E153RRYLHon26L+5cf+A8n/wATR9ui /uXH /gPJ/wDE153RRYLHon26L+5cf+A8n/xNH26L+5cf+A8n/wATXndFFgseifbov7lx/wCA8n/x NH26 L+5cf+A8n/xNed0UWCx6J9ui/uXH/gPJ/wDE0fbov7lx/wCA8n/xNed0UWCx6J9ui/uXH/gP J/8A E0fbov7lx/4Dyf8AxNed0UWCx6J9ui/uXH/gPJ/8TR9ui/uXH/gPJ/8AE153RRYLHon26L+5 cf8A gPJ/8TR9ui/uXH/gPJ/8TXndFFgseifbov7lx/4Dyf8AxNH26L+5cf8AgPJ/8TXndFFgseif bov7 lx/4Dyf/ABNH26L+5cf+A8n/AMTXndFFgseifbov7lx/4Dyf/E0fbov7lx/4Dyf/ABNed0UW Cx6J 9ui/uXH/AIDyf/E1geJ382J5FWQJmJQXjZMkeZnqB6iuaophYK5XwN/yEfF//Yab/wBJ4K6q uV8D f8hHxf8A9hpv/SeCgZ8//tKf8lHH/XlF/NqKP2lP+Sjj/ryi/m1FAH1pqP8Ax8J/1xi/9FrR qP8A 
x8J/1xi/9FrRqP8Ax8J/1xi/9FrRqP8Ax8J/1xi/9FrQBVrB+Hng248VeFotXvfFviS3mmur uPyr aS3EaLHcyRqBuhZvuoOpPOa3q0PAWzwt4Yt9Je6trlo5p5jIPMQZlmeXGNh6b8Z74zgZxQJk I8OJ 4csp4P7S1HU3eSN/Pv3RnUESDaNiKAPlz0znqeBjjbrxLdW17rMkmnwf2NpMojuroXR85V8m OVnE WzBVRIM/PuwrYBOFPoeuX8V5EzK8ZclAFQseF35OSo/vCvJNZsNXGsa7arp19eaFqkqyXKW8 Nury L5EcTIsr3KkKRHg/uw3LbSDtYAzY8R+LrOw0vWXspN99Z2txJEZYJBBLLFGzGMSYCOwKtlVb cNr9 NpxJrXjDTtOs9UkjLzz2UE8qqY3SKZ4kZmiSYrsZxsYFVJI2tkfK2MOT4fw3kWoyBbGzbUIr pt76 dG17FJcq+8SThyGVTK2Am04VRvIB3WJPh5Yy3eomT7Ctvefai0sVhGL3NwHDg3BzlR5rYAVS AEBJ AYMAbkvirSoUheaS6iEi+Y3mWU6mFNxXfMCmYUyrYaTaCFYg4BIk1LXY9P1/TNMlgnf7dFK6 yRRP JsZHiUBgqnap83JckKNvPWsPV/BTazeR3upyaPc3jwLbTyTaSsoVFd2UwLI7CN8SHJbzASFO 3AIP Qajpks+safqVpcJDPbLJA6yxGRXhkaNnAwylXzEmGyQOcqcjABh+H/GttqPh7S7q4/c39zFa tJFN bzW6M0rxoxiLId6hpAAVyvzJlgGDV0Gk6xZ6t5psDO8ceCJWt5EjkBzho3ZQsinGdyEjBBzg jPPt 4LzZeG7f7f8A8ge1htt3k/67y5rWXdjd8ufsuMc/fz2wdDwn4ffQvtRe4gKzbAltZwtb2sIX PMcJ dwjMWJYqQDgHGclgAg8YaJc6fb3tpcz3UFxkw/ZrSaZpAApZlRELFV3KrNjCsdpIbirH/CS6 SZ9i XfmRiLznuY43e3jTZ5mXnAMafJhvmYcMp6MM4d54Gin0fw/as2nXU+kWf2JTqNgLmF1Kxhn8 vepV 8xLg7jgFhg5yLA8INHaahpsN8i6PqMHk3UX2ZRNn7OsGY3UrGg2xodvlkZ3YwCAoBcfxhokU SvcX M9uzyiFYbi0milZ2V2UCNkDncI3C4HzMpVctxUd54og/4SDStMsQ8puLyS2nlNtL5QCQSuQk uBGX DxhSASRhhjIOI4fDV1LrtprGp6hBNfQSoSLe1MUbRpFcIq7WdyGzdOS2SCFUYHJJB4auodWs pF1C A6ZaX0+oJbm1PnGSZZtwMu/btDTuR8mcBRk8kgGx/bNh9t+yef8A6R9q+x7Njf67yfP25xj/ AFfz Z6ds54rD0PxpY6jqF5CzuLczwrZ3AtZlieOW3hkTfKV2K7NKQFJUnKjGSMyar4QgvtQ1K9jn 8m6u YkMD7C32e4UofOxuw3MFr8h4/c/7bZIPCEFrp9xZWc/k2r31ndxJsLeUluLcLHktlsi2HzHp u745 ALDeMNEWCSY3M/lptKEWkx88M6orQ/J++Us6DdHuHzrzhhmxL4gszoGoarbv+7sopHlS4SSF oyib sSKULpxg/cJ2kEAgjPN6X8O7fTooord9OhS3a2EUlvpqRTSJFPFL+/k3EyOfJUbhsGWZip+U LuX3 hz7Vpvim0+1bP7c3/P5efI3W0cHTPzf6vd26496ALHhzXY9aW9CQTwyWl1NbPvicI2yV4wyu VCvn ZkhSducHmsvwz40sdR8OWV7qDvbXb2cVxLG1rNEHZgoIhDLmUb3VRs3ZLoOSy52ND0yXSzeR C4SW zlnkuIU8oiSNpJHkkDPuww3OduFXAGDuPNcvH4Bln0az0/V9RtbxNPs0s7QLYlEKq8L/AL5G kbzA 
TbxAgFOC47gqAdA3irShbpKJLp3ZmT7OllO9wpUAndCE8xQAyHJUDDp/eXJdeK9HtXuxcXTo lssj SSm3k8o+WpaRUk27XdQr5RSWGxuPlOMuw8Iz6X5FxpNzpVnfx+crCLSwlrsk8rcFiSRWDfuI zuZ2 6t2KhY9W8Ey6jZ3dg2pImnu15PbqLYmWOa5SZXLvvw6D7RIQoVT93LHB3AGxB4r0eVyrXT2+ 1WZz d28luqbVLFWMiqFcIC+w4bZ8+NvNC+KtKNu8pkukdWVPs72U6XDFgSNsJTzGBCuchSMI/wDd bGfr PgyLVmvlubx1gvLyS5kWNAGCvYm0KgkkZwd+7HtjvVNPA3l6fNFCnh2C4kljcNBovkxx7A4V 0CSi RZQXOJPM+UD5QpJYgHUXmsWdnp8F5cGdY59oijFvI0zkjdtEQXeWwCSu3ICsSAAcZ+meKLa+ vdWt /st8n2Da+77JMfMQwxS9NnEn73HlcvxnHOAax4fe80Cy02K4glktdm251KFrmTKoVEgZXjZZ ec+Y CCDnHJyKf/CIyx2d9ZRao8lpdrE8hu4zNLJNGkSZkfcA8bpCodCoLbn+YA4ABJJ4us/7UtUW TbYt a3EkwlgkSdJUkt1SPyyA4ZhPwu3c25NvUZ3NL1K11S3aazdyEbY6SxNFJG2AcMjgMpwQcEDI IPQg 1w8Xw0iKXInn04JKzyC2ttOEVsGLWjKDEXbKZsxuXI3CRuV611nhfRU0LT5LdFsUaWUyutjZ rawg 4C/KgJPRRkszEnPIGFABsUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVyv gb/k I+L/APsNN/6TwV1Vcr4G/wCQj4v/AOw03/pPBQB8/wD7Sn/JRx/15Rfzaij9pT/ko4/68ov5 tRQB 9aaj/wAfCf8AXGL/ANFrRqP/AB8J/wBcYv8A0WtGo/8AHwn/AFxi/wDRa0aj/wAfCf8AXGL/ ANFr QBVooooAKKKz/wC29K/tb+yv7Tsf7T/58/tCed93d9zO77vPTpzQBoUUUUAFFFUxqdljUGa4 RE09 tl08nyLEfLWQ5JwMbHU56c+xoAuUVGs8TXDwLKhnRVdoww3KrEhSR1AJVsHvtPpUlABRRUaz xNcP AsqGdFV2jDDcqsSFJHUAlWwe+0+lAElFFFABRRRQAUUUUAFVf7Ssf+f22/7+r/jVqvPfAHhf QNR8 N/atQ0PSrq6kvb3fNPaRu7YupQMsRk8AD8KAO4/tKx/5/bb/AL+r/jR/aVj/AM/tt/39X/Gs n/hC vCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/AM/tt/39 X/Gs n/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/AM/t t/39 X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/aVj/ AM/t t/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r/jR/ aVj/ AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/AL+r /jR/ aVj/AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5/bb/ AL+r /jR/aVj/AM/tt/39X/Gsn/hCvCv/AELOif8AgBF/8TR/whXhX/oWdE/8AIv/AImgDW/tKx/5 /bb/ AL+r/jVx1ZGKuCrA4IIwQawbfwh4atriKe28PaPDPEweOSOyiVkYHIIIXIIPeum1T/kJ3f8A 12f/ 
ANCNAFWiiigAooooAKKKKACiiigAooooAK5XwN/yEfF//Yab/wBJ4K6quV8Df8hHxf8A9hpv /SeC gD5//aU/5KOP+vKL+bUUftKf8lHH/XlF/NqKAPrTUf8Aj4T/AK4xf+i1o1H/AI+E/wCuMX/o taNR /wCPhP8ArjF/6LWjUf8Aj4T/AK4xf+i1oAq0UUUAFef3un6qdY1yZ03aINYtruWGO2c3LrFB bMJI m3YdRJGoZAhYhZApLYWvQKx7/wAL6BqN3JdahoelXV1JjfNPaRu7YAAyxGTwAPwoA4eWLxV/ a2ry Wd7ff2n/AKb5Nv8AZJfJ2bZPs372SX7N/wA8D8ib88N/y1NaE/2T/QvK/wCEp/sD9/5//IR+ 0faf 3Plf9N/L2ed0/d56/Niu8t4Ira3igtokhgiUJHHGoVUUDAAA4AA7VJQB5vp1t4kOjandatPq p1AS 2UUsKOQqw+TaG7aFY+rHEwBTJDA+Xhi26Sx0yS88I+PLXSrfUSL9pksxqHnLLKWsoU63GHxv DKCx xx6CvRKKAPN3tLi+8Q6bbWTeIl0B/I3mSe8hcYTUC+53IkHziDOT/wA8x021nuniVtLslebV YIbi 1sbvUZHhuJnSaSO484KsbLKv7xbbMcTKEz90KXB9YooA4/ZqK/DzZNqN9HddBc/YJnmMRm+U eSjm bmPC53+aAdzFXBxj6JDeW2qf2pLpGqrePpgSwtTf3MqTSRyXTFZpXxjcskRXz1BXfgAMpA9I ooA8 n0a11W81i30+W71ubRjdQvJKItQsSMwXe8F5pGl27kt+j7MlRgEnMbT6jAfDya5Lr6Wl6tnc Xiwt dea1y9teNMi+V+8UBo4SYkwqYB2gE59cqOWCKV4XliR3hbfGzKCUbaVyvocMwyOxI70Ac34Z +1b9 N+3f2ru8q98nzM+X5H2hPJ87d83m+Vs27vmx5u75s11FFFABRRRQAVyvww/5FCP/AK/b7/0r mrqq peFfD6aHoqWL6nbTMJppiwSQDMkryY+7234z3xnA6UAXaKtfZov+f23/AO+ZP/iaPs0X/P7b /wDf Mn/xNAFWirX2aL/n9t/++ZP/AImj7NF/z+2//fMn/wATQBVoq19mi/5/bf8A75k/+Jo+zRf8 /tv/ AN8yf/E0AVaKtfZov+f23/75k/8AiaPs0X/P7b/98yf/ABNAFWirX2aL/n9t/wDvmT/4mj7N F/z+ 2/8A3zJ/8TQBVoq19mi/5/bf/vmT/wCJo+zRf8/tv/3zJ/8AE0AVaKtfZov+f23/AO+ZP/ia Ps0X /P7b/wDfMn/xNAFWrWqf8hO7/wCuz/8AoRo+zRf8/tv/AN8yf/E02/kWW+uZIzlHkZlPqCTQ BXoo ooAKKKKACiiigAooooAKKKKACuV8Df8AIR8X/wDYab/0ngrqq5XwN/yEfF//AGGm/wDSeCgD 5/8A 2lP+Sjj/AK8ov5tRR+0p/wAlHH/XlF/NqKAPrTUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4 T/rj F/6LWjUf+PhP+uMX/otaAKtFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFF FFAB RRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAVyv gb/k I+L/APsNN/6TwV1Vcr4G/wCQj4v/AOw03/pPBQB8/wD7Sn/JRx/15Rfzaij9pT/ko4/68ov5 tRQB 9aaj/wAfCf8AXGL/ANFrRqP/AB8J/wBcYv8A0WtGo/8AHwn/AFxi/wDRa0aj/wAfCf8AXGL/ ANFr QBVooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA KKKK 
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACuV8Df8hHxf/wBhpv8A0ngr qq5X wN/yEfF//Yab/wBJ4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD601H/j4T/rjF/6 LWjU f+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrRRXF2mta1b3Gqf2readJBZ6jbac v2bT 3RnaY2x3HdOQBicr3xgNzjYQDtKK5PS/HFpfpZyNp2o20VysEgeYREJHcNtgdgsjHEj5UAAk EEsF GCZPC/jjR/EuoSWmmy7pBEZ4z5sT+bGCAW2o7Mn3k+WQI3zdMhsAHUUVyeneK55LWdrrSrp5 zqNx Y2iweUBdmOWYfJuk4KxwksX2AkHbnIFWNU1xpfDttf6czwO+o2trIsiqWQm8SGaM9RkfOuQS O6k8 GgDpKK5fRfF9re6XZzOk7XU/2RViEQjebz41cSJHvY+WAZCTk48mXlthNHhfxxo/iXUJLTTZ d0gi M8Z82J/NjBALbUdmT7yfLIEb5umQ2ADqKK4vVda1dfDniLXdNuLWOOxa4EEFzbmRWS2DrJna ykO0 qPhtxARU+UMWqxrFx4lsrrQ7eLUdHL307W0jtpsuAwiml3KPP6YjVdpJ5JOf4aAOsorn7O81 LV/D l9NZSQW+pJdXcNuSP3ZMNxIiB85O1hGA2OcFtu04xc0PWotZt7ee2trqOCezgvY5JUAUrKGI TIJG 9QvzDtuXk5oA1KKKKAOf0dvF3iG81kaDZ6CbTTr02Re9u5ondhHHJnasTDGJAOvUHitP/hH/ AIif 8+fhL/wY3H/xiue+H+nWOt+PNV0zWbO21DTWvdTuTaXcSyxGVItKVJNjAjcqySANjIDsB1Ne r/DO 5nvPhx4UubuaSe5m0m0klllYs8jmFCWYnkkkkkmkK5xP/CP/ABE/58/CX/gxuP8A4xR/wj/x E/58 /CX/AIMbj/4xXrdFArnkn/CP/ET/AJ8/CX/gxuP/AIxR/wAI/wDET/nz8Jf+DG4/+MV63RQF zyT/ AIR/4if8+fhL/wAGNx/8Yo/4R/4if8+fhL/wY3H/AMYrofiTp5m0fSru9nke5tdc08xfZ5ZY Yij6 jAAHiDlZCF2jLA/MCyhc4HdUDueSf8I/8RP+fPwl/wCDG4/+MUf8I/8AET/nz8Jf+DG4/wDj Feq3 KztGBayRxyb0JMkZcFAw3DAI5K5AOeCQcNjB8s0S2gTWfD2rpDGuq33inVrK6vQoE9xbx/2h shkk +8yL5MOFJIHlJgfKMAXG/wDCP/ET/nz8Jf8AgxuP/jFH/CP/ABE/58/CX/gxuP8A4xXrdch8 SVnO g+XJJG1jc6hpdq8HlnLpJfRJMrnOGR0cIU2jjcCWDYAFzk/+Ef8AiJ/z5+Ev/Bjcf/GKtabo 3iuC 5LeI4dDhsvLcg2F1LLIXCFgMPGgA4OTkntjnI6LwBbQWF/4u06whjttPs9WSO2tYVCRQI1la yMqI OFBd3YgAZZmPUmtvxB/x6L/20/8ARUlAXOFooopjCiisfVbyf+29J0y0k8pp/Mup5MAnyItg ZVzn 5meSIdPueZghtpoA2KK87bxdrWn+CrXXNR/s64fUdOe5tUgt3iEMwtXuArgyNvQiNhuBUggc HcSu hreua1ooisLibTp9Qu2iNtcx2rpEqm5ggkDxGUkkeerAh+eQQu0FgDtKK4u+1zWoNVstCWbT hqks 8Ya7Nq7QtC8Ny6kReaGV91sykbyMYbPO1Qa5rV5r0WiWc2nW15brcC7nltXmjkaMWzKY1EqF Qy3I JBJ2kFcsBuIB2lFcnf8AiuWPwtqGoQWLrd21nfSksC8CTWrFGQuMEhnBK8AsqscKRis/XvHn 2S/t 
I7C2uvIZVef7VptzE+DdWsP7tWVS52zyHChjkL9CAd5RXP6H4hGr6/qVpBFPHa2trbyqbi0l t5C8 jzBvlkCkriNcEDru5Pbk9T8da1a6NrzxWVq2oW8909ixicwG1geVXMnzZ3jyGBK/KGmgBxv4 APTK K8z1Px1rVro2vPFZWrahbz3T2LGJzAbWB5VcyfNnePIYEr8oaaAHG/jtPFF9fWGnxyafFlml CSzf ZpLnyEwTv8mMh5MsFXCkY37jwpoA2KK4e58Q6okFo4v7GK1aIu+onSLiWEuHYOjosoNt5YVd xlbq zfd2MK6DSryf+29W0y7k81oPLuoJMAHyJd4VWxj5leOUdPueXkltxoA2KKKKACuV8Df8hHxf /wBh pv8A0ngrqq5XwN/yEfF//Yab/wBJ4KAPn/8AaU/5KOP+vKL+bUUftKf8lHH/AF5RfzaigD60 1H/j 4T/rjF/6LWjUf+PhP+uMX/otaNR/4+E/64xf+i1o1H/j4T/rjF/6LWgCrXH2+j6rdXd0up2F jb2t 5fQahNJb6m8rpJCItgVTbqCpMEectnlsHoK7CigDm7bwfp9va28CTXRSCCwt1JZclbOUyRE/ L1JP zeo6Y61c0PQk0fYkN9fTWsMQgtraV18u3jGMKoVQWwFUBpC7ADg/M2diigDn5PC8J3+Rf31v i6a8 tvL8s/ZJn8zzGTchzv8ANkyH3gbvlC4GLA8P2o0eHTjJOY0ukvGkLDfJMs4nLNxj5pASQABy QAox jYooAw9M8Mafp76Q8Id30yzFlC0m0llVQqu3HLqN4BGMCWQY+Y1JoehJo+xIb6+mtYYhBbW0 rr5d vGMYVQqgtgKoDSF2AHB+Zs7FFAHP/wDCP+Zp+v6TPJjSdS80x+W2JIvOB85eQc/OWkDEnmQr gBBn UvtPivbrTp5WcPYzm4jCkYLGKSPDcdMSN0xyB9KuUUAc2ugX2n2uoro2sXQe6aZ4orhYTFay TSl2 lXEe5ipZiFZiD90kdRqaXpMGl7Es3nS1jtYbSK2MhaOJIt20qDzuIYAkk5Cr6VoUUAFFFFAF X4Ya Lpeu2fjK21vTbLUrZPEbyLFeQJMgcWluAwDAjOCRn3NesV5xFdPEgSOO3Cj/AKd4/wA+nJ96 f9ul /uW//gPH/wDE0CseiUV539ul/uW//gPH/wDE0fbpf7lv/wCA8f8A8TSsFj0SivO/t0v9y3/8 B4// AImj7dL/AHLf/wAB4/8A4miwWO5/s6x+z/Z/sdt5HnfafL8pdvm+Z5vmYxjd5nz7uu7nrzVu vO/t 0v8Act//AAHj/wDiaPt0v9y3/wDAeP8A+JosFjvrm2guoxHdQxzRq6SBZFDAOjBlbB7hlDA9 iAe1 VYdF0uDWZ9Xh02yj1W4QRzXqQIJ5EG35WkA3EfKvBP8ACPSuL+3S/wBy3/8AAeP/AOJo+3S/ 3Lf/ AMB4/wD4mgLHolVLnTrG6+1fabO2m+1wi2uPMiVvOiG7Eb5HzL87/KePmb1NcN9ul/uW/wD4 Dx// ABNH26X+5b/+A8f/AMTRYLHc6Xp1jpNjFZaVZ21lZRZ8u3toljjTJJOFUADJJP1Jqt4g/wCP Rf8A tp/6Kkrj/t0v9y3/APAeP/4mj7dNhgBCu4FSVhQHBGDyB6UBYq0UUUxhWXqmnyzanpuoWbIt xas0 cgckCS3kx5iZwcHKxuDjJMYXKhia1KKAOTg8D2i6GdJu9R1G+tEs2sbYTmIG1jaMxkpsjUF9 hxuY MQMgYDMGsXPhSO8tXW91XUbm8LRNHfSeSJYBHKkqqgEYjALxqT8hLYAJIVcdJRQBzdx4UjmF vKdV 1FdThnFx/aI8kzMRHJGFIMZjCBZXwoQDJLfeZiSXwpH9otrq01XUbO+iWVZLqLyXkuDKYy7S eZGw 
z+5TG0AKAFACgAdJRQBh3vhmyudMk09ZbqCzks7izeKKXhxNjfI27JaTIJDtk5dycljUmteH 7XV7 6yurmSdZLTGwRsADieCbnIP8Vug+hbvgjYooAy7nRYp9RnvVubqGeZbZGMLhflgleRR0zhi7 Kw7q ccdary+GNPl0a+01w5S7W8Rp/l81FuXZ5QrY4GW4GP4VznFblFAGHL4Y0+XRr7TXDlLtbxGn +XzU W5dnlCtjgZbgY/hXOcVYu9KnlFz9m1fUbR55xOWiMT7AI1Ty1EiMFQ7d2MZ3EnPJFalFAHNz eFI5 bH7B/auorp8iyLdWy+TtujIzNKzsY9yly7Z2MgGflC1oaXp8sOp6lqF4yNcXTLHGEJIjt48+ WmcD Jy0jk4yDIVywUGtSigAooooAK5XwN/yEfF//AGGm/wDSeCuqrlfA3/IR8X/9hpv/AEngoA+f /wBp T/ko4/68ov5tRR+0p/yUcf8AXlF/NqKAPrTUf+PhP+uMX/otar6te2sN4EluYEcQxZVpACP3 a9qs aj/x8J/1xi/9FrXM3HhDw1c3Es9z4e0eaeVi8kkllEzOxOSSSuSSe9AGl/aVj/z+23/f1f8A Gj+0 rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE0Aa39pWP/P7bf9/V /wAa P7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/AMTQBrf2lY/8/tt/ 39X/ ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4ARf8AxNAGt/aVj/z+ 23/f 1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE0Aa39pWP /P7b f9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/AMTQBrf2 lY/8 /tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4ARf8AxNAG t/aV j/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon/gBF/wDE 0Aa3 9pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0LOif+AEX/ AMTQ Brf2lY/8/tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv/Qs6J/4A Rf8A xNAGt/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK8K/9Czon /gBF /wDE0Aa39pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+Jo/4Qrwr/0L Oif+ AEX/AMTQBrf2lY/8/tt/39X/ABo/tKx/5/bb/v6v+NZP/CFeFf8AoWdE/wDACL/4mj/hCvCv /Qs6 J/4ARf8AxNAGt/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41k/8IV4V/wChZ0T/AMAIv/iaP+EK 8K/9 Czon/gBF/wDE0Aa39pWP/P7bf9/V/wAaP7Ssf+f22/7+r/jWT/whXhX/AKFnRP8AwAi/+JqO 48Ie ELa3lnufD2gQwRKXkkksoVVFAySSVwAB3oA2v7Ssf+f22/7+r/jR/aVj/wA/tt/39X/GuJ/4 tX/1 JH/krR/xav8A6kj/AMlaAO2/tKx/5/bb/v6v+NH9pWP/AD+23/f1f8a4n/i1f/Ukf+StH/Fq /wDq SP8AyVoA7b+0rH/n9tv+/q/40f2lY/8AP7bf9/V/xrif+LV/9SR/5K0f8Wr/AOpI/wDJWgDt v7Ss 
f+f22/7+r/jR/aVj/wA/tt/39X/GuJ/4tX/1JH/krR/xav8A6kj/AMlaAO2/tKx/5/bb/v6v +NH9 pWP/AD+23/f1f8a4n/i1f/Ukf+StbFh4X8F6jaR3Wn6H4durWTOyaC0hdGwSDhgMHkEfhQBv f2lY /wDP7bf9/V/xo/tKx/5/bb/v6v8AjVP/AIV1oX/QnaZ/4K4//iaP+FdaF/0J2mf+CuP/AOJo Auf2 lY/8/tt/39X/ABo/tKx/5/bb/v6v+NU/+FdaF/0J2mf+CuP/AOJo/wCFdaF/0J2mf+CuP/4m gC5/ aVj/AM/tt/39X/Gj+0rH/n9tv+/q/wCNU/8AhXWhf9Cdpn/grj/+Jo/4V1oX/QnaZ/4K4/8A 4mgC 5/aVj/z+23/f1f8AGj+0rH/n9tv+/q/41T/4V1oX/QnaZ/4K4/8A4mj/AIV1oX/QnaZ/4K4/ /iaA Ln9pWP8Az+23/f1f8a53wIyvf+LmRgytrLEEHII+zQVrf8K60L/oTtM/8Fcf/wATVnS9O03S Rc2W lWdnZCKX9/b20Sx7JCqn5lUDDFSh55wV7YoA+Yv2lP8Ako4/68ov5tRR+0p/yUcf9eUX82oo A+tN R/4+E/64xf8Aotaq1a1H/j4T/rjF/wCi1qrQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUU UAFF FFABRRRQAUUUUAFFFFABRRRQAUUUUAFc/wDEP/kQPE3/AGDLn/0U1dBXP/EP/kQPE3/YMuf/ AEU1 AHZalfXaajdKl1OqiVgAJCABk1X/ALQvf+fu4/7+t/jRqn/ITu/+uz/+hGqtAFr+0L3/AJ+7 j/v6 3+NV7/XJdPtJLm7v7hIUwCQ7MSSQAqqOWYkgBQCSSAASabWP4is5520y9tI/Om026N0LcEKZ gYpI iqseA2JSRnglQCVB3AAvWni6O6Ft5Wo3ivcTm2SOVZY5BKI2k2sjAMh2KW+YDIwR94ZuWGuS 6haR 3Vnf3ElvJkpIHYBwCRuXPVTjIYcEEEEgg15z4g8M6j4m1Wz1GW3fT0eeFXt5mSQpFDDd8zBW 2ujv cBGjVjlOrDcQneWEs81pG95bfZrjkPEHDgEEjKsOqnGQSAcEZCnIABpf2he/8/dx/wB/W/xo /tC9 /wCfu4/7+t/jVWigBdT1K+TTbtkvblWWFyCJWBB2n3rz74Cf8km0L/tv/wCj5K7bVv8AkFXv /XF/ /QTXE/AT/kk2hf8Abf8A9HyUAelap/yE7v8A67P/AOhGqtWtU/5Cd3/12f8A9CNVaAK9/eQa faSX N3JshTAJALEkkAKqjlmJIAUAkkgAEmo9L1GDU7dprZLpEVthFzay27ZwDwsiqSOeuMdfQ1T8 RWc8 7aZe2kfnTabdG6FuCFMwMUkRVWPAbEpIzwSoBKg7hz/iy2vvEen2qXOgXy2aSuZLYx2E1xvA Gx1E rPD5eGlB53524+XdkA7iivM9B8J6jDpwvr/T0PiT7Zpr/bXZGuPKSK0S4/e5Jx8lwCM/MC3X dzHL 4WupfDdpZNok8N1BLCdVngWzd9XKxSKXHmFlk/essn78Kf4h84xQB6JFqEUmsXOmqr+fbwRX DMQN pWRpFUDnOcxNnjuPwuVx/gfRLzSb64e4inS3ext4ovPljd12z3T+WRGFVdqyxjao2L91SwXN dhQA Vyvgb/kI+L/+w03/AKTwV1Vcr4G/5CPi/wD7DTf+k8FAHz/+0p/yUcf9eUX82oo/aU/5KOP+ vKL+ bUUAfWmo/wDHwn/XGL/0WtVa53UPiN4Oa5+XxJpjbY0QkTgjIQA89+Qar/8ACxPB/wD0Mem/ 9/hQ B1VFcr/wsTwf/wBDHpv/AH+FH/CxPB//AEMem/8Af4UAdVRXK/8ACxPB/wD0Mem/9/hR/wAL E8H/ 
APQx6b/3+FAHVUVyv/CxPB//AEMem/8Af4Uf8LE8H/8AQx6b/wB/hQB1VFcr/wALE8H/APQx 6b/3 +FH/AAsTwf8A9DHpv/f4UAdVRXK/8LE8H/8AQx6b/wB/hR/wsTwf/wBDHpv/AH+FAHVUVyv/ AAsT wf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQB1VFcr/wsTwf/wBDHpv/AH+FH/CxPB//AEMem/8A f4UA dVRXK/8ACxPB/wD0Mem/9/hR/wALE8H/APQx6b/3+FAHVUVyv/CxPB//AEMem/8Af4Uf8LE8 H/8A Qx6b/wB/hQB1VFcr/wALE8H/APQx6b/3+FH/AAsTwf8A9DHpv/f4UAdVRXK/8LE8H/8AQx6b /wB/ hR/wsTwf/wBDHpv/AH+FAHVUVyv/AAsTwf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQB1VFcr/w sTwf /wBDHpv/AH+FH/CxPB//AEMem/8Af4UAdVWP4ys59R8Ia5ZWcfmXVzYzwxJkDc7RsFGTwOSO tZv/ AAsTwf8A9DHpv/f4Uf8ACxPB/wD0Mem/9/hQBi3viv4j3F5PMnw/t0WSRnCnVoWKgnOM5Gfy qH/h JfiT/wBCFbf+DSH/AOKroP8AhYng/wD6GPTf+/wo/wCFieD/APoY9N/7/CgDn/8AhJfiT/0I Vt/4 NIf/AIqj/hJfiT/0IVt/4NIf/iq6D/hYng//AKGPTf8Av8KP+FieD/8AoY9N/wC/woA5/wD4 SX4k /wDQhW3/AINIf/iqP+El+JP/AEIVt/4NIf8A4qug/wCFieD/APoY9N/7/Cj/AIWJ4P8A+hj0 3/v8 KAOf/wCEl+JP/QhW3/g0h/8AiqP+El+JP/QhW3/g0h/+KroP+FieD/8AoY9N/wC/wo/4WJ4P /wCh j03/AL/CgDm7jxB8R57eWF/AVuFkUoSNVhzgjHrW98I9Gv8Aw/8ADzSdM1eD7PfQeb5ke9X2 7pnY cqSDwQetTf8ACxPB/wD0Mem/9/hR/wALE8H/APQx6b/3+FAE9/4m1ya+uZYfBeqGN5GZd15a A4JJ GR5pwfxqD/hItf8A+hK1L/wNtP8A47R/wsTwf/0Mem/9/hR/wsTwf/0Mem/9/hQAf8JFr/8A 0JWp f+Btp/8AHaP+Ei1//oStS/8AA20/+O0f8LE8H/8AQx6b/wB/hR/wsTwf/wBDHpv/AH+FAB/w kWv/ APQlal/4G2n/AMdo/wCEi1//AKErUv8AwNtP/jtH/CxPB/8A0Mem/wDf4Uf8LE8H/wDQx6b/ AN/h QAf8JFr/AP0JWpf+Btp/8do/4SLX/wDoStS/8DbT/wCO0f8ACxPB/wD0Mem/9/hR/wALE8H/ APQx 6b/3+FAB/wAJFr//AEJWpf8Agbaf/Had4Ftb+H+3rnU7CWwe+1I3McMskbsE8mJckozDqjd+ 1N/4 WJ4P/wChj03/AL/Cj/hYng//AKGPTf8Av8KAPn/9pT/ko4/68ov5tRVH4+6tYaz47W70m8gv LY2k a+ZC4YZBbI470UAf/9k=3D ------_=3D_NextPart_001_01C7EBD6.64A8D3BB-- // eompost 46D81477:744B.1:vfncebf