[isalist] Re: RCP over HTTP Assistance needed

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 3 Jun 2006 08:31:45 -0500

Hi Joseph,
You have it down to a science!

You are correct.

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of ISA
        Sent: Saturday, June 03, 2006 8:20 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] RCP over HTTP Assistance needed


        Tom:

        I believe you are mistaken about the use of the 'Common Name' of the Cert. and with your rule.

        1) You need to 'reissue' the Cert with the FQDN Common Name (i.e. mail.domain.com) used by internet clients attempting to connect to your Exchange.

        2) Install this cert on the Exchange box and ISA box as you did before.

        3) This name also needs to be used in the TO field of the web publishing rule.

        4) ISA box needs to resolve the FQDN of (mail.domain.com) to the Exchange server (HOSTS). Configure your internal DNS to allow internal clients to resolve mail.domain.com to your Exchange box (HOSTS).

        5) External Clients resolve mail.domain.com to the ISA external interface (DNS). Internal Clients and ISA resolve mail.domain.com to Exchange (DNS/HOSTS).

        Hope this helps; more importantly - I hope I'm right. :-)

         

        Joseph Danielsen, MCSA-Messaging, MCP
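As an added example (editor's code, not from any poster on this list), the two checks ISA applies to the Exchange certificate as Jim Harrison lists them further down (A1: issuing CA in the local machine trusted root store; A2: certificate name equals the "To" field of the publishing rule) and the name alignment Joseph's steps 1-3 aim at, run over certificates laid out the way Python's ssl.SSLSocket.getpeercert() returns them. The certificate contents, the CA name "Company Internal CA" and the names EXCHANGE and mail.domain.com are constructed from the thread; the SAN-bearing certificate and wildcard matching go beyond what the thread describes.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed certificates, laid out as Python's ssl.SSLSocket.getpeercert() returns
# them (tuples of RDNs), so the same checks can be run against a real peer certificate.
CERT_CN_EXCHANGE = {           # Tom's original cert: issued to the internal host name
    "subject": ((("commonName", "EXCHANGE"),),),
    "issuer": ((("organizationName", "Company"),), (("commonName", "Company Internal CA"),)),
}
CERT_CN_PUBLIC = {             # Joseph's step 1: reissued with the public FQDN as CN
    "subject": ((("commonName", "mail.domain.com"),),),
    "issuer": ((("commonName", "Company Internal CA"),),),
}
CERT_SAN_BOTH = {              # generalization: both names carried as SAN dNSName entries
    "subject": ((("commonName", "mail.domain.com"),),),
    "issuer": ((("commonName", "Company Internal CA"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "EXCHANGE")),
}


def _rdn_value(name, attr: str):
    """First value of attribute `attr` (e.g. 'commonName') in a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def cert_names(cert: dict) -> List[str]:
    """Host names the certificate is valid for: the CN plus any SAN dNSName entries
    (the thread only speaks of the CN; accepting SAN entries is the modern rule)."""
    names: List[str] = []
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    for n in [cn] + [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]:
        if n and n not in names:
            names.append(n)
    return names


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive host-name match; a single wildcard may replace the left-most
    label only ('*.domain.com' matches mail.domain.com, not domain.com or a.b.domain.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern.count("*") == 1:
        return host.count(".") == pattern.count(".") and host.split(".", 1)[1] == pattern[2:]
    return False


def diagnose(cert: dict, trusted_root_cns: Iterable[str], to_field_server: str) -> Tuple[str, str]:
    """Apply ISA's two certificate checks in the order Jim Harrison lists them (A1, A2).
    Simplification: trust is modelled as 'issuer CN is in the trusted root set'; a
    real chain build additionally verifies the signature and validity dates."""
    issuer = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer not in set(trusted_root_cns):
        return ("UNTRUSTED_CA",
                f"issuer {issuer!r} is not in the ISA local machine trusted root store "
                "(IE: 'The security certificate is from an untrusted certifying authority')")
    names = cert_names(cert)
    if not any(name_matches(n, to_field_server) for n in names):
        return ("NAME_MISMATCH",
                f"rule To field {to_field_server!r} matches none of {names} "
                "(ISA: 'target principal name is incorrect')")
    return ("OK", "CA trusted and certificate name matches the rule's To field")


def thread_walkthrough() -> Dict[str, str]:
    """The states the thread passes through, as diagnosis codes."""
    ca = ["Company Internal CA"]
    return {
        "original (CA not imported, CN=EXCHANGE, To=EXCHANGE)": diagnose(CERT_CN_EXCHANGE, [], "EXCHANGE")[0],
        "CA imported, CN=EXCHANGE, To=EXCHANGE": diagnose(CERT_CN_EXCHANGE, ca, "EXCHANGE")[0],
        "reissued CN=mail.domain.com but To still EXCHANGE": diagnose(CERT_CN_PUBLIC, ca, "EXCHANGE")[0],
        "reissued CN=mail.domain.com, To=mail.domain.com": diagnose(CERT_CN_PUBLIC, ca, "mail.domain.com")[0],
    }


if __name__ == "__main__":
    for state, code in thread_walkthrough().items():
        print(f"{code:14} {state}")
```

The path portion of the rule (/Rpc*, /exchange/*) never enters either check, which is Jim's point A3.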

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: Sunday, May 28, 2006 12:22 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: RCP over HTTP Assistance needed

         

        OK, the CA Cert (from my internal network CA) is installed in the ISA Local Machine Trusted Root Store, same with the Exchange server Cert.

        The Common Name on the Exchange box cert DOES match the server name in the TO field of the web publishing rule - EXACTLY.

        RPC over HTTP still does NOT work from the outside via ISA 2004. It still works fine from the INSIDE. OWA still works fine from the outside and inside with the cert issued by the internal network CA.

        What should I do now? I have done what you said and I have re-read the book and made sure everything was done there.

        Is it ok to just add the /RPC* path to the current OWA rule? Do I have to get a cert from VeriSign? What could be holding this up?

        -TRogers

         

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
        Sent: Sat 5/27/2006 1:48 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RCP over HTTP Assistance needed

        http://www.ISAserver.org
        -------------------------------------------------------
         
        You haven't followed the advice, books, or articles.
        If you had, you wouldn't be seeing the errors you're quoting.
        You've been getting the answers to the questions you ask.

        Q - Why does ISA produce a "500" error for my OWA rule?

        A1 - the certificate installed on ISA must be issued by a CA that is in the local machine trusted root store.  This is equivalent to the IE "The security certificate is from an untrusted certifying authority" popup.  Install the CA cert in the ISA trusted root store.  If ISA has the CA certificate installed in the local machine trusted root store, this error will stop.  This error will cease if the CA cert is installed in the ISA local machine trusted root store. Install the CA certificate in the local machine trusted roots store and this error will stop.

        A2 - the common name in the certificate does not match the data in the "server" field of the "To" tab in the web publishing rule.  ISA gives you a "target principal name is incorrect" in this case.  This is equivalent to the IE "The name on the security certificate is invalid or does not match the name of the site" error.  Change the data in the "server" field of the "To" tab in the web publishing rule to match the common name in the certificate.  If you use the same data in the "server" field of the "To" tab of the web publishing rule as found in the Exch cert common name, this error will cease.  This error will stop if the "server" field in the "To" tab of the web publishing rule matches the common name of the certificate installed on the Exchange server.

        A3 - the certificate errors have *nothing* to do with the path portion of either the client request or the web publishing rule.  The path portion of the web publishing rule is not in any way affecting ISA server's ability to acquire or evaluate the certificate offered by the Exch server.  The certificate offered by the Exch server has no relationship to the path data in the web publishing rule.  There are no errors related to the certificate offered by the web publishing rule and the path specified in the rule or requested by the client.  There is nothing you can do to solve the non-existent errors that have no relationship between these two things.

        Go back and re-read the relevant sections in the book, articles and KBs related to certificates and ISA server.
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: Friday, May 26, 2006 7:53 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
        
        Dynip.com will not allow me to obtain a Certificate from VeriSign or any other public, trusted CA and apply it to our DDNS name (company.dynip.com)

        If I have to get a certificate from VeriSign or any other public, trusted CA, I will have to get a static IP.

        BTW, I'm just wondering why most of the help I get on this discussion list is so convoluted? When I ask a question, I never get a direct answer, it's always some obscure, sometimes pretentious, sarcastic statement.

        I really appreciate the free advice given here by you highly trained experts on ISA, but for those of us who are rookies and are just trying to get ISA working like it should, those of us who do not have an IQ of 200, need something more. If someone asks, "How do you get such and such a function to work right?", someone should be able to say, "Do this, this, this, then that, then you should be fine." Or at least give a direct link to a tutorial, whitepaper, tech note, whatever. Instead of getting an answer like, "It's right there on the website."

        This is what I need to know:
        The certificate for my EXCHANGE box is installed on the ISA box - I exported it from the EXCHANGE box and imported it into ISA. Is this not good enough? All I want to know at this point is - can I use a certificate created by an internal network CA for RPC over HTTP from the outside world, or not. Do I have to have a 3rd party (ie: VeriSign) certificate to get RPC over HTTP working from the outside? If so, I will go get a static IP, get a registered domain name for that IP, get the certificate, and be done with it.

        But since OWA works fine with a certificate issued on my internal network CA, why can't RPC over HTTP? I would like to know the WHY.

        Thanx,

        -TRogers
        
        
        ________________________________
        
        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
        Sent: Fri 5/26/2006 4:44 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RCP over HTTP Assistance needed

        http://www.ISAserver.org
        -------------------------------------------------------
        
        "Dynip.com will not allow certificates to be assigned to their
customer
        DNS records"?!?
        
        Can you clarify this?
        Certificates are not assigned to DNS records at all.
        Are you saying that they don't support redirection to HTTPS?
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: Friday, May 26, 2006 1:11 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RCP over HTTP Assistance needed

        http://www.ISAserver.org
        -------------------------------------------------------
        
        OWA is working fine - no issues at all.

        The certificate for the EXCHANGE box is installed on the ISA box - I exported it from EXCHANGE and imported it into ISA. Is this not good enough?

        And I was not recv'ing any error messages, not in the Event logs, not on the screen, etc. The ONLY error I recv'd was "Your Exchange Server is offline or not available." Not even any error messages in the Outlook Client Connections box. If I had error messages coming at me, I would be looking at the docs and KBs - no problem.

        I'm not totally pathetic. ISA is the ONLY software I have had any trouble mastering. I have read TShinder's books, MS TechNet, White Papers, etc and ISA know-how still eludes me for some reason.

        So basically, in order to use RPC over HTTP from the outside I need to obtain a 3rd party certificate from VeriSign or someone like that in order for this to work?

        If that is the case, I will also have to get a static IP because Dynip.com will not allow certificates to be assigned to their customer DNS records.

        -TRogers
        
        
        > -----Original Message-----
        > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        > Sent: Friday, May 26, 2006 3:47 PM
        > To: isalist@xxxxxxxxxxxxx
        > Subject: [isalist] Re: RCP over HTTP Assistance needed
        >
        > http://www.ISAserver.org
        > -------------------------------------------------------
        > 
        > There are *lots* of documents describing how to configure OWA with ISA.
        > You're hitting the most common failures; that of not matching the certificate name to the request.
        >
        > There are *lots* of documents & kbs that address the errors ISA is throwing at you - you're ignoring them by playing in the path when the errors are specifying "certificate".
        >
        > All those errors are what ISA considers to be a bogus cert.
        > ISA will not accept a certificate that:
        > - is not from a CA that ISA can find in the local machine trusted roots store
        > - does not match the hostname used in the "To" tab of the publishing rule
        >
        > ISA has no way to "ask the user" if he wants to allow a bogus certificate.
        >
        > -----Original Message-----
        > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        > Sent: Friday, May 26, 2006 12:37 PM
        > To: isalist@xxxxxxxxxxxxx
        > Subject: [isalist] Re: RCP over HTTP Assistance needed
        >
        > http://www.ISAserver.org
        > -------------------------------------------------------
        > 
        > Ok, I was not able to create a 2nd listener as the IP port used was the same (443). So I added the /Rpc/* folder onto the original secure OWA ISA rule - again.
        >
        > Still cannot get it to connect from the outside world. Client setup is verified accurate. Once again, with ISA 2004, I am clueless.
        >
        > This is the hardest to use/configure piece of software I have ever used in my life.
        >
        > I don't get it, RPC over HTTP works fine from the inside, which means it's ISA 2004, but what, where, how, when, why? I've no idea.
        >
        > Maybe - because I am using an SSL Certificate that was issued by a CA *INSIDE* my internal network, not a public CA, could this be the issue?
        > When I use OWA, I have to click YES on the security alert pop up message. This says:
        >
        > 1) The security certificate is from an untrusted certifying authority
        > 2) The security certificate date is valid
        > 3) The name on the security certificate is invalid or does not match the name of the site.
        >
        > On item #3, the Certificate has been issued to an internal server called EXCHANGE (name on the certificate) and in order to get to this box via the Internet/ISA 2004, the URL I use is company.dynip.com - which of course is not the same name as EXCHANGE.
        >
        > I'm lost...
        >
        > -TRogers
        >
        >
        > > -----Original Message-----
        > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        > > Sent: Friday, May 26, 2006 2:16 PM
        > > To: isalist@xxxxxxxxxxxxx
        > > Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > > http://www.ISAserver.org
        > > -------------------------------------------------------
        > > 
        > > Yes.
        > > From my boat somewhere in Texas
        > >
        > > -----Original Message-----
        > > From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
        > > Sent: 5/26/06 1:00:04 PM
        > > To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
        > > Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > > Tom,
        > >
        > > Should the Authentication on the new listener be BASIC?
        > >
        > > -TRogers
        > >
        > >
        > >
        > > ________________________________
        > >
        > >     From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        > >     Sent: Friday, May 26, 2006 9:55 AM
        > >     To: isalist@xxxxxxxxxxxxx
        > >     Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > >     You can't use FBA on the same listener that the RPC/HTTP WPR uses.
        > >
        > >     Tom
        > >
        > >     Thomas W Shinder, M.D.
        > >     Site: http://www.isaserver.org/
        > >     Blog: http://blogs.isaserver.org/shinder/
        > >     Book: http://tinyurl.com/3xqb7
        > >     MVP -- ISA Firewalls
        > >
        > >    
        > >
        > >
        > > ________________________________
        > >
        > >             From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        > >             Sent: Friday, May 26, 2006 8:19 AM
        > >             To: isalist@xxxxxxxxxxxxx
        > >             Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > >             Ok - duh had a brain cramp.
        > >
        > >             Anyway - it works fine internally - so it has to be my ISA rule. Now, how do I correct that? Is it possible for me to use the current OWA access rule that I have in place and just add the /RPC/* folder to the list or what?
        > >             Below is how my rule is setup for OWA and RPC over HTTP...
        > >
        > >             General - Company OWA (Enable)
        > >             Action - Allow (Log Requests)
        > >             From - Anywhere
        > >             To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
        > >             Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure HTTP - all defaults)
        > >             Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based; Always Authenticate - No; Domain - Company.net)
        > >             Public Name - company.dynip.com (Requests for the following websites)
        > >             Paths - /exchange/*   /exchweb/*   /public/*   /Rpc*   /RpcWithCert*
        > >             Bridging - Web Server, Redirect SSL to 443 (Only)
        > >             Users - All Users
        > >             Schedule - Always
        > >             Link Translation - Defaults
        > >
        > >             Thanx,
        > >
        > >             -TRogers
        > >            
        > >            
        > >
        > >
        > > ________________________________
        > >
        > >                     From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        > >                     Sent: Thursday, May 25, 2006 4:06 PM
        > >                     To: ISA Mailing List
        > >                     Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > >                     You change the connection type within the properties of the Outlook profile.
        > >
        > >                     S
        > >
        > >                    
        > >
        > > ________________________________
        > >
        > >                     From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        > >                     Sent: Thursday, May 25, 2006 4:59 PM
        > >                     To: ISA Mailing List
        > >                     Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > >                     Not sure how to connect internally using HTTPS with Outlook 2003. OWA works fine internally. I can browse to the RPC virtual server on the intranet and I can connect fine (as per Microsoft's instructions)
        > >
        > >                     Security policies are fine.
        > >
        > >                     -TRogers
        > >
        > >                    
        > >
        > > ________________________________
        > >
        > >                     From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
        > >                     Sent: Thu 5/25/2006 3:40 PM
        > >                     To: isalist@xxxxxxxxxxxxx
        > >                     Subject: [isalist] Re: RCP over HTTP Assistance needed
        > >
        > >                     http://www.ISAserver.org
        > >                     -------------------------------------------------------
        > >
        > >                     Tom,
        > >
        > >                     Did you try connecting internally to your mailbox using RPC/HTTPS? Does that work?
        > >
        > >                     Also, check the Network security: LAN Manager authentication level in the security policy on both the server and the client(s).  Are they compatible?
        > >
        > >                     Cordially yours,
        > >                     Jerry G. Young II
        > >                       MCSE (4.0/W2K)
        > >                     Atlanta EES Implementation Team Lead
        > >                     ECNS Microsoft Engineering
        > >                     Unisys
        > >
        > >                     11493 Sunset Hills Rd.
        > >                     Reston, VA 20190
        > >                     Office: 703-579-2727
        > >                     Cell: 703-625-1468
        > >                   
        > >                   
        > >                     -----Original Message-----
        > >                     From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        > >                     Sent: Thursday, May 25, 2006 11:49 AM
        > >                     To: isalist@xxxxxxxxxxxxx
        > >                     Subject: [isalist] RCP over HTTP Assistance needed
        > >
        > >                     http://www.ISAserver.org
        > >                     -------------------------------------------------------
        > >                    
        > >                     Ok, I have been trying to implement RPC over HTTP so that my road warrior users can connect to the internet then use Outlook 2003 without VPN. Things have not gone as expected, I keep getting a "Microsoft Exchange Server is unavailable" error message. Looking at the Connection Status when trying to connect Outlook 2003 to the Exchange server, I get the following...
        > >
        > >                     SERVER                  TYPE        CON    STATUS
        > >                     ------                  ----        ---    ------
        > >                     ----                    Directory   ----   Connecting
        > >                     server.internal.net     Referral    ----   Connecting
        > >
        > >                     Then these disappear and I get the "Microsoft Exchange Server is unavailable" error.
        > >                   
        > >                   
        > >                     I walked through all of Microsoft's troubleshooting steps and using RPCDUMP.EXE on the Exchange box, this is what I found...
        > >
        > >                     ncacn_http(Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)
        > >
        > >                     192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
        > >                     192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
        > >                     192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
        > >                     192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
        > >                     192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
        > >                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
        > >                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
        > >                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
        > >                     192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
        > >                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
        > >                   
        > >                     Ok so let me start at the beginning now...
        > >
        > >                     ENVIRONMENT
        > >                     -----------
        > >                     (OUTSIDE WORLD)          (PERIMETER)              (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
        > >
        > >                     Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
        > >                      XP SP-2                     W2K3 SP-1                W2K3 SP-1                   \
        > >                                                                                                        --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
        > >                   
        > >                     How I setup RPC over HTTP (Server Side)...
        > >                     ---------------------------------------
        > >                     1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
        > >                             On my Exchange server (my ONLY one) I installed the RPC over HTTP component from the Add/Remove Programs - Windows Components
        > >
        > >                     2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
        > >                             In Internet Information Services (IIS) Manager, right-click the RPC virtual directory, and then click Properties.
        > >                             In the RPC Virtual Directory Properties page, on the Directory Security tab, in the Authentication and access control pane, click Edit.
        > >
        > >                             In the Authentication Methods window, verify that the check box next to Enable anonymous access is cleared.
        > >                             In the Authentication Methods window, under Authenticated access, select the check box next to Basic authentication and click OK to warning
        > >                             I did NOT choose Integrated Windows authentication (NTLM) because of the following:
        > >                                     It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM - it doesn't support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy, which inserts via the pragma in the HTTP header, NTLM authentication will not work.
        > >                             I saved my settings
        > >                             I have a valid SSL certificate installed on the virtual server (for OWA in the first place)
        > >
        > >                     3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
        > >                             Expand Web Sites, expand Default Web Site, right-click RPC, and then click Properties.
        > >                             Click the Directory Security tab, and then click Edit under Secure communications.
        > >                             Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box.
        > >                             Click OK, click Apply, and then click OK
        > >
        > >                     4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER HTTP
        > >                             On the RPC proxy server, (my only Exchange Server box) start Registry Editor (Regedit).
        > >                             In the console tree, locate the following registry key:
        > >                             HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
        > >                             In the details pane, right-click the ValidPorts subkey, and then click Modify.
        > >                             In Edit String, in the Value data box, type the following information:
        > >                             ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
        > >                                             If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use the internal FQDN.
        > >                                             (My external FQDN is company.DYNIP.COM (We use Dynip.com Dynamic DNS service)
        > >
        > >                     5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry (NSPI interface protocol sequences - ncacn_http:6004)
        > >
        > >                     5) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
        > >                             Done according to instructions in this link - //tinyurl.com/frarn
        > >
        > >                     6) Finally I changed my current OWA SSL ISA 2004 rule to include the /RPC* folders (along with the /exchange/*; /exchweb/*; /public/* folders.
        > >                             I did this because OWA and RPC over HTTP are on the SAME server using the same SSL certificate (I installed an internal CA to issue the certificate for the OWA server. Users have to click YES to accept (Trust) the certificate, but it works fine.)
        > >
        > >                     I am thinking it is either my ISA 2004
        > > rule or that I may need to move
        > >                     my RPC over HTTP Proxy (IIS) to the ISA
        > > 2004 box. No matter which one it
        > >                     is, could someone explain in detail,
        > > the steps to do either? I do not
        > >                     have IIS installed on my ISA 2004 box.
        > > Please let me know if there are
        > >                     any "Gotcha's" also.
        > >                   
        > >                     Thanks for any help in solving this.
        > >                   
        > >                     -Tom Rogers
        > >   
        > > ------------------------------------------------------
        > >                     List Archives:
        > > //www.freelists.org/archives/isalist/
        > >                     ISA Server Newsletter:
        > > http://www.isaserver.org/pages/newsletter.asp
        > >                     ISA Server Articles and Tutorials:
        > >
http://www.isaserver.org/articles_tutorials/
        > >                     ISA Server Blogs:
http://blogs.isaserver.org/
        > >   
        > > ------------------------------------------------------
        > >                     Visit TechGenix.com for more
        > > information about our other sites:
        > >                     http://www.techgenix.com
<http://www.techgenix.com/> 
        <http://www.techgenix.com/>
        > > <http://www.techgenix.com/>
        > >   
        > > ------------------------------------------------------
        > >                     To unsubscribe visit
        > > http://www.isaserver.org/pages/isalist.asp
        > >                     Report abuse to listadmin@xxxxxxxxxxxxx
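An added check for the ValidPorts value described in step 4 of the quoted message (example code, not from anyone in this thread): it parses each host:port or host:port-port entry, confirms that the short name and the internal FQDN both cover 6001, 6002 and 6004, and flags malformed entries or hosts the proxy would relay to that you did not expect. The host names and the ValidPorts string in the usage call are constructed placeholders.

```powershell
# Added example (not from the thread). Validates the RpcProxy ValidPorts
# string from step 4 above: every entry must be host:port or host:port-port,
# and both the NetBIOS name and the internal FQDN must cover 6001, 6002, 6004.
function Test-RpcProxyValidPorts {
    param(
        # Defaults to the live value on the RPC proxy server.
        [string]$ValidPorts = (Get-ItemProperty `
            -Path 'HKLM:\Software\Microsoft\Rpc\RpcProxy' -Name ValidPorts).ValidPorts,
        [string[]]$ExpectedHosts,           # short name and internal FQDN
        [int[]]$RequiredPorts = @(6001, 6002, 6004)
    )
    $covered  = @{}   # host -> set of ports the proxy is allowed to forward to
    $problems = @()
    foreach ($entry in ($ValidPorts -split ';' | Where-Object { $_ -ne '' })) {
        if ($entry -notmatch '^(?<host>[^:]+):(?<lo>\d+)(-(?<hi>\d+))?$') {
            $problems += "Malformed entry: '$entry'"
            continue
        }
        $hostName = $Matches.host
        $lo = [int]$Matches.lo
        $hi = if ($Matches.hi) { [int]$Matches.hi } else { $lo }
        if ($hi -lt $lo) { $problems += "Inverted range: '$entry'"; continue }
        if (-not $covered.ContainsKey($hostName)) { $covered[$hostName] = @{} }
        $lo..$hi | ForEach-Object { $covered[$hostName][$_] = $true }
    }
    foreach ($h in $ExpectedHosts) {
        if (-not $covered.ContainsKey($h)) { $problems += "No entry for host '$h'"; continue }
        $missing = $RequiredPorts | Where-Object { -not $covered[$h].ContainsKey($_) }
        if ($missing) { $problems += "Host '$h' is missing port(s): $($missing -join ', ')" }
    }
    # Any extra host widens what the proxy will relay to; review it.
    $unexpected = $covered.Keys | Where-Object { $ExpectedHosts -notcontains $_ }
    if ($unexpected) { $problems += "Unexpected host(s): $($unexpected -join ', ')" }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed placeholder values; replace with your own short name and internal FQDN.
Test-RpcProxyValidPorts `
    -ValidPorts 'EXCH01:6001-6002;exch01.corp.example:6001-6002;EXCH01:6004;exch01.corp.example:6004;' `
    -ExpectedHosts 'EXCH01', 'exch01.corp.example'
```

Run it without -ValidPorts on the RPC proxy server itself to test the registry value that is actually in place.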