[isalist] Re: RPC over HTTP (Almost there...)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 25 Jun 2006 17:01:49 -0500

Hi Stefaan,
 
OK, so wildcard certs on the Web listener work. Got it.
 
They don't work on the back-end with ISA2004, but they do work in ISA
2006.
 
Thanks!
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
        Sent: Sunday, June 25, 2006 4:52 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        Hi Tom, 
         
        it is documented in
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx:
         
        I am publishing remote procedure call (RPC) over HTTP and getting
the error: 500 Internal Server Error - The target principal name is
incorrect, even though the name in the client request matches the name of
the certificate on the ISA Server computer.
         
        When you create a new Outlook profile, on the Connection tab of
Exchange Server Settings, you click Exchange Proxy Settings to specify
RPC over HTTP settings. In Use this URL to connect to my proxy server
for Exchange, ensure that you have typed the same name that appears on
the certificate. Select Mutually authenticate the session when
connecting with SSL, and then in Principal name for proxy server, again
type the name that appears on the common name of the certificate. For
example, if the common name is the FQDN used by clients to reach the
site, you will type it in the form msstd:common name. 

        If this error occurs and you are using a wildcard certificate,
ensure that the Principal name for proxy server Outlook setting is
defined as msstd:*.domain.com, and not server.domain.com. 

        
        HTH, 
        Stefaan

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Sunday, 25 June 2006 23:17
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        You'll need to use different listeners for the RPC/HTTP Web
Publishing Rule and the other Web sites, if Outlook 2003 doesn't like
wildcard certs (which is something I didn't know about before)
         
        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        MVP -- ISA Firewalls

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Sunday, June 25, 2006 3:44 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: RE: [isalist] Re: RPC over HTTP (Almost
there...)
                
                
                So if that's the case, the only thing we can publish
securely via ISA 2004 is RPC over HTTP / OWA. I need to publish websites
from other servers as well.
                 
                -TRogers
                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Stefaan
Pouseele
                Sent: Sun 6/25/2006 11:44 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                Hi Tom, 
                 
                Outlook 2003 does *not* support wildcard certificates
for RPC over HTTPS. So, to solve that problem either use a normal
certificate or make sure you specify '*.companyname.biz' as FQDN in the
'Principal name for proxy server' (msstd:*.companyname.biz) in the
Outlook 2003 Exchange Proxy Settings. 
                 
                HTH, 
                Stefaan

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Sunday, 25 June 2006 17:34
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W
Shinder
                Sent: Sun 6/25/2006 10:06 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                >Hi Tom,
                 
                >OK, 
                 
                > 1. What is the ACTUAL common/subject name on the Web
site certificate bound to the Web listener?
                *.companyname.biz
                 
                >2. What is the ACTUAL common/subject name on the
Exchange Web site?
                owa.companyname.biz
                 
                >3. What is the ACTUAL name on the Public Name tab?
                owa.companyname.com
                 
                >4. What is the ACTUAL name on the To tab?
                owa.companyname.com
                 
                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                MVP -- ISA Firewalls

                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                        Sent: Sunday, June 25, 2006 12:32 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: RE: [isalist] RPC over HTTP (Almost
there...)
                        
                        
                        I ran a filter on the ISA monitoring for the OWA
rule. This is what happens when I tried to authenticate 3 times...
                         
                        Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 312 0 326  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 15 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 156 1933 327  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                        0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002
                        
                        -TRogers

                         
________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of
Jim Harrison
                        Sent: Sat 6/24/2006 9:04 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: RE: [isalist] RPC over HTTP (Almost
there...)
                        
                        
                        Don't
                        Do 
                        It
                        <period>
                        It's a disaster waiting to happen.
                         
                        What's in the ISA logs for those attempts?
                        What's in the IIS logs for those attempts?
                        How did you create the OWA pub rule; manually or
via the Exch publishing weirdzard?
                         
                        BTW, I reviewed the case logs and spoke with the
engineer you worked with.
                        At no time was there any mention of making your
Exch server a DC/GC.

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of
Tom Rogers
                        Sent: Sat 6/24/2006 5:29 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] RPC over HTTP (Almost
there...)
                        
                        
                        I think I am so close to having this work that I
can taste it....anyway, my Outlook 2003 SP2 client (on Win XP Pro SP2)
keeps asking for user credentials - I can type them in a hundred times
(not that I did), but it keeps asking for my login credentials.
                         
                        My RPC Proxy is set for ONLY Basic
Authentication also. Any ideas? Everything is setup according to all the
docs you all have sent me. The only thing that I have not tried yet, is
to make my Exch box a DC/GC. That is next if no solution now.
                         
                        And I know you all said this is a BAD idea (Exch
box as DC/GC), but I have seen documentation from Microsoft AND Tom
Shinder's documentation (his lab example - although he does point out it
is not recommended).
                         
                        TIA,
                         
                        -TRogers
                         
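The thread turns on two different name checks: the usual TLS hostname match, under which a wildcard certificate for *.companyname.biz covers owa.companyname.biz, and the Outlook 2003 "Principal name for proxy server" (msstd:) comparison, which, as Stefaan's quoted TechNet text states, has to be given the certificate's common name literally (msstd:*.domain.com, not msstd:server.domain.com). The following is an added example, not code from the thread, from Microsoft or from ISA Server; it models both checks so an administrator can see why one passes and the other fails for the same wildcard certificate. The function names and the literal-comparison model of the Outlook 2003 check are assumptions based only on what the thread describes.

```python
"""Model of the two name checks discussed in the isalist thread.

Added example, not from the thread or any vendor code.  Assumptions:
 - tls_hostname_matches() implements RFC 2818-style wildcard matching
   (a '*' may stand in for the leftmost label only).
 - outlook2003_principal_ok() models the Outlook 2003 msstd: check as the
   thread describes it: the configured name is compared literally against
   the certificate's subject common name, so a wildcard CN only passes
   when the setting itself contains the wildcard.
"""
import re
from typing import Optional


def tls_hostname_matches(cert_cn: str, hostname: str) -> bool:
    """Standard TLS server-name check against a (possibly wildcard) CN."""
    cert_cn, hostname = cert_cn.lower(), hostname.lower()
    if not cert_cn.startswith("*."):
        return cert_cn == hostname
    suffix = cert_cn[1:]                 # "*.companyname.biz" -> ".companyname.biz"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the label the '*' must cover
    # Exactly one non-empty label: "owa" passes, "" and "mail.owa" do not.
    return leftmost != "" and "." not in leftmost


def parse_principal_name(setting: str) -> Optional[str]:
    """Extract <name> from an Outlook 'msstd:<name>' principal-name setting."""
    m = re.fullmatch(r"msstd:(\S+)", setting.strip(), flags=re.IGNORECASE)
    return m.group(1).lower() if m else None


def outlook2003_principal_ok(setting: str, cert_cn: str) -> bool:
    """Literal comparison of the msstd: name with the certificate CN
    (the Outlook 2003 behaviour described in the thread, modelled here)."""
    name = parse_principal_name(setting)
    return name is not None and name == cert_cn.lower()


def recommended_principal_setting(cert_cn: str) -> str:
    """The msstd: value the TechNet text quoted in the thread prescribes:
    whatever the certificate's common name is, wildcard included."""
    return f"msstd:{cert_cn.lower()}"


def diagnose(setting: str, cert_cn: str, hostname: str) -> dict:
    """Summarise both checks for one configuration."""
    return {
        "tls_name_ok": tls_hostname_matches(cert_cn, hostname),
        "principal_ok": outlook2003_principal_ok(setting, cert_cn),
        "recommended_setting": recommended_principal_setting(cert_cn),
    }


if __name__ == "__main__":
    # Constructed values mirroring the thread: wildcard cert on the ISA
    # listener, Outlook profile pointing at owa.companyname.biz.
    cert = "*.companyname.biz"
    for setting in ("msstd:owa.companyname.biz", "msstd:*.companyname.biz"):
        print(setting, diagnose(setting, cert, "owa.companyname.biz"))
```

Running the block shows the split the thread describes: the TLS check accepts owa.companyname.biz under the wildcard certificate in both cases, but the literal msstd: comparison only succeeds once the profile is set to msstd:*.companyname.biz.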
