-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, November 17, 2005 7:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes
http://www.ISAserver.org
Oh; she is...
..until she starts to tell a story.
It's a verbal roller coaster if ever there was one...
:-0
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, November 17, 2005 17:49
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes
http://www.ISAserver.org
LOL! See, I was convinced that she was a very pleasant and
polite girl.
I'll get you back by enjoying her stories.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 7:39 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> I'll just wait till you come back in Jan and make you listen to my
> daughter tell a story...
> ..it's painful...
> :-p
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 17:27
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> Hi Jeff,
>
> Ho boy.
>
> That is a very old article that I really need to update. It was
> written in the days when you couldn't find information on how to
> confiugre RPC/HTTP anywhere on the Microsoft site, except for some
> cr*p references from the Office team (who understand
networking like I
> understand hog farming).
>
> Anyhow, the client configuration section in that article is weak at
> best, incompetant at closer to the truth. If you look at
the log file
> entries, you'll see that the connection is made to the
EXCHANGE2003BE
> machine, which is the malibox server, not the FE machine. I
showed the
> name of the FE Exchange Server because that is how the
client accesses
> the RPC/HTTP proxy, which was kind enough to find the name
of the BE
> Exchange Server, but I didn't show that process.
>
> So, my bad. The name of the RPC proxy should be put in the proxy
> sections, and the mailbox server should be placed in the
SERVER NAME
> section of the client.
>
> Jim can now beat we a Mullen noodle.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > Sent: Thursday, November 17, 2005 7:01 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: RPC over HTTP authentication woes
> >
> > http://www.ISAserver.org
> >
> > OK, since our favorite firewall has been exonerated, can I
> step into
> > OT land for a second and ask "would my likely suspect be
> the front end
> > exchange server?"
> >
> > I was going by this to configure outlook:
> > http://www.msexchange.org/tutorials/outlookrpchttp.html
> >
> > Thanks,
> > Jeff
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, November 17, 2005 7:13 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: RPC over HTTP authentication woes
> >
> > http://www.ISAserver.org
> >
> > ARRRGGG!
> >
> > I should have realized the fact that 99% of the time its
not an ISA
> > firewall problem!
> >
> > Thanks for the update.
> >
> > Jim wins again :)
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> > > -----Original Message-----
> > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > Sent: Thursday, November 17, 2005 4:33 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > >
> > > http://www.ISAserver.org
> > >
> > > I got it working, but I'm not sure precisely why it
> wasn't working.
> > >
> > > I noticed that there was nothing in the FE IIS logs going
> to the BE
> > > server.
> > >
> > > In my Outlook profile I changed the mailbox server to the
> > name of the
> > > BE server on which my mailbox physically resides and it worked!
> > > Previously, I
> > > had the FE server listed. I thought the FE would be able
> > to look up
> > > where the mailbox really is and redirect me. Is this what
> > is supposed
> > > to happen?
> > >
> > > Jeff
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, November 17, 2005 4:08 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > >
> > > http://www.ISAserver.org
> > >
> > > Nah - that's a 500 response from ISA.
> > > What does the IIS log contain for the "RPC_IN_DATA" connections?
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, November 17, 2005 13:03
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > >
> > > http://www.ISAserver.org
> > >
> > > My guess is that the To tab and the certs don't match up.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 2:56 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > That code is a WinError:
> > > > "The specified network name is no longer available"
> > > >
> > > > This means the connection between the ISA and the
Exch has been
> > > > broken.
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 12:51
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > The ISA log has 64 for HTTP status code and 0xa03 for error
> > > > information.
> > > > there's just a "-" in the filter information field.
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 3:33 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > What's the code for the "failed" connection?
> > > > What's in the "Filter data" field for the failed connection?
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 12:27
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > I'm seeing 200's in the W3SVC1 logs on the Exchange front
> > > end server.
> > > >
> > > > On the ISA server logs I see two "initated connection"
> > > HTTPS entries
> > > > from ISA to FE.
> > > >
> > > > These are immediately followed by the "allowed connection"
> > > > (RPC_OUT_DATA) and "failed connection" (RPC_IN_DATA)
> attempt log
> > > > entries from my "RPC over HTTP" rule.
> > > >
> > > > Finally, two "Closed connection" entries for the HTTPS
> > connections.
> > > >
> > > > Then the whole thing repeats as it tries to connect again.
> > > >
> > > > I'm thinking something is still screwed up with my ISA
> > > configuration;
> > > > RPC over HTTP is working internally.
> > > >
> > > > Jeff
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 11:44 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > ..maybe - it depends on the error code.
> > > > If you're seeing "200", then it's coming from the Exch server.
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 07:50
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > same rule; is the data in the error code information column
> > > on the ISA
> > > > logs the value it is getting back from rpcproxy.dll?
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 6:15 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Unless you see different rules quoted for each, now you're
> > > > troubleshooting Exchange...
> > > > ..
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 15:12
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Thanks Jim, I knew 200 was a good thing, so hoped I was
> > making some
> > > > progress.
> > > >
> > > > I'm running outlook with the rpcdiag switch on the client.
> > > > Upon launching, Outlook prompts me for credentials and
> I and see
> > > > status of "connecting" for the exchange proxy and the
> > > directory in the
> > > > server connection status dialog.
> > > > These disappear after a little while and I get the
> "your exchange
> > > > server is unavailable" dialog.
> > > >
> > > > On the proxy server logs, I'm seeing "Failed Connection
> > Attempt" on
> > > > the RPC_IN_DATA queries and "Allowed Connection"
> > > > on the RPC_OUT_DATA URL.
> > > >
> > > > Jeff
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 5:39 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Er..
> > > >
> > > > Result codes of "200" are success codes.
> > > > What exactly is the client experience?
> > > > Whjat do you find in the ISA logs for those recent tests?
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 14:32
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Tom,
> > > >
> > > > I had it set for all users. I tried switching it to only
> > > > authenticated & forward basic authentication and did get
> > 200 result
> > > > codes in the front end server WWW logs, but it is
still failing.
> > > >
> > > > Thanks,
> > > > Jeff
> > > >
> > > > ________________________________
> > > >
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 4:50 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Jeff,
> > > >
> > > > Are you forcing authentication at the ISA firewall, or
> > does the Web
> > > > Publishing Rule allow access to "all users"?
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP
> > > > -- ISA Firewalls **Who is John Galt?**
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > > >
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Wednesday, November 16, 2005 3:42 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RPC over HTTP authentication woes
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > I have ISA 2004 sitting on the outside, with rules to
> > > allow RPC over
> > >
> > > > HTTP access to the Exchange FE server. I think this is all
> > > configured
> > > > OK.
> > > > RPC over HTTP is working OK internally. I also have OWA
> > > working using
> > > > a different listener (FBA).
> > > >
> > > > Whenever I try to make an external RPC
> connection it is failing.
> > > > I'm seeing my username shown in the ISA logs, but in the
> > > WWW logs for
> > > > the exchange proxy server I am seeing entries with
> > status 401.2 and
> > > > win32 error 2148074254, so I think something is wrong
> > with the user
> > > > authentication.
> > > > from the logs (with time/date and ip info removed):
> > > >
> > > > RPC_IN_DATA /rpc/rpcproxy.dll
> > > > frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2
> > > > 2148074254
> > > > RPC_OUT_DATA /rpc/rpcproxy.dll
> > > > frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2
> > > > 2148074254
> > > >
> > > > I have the RPC listener set to use basic authentication
> > > as well as
> > > > the exchange IIS rpc virtual directory. The RPC listener
> > > also has a
> > > > certificate bearing the FQDN of the exchange front end server.
> > > >
> > > > Any help appreciated. This might not be an ISA issue
> > > since I seem to
> > >
> > > > be reaching the internal Exchange proxy.
> > > >
> > > > Jeff
> > > >
> > > >
> > > > ------------------------------------------------------
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
