RE: RPC over HTTP using ISA Server 2004 SP1 and Exchange 2003 SP1

Something else.

Is this your own CA?

Did you also import the root cert as well as the server cert?

You said that this works when you are VPN'd in....that could say that
the root cert is available and not when the VPN is not connected.

 

Ted Doholis
SaltSpring Software Inc.

________________________________

From: Chris Foster [mailto:Chris.Foster@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, April 24, 2005 5:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP using ISA Server 2004 SP1 and
Exchange 2003 SP1

 

http://www.ISAserver.org

Hi Ted,

 

I am connecting to the same backend box (no front-end server in this
scenario).  I can connect over the internet using OWA via the ISA box
and all is good...  I also verified my certs too, all is good there...
I can connect using OWA and not get any cert prompts, etc.  Everything
works with the exception of RPC over HTTP when I am coming in from the
internet (unless I am vpn'd in) external DNS uses the same name as
internal DNS, external dns for exchange.domain.com points to the ISA
2004 SSL listener running on 443.  The listener is using the same cert
as the exchange server, I exported it from the exchange server and
imported it into the ISA 2004 box for the SSL listener to use...  


Weird...

Thanks for your response and help...!!


Chris.

 

________________________________

From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx]
Sent: Sat 4/23/2005 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP using ISA Server 2004 SP1 and
Exchange 2003 SP1

The issue sounds like it happens because you are connecting internally
and over VPN to a back end server and then when coming over the net you
are trying to connect to a different (front end) server.

Also the certificate would be different for the front end and back end
server...so if this works inside and not outside then you may have a
problem with a certificate mis-match.

I would try using the same server whether inside and outside.

Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Chris [mailto:chris@xxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, April 23, 2005 2:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RPC over HTTP using ISA Server 2004 SP1 and Exchange
2003 SP1

Hi All,

I am having issues with RPC over HTTP working properly through my ISA
2004 server.  I have my ISA 2004 server configured as an edge firewall
with two NIC's, one Public WAN NIC, and one private LAN NIC.  NAT is
enabled on the box to provide internet access to LAN clients.  I have a
box setup that is acting as a DC/GC, Exchange 2003 SP1 mailbox server,
RPC Proxy Server, and RPC over HTTP Backend Exchange server. HTTP over
RPC works fine via VPN and internally, so I think my backend box is
provisioning RPC over HTTP properly.   When I attempt to connect over
the internet using RPC over HTTP via my ISA 2004 box, it takes about 90
seconds to be presented with an authentication box, then the connection
simply fails.  OWA (using SSL) works fine going through the ISA 2004
box.  I can also hit the /rpc virtual directory using SSL going through
my ISA box too.  Upon reviewing the ISA logs I am receiving "Failed
Connection Attempt" and "0xa03" error information codes.  Here are some
entries from my ISA log file showing the activity over ports 593, 6002,
and 6004.

4/23/2005 12:03 68.53.163.32    192.168.10.1    443     https   Failed Connection Attempt RPC over HTTP    Domain\Username External                RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:593 0xa03   0.0.0.0 ISA     server.domain.com       TCP     -       -       Yes     Reverse Proxy                   -       -       0       64      MSRPC   Internet        -       -               350     0       413     0x8     Web Proxy Filter

4/23/2005 12:01 68.53.163.32    192.168.10.1    443     https   Failed Connection Attempt RPC over HTTP    Domain\Username External                RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:6002 0x203   0.0.0.0 ISA     server.domain.com       TCP     -       -       Yes     Reverse Proxy                   -       -       0       64      MSRPC   Internet        -       -               1422    0       414     0x8     Web Proxy Filter

4/23/2005 12:03 68.53.163.32    192.168.10.1    443     https   Failed Connection Attempt RPC over HTTP    Domain\Username External                RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:6004 0xa03   0.0.0.0 ISA     server.domain.com       TCP     -       -       Yes     Reverse Proxy                   -       -       0       64      MSRPC   Internet        -       -               341     0       414     0x8     Web Proxy Filter



Traffic is getting to the Exchange/RPC Proxy server as indicated by its
log files:

2005-04-23 02:51:53 192.168.10.1 RPC_IN_DATA /rpc/rpcproxy.dll
server.domain.com:6002 443 domain\username 68.53.163.32 MSRPC 200 0 0

2005-04-23 02:51:53 192.168.10.1 RPC_OUT_DATA /rpc/rpcproxy.dll
server.domain.com:6002 443 domain\username 68.53.163.32 MSRPC 200 0 0

Again, both OWA and RPC over HTTP work just fine when connecting via a
VPN connection.  OWA works fine when connecting over the internet with
or without a VPN connection.  Everything works great with the exception
of RPC over HTTP when coming in over the internet without using a VPN
connection.  I am bridging SSL, not terminating and redirecting to port
80.  I can use the same laptop computer and connect to RPC over HTTP
internally and via VPN, but using this same laptop the connection fails
when coming in over the internet when a VPN connection is not used..???

Thanks in advance for the help, I have log files and a diagram of my
network that I can send you.  This is a test lab where I am kicking the
tires around on ISA 2004.

Chris.
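
A triage script for the two log excerpts in the original message above, added here as an example and not part of the thread: it groups the ISA "Failed Connection Attempt" entries by the backend port named in the rpcproxy.dll query and sets them beside what the RPC proxy's own log recorded for that port. The column positions are assumed from the pasted lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: entries quoted in the post, wrapped lines rejoined and the
# ISA rows cut after the result-code column (abridged for this example).
ISA_LOG = r"""
4/23/2005 12:03 68.53.163.32 192.168.10.1 443 https Failed Connection Attempt RPC over HTTP Domain\Username External RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:593 0xa03
4/23/2005 12:01 68.53.163.32 192.168.10.1 443 https Failed Connection Attempt RPC over HTTP Domain\Username External RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:6002 0x203
4/23/2005 12:03 68.53.163.32 192.168.10.1 443 https Failed Connection Attempt RPC over HTTP Domain\Username External RPC_IN_DATA http://server.domain.com:443/rpc/rpcproxy.dll?server.domain.com:6004 0xa03
"""
IIS_LOG = r"""
2005-04-23 02:51:53 192.168.10.1 RPC_IN_DATA /rpc/rpcproxy.dll server.domain.com:6002 443 domain\username 68.53.163.32 MSRPC 200 0 0
2005-04-23 02:51:53 192.168.10.1 RPC_OUT_DATA /rpc/rpcproxy.dll server.domain.com:6002 443 domain\username 68.53.163.32 MSRPC 200 0 0
"""

RPC_URL = re.compile(r"/rpc/rpcproxy\.dll\?(?P<host>[^:\s]+):(?P<port>\d+)")
HEX_CODE = re.compile(r"\b0x[0-9a-fA-F]+\b")

def isa_failures(text):
    """Backend RPC port -> set of result codes on ISA rows marked as failed."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = RPC_URL.search(line)
        if not m or "Failed Connection Attempt" not in line:
            continue
        # Assumption: the first hex token after the URL is the result code.
        code = HEX_CODE.search(line, m.end())
        out[int(m.group("port"))].add(code.group(0) if code else "?")
    return dict(out)

def iis_seen(text):
    """Backend RPC port -> {verb: HTTP status} from the RPC proxy's log lines."""
    out = defaultdict(dict)
    for line in text.splitlines():
        f = line.split()
        # Assumption: verb, URI stem and query are fields 3-5; status is third from last.
        if len(f) < 12 or f[4] != "/rpc/rpcproxy.dll":
            continue
        out[int(f[5].rsplit(":", 1)[1])][f[3]] = int(f[-3])
    return dict(out)

def triage(isa_text, iis_text):
    """One row per backend port: (port, ISA failure codes, proxy-side statuses)."""
    fails, seen = isa_failures(isa_text), iis_seen(iis_text)
    return [(p, sorted(fails.get(p, [])), seen.get(p, {}))
            for p in sorted(set(fails) | set(seen))]

if __name__ == "__main__":
    for port, codes, statuses in triage(ISA_LOG, IIS_LOG):
        print(port, codes, statuses or "no proxy-side entry in excerpt")
```

On the excerpts as posted, only port 6002 appears on both sides; 593 and 6004 show ISA failures with no matching proxy-side line in what was pasted.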



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tdoholis@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
