RE: ISA Server 2004 / Publish RPC over HTTPS

  • From: "Aman Bedi" <gurkirpal.bedi@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 16 Sep 2004 16:10:21 -0400

Wow!!!
And I thought my problems were big.

I have hope in our experts !

Scanbuy Inc
Aman Bedi | Systems/Network Administrator
54 West 39th Street, 4th Floor, New York, NY 10018 | Fax +1(212) 202-4318 |
Phone +1(212) 278-0178 ext 234 | www.scanbuy.com 



-----Original Message-----
From: Mustafa Cicek [mailto:mbcicek@xxxxxxxxx] 
Sent: Thursday, September 16, 2004 5:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Server 2004 / Publish RPC over HTTPS

http://www.ISAserver.org

Hi all!

I have a big problem with RPC over HTTPS.
I want to say first off all that I have checked all certificate
configuration. There is no problem with certificates.

I have the following network for my test lab:

INTERNET <> NETSCREEN FIREWALL 1 <> ISA Server 2004 <> NETSCREEN FIREWALL 2 <> INTERNAL NETWORK with Exchange front-end + Exchange back-end and Global Catalog server.

My steps were:
1) I installed the Exchange front-end as RPC proxy.
2) All mailboxes and public folders are on the Exchange back-end.
3) I installed my own Certificate Authority on the Global Catalog server (also Domain Controller). It is an Enterprise Root Certificate Authority.
4) I created a certificate for the web site on the front-end because of OWA and RPC over HTTPS. The common name on the certificate is owa.intra.exchtest.net.
5) I copied the same certificate to the ISA server and also exported the private key.
6) On the ISA server I created publishing for OWA and RPC over HTTPS.
7) I installed the CA certificate and the owa.intra.exchtest.net certificate on the client computers which will access Exchange services.
8) The clients are located in the Internet, not in the LAN!
9) I also have internal clients in the lab.
10) I configured the front-end (not the back-end) for RPC over HTTPS and also for OWA.
11) NETSCREEN FIREWALL 2 has NAT for the Exchange front-end. The Exchange front-end has the NAT IP address 213.183.4.116.
12) I configured the HOSTS file on the ISA server so that it maps the name to the NAT IP address of the front-end:
213.183.4.116     owa.intra.exchtest.net
13) The external DNS has the name record owa.intra.exchtest.net that points to the external IP address of the ISA server: 213.183.4.125.

Tests:
I have tested until now only two kinds of client access: Outlook Web Access (OWA) and RPC over HTTPS.
1) I tried OWA on external and internal clients to connect to Exchange: they are SUCCESSFUL. No certificate warning, nor error!
2) I tried RPC over HTTPS on internal clients to connect to Exchange: it is SUCCESSFUL.
3) I tried RPC over HTTPS on external clients to connect to Exchange: it is NOT successful.

My configuration for RPC over HTTPS on the client:
1) On the client computer I typed owa.intra.exchtest.net as the Exchange Server.
2) On the client computer, in the proxy field I have also typed owa.intra.exchtest.net. Also under msstd I have written owa.intra.exchtest.net.

Protocols:
If I try RPC over HTTPS on an external client computer to connect to Exchange, I cannot connect to the Exchange server. I have listed below the ISA server protocol for this connection:

https..Initiated Connection.. (Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS)
https..Denied (Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS)
Connection..RPC_OUT_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:[593 or 6001-6004 depending on attempt]
https..Denied (Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS)
Attempt..RPC_IN_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:[593 or 6001-6004 depending on attempt]

It is perhaps interesting to know:
EXCHBE: Exchange back-end.
W3KDC: Global Catalog/Domain Controller.
On the Exchange front-end I looked at the ValidPorts in the registry:
exchbe.intra.exchtest.net:6001-6002;EXCHBE:6004;exchbe.intra.exchtest.net:6004;

Then I added the following ports to ValidPorts, but I don't know if I really need them?!:
EXCHBE:593;exchbe.intra.exchtest.net:593;W3KDC:6004;w3kdc.intra.exchtest.net:6004;W3KDC:593;w3kdc.intra.exchtest.net:593;

If I stop and start the Exchange services on the front-end, the modified ports (ValidPorts) are overwritten with the default ValidPorts above.

Now, here are the questions for the experts:
1) Why doesn't ISA apply the publishing rule? Why does the standard rule deny the connection?
2) Is the name of the server that is typed in the Exchange Server field (on the client computer) correct? Must this name be the back-end or the front-end server?
3) Why are the modified ValidPorts overwritten? Do I need port 593 under ValidPorts?
4) Is my entry in the HOSTS file on ISA correct?

I hope the problem is clear for you.
I HOPE also for solution tips!!!!

Best Regards
Mustafa
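The RPC proxy (rpcproxy.dll on the front-end) forwards only to host:port pairs listed in its ValidPorts value, so one quick diagnostic is to parse that string and test the targets that appear in the logged rpcproxy.dll query strings against it. The checker below is an added example, not code from the post or from Microsoft; it uses the ValidPorts strings and URLs quoted above as constructed input and assumes hostnames match case-insensitively.

```python
import re
from urllib.parse import urlsplit

# Constructed from the values quoted in the post above (not read from a live registry).
DEFAULT_VALID_PORTS = "exchbe.intra.exchtest.net:6001-6002;EXCHBE:6004;exchbe.intra.exchtest.net:6004;"
ADDED_VALID_PORTS = ("EXCHBE:593;exchbe.intra.exchtest.net:593;W3KDC:6004;"
                     "w3kdc.intra.exchtest.net:6004;W3KDC:593;w3kdc.intra.exchtest.net:593;")
# Logged rpcproxy.dll URLs from the post, bracketed placeholder expanded to single ports.
LOGGED_URLS = [
    "http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:593",
    "http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:6001",
    "http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa.intra.exchtest.net:6004",
]

_ENTRY = re.compile(r"^(?P<host>[^:;\s]+):(?P<lo>\d+)(?:-(?P<hi>\d+))?$")

def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into (host, lo, hi) tuples.
    Hosts are lower-cased (assumption: hostname match is case-insensitive);
    a malformed entry raises instead of being skipped silently."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:            # tolerate the trailing ';' the value ends with
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {raw!r}")
        lo, hi = int(m.group("lo")), int(m.group("hi") or m.group("lo"))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {raw!r}")
        entries.append((m.group("host").lower(), lo, hi))
    return entries

def is_allowed(entries, host, port):
    """True if some ValidPorts entry covers host:port."""
    return any(h == host.lower() and lo <= port <= hi for h, lo, hi in entries)

def proxy_target(url):
    """(host, port) taken from an rpcproxy.dll URL's '?host:port' query string."""
    host, _, port = urlsplit(url).query.rpartition(":")
    return host, int(port)

def check_targets(valid_ports, urls):
    """Map each logged URL to whether ValidPorts permits its target."""
    entries = parse_valid_ports(valid_ports)
    return {u: is_allowed(entries, *proxy_target(u)) for u in urls}
```

Run against the quoted values, `check_targets(DEFAULT_VALID_PORTS + ADDED_VALID_PORTS, LOGGED_URLS)` returns False for every logged URL, because none of the entries names owa.intra.exchtest.net, the host the client is asking the proxy to reach.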
