Wow!!! , And I thought my problems were big. I have hope in our experts ! Scanbuy Inc Aman Bedi | Systems/Network Administrator 54 West 39th Street, 4th Floor, New York, NY 10018 | Fax +1(212) 202-4318 | Phone +1(212) 278-0178 ext 234 | www.scanbuy.com PRIVILEGED & CONFIDENTIAL The information contained in this email message is intended only for use of the person or entity to whom it is addressed. The contained information is CONFIDENTIAL and LEGALLY PRIVILEGED and exempt from disclosure under applicable laws. If you read this message and are not the addressee, you are notified that use, dissemination or reproduction of this message is prohibited. If you have received this message in error, please notify the sender immediately. ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------------------------------- -----Original Message----- From: Mustafa Cicek [mailto:mbcicek@xxxxxxxxx] Sent: Thursday, September 16, 2004 5:07 PM To: [ISAserver.org Discussion List] Subject: [isalist] ISA Server 2004 / Publish RPC over HTTPS http://www.ISAserver.org Hi all! I have a big problem with RPC over HTTPS. I want to say first off all that I have checked all certificate configuration. There is no problem with certificates. I have the following network for my test lab: INTERNET <> NETSCREEEN FIREWALL 1 <> ISA Server 2004 <> NETSCREEN FIREWALL 2 <> INTERNAL NETWORK with Exchange front-end + Exchange back-end and Global Catalog server. My steps were: 1) I installed exchange front-end as RPC-proxy 2) All mailboxes and public folders are on exchange back-end 3) I installed an own Certificate Authority on Global Catalog server (also Domain Controller). It is Enterpreise Root Certificate Authority. 4) I created a certificate for the web site on front-end becauese of OWA and RPC over HTTPS. The common name on certificate is owa.intra.exchtest.net. 5) I copied the same certificate to ISA server and exported also private key. 6) On ISA server I created publishing for OWA and RPC over HTTPS. 7) I installed CA certificate and and owa.intra.exchtest.net certificate on the client computers which will access Exchange services. 8) The clients are located in Internet, not in LAN! 9) I have also internal clients in lab. 10) I configured front-end (not back-end) for RPC over HTTPS and also for OWA. 11) NETSCREEN FIREWALL 2 has NAT for Exchange front-end. Exchange front-end has the NAT IP address: 213.183.4.116. 12) I configured the HOSTS file on the ISA server that makes mapping on the NAT IP address of front-end: 213.183.4.116 owa.intra.exchtest.net 13) The external DNS has the name record owa.intra.exchtest.net that points the external IP address of ISA server: 213.183.4.125. Tests: I have tested until now only two client access: Outlook Web Access (OWA) and RPC over HTTPS. 1) I tried on external and internal clients OWA to connect Exchange: THey are SUCCESSFULL. No certificate Warning, nor error! 2) I tried on internal clients RPC over HTTPS to connect Exchange: It is SUCCESSFULL. 3) I tried on external clients RPC over HTTPS to connect Exchange: It is NOT successfull. My configuration for RPC over HTTPS on client: 1) On client computer I typed as Exchange Server owa.intra.exchtest.net. 2) On client computer, in proxy field I have typed also owa.intra.exchtest.net. Also under msstd I have written owa.intra.exchtest.net. Protocols: If I try on external client computer RPC over HTTPS to connect Exchange, I cannot connect to Exchange server. I have listed below the ISA server protocol for this connection: https..Initiated Connection.. (Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS) https..Denied ((Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS) Connection..RPC_OUT_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll ?owa.intra.exchtest.net:[593 or 6001-6004 depending on attempt] https..Deneid (Here is standard rule applied!!! Why? I have Publishing for RPC over HTTPS) Attempt..RPC_IN_DATA..http://owa.intra.exchtest.net:443/rpc/rpcproxy.dll?owa .intra.exchtest.net:[593 or 6001-6004 depending on attempt] It is perhaps interesting to know: EXCHBE: Exchange back-end. W3KDC: Global Catalog/Domain Controller. On Exchange front-end I looked at the ValidPorts in registry: exchbe.intra.exchtest.net:6001-6002;EXCHBE:6004;exchbe.intra.exchtest.net:60 04; Then I added the following ports to ValidPorts, but I don't know if I need them really?!: EXCHBE:593;exchbe.intra.exchtest.net:593;W3KDC:6004;w3kdc.intra.exchtest.net :6004;W3KDC:593;w3kdc.intra.exchtest.net:593; If I stop and start the the Exchange services on front-end, the modified ports (ValidPorts) are overwritten with the default ValidPorts above. Now , here are the questions for experts: 1) Why doesn't apply ISA the Publishing rule? Why does standard rule deny the connection? 2) Is the name of server where is typed on the field of Exchange Server (on client computer) correct? Must this name be back-end or frond-end server? 3) Why are modified ValidPorts overwritten? Do I need ports 593 under ValidPorts? 4) Is my entry in the HOSTS file on ISA correct? I hope the problem is clear for you. I HOPE also soulution tipps!!!! Best Regards Mustafa ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gurkirpal.bedi@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx