[isalist] Re: RCP over HTTP Assistance needed

  • From: "Tom Rogers" <trogers@xxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 26 May 2006 13:55:52 -0400

Tom,
 
Should the Authentication on the new listener be BASIC?
 
-TRogers
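Editor's note on the listener question. The Outlook 2003 RPC-over-HTTP client sends RPC_IN_DATA and RPC_OUT_DATA requests to /rpc/rpcproxy.dll and can only authenticate to a 401 challenge (Basic inside the SSL tunnel, or NTLM). A forms-based listener answers an unauthenticated request with a redirect to its HTML logon page, which that client cannot complete, so it falls back to "Exchange Server is unavailable". In ISA 2004 a second web listener also needs its own external IP address (or a different port), since two listeners cannot share one IP:port pair. The Python script below is an added example for this archive page, not code from the thread, from Microsoft or from ISA: it sends the same unauthenticated RPC_IN_DATA request the client would and classifies the reply, and it runs the classifier over constructed sample replies. The host name, the CookieAuth.dll redirect shape and the sample headers are assumptions for illustration.

```python
"""Probe a published RPC-over-HTTP path the way Outlook's RPC proxy client does.

Added example for this archive page, not code from the thread. Outlook 2003
sends RPC_IN_DATA / RPC_OUT_DATA requests to /rpc/rpcproxy.dll and can only
authenticate to a 401 challenge (Basic inside the SSL tunnel, or NTLM). A
redirect or an HTML logon page means a forms-based listener is answering.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

RPC_PATH = "/rpc/rpcproxy.dll"


@dataclass
class Verdict:
    outcome: str  # basic-ok | ntlm-only | forms-auth | anonymous | other
    detail: str


def classify(status: int, headers: Dict[str, str]) -> Verdict:
    """Decide what an unauthenticated RPC_IN_DATA request was answered with."""
    h = {k.lower(): v for k, v in headers.items()}
    challenge = h.get("www-authenticate", "")
    # Scheme names precede any parameters ('Basic realm="x"'); several
    # WWW-Authenticate values may have been joined with commas by the client.
    schemes = {part.strip().split(" ", 1)[0].lower()
               for part in challenge.split(",") if part.strip()}
    if status == 401:
        if "basic" in schemes:
            return Verdict("basic-ok", "401 with a Basic challenge: the RPC client can log on")
        if schemes & {"ntlm", "negotiate"}:
            return Verdict("ntlm-only",
                           "401 offers only NTLM/Negotiate: may fail through an intermediate HTTP proxy")
        return Verdict("other", "401 without a usable challenge: %r" % challenge)
    if status in (301, 302, 303, 307):
        return Verdict("forms-auth",
                       "redirected to %r: a forms-based logon page is in the way" % h.get("location", ""))
    if status == 200 and "text/html" in h.get("content-type", "").lower():
        return Verdict("forms-auth", "200 with an HTML page instead of a challenge")
    if status == 200:
        return Verdict("anonymous", "200 with no challenge: anonymous access is still enabled on /rpc")
    return Verdict("other", "unexpected status %d" % status)


def probe(host: str, port: int = 443, server_spec: Optional[str] = None,
          verify_cert: bool = True) -> Verdict:
    """Send one unauthenticated RPC_IN_DATA request over SSL and classify the reply.

    server_spec is the 'mailboxserver:6001' query the real client appends.
    verify_cert=False is for an internal CA the probing box does not trust,
    as in the thread; it disables certificate checking for this test only.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    path = RPC_PATH + ("?" + server_spec if server_spec else "")
    conn.request("RPC_IN_DATA", path, headers={"Host": host, "Content-Length": "0"})
    resp = conn.getresponse()
    headers: Dict[str, str] = {}
    for name, value in resp.getheaders():  # merge repeated headers (several WWW-Authenticate)
        headers[name] = headers[name] + ", " + value if name in headers else value
    conn.close()
    return classify(resp.status, headers)


# Constructed sample replies (not captured from a real ISA server); the
# CookieAuth.dll redirect is the assumed shape of a forms-based listener's answer.
SAMPLES = {
    "basic listener": (401, {"WWW-Authenticate": 'Basic realm="company.dynip.com"'}),
    "fba listener": (302, {"Location": "https://company.dynip.com/CookieAuth.dll?GetLogon"}),
    "ntlm listener": (401, {"WWW-Authenticate": "Negotiate, NTLM"}),
    "anonymous vdir": (200, {"Content-Type": "application/rpc"}),
}


def check_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples: {name: outcome}."""
    return {name: classify(status, hdrs).outcome for name, (status, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print("%-16s -> %s" % (name, outcome))
    # Live use: print(probe("company.dynip.com", server_spec="exchange:6001", verify_cert=False))
```

Run it from outside the firewall against the published name: a `basic-ok` verdict is what an RPC/HTTP client needs; `forms-auth` means the request is still landing on the OWA forms-based listener. The probe deliberately sends no credentials, so it never exposes a password to a listener it has not yet identified.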
 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Friday, May 26, 2006 9:55 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RCP over HTTP Assistance needed
        
        
        You can't use FBA on the same listener that the RPC/HTTP WPR
uses.
         
        Tom
         
        Thomas W Shinder, M.D.
        Site: www.isaserver.org
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Friday, May 26, 2006 8:19 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RCP over HTTP Assistance needed
                
                
                Ok - duh had a brain cramp.
                 
                Anyway - it works fine internally - so it has to be my
ISA rule. Now, how do I correct that? Is it possible for me to use the
current OWA access rule that I have in place and just add the /RPC/*
folder to the list or what? Below is how my rule is set up for OWA and
RPC over HTTP...
                 
                General - Company OWA (Enable)
                Action - Allow (Log Requests)
                From - Anywhere
                To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
                Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure HTTP - all defaults)
                Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based; Always Authenticate - No; Domain - Company.net)
                Public Name - company.dynip.com (Requests for the following websites)
                Paths - /exchange/*   /exchweb/*   /public/*   /Rpc*   /RpcWithCert*
                Bridging - Web Server, Redirect SSL to 443 (Only)
                Users - All Users
                Schedule - Always
                Link Translation - Defaults
                 
                Thanx,
                 
                -TRogers
                 
                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                        Sent: Thursday, May 25, 2006 4:06 PM
                        To: ISA Mailing List
                        Subject: [isalist] Re: RCP over HTTP Assistance
needed
                        
                        

                        You change the connection type within the
properties of the Outlook profile.

                         

                        S

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                        Sent: Thursday, May 25, 2006 4:59 PM
                        To: ISA Mailing List
                        Subject: RE: [isalist] Re: RCP over HTTP
Assistance needed

                         

                        Not sure how to connect internally using HTTPS
with Outlook 2003. OWA works fine internally. I can browse to the RPC
virtual server on the intranet and I can connect fine (as per
Microsoft's instructions)

                         

                        Security policies are fine.

                         

                        -TRogers

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of
Young, Gerald G
                        Sent: Thu 5/25/2006 3:40 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: RCP over HTTP Assistance
needed

                        http://www.ISAserver.org
        
-------------------------------------------------------
                         
                        Tom,
                        
                        Did you try connecting internally to your
mailbox using RPC/HTTPS?  Does
                        that work?
                        
                        Also, check the Network security: LAN Manager
authentication level in
                        the security policy on both the server and the
client(s).  Are they
                        compatible?
                        
                        Cordially yours,
                        Jerry G. Young II
                          MCSE (4.0/W2K)
                        Atlanta EES Implementation Team Lead
                        ECNS Microsoft Engineering
                        Unisys
                        
                        11493 Sunset Hills Rd.
                        Reston, VA 20190
                        Office: 703-579-2727
                        Cell: 703-625-1468
                        
                        THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL
AND/OR OTHERWISE PROPRIETARY
                        MATERIAL and is thus for use only by the
intended recipient. If you
                        received this in error, please contact the
sender and delete the e-mail
                        and its attachments from all computers.
                        
                        -----Original Message-----
                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
                        On Behalf Of Tom Rogers
                        Sent: Thursday, May 25, 2006 11:49 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] RCP over HTTP Assistance
needed
                        
                         
                        Ok, I have been trying to implement RPC over
HTTP so that my road warrior users can connect to the Internet and then
use Outlook 2003 without a VPN. Things have not gone as expected; I keep
getting a "Microsoft Exchange Server is unavailable" error message.
Looking at the Connection Status when trying to connect Outlook 2003 to
the Exchange server, I get the following...
                        
                        SERVER                  TYPE          CON    STATUS
                        ------                  ----          ---    ------
                        ----                    Directory     ----   Connecting
                        server.internal.net     Referral      ----   Connecting
                        
                        Then these disappear and I get the "Microsoft
Exchange Server is
                        unavailable" error.
                        
                        
                        I walked through all of Microsoft's
troubleshooting steps and, using RPCDUMP.EXE on the Exchange box, this
is what I found...
                        
                        ncacn_http (Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)

                        192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
                        192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
                        192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
                        192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
                        192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
                        192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
                        192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
                        192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
                        192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
                        192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
                        
                        Ok so let me start at the beginning now...
                        
                        ENVIRONMENT
                        -----------
                        (OUTSIDE WORLD)              (PERIMETER)              (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)

                        Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
                         XP SP-2                     W2K3 SP-1                W2K3 SP-1                 \
                                                                                                         --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
                        
                        How I set up RPC over HTTP (Server Side)...
                        ---------------------------------------
                        1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
                                On my Exchange server (my ONLY one) I installed the RPC over HTTP component from Add/Remove Programs - Windows Components.

                        2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
                                In Internet Information Services (IIS) Manager, right-click the RPC virtual directory, and then click Properties.
                                In the RPC Virtual Directory Properties page, on the Directory Security tab, in the Authentication and access control pane, click Edit.
                                In the Authentication Methods window, verify that the check box next to Enable anonymous access is cleared.
                                In the Authentication Methods window, under Authenticated access, select the check box next to Basic authentication and click OK to the warning.
                                I did NOT choose Integrated Windows authentication (NTLM) because of the following:
                                        It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM - it doesn't support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy, which inserts via the pragma in the HTTP header, NTLM authentication will not work.
                                I saved my settings.
                                I have a valid SSL certificate installed on the virtual server (for OWA in the first place).

                        3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
                                Expand Web Sites, expand Default Web Site, right-click RPC, and then click Properties.
                                Click the Directory Security tab, and then click Edit under Secure communications.
                                Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box.
                                Click OK, click Apply, and then click OK.

                        4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER HTTP
                                On the RPC proxy server (my only Exchange Server box), start Registry Editor (Regedit).
                                In the console tree, locate the following registry key:
                                        HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
                                In the details pane, right-click the ValidPorts subkey, and then click Modify.
                                In Edit String, in the Value data box, type the following information:
                                        ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
                                        If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use the internal FQDN.
                                        (My external FQDN is company.DYNIP.COM (we use the Dynip.com Dynamic DNS service).)

                        5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry (NSPI interface protocol sequences - ncacn_http:6004)

                        6) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
                                Done according to instructions in this link - //tinyurl.com/frarn

                        7) Finally I changed my current OWA SSL ISA 2004 rule to include the /RPC* folders (along with the /exchange/*; /exchweb/*; /public/* folders).
                                I did this because OWA and RPC over HTTP are on the SAME server using the same SSL certificate (I installed an internal CA to issue the certificate for the OWA server. Users have to click YES to accept (Trust) the certificate, but it works fine.)

                        I am thinking it is either my ISA 2004 rule or that I may need to move my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it is, could someone explain in detail the steps to do either? I do not have IIS installed on my ISA 2004 box. Please let me know if there are any "Gotchas" also.
                        
                        Thanks for any help in solving this.
                        
                        -Tom Rogers
        
------------------------------------------------------
                        List Archives: //www.freelists.org/archives/isalist/
                        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                        ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
                        ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
                        Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
                        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
                        Report abuse to listadmin@xxxxxxxxxxxxx
        
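Editor's note on step 4 of the original post. The ValidPorts value under HKLM\Software\Microsoft\Rpc\RpcProxy is a semicolon-separated list of host:port or host:low-high entries, and the RPC proxy forwards only to server:port pairs on that list, matched against the server name the Outlook profile supplies. Every ncacn_http endpoint rpcdump lists (6001 for the store, 6002 for the referral and System Attendant interfaces, 6004 for the NSPI proxy) therefore has to appear under each name a client may use, the NetBIOS name and the internal FQDN, which is why the quoted guidance says the external name is no substitute. The Python script below is an added example for this archive page, not a Microsoft tool: it parses a ValidPorts string, parses rpcdump's ncacn_http lines, and reports every endpoint the proxy would refuse to forward to. The NetBIOS name EXCHANGE, the internal FQDN exchange.internal.net and their mapping to 192.168.1.5 are assumptions; the rpcdump lines are the thread's own, trimmed to one per port.

```python
"""Cross-check the RpcProxy ValidPorts value against rpcdump's ncacn_http
endpoints. Added example for this archive page, not a Microsoft tool.

ValidPorts (REG_SZ under HKLM\\Software\\Microsoft\\Rpc\\RpcProxy) is a
semicolon-separated list of host:port or host:low-high entries. The RPC proxy
forwards only to server:port pairs on that list, matched against the server
name the Outlook profile supplies, so each endpoint must be listed under the
NetBIOS name and the internal FQDN.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed inputs modelled on the thread. Names and their mapping to
# 192.168.1.5 are assumptions; the rpcdump lines are the thread's own.
VALID_PORTS = ("EXCHANGE:6001-6002;exchange.internal.net:6001-6002;"
               "EXCHANGE:6004;exchange.internal.net:6004;")
INTERNAL_NAMES = {"192.168.1.5": {"EXCHANGE", "exchange.internal.net"}}
RPCDUMP_NCACN_HTTP = """\
192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
"""

ENTRY_RE = re.compile(r"^([^:;\s]+):(\d+)(?:-(\d+))?$")
ENDPOINT_RE = re.compile(
    r"^(\S+?)\[(\d+)\]\s+\[([0-9a-fA-F-]{36})\]\s+(.*?)\s*:(\w+)\s*$")


def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Return {lower-cased host: allowed ports}; ValueError on a bad entry.

    A value pasted with a stray line break ("...:600\\n4", as the thread's
    wrapped text shows) fails here instead of silently shrinking the list.
    """
    allowed = defaultdict(set)
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # a trailing ';' is harmless
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        host, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 0 < lo <= hi < 65536:
            raise ValueError("bad port range in ValidPorts entry: %r" % entry)
        allowed[host.lower()].update(range(lo, hi + 1))  # registry and DNS names are case-insensitive
    return dict(allowed)


def parse_rpcdump(text: str) -> List[Tuple[str, int, str, str, str]]:
    """Return (ip, port, uuid, description, status) for each endpoint line."""
    found = []
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line.strip())
        if m:
            ip, port, uuid, desc, status = m.groups()
            found.append((ip, int(port), uuid.lower(), desc, status))
    return found


def uncovered_endpoints(valid_ports: str, rpcdump_text: str,
                        names: Dict[str, Set[str]]) -> List[Tuple[str, int, str]]:
    """List (name, port, description) pairs the proxy would refuse to forward to.

    `names` maps the IP rpcdump printed to every name a client may use for it.
    """
    allowed = parse_valid_ports(valid_ports)
    gaps = []
    for ip, port, _uuid, desc, _status in parse_rpcdump(rpcdump_text):
        for name in sorted(names.get(ip, {ip})):
            if port not in allowed.get(name.lower(), set()):
                gaps.append((name, port, desc))
    return gaps


if __name__ == "__main__":
    print("allowed:", parse_valid_ports(VALID_PORTS))
    print("gaps with internal names:",
          uncovered_endpoints(VALID_PORTS, RPCDUMP_NCACN_HTTP, INTERNAL_NAMES) or "none")
    # The mistake the quoted guidance warns about: only the external name is listed.
    external_only = "company.dynip.com:6001-6002;company.dynip.com:6004"
    for gap in uncovered_endpoints(external_only, RPCDUMP_NCACN_HTTP, INTERNAL_NAMES):
        print("not forwardable:", gap)
```

Feed it the value read back from the registry and the real rpcdump output rather than the constructed strings; an empty gap list says the proxy is allowed to reach every endpoint Exchange registered, which separates a ValidPorts mistake from a publishing-rule or authentication problem on the ISA side.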