http://www.ISAserver.org
-------------------------------------------------------

Cap'n Pugwash sails again!!!

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, May 26, 2006 3:16 PM
To: ISA Mailing List
Subject: [isalist] Re: RCP over HTTP Assistance needed

Yes. From my boat somewhere in Texas

-----Original Message-----
From: "Tom Rogers" <trogers@xxxxxxxxxxxxxxxxxx>
Sent: 5/26/06 1:00:04 PM
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: RCP over HTTP Assistance needed

Tom,

Should the Authentication on the new listener be BASIC?

-TRogers

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, May 26, 2006 9:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

You can't use FBA on the same listener that the RPC/HTTP WPR uses.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
Sent: Friday, May 26, 2006 8:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

Ok - duh, had a brain cramp. Anyway - it works fine internally - so it has to be my ISA rule. Now, how do I correct that? Is it possible for me to use the current OWA access rule that I have in place and just add the /RPC/* folder to the list, or what? Below is how my rule is set up for OWA and RPC over HTTP...
General - Company OWA (Enable)
Action - Allow (Log Requests)
From - Anywhere
To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
Traffic - HTTPS (Require 128-bit encryption) (Filtering, configure HTTP - all defaults)
Listener - Secure HTTPS Listener Exchange (Networks - External; HTTP disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based; Always Authenticate - No; Domain - Company.net)
Public Name - company.dynip.com (Requests for the following websites)
Paths - /exchange/* /exchweb/* /public/* /Rpc* /RpcWithCert*
Bridging - Web Server, Redirect SSL to 443 (Only)
Users - All Users
Schedule - Always
Link Translation - Defaults

Thanx,
-TRogers

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Thursday, May 25, 2006 4:06 PM
To: ISA Mailing List
Subject: [isalist] Re: RCP over HTTP Assistance needed

You change the connection type within the properties of the Outlook profile.

S

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
Sent: Thursday, May 25, 2006 4:59 PM
To: ISA Mailing List
Subject: RE: [isalist] Re: RCP over HTTP Assistance needed

Not sure how to connect internally using HTTPS with Outlook 2003. OWA works fine internally. I can browse to the RPC virtual server on the intranet and I can connect fine (as per Microsoft's instructions). Security policies are fine.

-TRogers

________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
Sent: Thu 5/25/2006 3:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

Tom,

Did you try connecting internally to your mailbox using RPC/HTTPS? Does that work?
Also, check the "Network security: LAN Manager authentication level" setting in the security policy on both the server and the client(s). Are they compatible?

Cordially yours,

Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
Sent: Thursday, May 25, 2006 11:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] RCP over HTTP Assistance needed

Ok, I have been trying to implement RPC over HTTP so that my road warrior users can connect to the internet and then use Outlook 2003 without VPN. Things have not gone as expected; I keep getting a "Microsoft Exchange Server is unavailable" error message.

Looking at the Connection Status when trying to connect Outlook 2003 to the Exchange server, I get the following...

    SERVER               TYPE       CON   STATUS
    ------               ----       ---   ------
    ----                 Directory  ----  Connecting
    server.internal.net  Referral   ----  Connecting

Then these disappear and I get the "Microsoft Exchange Server is unavailable" error.

I walked through all of Microsoft's troubleshooting steps and, using RPCDUMP.EXE on the Exchange box, this is what I found...

ncacn_http (Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)
    192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
    192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
    192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
    192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
    192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
    192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
    192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
    192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
    192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
    192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED

Ok, so let me start at the beginning now...

ENVIRONMENT
-----------

    (OUTSIDE WORLD)              (PERIMETER)               (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
    Client PC ---> INTERNET ---> ISA 2004 SP2 Server  ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
    XP SP-2                      W2K3 SP-1                 W2K3 SP-1                  \--> W2K3 SP-1 Domain Controller/Global Catalog Server 2

How I set up RPC over HTTP (Server Side)...
---------------------------------------

1) CONFIGURE A SERVER AS AN RPC PROXY SERVER

On my Exchange server (my ONLY one) I installed the RPC over HTTP component from Add/Remove Programs - Windows Components.

2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS

In Internet Information Services (IIS) Manager, right-click the RPC virtual directory, and then click Properties.
In the RPC Virtual Directory Properties page, on the Directory Security tab, in the Authentication and access control pane, click Edit. In the Authentication Methods window, verify that the check box next to Enable anonymous access is cleared. In the Authentication Methods window, under Authenticated access, select the check box next to Basic authentication and click OK to the warning.

I did NOT choose Integrated Windows authentication (NTLM) because of the following:

"It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM - it doesn't support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy which inserts a Via pragma in the HTTP header, NTLM authentication will not work."

I saved my settings. I have a valid SSL certificate installed on the virtual server (for OWA in the first place).

3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL

Expand Web Sites, expand Default Web Site, right-click RPC, and then click Properties. Click the Directory Security tab, and then click Edit under Secure communications. Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box. Click OK, click Apply, and then click OK.

4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER HTTP

On the RPC proxy server (my only Exchange Server box), start Registry Editor (Regedit). In the console tree, locate the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy

In the details pane, right-click the ValidPorts subkey, and then click Modify. In Edit String, in the Value data box, type the following information:

    ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;

If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use the internal FQDN.
(My external FQDN is company.DYNIP.COM; we use the Dynip.com Dynamic DNS service.)

5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry (NSPI interface protocol sequences - ncacn_http:6004)

6) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE

Done according to the instructions in this link - //tinyurl.com/frarn

7) Finally, I changed my current OWA SSL ISA 2004 rule to include the /RPC* folders (along with the /exchange/*, /exchweb/* and /public/* folders). I did this because OWA and RPC over HTTP are on the SAME server using the same SSL certificate. (I installed an internal CA to issue the certificate for the OWA server. Users have to click YES to accept (trust) the certificate, but it works fine.)

I am thinking it is either my ISA 2004 rule or that I may need to move my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it is, could someone explain in detail the steps to do either? I do not have IIS installed on my ISA 2004 box. Please let me know if there are any "Gotchas" also.

Thanks for any help in solving this.
-Tom Rogers

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
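An added example, not code from the thread, from Microsoft or from the list: a PowerShell check for the two server-side registry settings Tom describes in steps 4 and 5 of his original post, the RpcProxy ValidPorts string on the Exchange/RPC proxy box and the "NSPI interface protocol sequences" value on a global catalog server. The required ports (6001, 6002, 6004) and the rule that only the internal name and FQDN belong in ValidPorts are taken from the post; the parameter names, the hypothetical script name and the assumption that it runs as an administrator on the box being checked are mine. It does not touch the ISA listener, which is the part of the setup the thread ends up changing (Basic authentication on a separate listener rather than the forms-based OWA one).

```powershell
# Added example (not from the thread). Verifies the RPC-over-HTTP registry
# settings from steps 4 and 5 of the post. Assumed to run as an administrator
# on the box being checked; pass -GlobalCatalog when running on the DC/GC.
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [switch]$GlobalCatalog
)

# Ports the post's ValidPorts string must cover (from the post, not a vendor table):
# 6001 store, 6002 directory referral, 6004 NSPI proxy.
$requiredPorts = 6001, 6002, 6004
$problems = 0

function Get-ValidPortMap {
    # Parses "host:6001-6002;host:6004;" into a hashtable: host -> { port -> $true }.
    # Malformed entries are reported and skipped rather than silently accepted.
    param([string]$Value)
    $map = @{}
    foreach ($entry in ($Value -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $parts = $entry.Trim().Split(':')
        if ($parts.Count -ne 2) { Write-Warning "Malformed ValidPorts entry: '$entry'"; continue }
        $hostName = $parts[0]
        $spec = $parts[1]
        if ($spec -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            $ports = $lo..$hi
        } elseif ($spec -match '^\d+$') {
            $ports = @([int]$spec)
        } else {
            Write-Warning "Malformed port spec in ValidPorts entry: '$entry'"; continue
        }
        if (-not $map.ContainsKey($hostName)) { $map[$hostName] = @{} }
        foreach ($p in $ports) { $map[$hostName][$p] = $true }
    }
    return $map
}

# Step 4: ValidPorts on the RPC proxy (the post's only Exchange box).
$rpcProxyKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$validPorts = (Get-ItemProperty -Path $rpcProxyKey -Name ValidPorts -ErrorAction Stop).ValidPorts
Write-Host "ValidPorts = $validPorts"
$map = Get-ValidPortMap -Value $validPorts

# Both the short name and the internal FQDN must allow every required port.
foreach ($name in @($ServerName, $ServerFqdn)) {
    foreach ($port in $requiredPorts) {
        if (-not ($map.ContainsKey($name) -and $map[$name].ContainsKey($port))) {
            Write-Warning "ValidPorts does not allow ${name}:$port"
            $problems++
        }
    }
}

# Anything else is suspect: per the text quoted in the post, the internal FQDN
# goes here even when the public (Dynip) name is different.
foreach ($name in $map.Keys) {
    if ($name -ne $ServerName -and $name -ne $ServerFqdn) {
        Write-Warning "ValidPorts lists '$name', which is not this server's internal name or FQDN"
        $problems++
    }
}

# Step 5: NSPI proxy interface on the global catalog server.
if ($GlobalCatalog) {
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $valueName = 'NSPI interface protocol sequences'
    $nspi = (Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $nspi) {
        Write-Warning "'$valueName' is not set under $ntdsKey"
        $problems++
    } elseif (@($nspi) -notcontains 'ncacn_http:6004') {
        Write-Warning "'$valueName' is '$($nspi -join ',')'; expected it to include ncacn_http:6004"
        $problems++
    } else {
        Write-Host "$valueName = $($nspi -join ',')"
    }
}

if ($problems -eq 0) {
    Write-Host 'RPC over HTTP registry settings look consistent.'
} else {
    Write-Warning "$problems problem(s) found."
    exit 1
}
```

Run it as `.\Check-RpcProxy.ps1` on the Exchange box (the script name is hypothetical) and as `.\Check-RpcProxy.ps1 -GlobalCatalog` on the DC/GC. A configuration like the post's, with the public Dynip name in ValidPorts or with only one of the two internal names listed, produces a warning per missing host:port pair and a non-zero exit code, which is the symptom behind the ACCESS_DENIED rows in the RPCDUMP output above when the proxy refuses to forward to a name it was not told about.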