[isalist] Re: RCP over HTTP Assistance needed

  • From: "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 26 May 2006 13:16:46 -0700

http://www.ISAserver.org
-------------------------------------------------------

Tom,
Do you have another router in front of ISA like a Linksys? Or is ISA
directly connected to your ISP?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Friday, May 26, 2006 1:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

http://www.ISAserver.org
-------------------------------------------------------
  
OWA is working fine - no issues at all.

The certificate for the EXCHANGE box is installed on the ISA box - I
exported it from EXCHANGE and imported it into ISA. Is this not good
enough?

And I was not recv'ing any error messages, not in the Event logs, not on
the screen, etc. The ONLY error I recv'd was "Your Exchange Server is
offline or not available." Not even any error messages in the Outlook
Client Connections box. If I had error messages coming at me, I would be
looking at the docs and KBs - no problem.

I'm not totally pathetic. ISA is the ONLY software I have had any
trouble mastering. I have read Tom Shinder's books, MS TechNet, White
Papers, etc., and ISA know-how still eludes me for some reason.

So basically, in order to use RPC over HTTP from the outside I need to
obtain a 3rd party certificate from VeriSign or someone like that in
order for this to work? 

If that is the case, I will also have to get a static IP because
Dynip.com will not allow certificates to be assigned to their customer
DNS records.

-TRogers


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, May 26, 2006 3:47 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> There are *lots* of documents describing how to configure OWA with 
> ISA.
> You're hitting the most common failure: that of not matching the 
> certificate name to the request.
> 
> There are *lots* of documents & kbs that address the errors ISA is 
> throwing at you - you're ignoring them by playing in the path when the
> errors are specifying "certificate".
> 
> All those errors are what ISA considers to be a bogus cert.
> ISA will not accept a certificate that:
> - is not from a CA that ISA can find in the local machine trusted 
> roots store
> - does not match the hostname used in the "To" tab of the publishing 
> rule
> 
> ISA has no way to "ask the user" if he wants to allow a bogus 
> certificate.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, May 26, 2006 12:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> Ok, I was not able to create a 2nd listener as the IP port used was 
> the same (443). So I added the /Rpc/* folder onto the original secure 
> OWA ISA rule - again.
> 
> Still cannot get it to connect from the outside world. Client setup is
> verified accurate. Once again, with ISA 2004, I am clueless.
> 
> This is the hardest to use/configure piece of software I have ever 
> used in my life.
> 
> I don't get it, RPC over HTTP works fine from the inside, which means 
> it's ISA 2004, but what, where, how, when, why?
> I've no idea.
> 
> Maybe - because I am using an SSL Certificate that was issued by a CA
> *INSIDE* my internal network, not a public CA, could this be the 
> issue?
> When I use OWA, I have to click YES on the security alert pop up 
> message. This says:
> 
> 1) The security certificate is from an untrusted certifying authority
> 2) The security certificate date is valid
> 3) The name on the security certificate is invalid or does not match 
> the name of the site.
> 
> On item #3, the Certificate has been issued to an internal server 
> called EXCHANGE (name on the certificate) and in order to get to this 
> box via the Internet/ISA 2004, the URL I use is company.dynip.com - 
> which of course is not the same name as EXCHANGE.
> 
> I'm lost...
> 
> -TRogers
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, May 26, 2006 2:16 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> > 
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >   
> > Yes.
> > From my boat somewhere in Texas
> > 
> > -----Original Message-----
> > From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
> > Sent: 5/26/06 1:00:04 PM
> > To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> > 
> > Tom,
> >  
> > Should the Authentication on the new listener be BASIC?
> >  
> > -TRogers
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >     Sent: Friday, May 26, 2006 9:55 AM
> >     To: isalist@xxxxxxxxxxxxx
> >     Subject: [isalist] Re: RCP over HTTP Assistance needed
> >     
> >     
> >     You can't use FBA on the same listener that the RPC/HTTP WPR uses.
> >      
> >     Tom
> >      
> >     Thomas W Shinder, M.D.
> >     Site: www.isaserver.org <http://www.isaserver.org/> 
> >     Blog: http://blogs.isaserver.org/shinder/
> >     Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
> >     MVP -- ISA Firewalls
> > 
> >      
> > 
> > 
> > ________________________________
> > 
> >             From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> >             Sent: Friday, May 26, 2006 8:19 AM
> >             To: isalist@xxxxxxxxxxxxx
> >             Subject: [isalist] Re: RCP over HTTP Assistance needed
> >             
> >             
> >             Ok - duh, had a brain cramp.
> >              
> >             Anyway - it works fine internally - so it has to be my ISA rule.
> >             Now, how do I correct that? Is it possible for me to use the current
> >             OWA access rule that I have in place and just add the /RPC/* folder to
> >             the list or what?
> >             Below is how my rule is set up for OWA and RPC over HTTP...
> >              
> >             General - Company OWA (Enable)
> >             Action - Allow (Log Requests)
> >             From - Anywhere
> >             To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
> >             Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure HTTP - all defaults)
> >             Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP disabled;
> >             HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based;
> >             Always Authenticate - No; Domain - Company.net)
> >             Public Name - company.dynip.com (Requests for the following websites)
> >             Paths - /exchange/*   /exchweb/*   /public/*   /Rpc*   /RpcWithCert*
> >             Bridging - Web Server, Redirect SSL to 443 (Only)
> >             Users - All Users
> >             Schedule - Always
> >             Link Translation - Defaults
> >              
> >             Thanx,
> >              
> >             -TRogers
> >              
> >              
> > 
> > 
> > ________________________________
> > 
> >                     From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> >                     Sent: Thursday, May 25, 2006 4:06 PM
> >                     To: ISA Mailing List
> >                     Subject: [isalist] Re: RCP over HTTP Assistance needed
> >                     
> >                     
> > 
> >                     You change the connection type within the properties of the Outlook
> >                     profile.
> > 
> >                      
> > 
> >                     S
> > 
> >                      
> > 
> > ________________________________
> > 
> >                     From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> >                     Sent: Thursday, May 25, 2006 4:59 PM
> >                     To: ISA Mailing List
> >                     Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
> > 
> >                      
> > 
> >                     Not sure how to connect internally using HTTPS with Outlook 2003.
> >                     OWA works fine internally. I can browse to the RPC virtual server on
> >                     the intranet and I can connect fine (as per Microsoft's instructions)
> > 
> >                      
> > 
> >                     Security policies are fine.
> > 
> >                      
> > 
> >                     -TRogers
> > 
> >                      
> > 
> > ________________________________
> > 
> >                     From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
> >                     Sent: Thu 5/25/2006 3:40 PM
> >                     To: isalist@xxxxxxxxxxxxx
> >                     Subject: [isalist] Re: RCP over HTTP Assistance needed
> > 
> >                     http://www.ISAserver.org <http://www.isaserver.org/>
> >                     -------------------------------------------------------
> >                      
> >                     Tom,
> >                     
> >                     Did you try connecting internally to your mailbox using RPC/HTTPS? Does
> >                     that work?
> >                     
> >                     Also, check the Network security: LAN Manager authentication level in
> >                     the security policy on both the server and the client(s). Are they
> >                     compatible?
> >                     
> >                     Cordially yours,
> >                     Jerry G. Young II
> >                       MCSE (4.0/W2K)
> >                     Atlanta EES Implementation Team Lead
> >                     ECNS Microsoft Engineering
> >                     Unisys
> >                     
> >                     11493 Sunset Hills Rd.
> >                     Reston, VA 20190
> >                     Office: 703-579-2727
> >                     Cell: 703-625-1468
> >                     
> >                     THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> >                     MATERIAL and is thus for use only by the intended recipient. If you
> >                     received this in error, please contact the sender and delete the e-mail
> >                     and its attachments from all computers.
> >                     
> >                     -----Original Message-----
> >                     From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> >                     On Behalf Of Tom Rogers
> >                     Sent: Thursday, May 25, 2006 11:49 AM
> >                     To: isalist@xxxxxxxxxxxxx
> >                     Subject: [isalist] RCP over HTTP Assistance needed
> >                     
> >                     http://www.ISAserver.org <http://www.isaserver.org/>
> >                     -------------------------------------------------------
> >                      
> >                     Ok, I have been trying to implement RPC over HTTP so that my road
> >                     warrior users can connect to the internet then use Outlook 2003 without
> >                     VPN. Things have not gone as expected; I keep getting a "Microsoft
> >                     Exchange Server is unavailable" error message. Looking at the Connection
> >                     Status when trying to connect Outlook 2003 to the Exchange server, I get
> >                     the following...
> >                     
> >                     SERVER                  TYPE          CON     STATUS
> >                     ------                  ----          ---     ------
> >                     
> >                     ----                    Directory     ----    Connecting
> >                     server.internal.net     Referral      ----    Connecting
> >                     
> >                     Then these disappear and I get the "Microsoft Exchange Server is
> >                     unavailable" error.
> >                     
> >                     
> >                     I walked through all of Microsoft's troubleshooting steps and using
> >                     RPCDUMP.EXE on the Exchange box, this is what I found...
> >                     
> >                     ncacn_http(Connection-oriented TCP/IP using Microsoft Internet
> >                     Information Server as HTTP proxy.)
> >                     
> >                     192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
> >                     192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
> >                     192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
> >                     192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
> >                     192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
> >                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
> >                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> >                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> >                     192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> >                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> >                     
> >                     Ok so let me start at the beginning now...
> >                     
> >                     ENVIRONMENT
> >                     -----------
> >                          (OUTSIDE WORLD)             (PERIMETER)              (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
> >                     
> >                     Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
> >                      XP SP-2                     W2K3 SP-1               W2K3 SP-1                       \
> >                                                                                                           --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
> >                     
> >                     How I set up RPC over HTTP (Server Side)...
> >                     ---------------------------------------
> >                     1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
> >                             On my Exchange server (my ONLY one) I installed the RPC over
> >                     HTTP component from the Add/Remove Programs - Windows Components
> >                     
> >                     2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
> >                             In Internet Information Services (IIS) Manager, right-click the
> >                     RPC virtual directory, and then click Properties.
> >                             In the RPC Virtual Directory Properties page, on the Directory
> >                     Security tab, in the Authentication and access control pane, click Edit.
> >                     
> >                             In the Authentication Methods window, verify that the check box
> >                     next to Enable anonymous access is cleared.
> >                             In the Authentication Methods window, under Authenticated
> >                     access, select the check box next to Basic authentication and click OK
> >                     to the warning.
> >                             I did NOT choose Integrated Windows authentication (NTLM)
> >                     because of the following:
> >                                     It is recommended that you use Basic authentication over
> >                     NTLM because of two reasons. First, RPC over HTTP currently supports
> >                     only NTLM - it doesn't support Kerberos. Second, if there is an HTTP
> >                     Proxy or a firewall between the RPC over HTTP client and the RPC Proxy,
> >                     which inserts via the pragma in the HTTP header, NTLM authentication
> >                     will not work.
> >                             I saved my settings
> >                             I have a valid SSL certificate installed on the virtual server
> >                     (for OWA in the first place)
> >                     
> >                     3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
> >                             Expand Web Sites, expand Default Web Site, right-click RPC, and
> >                     then click Properties.
> >                             Click the Directory Security tab, and then click Edit under
> >                     Secure communications.
> >                             Click to select the Require secure channel (SSL) check box and
> >                     the Require 128-bit encryption check box.
> >                             Click OK, click Apply, and then click OK
> >                     
> >                     4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER
> >                     HTTP
> >                             On the RPC proxy server, (my only Exchange Server box) start
> >                     Registry Editor (Regedit).
> >                             In the console tree, locate the following registry key:
> >                     HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
> >                             In the details pane, right-click the ValidPorts subkey, and then
> >                     click Modify.
> >                             In Edit String, in the Value data box, type the following
> >                     information:
> >                     ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
> >                                             If the FQDN that is used to access the server
> >                     from the Internet differs from the internal FQDN, you must use the
> >                     internal FQDN.
> >                                             (My external FQDN is company.DYNIP.COM (We use
> >                     Dynip.com Dynamic DNS service)
> >                     
> >                     5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry
> >                     (NSPI interface protocol sequences - ncacn_http:6004)
> >                     
> >                     6) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
> >                             Done according to instructions in this link -
> >                     //tinyurl.com/frarn
> >                     
> >                     7) Finally I changed my current OWA SSL ISA 2004 rule to include the
> >                     /RPC* folders (along with the /exchange/*; /exchweb/*; /public/*
> >                     folders.
> >                             I did this because OWA and RPC over HTTP are on the SAME server
> >                     using the same SSL certificate (I installed an internal CA to issue the
> >                     certificate for the OWA server. Users have to click YES to accept
> >                     (Trust) the certificate, but it works fine.)
> >                     
> >                     I am thinking it is either my ISA 2004 rule or that I may need to move
> >                     my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it
> >                     is, could someone explain in detail, the steps to do either? I do not
> >                     have IIS installed on my ISA 2004 box. Please let me know if there are
> >                     any "Gotchas" also.
> >                     
> >                     Thanks for any help in solving this.
> >                     
> >                     -Tom Rogers
> >     
> > ------------------------------------------------------
> >                     List Archives:
> > //www.freelists.org/archives/isalist/ 
> >                     ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> >                     ISA Server Articles and Tutorials:
> >                     http://www.isaserver.org/articles_tutorials/
> >                     ISA Server Blogs: http://blogs.isaserver.org/
> >     
> > ------------------------------------------------------
> >                     Visit TechGenix.com for more
> > information about our other sites:
> >                     http://www.techgenix.com
> > <http://www.techgenix.com/>
> >     
> > ------------------------------------------------------
> >                     To unsubscribe visit
> > http://www.isaserver.org/pages/isalist.asp
> >                     Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
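The two certificate checks Jim Harrison lists in the thread above (the issuer must be in the ISA machine's trusted-roots store, and the certificate name must match the host entered on the publishing rule's To tab), plus the validity-period check from Tom's browser warning, modelled in a short Python script. This is an added example written for this archive page, not ISA Server code: the certificate dicts, CA names and dates are constructed, the dict layout follows what Python's ssl.getpeercert() returns, and the function names (isa_accepts, name_matches, issuer_trusted) are mine.

```python
"""Added example (not ISA Server code): the checks an ISA Web publishing
rule applies to a published server's certificate, as listed in the thread,
plus the validity-period check a browser performs. Certificates are plain
dicts in the layout Python's ssl.getpeercert() returns; every certificate,
CA name and date below is constructed."""
from datetime import datetime, timezone

# Constructed stand-in for a certificate issued by an internal CA to the
# server named EXCHANGE, with no subjectAltName (common in 2006).
EXCHANGE_CERT = {
    "subject": ((("commonName", "EXCHANGE"),),),
    "issuer": ((("commonName", "Company Internal CA"),),),
    "notBefore": "Jan 10 00:00:00 2006 GMT",
    "notAfter": "Jan 10 00:00:00 2008 GMT",
}
# Constructed: same subject and issuer, but already expired on NOW.
EXPIRED_CERT = dict(EXCHANGE_CERT, notBefore="Jan 10 00:00:00 2004 GMT",
                    notAfter="Jan 10 00:00:00 2006 GMT")
NOW = datetime(2006, 5, 26, tzinfo=timezone.utc)   # date of the thread


def _rdn_value(name, key):
    """First value for attribute `key` in a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match allowing one leftmost '*' label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return False


def name_matches(cert, hostname):
    """RFC 6125 style: dNSName SANs are authoritative; the subject CN is only
    consulted when the certificate carries no dNSName SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_dns_match(s, hostname) for s in sans)
    cn = _rdn_value(cert["subject"], "commonName")
    return cn is not None and _dns_match(cn, hostname)


def issuer_trusted(cert, trusted_root_cns):
    """ISA accepts only issuers present in the machine's Trusted Root store
    (modelled here as a set of root CA common names)."""
    return _rdn_value(cert["issuer"], "commonName") in trusted_root_cns


def within_validity(cert, now):
    """True when `now` lies inside the certificate's notBefore/notAfter window."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    start = datetime.strptime(cert["notBefore"], fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(cert["notAfter"], fmt).replace(tzinfo=timezone.utc)
    return start <= now <= end


def isa_accepts(cert, to_tab_host, trusted_root_cns, now=NOW):
    """Return (accepted, reasons) for a rule whose To tab names `to_tab_host`."""
    reasons = []
    if not issuer_trusted(cert, trusted_root_cns):
        reasons.append("issuer not in trusted roots store")
    if not name_matches(cert, to_tab_host):
        reasons.append("certificate name does not match To tab host %r" % to_tab_host)
    if not within_validity(cert, now):
        reasons.append("certificate outside its validity period")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Before the internal CA's root is imported into ISA's machine store:
    print(isa_accepts(EXCHANGE_CERT, "EXCHANGE", {"Some Public Root CA"}))
    # After importing the root, with the To tab set to the name on the cert:
    print(isa_accepts(EXCHANGE_CERT, "EXCHANGE", {"Company Internal CA"}))
    # The public name users type does not appear on the certificate at all:
    print(isa_accepts(EXCHANGE_CERT, "company.dynip.com", {"Company Internal CA"}))
```

The second call is the working configuration for the thread's scenario: the internal CA root imported on the ISA machine and the To tab naming the same host the certificate was issued to. The third call shows why a certificate issued to EXCHANGE can never satisfy a rule or a browser that expects company.dynip.com, whichever CA issued it.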

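The RpcProxy ValidPorts string from step 4 of Tom Rogers' original post, parsed and checked the way an administrator would verify it before blaming the ISA rule. This is an added example, not code from the post or from Microsoft: the host names EXCHANGE, exchange.company.net, DC1 and dc1.company.net are constructed placeholders for the internal names, the port list follows the rpcdump output quoted in the thread (6001 store, 6002 directory referral, 6004 NSPI proxy), and the global-catalog entries are my assumption that the GC's NSPI endpoint on 6004 must also be listed (the post only shows the Exchange entries).

```python
"""Added example (not from the post or from Microsoft): parse and
sanity-check the RpcProxy ValidPorts value shown in step 4 of the thread.
The format is host:port or host:low-high entries separated by ';'.
All host names below are constructed placeholders."""
import re

ENTRY = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5})(?:-(\d{1,5}))?$")

# The post's value with its placeholders filled in (constructed names).
VALID_PORTS = ("EXCHANGE:6001-6002;exchange.company.net:6001-6002;"
               "EXCHANGE:6004;exchange.company.net:6004;")

# Ports the rpcdump output in the thread shows behind the proxy:
# 6001 STORE (EMSMDB), 6002 Directory referral (RFR), 6004 NSPI proxy.
EXCHANGE_PORTS = (6001, 6002, 6004)
GC_PORTS = (6004,)   # assumption: the GC's NSPI endpoint is also proxied


def parse_valid_ports(value):
    """Return [(host, low, high)] with hosts lowercased; raise on bad syntax."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY.match(raw)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % raw)
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 0 < low <= high < 65536:
            raise ValueError("bad port range in entry: %r" % raw)
        entries.append((m.group(1).lower(), low, high))
    return entries


def allows(entries, host, port):
    """True when some entry covers this host and port."""
    host = host.lower()
    return any(h == host and low <= port <= high for h, low, high in entries)


def required_entries(exchange_names, gc_names=()):
    """(host, port) pairs that must be covered: every internal name the
    client or proxy may use (NetBIOS and FQDN) for each proxied port."""
    req = [(h, p) for h in exchange_names for p in EXCHANGE_PORTS]
    req += [(h, p) for h in gc_names for p in GC_PORTS]
    return req


def missing(entries, required):
    """Required pairs that no ValidPorts entry covers."""
    return [(h, p) for h, p in required if not allows(entries, h, p)]


def external_names(entries, internal_names):
    """Hosts in ValidPorts that are not internal names. The post quotes the
    rule that the internal FQDN must be used even when the public FQDN differs."""
    internal = {n.lower() for n in internal_names}
    return sorted({h for h, _, _ in entries if h not in internal})


def check(value, exchange_names, gc_names=()):
    """Return (missing_pairs, foreign_hosts) for a ValidPorts string."""
    entries = parse_valid_ports(value)
    return (missing(entries, required_entries(exchange_names, gc_names)),
            external_names(entries, list(exchange_names) + list(gc_names)))


if __name__ == "__main__":
    exch = ["EXCHANGE", "exchange.company.net"]
    print(check(VALID_PORTS, exch))                              # ([], [])
    print(check(VALID_PORTS, exch, ["DC1", "dc1.company.net"]))  # GC entries missing
    print(check(VALID_PORTS + "company.dynip.com:6001-6002;", exch))  # public name flagged
```

An empty result from check() means every internal name is covered for every proxied port and nothing external has crept into the value; anything else points at a registry fix on the RPC proxy rather than at the ISA publishing rule.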