http://www.ISAserver.org
-------------------------------------------------------

Tom,

Do you have another router in front of ISA like a Linksys? Or is ISA directly connected to your ISP?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
Sent: Friday, May 26, 2006 1:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

http://www.ISAserver.org
-------------------------------------------------------

OWA is working fine - no issues at all. The certificate for the EXCHANGE box is installed on the ISA box - I exported it from EXCHANGE and imported it into ISA. Is this not good enough?

And I was not recv'ing any error messages, not in the Event logs, not on the screen, etc. The ONLY error I recv'd was "Your Exchange Server is offline or not available." Not even any error messages in the Outlook Client Connections box. If I had error messages coming at me, I would be looking at the docs and KBs - no problem. I'm not totally pathetic. ISA is the ONLY software I have had any trouble mastering. I have read TShinder's books, MS TechNet, White Papers, etc. and ISA know-how still eludes me for some reason.

So basically, in order to use RPC over HTTP from the outside I need to obtain a 3rd party certificate from VeriSign or someone like that in order for this to work? If that is the case, I will also have to get a static IP because Dynip.com will not allow certificates to be assigned to their customer DNS records.

-TRogers

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, May 26, 2006 3:47 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> There are *lots* of documents describing how to configure OWA with ISA.
> You're hitting the most common failure; that of not matching the certificate name to the request.
>
> There are *lots* of documents & KBs that address the errors ISA is throwing at you - you're ignoring them by playing in the path when the errors are specifying "certificate".
>
> All those errors are what ISA considers to be a bogus cert.
> ISA will not accept a certificate that:
> - is not from a CA that ISA can find in the local machine trusted roots store
> - does not match the hostname used in the "To" tab of the publishing rule
>
> ISA has no way to "ask the user" if he wants to allow a bogus certificate.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, May 26, 2006 12:37 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Ok, I was not able to create a 2nd listener as the IP port used was the same (443). So I added the /Rpc/* folder onto the original secure OWA ISA rule - again.
>
> Still cannot get it to connect from the outside world. Client setup is verified accurate. Once again, with ISA 2004, I am clueless.
>
> This is the hardest to use/configure piece of software I have ever used in my life.
>
> I don't get it, RPC over HTTP works fine from the inside, which means it's ISA 2004, but what, where, how, when, why? I've no idea.
>
> Maybe - because I am using an SSL Certificate that was issued by a CA *INSIDE* my internal network, not a public CA, could this be the issue? When I use OWA, I have to click YES on the security alert pop up message. This says:
>
> 1) The security certificate is from an untrusted certifying authority
> 2) The security certificate date is valid
> 3) The name on the security certificate is invalid or does not match the name of the site.
>
> On item #3, the Certificate has been issued to an internal server called EXCHANGE (name on the certificate) and in order to get to this box via the Internet/ISA 2004, the URL I use is company.dynip.com - which of course is not the same name as EXCHANGE.
>
> I'm lost...
>
> -TRogers
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, May 26, 2006 2:16 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > Yes.
> > From my boat somewhere in Texas
> >
> > -----Original Message-----
> > From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
> > Sent: 5/26/06 1:00:04 PM
> > To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > Tom,
> >
> > Should the Authentication on the new listener be BASIC?
> >
> > -TRogers
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, May 26, 2006 9:55 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > You can't use FBA on the same listener that the RPC/HTTP WPR uses.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org <http://www.isaserver.org/>
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Friday, May 26, 2006 8:19 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > Ok - duh had a brain cramp.
> >
> > Anyway - it works fine internally - so it has to be my ISA rule. Now, how do I correct that? Is it possible for me to use the current OWA access rule that I have in place and just add the /RPC/* folder to the list or what?
> > Below is how my rule is setup for OWA and RPC over HTTP...
> >
> > General - Company OWA (Enable)
> > Action - Allow (Log Requests)
> > From - Anywhere
> > To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
> > Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure HTTP - all defaults)
> > Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based; Always Authenticate - No; Domain - Company.net)
> > Public Name - company.dynip.com (Requests for the following websites)
> > Paths - /exchange/* /exchweb/* /public/* /Rpc* /RpcWithCert*
> > Bridging - Web Server, Redirect SSL to 443 (Only)
> > Users - All Users
> > Schedule - Always
> > Link Translation - Defaults
> >
> > Thanx,
> >
> > -TRogers
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Thursday, May 25, 2006 4:06 PM
> > To: ISA Mailing List
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > You change the connection type within the properties of the Outlook profile.
> >
> > S
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Thursday, May 25, 2006 4:59 PM
> > To: ISA Mailing List
> > Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
> >
> > Not sure how to connect internally using HTTPS with Outlook 2003. OWA works fine internally. I can browse to the RPC virtual server on the intranet and I can connect fine (as per Microsoft's instructions)
> >
> > Security policies are fine.
> >
> > -TRogers
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
> > Sent: Thu 5/25/2006 3:40 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: RCP over HTTP Assistance needed
> >
> > http://www.ISAserver.org <http://www.isaserver.org/>
> > -------------------------------------------------------
> >
> > Tom,
> >
> > Did you try connecting internally to your mailbox using RPC/HTTPS? Does that work?
> >
> > Also, check the Network security: LAN Manager authentication level in the security policy on both the server and the client(s). Are they compatible?
> >
> > Cordially yours,
> > Jerry G. Young II
> > MCSE (4.0/W2K)
> > Atlanta EES Implementation Team Lead
> > ECNS Microsoft Engineering
> > Unisys
> >
> > 11493 Sunset Hills Rd.
> > Reston, VA 20190
> > Office: 703-579-2727
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Tom Rogers
> > Sent: Thursday, May 25, 2006 11:49 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] RCP over HTTP Assistance needed
> >
> > http://www.ISAserver.org <http://www.isaserver.org/>
> > -------------------------------------------------------
> >
> > Ok, I have been trying to implement RPC over HTTP so that my road warrior users can connect to the internet then use Outlook 2003 without VPN.
> > Things have not gone as expected, I keep getting a "Microsoft Exchange Server is unavailable" error message. Looking at the Connection Status when trying to connect Outlook 2003 to the Exchange server, I get the following...
> >
> > SERVER                TYPE        CON    STATUS
> > ------                ----        ---    ------
> > ----                  Directory   ----   Connecting
> > server.internal.net   Referral    ----   Connecting
> >
> > Then these disappear and I get the "Microsoft Exchange Server is unavailable" error.
> >
> > I walked through all of Microsoft's troubleshooting steps and using RPCDUMP.EXE on the Exchange box, this is what I found...
> >
> > ncacn_http(Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)
> >
> > 192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
> > 192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
> > 192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
> > 192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
> >
> > 192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
> > 192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
> > 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> > 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> > 192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> > 192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
> >
> > Ok so let me start at the beginning now...
> >
> > ENVIRONMENT
> > -----------
> > (OUTSIDE WORLD)              (PERIMETER)              (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
> >
> > Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
> > XP SP-2                      W2K3 SP-1                W2K3 SP-1                 \
> >                                                                                  --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
> >
> > How I setup RPC over HTTP (Server Side)...
> > ---------------------------------------
> > 1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
> >    On my Exchange server (my ONLY one) I installed the RPC over HTTP component from the Add/Remove Programs - Windows Components
> >
> > 2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
> >    In Internet Information Services (IIS) Manager, right-click the RPC virtual directory, and then click Properties.
> >    In the RPC Virtual Directory Properties page, on the Directory Security tab, in the Authentication and access control pane, click Edit.
> >
> >    In the Authentication Methods window, verify that the check box next to Enable anonymous access is cleared.
> >    In the Authentication Methods window, under Authenticated access, select the check box next to Basic authentication and click OK to warning
> >    I did NOT choose Integrated Windows authentication (NTLM) because of the following:
> >       It is recommended that you use Basic authentication over NTLM because of two reasons. First, RPC over HTTP currently supports only NTLM - it doesn't support Kerberos. Second, if there is an HTTP Proxy or a firewall between the RPC over HTTP client and the RPC Proxy, which inserts via the pragma in the HTTP header, NTLM authentication will not work.
> >    I saved my settings
> >    I have a valid SSL certificate installed on the virtual server (for OWA in the first place)
> >
> > 3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
> >    Expand Web Sites, expand Default Web Site, right-click RPC, and then click Properties.
> >    Click the Directory Security tab, and then click Edit under Secure communications.
> >    Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box.
> >    Click OK, click Apply, and then click OK
> >
> > 4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER HTTP
> >    On the RPC proxy server, (my only Exchange Server box) start Registry Editor (Regedit).
> >    In the console tree, locate the following registry key:
> >
> >    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
> >
> >    In the details pane, right-click the ValidPorts subkey, and then click Modify.
> >    In Edit String, in the Value data box, type the following information:
> >
> >    ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
> >
> >    If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use the internal FQDN.
> >    (My external FQDN is company.DYNIP.COM (We use Dynip.com Dynamic DNS service)
> >
> > 5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry
> >    (NSPI interface protocol sequences - ncacn_http:6004)
> >
> > 5) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
> >    Done according to instructions in this link - //tinyurl.com/frarn
> >
> > 6) Finally I changed my current OWA SSL ISA 2004 rule to include the /RPC* folders (along with the /exchange/*; /exchweb/*; /public/* folders.
> >    I did this because OWA and RPC over HTTP are on the SAME server using the same SSL certificate (I installed an internal CA to issue the certificate for the OWA server. Users have to click YES to accept (Trust) the certificate, but it works fine.)
> >
> > I am thinking it is either my ISA 2004 rule or that I may need to move my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it is, could someone explain in detail, the steps to do either? I do not have IIS installed on my ISA 2004 box. Please let me know if there are any "Gotcha's" also.
> >
> > Thanks for any help in solving this.
> >
> > -Tom Rogers
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites: http://www.techgenix.com <http://www.techgenix.com/>
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
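Added example, not code from the isalist thread, from ISA Server or from Microsoft: a small pure-Python model of the three checks a reverse proxy such as ISA 2004 applies before it accepts a published server's certificate, as Jim Harrison lists them above (issuer present in the trusted roots store, certificate within its validity dates, certificate name matching the host the connection is made to). It replays the thread's situation on both hops of the published connection: Outlook reaching the ISA listener by the public name company.dynip.com, and ISA bridging to the name in the rule's "To" tab, EXCHANGE. The certificate records, CA names, trust-store contents and dates are constructed for the demo, and the two-hop reading of the rule is this example's assumption, not something the thread spells out.

```python
"""Model of the certificate checks an ISA-style reverse proxy applies.
Added example; certificate data, CA names and trust stores are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    """The certificate fields the checks need; a stand-in for a parsed X.509 cert."""
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san_dns: list[str] = field(default_factory=list)  # subjectAltName dNSName entries


def dns_id_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive; a wildcard is allowed
    only as the whole leftmost label, matches exactly one label, and needs at
    least two fixed labels after it (so "*.com" never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: Cert, host: str) -> bool:
    """When a certificate carries SAN dNSName entries only those count; the
    subject CN is consulted solely for legacy certificates without a SAN."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(dns_id_matches(n, host) for n in names)


def check_cert(cert: Cert, host: str, trusted_roots: set[str], now: datetime) -> list[str]:
    """Return the reasons the certificate would be rejected for a connection
    made to `host`; an empty list means it passes all three checks."""
    problems: list[str] = []
    if cert.issuer not in trusted_roots:
        problems.append("untrusted_ca")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("invalid_date")
    if not name_matches(cert, host):
        problems.append("name_mismatch")
    return problems


# Constructed scenario mirroring the thread: the certificate was issued by an
# internal CA to the server name EXCHANGE, while external users reach the
# published site as company.dynip.com. CA names and trust-store contents are
# assumptions made for the demo.
NOW = datetime(2006, 5, 26, tzinfo=timezone.utc)
VALID_FROM = datetime(2006, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2007, 1, 1, tzinfo=timezone.utc)
INTERNAL_CERT = Cert("EXCHANGE", "Company Internal Root CA", VALID_FROM, VALID_TO)
PUBLIC_CERT = Cert("company.dynip.com", "Public Root CA", VALID_FROM, VALID_TO,
                   san_dns=["company.dynip.com"])
EXPIRED_CERT = Cert("company.dynip.com", "Public Root CA",
                    datetime(2004, 1, 1, tzinfo=timezone.utc),
                    datetime(2005, 1, 1, tzinfo=timezone.utc))
CLIENT_ROOTS = {"Public Root CA"}                            # a road-warrior laptop
ISA_ROOTS = {"Public Root CA", "Company Internal Root CA"}  # internal CA root imported on ISA


def thread_scenario() -> dict[str, list[str]]:
    """Evaluate the certificate on each hop of the published connection."""
    return {
        # hop 1: Outlook -> ISA listener, requested by the public name
        "client_to_listener": check_cert(INTERNAL_CERT, "company.dynip.com", CLIENT_ROOTS, NOW),
        # hop 2: ISA -> Exchange, bridged to the name in the rule's "To" tab
        "isa_to_exchange": check_cert(INTERNAL_CERT, "EXCHANGE", ISA_ROOTS, NOW),
        # the fix the thread converges on: a public-CA certificate for the public name
        "fixed_listener": check_cert(PUBLIC_CERT, "company.dynip.com", CLIENT_ROOTS, NOW),
        # the date check, for completeness
        "expired_listener": check_cert(EXPIRED_CERT, "company.dynip.com", CLIENT_ROOTS, NOW),
    }


if __name__ == "__main__":
    for hop, problems in thread_scenario().items():
        print(f"{hop:18s} {'OK' if not problems else ', '.join(problems)}")
```

The first hop fails with both "untrusted_ca" and "name_mismatch", which is exactly the pair of alerts the browser shows for OWA and the reason a proxy that cannot prompt the user drops the connection silently; the second hop passes because the "To" name and the certificate name agree. Note that a certificate with a SAN is judged on the SAN alone, so re-issuing with the public name only in the CN while the SAN still lists the internal name would not help.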