[isalist] Re: RCP over HTTP Assistance needed

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 29 May 2006 11:32:40 -0700

http://www.ISAserver.org
-------------------------------------------------------

Dunno - C&P from a previous post... 

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Monday, May 29, 2006 11:09
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

http://www.ISAserver.org
-------------------------------------------------------
  
You mean 2) The security certificate date is invalid, right?

t


On 5/29/06 10:45 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> http://www.ISAserver.org
> -------------------------------------------------------
> 
> You said (and I quote from further down the thread):
> 
> 1) The security certificate is from an untrusted certifying authority
> 2) The security certificate date is valid
> 3) The name on the security certificate is invalid or does not match 
> the name of the site.
> 
> All of these generate a "500" error in ISA.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> Sent: Saturday, May 27, 2006 16:33
> To: isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
> 
> But Jim, I never saw a "500" error anywhere - if I saw this error 
> message, I would have tracked it down in the documentation. My OWA 
> rule work perfectly fine.
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> Sent: Sat 5/27/2006 1:48 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
> 
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>  
> You haven't followed the advice, books, or articles.
> If you had, you wouldn't be seeing the errors you're quoting.
> You've been getting the answers to the questions you ask.
> 
> Q - Why does ISA produce a "500" error for my OWA rule?
> 
> A1 - the certificate installed on ISA must be issued by a CA that is 
> in the local machine trusted root store.  This is equivalent to the IE "
> The security certificate is from an untrusted certifying authority"
> popup.  Install the CA cert in the ISA trusted root store.  If ISA has the 
> CA certificate installed in the local machine trusted root store, this 
> error will stop.  This error will cease if the CA cert is installed in 
> the ISA local machine trusted root store. Install the CA certificate 
> in the local machine trusted roots store and this error will stop.
> 
> A2 - the common name in the certificate does not match the data in the 
> "server" field of the "To" tab in the web publishing rule.  ISA gives 
> you a "target principal name is incorrect" error in this case.  This is 
> equivalent to the IE "The name on the security certificate is invalid 
> or does not match the name of the site" error.  Change the data in the 
> "server" field of the "To" tab in the web publishing rule to match the 
> common name in the certificate.  If you use the same data in the 
> "server field of the "To" tab of the web publishing rule as fond in 
> the Exch cert common name, this error will cease.  This error will 
> stop if the "server" field in the "To" tab of the web publishing rule matches 
> the common name of the certificate installed on the Exchange server.
> 
> A3 - the certificate errors have *nothing* to do with the path portion 
> of either the client request or the web publishing rule.  The path 
> portion of the web publishing rule is not in any way affecting ISA 
> server's ability to acquire or evaluate the certificate offered by the 
> Exch server.  The certificate offered by the Exch server has no 
> relationship to the path data in the web publishing rule.  There are 
> no errors related to the certificate offered by the web publishing 
> rule and the path specified in the rule or requested by the client.  
> There is nothing you can do to solve the non-existent errors that have no 
> relationship between these two things.
> 
> Go back and re-read the relevant sections in the book, articles and 
> KBs related to certificates and ISA server.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, May 26, 2006 7:53 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
> 
> Dynip.com will not allow me to obtain a Certificate from VeriSign or 
> any other public, trusted CA and apply it to our DDNS name
> (company.dynip.com)
> 
> If I have to get a certificate from VeriSign or any other public, 
> trusted CA, I will have to get a static IP.
> 
> BTW, I'm just wondering why most of the help I get on this discussion 
> list is so convoluted? When I ask a question, I never get a direct 
> answer, it's always some obscure, sometimes pretentious, sarcastic statement.
> 
> I really appreciate the free advice given here by you highly trained 
> experts on ISA, but for those of us who are rookies and are just 
> trying to get ISA working like it should, those of us who do not have 
> an IQ of 200, need something more. If someone asks, "How do you get 
> such and such a function to work right?", someone should be able to 
> say, "Do this, this, this, then that, then you should be fine." Or at 
> least give a direct link to a tutorial, whitepaper, tech note, 
> whatever. Instead of getting an answer like, "It's right there on the 
> website."
> 
> This is what I need to know:
> The certificate for my EXCHANGE box is installed on the ISA box - I 
> exported it from the EXCHANGE box and imported it into ISA. Is this not good 
> enough?
> All I want to know at this point is - can I use a certificate created 
> by an internal network CA for RPC over HTTP from the outside world, or 
> not. Do I have to have a 3rd party (ie: VeriSign) certificate to get 
> RPC over HTTP working from the outside? If so, I will go get a static 
> IP, get a registered domain name for that IP, get the certificate, and be 
> done with it.
> 
> But since OWA works fine with a certificate issued on my internal 
> network CA, why can't RPC over HTTP? I would like to know the WHY.
> 
> Thanx,
> 
> -TRogers
> 
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
> Sent: Fri 5/26/2006 4:44 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
> 
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> "Dynip.com will not allow certificates to be assigned to their 
> customer DNS records"?!?
> 
> Can you clarify this?
> Certificates are not assigned to DNS records at all.
> Are you saying that they don't support redirection to HTTPS?
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, May 26, 2006 1:11 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> OWA is working fine - no issues at all.
> 
> The certificate for the EXCHANGE box is installed on the ISA box - I 
> exported it from EXCHANGE and imported it into ISA. Is this not good enough?
> 
> And I was not recv'ing any error messages, not in the Event logs, not 
> on the screen, etc. The ONLY error I recv'd was "Your Exchange Server 
> is offline or not available." Not even any error messages in the 
> Outlook Client Connections box. If I had error messages coming at me, 
> I would be looking at the docs and KBs - no problem.
> 
> I'm not totally pathetic. ISA is the ONLY software I have had any 
> trouble mastering. I have read TShinders books, MS TechNet, White 
> Papers, etc and ISA know-how still eludes me for some reason.
> 
> So basically, in order to use RPC over HTTP from the outside I need to 
> obtain a 3rd party certificate from VeriSign or someone like that in 
> order for this to work?
> 
> If that is the case, I will also have to get a static IP because 
> Dynip.com will not allow certificates to be assigned to their customer DNS 
> records.
> 
> -TRogers
> 
> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Friday, May 26, 2006 3:47 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> http://www.ISAserver.org
>> -------------------------------------------------------
>> 
>> There are *lots* of documents describing how to configure OWA with 
>> ISA.
>> You're hitting the most common failures; that of not matching the 
>> certificate name to the request.
>> 
>> There are *lots* of documents & kbs that address the errors ISA is 
>> throwing at you - you're ignoring them by playing in the path when 
>> the errors are specifying "certificate".
>> 
>> All those errors are what ISA considers to be a bogus cert.
>> ISA will not accept a certificate that:
>> - is not from a CA that ISA can find in the local machine trusted 
>> roots store
>> - does not match the hostname used in the "To" tab of the publishing 
>> rule
>> 
>> ISA has no way to "ask the user" if he wants to allow a bogus 
>> certificate.
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Tom Rogers
>> Sent: Friday, May 26, 2006 12:37 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> http://www.ISAserver.org
>> -------------------------------------------------------
>> 
>> Ok, I was not able to create a 2nd listener as the IP port used was 
>> the same (443). So I added the /Rpc/* folder onto the original secure 
>> OWA ISA rule - again.
>> 
>> Still cannot get it to connect from the outside world. Client setup 
>> is verified accurate. Once again, with ISA 2004, I am clueless.
>> 
>> This is the hardest to use/configure piece of software I have ever 
>> used in my life.
>> 
>> I don't get it, RPC over HTTP works fine from the inside, which means 
>> it's ISA 2004, but what, where, how, when, why?
>> I've no idea.
>> 
>> Maybe - because I am using an SSL Certificate that was issued by a CA
>> *INSIDE* my internal network, not a public CA, could this be the 
>> issue?
>> When I use OWA, I have to click YES on the security alert pop up 
>> message. This says:
>> 
>> 1) The security certificate is from an untrusted certifying authority
>> 2) The security certificate date is valid
>> 3) The name on the security certificate is invalid or does not match 
>> the name of the site.
>> 
>> On item #3, the Certificate has been issued to an internal server 
>> called EXCHANGE (name on the certificate) and in order to get to this 
>> box via the Internet/ISA 2004, the URL I use is company.dynip.com - 
>> which of course is not the same name as EXCHANGE.
>> 
>> I'm lost...
>> 
>> -TRogers
>> 
>> 
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Friday, May 26, 2006 2:16 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>> 
>>> http://www.ISAserver.org
>>> -------------------------------------------------------
>>> 
>>> Yes.
>>> From my boat somewhere in Texas
>>> 
>>> -----Original Message-----
>>> From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
>>> Sent: 5/26/06 1:00:04 PM
>>> To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>> 
>>> Tom,
>>> 
>>> Should the Authentication on the new listener be BASIC?
>>> 
>>> -TRogers
>>> 
>>> 
>>> 
>>> ________________________________
>>> 
>>>     From: isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>     Sent: Friday, May 26, 2006 9:55 AM
>>>     To: isalist@xxxxxxxxxxxxx
>>>     Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>   
>>>   
>>>     You can't use FBA on the same listener that the
>> RPC/HTTP WPR uses.
>>>    
>>>     Tom
>>>    
>>>     Thomas W Shinder, M.D.
>>>     Site: http://www.isaserver.org/
>>>     Blog: http://blogs.isaserver.org/shinder/
>>>     Book: http://tinyurl.com/3xqb7
>>>     MVP -- ISA Firewalls
>>> 
>>>    
>>> 
>>> 
>>> ________________________________
>>> 
>>>             From: isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>             Sent: Friday, May 26, 2006 8:19 AM
>>>             To: isalist@xxxxxxxxxxxxx
>>>             Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>           
>>>           
>>>             Ok - duh had a brain cramp.
>>>            
>>>             Anyway - it works fine internally - so it has
>> to be my ISA rule.
>>> Now, how do I correct that? Is it possible for me to use
>> the current
>>> OWA access rule that I have in place and just add the
>> /RPC/* folder to
>>> the list or what?
>>> Below is how my rule is setup for OWA and RPC over HTTP...
>>>            
>>>             General - Company OWA (Enable)
>>>             Action - Allow (Log Requests)
>>>             From - Anywhere
>>>             To - EXCHANGE (Forward the original host
>>> header) (Requests appear to come from ISA)
>>>             Traffic - HTTPS (Require 128 bit encryption)
>> (Filtering, configure
>>> HTTP - all defaults)
>>>             Listener - Secure HTTPS Listener Exchange
>> (Networks - external; HTTP
>>> disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA 
>>> Forms Based; Always Authenticate - No; Domain -
>>> Company.net)
>>>             Public Name - company.dynip.com (Requests for
>> the following
>>> websites)
>>>             Paths - /exchange/*   /exchweb/*   /public/*   /Rpc*
>>> /RpcWithCert*
>>>             Bridging - Web Server, Redirect SSL to 443 (Only)
>>>             Users - All Users
>>>             Schedule - Always
>>>             Link Translation - Defaults
>>>            
>>>             Thanx,
>>>            
>>>             -TRogers
>>>            
>>>            
>>> 
>>> 
>>> ________________________________
>>> 
>>>                     From: isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>>>                     Sent: Thursday, May 25, 2006 4:06 PM
>>>                     To: ISA Mailing List
>>>                     Subject: [isalist] Re: RCP over HTTP
>> Assistance needed
>>>                
>>>                
>>> 
>>>                     You change the connection type within
>> the properties of the Outlook
>>> profile.
>>> 
>>>                
>>> 
>>>                     S
>>> 
>>>                
>>> 
>>> ________________________________
>>> 
>>>                     From: isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>                     Sent: Thursday, May 25, 2006 4:59 PM
>>>                     To: ISA Mailing List
>>>                     Subject: RE: [isalist] Re: RCP over
>> HTTP Assistance needed
>>> 
>>>                
>>> 
>>>                     Not sure how to connect internally
>> using HTTPS with Outlook 2003.
>>> OWA works fine internally. I can browse to the RPC virtual
>> server on
>>> the intranet and I can connect fine (as per Microsoft's
>> instructions)
>>> 
>>>                
>>> 
>>>                     Security policies are fine.
>>> 
>>>                
>>> 
>>>                     -TRogers
>>> 
>>>                
>>> 
>>> ________________________________
>>> 
>>>                     From: isalist-bounce@xxxxxxxxxxxxx on
>> behalf of Young, Gerald G
>>>                     Sent: Thu 5/25/2006 3:40 PM
>>>                     To: isalist@xxxxxxxxxxxxx
>>>                     Subject: [isalist] Re: RCP over HTTP
>> Assistance needed
>>> 
>>>                     http://www.ISAserver.org
>>>   
>>> -------------------------------------------------------
>>>                
>>>                     Tom,
>>>                
>>>                     Did you try connecting internally to
>> your mailbox using RPC/HTTPS?
>>> Does
>>>                     that work?
>>>                
>>>                     Also, check the Network security: LAN
>> Manager authentication level
>>> in
>>>                     the security policy on both the server
>> and the client(s).  Are they
>>>                     compatible?
>>>                
>>>                     Cordially yours,
>>>                     Jerry G. Young II
>>>                       MCSE (4.0/W2K)
>>>                     Atlanta EES Implementation Team Lead
>>>                     ECNS Microsoft Engineering
>>>                     Unisys
>>>                
>>>                     11493 Sunset Hills Rd.
>>>                     Reston, VA 20190
>>>                     Office: 703-579-2727
>>>                     Cell: 703-625-1468
>>>                
>>>                     THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL 
>>> AND/OR OTHERWISE PROPRIETARY
>>>                     MATERIAL and is thus for use only by
>> the intended recipient. If you
>>>                     received this in error, please contact
>> the sender and delete the
>>> e-mail
>>>                     and its attachments from all computers.
>>>                
>>>                     -----Original Message-----
>>>                     From: isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>                     On Behalf Of Tom Rogers
>>>                     Sent: Thursday, May 25, 2006 11:49 AM
>>>                     To: isalist@xxxxxxxxxxxxx
>>>                     Subject: [isalist] RCP over HTTP Assistance 
>>> needed
>>>                
>>>                     http://www.ISAserver.org
>>>   
>>> -------------------------------------------------------
>>>                
>>>                     Ok, I have been trying to implement RPC
>> over HTTP so that my road
>>>                     warrior users can connect to the internet then 
>>> use Outlook 2003 without
>>>                     VPN. Things have not gone as expected,
>> I keep getting a "Microsoft
>>>                     Exchange Server is unavailable" error message.
>>> Looking at the Connection
>>>                     Status when trying to connect Outlook
>>> 2003 to the Exchange server, I get
>>>                     the following...
>>>                
>>>                     SERVER                  TYPE          CON     STATUS
>>>                     ------                  ----          ---     ------
>>>                
>>>                     ----                    Directory     ----    Connecting
>>>                     server.internal.net     Referral      ----    Connecting
>>>                
>>>                     Then these disappear and I get the
>> "Microsoft Exchange Server is
>>>                     unavailable" error.
>>>                
>>>                
>>>                     I walked through all of Microsoft's
>> troubleshooting steps and using
>>>                     RPCDUMP.EXE on the Exchange box, this
>> is what I found...
>>>                
>>>                     ncacn_http(Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)
>>>                
>>>                     192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
>>>                     192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
>>>                     192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
>>>                     192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
>>>                     192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
>>>                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
>>>                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>                     192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>                     192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>                     192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>                
>>>                     Ok so let me start at the beginning now...
>>>                
>>>                     ENVIRONMENT
>>>                     -----------
>>>                          (OUTSIDE WORLD)             (PERIMETER)
>>>                     (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS
>>> EACH)
>>>                
>>>                     Client PC ---> INTERNET ---> ISA 2004 SP2 Server
>>> ---> Exchange Server
>>>                     2003 SP2 -----> W2K3 SP-1 Domain 
>>> Controller/Global Catalog Server 1
>>>                      XP SP-2                          W2K3 SP-1
>>> W2K3 SP-1
>>>                     \
>>>                
>>>                     --> W2K3 SP-1 Domain Controller/Global
>> Catalog Server 2
>>>                
>>>                     How I setup RPC over HTTP (Server Side)...
>>>                     ---------------------------------------
>>>                     1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
>>>                             On my Exchange server (my ONLY
>>> one) I installed the RPC over
>>>                     HTTP component from the Add/Remove
>> Programs - Windows Components
>>>                
>>>                     2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
>>>                             In Internet Information Services (IIS) 
>>> Manager, right-click the
>>>                     RPC virtual directory, and then click
>> Properties.
>>>                             In the RPC Virtual Directory
>> Properties page, on the
>>> Directory
>>>                     Security tab, in the Authentication and
>> access control pane, click
>>> Edit.
>>>                
>>>                             In the Authentication Methods
>> window, verify that the check
>>> box
>>>                     next to Enable anonymous access is cleared.
>>>                             In the Authentication Methods
>> window, under Authenticated
>>>                     access, select the check box next to
>> Basic authentication and click
>>> OK
>>>                     to warning
>>>                             I did NOT choose Integrated
>> Windows authentication (NTLM)
>>>                     because of the following:
>>>                                     It is recommended that
>> you use Basic authentication
>>> over
>>>                     NTLM because of two reasons. First, RPC
>> over HTTP currently
>>> supports
>>>                     only NTLM - it
>>>                                     doesn't support Kerberos.
>>> Second, if there is an HTTP
>>>                     Proxy or a firewall between the RPC
>> over HTTP client and the RPC
>>> Proxy,
>>>                     which inserts
>>>                                     via the pragma in the
>> HTTP header, NTLM
>>> authentication
>>>                     will not work.
>>>                             I saved my settings
>>>                             I have a valid SSL certificate
>> installed on the virtual
>>> server
>>>                     (for OWA in the first place)
>>>                
>>>                     3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
>>>                             Expand Web Sites, expand Default Web 
>>> Site, right-click RPC, and
>>>                     then click Properties.
>>>                             Click the Directory Security
>> tab, and then click Edit under
>>>                     Secure communications.
>>>                             Click to select the Require
>> secure channel (SSL) check box
>>> and
>>>                     the Require 128-bit encryption check box.
>>>                             Click OK, click Apply, and then click OK
>>>                
>>>                     4) CONFIGURE THE RPC PROXY SERVER TO
>> USE SPECIFIED PORTS FOR RPC
>>> OVER
>>>                     HTTP
>>>                             On the RPC proxy server, (my
>> only Exchange Server box)
>>> start
>>>                     Registry Editor (Regedit).
>>>                             In the console tree, locate the
>> following registry key:
>>>   
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
>>>                             In the details pane, right-click the 
>>> ValidPorts subkey, and then
>>>                     click Modify.
>>>                             In Edit String, in the Value
>> data box, type the following
>>>                     information:
>>>                
>>>                     ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
>>>                                             If the FQDN that is used 
>>> to access the server
>>>                     from the Internet differs from the internal 
>>> FQDN, you must use the
>>>                     internal FQDN.
>>>                                             (My external FQDN is 
>>> company.DYNIP.COM (We use
>>>                     Dynip.com Dynamic DNS service)
>>>                
>>>                     5) I added this Multi-String Key to the GLOBAL 
>>> CATALOG/DC #1's registry
>>>                     (NSPI interface protocol sequences -
>>> ncacn_http:6004)
>>>                
>>>                     5) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
>>>                             Done according to instructions in this 
>>> link -
>>>                     //tinyurl.com/frarn
>>>                
>>>                     6) Finally I changed my current OWA SSL ISA 2004 
>>> rule to include to
>>>                     /RPC* folders (along with the /exchange/*; 
>>> /exchweb/*; /public/*
>>>                     folders.
>>>                             I did this because OWA and RPC over HTTP 
>>> are on the SAME server
>>>                     using the same SSL certificate (I installed an 
>>> internal CA to issue the
>>>                     certificate
>>>                             for the OWA server. User have to click 
>>> YES to accept (Trust) the
>>>                     certificate, but it works fine.)
>>>                
>>>                     I am thinking it is either my ISA 2004 rule or 
>>> that I may need to move
>>>                     my RPC over HTTP Proxy (IIS) to the ISA
>>> 2004 box. No matter which one it
>>>                     is, could someone explain in detail, the steps 
>>> to do either? I do not
>>>                     have IIS installed on my ISA 2004 box.
>>> Please let me know if there are
>>>                     any "Gotcha's" also.
>>>                
>>>                     Thanks for any help in solving this.
>>>                
>>>                     -Tom Rogers
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 
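The thread keeps returning to two certificate checks that ISA performs on the back-end hop of a web publishing rule (the issuing CA must be in ISA's local machine trusted root store, and the certificate name must match the "server" field on the rule's "To" tab), and to the fact that a browser can prompt the user past the same failures while ISA cannot. The model below is an added example, not code from this thread, from ISA Server or from Microsoft. It treats both hops of a published HTTPS site with the same three checks the IE prompt lists (issuer trust, validity dates, name match), keeps the publishing path out of the check entirely, and returns what each hop would see. Chain building is simplified to an issuer-name lookup in a set that stands in for the trusted root store; the certificate, CA name, rule and dates are constructed sample values.

```python
"""Model of the two TLS hops behind an ISA 2004 web publishing rule.

Added example; not code from the isalist thread, ISA Server or Microsoft.
Trust is modelled as "issuer name present in the trust store", a
simplification of real chain validation. All names and dates are
constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    sans: tuple = ()            # subjectAltName DNS entries, if any


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive DNS name match. A '*' is accepted only as the whole
    left-most label and matches exactly one label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(host) > 1 and host[1:] == pat[1:]
    return host == pat


def cert_errors(cert: Cert, expected_name: str, trusted_cas, now: datetime) -> list:
    """The failures, in the order the IE security prompt lists them."""
    errors = []
    if cert.issuer not in trusted_cas:
        errors.append("untrusted_ca")
    if not (cert.not_before <= now <= cert.not_after):
        errors.append("date_invalid")
    names = (cert.subject_cn,) + tuple(cert.sans)
    if not any(hostname_matches(expected_name, n) for n in names):
        errors.append("name_mismatch")
    return errors


@dataclass(frozen=True)
class PublishingRule:
    public_name: str            # what the external client types (Public Name tab)
    to_server: str              # "server" field on the To tab
    listener_cert: Cert         # certificate bound to the HTTPS listener
    paths: tuple = ()           # deliberately unused: paths do not affect cert checks


def diagnose(rule: PublishingRule, backend_cert: Cert, isa_trusted_cas,
             client_trusted_cas, now: datetime) -> dict:
    """Client hop: browser <-> ISA listener, checked against the public name.
    ISA hop: ISA <-> published server, checked against the To-tab name.
    The browser can prompt the user through its errors; ISA cannot, so any
    error on its hop ends the request (the thread's "500")."""
    client_hop = cert_errors(rule.listener_cert, rule.public_name, client_trusted_cas, now)
    isa_hop = cert_errors(backend_cert, rule.to_server, isa_trusted_cas, now)
    return {"client_hop": client_hop, "isa_hop": isa_hop,
            "isa_error": "500" if isa_hop else None}


# Constructed sample values (hypothetical CA name, dates and rule).
UTC = timezone.utc
NOW = datetime(2006, 5, 26, tzinfo=UTC)
INTERNAL_CA = "CN=company-CA"
EXCHANGE_CERT = Cert("EXCHANGE", INTERNAL_CA,
                     datetime(2006, 1, 1, tzinfo=UTC), datetime(2007, 1, 1, tzinfo=UTC))
EXPIRED_CERT = Cert("EXCHANGE", INTERNAL_CA,
                    datetime(2004, 1, 1, tzinfo=UTC), datetime(2005, 1, 1, tzinfo=UTC))
RULE = PublishingRule(public_name="company.dynip.com", to_server="EXCHANGE",
                      listener_cert=EXCHANGE_CERT,
                      paths=("/exchange/*", "/exchweb/*", "/public/*", "/Rpc/*"))


def sample_scenario():
    """Before: only the server certificate was imported into ISA, not its CA.
    After: the internal CA certificate sits in ISA's trusted root store."""
    before = diagnose(RULE, EXCHANGE_CERT, frozenset(), frozenset(), NOW)
    after = diagnose(RULE, EXCHANGE_CERT, frozenset({INTERNAL_CA}), frozenset(), NOW)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), sample_scenario()):
        print(label, result)
```

Note what the model makes visible: importing the CA certificate fixes the ISA hop, while the client hop still reports both an untrusted CA and a name mismatch, because the listener presents a certificate issued to EXCHANGE under the public name company.dynip.com. A browser prompts and the user clicks through; a non-interactive client gets no prompt.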


All mail to and from this domain is GFI-scanned.
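Step 4 of the server-side setup quoted in the thread edits the RpcProxy ValidPorts registry value, which decides which back-end host:port pairs the RPC proxy will forward to, and warns that the internal FQDN, not the Internet-facing one, must be used. The parser and checker below are an added example, not code from the thread or from Microsoft. They accept the semicolon-separated Host:Port / Host:Low-High format the thread shows, reject a malformed entry instead of silently skipping it, report which (host, port) pairs are still missing for the 6001-6002 and 6004 endpoints the thread's instructions use, and flag entries that use the external name. The host names and both sample values are constructed.

```python
"""Parse and check an RpcProxy ValidPorts value.

Added example; not code from the isalist thread or from Microsoft. The
format is the one the thread's instructions show. Host names and sample
values are constructed.
"""
import re

ENTRY = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.\-]*):(\d+)(?:-(\d+))?$")
REQUIRED_PORTS = (6001, 6002, 6004)   # store and NSPI proxy ports from the thread


def parse_valid_ports(value: str) -> dict:
    """Return {hostname_lower: set_of_ports}.

    Raises ValueError on a malformed entry (e.g. a host name containing a
    space) rather than skipping it, since a skipped entry is a silent hole."""
    ports_by_host = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate the trailing ';' in the thread's value
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        host, low = m.group(1).lower(), int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        ports_by_host.setdefault(host, set()).update(range(low, high + 1))
    return ports_by_host


def missing_entries(ports_by_host: dict, server_names, required=REQUIRED_PORTS) -> list:
    """(host, port) pairs the RPC proxy would still refuse to forward."""
    missing = []
    for name in server_names:
        have = ports_by_host.get(name.lower(), set())
        missing.extend((name, p) for p in required if p not in have)
    return missing


def external_names_present(ports_by_host: dict, external_names) -> list:
    """Entries that use an Internet-facing name; the thread says the
    internal FQDN must be used instead."""
    external = {n.lower() for n in external_names}
    return sorted(h for h in ports_by_host if h in external)


def check_valid_ports(value: str, server_names, external_names=()) -> dict:
    parsed = parse_valid_ports(value)
    return {"missing": missing_entries(parsed, server_names),
            "external": external_names_present(parsed, external_names)}


# Constructed sample values: a complete entry and one that mixes in the
# external DDNS name and leaves the internal FQDN without any ports.
GOOD_VALUE = ("EXCHANGE:6001-6002;exchange.company.net:6001-6002;"
              "EXCHANGE:6004;exchange.company.net:6004;")
BAD_VALUE = "EXCHANGE:6001-6002;company.dynip.com:6001-6002;EXCHANGE:6004"
SERVER_NAMES = ("EXCHANGE", "exchange.company.net")
EXTERNAL_NAMES = ("company.dynip.com",)

if __name__ == "__main__":
    for value in (GOOD_VALUE, BAD_VALUE):
        print(value, "->", check_valid_ports(value, SERVER_NAMES, EXTERNAL_NAMES))
```

Run against the value copied out of Regedit, the checker answers the two questions the thread's instructions raise: is every name the client may be referred to listed with every required port, and did the external name slip in where the internal FQDN belongs.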
