[isalist] Re: RCP over HTTP Assistance needed

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 29 May 2006 15:44:11 -0300

http://www.ISAserver.org
-------------------------------------------------------

Don't your dates get certificated??

S...:)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, May 29, 2006 3:37 PM
To: ISA Mailing List
Subject: [isalist] Re: RCP over HTTP Assistance needed

  
I would hope that a valid certificate date wouldn't cause a 500 ;)

t


On 5/29/06 11:32 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> 
> Dunno - C&P from a previous post...
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of 
> God)
> Sent: Monday, May 29, 2006 11:09
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
> 
>   
> You mean 2) The security certificate date is invalid, right?
> 
> t
> 
> 
> On 5/29/06 10:45 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
>> 
>> You said (and I quote from further down the thread):
>> 
>> 1) The security certificate is from an untrusted certifying authority
>> 2) The security certificate date is valid
>> 3) The name on the security certificate is invalid or does not match 
>> the name of the site.
>> 
>> All of these generate a "500" error in ISA.
>> 
>> -------------------------------------------------------
>>    Jim Harrison
>>    MCP(NT4, W2K), A+, Network+, PCG
>>    http://isaserver.org/Jim_Harrison/
>>    http://isatools.org
>>    Read the help / books / articles!
>> -------------------------------------------------------
>>  
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>> Sent: Saturday, May 27, 2006 16:33
>> To: isalist@xxxxxxxxxxxxx
>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> But Jim, I never saw a "500" error anywhere - if I saw this error 
>> message, I would have tracked it down in the documentation. My OWA 
>> rule work perfectly fine.
>>  
>> 
>> ________________________________
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
>> Sent: Sat 5/27/2006 1:48 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> 
>> 
>>  
>> You haven't followed the advice, books, or articles.
>> If you had, you wouldn't be seeing the errors you're quoting.
>> You've been getting the answers to the questions you ask.
>> 
>> Q - Why does ISA produce a "500" error for my OWA rule?
>> 
>> A1 - the certificate installed on ISA must be issued by a CA that is
>> in the local machine trusted root store.  This is equivalent to the IE
>> "The security certificate is from an untrusted certifying authority"
>> popup.  Install the CA cert in the ISA trusted root store.  If ISA has
>> the CA certificate installed in the local machine trusted root store,
>> this error will stop.  This error will cease if the CA cert is
>> installed in the ISA local machine trusted root store.  Install the CA
>> certificate in the local machine trusted roots store and this error
>> will stop.
>> 
>> A2 - the common name in the certificate does not match the data in
>> the "server" field of the "To" tab in the web publishing rule.  ISA
>> gives you a "target principal name is incorrect" in this case.  This
>> is equivalent to the IE "The name on the security certificate is
>> invalid or does not match the name of the site" error.  Change the
>> data in the "server" field of the "To" tab in the web publishing rule
>> to match the common name in the certificate.  If you use the same
>> data in the "server" field of the "To" tab of the web publishing rule
>> as found in the Exch cert common name, this error will cease.  This
>> error will stop if the "server" field in the "To" tab of the web
>> publishing rule matches the common name of the certificate installed
>> on the Exchange server.
>> 
>> A3 - the certificate errors have *nothing* to do with the path
>> portion of either the client request or the web publishing rule.  The
>> path portion of the web publishing rule is not in any way affecting
>> ISA server's ability to acquire or evaluate the certificate offered by
>> the Exch server.  The certificate offered by the Exch server has no
>> relationship to the path data in the web publishing rule.  There are
>> no errors related to the certificate offered by the web publishing
>> rule and the path specified in the rule or requested by the client.
>> There is nothing you can do to solve the non-existent errors that
>> have no relationship between these two things.
>> 
>> Go back and re-read the relevant sections in the book, articles and 
>> KBs related to certificates and ISA server.
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Tom Rogers
>> Sent: Friday, May 26, 2006 7:53 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> Dynip.com will not allow me to obtain a Certificate from VeriSign or 
>> any other public, trusted CA and apply it to our DDNS name
>> (company.dynip.com)
>> 
>> If I have to get a certificate from VeriSign or any other public, 
>> trusted CA, I will have to get a static IP.
>> 
>> BTW, I'm just wondering why most of the help I get on this discussion
>> list is so convoluted? When I ask a question, I never get a direct
>> answer, it's always some obscure, sometimes pretentious, sarcastic
>> statement.
>> 
>> I really appreciate the free advice given here by you highly trained
>> experts on ISA, but for those of us who are rookies and are just
>> trying to get ISA working like it should, those of us who do not
>> have an IQ of 200, need something more. If someone asks, "How do you
>> get such and such a function to work right?", someone should be able
>> to say, "Do this, this, this, then that, then you should be fine." Or
>> at least give a direct link to a tutorial, whitepaper, tech note,
>> whatever. Instead of getting an answer like, "It's right there on the
>> website."
>> 
>> This is what I need to know:
>> The certificate for my EXCHANGE box is installed on the ISA box - I 
>> exported it from the EXCHANGE box and imported it into ISA. Is this 
>> not good enough?
>> All I want to know at this point is - can I use a certificate created
>> by an internal network CA for RPC over HTTP from the outside world,
>> or not. Do I have to have a 3rd party (ie: VeriSign) certificate to 
>> get RPC over HTTP working from the outside? If so, I will go get a 
>> static IP, get a registered domain name for that IP, get the 
>> certificate, and be done with it.
>> 
>> But since OWA works fine with a certificate issued on my internal 
>> network CA, why can't RPC over HTTP? I would like to know the WHY.
>> 
>> Thanx,
>> 
>> -TRogers
>> 
>> 
>> ________________________________
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
>> Sent: Fri 5/26/2006 4:44 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> 
>> 
>> 
>> "Dynip.com will not allow certificates to be assigned to their 
>> customer DNS records"?!?
>> 
>> Can you clarify this?
>> Certificates are not assigned to DNS records at all.
>> Are you saying that they don't support redirection to HTTPS?
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Tom Rogers
>> Sent: Friday, May 26, 2006 1:11 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>> 
>> 
>> OWA is working fine - no issues at all.
>> 
>> The certificate for the EXCHANGE box is installed on the ISA box - I
>> exported it from EXCHANGE and imported it into ISA. Is this not good
>> enough?
>> 
>> And I was not recv'ing any error messages, not in the Event logs, not
>> on the screen, etc. The ONLY error I recv'd was "Your Exchange Server
>> is offline or not available." Not even any error messages in the
>> Outlook Client Connections box. If I had error messages coming at me,
>> I would be looking at the docs and KBs - no problem.
>> 
>> I'm not totally pathetic. ISA is the ONLY software I have had any 
>> trouble mastering. I have read TShinders books, MS TechNet, White 
>> Papers, etc and ISA know-how still eludes me for some reason.
>> 
>> So basically, in order to use RPC over HTTP from the outside I need 
>> to obtain a 3rd party certificate from VeriSign or someone like that 
>> in order for this to work?
>> 
>> If that is the case, I will also have to get a static IP because 
>> Dynip.com will not allow certificates to be assigned to their 
>> customer DNS records.
>> 
>> -TRogers
>> 
>> 
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Friday, May 26, 2006 3:47 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>> 
>>> 
>>> There are *lots* of documents describing how to configure OWA with 
>>> ISA.
>>> You're hitting the most common failures; that of not matching the 
>>> certificate name to the request.
>>> 
>>> There are *lots* of documents & kbs that address the errors ISA is
>>> throwing at you - you're ignoring them by playing in the path when
>>> the errors are specifying "certificate".
>>> 
>>> All those errors are what ISA considers to be a bogus cert.
>>> ISA will not accept a certificate that:
>>> - is not from a CA that ISA can find in the local machine trusted 
>>> roots store
>>> - does not match the hostname used in the "To" tab of the publishing
>>> rule
>>> 
>>> ISA has no way to "ask the user" if he wants to allow a bogus 
>>> certificate.
>>> 
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Tom Rogers
>>> Sent: Friday, May 26, 2006 12:37 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>> 
>>> 
>>> Ok, I was not able to create a 2nd listener as the IP port used was 
>>> the same (443). So I added the /Rpc/* folder onto the original 
>>> secure OWA ISA rule - again.
>>> 
>>> Still cannot get it to connect from the outside world. Client setup 
>>> is verified accurate. Once again, with ISA 2004, I am clueless.
>>> 
>>> This is the hardest to use/configure piece of software I have ever 
>>> used in my life.
>>> 
>>> I don't get it, RPC over HTTP works fine from the inside, which 
>>> means it's ISA 2004, but what, where, how, when, why?
>>> I've no idea.
>>> 
>>> Maybe - because I am using an SSL Certificate that was issued by a 
>>> CA
>>> *INSIDE* my internal network, not a public CA, could this be the 
>>> issue?
>>> When I use OWA, I have to click YES on the security alert pop up 
>>> message. This says:
>>> 
>>> 1) The security certificate is from an untrusted certifying authority
>>> 2) The security certificate date is valid
>>> 3) The name on the security certificate is invalid or does not match
>>> the name of the site.
>>> 
>>> On item #3, the Certificate has been issued to an internal server
>>> called EXCHANGE (name on the certificate) and in order to get to
>>> this box via the Internet/ISA 2004, the URL I use is
>>> company.dynip.com - which of course is not the same name as
>>> EXCHANGE.
>>> 
>>> I'm lost...
>>> 
>>> -TRogers
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Friday, May 26, 2006 2:16 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> 
>>>> Yes.
>>>> From my boat somewhere in Texas
>>>> 
>>>> -----Original Message-----
>>>> From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
>>>> Sent: 5/26/06 1:00:04 PM
>>>> To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> Tom,
>>>> 
>>>> Should the Authentication on the new listener be BASIC?
>>>> 
>>>> -TRogers
>>>> 
>>>> 
>>>> 
>>>> ________________________________
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Friday, May 26, 2006 9:55 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> You can't use FBA on the same listener that the RPC/HTTP WPR uses.
>>>> 
>>>> Tom
>>>> 
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>> 
>>>>    
>>>> 
>>>> 
>>>> ________________________________
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>> Sent: Friday, May 26, 2006 8:19 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> Ok - duh, had a brain cramp.
>>>> 
>>>> Anyway - it works fine internally - so it has to be my ISA rule.
>>>> Now, how do I correct that? Is it possible for me to use the current
>>>> OWA access rule that I have in place and just add the /RPC/* folder to
>>>> the list or what?
>>>> Below is how my rule is setup for OWA and RPC over HTTP...
>>>> 
>>>> General - Company OWA (Enable)
>>>> Action - Allow (Log Requests)
>>>> From - Anywhere
>>>> To - EXCHANGE (Forward the original host header) (Requests appear to
>>>> come from ISA)
>>>> Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure
>>>> HTTP - all defaults)
>>>> Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP
>>>> disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA
>>>> Forms Based; Always Authenticate - No; Domain - Company.net)
>>>> Public Name - company.dynip.com (Requests for the following websites)
>>>> Paths - /exchange/*   /exchweb/*   /public/*   /Rpc*   /RpcWithCert*
>>>> Bridging - Web Server, Redirect SSL to 443 (Only)
>>>> Users - All Users
>>>> Schedule - Always
>>>> Link Translation - Defaults
>>>> 
>>>> Thanx,
>>>> 
>>>> -TRogers
>>>> 
>>>> 
>>>> 
>>>> ________________________________
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>>>> Sent: Thursday, May 25, 2006 4:06 PM
>>>> To: ISA Mailing List
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> You change the connection type within the properties of the Outlook
>>>> profile.
>>>> 
>>>> S
>>>> 
>>>> 
>>>> ________________________________
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>> Sent: Thursday, May 25, 2006 4:59 PM
>>>> To: ISA Mailing List
>>>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>> Not sure how to connect internally using HTTPS with Outlook 2003.
>>>> OWA works fine internally. I can browse to the RPC virtual server on
>>>> the intranet and I can connect fine (as per Microsoft's instructions)
>>>> 
>>>> Security policies are fine.
>>>> 
>>>> -TRogers
>>>> 
>>>> 
>>>> ________________________________
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
>>>> Sent: Thu 5/25/2006 3:40 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>> 
>>>>               
>>>> Tom,
>>>> 
>>>> Did you try connecting internally to your mailbox using RPC/HTTPS?
>>>> Does that work?
>>>> 
>>>> Also, check the Network security: LAN Manager authentication level
>>>> in the security policy on both the server and the client(s).  Are they
>>>> compatible?
>>>> 
>>>> Cordially yours,
>>>> Jerry G. Young II
>>>>   MCSE (4.0/W2K)
>>>> Atlanta EES Implementation Team Lead
>>>> ECNS Microsoft Engineering
>>>> Unisys
>>>> 
>>>> 11493 Sunset Hills Rd.
>>>> Reston, VA 20190
>>>> Office: 703-579-2727
>>>> Cell: 703-625-1468
>>>> 
>>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>>>> MATERIAL and is thus for use only by the intended recipient. If you
>>>> received this in error, please contact the sender and delete the
>>>> e-mail and its attachments from all computers.
>>>>               
>>>> -----Original Message-----
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Tom Rogers
>>>> Sent: Thursday, May 25, 2006 11:49 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] RCP over HTTP Assistance needed
>>>>               
>>>>               
>>>> Ok, I have been trying to implement RPC over HTTP so that my road
>>>> warrior users can connect to the internet then use Outlook 2003 without
>>>> VPN. Things have not gone as expected, I keep getting a "Microsoft
>>>> Exchange Server is unavailable" error message. Looking at the Connection
>>>> Status when trying to connect Outlook 2003 to the Exchange server, I get
>>>> the following...
>>>> 
>>>> SERVER                  TYPE          CON    STATUS
>>>> ------                  ----          ---    ------
>>>> 
>>>> ----                    Directory     ----   Connecting
>>>> server.internal.net     Referral      ----   Connecting
>>>> 
>>>> Then these disappear and I get the "Microsoft Exchange Server is
>>>> unavailable" error.
>>>> 
>>>> 
>>>> I walked through all of Microsoft's troubleshooting steps and using
>>>> RPCDUMP.EXE on the Exchange box, this is what I found...
>>>>               
>>>> ncacn_http(Connection-oriented TCP/IP using Microsoft Internet
>>>> Information Server as HTTP proxy.)
>>>> 
>>>> 192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
>>>> 
>>>> 192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
>>>> 192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>>               
>>>> Ok so let me start at the beginning now...
>>>> 
>>>> ENVIRONMENT
>>>> -----------
>>>> (OUTSIDE WORLD)              (PERIMETER)            (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
>>>> 
>>>> Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
>>>>  XP SP-2                     W2K3 SP-1               W2K3 SP-1                   \
>>>>                                                                                   --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
>>>>               
>>>> How I setup RPC over HTTP (Server Side)...
>>>> ---------------------------------------
>>>> 1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
>>>>     On my Exchange server (my ONLY one) I installed the RPC over
>>>>     HTTP component from the Add/Remove Programs - Windows Components
>>>> 
>>>> 2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
>>>>     In Internet Information Services (IIS) Manager, right-click the
>>>>     RPC virtual directory, and then click Properties.
>>>>     In the RPC Virtual Directory Properties page, on the Directory
>>>>     Security tab, in the Authentication and access control pane, click
>>>>     Edit.
>>>> 
>>>>     In the Authentication Methods window, verify that the check box
>>>>     next to Enable anonymous access is cleared.
>>>>     In the Authentication Methods window, under Authenticated
>>>>     access, select the check box next to Basic authentication and click
>>>>     OK to warning
>>>>     I did NOT choose Integrated Windows authentication (NTLM)
>>>>     because of the following:
>>>>         It is recommended that you use Basic authentication over
>>>>         NTLM because of two reasons. First, RPC over HTTP currently
>>>>         supports only NTLM - it doesn't support Kerberos. Second, if
>>>>         there is an HTTP Proxy or a firewall between the RPC over HTTP
>>>>         client and the RPC Proxy, which inserts via the pragma in the
>>>>         HTTP header, NTLM authentication will not work.
>>>>     I saved my settings
>>>>     I have a valid SSL certificate installed on the virtual server
>>>>     (for OWA in the first place)
>>>> 3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
>>>>     Expand Web Sites, expand Default Web Site, right-click RPC, and
>>>>     then click Properties.
>>>>     Click the Directory Security tab, and then click Edit under
>>>>     Secure communications.
>>>>     Click to select the Require secure channel (SSL) check box and
>>>>     the Require 128-bit encryption check box.
>>>>     Click OK, click Apply, and then click OK
>>>> 
>>>> 4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER
>>>> HTTP
>>>>     On the RPC proxy server, (my only Exchange Server box) start
>>>>     Registry Editor (Regedit).
>>>>     In the console tree, locate the following registry key:
>>>>     HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
>>>>     In the details pane, right-click the ValidPorts subkey, and then
>>>>     click Modify.
>>>>     In Edit String, in the Value data box, type the following
>>>>     information:
>>>> 
>>>>     ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
>>>> 
>>>>         If the FQDN that is used to access the server from the Internet
>>>>         differs from the internal FQDN, you must use the internal FQDN.
>>>>         (My external FQDN is company.DYNIP.COM (We use Dynip.com
>>>>         Dynamic DNS service)
>>>> 
>>>> 5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry
>>>>     (NSPI interface protocol sequences - ncacn_http:6004)
>>>> 
>>>> 6) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
>>>>     Done according to instructions in this link - //tinyurl.com/frarn
>>>> 
>>>> 7) Finally I changed my current OWA SSL ISA 2004 rule to include the
>>>> /RPC* folders (along with the /exchange/*; /exchweb/*; /public/*
>>>> folders.
>>>>     I did this because OWA and RPC over HTTP are on the SAME server
>>>>     using the same SSL certificate (I installed an internal CA to issue
>>>>     the certificate for the OWA server. Users have to click YES to
>>>>     accept (Trust) the certificate, but it works fine.)
>>>> 
>>>> I am thinking it is either my ISA 2004 rule or that I may need to move
>>>> my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it
>>>> is, could someone explain in detail, the steps to do either? I do not
>>>> have IIS installed on my ISA 2004 box. Please let me know if there are
>>>> any "Gotcha's" also.
>>>> 
>>>> Thanks for any help in solving this.
>>>> 
>>>> -Tom Rogers
>> 
>> All mail to and from this domain is GFI-scanned.
>> 
>> ------------------------------------------------------
>> List Archives: //www.freelists.org/archives/isalist/
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server Articles and Tutorials:
>> http://www.isaserver.org/articles_tutorials/
>> ISA Server Blogs: http://blogs.isaserver.org/
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>> Report abuse to listadmin@xxxxxxxxxxxxx
>> 
>> 
>> 
> 
> 
> 
> 
> 



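Added example (written for this page; it is not code from anyone in the thread, from Microsoft, or from ISA Server itself): a PowerShell script that reproduces the two checks the thread keeps returning to. The first function applies the certificate tests Jim lists for the back-end certificate (issuing CA present in the local machine trusted root store, validity dates, and the certificate name matching the "server" field on the rule's "To" tab) and reports which one would fail; run it on the ISA box. The second reads the RpcProxy ValidPorts value from step 4 of Tom's original post and reports any back-end name/port pair that is missing; run it on the RPC proxy (the Exchange box in this setup). Assumed names: the back end is EXCHANGE with an internal FQDN of exchange.company.net, the "To" tab carries one of those names, and the thumbprint in the usage lines is a placeholder.

```powershell
# Added example, not code from the thread. Assumed names: EXCHANGE /
# exchange.company.net for the back end; the thumbprint is a placeholder.

function Test-PublishedServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,    # cert ISA validates for the back end
        [Parameter(Mandatory)][string]$ToServerName   # "server" field on the rule's To tab
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    # Trust and dates: build the chain with the stores on THIS box. A CA cert
    # that only exists on the Exchange box, or in a user's store, does not help
    # the Firewall service. Revocation is skipped so only the thread's two
    # conditions (trusted root, validity period) are reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        switch ($s.Status) {
            'UntrustedRoot' { $problems += "CA cert not in LocalMachine\Root: 'untrusted certifying authority'" }
            'NotTimeValid'  { $problems += "date invalid: cert is valid $($cert.NotBefore) to $($cert.NotAfter)" }
            'PartialChain'  { $problems += "issuer cert not found in LocalMachine\CA or LocalMachine\Root" }
            default         { $problems += "chain status $($s.Status): $($s.StatusInformation)" }
        }
    }

    # Name: subject CN plus the DNS names the Cert: provider exposes as
    # DnsNameList (subject alternative names). A wildcard covers exactly one
    # label, so *.company.net matches exchange.company.net but not EXCHANGE.
    $names = @($cert.GetNameInfo('SimpleName', $false)) +
             @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
             Sort-Object -Unique
    $matched = $names | Where-Object {
        if ($_.StartsWith('*.')) {
            $suffix = $_.Substring(1)                      # ".company.net"
            $left   = $ToServerName.Length - $suffix.Length
            $left -gt 0 -and
                $ToServerName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                $ToServerName.Substring(0, $left) -notmatch '\.'
        } else {
            $_ -ieq $ToServerName
        }
    }
    if (-not $matched) {
        $problems += "no name on the cert ($($names -join ', ')) matches To-tab server '$ToServerName': 'target principal name is incorrect'"
    }
    return $problems   # an empty result means all three checks pass
}

function Test-RpcProxyValidPorts {
    param(
        [Parameter(Mandatory)][string[]]$BackEndNames,   # NetBIOS name and internal FQDN
        [int[]]$RequiredPorts = @(6001, 6002, 6004)       # store/referral 6001-6002, NSPI proxy 6004
    )
    $value = (Get-ItemProperty 'HKLM:\Software\Microsoft\Rpc\RpcProxy' -Name ValidPorts -ErrorAction Stop).ValidPorts

    # Expand "host:6001-6002;host:6004;" into host -> list of ports.
    $allowed = @{}
    foreach ($entry in ($value -split ';' | Where-Object { $_.Trim() })) {
        $hostName, $range = $entry.Trim() -split ':', 2
        if (-not $range) { continue }                    # malformed entry without a port
        $lo, $hi = $range -split '-', 2
        if (-not $hi) { $hi = $lo }
        $key = $hostName.ToLowerInvariant()
        if (-not $allowed.ContainsKey($key)) { $allowed[$key] = @() }
        $allowed[$key] += ([int]$lo)..([int]$hi)
    }

    # Outlook may be handed either name for the server; each must be listed
    # with every required port or the RPC proxy will not forward to it.
    $missing = foreach ($n in $BackEndNames) {
        foreach ($p in $RequiredPorts) {
            if ($allowed[$n.ToLowerInvariant()] -notcontains $p) { "${n}:$p" }
        }
    }
    return @($missing)   # empty means the value covers every name/port pair
}

# Usage (placeholder thumbprint and assumed names):
# On the ISA box:
Test-PublishedServerCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -ToServerName 'EXCHANGE'
# On the RPC proxy / Exchange box:
Test-RpcProxyValidPorts -BackEndNames 'EXCHANGE', 'exchange.company.net'
```

ISA 2004 ran on Windows Server 2003, where none of this was scriptable, but the decision logic is the same: a certificate fails on trust, on dates, or on name, and, as Jim notes above, ISA has no way to ask a user whether to accept it, so each of the three shows up as a 500 rather than a browser prompt. The wildcard rule in the name check is the part people trip over when they move from a public-name certificate to an internal one: the "To" tab must carry a name that literally appears on the certificate, and the NetBIOS name EXCHANGE is not covered by a certificate issued to exchange.company.net or *.company.net. For ValidPorts, note that the check is case-insensitive on the host and explicit on the port, which is how a value that looks right at a glance ("ExchangeServer:6001-6002" with the FQDN entry forgotten) still gets caught.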
