http://www.ISAserver.org
-------------------------------------------------------

Don't your dates get certificated??

S...:)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, May 29, 2006 3:37 PM
To: ISA Mailing List
Subject: [isalist] Re: RCP over HTTP Assistance needed

I would hope that a valid certificate date wouldn't cause a 500 ;)

t

On 5/29/06 11:32 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Dunno - C&P from a previous post...
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, May 29, 2006 11:09
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: RCP over HTTP Assistance needed
>
> You mean 2) The security certificate date is invalid, right?
>
> t
>
> On 5/29/06 10:45 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
>> You said (and I quote from further down the thread):
>>
>> 1) The security certificate is from an untrusted certifying authority
>> 2) The security certificate date is valid
>> 3) The name on the security certificate is invalid or does not match
>> the name of the site.
>>
>> All of these generate a "500" error in ISA.
>>
>> -------------------------------------------------------
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>> Sent: Saturday, May 27, 2006 16:33
>> To: isalist@xxxxxxxxxxxxx
>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>>
>> But Jim, I never saw a "500" error anywhere - if I saw this error
>> message, I would have tracked it down in the documentation. My OWA
>> rule works perfectly fine.
>>
>> ________________________________
>>
>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
>> Sent: Sat 5/27/2006 1:48 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>
>> You haven't followed the advice, books, or articles.
>> If you had, you wouldn't be seeing the errors you're quoting.
>> You've been getting the answers to the questions you ask.
>>
>> Q - Why does ISA produce a "500" error for my OWA rule?
>>
>> A1 - the certificate installed on ISA must be issued by a CA that is
>> in the local machine trusted root store. This is equivalent to the IE
>> "The security certificate is from an untrusted certifying authority"
>> popup. Install the CA cert in the ISA trusted root store. If ISA has
>> the CA certificate installed in the local machine trusted root store,
>> this error will stop. This error will cease if the CA cert is
>> installed in the ISA local machine trusted root store. Install the CA
>> certificate in the local machine trusted roots store and this error
>> will stop.
>>
>> A2 - the common name in the certificate does not match the data in
>> the "server" field of the "To" tab in the web publishing rule. ISA
>> gives you a "target principal name is incorrect" in this case. This
>> is equivalent to the IE "The name on the security certificate is
>> invalid or does not match the name of the site" error. Change the
>> data in the "server" field of the "To" tab in the web publishing rule
>> to match the common name in the certificate. If you use the same
>> data in the "server" field of the "To" tab of the web publishing rule
>> as found in the Exch cert common name, this error will cease. This
>> error will stop if the "server" field in the "To" tab of the web
>> publishing rule matches the common name of the certificate installed
>> on the Exchange server.
>>
>> A3 - the certificate errors have *nothing* to do with the path
>> portion of either the client request or the web publishing rule. The
>> path portion of the web publishing rule is not in any way affecting
>> ISA Server's ability to acquire or evaluate the certificate offered by
>> the Exch server. The certificate offered by the Exch server has no
>> relationship to the path data in the web publishing rule. There are
>> no errors related to the certificate offered by the web publishing
>> rule and the path specified in the rule or requested by the client.
>> There is nothing you can do to solve the non-existent errors that
>> have no relationship between these two things.
>>
>> Go back and re-read the relevant sections in the book, articles and
>> KBs related to certificates and ISA server.
>>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Tom Rogers
>> Sent: Friday, May 26, 2006 7:53 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>>
>> Dynip.com will not allow me to obtain a Certificate from VeriSign or
>> any other public, trusted CA and apply it to our DDNS name
>> (company.dynip.com)
>>
>> If I have to get a certificate from VeriSign or any other public,
>> trusted CA, I will have to get a static IP.
>>
>> BTW, I'm just wondering why most of the help I get on this discussion
>> list is so convoluted? When I ask a question, I never get a direct
>> answer, it's always some obscure, sometimes pretentious, sarcastic
>> statement.
>>
>> I really appreciate the free advice given here by you highly trained
>> experts on ISA, but for those of us who are rookies and are just
>> trying to get ISA working like it should, those of us who do not
>> have an IQ of 200, need something more. If someone asks, "How do you
>> get such and such a function to work right?", someone should be able
>> to say, "Do this, this, this, then that, then you should be fine." Or
>> at least give a direct link to a tutorial, whitepaper, tech note,
>> whatever. Instead of getting an answer like, "It's right there on the
>> website."
>>
>> This is what I need to know:
>> The certificate for my EXCHANGE box is installed on the ISA box - I
>> exported it from the EXCHANGE box and imported it into ISA. Is this
>> not good enough?
>> All I want to know at this point is - can I use a certificate created
>> by an internal network CA for RPC over HTTP from the outside world,
>> or not. Do I have to have a 3rd party (ie: VeriSign) certificate to
>> get RPC over HTTP working from the outside? If so, I will go get a
>> static IP, get a registered domain name for that IP, get the
>> certificate, and be done with it.
>>
>> But since OWA works fine with a certificate issued on my internal
>> network CA, why can't RPC over HTTP? I would like to know the WHY.
>>
>> Thanx,
>>
>> -TRogers
>>
>> ________________________________
>>
>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
>> Sent: Fri 5/26/2006 4:44 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>
>> "Dynip.com will not allow certificates to be assigned to their
>> customer DNS records"?!?
>>
>> Can you clarify this?
>> Certificates are not assigned to DNS records at all.
>> Are you saying that they don't support redirection to HTTPS?
>>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Tom Rogers
>> Sent: Friday, May 26, 2006 1:11 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>
>> OWA is working fine - no issues at all.
>>
>> The certificate for the EXCHANGE box is installed on the ISA box - I
>> exported it from EXCHANGE and imported it into ISA. Is this not good
>> enough?
>>
>> And I was not recv'ing any error messages, not in the Event logs, not
>> on the screen, etc. The ONLY error I recv'd was "Your Exchange Server
>> is offline or not available." Not even any error messages in the
>> Outlook Client Connections box. If I had error messages coming at me,
>> I would be looking at the docs and KBs - no problem.
>>
>> I'm not totally pathetic. ISA is the ONLY software I have had any
>> trouble mastering. I have read TShinder's books, MS TechNet, White
>> Papers, etc and ISA know-how still eludes me for some reason.
>>
>> So basically, in order to use RPC over HTTP from the outside I need
>> to obtain a 3rd party certificate from VeriSign or someone like that
>> in order for this to work?
>>
>> If that is the case, I will also have to get a static IP because
>> Dynip.com will not allow certificates to be assigned to their
>> customer DNS records.
>>
>> -TRogers
>>
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Friday, May 26, 2006 3:47 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>
>>> There are *lots* of documents describing how to configure OWA with
>>> ISA.
>>> You're hitting the most common failures; that of not matching the
>>> certificate name to the request.
>>>
>>> There are *lots* of documents & kbs that address the errors ISA is
>>> throwing at you - you're ignoring them by playing in the path when
>>> the errors are specifying "certificate".
>>>
>>> All those errors are what ISA considers to be a bogus cert.
>>> ISA will not accept a certificate that:
>>> - is not from a CA that ISA can find in the local machine trusted
>>>   roots store
>>> - does not match the hostname used in the "To" tab of the publishing
>>>   rule
>>>
>>> ISA has no way to "ask the user" if he wants to allow a bogus
>>> certificate.
>>>
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Tom Rogers
>>> Sent: Friday, May 26, 2006 12:37 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>
>>> Ok, I was not able to create a 2nd listener as the IP port used was
>>> the same (443). So I added the /Rpc/* folder onto the original
>>> secure OWA ISA rule - again.
>>>
>>> Still cannot get it to connect from the outside world. Client setup
>>> is verified accurate. Once again, with ISA 2004, I am clueless.
>>>
>>> This is the hardest to use/configure piece of software I have ever
>>> used in my life.
>>>
>>> I don't get it, RPC over HTTP works fine from the inside, which
>>> means it's ISA 2004, but what, where, how, when, why?
>>> I've no idea.
>>>
>>> Maybe - because I am using an SSL Certificate that was issued by a
>>> CA *INSIDE* my internal network, not a public CA, could this be the
>>> issue?
>>> When I use OWA, I have to click YES on the security alert pop up
>>> message. This says:
>>>
>>> 1) The security certificate is from an untrusted certifying
>>> authority
>>> 2) The security certificate date is valid
>>> 3) The name on the security certificate is invalid or does not match
>>> the name of the site.
>>>
>>> On item #3, the Certificate has been issued to an internal server
>>> called EXCHANGE (name on the certificate) and in order to get to
>>> this box via the Internet/ISA 2004, the URL I use is
>>> company.dynip.com - which of course is not the same name as EXCHANGE.
>>>
>>> I'm lost...
>>>
>>> -TRogers
>>>
>>>> -----Original Message-----
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Friday, May 26, 2006 2:16 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> Yes.
>>>> From my boat somewhere in Texas
>>>>
>>>> -----Original Message-----
>>>> From: "Tom Rogers"<trogers@xxxxxxxxxxxxxxxxxx>
>>>> Sent: 5/26/06 1:00:04 PM
>>>> To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> Tom,
>>>>
>>>> Should the Authentication on the new listener be BASIC?
>>>>
>>>> -TRogers
>>>>
>>>> ________________________________
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Friday, May 26, 2006 9:55 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> You can't use FBA on the same listener that the RPC/HTTP WPR uses.
>>>>
>>>> Tom
>>>>
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>>> MVP -- ISA Firewalls
>>>>
>>>> ________________________________
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>> Sent: Friday, May 26, 2006 8:19 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> Ok - duh had a brain cramp.
>>>>
>>>> Anyway - it works fine internally - so it has to be my ISA rule.
>>>> Now, how do I correct that?
>>>> Is it possible for me to use the current OWA access rule that I
>>>> have in place and just add the /RPC/* folder to the list or what?
>>>> Below is how my rule is setup for OWA and RPC over HTTP...
>>>>
>>>> General - Company OWA (Enable)
>>>> Action - Allow (Log Requests)
>>>> From - Anywhere
>>>> To - EXCHANGE (Forward the original host header) (Requests appear to come from ISA)
>>>> Traffic - HTTPS (Require 128 bit encryption) (Filtering, configure HTTP - all defaults)
>>>> Listener - Secure HTTPS Listener Exchange (Networks - external; HTTP disabled; HTTPS 443; Certificate - Exchange; Authentication - OWA Forms Based; Always Authenticate - No; Domain - Company.net)
>>>> Public Name - company.dynip.com (Requests for the following websites)
>>>> Paths - /exchange/* /exchweb/* /public/* /Rpc* /RpcWithCert*
>>>> Bridging - Web Server, Redirect SSL to 443 (Only)
>>>> Users - All Users
>>>> Schedule - Always
>>>> Link Translation - Defaults
>>>>
>>>> Thanx,
>>>>
>>>> -TRogers
>>>>
>>>> ________________________________
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>>>> Sent: Thursday, May 25, 2006 4:06 PM
>>>> To: ISA Mailing List
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> You change the connection type within the properties of the Outlook
>>>> profile.
>>>>
>>>> S
>>>>
>>>> ________________________________
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>>>> Sent: Thursday, May 25, 2006 4:59 PM
>>>> To: ISA Mailing List
>>>> Subject: RE: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> Not sure how to connect internally using HTTPS with Outlook 2003.
>>>> OWA works fine internally.
>>>> I can browse to the RPC virtual server on the intranet and I can
>>>> connect fine (as per Microsoft's instructions)
>>>>
>>>> Security policies are fine.
>>>>
>>>> -TRogers
>>>>
>>>> ________________________________
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
>>>> Sent: Thu 5/25/2006 3:40 PM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] Re: RCP over HTTP Assistance needed
>>>>
>>>> Tom,
>>>>
>>>> Did you try connecting internally to your mailbox using RPC/HTTPS?
>>>> Does that work?
>>>>
>>>> Also, check the Network security: LAN Manager authentication level
>>>> in the security policy on both the server and the client(s). Are
>>>> they compatible?
>>>>
>>>> Cordially yours,
>>>> Jerry G. Young II
>>>> MCSE (4.0/W2K)
>>>> Atlanta EES Implementation Team Lead
>>>> ECNS Microsoft Engineering
>>>> Unisys
>>>>
>>>> -----Original Message-----
>>>> From: isalist-bounce@xxxxxxxxxxxxx
>>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Tom Rogers
>>>> Sent: Thursday, May 25, 2006 11:49 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Subject: [isalist] RCP over HTTP Assistance needed
>>>>
>>>> Ok, I have been trying to implement RPC over HTTP so that my road
>>>> warrior users can connect to the internet then use Outlook 2003
>>>> without VPN. Things have not gone as expected, I keep getting a
>>>> "Microsoft Exchange Server is unavailable" error message. Looking
>>>> at the Connection Status when trying to connect Outlook 2003 to the
>>>> Exchange server, I get the following...
>>>>
>>>> SERVER               TYPE       CON   STATUS
>>>> ------               ----       ---   ------
>>>> ----                 Directory  ----  Connecting
>>>> server.internal.net  Referral   ----  Connecting
>>>>
>>>> Then these disappear and I get the "Microsoft Exchange Server is
>>>> unavailable" error.
>>>>
>>>> I walked through all of Microsoft's troubleshooting steps and using
>>>> RPCDUMP.EXE on the Exchange box, this is what I found...
>>>>
>>>> ncacn_http(Connection-oriented TCP/IP using Microsoft Internet
>>>> Information Server as HTTP proxy.)
>>>>
>>>> 192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
>>>> 192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
>>>>
>>>> 192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
>>>> 192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>> 192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
>>>>
>>>> Ok so let me start at the beginning now...
>>>>
>>>> ENVIRONMENT
>>>> -----------
>>>> (OUTSIDE WORLD)              (PERIMETER)              (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)
>>>>
>>>> Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
>>>> XP SP-2                      W2K3 SP-1                W2K3 SP-1                \
>>>>                                                                                 --> W2K3 SP-1 Domain Controller/Global Catalog Server 2
>>>>
>>>> How I setup RPC over HTTP (Server Side)...
>>>> ---------------------------------------
>>>> 1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
>>>>    On my Exchange server (my ONLY one) I installed the RPC over
>>>>    HTTP component from the Add/Remove Programs - Windows Components
>>>>
>>>> 2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
>>>>    In Internet Information Services (IIS) Manager, right-click the
>>>>    RPC virtual directory, and then click Properties.
>>>>    In the RPC Virtual Directory Properties page, on the Directory
>>>>    Security tab, in the Authentication and access control pane,
>>>>    click Edit.
>>>>
>>>>    In the Authentication Methods window, verify that the check box
>>>>    next to Enable anonymous access is cleared.
>>>>    In the Authentication Methods window, under Authenticated
>>>>    access, select the check box next to Basic authentication and
>>>>    click OK to warning
>>>>    I did NOT choose Integrated Windows authentication (NTLM)
>>>>    because of the following:
>>>>       It is recommended that you use Basic authentication over
>>>>       NTLM because of two reasons. First, RPC over HTTP currently
>>>>       supports only NTLM - it doesn't support Kerberos. Second, if
>>>>       there is an HTTP Proxy or a firewall between the RPC over
>>>>       HTTP client and the RPC Proxy, which inserts via the pragma
>>>>       in the HTTP header, NTLM authentication will not work.
>>>>    I saved my settings
>>>>    I have a valid SSL certificate installed on the virtual server
>>>>    (for OWA in the first place)
>>>>
>>>> 3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
>>>>    Expand Web Sites, expand Default Web Site, right-click RPC, and
>>>>    then click Properties.
>>>>    Click the Directory Security tab, and then click Edit under
>>>>    Secure communications.
>>>>    Click to select the Require secure channel (SSL) check box and
>>>>    the Require 128-bit encryption check box.
>>>>    Click OK, click Apply, and then click OK
>>>>
>>>> 4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC
>>>>    OVER HTTP
>>>>    On the RPC proxy server, (my only Exchange Server box) start
>>>>    Registry Editor (Regedit).
>>>>    In the console tree, locate the following registry key:
>>>>
>>>>    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
>>>>
>>>>    In the details pane, right-click the ValidPorts subkey, and then
>>>>    click Modify.
>>>>    In Edit String, in the Value data box, type the following
>>>>    information:
>>>>
>>>>    ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
>>>>
>>>>    If the FQDN that is used to access the server from the Internet
>>>>    differs from the internal FQDN, you must use the internal FQDN.
>>>>    (My external FQDN is company.DYNIP.COM (We use Dynip.com Dynamic
>>>>    DNS service))
>>>>
>>>> 5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's
>>>>    registry (NSPI interface protocol sequences - ncacn_http:6004)
>>>>
>>>> 5) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
>>>>    Done according to instructions in this link -
>>>>    //tinyurl.com/frarn
>>>>
>>>> 6) Finally I changed my current OWA SSL ISA 2004 rule to include to
>>>>    /RPC* folders (along with the /exchange/*; /exchweb/*; /public/*
>>>>    folders).
>>>>    I did this because OWA and RPC over HTTP are on the SAME server
>>>>    using the same SSL certificate (I installed an internal CA to
>>>>    issue the certificate for the OWA server. Users have to click
>>>>    YES to accept (Trust) the certificate, but it works fine.)
>>>>
>>>> I am thinking it is either my ISA 2004 rule or that I may need to
>>>> move my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter
>>>> which one it is, could someone explain in detail, the steps to do
>>>> either? I do not have IIS installed on my ISA 2004 box.
>>>> Please let me know if there are any "Gotcha's" also.
>>>>
>>>> Thanks for any help in solving this.
>>>>
>>>> -Tom Rogers
>>
>> All mail to and from this domain is GFI-scanned.
>>
>> ------------------------------------------------------
>> List Archives: //www.freelists.org/archives/isalist/
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server Articles and Tutorials:
>> http://www.isaserver.org/articles_tutorials/
>> ISA Server Blogs: http://blogs.isaserver.org/
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>> Report abuse to listadmin@xxxxxxxxxxxxx
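The two certificate checks Jim Harrison lists (A1 and A2), applied to the rule posted further down the thread, as an added example that is not part of any message in the thread. It models trust as a lookup of the issuer name in a root list rather than real chain building; the CA name, the validity dates and the client root list are constructed, while the rule values come from the posted rule.

```python
from datetime import datetime


def check_cert(cert, expected_name, trusted_roots, now):
    """Return failed checks, numbered like the three lines of the IE security alert."""
    failures = []
    if cert["issuer_cn"].lower() not in {r.lower() for r in trusted_roots}:
        failures.append("1: untrusted certifying authority")
    if not cert["not_before"] <= now <= cert["not_after"]:
        failures.append("2: date invalid")
    if cert["subject_cn"].lower() != expected_name.lower():
        failures.append("3: name does not match")
    return failures


def check_rule(rule, listener_cert, server_cert, client_roots, isa_roots, now):
    """Evaluate both SSL legs of a bridged web publishing rule."""
    return {
        # Leg 1: the client compares the listener certificate with the
        # name it connected to (the rule's Public Name).
        "client->ISA": check_cert(listener_cert, rule["public_name"], client_roots, now),
        # Leg 2: ISA compares the published server's certificate with the
        # "server" field on the "To" tab, using its own root store.
        "ISA->Exchange": check_cert(server_cert, rule["to_server"], isa_roots, now),
    }


# Rule values as posted in the thread.
RULE = {"public_name": "company.dynip.com", "to_server": "EXCHANGE"}
# Constructed certificate: issued to EXCHANGE by an internal CA.
EXCHANGE_CERT = {
    "subject_cn": "EXCHANGE",
    "issuer_cn": "Company Internal CA",   # hypothetical CA name
    "not_before": datetime(2006, 1, 1),   # constructed validity window
    "not_after": datetime(2007, 1, 1),
}
NOW = datetime(2006, 5, 26)
PUBLIC_ROOTS = {"VeriSign"}               # stands in for a client's root store


def scenario(isa_roots, to_server="EXCHANGE"):
    """Same certificate on the listener and on Exchange, as described in the thread."""
    rule = dict(RULE, to_server=to_server)
    return check_rule(rule, EXCHANGE_CERT, EXCHANGE_CERT, PUBLIC_ROOTS, isa_roots, NOW)


if __name__ == "__main__":
    print(scenario(set()))                              # internal CA not in ISA's roots
    print(scenario({"Company Internal CA"}))            # CA installed on ISA
    print(scenario({"Company Internal CA"}, "company.dynip.com"))  # "To" field changed
```

With the internal CA missing from ISA's root store, the client leg reports items 1 and 3 (the alert quoted in the thread) and the ISA leg reports item 1; installing the CA on ISA clears the ISA leg only.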
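A check for the ValidPorts value from step 4 of the original post, as an added example that is not part of the thread or of any Microsoft tool. It assumes the `host:port[-port];` format shown in the post; the host name `exchange.company.net` in the second sample is hypothetical.

```python
import re

# Ports that appear in the thread: 6001 (store), 6002 (referral), 6004 (NSPI proxy).
REQUIRED_PORTS = {6001, 6002, 6004}
ENTRY = re.compile(r"([A-Za-z0-9._-]+):(\d{1,5})(?:-(\d{1,5}))?")


def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into ({host: set_of_ports}, [errors])."""
    # Host names and port numbers contain no whitespace, so whitespace in a
    # pasted value is wrap damage ("Exchange\nServer:600\n4") and is dropped.
    cleaned = re.sub(r"\s+", "", value)
    mapping, errors = {}, []
    for entry in filter(None, cleaned.split(";")):
        m = ENTRY.fullmatch(entry)
        if not m:
            errors.append(f"malformed entry: {entry!r}")
            continue
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            errors.append(f"bad port range: {entry!r}")
            continue
        mapping.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return mapping, errors


def audit_valid_ports(value, netbios, internal_fqdn, external_fqdn):
    """Return findings for a ValidPorts value; an empty list means no finding."""
    mapping, findings = parse_valid_ports(value)
    internal = {netbios.lower(), internal_fqdn.lower()}
    # Both internal names need all three ports.
    for host in sorted(internal):
        missing = REQUIRED_PORTS - mapping.get(host, set())
        if missing:
            findings.append(f"{host}: missing {sorted(missing)}")
    for host in sorted(mapping):
        # The post's rule: if external and internal FQDN differ, list the internal one.
        if host == external_fqdn.lower() and host not in internal:
            findings.append(f"{host}: external name listed, use the internal FQDN")
        # Anything beyond the three ports widens what the proxy will forward to.
        extra = mapping[host] - REQUIRED_PORTS
        if extra:
            findings.append(f"{host}: {len(extra)} extra port(s) opened through the proxy")
    return findings


# Constructed sample: the value from the post with e-mail wrap damage left in.
PAGE_VALUE = ("ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;Exchange\n"
              "Server:600\n4;ExchangeServerFQDN:6004;")

if __name__ == "__main__":
    print(audit_valid_ports(PAGE_VALUE, "ExchangeServer", "ExchangeServerFQDN",
                            "company.dynip.com"))
    # Constructed bad value: external name used, 6004 missing for the NetBIOS name.
    for finding in audit_valid_ports("EXCHANGE:6001-6002;company.dynip.com:6001-6004",
                                     "EXCHANGE", "exchange.company.net",
                                     "company.dynip.com"):
        print(finding)
```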