[isalist] Re: RCP over HTTP Assistance needed

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 25 May 2006 17:05:51 -0300

You change the connection type within the properties of the Outlook
profile.

S

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Thursday, May 25, 2006 4:59 PM
To: ISA Mailing List
Subject: RE: [isalist] Re: RCP over HTTP Assistance needed

 

Not sure how to connect internally using HTTPS with Outlook 2003. OWA
works fine internally. I can browse to the RPC virtual server on the
intranet and I can connect fine (as per Microsoft's instructions)

Security policies are fine.

-TRogers

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Young, Gerald G
Sent: Thu 5/25/2006 3:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RCP over HTTP Assistance needed

http://www.ISAserver.org <http://www.isaserver.org/> 
-------------------------------------------------------
 
Tom,

Did you try connecting internally to your mailbox using RPC/HTTPS?  Does
that work?

Also, check the Network security: LAN Manager authentication level in
the security policy on both the server and the client(s).  Are they
compatible?

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys

11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Thursday, May 25, 2006 11:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] RCP over HTTP Assistance needed

Ok, I have been trying to implement RPC over HTTP so that my road
warrior users can connect to the internet then use Outlook 2003 without
VPN. Things have not gone as expected, I keep getting a "Microsoft
Exchange Server is unavailable" error message. Looking at the Connection
Status when trying to connect Outlook 2003 to the Exchange server, I get
the following...

SERVER                  TYPE          CON          STATUS
------                  ----          ---          ------

----                    Directory     ----         Connecting
server.internal.net     Referral      ----         Connecting

Then these disappear and I get the "Microsoft Exchange Server is
unavailable" error.


I walked through all of Microsoft's troubleshooting steps and using
RPCDUMP.EXE on the Exchange box, this is what I found...

ncacn_http(Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)

192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
192.168.1.5[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :ACCESS_DENIED
192.168.1.5[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :ACCESS_DENIED
192.168.1.5[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :ACCESS_DENIED
192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
192.168.1.5[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
192.168.1.5[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :ACCESS_DENIED
192.168.1.5[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :ACCESS_DENIED

Ok so let me start at the beginning now...

ENVIRONMENT
-----------
     (OUTSIDE WORLD)             (PERIMETER)          (INTERNAL NETWORK - SEPARATE PHYSICAL SERVERS EACH)

Client PC ---> INTERNET ---> ISA 2004 SP2 Server ---> Exchange Server 2003 SP2 -----> W2K3 SP-1 Domain Controller/Global Catalog Server 1
 XP SP-2                          W2K3 SP-1                  W2K3 SP-1          \
                                                                                  --> W2K3 SP-1 Domain Controller/Global Catalog Server 2

How I set up RPC over HTTP (Server Side)...
---------------------------------------
1) CONFIGURE A SERVER AS AN RPC PROXY SERVER
        On my Exchange server (my ONLY one) I installed the RPC over
        HTTP component from the Add/Remove Programs - Windows Components

2) CONFIGURE THE RPC VIRTUAL DIRECTORY IN IIS
        In Internet Information Services (IIS) Manager, right-click the
        RPC virtual directory, and then click Properties.
        In the RPC Virtual Directory Properties page, on the Directory
        Security tab, in the Authentication and access control pane,
        click Edit.
        In the Authentication Methods window, verify that the check box
        next to Enable anonymous access is cleared.
        In the Authentication Methods window, under Authenticated
        access, select the check box next to Basic authentication and
        click OK to warning
        I did NOT choose Integrated Windows authentication (NTLM)
        because of the following:
                It is recommended that you use Basic authentication over
                NTLM because of two reasons. First, RPC over HTTP
                currently supports only NTLM - it doesn't support
                Kerberos. Second, if there is an HTTP Proxy or a
                firewall between the RPC over HTTP client and the RPC
                Proxy, which inserts via the pragma in the HTTP header,
                NTLM authentication will not work.
        I saved my settings
        I have a valid SSL certificate installed on the virtual server
        (for OWA in the first place)

3) CONFIGURE RPC VIRTUAL DIRECTORY TO USE SSL
        Expand Web Sites, expand Default Web Site, right-click RPC, and
        then click Properties.
        Click the Directory Security tab, and then click Edit under
        Secure communications.
        Click to select the Require secure channel (SSL) check box and
        the Require 128-bit encryption check box.
        Click OK, click Apply, and then click OK
4) CONFIGURE THE RPC PROXY SERVER TO USE SPECIFIED PORTS FOR RPC OVER HTTP
        On the RPC proxy server, (my only Exchange Server box) start
        Registry Editor (Regedit).
        In the console tree, locate the following registry key:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
        In the details pane, right-click the ValidPorts subkey, and then
        click Modify.
        In Edit String, in the Value data box, type the following
        information:

        ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;

                If the FQDN that is used to access the server from the
                Internet differs from the internal FQDN, you must use
                the internal FQDN.
                (My external FQDN is company.DYNIP.COM (We use Dynip.com
                Dynamic DNS service))
5) I added this Multi-String Key to the GLOBAL CATALOG/DC #1's registry
(NSPI interface protocol sequences - ncacn_http:6004)

5) CONFIGURE THE OUTLOOK 2003 CLIENT PROFILE
        Done according to instructions in this link -
        //tinyurl.com/frarn

6) Finally I changed my current OWA SSL ISA 2004 rule to include the
/RPC* folders (along with the /exchange/*; /exchweb/*; /public/*
folders).
        I did this because OWA and RPC over HTTP are on the SAME server
        using the same SSL certificate (I installed an internal CA to
        issue the certificate for the OWA server. Users have to click
        YES to accept (Trust) the certificate, but it works fine.)

I am thinking it is either my ISA 2004 rule or that I may need to move
my RPC over HTTP Proxy (IIS) to the ISA 2004 box. No matter which one it
is, could someone explain in detail, the steps to do either? I do not
have IIS installed on my ISA 2004 box. Please let me know if there are
any "Gotcha's" also.

Thanks for any help in solving this.

-Tom Rogers
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/ 
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com <http://www.techgenix.com/> 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
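
Added example, not part of the original posts or of any Microsoft tool: a Python check that the ValidPorts value from step 4 covers, for every host name entered, each port that the RPCDUMP ncacn_http listing shows an endpoint on. The host names are the post's own placeholders, and the sample dump is three lines copied from the listing in the thread.

```python
import re

# Constructed sample: the ValidPorts value as typed in step 4, with the
# placeholder host names from the post left unchanged.
VALID_PORTS = ("ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;"
               "ExchangeServer:6004;ExchangeServerFQDN:6004;")

# Constructed sample: three of the ncacn_http endpoint lines from the
# RPCDUMP output in the post, one endpoint per line.
RPCDUMP = """\
192.168.1.5[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :ACCESS_DENIED
192.168.1.5[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :ACCESS_DENIED
192.168.1.5[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange 2003 Server STORE EMSMDB Interface :ACCESS_DENIED
"""

def parse_valid_ports(value):
    """Return {lowercased host: set of ports} from a ValidPorts string."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)   # "6004" is a one-port range
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed

def endpoint_ports(dump):
    """Return the ports that appear as address[port] in RPCDUMP lines."""
    return {int(p) for p in re.findall(r"^\S+\[(\d+)\]\s+\[", dump, re.M)}

def missing_ports(value, dump):
    """Return {host: sorted ports} with an endpoint but no ValidPorts entry."""
    needed = endpoint_ports(dump)
    return {host: sorted(needed - ports)
            for host, ports in parse_valid_ports(value).items()
            if needed - ports}

if __name__ == "__main__":
    print(missing_ports(VALID_PORTS, RPCDUMP) or "ValidPorts covers every endpoint port")
```

An empty result only shows that the proxy is permitted to forward to those ports for the names listed; it does not test authentication or the ISA publishing rule.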
