[isalist] Re: RPC over HTTP (Almost there...)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 25 Jun 2006 16:17:12 -0500

You'll need to use different listeners for the RPC/HTTP Web Publishing
Rule and the other Web sites, if Outlook 2003 doesn't like wildcard
certs (which is something I didn't know about before).
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: Sunday, June 25, 2006 3:44 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        So if that's the case, the only thing we can publish securely
via ISA 2004 is RPC over HTTP / OWA. I need to publish websites from
other servers as well.
         
        -TRogers
         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Stefaan Pouseele
        Sent: Sun 6/25/2006 11:44 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        Hi Tom, 
         
        Outlook 2003 does *not* support wildcard certificates for RPC
over HTTPS. So, to solve that problem either use a normal certificate or
make sure you specify '*.companyname.biz' as FQDN in the 'Principal name
for proxy server' (msstd:*.companyname.biz) in the Outlook 2003 Exchange
Proxy Settings. 
         
        HTH, 
        Stefaan

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: zondag 25 juni 2006 17:34
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
        Sent: Sun 6/25/2006 10:06 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        >Hi Tom,
         
        >OK, 
         
        > 1. What is the ACTUAL common/subject name on the Web site
certificate bound to the Web listener?
        *.companyname.biz
         
        >2. What is the ACTUAL common/subject name on the Exchange Web
site?
        owa.companyname.biz
         
        >3. What is the ACTUAL name on the Public Name tab?
        owa.companyname.com
         
        >4. What is the ACTUAL name on the To tab?
        owa.companyname.com
         
        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        MVP -- ISA Firewalls
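Stefaan's note on wildcard certificates and Tom Shinder's four questions above come down to one thing: the names on the listener certificate, the Exchange site certificate, the Public Name tab, the To tab and Outlook's principal name all have to agree. The following is an added example, not code from the thread or from ISA Server, that runs that consistency check over the answers given in the thread. The Outlook "Principal name for proxy server" value it uses is an assumption (the thread never states it), and the "fixed" configuration is a constructed one following the advice to put RPC/HTTP on its own listener with a normal certificate.

```python
"""Name-consistency check for an ISA 2004 Web publishing rule used for
RPC over HTTP.

Added example, not part of the original thread or of ISA Server. It takes
the four names asked for in the thread (listener certificate CN, Exchange
site certificate CN, Public Name tab, To tab) plus the Outlook 'Principal
name for proxy server' (an assumed value; the thread does not give it) and
reports the mismatches the thread talks about.
"""


def name_matches(cert_name, host):
    """Ordinary HTTPS-style comparison of a certificate subject name with a
    host name: case-insensitive, and a leading '*.' stands for exactly one
    DNS label."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                # ".companyname.biz"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix


def outlook2003_accepts(listener_cert_cn, principal_name):
    """Outlook 2003 behaviour as described in the thread: the msstd:
    principal name is compared literally with the certificate subject, so a
    wildcard certificate is only accepted when the wildcard itself is the
    configured principal name (msstd:*.companyname.biz)."""
    if not principal_name.lower().startswith("msstd:"):
        return False
    return principal_name[len("msstd:"):].lower() == listener_cert_cn.lower()


def check_rule(cfg):
    """Return a list of finding codes for one publishing-rule configuration."""
    findings = []
    if not name_matches(cfg["listener_cert_cn"], cfg["public_name"]):
        # the client would see a name mismatch against the listener cert
        findings.append("PUBLIC_NAME_NOT_COVERED_BY_LISTENER_CERT")
    if not name_matches(cfg["exchange_cert_cn"], cfg["to_name"]):
        # ISA bridges to the To-tab name and validates the Exchange cert
        findings.append("TO_NAME_NOT_COVERED_BY_EXCHANGE_CERT")
    if (cfg["listener_cert_cn"].startswith("*.")
            and not outlook2003_accepts(cfg["listener_cert_cn"],
                                        cfg["principal_name"])):
        findings.append("OUTLOOK2003_REJECTS_WILDCARD_LISTENER_CERT")
    return findings


# Values as answered in the thread; principal_name is an assumption.
THREAD_CONFIG = {
    "listener_cert_cn": "*.companyname.biz",
    "exchange_cert_cn": "owa.companyname.biz",
    "public_name": "owa.companyname.com",
    "to_name": "owa.companyname.com",
    "principal_name": "msstd:owa.companyname.biz",   # assumed
}

# Constructed corrected configuration: a dedicated listener with a normal
# certificate, and every name agreeing with it.
FIXED_CONFIG = {
    "listener_cert_cn": "owa.companyname.biz",
    "exchange_cert_cn": "owa.companyname.biz",
    "public_name": "owa.companyname.biz",
    "to_name": "owa.companyname.biz",
    "principal_name": "msstd:owa.companyname.biz",
}

if __name__ == "__main__":
    print("thread config:", check_rule(THREAD_CONFIG))
    print("fixed config: ", check_rule(FIXED_CONFIG))
```

The other workaround from the thread, keeping the wildcard certificate but setting the principal name to `msstd:*.companyname.biz`, clears only the third finding; the two name mismatches between `.com` and `.biz` stay until the Public Name and To tab agree with the certificates.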

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Sunday, June 25, 2006 12:32 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: RE: [isalist] RPC over HTTP (Almost there...)
                
                
                I ran a filter on the ISA monitoring for the OWA rule.
This is what happens when I tried to authenticate 3 times...
                 
                Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 312 0 326  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 15 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 156 1933 327  401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Allowed Connection companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

                0.0.0.0 MSRPC No Reverse Proxy SPISA owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002
                
                -TRogers
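The dump above is easier to read once it is reduced to the columns that matter: every RPC_IN_DATA and RPC_OUT_DATA request is answered 401 with the client username still "anonymous", and each round ends in a result code 10054 (Winsock: connection reset by peer). The following is an added triage script, not code from the thread or from ISA Server, that applies that reading to a constructed, cut-down copy of the same ten records (only six of the log columns are kept, and the HTTP status and Winsock code are folded into one result_code column):

```python
"""Triage of ISA 2004 Web proxy log records for an RPC-over-HTTP rule.

Added example, not part of the original thread. The sample below is a
constructed, cut-down copy of the ten records from the log dump: only the
columns needed for triage are kept, and the HTTP status / Winsock code is
folded into a single result_code column.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample (values taken from the thread's dump; columns reduced).
ISA_SAMPLE = """\
log_time|client_ip|client_username|action|result_code|http_method
06/25/2006 1:21:46 AM|74.67.214.74|anonymous|Failed Connection Attempt|10054|RPC_IN_DATA
06/25/2006 1:21:49 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_IN_DATA
06/25/2006 1:21:49 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_OUT_DATA
06/25/2006 1:21:52 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_IN_DATA
06/25/2006 1:21:52 AM|74.67.214.74|anonymous|Failed Connection Attempt|10054|RPC_OUT_DATA
06/25/2006 1:22:00 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_IN_DATA
06/25/2006 1:22:00 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_OUT_DATA
06/25/2006 1:22:03 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_IN_DATA
06/25/2006 1:21:46 AM|74.67.214.74|anonymous|Allowed Connection|401|RPC_OUT_DATA
06/25/2006 1:22:03 AM|74.67.214.74|anonymous|Failed Connection Attempt|10054|RPC_OUT_DATA
"""

WSAECONNRESET = "10054"                          # Winsock: connection reset by peer
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}    # the two half-duplex RPC/HTTP channels


def parse_records(text):
    """Parse the pipe-separated sample into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="|"))


def triage(records):
    """Summarise, per client IP, how the RPC proxy conversation went.

    Returns {client_ip: {"challenges": Counter(method -> 401 count),
                         "resets": n, "authenticated": n, "verdict": str}}.
    """
    per_client = defaultdict(lambda: {"challenges": Counter(), "resets": 0,
                                      "authenticated": 0})
    for rec in records:
        if rec["http_method"] not in RPC_METHODS:
            continue                     # not an RPC/HTTP request
        client = per_client[rec["client_ip"]]
        if rec["result_code"] == "401":
            client["challenges"][rec["http_method"]] += 1
        elif rec["result_code"] == WSAECONNRESET:
            client["resets"] += 1
        if rec["client_username"] != "anonymous":
            client["authenticated"] += 1

    for client in per_client.values():
        challenged_both = all(client["challenges"][m] for m in RPC_METHODS)
        if client["authenticated"] == 0 and challenged_both and client["resets"]:
            # Every request stayed anonymous: the listener kept answering 401
            # on both channels and the client eventually tore the connection
            # down. Outlook surfaces this as an endless credential prompt.
            client["verdict"] = "AUTH_NEVER_COMPLETED"
        elif client["authenticated"] == 0:
            client["verdict"] = "NO_AUTHENTICATED_REQUESTS"
        else:
            client["verdict"] = "OK"
    return dict(per_client)


if __name__ == "__main__":
    for ip, summary in triage(parse_records(ISA_SAMPLE)).items():
        print(ip, dict(summary["challenges"]), "resets:", summary["resets"],
              "->", summary["verdict"])
```

The verdict only says that authentication never completed at the listener; which name or certificate setting is responsible is the question the rest of the thread works through.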

                 
________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim
Harrison
                Sent: Sat 6/24/2006 9:04 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: RE: [isalist] RPC over HTTP (Almost there...)
                
                
                Don't
                Do 
                It
                <period>
                It's a disaster waiting to happen.
                 
                What's in the ISA logs for those attempts?
                What's in the IIS logs for those attempts?
                How did you create the OWA pub rule; manually or via the
Exch publishing weirdzard?
                 
                BTW, I reviewed the case logs and spoke with the
engineer you worked with.
                At no time was there any mention of making your Exch
server a DC/GC.

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Tom
Rogers
                Sent: Sat 6/24/2006 5:29 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] RPC over HTTP (Almost there...)
                
                
                I think I am so close to having this work that I can
taste it....anyway, my Outlook 2003 SP2 client (on Win XP Pro SP2) keeps
asking for user credentials - I can type them in a hundred times (not
that I did), but it keeps asking for my login credentials.
                 
                My RPC Proxy is set for ONLY Basic Authentication also.
Any ideas? Everything is set up according to all the docs you all have
sent me. The only thing that I have not tried yet is to make my Exch
box a DC/GC. That is next if no solution now.
                 
                And I know you all said this is a BAD idea (Exch box as
DC/GC), but I have seen documentation from Microsoft AND Tom Shinder's
documentation (his lab example - although he does point out it is not
recommended).
                 
                TIA,
                 
                -TRogers
                 
