[isalist] Re: RPC over HTTP (Almost there...)

  • From: "Tom Rogers" <trogers@xxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 25 Jun 2006 17:49:18 -0400

Yep, fully trusted, properly dated, etc. (All 3 sections are a go on the client)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Sun 6/25/2006 5:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RPC over HTTP (Almost there...)


Is the CA certificate installed on the clients?
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
        Sent: Sunday, June 25, 2006 4:29 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        > ...make sure you specify '*.companyname.biz' as FQDN in the 'Principal 
        > name for proxy server' (msstd:*.companyname.biz) in the Outlook 2003 Exchange 
        > Proxy Settings. 
         
        I did this - no luck.
         
        -TRogers
         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
        Sent: Sun 6/25/2006 5:17 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: RPC over HTTP (Almost there...)
        
        
        You'll need to use different listeners for the RPC/HTTP Web Publishing 
Rule and the other Web sites, if Outlook 2003 doesn't like wildcard certs 
(which is something I didn't know about before).
         
        Thomas W Shinder, M.D.
        Site: http://www.isaserver.org/
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Sunday, June 25, 2006 3:44 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: RE: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                So if that's the case, the only thing we can publish securely 
via ISA 2004 is RPC over HTTP / OWA. I need to publish websites from other 
servers as well.
                 
                -TRogers
                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Stefaan Pouseele
                Sent: Sun 6/25/2006 11:44 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                Hi Tom, 
                 
                Outlook 2003 does *not* support wildcard certificates for RPC 
over HTTPS. So, to solve that problem either use a normal certificate or make 
sure you specify '*.companyname.biz' as FQDN in the 'Principal name for proxy 
server' (msstd:*.companyname.biz) in the Outlook 2003 Exchange Proxy Settings. 
                 
                HTH, 
                Stefaan

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                Sent: Sunday, June 25, 2006 17:34
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
                Sent: Sun 6/25/2006 10:06 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: RPC over HTTP (Almost there...)
                
                
                >Hi Tom,
                 
                >OK, 
                 
                > 1. What is the ACTUAL common/subject name on the Web site 
certificate bound to the Web listener?
                *.companyname.biz
                 
                >2. What is the ACTUAL common/subject name on the Exchange Web 
site?
                owa.companyname.biz
                 
                >3. What is the ACTUAL name on the Public Name tab?
                owa.companyname.com
                 
                >4. What is the ACTUAL name on the To tab?
                owa.companyname.com
                 
                Thomas W Shinder, M.D.
                Site: http://www.isaserver.org/
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
                        Sent: Sunday, June 25, 2006 12:32 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: RE: [isalist] RPC over HTTP (Almost there...)
                        
                        
                        I ran a filter on the ISA monitoring for the OWA rule. 
This is what happens when I tried to authenticate 3 times...
                         
                        Original Client IP Client Agent Authenticated Client 
Service Server Name Referring Server Destination Host Name Transport MIME Type 
Object Source Source Proxy Destination Proxy Bidirectional Client Host Name 
Filter Information Network Interface Raw IP Header Raw Payload Source Port 
Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache 
Information Error Information Log Record Type Log Time Destination IP 
Destination Port Protocol Action Rule Client IP Client Username Source Network 
Destination Network HTTP Method URL
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 312 0 326  
10054  0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 
https Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External 
 RPC_IN_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_IN_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_OUT_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 15 1933 306  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_IN_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054 
 0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https 
Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  
RPC_OUT_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_IN_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 307  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_OUT_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 1933 306  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_IN_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 156 1933 327  
401  0x44000008 0xc00 Web Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 
https Allowed Connection companyname OWA 74.67.214.74 anonymous External  
RPC_OUT_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        0.0.0.0 MSRPC No Reverse Proxy SPISA  
owa.companyname.biz TCP text/html Internet - -  - Compression: client=No, 
server=No, cache=No, compress rate=0% decompress rate=0% - - - 0 1 0 307  10054 
 0x4000008 0xc02 Web Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https 
Failed Connection Attempt companyname OWA 74.67.214.74 anonymous External  
RPC_OUT_DATA 
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002 
                        
                        -TRogers

                         
________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim 
Harrison
                        Sent: Sat 6/24/2006 9:04 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: RE: [isalist] RPC over HTTP (Almost there...)
                        
                        
                        Don't
                        Do 
                        It
                        <period>
                        It's a disaster waiting to happen.
                         
                        What's in the ISA logs for those attempts?
                        What's in the IIS logs for those attempts?
                        How did you create the OWA pub rule; manually or via 
the Exch publishing weirdzard?
                         
                        BTW, I reviewed the case logs and spoke with the 
engineer you worked with.
                        At no time was there any mention of making your Exch 
server a DC/GC.

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Tom 
Rogers
                        Sent: Sat 6/24/2006 5:29 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] RPC over HTTP (Almost there...)
                        
                        
                        I think I am so close to having this work that I can 
taste it.... Anyway, my Outlook 2003 SP2 client (on Win XP Pro SP2) keeps asking 
for user credentials - I can type them in a hundred times (not that I did), but 
it keeps asking for my login credentials.
                         
                        My RPC Proxy is set for ONLY Basic Authentication also. 
Any ideas? Everything is set up according to all the docs you all have sent me. 
The only thing that I have not tried yet is to make my Exch box a DC/GC. That 
is next if no solution now.
                         
                        And I know you all said this is a BAD idea (Exch box as 
DC/GC), but I have seen documentation from Microsoft AND Tom Shinder's 
documentation (his lab example, although he does point out it is not 
recommended).
                         
                        TIA,
                         
                        -TRogers
                         

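The thread turns on two different name comparisons that both have to succeed before Outlook 2003 will talk RPC over HTTPS through the published listener: ordinary TLS host-name verification against the name the client connects to, and the separate "Principal name for proxy server" check, which with the msstd: prefix compares the string literally against the certificate subject CN (which is why Stefaan's workaround is to set the principal to msstd:*.companyname.biz rather than the host name). The script below is an added example, not code from the thread or from ISA Server or Outlook; it models the two checks with the names quoted in the thread (*.companyname.biz, owa.companyname.biz, owa.companyname.com). The function names, the constructed subject string and the literal-comparison model of the msstd: check are my own assumptions based on the thread's description.

```python
"""Name-matching checks for an Outlook 2003 RPC over HTTPS front end.

Added example (not code from the thread, ISA Server or Outlook). Two
comparisons are modelled:

  1. TLS host-name verification with RFC 2818 rules: '*' is only valid as the
     whole left-most label and matches exactly one label;
  2. the "Principal name for proxy server" check: with the "msstd:" prefix the
     text after the prefix is compared literally (case-insensitively) against
     the certificate subject CN, as Stefaan describes in the thread.

Host names and the CN are taken from the thread; helper names are assumed.
"""
import re


def subject_cn(subject: str) -> str:
    """Return the CN attribute of an X.500 subject string such as
    'C=US, O=Company, CN=*.companyname.biz'."""
    m = re.search(r'(?:^|,)\s*CN=([^,]+)', subject, re.IGNORECASE)
    if not m:
        raise ValueError(f"no CN in subject: {subject!r}")
    return m.group(1).strip()


def tls_hostname_match(cert_cn: str, hostname: str) -> bool:
    """RFC 2818-style comparison of a certificate CN against the connected host."""
    cert, host = cert_cn.lower(), hostname.lower()
    if not cert.startswith("*."):
        return cert == host
    # Wildcard CN: the host needs exactly one extra label in front of the suffix,
    # so '*.companyname.biz' covers owa.companyname.biz but not companyname.biz,
    # a.b.companyname.biz or anything under another domain.
    suffix = cert[1:]                       # ".companyname.biz"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return left != "" and "." not in left


def msstd_principal_match(cert_cn: str, principal: str) -> bool:
    """Outlook 2003 'msstd:' principal name (as described in the thread):
    a literal compare against the CN, so a wildcard CN only matches a
    principal that itself spells out the wildcard."""
    prefix = "msstd:"
    if not principal.lower().startswith(prefix):
        raise ValueError("only the msstd: form is modelled here")
    return cert_cn.lower() == principal[len(prefix):].lower()


def check_rpc_http_names(cert_subject: str, public_name: str, principal: str) -> dict:
    """Run both checks and report which one would make Outlook reject the proxy."""
    cn = subject_cn(cert_subject)
    return {
        "cn": cn,
        "tls_ok": tls_hostname_match(cn, public_name),
        "principal_ok": msstd_principal_match(cn, principal),
    }


if __name__ == "__main__":
    # Constructed subject string carrying the wildcard CN from the thread.
    subject = "C=US, O=Company, CN=*.companyname.biz"
    cases = [
        ("owa.companyname.biz", "msstd:owa.companyname.biz"),  # host-name principal: fails
        ("owa.companyname.biz", "msstd:*.companyname.biz"),    # Stefaan's workaround: passes
        ("owa.companyname.com", "msstd:*.companyname.biz"),    # public name in another domain
    ]
    for public, principal in cases:
        print(public, principal, check_rpc_http_names(subject, public, principal))
```

The third case is there because the thread lists the public name as owa.companyname.com while the certificate CN is *.companyname.biz: plain TLS host-name verification of that pair fails regardless of how the principal name is set, so both names need to be checked, not just the msstd: string.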