Outlook Anywhere fails Initial configuration from the Internet

HTTPS is NATed to the server to allow all incomming traffic over 80 and 443.  The exchange server is set to use basic authentication over SSL.  I have watched the port traffic on the firewall and as far as I can see 135 gets blocked first then the IP is added to blocked sites.  An internally configured client moved outside the firewall to the exact same IP communicates fine with RPC/HTTPS so it is an initial configuration issue.  I will post the log entries in the morning when I get back on the internal network as there is no way for me to unblock the IP from this side once I attempt a RPC/HTTPS connection.

Port 135 is needed for communication for OWA [http://support.microsoft.com/kb/259240]; as the port is not opened explicitly for the exchange server and further "Auto block source of packets not handled" under Setup > Intrusion Prevention > Default Packet Handling" is enabled; the IP is blacklisted and hence all communication fails.
By default the IP is put for 10 minutes in the auto-block list.

The possible reason why a client pre-authenticated behind firewall works is it might not be sending request on port 135. I am not 100% sure why that is happening, but more logs on the issue when authenticated users are connecting would help.

Which method are you trying to use to configure the clients?
Are you configuring them by hand, or using AutoDiscover?
If the client works correctly outside after configuration then it could just be your process for configuring the feature. If you don't do it correctly then the client will attempt to make a standard MAPI connection, which will fail as the ports are not open.

Simon.

I turned off the auto block.  There are three block syn to port 135 and the process quits on the client and says the exchange server cannot be reached.

I am manually configuring them, however automatic does not work either in outlook 2007 it sets up a pop account instead of exchange for some reason.  Probably because the normal exchange ports are not open and you have to manually configure rpc/https.

As i stated previously they are correctly connecting to exchange via rpc/https if they are first configured inside the firewall, the mapi service is not on at all and the rpc connections are correctly working over https.  It is the initial config from outside that fails.

Also the newer versions of OWA do not require port 135, that was pre-exchange2000.  OWA works fine with only 443open.

The auto configuration not working probably means you haven't got Autodiscover to work correctly.

You haven't gone in to enough detail on how you are setting up the clients.
The method I use I have outlined here: http://www.amset.info/exchange/rpc-http-client2.asp
It is for Outlook 2003, but identical for Outlook 2007.

If you attempt to connect too early then things don't work correctly.

Simon.

I use almost the same method exept basic instead of NTLM authentication as that is how the exchange2007 server is set to authenticate.  I added msstd:mail.domain.com which doesnt help.  I still get three polls on 135 after entering basic domain\username and password then the client says "The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."

The mail server is on a local domain domain.local the certificate is a valid internet domain and I am usind split DNS.

I put the ip on the block exception list so at least I can watch the logs but it still fails after 3 polls to 135 so rpc over https does not seem to be connecting properly on the first connection attempt.

If it is hitting port 135 then that would tend to indicate the client is unable to make the initial HTTPS connection. Something not resolving correctly for example.
Do you set Outlook to use http for both fast and slow connections? It gets easily confused with LANs otherwise.

Simon.

That would be my assement but it resolves correctly for both OWA and for internally initiated clients who are moved outside the firewall.  Both fast and slow are checked

Have you tried the PRF method of configuration, rather than the manual method?
Have you looked at getting AutoDiscover to work?

Simon.

I have remote users and would be unable to distribute a standard installation.  They are using everything from Office xp to 2007.

I have looked into the automatic configuration but I cannot find anyway to edit it?  When I use it from a client it configures POP access. How would I change it to configure exchange rpc/https?

Outlook Anywhere only works for Outlook 2003 and higher - so if you have anyone using Outlook 2002 they will be unable to use Outlook Anywhere.

If you haven't configured Auto Discovery then it would configure POP3 only, because that is all that it can find. You would need to look at the Microsoft Technet articles on autodiscover to get it to work correctly. You have to use a specific URL for it to work correctly, with redirects if you use multiple domains. It can look complicated, but in reality is not.

Exchange maintains the autodiscover XML file, based on settings that you have put in to Exchange such as the external URL for various folders. You don't edit it yourself at all.

A prf file for Outlook 2003 should also work for 2007, although I haven't tried it.
Another option would be to simply have three PRF files - one for each version of Outlook.

Simon.

Did anyone get this working properly?

I have 80 and 443 open on the firewall.  From behind the firewall, I can get to the Outlook Anywhere/Client Access (Exchange 2007) server and connect.  When I attempt to connect from outside the firewall, I see SYN_SENT messages and seem to be hanging on a port communication to 135.  I have walked through the RPC over HTTP configuration with my Outlook 2003 and 2007 client a hundred times and tried a variety of combinations.  Right now, I have Outlook configured just as described in the link above (http://www.amset.info/exchange/rpc-http-client2.asp).  Additionally, I have set the Outlook Anywhere configuration to require NTLM authentication and verified that is the setting on the Mail account.

I can't understand why I still see connection requests to port 135!!!

When I run outlook /rpcdiag theres little information other than it times out...I am assuming its because I am trying to connect to a closed firewall port.  What am I missing here in getting Outlook to talk over port 443?

 

I found the answer elsewhere actually.  You need to configure a seperate or combined SSL certificate for "autodiscover.domain.com" that points to the same place as OWA.  Outlook has this URL built in when it tries to connect http/rpc to the exchange server and it will fail during autodiscover if it is not set right.  That was the final straw in my configuration.

Will a wildcard certificate work?  I already purchased one of those for the domain...then I read a post somewhere that they will not work for Outlook Anywhere...So now I have *.mydomain.com and webmail.mydomain.com.  Do I need a third and to create the DNS alias?

First...let me say I appreciate all of the help...next, let me say...I apologize if I sound like a dummy...

I currently have a single Default Web Site with the SSL certs I mentioned above.  This is where OWA, Exchange, Exchweb, etc are installed.  Is the recommendation for me to create a new web site (autodiscover.mydomain.com) that listens on a different IP address and same ports (80/443) and have the document root be the OWA folder?  Or should I create a virtual host under the existing Default Web Site (same IP, ports, etc)?  I assume the first method as that way I can perform a new CSR request, send it to GeoTrust and go from there.

A little clarification would be great!

Yes it is a UCC certificate.  If the sitename does not match the certificate autodiscover fails in the background with no prompt.  Wildcards won't work to my knowledge.