Question

Outlook Anywhere fails Initial configuration from the Internet

Asked by: wparson

How can I get RPC over HTTPS to work initially from outside a WatchGuard firewall? I have configured Outlook Anywhere on a Windows 2003/Exchange 2007 server. Outlook Anywhere works fine if it is initially configured on the private side of the firewall, but I am unable to connect "new" clients from outside the firewall. Once a connection is started the firewall blocks the IP and that's all she wrote. It will, however, work perfectly if the client connecting from outside was initially connected and configured inside the firewall.

Any ideas?

This Question has been solved and asker verified.

Asked on: 2007-06-04 at 18:15:18 | ID: 22612665

Tags: outlook, anywhere

Topics: Watchguard Firewall, Exchange Email Server

Participating experts: 3 | Points: 500 | Comments: 21


Answers

 

by: dpk_wal | Posted on 2007-06-04 at 19:33:10 | ID: 19213936

Is the HTTPS service configured to allow specific public IPs or authenticated users? Or what is the configuration on the incoming of the HTTPS service?
Can you paste the denied log entry so we know what on the firewall is blocking the packets?
Can you also check if the "new" client IP is listed under blocked hosts? If so, you might want to disable "Auto block source of packets not handled" under Setup > Intrusion Prevention > Default Packet Handling.

Please provide details.

 

by: wparson | Posted on 2007-06-04 at 22:44:18 | ID: 19214748

HTTPS is NATed to the server to allow all incoming traffic over 80 and 443. The Exchange server is set to use basic authentication over SSL. I have watched the port traffic on the firewall and as far as I can see 135 gets blocked first, then the IP is added to blocked sites. An internally configured client moved outside the firewall to the exact same IP communicates fine with RPC/HTTPS, so it is an initial configuration issue. I will post the log entries in the morning when I get back on the internal network, as there is no way for me to unblock the IP from this side once I attempt an RPC/HTTPS connection.

 

by: dpk_wal | Posted on 2007-06-05 at 00:28:53 | ID: 19215159

Port 135 is needed for communication for OWA [http://support.microsoft.com/kb/259240]; as the port is not opened explicitly for the Exchange server, and further "Auto block source of packets not handled" under Setup > Intrusion Prevention > Default Packet Handling is enabled, the IP is blacklisted and hence all communication fails.
By default the IP is put for 10 minutes in the auto-block list.

The possible reason why a client pre-authenticated behind firewall works is it might not be sending request on port 135. I am not 100% sure why that is happening, but more logs on the issue when authenticated users are connecting would help.

 

by: Sembee | Posted on 2007-06-05 at 03:02:09 | ID: 19215746

Which method are you trying to use to configure the clients?
Are you configuring them by hand, or using AutoDiscover?
If the client works correctly outside after configuration then it could just be your process for configuring the feature. If you don't do it correctly then the client will attempt to make a standard MAPI connection, which will fail as the ports are not open.

Simon.

 

by: wparson | Posted on 2007-06-05 at 09:34:42 | ID: 19218274

I turned off the auto block. There are three blocked SYNs to port 135 and the process quits on the client and says the Exchange server cannot be reached.

I am manually configuring them; however, automatic does not work either: in Outlook 2007 it sets up a POP account instead of Exchange for some reason. Probably because the normal Exchange ports are not open and you have to manually configure RPC/HTTPS.

As I stated previously, they are correctly connecting to Exchange via RPC/HTTPS if they are first configured inside the firewall; the MAPI service is not on at all and the RPC connections are correctly working over HTTPS. It is the initial config from outside that fails.

 

by: wparson | Posted on 2007-06-05 at 09:38:41 | ID: 19218297

Also, the newer versions of OWA do not require port 135; that was pre-Exchange 2000. OWA works fine with only 443 open.

 

by: Sembee | Posted on 2007-06-05 at 09:53:11 | ID: 19218392

The auto configuration not working probably means you haven't got Autodiscover to work correctly.

You haven't gone in to enough detail on how you are setting up the clients.
The method I use I have outlined here: http://www.amset.info/exchange/rpc-http-client2.asp
It is for Outlook 2003, but identical for Outlook 2007.

If you attempt to connect too early then things don't work correctly.

Simon.

 

by: wparson | Posted on 2007-06-05 at 10:32:42 | ID: 19218735

I use almost the same method except basic instead of NTLM authentication, as that is how the Exchange 2007 server is set to authenticate. I added msstd:mail.domain.com, which doesn't help. I still get three polls on 135 after entering basic domain\username and password, then the client says "The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."

The mail server is on a local domain, domain.local; the certificate is a valid internet domain and I am using split DNS.

I put the IP on the block exception list so at least I can watch the logs, but it still fails after 3 polls to 135, so RPC over HTTPS does not seem to be connecting properly on the first connection attempt.

 

by: Sembee | Posted on 2007-06-05 at 10:50:50 | ID: 19218916

If it is hitting port 135 then that would tend to indicate the client is unable to make the initial HTTPS connection. Something not resolving correctly for example.
Do you set Outlook to use http for both fast and slow connections? It gets easily confused with LANs otherwise.

Simon.

 

by: wparson | Posted on 2007-06-05 at 11:03:11 | ID: 19219027

That would be my assessment, but it resolves correctly for both OWA and for internally initiated clients who are moved outside the firewall. Both fast and slow are checked.

 

by: Sembee | Posted on 2007-06-05 at 14:54:04 | ID: 19221127

Have you tried the PRF method of configuration, rather than the manual method?
Have you looked at getting AutoDiscover to work?

Simon.

 

by: wparson | Posted on 2007-06-06 at 09:14:19 | ID: 19226300

I have remote users and would be unable to distribute a standard installation. They are using everything from Office XP to 2007.

I have looked into the automatic configuration but I cannot find any way to edit it. When I use it from a client it configures POP access. How would I change it to configure Exchange RPC/HTTPS?

 

by: Sembee | Posted on 2007-06-07 at 16:56:51 | ID: 19238539

Outlook Anywhere only works for Outlook 2003 and higher - so if you have anyone using Outlook 2002 they will be unable to use Outlook Anywhere.

If you haven't configured Auto Discovery then it would configure POP3 only, because that is all that it can find. You would need to look at the Microsoft Technet articles on autodiscover to get it to work correctly. You have to use a specific URL for it to work correctly, with redirects if you use multiple domains. It can look complicated, but in reality is not.

Exchange maintains the autodiscover XML file, based on settings that you have put in to Exchange such as the external URL for various folders. You don't edit it yourself at all.

A prf file for Outlook 2003 should also work for 2007, although I haven't tried it.
Another option would be to simply have three PRF files - one for each version of Outlook.

Simon.

 

by: artisit | Posted on 2007-12-20 at 04:23:36 | ID: 20506075

Did anyone get this working properly?

I have 80 and 443 open on the firewall. From behind the firewall, I can get to the Outlook Anywhere/Client Access (Exchange 2007) server and connect. When I attempt to connect from outside the firewall, I see SYN_SENT messages and seem to be hanging on a port communication to 135. I have walked through the RPC over HTTP configuration with my Outlook 2003 and 2007 client a hundred times and tried a variety of combinations. Right now, I have Outlook configured just as described in the link above (http://www.amset.info/exchange/rpc-http-client2.asp). Additionally, I have set the Outlook Anywhere configuration to require NTLM authentication and verified that is the setting on the Mail account.

I can't understand why I still see connection requests to port 135!!!

When I run outlook /rpcdiag there's little information other than it times out... I am assuming it's because I am trying to connect to a closed firewall port. What am I missing here in getting Outlook to talk over port 443?

 

 

by: wparson | Posted on 2007-12-20 at 13:55:39 | ID: 20510215

I found the answer elsewhere actually. You need to configure a separate or combined SSL certificate for "autodiscover.domain.com" that points to the same place as OWA. Outlook has this URL built in when it tries to connect http/rpc to the Exchange server and it will fail during autodiscover if it is not set right. That was the final straw in my configuration.

 

by: artisit | Posted on 2007-12-20 at 15:43:41 | ID: 20510834

Will a wildcard certificate work?  I already purchased one of those for the domain...then I read a post somewhere that they will not work for Outlook Anywhere...So now I have *.mydomain.com and webmail.mydomain.com.  Do I need a third and to create the DNS alias?

 

by: Sembee | Posted on 2007-12-20 at 16:21:48 | ID: 20510975

Technically you should use a UC or SAN certificate. This can contain the multiple names. It can be done with multiple certificates and multiple web sites. A wildcard certificate will often not work correctly - certainly will not work with any Windows Mobile 5 device.

Simon.

 

by: artisit | Posted on 2007-12-20 at 18:14:49 | ID: 20511348

First...let me say I appreciate all of the help...next, let me say...I apologize if I sound like a dummy...

I currently have a single Default Web Site with the SSL certs I mentioned above.  This is where OWA, Exchange, Exchweb, etc are installed.  Is the recommendation for me to create a new web site (autodiscover.mydomain.com) that listens on a different IP address and same ports (80/443) and have the document root be the OWA folder?  Or should I create a virtual host under the existing Default Web Site (same IP, ports, etc)?  I assume the first method as that way I can perform a new CSR request, send it to GeoTrust and go from there.

A little clarification would be great!

 

by: wparson | Posted on 2007-12-20 at 19:28:49 | ID: 20511596

Yes it is a UCC certificate.  If the sitename does not match the certificate autodiscover fails in the background with no prompt.  Wildcards won't work to my knowledge.

 

by: wparson | Posted on 2007-12-20 at 19:33:24 | ID: 20511616

I should add I turned off IP address blocking on the firewall and RPC over HTTP works for Outlook 2003, but for 2007 you need the autodiscovery cert. I have not gotten one yet as I only have a few users on 07, but I imagine you might be able to turn blocking back on once you get the proper cert.
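
Added example, not part of the thread and not written by any participant: a Python sketch of the certificate check the resolution above points to, namely whether the certificate served on 443 names both the OWA host and `autodiscover.<domain>`. The host names are the thread's placeholders, the function names are hypothetical, and the "wildcard-only" status only flags the case the posters warn about; it does not model Outlook's own behaviour.

```python
import socket
import ssl


def fetch_san_names(host, port=443, timeout=5.0):
    """Return the DNS names in the certificate served at host:port.

    The chain is still validated against the system trust store, but the
    hostname check is disabled so that a name mismatch (the failure in this
    thread) can be inspected instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _wildcard_covers(pattern, host):
    # "*.example.com" covers exactly one extra left-most label.
    if not pattern.startswith("*."):
        return False
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def outlook_anywhere_names(owa_host, mail_domain):
    """Names the thread says the certificate must cover."""
    return [owa_host.lower(), "autodiscover." + mail_domain.lower()]


def san_coverage(required, san_names):
    """Map each required name to 'exact', 'wildcard-only' or 'missing'."""
    sans = [n.lower() for n in san_names]
    result = {}
    for name in (r.lower() for r in required):
        if name in sans:
            result[name] = "exact"
        elif any(_wildcard_covers(p, name) for p in sans):
            result[name] = "wildcard-only"
        else:
            result[name] = "missing"
    return result


# Constructed SAN lists for the three certificate layouts discussed above.
SINGLE_NAME = ["webmail.mydomain.com"]
WILDCARD = ["*.mydomain.com"]
UCC = ["webmail.mydomain.com", "autodiscover.mydomain.com"]

if __name__ == "__main__":
    needed = outlook_anywhere_names("webmail.mydomain.com", "mydomain.com")
    for label, sans in (("single", SINGLE_NAME), ("wildcard", WILDCARD), ("ucc", UCC)):
        print(label, san_coverage(needed, sans))
    # Against a live server: san_coverage(needed, fetch_san_names("webmail.mydomain.com"))
```

Run from a client outside the firewall, any required name reported as "missing" or "wildcard-only" is worth resolving before re-enabling automatic source blocking.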
