Solved

RPC over HTTP on a single server in Exchange Server through firewall

Posted on 2004-10-18
778 Views
Last Modified: 2008-01-09
I am having a hell of a time getting Outlook 2003 to connect to Exchange
2003 over the internet. I have no problem at all connecting over the
intranet. The server is sitting behind a firewall/router with the following
ports forwarded:

80, 443, 135, 5000-5004,6000-6004,53,88,123,389,3268

I have configured the RPC-HTTP back-end server. I am deploying a
single-server version.

I was told to follow this article and I have: http://support.microsoft.com/?id=833401 with no luck.

I've made a lot of registry entries as well. Does anyone have any suggestion
on how I can get Outlook 2003 to connect to Exchange 2003 over HTTP through
a firewall?
Question by:black0ps
23 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12343088
Are you sure that it is working internally?

Close Outlook completely, verifying that it is gone from task manager.

Then click on start, then run and enter:

outlook.exe /rpcdiag

All entries in the diagnostic log should say HTTPS. If any say TCP/IP then it isn't working.

You don't need all of those ports open on the firewall. The only ports that you need are 25 (SMTP for inbound email) and 443 (HTTPS). Close the rest - they are not needed and you have left your network badly exposed.

Simon.
 
LVL 3

Expert Comment

by:ddrewtx
ID: 12343360
Also make sure you have installed Exchange 2003 Service Pack 1. There are a number of improvements with this service pack, namely the tab on the server properties to help you set up the new feature. I agree with Sembee's steps, as it should connect without problem internally.

HTH,

Dale Drew
 
LVL 7

Author Comment

by:black0ps
ID: 12343470
I will try Sembee's suggestion when I get to work tomorrow. I have installed E2k3 SP1 already. That gave me the option to enable RPC over HTTP, but I still haven't been able to.

The server is behind a linksys firewall/router and doesn't act as DHCP. The router does.
 
LVL 7

Author Comment

by:black0ps
ID: 12348933
I had 6 activity logs with rpcdiag. 3 are Directory, 3 are Mail. They all establish a connection via TCP/IP and all are Established. Does this mean I'm not connecting via RPC?
 
LVL 104

Expert Comment

by:Sembee
ID: 12350551
All TCP/IP?
RPC/HTTPS is not working.
If you want to see a screenshot of a working configuration, then take a look at my web site here:

http://www.amset.info/exchange/rpc-http-diag.asp

Therefore you need to go back to your configuration and see where mistakes have been made. Even on the LAN you should get all six connections being made to HTTPS.

As you have installed SP1, the next question is have you tested RPC?
Open a web browser and go to
https://certificatename/rpc

Where certificatename is the name on your SSL certificate.
You should get an error message "403.2 - Forbidden: Read access denied". Anything else and the proxy isn't working correctly.

Next - is the certificate a purchased one or homegrown?
If it is homegrown then I would suggest you purchase one. Go to freessl.com and get one of their 30 trial certificates while you get this working. While a homegrown one is fine for web sites, Outlook is a lot more picky and for the small amount of money that freessl are now asking for a certificate it makes sense to just purchase one. It makes life so much easier.

Simon.
 
LVL 7

Author Comment

by:black0ps
ID: 12350737
So I guess the first thing to do is install a certificate. I haven't done so yet. I'd like to issue my own certificates, as they don't cost anything. I will install a certificate and get back to you with some more diagnostics.
 
LVL 104

Expert Comment

by:Sembee
ID: 12350841
I used to agree with you about using own certificates.
However a number of things changed my mind.
1. I keep drumming into users about security and the padlock. Getting a prompt when they use a non-domain machine doesn't look very professional and I then have to say "but that doesn't apply to us".

2. Users then got wise to install the certificate and they were all over the place. I didn't like the information in the certificate being left on machines I didn't have control over.

3. I went through a lot of pain getting RPC/HTTPS to work using a homegrown certificate. I was in a test environment. I eventually got it working, but I couldn't replicate it or tell you how. Reset the environment (I love VMWARE) and installed a trial certificate and I had it working in less than an hour, in a way that I can replicate. This was before the SP1 GUI, so I documented it (on my web site above if you want to see).

4. The final thing that swayed me was FreeSSL doing very cheap certificates. They are so cheap that I have even swapped the certificate I have on my home system for one of theirs.

Simon.
 
LVL 7

Author Comment

by:black0ps
ID: 12351540
Alright, that pretty much sells it on the FreeSSL. I'm trying to get the selfssl.exe to install and work with Outlook properly. Tell me this (and I truly am appreciative of your assistance - if I figure out how to give more points, I'm going to): as soon as HTTPS is configured properly on the Exchange Server, will outlook.exe /rpcdiag respond with HTTPS without any configuration on the client side?
 
LVL 104

Expert Comment

by:Sembee
ID: 12352099
No.
All RPCDIAG tells you is what Outlook is doing. It will use the current configuration within Outlook.
Therefore you need to configure Outlook correctly and then test it.

Selfssl.exe was what I used when I first tried to use RPC/HTTPS. You need to get the certificate installed on the client machine so that Outlook recognises it. Get it to work with OWA and then install the certificate - Outlook should then accept it.

Simon.
 
LVL 7

Author Comment

by:black0ps
ID: 12352405
I posted a question about certificates. I opened up a new question to give some more points. Maybe you know the answer: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21174607.html
 
LVL 7

Author Comment

by:black0ps
ID: 12359730
Ok, I got my secured certificate installed. I can go to https://mydomain and it works. When I try to connect Outlook 2k3 via outlook.exe /rpcdiag it is still connecting via TCP/IP. Is there anything I need to do with Outlook to tell it to connect via HTTPS?
 
LVL 104

Expert Comment

by:Sembee
ID: 12359829
Have you configured anything in Outlook at all? There are some additional settings that need to be entered.
Make sure that the client machine is Windows XP SP2 (or SP1 and a hotfix - SP2 is preferred).

Then adjust the Outlook settings in accounts. However rather than repeat myself, take a look here: http://www.amset.info/exchange/rpc-http-client.asp
I have placed screenshots of the configuration to make things easy.

Simon.
 
LVL 7

Author Comment

by:black0ps
ID: 12361010
Ok, update:
FreeSSL certificate installed. I can connect to the server through a web browser (root directory) using HTTPS.
I can also connect to the OWA from both intranet and internet using HTTPS (https://myserver/public/).
I installed RPC Hotfix (because I'm waiting a while on SP2) and configured it like your screenshots displayed.

outlook.exe /rpcdiag gives me TCP/IP connections down the board. Do you have any other suggestions?

 
LVL 7

Author Comment

by:black0ps
ID: 12361019
Are there some ports I need to forward through the firewall? I removed all but 80, 443 and 25.
 
LVL 104

Expert Comment

by:Sembee
ID: 12361443
The rule with doing RPC/HTTPS is to do it on the network first, then move off-net.
The only ports that you need on the firewall are 443 and 25. That is the whole point of the application.

However, let's step back a bit.

http://fqdn/rpc
where fqdn is the full name as on the certificate.
When you connect to that path you should get an error. "403.2 - Forbidden: Read access denied". If yes, then the RPC proxy is working.
If no then it is server configuration.

Have you configured RPC/HTTPS via the GUI in SP1 ESM or are you doing it manually via registry entries?

Simon.
 
LVL 7

Author Comment

by:black0ps
ID: 12361608
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

When I remove Require SSL, I get:
HTTP Error 403.2 - Forbidden: Read access is denied.
Internet Information Services (IIS)

I've tried configuring RPC/HTTPS in both ESM and RegEdit.
 
LVL 104

Expert Comment

by:Sembee
ID: 12362009
My mistake above. Sorry.

Check it using the url
https://fqdn/rpc
with the certificate installed.

Simon.
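The /rpc check Simon describes (expect a 403.2 over HTTPS; a 403.4 means the request went over plain HTTP, a clean page means the RPC proxy is not handling the directory) can be automated. This is an added example, not code from the thread; the host name, the message strings and the 401 case (IIS prompting for credentials, which is what you see when anonymous access is off on /rpc) are assumptions.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# IIS puts its sub-status in the error page body, e.g. "HTTP Error 403.2 - Forbidden".
SUBSTATUS = re.compile(r"\b(403\.\d)\b")


def classify_rpc_probe(status, body):
    """Map the HTTP status and body of a GET on /rpc to the diagnosis used in the thread."""
    sub = SUBSTATUS.search(body)
    code = sub.group(1) if sub else None
    if status == 403 and code == "403.2":
        return "ok: RPC proxy is answering on /rpc (403.2 Read access denied is the expected result)"
    if status == 403 and code == "403.4":
        return "ssl-required: the request was plain http; repeat it over https"
    if status == 401:
        return "auth-required: IIS is prompting for credentials, as expected with anonymous access off on /rpc"
    if status == 200:
        return "not-proxied: /rpc returned a page with no error, so the RPC proxy is not handling it"
    detail = f" {code}" if code else ""
    return f"unexpected: HTTP {status}{detail}; check the /rpc virtual directory in IIS"


def probe_rpc_proxy(fqdn, timeout=10):
    """GET https://<fqdn>/rpc with certificate verification on (Outlook also insists on a trusted cert)."""
    req = urllib.request.Request(f"https://{fqdn}/rpc", headers={"User-Agent": "rpc-probe"})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify_rpc_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 arrive as exceptions; the body still carries the IIS sub-status text.
        return classify_rpc_probe(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: python rpc_probe.py mail.example.local   (hypothetical host name)
    print(probe_rpc_proxy(sys.argv[1]))
```

Run it from outside the LAN as well as inside, since the thread's point is that the result must be the same on both.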
 
LVL 7

Author Comment

by:black0ps
ID: 12362458
When I go to the following:

https://localdomain/rpc/
Done - No error

https://externaldomain/rpc/
Done - No error
 
LVL 104

Accepted Solution

by: Sembee (earned 500 total points)
ID: 12363126
By "Done - no error" do you mean you are getting the error message I outlined above? If not then it isn't working properly. You may have to switch off friendly error messages in Internet Explorer to see the error.

If you are getting the error message, and you have attempted to set the ports by registry keys, then you need to ensure that you have them all. There is quite a list. I have compiled the full list of the combinations required here:
http://www.amset.info/exchange/rpc-http-server.asp

Simon.
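Since the accepted answer says the ValidPorts list has to contain every host/port combination, here is an added checker (not code from the thread or from Sembee's site) that parses the registry value and reports which entries are still missing. The required ports (6001-6002 and 6004 for the Exchange server, 6004 for the domain controller, each in both NetBIOS and FQDN form) are assumed from the KB 833401 article the question cites; confirm them against that article before relying on the output.

```python
import re

# Assumed from KB 833401: store and referral on 6001-6002, NSPI (directory) on 6004.
EXCHANGE_PORTS = {"6001-6002", "6004"}
DC_PORTS = {"6004"}

# One ValidPorts entry: host:port or host:port-port, entries separated by ';'.
ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5}(?:-\d{1,5})?)$")


def parse_valid_ports(value):
    """Parse the RpcProxy ValidPorts string into {host: set(port tokens)}; hosts are lower-cased."""
    table = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        match = ENTRY.match(raw)
        if not match:
            raise ValueError(f"malformed ValidPorts entry: {raw!r}")
        host, ports = match.group(1).lower(), match.group(2)
        table.setdefault(host, set()).add(ports)
    return table


def required_entries(exchange_server, domain, dc=None):
    """Entries a single-server deployment needs; dc defaults to the Exchange server itself."""
    required = {}
    for host, ports in ((exchange_server, EXCHANGE_PORTS), (dc or exchange_server, DC_PORTS)):
        for name in (host, f"{host}.{domain}"):  # both short name and FQDN must be listed
            required.setdefault(name.lower(), set()).update(ports)
    return required


def missing_entries(value, exchange_server, domain, dc=None):
    """Return the sorted host:port entries absent from value (ranges are matched as written)."""
    have = parse_valid_ports(value)
    return sorted(
        f"{host}:{port}"
        for host, ports in required_entries(exchange_server, domain, dc).items()
        for port in ports
        if port not in have.get(host, set())
    )


if __name__ == "__main__":
    # Constructed example: the FQDN entry for port 6004 has been left out.
    current = "mail:6001-6002;mail.example.local:6001-6002;mail:6004"
    print(missing_entries(current, "mail", "example.local"))  # ['mail.example.local:6004']
```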
 
LVL 7

Author Comment

by:black0ps
ID: 12436344
Sorry it's been so long with this question. I've been working on installing win2k3 and E2k3 on a newer (faster) server. This is a fresh install, so I want to do everything correct and in order. I'm setting it up as a single server deployment. Here are the steps I've gone through:

1. Installed win2k3
2. Updated to latest and greatest on windowsupdate
3. Completed list of stuff to do when installing E2k3
4. Installed E2k3
5. Installed E2k3SP1
6. Installed GFI Mail Essentials
7. Installed 30 FreeSSL Trial Certificate
8. Setup Components
9. Added ValidPorts to HKLM/Software/MS/RPC/RPCProxy and domain controller
10. Restarted

I browsed to http://<server>/rpc and https. I received a 403.2 error, however, I wasn't prompted to enter my credentials. Does this mean it's working?
 
LVL 7

Author Comment

by:black0ps
ID: 12436811
Never mind. I didn't have the permissions set right for anonymous access. It looks like it's working now. I'm going to try and connect Outlook to it. I'll post an update.
 
LVL 7

Author Comment

by:black0ps
ID: 12438065
Using the notes on your web site Sembee, I was able to do a fresh install and clean everything up. Two things I forgot to do on the client side:

Install WinXP SP1 and the RPC Hotfix. Thanks for your help.

-- Ian
 
LVL 104

Expert Comment

by:Sembee
ID: 12439149
You could go straight to SP2 for Windows XP. It contains the hot fix.

Simon.