Asked by black0ps
RPC over HTTP on a single server in Exchange Server through firewall

I am having a hell of a time getting Outlook 2003 to connect to Exchange
2003 over the internet. I have no problem at all connecting over the
intranet. The server is sitting behind a firewall/router with the following
ports forwarded:

80, 443, 135, 5000-5004, 6000-6004, 53, 88, 123, 389, 3268

I have configured the RPC-HTTP back-end server. I am deploying a
single-server version.

I was told to follow this article and I have: http://support.microsoft.com/?id=833401 with no luck.

I've made a lot of registry entries as well. Does anyone have any suggestion
on how I can get Outlook 2003 to connect to Exchange 2003 over HTTP through
a firewall?
Sembee

Are you sure that it is working internally?

Close Outlook completely, verifying that it is gone from task manager.

Then click on start, then run and enter:

outlook.exe /rpcdiag

All entries in the diagnostic log should say HTTPS. If any say TCP/IP then it isn't working.

You don't need all of those ports open on the firewall. The only ports that you need are 25 (SMTP for inbound email) and 443 (HTTPS). Close the rest - they are not needed and you have left your network badly exposed.

Simon.
ddrewtx

Also make sure you have installed Exchange 2003 Service Pack 1. There are a number of improvements with this service pack, namely the tab on the server properties to help you set up the new feature. I agree with Sembee's steps, as it should connect without problem internally.

HTH,

Dale Drew
black0ps (ASKER)

I will try Sembee's suggestion when I get to work tomorrow. I have installed E2k3 sp1 already. That gave me the option to enable RPC over HTTP, but I still haven't been able to.

The server is behind a linksys firewall/router and doesn't act as DHCP. The router does.
I had 6 activity logs with rpcdiag. 3 are Directory, 3 are Mail. They all establish a connection via TCP/IP and all are Established. Does this mean I'm not connecting via RPC?
All TCP/IP?
RPC/HTTPS is not working.
If you want to see a screenshot of a working configuration, then take a look at my web site here:

http://www.amset.info/exchange/rpc-http-diag.asp

Therefore you need to go back to your configuration and see where mistakes have been made. Even on the LAN you should get all six connections being made to HTTPS.

As you have installed SP1, the next question is have you tested RPC?
Open a web browser and go to
https://certificatename/rpc

Where certificatename is the name on your SSL certificate.
You should get an error message "403.2 - Forbidden: Read access denied". Anything else and the proxy isn't working correctly.

Next - is the certificate a purchased one or homegrown?
If it is homegrown then I would suggest you purchase one. Go to freessl.com and get one of their 30 trial certificates while you get this working. While a homegrown one is fine for web sites, Outlook is a lot more picky and for the small amount of money that freessl are now asking for a certificate it makes sense to just purchase one. It makes life so much easier.

Simon.
So I guess the first thing to do is install a certificate. I haven't done so yet. I'd like to issue my own certificates, as they don't cost anything. I will install a certificate and get back to you with some more diagnostics.
I used to agree with you about using own certificates.
However a number of things changed my mind.
1. I keep drumming in to users about security and the padlock. Getting a prompt when they use a non-domain machine doesn't look very professional and I then have to say "but that doesn't apply to us".

2. Users then got wise to install the certificate and they were all over the place. I didn't like the information in the certificate being left on machines I didn't have control over.

3. I went through a lot of pain getting RPC/HTTPS to work using a homegrown certificate. I was in a test environment. I eventually got it working, but I couldn't replicate it or tell you how. Reset the environment (I love VMWARE) and installed a trial certificate and I had it working in less than an hour, in a way that I can replicate. This was before the SP1 GUI, so I documented it (on my web site above if you want to see).

4. The final thing that swayed me was FreeSSL doing very cheap certificates. They are so cheap that I have even swapped the certificate I have on my home system for one of theirs.

Simon.
Alright, that pretty much sells it on the FreeSSL. I'm trying to get the selfssl.exe to install and work with Outlook properly. Tell me this (and I truly am appreciative of your assistance - If I figure out how to give more points, I'm going to), as soon as HTTPS is configured properly on the Exchange Server, will the outlook.exe /rpcdiag respond with HTTPS without any configuration on the client-side?
No.
All RPCDIAG tells you is what Outlook is doing. It will use the current configuration within Outlook.
Therefore you need to configure Outlook correctly and then test it.

Selfssl.exe was what I used when I first tried to use RPC/HTTPS. You need to get the certificate installed on the client machine so that Outlook recognises it. Get it to work with OWA and then install the certificate - Outlook should then accept it.

Simon.
I posted a question about certificates. I opened up a new question to give some more points. Maybe you know the answer: https://www.experts-exchange.com/questions/21174607/Issue-a-Certificate.html
Ok, I got my secured certificate installed. I can go to https://mydomain and it works. When I try to connect Outlook 2k3 via outlook.exe /rpcdiag it is still connecting via TCP/IP. Is there anything I need to do with Outlook to tell it to connect via HTTPS?
Have you configured anything in Outlook at all? There are some additional settings that need to be entered.
Make sure that the client machine is Windows XP SP2 (or SP1 and a hotfix - SP2 is preferred).

Then adjust the Outlook settings in accounts. However rather than repeat myself, take a look here: http://www.amset.info/exchange/rpc-http-client.asp
I have placed screenshots of the configuration to make things easy.

Simon.
Ok, update:
FreeSSL certificate installed. I can connect to the server through a web browser (root directory) using HTTPS.
I can also connect to the OWA from both intranet and internet using HTTPS (https://myserver/public/).
I installed RPC Hotfix (because I'm waiting a while on SP2) and configured it like your screenshots displayed.

outlook.exe /rpcdiag gives me TCP/IP connections down the board. Do you have any other suggestions?

Are there some ports I need to forward through the firewall? I removed all but 80, 443 and 25.
The rule with doing RPC/HTTPS is to do it on the network first, then move off-net.
The only ports that you need on the firewall are 443 and 25. That is the whole point of the application.

However, let's step back a bit.

http://fqdn/rpc
where fqdn is the full name as on the certificate.
When you connect to that path you should get an error. "403.2 - Forbidden: Read access denied". If yes, then the RPC proxy is working.
If no then it is server configuration.

Have you configured RPC/HTTPS via the GUI in SP1 ESM or are you doing it manually via registry entries?

Simon.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

When I remove Require SSL, I get:
HTTP Error 403.2 - Forbidden: Read access is denied.
Internet Information Services (IIS)

I've tried configuring RPC/HTTPS in both ESM and RegEdit.
My mistake above. Sorry.

Check it using the url
https://fqdn/rpc
with the certificate installed.

Simon.
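The browser check Simon describes (a GET to https://fqdn/rpc should come back "403.2 - Forbidden: Read access denied", while a 403.4 means the /rpc directory requires SSL but the request went over plain http), scripted as an added example that is not code from the thread; the hostname mail.example.com is a placeholder.

```python
"""Probe an Exchange 2003 RPC-over-HTTP proxy the way the thread describes.
Added example, not from the thread. IIS puts the sub-status ("403.2") in
the error page body, while the HTTP status line only carries 403, so both
the status code and the body are inspected."""
import re
import ssl
import urllib.error
import urllib.request

SUBSTATUS_RE = re.compile(r"\b403\.(\d)\b")


def classify_rpc_response(status, body, scheme="https"):
    """Return a short verdict for one response to <scheme>://fqdn/rpc."""
    sub = SUBSTATUS_RE.search(body or "")
    if status == 403 and sub and sub.group(1) == "2":
        return "ok: 403.2 Read access denied, the RPC proxy is answering"
    if status == 403 and sub and sub.group(1) == "4":
        return "ssl-required: /rpc needs SSL; repeat the check over https"
    if status == 200:
        # "Done - No error" in the browser: the proxy is not locked down
        # the way the thread expects.
        return "unexpected: no error returned, check the /rpc virtual directory"
    return f"unexpected: HTTP {status} from {scheme}://.../rpc"


def check_rpc_proxy(fqdn, scheme="https", timeout=10):
    """Issue the request and classify the result. fqdn must be the name on
    the SSL certificate, as the thread says; the default SSL context
    verifies the certificate, so a cert Outlook would reject fails here."""
    url = f"{scheme}://{fqdn}/rpc"
    req = urllib.request.Request(url, method="GET")
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode(errors="replace")
            return classify_rpc_response(resp.status, body, scheme)
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        return classify_rpc_response(err.code, body, scheme)
    except urllib.error.URLError as err:
        return f"unexpected: connection or certificate error: {err.reason}"


if __name__ == "__main__":
    print(check_rpc_proxy("mail.example.com"))  # placeholder FQDN
```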
When I go to the following:

https://localdomain/rpc/
Done - No error

https://externaldomain/rpc/
Done - No error
ASKER CERTIFIED SOLUTION
Sembee

Sorry it's been so long with this question. I've been working on installing win2k3 and E2k3 on a newer (faster) server. This is a fresh install, so I want to do everything correct and in order. I'm setting it up as a single server deployment. Here are the steps I've gone through:

1. Installed win2k3
2. Updated to latest and greatest on windowsupdate
3. Completed list of stuff to do when installing E2k3
4. Installed E2k3
5. Installed E2k3SP1
6. Installed GFI Mail Essentials
7. Installed 30 FreeSSL Trial Certificate
8. Setup Components
9. Added ValidPorts to HKLM/Software/MS/RPC/RPCProxy and domain controller
10. Restarted

I browsed to http://<server>/rpc and https. I received a 403.2 error, however, I wasn't prompted to enter my credentials. Does this mean it's working?
Nevermind. I didn't have the permissions set right for anonymous access. It looks like it's working now. I'm going to try and connect Outlook to it. I'll post an update.
Using the notes on your web site Sembee, I was able to do a fresh install and clean everything up. Two things I forgot to do on the client side:

Install WinXP SP1 and the RPC Hotfix. Thanks for your help.

-- Ian
You could go straight to SP2 for Windows XP. It contains the hot fix.

Simon.