• Status: Solved

RPC over HTTP on a single server in Exchange Server through firewall

I am having a hell of a time getting Outlook 2003 to connect to Exchange
2003 over the internet. I have no problem at all connecting over the
intranet. The server is sitting behind a firewall/router with the following
ports forwarded:

80, 443, 135, 5000-5004,6000-6004,53,88,123,389,3268

I have configured the RPC-HTTP back-end server. I am deploying a
single-server version.

I was told to follow this article and I have: http://support.microsoft.com/?id=833401 with no luck.

I've made a lot of registry entries as well. Does anyone have any suggestion
on how I can get Outlook 2003 to connect to Exchange 2003 over HTTP through
a firewall?
Asked by black0ps
1 Solution

Sembee commented:
Are you sure that it is working internally?

Close Outlook completely, verifying that it is gone from task manager.

Then click on start, then run and enter:

outlook.exe /rpcdiag

All entries in the diagnostic log should say HTTPS. If any say TCP/IP then it isn't working.

You don't need all of those ports open on the firewall. The only ports that you need are 25 (SMTP for inbound email) and 443 (HTTPS). Close the rest - they are not needed and you have left your network badly exposed.

Simon.
ddrewtx commented:
Also make sure you have installed Exchange 2003 Service Pack 1. There are a number of improvements with this service pack, namely the tab on the server properties to help you set up the new feature. I agree with Sembee's steps, as it should connect without problem internally.

HTH,

Dale Drew
black0ps (author) commented:
I will try Sembee's suggestion when I get to work tomorrow. I have installed E2k3 SP1 already. That gave me the option to enable RPC over HTTP, but I still haven't been able to.

The server is behind a linksys firewall/router and doesn't act as DHCP. The router does.
black0ps (author) commented:
I had 6 activity logs with rpcdiag. 3 are Directory, 3 are Mail. They all establish a connection via TCP/IP and all are Established. Does this mean I'm not connecting via RPC?
Sembee commented:
All TCP/IP?
RPC/HTTPS is not working.
If you want to see a screenshot of a working configuration, then take a look at my web site here:

http://www.amset.info/exchange/rpc-http-diag.asp

Therefore you need to go back to your configuration and see where mistakes have been made. Even on the LAN you should get all six connections being made to HTTPS.

As you have installed SP1, the next question is have you tested RPC?
Open a web browser and go to
https://certificatename/rpc

Where certificatename is the name on your SSL certificate.
You should get an error message "403.2 - Forbidden: Read access denied". Anything else and the proxy isn't working correctly.

Next - is the certificate a purchased one or homegrown?
If it is homegrown then I would suggest you purchase one. Go to freessl.com and get one of their 30 trial certificates while you get this working. While a homegrown one is fine for web sites, Outlook is a lot more picky and for the small amount of money that freessl are now asking for a certificate it makes sense to just purchase one. It makes life so much easier.

Simon.
black0ps (author) commented:
So I guess the first thing to do is install a certificate. I haven't done so yet. I'd like to issue my own certificates, as they don't cost anything. I will install a certificate and get back to you with some more diagnostics.
Sembee commented:
I used to agree with you about using own certificates.
However a number of things changed my mind.
1. I keep drumming into users about security and the padlock. Getting a prompt when they use a non-domain machine doesn't look very professional and I then have to say "but that doesn't apply to us".

2. Users then got wise to install the certificate and they were all over the place. I didn't like the information in the certificate being left on machines I didn't have control over.

3. I went through a lot of pain getting RPC/HTTPS to work using a homegrown certificate. I was in a test environment. I eventually got it working, but I couldn't replicate it or tell you how. Reset the environment (I love VMWARE) and installed a trial certificate and I had it working in less than an hour, in a way that I can replicate. This was before the SP1 GUI, so I documented it (on my web site above if you want to see).

4. The final thing that swayed me was FreeSSL doing very cheap certificates. They are so cheap that I have even swapped the certificate I have on my home system for one of theirs.

Simon.
black0ps (author) commented:
Alright, that pretty much sells it on the FreeSSL. I'm trying to get the selfssl.exe to install and work with Outlook properly. Tell me this (and I truly am appreciative of your assistance - if I figure out how to give more points, I'm going to): as soon as HTTPS is configured properly on the Exchange Server, will the outlook.exe /rpcdiag respond with HTTPS without any configuration on the client side?
Sembee commented:
No.
All RPCDIAG tells you is what Outlook is doing. It will use the current configuration within Outlook.
Therefore you need to configure Outlook correctly and then test it.

Selfssl.exe was what I used when I first tried to use RPC/HTTPS. You need to get the certificate installed on the client machine so that Outlook recognises it. Get it to work with OWA and then install the certificate - Outlook should then accept it.

Simon.
black0ps (author) commented:
I posted a question about certificates. I opened up a new question to give some more points. Maybe you know the answer: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21174607.html
black0ps (author) commented:
Ok, I got my secured certificate installed. I can go to https://mydomain and it works. When I try to connect Outlook 2k3 via outlook.exe /rpcdiag it is still connecting via TCP/IP. Is there anything I need to do with Outlook to tell it to connect via HTTPS?
Sembee commented:
Have you configured anything in Outlook at all? There are some additional settings that need to be entered.
Make sure that the client machine is Windows XP SP2 (or SP1 and a hotfix - SP2 is preferred).

Then adjust the Outlook settings in accounts. However rather than repeat myself, take a look here: http://www.amset.info/exchange/rpc-http-client.asp
I have placed screenshots of the configuration to make things easy.

Simon.
black0ps (author) commented:
Ok, update:
FreeSSL certificate installed. I can connect to the server through a web browser (root directory) using HTTPS.
I can also connect to the OWA from both intranet and internet using HTTPS (https://myserver/public/).
I installed RPC Hotfix (because I'm waiting a while on SP2) and configured it like your screenshots displayed.

outlook.exe /rpcdiag gives me TCP/IP connections down the board. Do you have any other suggestions?

black0ps (author) commented:
Are there some ports I need to forward through the firewall? I removed all but 80, 443 and 25.
Sembee commented:
The rule with doing RPC/HTTPS is to do it on the network first, then move off-net.
The only ports that you need on the firewall are 443 and 25. That is the whole point of the application.

However, let's step back a bit.

http://fqdn/rpc
where fqdn is the full name as on the certificate.
When you connect to that path you should get an error. "403.2 - Forbidden: Read access denied". If yes, then the RPC proxy is working.
If no then it is server configuration.

Have you configured RPC/HTTPS via the GUI in SP1 ESM or are you doing it manually via registry entries?

Simon.
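As an added example, not code from the thread or from any of its posters, the following Python script applies the port rule Sembee gives here and in his first reply: it expands a router-style forwarding list like the one in the question, reports what is missing against the minimum of 25 and 443, and names what each surplus port hands to the internet. The service descriptions and the sample list are assumptions constructed for this example.

```python
"""Audit a firewall port-forwarding list against the minimum an Exchange 2003
RPC over HTTPS single server needs: 25 (inbound SMTP) and 443 (HTTPS)."""

# Inbound ports the thread says are needed for this deployment.
REQUIRED_INBOUND = {25, 443}

# What the other commonly forwarded ports expose (constructed descriptions for the report).
EXPOSURE = {
    53: "DNS: Active Directory zone data readable from outside",
    80: "HTTP: OWA logons accepted without TLS",
    88: "Kerberos KDC",
    123: "NTP",
    135: "RPC endpoint mapper",
    389: "LDAP: directory queries against Active Directory",
    3268: "LDAP global catalog",
    6001: "Exchange store RPC port; only the local RPC proxy needs it",
    6002: "Exchange DS referral RPC port; only the local RPC proxy needs it",
    6004: "Exchange DSProxy RPC port; only the local RPC proxy needs it",
}
UNKNOWN = "unidentified service; close unless there is a documented need"


def expand_ports(spec):
    """Turn a router-style list such as '80, 443, 5000-5004' into a sorted list of ports."""
    ports = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        low, _, high = token.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port token: {token!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def audit_forwarded_ports(spec, required=REQUIRED_INBOUND):
    """Compare the forwarded set with the required minimum and explain every extra port."""
    forwarded = set(expand_ports(spec))
    extra = sorted(forwarded - required)
    return {
        "missing": sorted(required - forwarded),
        "unnecessary": extra,
        "exposure": {port: EXPOSURE.get(port, UNKNOWN) for port in extra},
    }


def format_report(spec):
    """Human-readable summary of the audit."""
    result = audit_forwarded_ports(spec)
    lines = [f"forwarded: {spec}"]
    lines += [f"  MISSING  {p}" for p in result["missing"]]
    lines += [f"  CLOSE    {p:<5} {result['exposure'][p]}" for p in result["unnecessary"]]
    if not result["missing"] and not result["unnecessary"]:
        lines.append("  OK: only the required ports are forwarded")
    return "\n".join(lines)


if __name__ == "__main__":
    # The list from the original question (constructed sample input for this example).
    print(format_report("80, 443, 135, 5000-5004,6000-6004,53,88,123,389,3268"))
    # The reduced list the author settled on later in the thread.
    print(format_report("80, 443, 25"))
```

Run it as-is to see both lists audited; the first report flags 25 as missing (so inbound mail would not arrive) and lists seventeen ports that can be closed, the second leaves only port 80 to remove.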
black0ps (author) commented:
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

When I remove Require SSL, I get:
HTTP Error 403.2 - Forbidden: Read access is denied.
Internet Information Services (IIS)

I've tried configuring RPC/HTTPS in both ESM and RegEdit.
Sembee commented:
My mistake above. Sorry.

Check it using the url
https://fqdn/rpc 
with the certificate installed.

Simon.
black0ps (author) commented:
When I go to the following:

https://localdomain/rpc/
Done - No error

https://externaldomain/rpc/
Done - No error
Sembee commented:
By "Done - no error" do you mean you are getting the error message I outlined above? If not then it isn't working properly. You may have to switch off friendly error messages in Internet Explorer to see the error.

If you are getting the error message, and you have attempted to set the ports by registry keys, then you need to ensure that you have them all. There is quite a list. I have compiled the full list of the combinations required here:
http://www.amset.info/exchange/rpc-http-server.asp

Simon.
black0ps (author) commented:
Sorry it's been so long with this question. I've been working on installing win2k3 and E2k3 on a newer (faster) server. This is a fresh install, so I want to do everything correctly and in order. I'm setting it up as a single-server deployment. Here are the steps I've gone through:

1. Installed win2k3
2. Updated to latest and greatest on windowsupdate
3. Completed list of stuff to do when installing E2k3
4. Installed E2k3
5. Installed E2k3SP1
6. Installed GFI Mail Essentials
7. Installed 30 FreeSSL Trial Certificate
8. Setup Components
9. Added ValidPorts to HKLM/Software/MS/RPC/RPCProxy and domain controller
10. Restarted

I browsed to http://<server>/rpc and https. I received a 403.2 error; however, I wasn't prompted to enter my credentials. Does this mean it's working?
black0ps (author) commented:
Never mind. I didn't have the permissions set right for anonymous access. It looks like it's working now. I'm going to try and connect Outlook to it. I'll post an update.
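As an added example, not code from the thread or from Sembee's site, the following Python helper covers the two checks this part of the thread turns on: it builds the ValidPorts value for a single server from its NetBIOS name and FQDN (the port list 593, 6001-6002 and 6004 is assumed from the KB833401 pattern the question links to; the thread itself does not list the ports), reports which entries an existing value lacks, and classifies what a browser got back from /rpc (403.2 as the expected answer, 403.4 for a plain-http request, 404 when the virtual directory is absent, and the "Done - no error" case as inconclusive). Host names, response texts and the probe function are constructed for this example.

```python
"""Checks for an Exchange 2003 single-server RPC over HTTPS setup:
the RpcProxy ValidPorts value and the browser test against /rpc."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Port ranges the RPC proxy must be allowed to forward to. Assumed here from the
# KB833401 single-server pattern: 593 (RPC endpoint mapper over HTTP),
# 6001-6002 (information store and DS referral), 6004 (DSProxy).
RPC_PROXY_PORTS = ("593", "6001-6002", "6004")


def expected_valid_ports(netbios_name, fqdn):
    """Build the ValidPorts REG_SZ value under HKLM\\Software\\Microsoft\\Rpc\\RpcProxy.

    The proxy matches entries against the server name Outlook asks for, so both
    the short name and the FQDN need an entry for every port range.
    """
    return ";".join(
        f"{host}:{ports}" for host in (netbios_name, fqdn) for ports in RPC_PROXY_PORTS
    )


def missing_valid_ports(current_value, netbios_name, fqdn):
    """Entries of the expected value that an existing ValidPorts string lacks."""
    present = {e.strip().lower() for e in current_value.split(";") if e.strip()}
    return [
        entry for entry in expected_valid_ports(netbios_name, fqdn).split(";")
        if entry.lower() not in present
    ]


# IIS 6 error pages carry the sub-status in their text, e.g. "HTTP Error 403.2 - Forbidden".
IIS_ERROR = re.compile(r"HTTP Error (\d{3})\.(\d+)")


def classify_rpc_probe(url, status, body):
    """Interpret the response a browser got from <server>/rpc.

    proxy-ok      403.2 "Read access is denied": the RPC proxy answered, as expected
    ssl-required  403.4: /rpc was requested over plain http; repeat over https
    vdir-missing  404: no /rpc virtual directory, the RPC over HTTP Proxy component is absent
    inconclusive  200 with no IIS error text: friendly error pages, or not the proxy at all
    unexpected    anything else; read the sub-status from the IIS log
    """
    match = IIS_ERROR.search(body)
    substatus = f"{match.group(1)}.{match.group(2)}" if match else None
    scheme = urlsplit(url).scheme.lower()
    if substatus == "403.2":
        return "proxy-ok"
    if substatus == "403.4":
        return "ssl-required"
    if status == 404:
        return "vdir-missing"
    if status == 200 and substatus is None:
        return "inconclusive"
    return "unexpected"


def probe_rpc_vdir(url, timeout=10):
    """Fetch the URL and classify it (needs network access; not exercised below)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_rpc_probe(url, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_rpc_probe(url, err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed server names and response bodies for the example.
    print(expected_valid_ports("MAIL", "mail.example.test"))
    print(missing_valid_ports("MAIL:593;MAIL:6001-6002", "MAIL", "mail.example.test"))
    samples = [
        ("http://mail.example.test/rpc", 403,
         "HTTP Error 403.4 - Forbidden: SSL is required to view this resource."),
        ("https://mail.example.test/rpc", 403,
         "HTTP Error 403.2 - Forbidden: Read access is denied."),
        ("https://mail.example.test/rpc/", 200, "<html><body>Done</body></html>"),
    ]
    for url, status, body in samples:
        print(url, "->", classify_rpc_probe(url, status, body))
```

The classifier reads the sub-status from the page body because Internet Explorer's friendly error pages and a plain 200 both hide it; when it returns "inconclusive", switch friendly errors off or check the IIS log before concluding the proxy works.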
black0ps (author) commented:
Using the notes on your web site Sembee, I was able to do a fresh install and clean everything up. Two things I forgot to do on the client side:

Install WinXP SP1 and the RPC Hotfix. Thanks for your help.

-- Ian
Sembee commented:
You could go straight to SP2 for Windows XP. It contains the hot fix.

Simon.