Exchange/Outlook RPC over HTTP

I'm trying to configure my DC to support RPC over HTTP but on a non-80 port.  It works fine from the local network but I can't get it to work outside the firewall.  I do have a port opened from the outside to the inside.  I am able to telnet to the port so I know it should not be a firewall issue, but I don't know what else to try.  Inside the firewall I refer by machine name (DC1), inside the firewall I refer by DNS name (mydomain.com).
SkipFire Asked:

SkipFire (Author) Commented:
The first one doesn't apply, I'm not using a proxy on either end.
The second one doesn't apply, I'm not using ISA.
Joseph Nyaema (Independent Consultant) Commented:
Assuming you have configured Windows 2003 Server as an RPC over HTTP proxy server...

In the Outlook 2003 settings...
After selecting the "Connect to Exchange Mailbox using HTTP" check box...
For the RPC over HTTP proxy server...
Enter the:
mydomain.com:3128
or
123.123.123.123:81

where 81 is the port on the firewall you have redirected to your RPC over HTTP proxy server's port 80, and 123.123.123.123 is the public IP address of your firewall.

SkipFire (Author) Commented:
I set up the web site on the RPCProxy server to run on 81 and the firewall forwards port 81 straight through.

I have tried both mydomain.com:81 as well as myip:81; every time it says "The proxy server you have specified is invalid. Correct it and try again.".

Of course I just now discovered that for some reason when I am internal (or VPN'd) I just enter the server name and no port. Why is traffic not going over the port assigned to the web site?
SkipFire (Author) Commented:
Ok, I have scrapped the different port forwarding, so I am sticking with 443, and when I run outlook /rpcdiag everything listed shows connecting. The number of lines changes, but it never shows me any other status long enough to read it, and Outlook never leaves "trying to connect" status. I followed the instructions to set RPC to operate over 6001-6002, 6004 and have those ports also forwarded but no luck. I also tried setting the server into the DMZ but that did not help either.
Joseph Nyaema (Independent Consultant) Commented:
You need to set up the server as per the following link:
http://www.amset.info/exchange/rpc-http-server.asp

If you do not want to use your own certificate authority,
you can use the following link to help you do that.
http://www.microsoft.com/smallbusiness/support/articles/build_ent_root_ca.mspx

The clients must be running at least Windows XP SP1 with the RPC hotfix (SP2 includes this)
and Outlook 2003.

Then you need to follow the instructions in this link on how to set up the client for RPC over HTTP
http://www.amset.info/exchange/rpc-http-client.asp

The following link will show you how to install a certificate from your own certificate authority.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323342

For diagnostics use the instructions in this link
http://www.amset.info/exchange/rpc-http-diag.asp

Joseph Nyaema (Independent Consultant) Commented:
How is it coming SkipFire? =)
SkipFire (Author) Commented:
No luck so far, if I am connected via VPN everything works, but without the VPN nothing seems to work.
SkipFire (Author) Commented:
Actually, I just got it working.
JacquesKruger Commented:
Which certificate are you using for the server?

As per MSKB article http://support.microsoft.com/kb/833401/#XSLTH3140121122120121120120

Obtain a certificate from a third-party certification authority (CA).

To enable and to require SSL for all communications between the RPC proxy server and the Outlook clients, you must obtain and publish a certificate at the default Web site level. We recommend that you purchase your certificate from a third-party certification authority whose certificates are trusted by a wide variety of Web browsers.

Important: As an alternative, you can use the Certification Authority tool in Windows to install your own certification authority. By default, Web browsers do not trust your root certification authority in this scenario. When a user tries to connect in Outlook 2003 by using RPC over HTTP, that user loses the connection to Exchange. The user is not notified. The user loses the connection when one of the following conditions is true:
• The client does not trust the certificate.
• The certificate does not match the name that the client tries to connect to.
• The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority. For additional information about how to trust a root certification authority, click the following article number to view the article in the Microsoft Knowledge Base:
297681 (http://support.microsoft.com/kb/297681/) Error message: This security certificate was issued by a company that you have not chosen to trust
For additional information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_PKPUnCertRoot.asp
Additionally, if you use your own certification authority, when you issue a certificate to your RPC proxy server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the RPC proxy server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that is similar to mail.contoso.com. The Common Name field or the Issued to field cannot contain the internal fully qualified domain name of the computer. For example, those fields cannot contain a name that is similar to mycomputer.contoso.com. For additional information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx 
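
Added example, not part of the thread or of the KB article: a Python check for the three silent-failure conditions quoted above, run against the certificate the RPC proxy presents. The function names and sample certificates are constructed for illustration; matching subjectAltName before the Common Name is an assumption about current TLS clients (the KB text only mentions the Common Name field).

```python
import socket
import ssl
from datetime import datetime, timezone

def _names(cert):
    """DNS names to match: subjectAltName entries, else the subject Common Name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]

def _matches(pattern, host):
    p, h = pattern.lower().split("."), host.lower().split(".")
    # A wildcard is honoured only as the entire left-most label.
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def check_proxy_cert(cert, proxy_name, now=None):
    """List the quoted KB conditions that `cert` (getpeercert() shape) fails."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(_matches(n, proxy_name) for n in _names(cert)):
        problems.append("name mismatch")
    if not _utc(cert["notBefore"]) <= now <= _utc(cert["notAfter"]):
        problems.append("date incorrect")
    return problems

def probe(host, port=443, cafile=None):
    """Live check: chain trust comes from the handshake, name/date from above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name is reported by check_proxy_cert instead
    try:
        with socket.create_connection((host, port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_proxy_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return ["chain rejected: " + exc.verify_message]

# Constructed sample certificates (host names taken from the KB text above).
_VALIDITY = {"notBefore": "Jan 01 00:00:00 2005 GMT",
             "notAfter": "Jan 01 00:00:00 2007 GMT"}
SAMPLE_EXTERNAL = {"subject": ((("commonName", "mail.contoso.com"),),), **_VALIDITY}
SAMPLE_INTERNAL = {"subject": ((("commonName", "mycomputer.contoso.com"),),), **_VALIDITY}

if __name__ == "__main__":
    when = datetime(2006, 1, 1, tzinfo=timezone.utc)
    for cert in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        print(check_proxy_cert(cert, "mail.contoso.com", when))
```

For a private CA, pass its exported root certificate as `cafile` to `probe` so the chain is judged the way a client that trusts that root would judge it.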
SkipFire (Author) Commented:
I'm using Certificate Services on my own domain.
JacquesKruger Commented:
Sorry, I missed the fact that you'd already closed the question.

What was the issue?
SkipFire (Author) Commented:
The final issue was I forgot to turn my mail server on as a back-end RPC server.  I never did get it working via HTTP over an alternative port, but I didn't have anything running SSL anyway so it wasn't a huge deal.