Solved

RPC over HTTP

Posted on 2006-04-04
Last Modified: 2008-03-17
Sembee where are you??

Here is my layout

DC GC 2K3 SP1
Exchange 2003 SP2 on 2K3 SP1 (Back-end Only)
SSL Cert installed on Exchange Box

My RPC Proxy is setup on Exchange box
Registry keys modified per http://www.amset.info/exchange/rpc-http-server.asp

When I test using outlook /rpcdiag on an internal client RPC profile, I get the following:

exch.domain.com  Directory   TCP/IP
exch.domain.com  Directory   TCP/IP
exch.domain.com  Mail          HTTPS
exch.domain.com  Mail          HTTPS
exch.domain.com  Mail          HTTPS

I know this means that RPC is not working correctly.  I have read and tried just about every link I've found, to no avail.  Can anyone shed some light on what might be wrong?


Thanks Again
Question by: darrennelson
 
Expert Comment by Sembee (ID: 16379401)
At 11.30 at night in the UK, I am in bed (normally).

Have you made the registry change on the domain controller?
Are the correct entries for the domain controller in the registry?

Simon.

Assisted Solution by carl_legere (ID: 16380280, earned 375 total points)
My new guide to this (note the link to Simon's company):

I've had the best luck tweaking the instructions found here:

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
http://www.amset.info/exchange/rpc-http-server.asp
http://www.msexchange.org/tutorials/outlookrpchttp.html

Download the IIS resource kit, use SelfSSL to create a server-side cert, make sure the CN is what you want to call the site from the outside, i.e. mail.company.net.
You have to convert this to a .cer file also.
You have to download the .cer file to all clients and import it into XP.
When you are done with this you have to test with OWA.
CAN YOU OWA and not receive a security prompt? If so, then move on; if not, find out why.
Enable RPC proxy in ESM.
RPC proxy reg tweak: make sure to name them by several names: internal, internal FQDN and external FQDN.

Port forward 443.

On the client, hosts file tweaks:
external IP address  plainhostname
external IP address  plainhostname.internal(AD)domain.internal
external IP address  realinternethostname.company.net

Client logon prompts are always answered with DOMAIN\username.

Outlook profile:
exchange servername = plainhostname.internal(AD)domain.internal (tmaexch1.tma.internal)
Connection tab:
"Exchange over the Internet" check box on for connect with HTTP.
Proxy settings:
use this URL: realinternethostname.company.net
tick mutually authenticate
proxy principal name:
msstd:realinternethostname.company.net
tick both boxes, on fast and on slow
change to basic authentication.

Troubleshooting:
From outside, can you do https://ipaddress_or_hostname/rpc without a security prompt?
Can you OWA...
Hold down Control and right-click on the Outlook tray icon; a new option, Connection Status, is there. Use it.
Things are going well for the proxy system and the RPC if you see two or more lines for directory service and a couple of mail tunnels.  Proxy is up but not RPC if you see only directory service or no connections.
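The registry tweak carl_legere describes (every server listed under every name a client might use, plus the domain controller) is where most of this thread's trouble sits. The Python below is an added example for checking that value before touching the registry; it is not from the thread, from amset.info or from Microsoft. It assumes, as labelled in the code, that the value is the RPC proxy's ValidPorts string in "host:port-range;host:port;..." form, that the Exchange 2003 back end needs ports 6001-6002 and 6004, and that the global catalog's NSPI interface needs 6004. The server and DC names are constructed samples.

```python
# Added example (not from the thread or from amset.info): build and sanity-check
# the RPC proxy's ValidPorts registry value. Assumptions, not taken from the page:
# the value lives at HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts (REG_SZ),
# is formatted "host:port-range;host:port;...", the Exchange 2003 back-end
# needs 6001-6002 and 6004, and the global catalog's NSPI interface needs 6004.
from itertools import product

EXCHANGE_PORTS = ("6001-6002", "6004")  # store/referral and DSProxy (assumption)
GC_PORTS = ("6004",)                    # NSPI on the global catalog (assumption)

# Constructed sample names: every host under every name a client could use
# (NetBIOS name, internal FQDN, external FQDN)
SAMPLE_EXCHANGE_NAMES = ["exch", "exch.domain.local", "mail.domain.com"]
SAMPLE_GC_NAMES = ["dc1", "dc1.domain.local"]


def build_valid_ports(exchange_names, gc_names):
    """Return a ValidPorts string listing each name under each required port."""
    entries = [f"{name}:{ports}" for name, ports in product(exchange_names, EXCHANGE_PORTS)]
    entries += [f"{name}:{ports}" for name, ports in product(gc_names, GC_PORTS)]
    return ";".join(entries)


def parse_valid_ports(value):
    """Parse 'host:6001-6002;host:6004' into a set of (host, low, high) tuples."""
    allowed = set()
    for entry in filter(None, value.split(";")):
        host, _, ports = entry.partition(":")
        low, _, high = ports.partition("-")
        allowed.add((host.strip().lower(), int(low), int(high or low)))
    return allowed


def missing_entries(value, exchange_names, gc_names):
    """Return (host, port) pairs Outlook will request that the proxy would refuse."""
    allowed = parse_valid_ports(value)
    wanted = [(n.lower(), p) for n in exchange_names for p in (6001, 6002, 6004)]
    wanted += [(n.lower(), 6004) for n in gc_names]

    def is_allowed(host, port):
        return any(h == host and lo <= port <= hi for h, lo, hi in allowed)

    return [(h, p) for h, p in wanted if not is_allowed(h, p)]


if __name__ == "__main__":
    good = build_valid_ports(SAMPLE_EXCHANGE_NAMES, SAMPLE_GC_NAMES)
    print("ValidPorts =", good)
    print("missing from complete value:", missing_entries(good, SAMPLE_EXCHANGE_NAMES, SAMPLE_GC_NAMES))
    # The failure mode the thread keeps circling: the domain controller was never added
    forgot_dc = build_valid_ports(SAMPLE_EXCHANGE_NAMES, [])
    print("missing when the GC is left out:", missing_entries(forgot_dc, SAMPLE_EXCHANGE_NAMES, SAMPLE_GC_NAMES))
```

Paste the current registry value into `missing_entries` with your own name lists: an empty result means every name and port Outlook can ask for is permitted; anything returned is a connection the proxy will silently refuse, which is exactly what shows up as directory traffic falling back to TCP/IP.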

Author Comment by darrennelson (ID: 16383967)
Simon

I believe I got the keys right based on your site.  The DC settings I'm sure of.  The exchange settings are where it gets fuzzy.  I went to freessl.com and got a .cer with server.domain.com.  The registry settings call for server.domain.local and mail.external.com.  When I set up a user internally, I use server.domain.com so in the registry I entered server.domain.com wherever I saw server.domain.local or mail.external.com.

Another question.  Why does everyone say you need to open port 443 for RPC if the whole idea behind RPC over HTTP is to deal with firewall issues?  If RPC is wrapped in HTTP, why the need to port forward 433?


Carl

I am going to go over your information, as well.  It looks like you have listed some testing tools I have been looking for to test individual components of the whole picture.

Accepted Solution by Sembee (ID: 16384072, earned 375 total points)
RPC over HTTP uses https traffic - that comes across in port 443 - not port 80. You don't need port 80 to be open. It should be more accurately named RPC over HTTPS.

I think you have got the registry settings wrong.
If you have got the certificate in the same name as the server is known as internally - i.e. server.domain.com is its name on the AD domain and on the internet (which is highly unusual - I tend to use a common name like mail.domain.com for this feature so that the certificate and configuration isn't tied to one server) - then you just change everything to the same name - you don't need to use two different names.

The most common problem with this feature is the registry changes.

Simon.

Expert Comment by carl_legere (ID: 16384083)
the technique for outlook access should be called RPC via HTTPS
RPC is wrapped inside of HTTPS
port 443 and only port 443 (for this purpose) must be opened and forwarded appropriately

OWA via https://realdomainname.domain.com/exchange MUST work prior to doing this.

Expert Comment by carl_legere (ID: 16384097)
Damn, Simon with quick fingers; sorry to overpost, or under in this case.  Please, for the record, you are my hero, and please do not take anything I say as a slight.

Expert Comment by carl_legere (ID: 16384114)
Simon, do you prefer these to be using real certs from a CA or self-signed?  Can't beat the speed of using self-signed.

Expert Comment by Sembee (ID: 16384194)
Real certificates - 100%.
I never use self-signed. While they are cheap and easy to get, they increase the administrative burden, are a sod to manage, look cheap, generate warnings etc.

I blogged my rant last month: http://msmvps.com/blogs/sembee/archive/2006/03/05/85588.aspx

Even using a purchased certificate (I get mine from RapidSSL), I can have the entire thing deployed in an hour.

Simon.

Author Comment by darrennelson (ID: 16384990)
I got a cert from RapidSSL as well.

Can you clear this up a bit, Simon?

"I think you have got the registry settings wrong.
If you have got the certificate in the same name as the server is known as internally - ie server.domain.com is its name on the AD domain and on the internet (which is highly unusual - I tend to use a common name like mail.domain.com for this feature so that the certificate and configuration isn't tied to one server) then you just change everything to the same name - you don't need to use two different names."

The way I read this, I have done exactly as you stated.  The cert name is server.domain.com, my server is seen by this both internally and externally, and this is the way I set registry keys.

A little more info:  We have web access enabled on Exchange.  Internally, I can access it via https://server.domain.com/exchange or http://server.domain.com/exchange.  However, externally I can only get to it via http://server.domain.com/exchange.  I didn't set up any of this, but I believe they (web access and RPC) are running from the same web server on the Exchange box, are they not?

Expert Comment by Sembee (ID: 16385039)
Sounds like you have a split DNS configuration setup. That allows the name resolution internally to resolve to the internal IP address of the server, and the name resolution externally to resolve to the external IP address. Very common and is how I do most of my deployments as it allows the users to bounce between inside and outside without any changes.

Have you made an error above?
Do you mean to say that you are unable to use the https variant from outside of your network? The more common scenario is that http and https works internally, but https ONLY works from outside (that is certainly how I have done it in the past).

Re-reading the question, and based on what you put in your original query, this looks like the problem is with the registry settings for the domain controller, not the Exchange part.
Ensure that the domain controller being referenced in the registry settings has had the small change made to its registry.

Simon.

Expert Comment by carl_legere (ID: 16385309)
not to conflict with Simon-

Can you explain your firewall and port forwarding, so we can help you get  https://server.domain.com/exchange to work?

Author Comment by darrennelson (ID: 16386017)
Firewall is a Cisco PIX 501; ports forwarded to server.domain.com are HTTP, HTTPS and RPC.  The interface doesn't allow you to specify port numbers, only protocols.

Author Comment by darrennelson (ID: 16386066)
Simon

No error; internally I can use https or http. Externally I can only access via http.

Expert Comment by Sembee (ID: 16386229)
You need to look at your firewall configuration.
It does work with the Cisco PIX 501; I have lost count of the number of times I have set up RPC over HTTPS with a PIX. It is my preferred firewall.

Simon.

Author Comment by darrennelson (ID: 16393767)
OK, I checked the firewall settings last night.  I was able to get my OWA to work externally only via https://.  The original access rule for https was like this:

Source:  Outside/0.0.0.0
Protocol/Source Port:  HTTPS

Destination:  Inside/x.x.x.x (internal Exchange IP)
Protocol/Source Port:  HTTPS

I changed to:

Source:  Outside/0.0.0.0
Protocol/Source Port:  Any

Destination:  Inside/x.x.x.x(Internal Exchange IP)
Protocol/Source Port:  HTTPS

Changing the Outside protocol to Any allowed my OWA to be accessible via HTTPS://.

Question:  For RPC over HTTPS to work, do I have to do this?

Source:  Outside/0.0.0.0
Protocol/Source Port:  RPC

Destination:  Inside/x.x.x.x(Internal Exchange IP)
Protocol/Source Port:  RPC

Or

Source:  Outside/0.0.0.0
Protocol/Source Port:  Any

Destination:  Inside/x.x.x.x(Internal Exchange IP)
Protocol/Source Port:  RPC

Or should the RPC be HTTPS?  As I stated before, when I create rules, I don't have the option to enter port numbers, only protocols.  I actually tried using RPC for both without success.

Another question: I read somewhere that for RPC to work, you have to set up the client profile while on the LAN.  Is there any truth to this?  I actually tried to set up the profile while connected via VPN and it validated the username, but once I disconnected from VPN, I couldn't connect under that profile.

Also, I still think I have something configured wrong, because when I'm on the LAN and test the RPC profile using outlook /rpcdiag, I still get the following:

server.domain.com          directory          TCP/IP
server.domain.com          directory          TCP/IP
server.domain.com          mail                 HTTPS
server.domain.com          mail                 HTTPS
server.domain.com          mail                 HTTPS

Thanks again for all your guys help
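The /rpcdiag table posted above is the clearest diagnostic in the thread: mail tunnels are already on HTTPS, only the directory connections are still on TCP/IP, which is what points Simon at the domain controller's registry entries rather than the Exchange side. The Python below is an added example, not code from the thread, that parses such a table and applies the rule of thumb carl_legere gives (healthy when directory and mail both tunnel over HTTPS; directory-only or nothing means the proxy is up but RPC is not). The sample table is constructed to match the question's output; the state names and their explanations are this example's own.

```python
# Added example (not from the thread): classify the connection-status lines
# from Outlook's /rpcdiag window. The sample below is constructed to look like
# the table in the question; state names and messages are this example's own.
import re

SAMPLE_RPCDIAG = """\
server.domain.com          directory          TCP/IP
server.domain.com          directory          TCP/IP
server.domain.com          mail                 HTTPS
server.domain.com          mail                 HTTPS
server.domain.com          mail                 HTTPS
"""

# server name, connection type, protocol; whitespace between columns varies
LINE_RE = re.compile(r"^\s*(\S+)\s+(directory|mail)\s+(TCP/IP|HTTPS)\s*$", re.IGNORECASE)

STATES = {
    "NO_CONNECTIONS": "no connections listed: the client is not reaching the proxy at all",
    "DIRECTORY_ONLY": "directory only: proxy is up but the mailbox RPC path is not",
    "DIRECTORY_NOT_PROXIED": "mail over HTTPS but directory over TCP/IP: the global "
                             "catalog side is not being proxied (check the DC registry entries)",
    "HEALTHY": "directory and mail tunnels all over HTTPS: RPC over HTTPS is working",
    "MIXED": "some connections still on TCP/IP: review the proxy and client settings",
}


def parse_rpcdiag(text):
    """Return (server, kind, protocol) tuples for each recognised status line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3).upper()))
    return rows


def diagnose(rows):
    """Map the connection table to one of the STATES keys."""
    protocols = {}
    for _, kind, proto in rows:
        protocols.setdefault(kind, set()).add(proto)
    if not rows:
        return "NO_CONNECTIONS"
    if "mail" not in protocols:
        return "DIRECTORY_ONLY"
    if "TCP/IP" in protocols.get("directory", set()):
        return "DIRECTORY_NOT_PROXIED"
    if all(p == {"HTTPS"} for p in protocols.values()):
        return "HEALTHY"
    return "MIXED"


if __name__ == "__main__":
    state = diagnose(parse_rpcdiag(SAMPLE_RPCDIAG))
    print(state, "-", STATES[state])
```

Feed it the lines copied from the Connection Status window; a `DIRECTORY_NOT_PROXIED` result is the pattern in this thread and sends you to the global catalog's registry change, while `DIRECTORY_ONLY` or `NO_CONNECTIONS` points at the proxy or the client profile instead.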

Expert Comment by Sembee (ID: 16393981)
The whole point of setting up RPC over HTTPS is that the traffic goes across the HTTPS protocol. No other port has to be opened other than 443. In most cases if you have OWA working correctly with an SSL certificate, then RPC over HTTPS will also work correctly - no further changes required.

As for setting up the feature - you don't have to setup the Outlook client on the LAN. It does make things easier, but can be set off the network. If you look at my web site (http://www.amset.info/exchange/rpc-http.asp) then I have instructions on how it can be set when there is no connection available to the LAN.

What I do recommend is that you get it working inside first, to avoid the firewall being the cause of any problems.

Simon.

Author Comment by darrennelson (ID: 16398144)
HOLY TOLEDO....so I'm lying in bed mulling this over and a thought occurred to me....I have been making the DC registry changes on the Exchange box.  I've talked about this so much that I've confused myself.  My DC GC is a separate box from my Exchange server.  I had to get up and write this so I wouldn't think I was dreaming.......

I'll let you guys know how it goes.

Darren

Author Comment by darrennelson (ID: 16402620)
Well, I guess I was dreaming, because I did have the NSPI key on the DC and not on the Exchange box like I was thinking I did.

Expert Comment by Sembee (ID: 16402671)
It wouldn't matter if you had it on your Exchange server anyway - Exchange would just ignore it.

Sometimes it comes down to simply undoing what you have done and starting again. Removing the registry entries from all machines, removing the RPC proxy and then rebooting the machine and starting from scratch.

Simon.

Author Comment by darrennelson (ID: 16403201)
I think I've resigned myself to that solution, but before I close this topic, one more question on SSL certs.  I have created about 4 certs now from RapidSSL, and when I go to http://exchange-server/rpc I get the warning stating that the 'name on the security certificate is invalid or does not match the name of the site'.  The other two are checked green.

My RPC virtual directory is under the Default Web Site dir.  My Exchange virtual directory is also under this directory.  I access my OWA via http://server.domain.com/exchange.

When I create a new cert, the first option is to 'type a name for the new cert', and by default it has already entered 'Default Web Site'.  Then a couple of windows later, it asks for the common name of the site.  I'm confused as to what to enter in these fields.  I've tried using server, server.domain.com and even left Default Web Site, but I get the same warning.  I know you said to use something generic like mail.domain.com, but the machine name and the Exchange server are already named the same thing, server1.

I know I'm probably driving you nuts, but I really appreciate all your help.

Expert Comment by Sembee (ID: 16404637)
Common name is the name that the server responds to.

Therefore if you want to enter https://mail.domain.com/exchange in to the URL bar, then the common name will be mail.domain.com

I usually recommend that a generic name is used, rather than the server's real name. In the event that you have to move the certificate to another server you can simply adjust the DNS.

Once you have the certificate, you have to access the server with the name on the certificate to avoid the warnings. That usually means some DNS tweaks so that the name works both internally and outside.

Simon.
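Simon's rule (the common name must be the name the server is reached by, so a short host name or the IIS friendly name "Default Web Site" will always trigger the mismatch warning) can be checked offline before requesting yet another certificate. The following Python is an added example, not part of the thread, that decides which URLs a certificate with a given common name and optional subjectAltName list will be accepted for. It assumes the name-matching rules browsers use today (subjectAltName DNS names checked first, the CN only as a fallback, a wildcard matching exactly one left-most label); the host names are taken from the thread, and the SAN list is a constructed example.

```python
# Added example (not from the thread): which URLs does a certificate cover?
# Assumed matching rules: SAN dNSNames are authoritative when present, the
# common name is only a fallback, and "*.example.com" matches one label only.
from urllib.parse import urlsplit


def _name_matches(pattern, hostname):
    """Compare one certificate name (possibly a wildcard) with a URL host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        # same label count and every label after the wildcard identical
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def cert_covers(url, common_name, san_dns=()):
    """True if a certificate with this CN / SAN list is valid for the URL's host."""
    host = urlsplit(url).hostname or ""
    names = list(san_dns) if san_dns else [common_name]
    return any(_name_matches(n, host) for n in names)


def coverage_report(common_name, san_dns, urls):
    """Map each URL to whether the certificate would be accepted for it."""
    return {u: cert_covers(u, common_name, san_dns) for u in urls}


# Constructed check using the names that appear in the thread
URLS = [
    "https://server.domain.com/rpc",
    "https://exchange-server/rpc",      # short NetBIOS-style name
    "https://mail.domain.com/exchange",  # the generic name Simon recommends
]

if __name__ == "__main__":
    for cn, san in (("server.domain.com", ()),
                    ("Default Web Site", ()),  # IIS friendly name, not a host name
                    ("mail.domain.com", ("mail.domain.com", "server.domain.com"))):
        print(f"CN={cn!r} SAN={list(san)}")
        for url, ok in coverage_report(cn, san, URLS).items():
            print(f"  {'ok  ' if ok else 'WARN'} {url}")
```

The report makes the thread's symptom concrete: a certificate issued to server.domain.com is fine for https://server.domain.com/rpc but will warn for the short name, and a "Default Web Site" common name matches nothing. Listing both the internal and the public name in the SAN (or using one generic name and split DNS, as Simon suggests) is what removes the warning on every URL users actually type.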