
Connecting to Exchange Server over the internet from Outlook 2003

Hi,

I have successfully set up my Exchange server and have created all the necessary accounts for it. I have one problem which I am finding hard to deal with at the moment.

I have a computer outside the network (in someone else's house) which I am trying to use to connect to the Exchange server. Now the domain I'm using to connect to the Exchange server is mail.pixision.co.uk with the account wikitest.

When I enter all that information and click check account I get the following error...

'The action could not be completed. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online and connected to complete this action.'

Now I do have the internet connected so I am assuming I have a problem with my server or the ports that I forward to the server.

I'm not sure if this has anything to do with using RPC over HTTP but I have got this enabled. I'm thinking that I need to forward ports to my server.

If someone could help I would be most grateful

Thanks

Scott
 
adamdrayerCommented:
I would NOT recommend trying to access an Exchange server over the internet.  I'm not sure it's even possible without a VPN of some kind.  The necessary ports are most definitely blocked by ISPs.  There is a feature of Exchange that allows you to log in to a particular mailbox account over the internet and it looks just like Outlook.  It's called Outlook Web Access.  After configuring this on your Exchange server (with SSL recommended), then you can access it like a webserver and it will prompt you for username and password, and then look like Outlook and have a lot of the functionality.
0
 
Keith AlabasterCommented:
What are you using as your firewall between the server and the internet?
0
 
Keith AlabasterCommented:
and which ports have you forwarded?
0
 
swalker_southendAuthor Commented:
Hi,

I have forwarded the following ports to my server...

port 25
port 110
port 6001
port 6002
port 6003
port 135

I hope this helps... I'm not running any firewall yet, I need to get this working before I implement anything like that.

Scott
0
 
adamdrayerCommented:
You'll have to also forward port 80 and port 443 to get OWA working properly.  A Firewall is a must, in my opinion.
0
 
swalker_southendAuthor Commented:
Yes, port 80 and 443 have been forwarded but still nothing has come about it and I still can't get it to work.

Scott
0
 
adamdrayerCommented:
Well that's just the preparation.  Then you have to install/configure OWA.
0
 
swalker_southendAuthor Commented:
ok...

Right this is where I am at, at the moment. I have Exchange server installed and working inside my network. I can access the Exchange server from Outlook and Outlook Web Access internally on the network. I can also access Outlook Web Access outside the network. I have got SSL working and have a server certificate. You have to connect to the server using HTTPS.

When I try to connect to the server using Outlook, configuring the account to use the HTTP proxy, it prompts me for the account's username and password. Upon entering this information the programme locks up and then after a few minutes I get a message asking me if I'm connected to the internet and stating that it could not connect to the Exchange server. Now it must be able to connect to the server if it prompts for a username and password.

Please help. I'm desperate.

Thanks

Scott
0
 
adamdrayerCommented:
I'm not sure you can access OWA through HTTP proxy.  You have to just treat it like a website.  That's really what it's for.  A webpage that allows you access to your Exchange mailbox and some Outlook features.  You don't actually use Outlook with OWA.
0
 
swalker_southendAuthor Commented:
Sorry,

That's not what I'm trying to say... What I'm saying is I have got all that working but I can't seem to get Outlook to connect to the Exchange server over the internet. That's what I need help with.
0
 
adamdrayerCommented:
I don't believe you can do that.  To use Outlook to access an Exchange server over the internet, you would first have to establish a VPN.  LAN traffic will not pass over the internet, and that's what Outlook/Exchange is meant for.
0
 
swalker_southendAuthor Commented:
Why would they have invented RPC over HTTP if you were not allowed to do it?

I know it works because it's used on my work's network but I just can't see what I'm doing wrong.

Scott
0
 
adamdrayerCommented:
I apologize, I forgot about the RPC over HTTP feature.  My mistake.

First, you'll need to create the Outlook 2003 profile on the client computer while the client computer is attached to the internal network.  You must set up Outlook while it's on the internal network before you can take it off-site.
0
 
adamdrayerCommented:
Here's what looks like a good resource:
http://www.msexchange.org/tutorials/outlookrpchttp.html
0
 
Exchange_AdminCommented:
Scott,
You probably would have been better off posting this question in the Exchange TA.
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/

Check out this link to see if it will help you any:
http://www.amset.info/exchange/rpc-http.asp

This was created by Sembee.
You may also want to post a 20 point "pointer question" in the Exchange TA directing people's attention to this question.

Hope this helps.
0
 
swalker_southendAuthor Commented:
I have looked at all 3 links and have done everything said but I still can't get it to work. I have been told that I need the client to have connected to the Exchange server on the internal network first before it will work over the internet.

Is this the case?

Scott
0
 
adamdrayerCommented:
I thought so, but from the link I posted above, is this:

Of course, there are always exceptions to the rule. The article Configuring Outlook 2003 for RPC over HTTP indicates that you should be able to use the Office Resource Kit to configure an Outlook 2003 profile that allows access to the RPC over HTTP servers without requiring RPC access to the Exchange Server. We have not tested this configuration. If you have used the ORK to configure such a profile, please let us know about your experiences on the message board at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002315.

0
 
SembeeCommented:
It is possible to configure the client off the network. How do you think the hosted Exchange providers do it? They all work exclusively with RPC over HTTPS - it was that feature that has enabled the explosion in hosted Exchange to take place.
I have a set of instructions for doing so on my web site.

First - firewall.
With RPC over HTTPS you only need ONE port open - 443. Therefore you can close the others.
SMTP etc would need to be open for support of that protocol, but for this particular feature the only port you need is 443.

Second - certificate.
While it is technically possible to deploy without an SSL certificate, I don't recommend it.
The certificate should ideally be a purchased certificate, otherwise you have to deploy the certificate to the clients first.
Therefore, browse to https://servername.domain.com/rpc (where servername.domain.com is the name on your certificate). Do you get a certificate prompt? If so, the feature will not work.
I use RapidSSL certificates on my deployments - $70/year, I have them in 30 minutes. Get one of their FreeSSL certificates to start with as a proof of concept.

Third - registry entries.
This is where most people have the problems. You have the link to my web site already, so you can check the entries are correct.

Fourth - testing.
If you have seen my web site you will note that I have some best practises. One of those is to test on LAN first, making heavy use of the /rpcdiag switch in Outlook. This may require the deployment of a split DNS system. You should be deploying one of those anyway so that users on RPC over HTTPS can come and go between the LAN and the outside world without having to worry about the Outlook configuration. I find that the detection of whether Outlook is on the LAN or the Internet is close to useless at the best of times, so it is best to configure it as if it was on the Internet at all times, and make the required changes inside your LAN where you can control them.

Only once you have it working inside do you go outside the firewall. Trying to go straight outside doesn't help as you don't know if the feature is working or whether the firewall is causing the problem.

Again in testing, take a machine that works correctly for Exchange without RPC over HTTPS and then add the RPC over HTTPS settings to the existing configuration. Don't change anything else in the config - add only, don't change.

Simon.
0
 
swalker_southendAuthor Commented:
Sembee,

Thank you for posting your comments and removing my e-mail address from the other post. I was unaware of those rules.

You mention above that I have a link to your website but if I'm not mistaken there is no link in your post unless the link is in a different post. Please can you post the address again.

You also asked me to test RPC over HTTP on the internal network. The way my network is set up I can't browse to mail.pixision.co.uk because it points to an external IP address and I can't get external requests to enter the network again.

If I'm assuming correctly, the certificate has to be 100% perfect with the correct domain name that the Exchange server is connecting to for it to work?

You mentioned above that I needed to have already installed the certificate on the client machine before RPC over HTTP will work. This I have not done. Would that also be why I can connect to the Exchange server using RPC over HTTP as it prompts me for a password but it will not let me continue because the certificate has not been accepted?

I will try everything you have told me and post if i can get it to work internally.

Thanks

Scott
0
 
SembeeCommented:
It was in Exchange_Admin's post above.

http://www.amset.info/exchange/rpc-http.asp

I have a lot of information about setting up this feature there.

To get the name to resolve internally, you need to use a split DNS system.
I have that on my web site as well... http://www.amset.info/netadmin/split-dns.asp which is also mentioned in my tips on a successful deployment.

Outlook cannot cope with the certificate prompt. The authentication fails and you are prompted for credentials.
The certificate has to match the name that you are using to access the server. However it does NOT have to match the name of the server. For example, you could have a certificate with the common name of mail.domain.com but the server is called exchange01.domain.local.
As long as the DNS resolution is correct, then it will work. I usually recommend that a generic name is used on the certificate, so that you can move the name around without it being tied to one server. If you have a two year certificate you might upgrade the server in that time and need to use a different name for the server.

Simon.
0
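The name rule from the post above, as an added example that is not part of the original thread: the certificate must cover the name the client connects to, not the server's own machine name. The dict has the shape Python's `ssl.getpeercert()` returns and is constructed sample data using the names from the post; `probe` is a hypothetical helper that maps a failed live handshake to the trust, date or name element.

```python
import socket
import ssl

# OpenSSL verify codes, grouped by the certificate-prompt element they correspond to.
PROMPT_ELEMENT = {
    18: "trust", 19: "trust", 20: "trust", 21: "trust",  # self-signed / unknown issuer
    9: "date", 10: "date",                               # not yet valid / expired
    62: "name",                                          # name does not match the host
}

# Constructed sample: certificate issued for the public name, not the machine name.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"),),
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2008 GMT",
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a leading '*.' standing for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def check_certificate(cert, host, now):
    """Return which of 'date' and 'name' this certificate fails for `host`."""
    failures = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        failures.append("date")
    if not any(name_matches(name, host) for name in cert_names(cert)):
        failures.append("name")
    return failures


def probe(host, port=443, timeout=10):
    """Live check: verified TLS handshake against the system trust store.

    Returns 'ok', or the element ('trust', 'date', 'name') that failed.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return PROMPT_ELEMENT.get(exc.verify_code, "other")


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2006 GMT")
    # Name typed into the client's HTTP proxy setting vs. the server's machine name.
    for host in ("mail.domain.com", "exchange01.domain.local"):
        print(host, check_certificate(SAMPLE_CERT, host, now) or "ok")
```
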
 
swalker_southendAuthor Commented:
Sembee,

How do I make RPC over HTTP work internally as it keeps using TCP/IP to connect?

Thanks

Scott
0
 
SembeeCommented:
If you have set Outlook to use http for both high and low speed connections (which you should) and it falls back to TCP/IP then the feature is not working correctly.

Simon.
0
 
swalker_southendAuthor Commented:
What can I now do to troubleshoot the problem because that is what's happening?

Scott
0
 
SembeeCommented:
Do you have both options set? On fast networks use.. on slow networks use...
If so, then it comes down to the usual suspects.

- certificates
- registry settings.

RPC over HTTPS either works or it doesn't - no half measures. A single semi-colon in the registry that is wrong will stop the feature from working.

I posted above how to test the certificate.
Have you checked the registry settings against what I have on my web site?

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

Got a different problem now...

I don't know how it's come about but when I go to https://mydomainname.com/rpc after entering my password I should get this page does not have read access. Now all it does is continually prompt me for my username and password which it has never done before.

Any ideas?

Scott
0
 
SembeeCommented:
That is authentication settings being incorrect.

Make sure that on the /rpc virtual directory in IIS Manager that integrated and basic authentication are enabled.

Simon.

0
 
swalker_southendAuthor Commented:
Both are ticked and still i have the problem.
0
 
SembeeCommented:
In that case you may have to remove the RPC Proxy from add/remove programs and start again. With all the fiddling around there is no way of knowing what state the settings are in.

Simon.
0
 
swalker_southendAuthor Commented:
OK...

I have removed it and re-installed it, rebooted the server and I still can no longer get to that page. It is also still prompting me to accept the certificate even though I have followed the instructions on your web site on how to trust it.

What next?
0
 
adamdrayerCommented:
I'm going to unsubscribe from this question unless there are any objections.

Apologies to the author for the confusion in the beginning, and much thanks to Sembee who is one of the best experts I've seen here.
0
 
SembeeCommented:
Make sure that you haven't got client certificates enabled on the virtual directory.
You may also have to go in to certificates in Internet Explorer and remove the certificate, so that you can import it again.

It is important that the address you are entering in to the browser matches the name on the certificate - otherwise you will get prompts.

I only use commercial certificates for this feature - I don't use home grown for anything outside of the lab.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

I'm trying everything you have suggested but nothing is working. It still prompts me for certificates and it also still won't let me have access to /rpc but will let me access /exchange.

I don't know what else to try?

Your suggestions

Scott
0
 
SembeeCommented:
When it prompts for certificates, which element is it failing on?

There are three possibles.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

It fails on, this certificate has not been provided by a trusted source or something like that. The very first one in the list.

I gave up on the problem that I was having because I think I messed about with the server a bit too much as I have blown it away. Once I get the server back up again would you recommend that the server have the same name as my internet domain name or separate?

I think I'm going to follow the instructions that you have got on your website first before I come and ask for help.

Thanks

Scott
0
 
SembeeCommented:
The server should have a different name than it is known as on the Internet. It makes it easier to distinguish where the problem is. Also means that the name can live on past the server - so if you have to replace or migrate from the server then the name can be reused.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

Not sure what I am doing wrong now. I really need help. I have followed your instructions from the beginning till the end, double checking what I have done, but I am still unable to get my client computer to connect to the Exchange server inside the network and I can't get IE6 to stop prompting me for a certificate and I am still unable to navigate to the /rpc page.

Is there any chance we can initiate a remote connection to the server so you can check my settings over?

Scott
0
 
SembeeCommented:
Stop using a home grown certificate and go and get a FreeSSL certificate from http://www.rapidssl.com/ 
See if that makes any difference.

I cannot assist outside of EE as it is against the rules... http://www.experts-exchange.com/help.jsp#hi99

Simon.
0
 
swalker_southendAuthor Commented:
I can't use a certificate from rapidssl.com because they require it be approved by a selected range of addresses. The selected range of addresses are not set up in Exchange and never will be.

What do i do now?
0
 
SembeeCommented:
Why don't you just set the address it wants up in Exchange as an alias. You are the administrator of the server, just give it what it needs.

I have been through all of this in the past - when RPC over HTTPS first came out I spent many hours trying to get it to work with a home grown certificate. I put a purchased (trial, but commercial) certificate on to same server and had it working in less than 20 minutes.

I was then able to replicate that and create the web pages that you have seen above. Since that point I have stopped using home grown certificates.

Home grown certificates have another nail in the coffin coming up real soon. Get hold of Internet Explorer 7 and put it on a new machine. See what happens when you browse to a site with an untrusted certificate - your users will know about it.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

I have managed to set up that address but I have another problem. They are asking for documents to identify my business. I don't have a business. What do I do if I can't provide them with that information?

Scott
0
 
SembeeCommented:
You will need to speak to them.
I have used RapidSSL for three years and have a certificate from them at home. They haven't asked me for any documentation, anything like that. I have had the certificate in less than 20 minutes.

Are you using your own domain name, not a subdomain of someone else's domain or your ISP's?

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

Got some really good news. It turns out that it was a home grown certificate causing the problems. I have now got a trial certificate from RapidSSL and I don't get prompted for the certificate any more when using OWA. I have got the internal client connecting using HTTPS which I was so pleased about.

My only problem now is, when I try to connect outside of the network using Outlook it prompts me for my username and password and in some cases it continually prompts and in others it just says that the Microsoft Exchange Server may not be available.

What's most likely the problem here?

This information might help you in telling me how I should be logging on...

Internal Domain Name: webhost.local
External Domain Name: myexchangeserver.co.uk

When it prompts me for my password outside the network what should I be putting 'here'\username?

Scott
0
 
SembeeCommented:
With regards to OWA, make things easy. If you are on Service Pack 2 for Exchange then enable forms based authentication.

ESM, Servers, <your server>, Protocols, HTTP. Right click on the Exchange Virtual Server and choose Properties. Click on the second tab Settings and enable the option.

When you connect to the OWA site you should now get a web page to login. Despite what it says, you can simply enter the username and password, no domain required.

When you are comfortable that OWA is working correctly, you can look at RPC over HTTPS again - following my recommendation to get it working inside first.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

I'm happy that this is working inside and outside the network.

I can get RPC over HTTPS working inside the network.

Getting it to work outside the network isn't so easy. It just continually prompts for my username and password or tells me the Exchange server is not available.

Scott
0
 
SembeeCommented:
Are you sure that it is working inside? If you use the rpcdiag switch on Outlook does it show the connections being made over https?

Is the machine that you are using a member of the domain?

You may also want to look at this MS KB article: http://support.microsoft.com/default.aspx?kbid=820281

Simon.
0
 
swalker_southendAuthor Commented:
I'm 100% sure that it is working inside my network. I used the outlook.exe /rpcdiag to test it and yes it did show that it was using it over HTTPS.

And the computer I was doing it on is not a member of the domain. The computer external to the network is also not a member of the domain but that should not make any difference.

That article does not help me...

Scott
0
 
SembeeCommented:
Ignore the symptoms.
Look at the fixes.

If the machine is constantly prompting for a username and password then the authentication is failing.
That article outlines what changes can be made to ensure the authentication works correctly.

If you browse to the /rpc directory from outside, can you authenticate and get the error message?

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

I cannot browse outside or inside the network to /rpc but I can use RPC over HTTPS inside the network. I'm simply duplicating everything I do inside the network outside the network and I don't understand why it will not let me log in.

I have tried to install all the hotfixes in the article you gave me but it is telling me that my computer already has them because I'm running Windows Service Pack 2.

Any more suggestions?

0
 
swalker_southendAuthor Commented:
Simon,

Seems I'm having the same problem as the user here http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21749130.html?qid=21749130

He managed to fix it himself but I can't fix my problem.
0
 
SembeeCommented:
Does it work on a machine that is a member of the domain?
What do you mean that you cannot browse to the /rpc virtual directory. That is what Outlook is doing, so if Outlook works, then you should be able to connect to and browse that directory?

What is your firewall? Is it a real firewall like a Cisco PIX or something on top of Windows like ISA?

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

Sorry, I made a mistake in the post that said I can't browse to the rpc directory. I can browse to that dir but with an error as expected because I do not have read rights for that dir.

At this moment in time I'm not using any firewall as I need to get this to work. I forward ports onto my server from my router.

None of my machines are members of the domain. It works inside the network. Why will it not work outside the network?

So here is the situation

INTERNAL: RPC over HTTP works fine, no problems
EXTERNAL: RPC over HTTP continually prompts for password and then says the exchange server is not available.

Scott
0
 
SembeeCommented:
In that case you have to suspect the router. It is the only thing that is different.
Can you browse to the directory from outside?

Simon.
0
 
swalker_southendAuthor Commented:
Yes,

I can browse to the directory outside the network.
0
 
swalker_southendAuthor Commented:
Simon,

Any more comments?
I still can't get RPC over HTTPS to work outside the network

Scott
0
 
swalker_southendAuthor Commented:
Simon,

Can you offer me any more support?

Maybe you could do some troubleshooting for me if I give you my test account details and you might be able to tell me what's not working.

I HAVE STILL NOT RESOLVED THIS PROBLEM. PLEASE HELP
0
 
SembeeCommented:
Assistance outside of EE is not allowed under the rules.

What else have you done to rule out the router as being the cause of the problem? If it works inside, but doesn't work outside, but you can browse to the folder and get access, then by a process of elimination you have to suspect the router, or that the ISP is filtering traffic.

Simon.
0
 
CetusMODCommented:
PAQed with no points refunded (of 125)

CetusMOD
Community Support Moderator
0
 
swalker_southendAuthor Commented:
This has not been resolved, points should not have been rewarded!
0
 
swalker_southendAuthor Commented:
No Worries,

I was abandoned by 'sembee' and was not able to complete my support. As long as no points have been rewarded it doesn't matter

Scott
0
 
SembeeCommented:
I did not abandon you.

My last post has a number of questions which you did not bother to answer.

I think an apology for accusing me of abandoning you is in order.

Simon.
0
 
swalker_southendAuthor Commented:
There is nothing wrong with my router, I have had it for ages.

Everything else works ok...

I did however try my laptop outside the network and it seemed to connect fine but if you have never been connected to the network before then it doesn't work!

Any suggestions?

Scott

P.S. Sorry for accusing you of abandoning me!
0
 
SembeeCommented:
Let me see if I have the current status correct.

1. RPC over HTTPS works if you are inside? That has been confirmed using the /rpcdiag switch?
2. RPC over HTTPS works if you are outside, and it was previously configured inside the firewall? Again, that has been confirmed with the /rpcdiag switch?
3. If you try to use a machine that has not been configured inside the LAN, then it doesn't work.

If you have had the router for ages, then there could well be an issue with it. RPC over HTTPS is a fairly new thing and some hardware may be blocking the type of traffic that it is passing through.
When a feature works in one location but not in another you have to go through a process of elimination to pinpoint the issue. If you don't, then you are attempting to resolve a problem without all the facts.

Simon.
0
 
swalker_southendAuthor Commented:
Simon,

I confirm that points 1 through 3 above are all correct.

So believing that my laptop, which had been on the LAN for ages, could access https over RPC from the WAN suggests that the router is fine.

What's the next step?

Thank you for re-opening the question.

Scott
0
 
SembeeCommented:
In theory, there should be no reason why a machine that has been on the LAN is any different than a machine off the LAN. As long as the machine can resolve the names that you are putting in to the HTTP proxy settings, it should connect.

When you are setting up the external clients, what are you putting in as the Exchange server? It should be the server's INTERNAL name, even if this cannot be resolved. However when you are setting up an external client, you then must go in to the More Settings so that you can enter the HTTP proxy information. Do not attempt to complete the wizard or choose "Check Names" as that will fail until the HTTP proxy information has been put in.

Simon.
0
