Solved

Problems configuring Outlook - Exchange for Wan & Lan at same time

Posted on 2006-06-10
Last Modified: 2008-02-01
Hi all,

I have problems trying to configure Outlook for WAN & LAN at the same time.

I have these things running OK:
- W2003 Server
- Exchange 2003 Enterprise SP2 (using the third-party POP3 connector "Popcon" while we are implementing the mail server).
- RPC over HTTPS configured OK with our own certificate (I can connect to OWA from outside my office via https://84.59.13.xxx/exchange OK; I have ports 443 and 80 opened to 192.168.0.1).
- RPC over HTTP Proxy Windows component installed (following this tutorial http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html).
- Router is resolving my DHCP dynamic IPs, not my server.
- No domain name links to my server.

If I am at the office I can connect to my server, configuring Outlook to server.mydomain without problems. But if I am out of the office and try to configure Outlook with 84.59.13.xxx, it fails at the first step when Outlook is checking the AD user name. Then I can't go to the next step.

I think maybe I need to create some hosts in my DNS? Must it be valid if I try to connect to the 84.59.13.xxx IP from my office and from outside? I am not sure how or what is wrong. I have followed several questions here and external links but I can't find what is wrong for me.

Thank you very much for your suggestions!

Question by:isaacmateo
22 Comments

Expert Comment

by:Sembee
ID: 16877359
When you are configuring RPC over HTTPS the key thing is to ADD the entries, not change them.
With LAN clients, what I suggest is that you configure the client as normal. Once you are sure it works, add the RPC over HTTPS settings to the client - without changing anything.

With external clients, you must put in the internal Exchange server address in to the Exchange server box, then click on More Settings and add in the RPC over HTTPS settings. Only then can you click Check Names.
It is a common misconception that you have to change the Exchange server address.

However, are you sure that the feature is working correctly? Outlook will fall back to a LAN connection if the HTTPS fails. You need to use the RPCDIAG switch to check if it is working.
Close Outlook completely, then click Start, Run and type

outlook.exe /rpcdiag

That will show you whether the feature is working correctly.

Simon.

Author Comment

by:isaacmateo
ID: 16878487
Sembee, Thank you for your reply.

I have just configured my Outlook with the LAN IP address, IP name: 192.168.0.1, and it checked the name OK. I have configured RPC over HTTPS to 192.168.0.1 too and tried outlook.exe /rpcdiag... I can see that I am connecting only using TCP/IP, no HTTPS connection...

But HTTPS is working because I can access OWA with Internet Explorer like https://192.168.0.1/exchange. So is my HTTPS not working well?

Thank you

Expert Comment

by:Sembee
ID: 16879113
You can't use an IP address with an SSL certificate. You must be getting a warning when you browse to OWA.
Furthermore, the SSL certificate address that you have entered will not work on the Internet as the address cannot be resolved.
As rpcdiag is not showing HTTPS then the feature is not working.

Your best options are...

1. Establish what the Exchange server is known as on the Internet - if you already have MX records pointing to the Exchange server then you can use the same name. mail.domain.com for example.

2. Remove the existing self signed SSL certificate from the server and get a free trial certificate from RapidSSL. Their certificates are only US$69 per year and work very well for this feature.

3. Configure split DNS on your network so that the external name of the Exchange server (mail.domain.com using the same example as above) works internally as well as externally. When you ping mail.domain.com you get a response from the internal IP address of the Exchange server.

4. Then review the registry entries for RPC over HTTPS and ensure that they are correct for the names of your server.

All of the above is covered on my web site at http://www.amset.info/exchange/rpc-http.asp

I stress again - you cannot use this feature using IP addresses, it must be host names. The names used must also resolve on the Internet, as well as internally.

Simon.

Author Comment

by:isaacmateo
ID: 16880601
Hi again

1 - I can assure you that my SSL certificate works on the Internet, https://84.59.13.xxx/exchange... The browser asks me about this, I accept, and I can access OWA perfectly. But I think the rest is not working. I have just set up a mail.mycompany.com DNS (A) entry pointing to my static IP 84.59.13.xxx. Why do you think it is working well via browser and not via Outlook?

2 - I will buy one. I have read here in some posts and on your website (congrats, it is very complete!) that this is strongly recommended.

3 - This is the very difficult point for me..., because I am a bit confused about it.. I have just configured mail.mydomain.com (FORWARD ZONE) in my DNS admin and then I can't access our externally hosted website from my LAN: mydomain.com is not found, and with www. the same... I have deleted it but I still cannot access our web from my LAN; I suppose I must wait some minutes for refreshing. I tried to connect from my mobile phone and I connect well via www. or mydomain.com. I do not understand the split-zone DNS tutorial from your site at all :(

4 - I think my RPC is not working at all. I browsed to http://84.59.13.xxx/rpc and it asks me for credentials, but it asks me for a secure channel and does not accept my credentials.

I think I must restart and begin all this from zero again. I really don't know where to start... Any suggestions again? I think I am more lost than with my first question... Thanks again!

Expert Comment

by:Sembee
ID: 16881067
If you are getting a prompt for a certificate - then RPC over HTTPS will NOT work. The system cannot handle certificate prompts.

Furthermore you cannot have an SSL certificate on an IP address, so stop trying to make it work that way. SSL certificates ONLY work on host names. Any tests carried out on an IP address will not work. Any tests from inside your firewall using external IP addresses will also fail, as your firewall will not allow the connection.

When you are setting up the split DNS, you have to put in both internal and external IP address information.
Therefore if your web site is hosted externally, then you have to put that information in to the DNS zone as well. If you don't, then you will be unable to connect to the external resources because the DNS lookup fails.

Simon.

Author Comment

by:isaacmateo
ID: 16884539
Hi again and thank you for trying to help me.

I have bought a new RapidSSL certificate and installed it OK (phone and email confirmed). I have checked from the Internet ("mail.mydomain.com") and it works and I can access OWA. As I explained, I created a DNS name at my hosting, mail., that points to 84.59.... one day ago, and I think it's propagated enough around the Internet, because if I try "mail.mydomain.com" I get to my "must be secure channel" web root screen.

Then the next things I must work on are setting up the DNS split zone correctly (for Outlook resolving mail.mydomain.com in and out of the office) and setting up RPC over HTTPS correctly.

About the second one, I set up Outlook to connect via HTTPS to mail.mydomain.com but it prompts me for user and password identification. Of course, if I test outlook /rpcdiag it shows me a lot of TCP/IP connections. So I suppose that my second problem is due to the first one (DNS zones) not being solved. (Anyway I have uninstalled and re-installed again and I have followed your tutorials http://www.amset.info/exchange/rpc-http-problems.asp and the common problems http://support.microsoft.com/default.aspx?kbid=820281, http://support.microsoft.com/default.aspx?kbid=886205.)

I know that it must be a domain name, even for checking this internally. Sorry, but I am a bit worried about denying domain.com access to our website from our office if I do something wrong like yesterday. Yesterday was a weekend day and I would like to do these things with care because I am not very good with this... So I must set up my DNS split zones first, mustn't I?

Thank you for your patience

Author Comment

by:isaacmateo
ID: 16887323
Hi again,

I have the split DNS zones configured already! If I am on my LAN and try to go to mail.mydomain.com I am redirected to 192.168.0.1 and I see the "must be secure channel" message. If I am on the WAN and try to go to mail.mydomain.com I am redirected to the "must be secure channel" root. So I understand that it works (this part).

But the second problem, about "RPC over HTTPS", I can't get it :( I have followed the tutorials on how to set up RPC over HTTPS several times and I have configured Outlook like some tutorials, forcing it to connect via "mail.mydomain.com", but it asks me for the AD user name and password... (on WAN and LAN). If I try outlook /rpcdiag I can see a lot of TCP/IP connections, so it doesn't work...

My new RapidSSL certificate is running well, as I can log in to OWA via LAN and WAN without accepting any prompt (but the site is secured).

So, friends, I don't know where to investigate; I am very confused about this difficult matter. I don't really understand why RPC doesn't work at all. Could you help me?

Thanks!

Expert Comment

by:Sembee
ID: 16889874
If you are getting TCP/IP connections then the system isn't working.

Take a step back.

If you browse to https://servername.domain.com/rpc (where servername.domain.com is the name on your certificate)
Do you
a. Get any certificate warnings?
b. Get an authentication prompt?

If you get the authentication prompt, it should fail on you, no matter what you put in. That is fine.

Next.
Registry entries.
What have you configured for the registry entries? Did you follow my guidelines or one of the others? Have you configured the registry entries at all?

I am of course presuming here that you meet the requirements for RPC over HTTPS - Exchange 2003 on Windows 2003 as part of at least a Windows 2003 mixed domain with at least one Windows 2003 GC/DC.

Simon.

Author Comment

by:isaacmateo
ID: 16893053
Hi Simon,

Yes, we have a 2003 server with 1 DC and Exchange 2003 Enterprise SP2 running well (I can access via OWA and Outlook via TCP/IP).

If I browse to https://mail.mydomain.com/rpc I get prompted for authentication only (no certificate warning). But it fails like you said.

Next step. I have followed your http://www.amset.info/exchange/rpc-http-server.asp tutorial step by step, including adding the ValidPorts as Single Server Configuration, modified with my own server name, domain, etc... These values were not in the registry, only the first one (server:100-5000); I added the rest ... server:6001-6002;server:6004;server.domain.local:6001-6002;server.domain.local:6004;mail.external.com:6001-6002;mail.external.com:6004;). That's OK, I have rebooted the server.

I have also configured my Outlook 2003 (http://www.amset.info/exchange/rpc-http-client.asp) step by step, closed the configuration screen... and run outlook.exe /rpcdiag, and two things:
a) Mutually authenticate doesn't work (I put the same as in "Use this URL proxy...": mail.mydomain.com). It can't access my personal store, asks again and again for my user and password, and does not accept it. So I have checked all options except "mutually authenticate". But it still connects under TCP/IP only.
b) The authentication method (Basic or NTLM) does not matter, because I can connect to my personal store using either method. But it connects under TCP/IP only.

What do you think I must check? I hope we are very close to getting it! :)

Thank you again!

Accepted Solution

by:Sembee (earned 500 total points)
ID: 16893694
The mutually authenticate is key. Microsoft make it look like these settings are optional, but they aren't.

You need to enable all the options, make sure that the address is in the format of msstd:servername.domain.com (where servername.domain.com is the EXTERNAL name of the server and matches what is in the URL box above and on the SSL certificate).

Without that option set, then the RPC over HTTPS feature isn't being used.

Is the machine that you are using a member of the domain? If so, you shouldn't be getting authentication prompts.
What are the authentication settings on the /rpc virtual server in IIS Manager? They should be basic and integrated only, with anonymous disabled.

Simon.
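A small checker for the two things Simon keeps coming back to: the ValidPorts registry value quoted in the previous comment (every name the server is reached by must allow the Exchange 2003 back-end ports 6001, 6002 and 6004) and the rule in this answer that the proxy URL host, the msstd: principal and the certificate name must all be the same external host name with both SSL boxes ticked. This is an added example, not code from the thread or from amset.info; the host names used in it are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Set

# Exchange 2003 back-end ports the RPC proxy must forward for every name the
# server is known by: 6001 (store), 6002 (DS referral), 6004 (DS proxy/NSPI).
REQUIRED_PORTS: Set[int] = {6001, 6002, 6004}

_ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")


def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Parse the RpcProxy ValidPorts string "host:6001-6002;host:6004;..." into
    {host (lower-case): allowed ports}. Trailing ';' is tolerated; else ValueError."""
    allowed: Dict[str, Set[int]] = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        host, lo = m.group(1).lower(), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if lo > hi:
            raise ValueError(f"inverted port range: {entry!r}")
        allowed.setdefault(host, set()).update(range(lo, hi + 1))
    return allowed


def missing_valid_ports(value: str, names: Iterable[str]) -> Dict[str, Set[int]]:
    """For each name Outlook may use (NetBIOS, internal FQDN, external FQDN),
    return the required ports ValidPorts does not allow; empty dict means OK."""
    allowed = parse_valid_ports(value)
    gaps: Dict[str, Set[int]] = {}
    for name in names:
        gap = REQUIRED_PORTS - allowed.get(name.lower(), set())
        if gap:
            gaps[name.lower()] = gap
    return gaps


def proxy_settings_problems(proxy_url: str, principal: str, cert_cn: str,
                            ssl_only: bool, mutual_auth: bool) -> List[str]:
    """Check Outlook's Exchange Proxy Settings as the accepted answer describes:
    URL host, msstd: principal and certificate CN must be one host name (no IP)."""
    problems: List[str] = []
    host = re.sub(r"^[a-z]+://", "", proxy_url.lower()).split("/")[0]
    if not proxy_url.lower().startswith("https://"):
        problems.append("proxy URL must start with https://")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        problems.append("proxy URL is an IP address; the certificate needs a host name")
    if not principal.lower().startswith("msstd:"):
        problems.append("principal name must be in the form msstd:host")
    elif principal[6:].lower() != host:
        problems.append("msstd: name does not match the proxy URL host")
    if cert_cn.lower() != host:
        problems.append("certificate CN does not match the proxy URL host")
    if not ssl_only:
        problems.append("'Connect using SSL only' is not enabled")
    if not mutual_auth:
        problems.append("'Mutually authenticate the session' is not enabled")
    return problems
```

Run `missing_valid_ports` on the exact string you pasted into the registry and `proxy_settings_problems` on what the Outlook dialog shows; a non-empty result is the kind of mismatch that leaves rpcdiag showing only TCP/IP.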

Author Comment

by:isaacmateo
ID: 16894238
Hi,

At the first Outlook configuration screen I put MAIL.mydomain.com and I press "Check Names". It does it perfectly and it changes to SERVER.mydomain underlined (like my user name).

-> More Settings: General tab, the same... Security tab, none checked and NTLM and Kerberos as method; Connection tab, connect via LAN, and Connect using HTTP checked -> Settings:

https://[ MAIL.mydomain.com ]
[v] Connect using SSL only
[v] Mutually authenticate msstd:MAIL.mydomain.com
[v] Fast networks
[v] Slow networks
NTLM Authentication

I must say that MAIL.mydomain.com is the name of the external resource that points to my IP, and in my DNS forward zone that name points to the 192.168.0.1 server IP address... So if I browse https://MAIL.mydomain.com from LAN or WAN I am going to the same place ("It must be secure channel")... This is also the same domain name, MAIL.mydomain.com, related to the SSL certificate I purchased 2 days ago.

I tried my test from the same server, from another computer logged in as an AD member, and from another computer that is not an AD member. All connect using TCP/IP.

In IIS Manager I have two services:
/Rpc settings: Basic only authentication / default domain: mydomain
/RpcWithCert settings: Basic only / default domain: mydomain
I have stopped IIS Manager and Exchange... and restarted all services again (server not rebooted).

I made these changes (RPC) and Outlook shows me a prompt for user name and password that it does not accept... unless I set authentication back to Basic in the Connection tab / Exchange proxy settings. Then it accepts my user name and connects to my store (TCP/IP).

What do you think, Simon? I don't understand why it does not accept my user/pass if I have "mutually authen..." checked.

Thank you again,


Expert Comment

by:Sembee
ID: 16896944
Change the /rpc authentication to include integrated AND basic authentication.
When you make changes to the IIS configuration, the command that you need to run is

iisreset

Nothing else - you don't need to restart Exchange.

Simon.

Author Comment

by:isaacmateo
ID: 16897672
Sorry Simon, I did not read your past post correctly. I have changed /rpc and /RpcWithCert to include integrated AND basic authentication and stopped / restarted the server (I can't find the issreset command you told me about).

IT WORKS! (at least in one case)

Here my tests:

1 - If I try from the WAN (non-AD member) it asks me for user / password, it accepts, but it turns very slow and it seems that it does not connect at all with the RPC service... but finally it connects (3 minutes or more) and it is very slow, but I can see a lot of HTTPS connections... It is very slow but finally it connects...

2 - If I try from the WAN (non-AD member) + VPN tunnel it asks me for user / password but it connects very fast under TCP/IP.

3 - If I try from the LAN I get the same failure: it asks me for user / password and it accepts it, but it connects via TCP/IP.

4 - If I try from the WAN via browser, OWA access at https//MAIL.mydomain.com works perfectly :( (very fast)

I don't know why it is so slow and unstable. Anything to improve?

Cheers,
Isaac

PS. In fact I have stopped and restarted IIS because I can't find the issreset command.

Expert Comment

by:Sembee
ID: 16907696
There is no iisreset command to press; it is a command prompt command.

And it is I I S R E S E T, not issreset as you typed.

Have you got Outlook configured to use HTTPS for both fast and slow connections?

Simon.

Author Comment

by:isaacmateo
ID: 16918871
Hi again,

OK, it's issreset and it works :)

Yes, I have both options selected (fast and slow). If I connect via WAN I connect through HTTPS (very slow to connect but it works), and if I try via LAN I connect through TCP/IP.

Thanks

Expert Comment

by:Sembee
ID: 16923756
Have you got your network setup so that the name on the SSL certificate works inside as well as outside?

Simon.

Author Comment

by:isaacmateo
ID: 16929638
Hi,

If I browse https://MAIL.mydomain.com from LAN or WAN I am going to the same place ("It must be secure channel")... I have a split zone created OK. I also must create "control", "ftp", "www", "stats" (A) host records to allow my LAN people access to our externally hosted web.

Author Comment

by:isaacmateo
ID: 16985448
Sorry all, I have been away for a week for work...

I still have the same problem. If I connect via WAN I get HTTPS messages OK. But if I connect via LAN I connect via TCP/IP... I have both slow and fast options selected.

Thanks!

Expert Comment

by:Sembee
ID: 16996277
I haven't seen that before.
This feature either works or doesn't. With both options enabled it usually falls over totally if the HTTPS doesn't work.

Simon.

Author Comment

by:isaacmateo
ID: 17000155
Hi Simon,
I can confirm this again. I have tried again with another, different laptop connecting to the Internet using a mobile 3G UMTS connection. It connects under HTTPS (after a long 45-60 seconds it connects). It is using a 386 Kbytes/sec connection. It finally connects and I can see a lot of HTTPS connections... (I can navigate in Outlook very well)

Then I plug this laptop into our LAN network connection and I try it: it connects using TCP/IP.

In fact my problem is solved because I can connect via HTTPS from out of my office (WAN), but I would prefer it via LAN too for security reasons...

What do you think?

Expert Comment

by:Sembee
ID: 17001242
It should work on HTTPS internally as well. I deploy it that way as well.
It doesn't do anything for security - the connection over TCP/IP is encrypted as well. The reason I deploy it so that it works on https in both configurations is that with both slow and fast options enabled Outlook will try to use HTTPS and then fail.

As I posted above - I haven't seen Outlook make a TCP/IP connection when both connections are set to https.

Simon.

Author Comment

by:isaacmateo
ID: 17007815
I appreciate your effort in trying to help me a lot... Anyway I am still connecting via TCP on the LAN, but HTTPS for the WAN... If anyone knows about it, it would be very good to hear your ideas.

Thank you all