zagnutttt4 asked:

Need a COMPLETE step by step guide to enabling RPC over HTTP on the SBS2003 server and correctly connecting Outlook clients over the internet.

Hi guys..   I've been working on this for weeks, to no avail.  I've read nearly every white paper, tutorial, and website out there relating to this...   Here is my goal:

Correctly configure RPCoHTTP on the SBS2003 server and correctly connect Outlook clients via the internet.  I need a step by step, detailed tutorial from start to finish.  Here is my setup:

One single server:  SBS2003 premium edition.  2 Network cards.  External connects directly to internet.  Internal connects (obviously) to internal network.  ISA server 2000 running as the firewall (on the same server obviously.)  I can connect via POP3 from the internet, but all of my attempts at getting RPCoHTTP to work over the internet have failed.  Please help!!!  Thanks guys...

Chris Myers
Lee W, MVP

Actually... you will find a SPECIFIC how-to that is customized for YOUR SBS by going to the Remote Web Workplace main menu, (http://localhost/remote on your SBS) and clicking on the "Configure Outlook via the Internet" link.

I suggest you follow only this set of instructions... the one that is linked above is not specific to SBS.

Jeff
TechSoEasy

ASKER

Jeff..  You are correct, the previous post is not specific to SBS2003, and I have read it MANY times.  :)  The link that you mention does not exist on my Remote Web workplace...  Where can I find the exact link in IIS?  Or..  why is it not listed there?   Thanks


Chris
Rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email), and select "Enable Firewall" on the Firewall Screen, on the following screen click Next, and then on the Web Services Configuration check the Outlook via the Internet box.  Click next until finished.

Jeff
TechSoEasy
P. S.  You can't access it directly via IIS, because it's not created until you run the CEICW to enable it, just FYI... as with all things SBS, if you don't find it where it's supposed to be, you haven't configured it yet.  :-)

Jeff
TechSoEasy
Jeff, that's the thing..   Every time I run the CEICW, I never get a Web Services Configuration page.  It just goes straight from the page where you check 'enable' or 'disable' firewall, to the email settings... after that, it just runs the end part of the wizard and then finishes.  I never get the chance to pick "Outlook via the Internet".   Strange..         Thoughts??
Did you enable the firewall?
Nevermind.. I kept clicking on "keep the firewall settings the same" or whatever it says..   I'd hate to change any firewall settings until I'm back at the server tomorrow in person.  I may inadvertently cut about 50 users off from using the internet.  :)  So after I enable "Outlook via the Internet" service, what else really remains to get me to connect to the exchange server remotely using RPC over HTTP?  I've basically completed every other step.  (I think.)   Most of the articles that SAY they are geared towards SBS2003 for RPCoHTTP are actually written for multiple exchange-server scenarios, or scenarios where the ISA server is on a different machine than exchange.  Can you even enable RPC over HTTP on a single server running exchange and ISA2000 at the same time?  And if so, what am I missing?  I've created a web certificate.  Now what?  Do I have to do anything with the certificate in ISA?  Since it's on the same machine I assumed not...  What if I don't want to use SSL for my RPCoHTTP connection?   Then do I even need a certificate?  Sorry for all the questions..  Been working on this for a while..

Chris
Jeff...
I forgot to mention..  When I go into ISA and run the "Mail Server Security Wizard" to publish my mail server rules, it always tells me..  "Exchange RPC cannot work with local host mail server.  If you continue, Exchange RPC will not work for this mail server."    So..   what can I do?  Is this normal?  

Chris
dhoustonie

I am not familiar with ISA 2000 on an SBS box so I cannot be a complete answer, but rerunning the Internet connection wizard and selecting the Outlook over the Internet option should set ISA up with the correct settings.

But you asked about not using SSL. One of the options in setting up Outlook over HTTP is to select Basic Authentication; if you do not use SSL to encrypt the packets, then if someone was snooping they would see your username, password and address of server in the packets, as clear text.

David Houston
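To illustrate the point above about Basic Authentication without SSL, here is an added example (not part of the original thread) that reads a constructed RPC-over-HTTP request the way any device on the network path could. The host name, account and password are made-up sample values.

```python
import base64

# Constructed sample: the opening request of an Outlook client set to Basic
# authentication, sent to the RPC proxy over plain HTTP (no SSL).
SAMPLE_REQUEST = (
    b"RPC_IN_DATA /rpc/rpcproxy.dll?server.domain.local:6001 HTTP/1.1\r\n"
    b"Host: server.domain.com\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"DOMAIN\\chris:Example-Pass1")
    + b"\r\n\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP request into its request line and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def visible_to_observer(raw):
    """Return what is readable on the wire when the request is not encrypted."""
    _, headers = parse_headers(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    found = {"server": headers.get("host"), "scheme": scheme or None}
    if scheme.lower() == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(token).decode("latin-1")
        user, _, password = decoded.partition(":")
        found.update(user=user, password=password)
    return found


if __name__ == "__main__":
    print(visible_to_observer(SAMPLE_REQUEST))
```

With SSL in place the whole request, headers included, travels inside the encrypted channel, so none of these fields are readable in transit.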

With regards the certificate, install it on every machine you want to connect in this way.
One point, as you are running SBS 2003 Premium, you are entitled to get the Service Pack One on Media, which includes an upgrade to ISA 2004, a better product than 2000.

One other thought: are you running any service packs on the system? With service pack one there was a great improvement in reliability, and RPC over HTTP was one area that became more reliable.
Sorry, I missed commenting on the SSL thing... you really don't want to NOT use SSL since this is all configured already for you.  As you'll see in the configuration instructions there are steps to download and install the self-signed certificate, which is pretty easy to do.

In regards to all of the other questions about being on the same server, etc... ignore all of that... RPC over HTTP is already configured on your SBS... there's no need to do ANYTHING other than run the CEICW, and then follow the instructions from the link in RWW.

Those enterprise guys always make things so complicated!

Jeff
TechSoEasy
Agreed Jeff

SBS is the best practice for Small Businesses, but reversing it to the enterprise it is a worst case, and trying to get that across can be arduous.

Follow what Jeff has said and you can not go wrong.

David
Thanks guys.. I got everything working properly following your suggestions.  However, I did lose the capability to use POP3 to retrieve my email for some reason..  :)  RPCoHTTP is working well from the internet, and my certificate as well as SSL are now working properly.  Any tips on troubleshooting the POP3 service besides the obvious ones?  Thanks guys...

Chris
Did you have POP3 configured in Outlook or using the POP3 connector in Exchange?

Jeff
TechSoEasy
Oh, do you mean that you were using POP3 retrieval from the SBS?  Why would you want to continue using that?  It's really not a good idea to use it, especially since RPCoverHTTP is preconfigured and you have OWA as well.

POP3 uses a lot of resources and is a security issue as well.  Additionally, messages downloaded from the server and not retained at the server cannot be accessed elsewhere, nor are they available for access by the company should that be necessary.

Jeff
TechSoEasy
Jeff..   Yes, I meant that retrieving mail via POP3 from the SBS server was no longer functioning correctly.  I'm aware that as long as my RPCoHTTP is working correctly, there's really no need for the inferior POP3 methods, but it's still strange that it quit working correctly.  I'd like to have a backup method of retrieval, and there are several clients that really need to use the POP3 method for various reasons.  Seems strange that it quit working now..   SMTP still works fine, I can send out over SMTP fine..   but upon trying to receive using POP3, the Outlook client always reports  "the connection to the server has been interrupted".  Any ideas?

Chris
Sure... you've now added an Exchange Account to that Outlook and it's created a proxied connection to the SBS which would not be compatible with your POP3 settings to the same server.  I would suspect that POP3 still works from Outlook that is not configured with the RPCoverHTTP settings.

Jeff
TechSoEasy
Nope, actually my POP3 quit working from any client outside of the firewall.  Works fine on the internal network.  Made no changes at all in the firewall regarding POP3.  Also, my OWA quit working too for no reason all of a sudden.  (outside of the firewall.)  Prompted to install certificate, then I do so, then nothing..
Rerun your CEICW... make sure that you have the certificate name correct, and that OWA and POP3 are enabled.

http://blogs.msdn.com/sbsdocsteam/archive/2006/02/24/538808.aspx  <<<==== see why the CEICW is your friend!

Jeff
TechSoEasy
You were right..  reran the CEICW several times again and now everything is working fine again.  It seems like the certificates do get messed up sometimes however.  Sometimes the server tries to issue a different cert. to the client than the one I've created for the webserver.  Sometimes it tries to offer a cert. in the "publishing" name, even though I never created one with that name.  After that happens, it seems like I have to delete all of my created cert's on the server and on the clients, then create a new cert. on the server in the proper name again, and then re-install the correct cert. on the clients again to get everything to sync properly again.  Any thoughts on this?  

Chris
Yeah, you have it analyzed exactly as it is... that's a documented problem, which is noted in Harry Brelsford's SBS Best Practices Book (http://sbsurl.com/best).  The publishing certificate is what IIS uses internally.  You corrected it properly... the other way to do it would be to just manually assign the correct certificate in IIS.

Jeff
TechSoEasy
Now another problem has arisen.. without changing anything (once again), connection to http://server.domain.com/exchange and http://server.domain.com/remote is not working correctly again from the internet..   ISA SERVER REPORTS:

"The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the Web site home page, and then look for links to the information you want.
If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the Web site home page.
500 Internal Server Error - The target principal name is incorrect. (-2146893022)
Internet Security and Acceleration Server "

this is without changing ANY settings on the server since the point where everything was working flawlessly...

Chris
Okay... you need to realize that you had made a number of changes before we got you on the right track... or even if you didn't make them... things like this can always pop up... it's time to teach you to GOOGLE your ERRORS.

http://www.google.com/search?q=500+Internal+Server+Error+-+The+target+principal+name+is+incorrect.+%28-2146893022%29

Jeff
TechSoEasy
Hi Jeff..  I'm actually reading up on it right now..   I'll keep you updated on my progress..   I did at least get POP3 working again, also my RPCoHTTP is still working very well..   stay tuned  :)

Chris
Update..  I changed a setting in ISA to get OWA working again.  I went into my web publishing rule for OWA and disabled "Send original host header to the published server instead of the original one ".  Then I changed the "Redirect the request to this internal Web server" so that it matched the common name on the Web Server Certificate.  Seems to be working okay so far.  Can I do this for only one publishing rule, or any of them that pertain to directories in the Default Web Site?  

Chris
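The fix described in the post above works because the name ISA uses to reach the internal web server has to match a name on that server's certificate. The following is an added example, not part of the original thread and not ISA's own code, that reproduces the comparison. The certificate name list and the redirect targets other than `server.domain.com` are constructed.

```python
# 0x80090322 is the Windows SSPI error SEC_E_WRONG_PRINCIPAL,
# "The target principal name is incorrect".
SEC_E_WRONG_PRINCIPAL = 0x80090322


def hresult_from_signed(code):
    """ISA prints the error as a signed 32-bit integer; make it unsigned."""
    return code & 0xFFFFFFFF


def name_matches(cert_name, host):
    """Compare one certificate name with a host name, label by label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # A wildcard may only stand for the whole left-most label.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_redirect_target(redirect_target, cert_names):
    """Return (ok, detail) for a publishing rule's internal server name."""
    if any(name_matches(name, redirect_target) for name in cert_names):
        return True, "name matches certificate"
    return False, "SEC_E_WRONG_PRINCIPAL (%#x)" % SEC_E_WRONG_PRINCIPAL


if __name__ == "__main__":
    # The code from the error page in this thread.
    print(hex(hresult_from_signed(-2146893022)))
    # Constructed: a web server certificate issued to the public name only.
    cert_names = ["server.domain.com"]
    # Constructed redirect targets: public name, NetBIOS name, internal FQDN.
    for target in ("server.domain.com", "SBSSERVER", "sbsserver.domain.local"):
        print(target, check_redirect_target(target, cert_names))
```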
You shouldn't have to... take a look at C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\IcwdetailsXX.htm (where XX is the latest incremental number assigned when you ran the last CEICW).

This will show you exactly what was configured by it... and if something isn't getting set right you may need to now set it properly (such as /remote ).

Jeff
TechSoEasy