RPC over HTTP (ROH) Remote Connections To Internal Exchange Server Fail

Outlook 2003 client on XP (SP2) laptop configured to use RPC over HTTP (ROH) can connect to Exchange Server 2003 only when logged in to LAN network but cannot connect from Internet when off site at remote locations. (I assume Outlook's Exchange mailbox access from LAN is verification the config of ROH is correct on both the Exchange 2003 Server & the Outlook 2003 client?)

The goal here is to make Exchange 2003 mailboxes located on internal LAN available to staff from off site locations connecting through Internet.  (I read another ExEx solution saying this is possible).

I have:
1. Added STATIC command to PIX515e FW to translate a public GLOBAL IP (209.43.X.X) to the internal LOCAL IP of Exchange 2003 Server (
2. Modified ACL on outside interface of PIX to allow WWW & HTTPS traffic from any source to the GLOBAL IP of Exchange Server defined in STATIC command (209.43.X.X)
3. Modified ACL on outside interface of Cisco 1720 perimeter router to allow WWW & HTTPS traffic from any source to the GLOBAL IP of Exchange Server defined in PIX STATIC command (209.43.X.X)
4. [When off site at remote location] added entry to HOSTS file on laptop mapping Exchange Server to GLOBAL IP (209.43.X.X  cptexc2003.mydomain.org  #Exchange Server On LAN)

When Outlook 2003 is launched on laptop from off site location a Windows logon dialog box appears to authenticate the connection to Exchange (cptexc2003.mydomain.org) but it never connects.  (Doesn't this prove the http traffic is getting through the perimeter router & the PIX firewall and reaching the Exchange 2003 Server?)

Any thoughts on what I should check next or how I can troubleshoot further?  (I thought ROH was pretty straightforward?)

Who is Participating?
nitadminConnect With a Mentor Commented:
If it doesn't work from outside the LAN, then most likely it is not really running on https from within your LAN. There is a setting in OUtlook 2003, which will cause the outlook to use MAPI protocol when you are inside the LAN, even when you configure your outlook profile to use RPC over HTTPS.

I have two several questions.
1. Did you install a SSL certificate from a Public CA?
2. Did you configure your GC server?

Read this article very carefully, and pay attaention to what it says about configuring your GC server.
Most people who attempt to configure Exchange 2003 RPC over https feature fail to install a SSL certificate from a public CA and they don't even bother to configure the GC server.

Here are links to two webpages from one great website. It will tell you step by step what you need to do. Read it very carefully.
Campare the steps that it gives you and what you have done already. Follow his instructions very carefully and RPC over https will work.


Another thing, if you have single domain forest. Make all your domain controllers are GC (global catalog) servers. This is done from active directory domains and trusts.

I also want to point out to you why this sentence is in BOLD on the first webpage. Make sure you configure the registry key on your GC servers. And also use the rpccfg tool to confirm the port settings like he shows you. Read this sentence very carefully. You will fail if you do not listen to what he is saying. "Configure all your global catalogs to use specific ports for RPC over HTTP for directory services"  quote by Daniel Petri.

Hi dealvis,

If it only works on the internal network, that is usually a clear sign that it is not configured properly.

What happens when you close outlook and go: start > run > outlook /rpcdiag

Does it show it connecting as TCP/IP or HTTP?

dealvisAuthor Commented:
Thank You Very Much for responding.  Please allow me some time to attempt resolution using the info & resources you have provided.  Will post again tomorrow with results.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Before attempting any of the above, I would simply test it inside the network with the /rpcdiag switch.

Then we can figure out what the problem actually is instead of just posting every possible solution and forcing you to work through them all :)

dealvisAuthor Commented:
Problem resolved.  RPC over HTTP successfully providing remote access (through perimeter router & PIX515e Firewall) to Exchange 2003 mailboxes located on internal LAN.  (Single Exchange server installation, no Front End Exchange server).

Wow.  I am blessed today to have had this help.  Exchange has been one of the most challenging aspects of this project and to be pointed to the exact information in such an excellent format as Daniel Petri provides on his web site has made my week.  I can't say Thank You enough NIT ADMIN!

Specifically my configuration gap was precisely what NIT ADMIN questioned me about above, that being failing to install a SSL certificate from a Public CA and not configuring our GC server as necessary for RPC over HTTP to work.  Anyone needing information on RPC over HTTP like I did MUST check out  http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

Thanks Experts!
Thank you for complement.

RPC over HTTPS Expert !
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.