?
Solved

Cannot connect to user mailbox using RPC over HTTPS

Posted on 2006-10-29
5
Medium Priority
?
253 Views
Last Modified: 2010-03-06
Hi; in our organization we have 3 Exchange Servers BE1, BE2 & BE3 in 3 different locations A, B & C respectively, all of these locations are interconnected to each other through WAN links, also we have 1 Exchange Server RE1 acting as an RPC over HTTPS server in location A placed inside a DMZ, this server has a public IP Address & is accesible over the internet. We can connect from the server RE1 to all of the BE1, BE2 & BE3 server over http & https.

Now when we configure a client computer to connect through the internet to the RE1 server over the internet for email access, it works only for the users having mailboxes hosted on the BE1 exchange server, but when we configure RPC over HTTPS for a user who is having his mailbox on BE2 or BE3 server, it gives an error that the Exchange Server is not available.

ANY HELP .....?
0
Comment
Question by:hanisaif
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17829214
Almost certainly the problem is having the frontend server in the DMZ. Frontend servers do not belong in the DMZ. You should not have any firewalls between the Exchange servers. I would suggest that you move the frontend server on the production domain where it belongs.

If you don't want to expose the Exchange servers to the internet, deploy an ISA server.

This is not a problem with Exchange, but a problem with the topology of a DMZ and firewalls. When you are opening a port on a firewall you should be restricting that port to either an IP address or a subnet. If the servers are on different subnets then you cannot restrict that port down in that way. Therefore it can only communicate with one of the Exchange servers.
Bring the server inside and the only port that you need to open is 443.

Simon.
0
 

Author Comment

by:hanisaif
ID: 17905493
How about if we have the IP communication opened for these other subnets over the firewall. Would that help; only IP not TCP not UDP & by doing this what are the things that we are putting to risk.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 17908073
Whatever you do will be a fudge.
Exchange is not designed to be separated from users or other Exchange servers by a firewall. Once you accept that fact and design the site accordingly, your life will be much easier.
Whatever you consider the "benefits" of having an Exchange server in the DMZ, they will not be providing those benefits that you think they are. I have had many security consultants come to me and tell me to put the Exchange server in the DMZ, but when I ask them why, they cannot come up with a good reason to do so.
I blogged on why it was a bad idea here: http://www.sembee.co.uk/archive/2006/02/23/Exchange-in-a-DMZ.aspx

You are going to go round in circles until one of two things happen...

1. You bring the Exchange servers inside the firewall.
2. You have the firewall open so much that it is effectively useless.

Simon.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question