Cannot connect to user mailbox using RPC over HTTPS

Asked by hanisaif
Medium Priority
278 Views
Last Modified: 2010-03-06
Hi; in our organization we have 3 Exchange Servers, BE1, BE2 & BE3, in 3 different locations, A, B & C respectively. All of these locations are interconnected through WAN links. We also have 1 Exchange Server, RE1, acting as an RPC over HTTPS server in location A, placed inside a DMZ; this server has a public IP address & is accessible over the internet. We can connect from the server RE1 to all of the BE1, BE2 & BE3 servers over HTTP & HTTPS.

Now when we configure a client computer to connect through the internet to the RE1 server for email access, it works only for the users whose mailboxes are hosted on the BE1 Exchange server, but when we configure RPC over HTTPS for a user whose mailbox is on the BE2 or BE3 server, it gives an error that the Exchange Server is not available.

ANY HELP .....?

Expert of the Year 2007
Expert of the Year 2006

Commented:
Almost certainly the problem is having the frontend server in the DMZ. Frontend servers do not belong in the DMZ. You should not have any firewalls between the Exchange servers. I would suggest that you move the frontend server on the production domain where it belongs.

If you don't want to expose the Exchange servers to the internet, deploy an ISA server.

This is not a problem with Exchange, but a problem with the topology of a DMZ and firewalls. When you are opening a port on a firewall you should be restricting that port to either an IP address or a subnet. If the servers are on different subnets then you cannot restrict that port down in that way. Therefore it can only communicate with one of the Exchange servers.
Bring the server inside and the only port that you need to open is 443.

Simon.

Author

Commented:
How about if we have IP communication opened for these other subnets over the firewall? Would that help (only IP, not TCP or UDP), and by doing this, what are the things that we are putting at risk?
Expert of the Year 2007
Expert of the Year 2006
Commented:
Whatever you do will be a fudge.
Exchange is not designed to be separated from users or other Exchange servers by a firewall. Once you accept that fact and design the site accordingly, your life will be much easier.
Whatever you consider the "benefits" of having an Exchange server in the DMZ, they will not be providing those benefits that you think they are. I have had many security consultants come to me and tell me to put the Exchange server in the DMZ, but when I ask them why, they cannot come up with a good reason to do so.
I blogged on why it was a bad idea here: http://www.sembee.co.uk/archive/2006/02/23/Exchange-in-a-DMZ.aspx

You are going to go round in circles until one of two things happens...

1. You bring the Exchange servers inside the firewall.
2. You have the firewall open so much that it is effectively useless.

Simon.
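The reasoning in Simon's two replies (a rule opened for one IP or subnet covers only the back-end on that subnet, and widening it to "all IP" only works by permitting everything) can be checked mechanically against a rule set. The following Python script is an added example, not code from the thread or from Experts Exchange; the server addresses, subnets and rule names are constructed for illustration and the rule model (destination scope, protocol, port) is a simplification of a real firewall policy.

```python
"""Audit which back-end Exchange servers a DMZ front-end can reach under a rule set."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample topology, not taken from the thread: one mailbox server per
# site, each site on its own subnet, reached from the DMZ front-end over the WAN.
BACKENDS: Dict[str, str] = {
    "BE1": "10.1.0.10",   # site A
    "BE2": "10.2.0.10",   # site B
    "BE3": "10.3.0.10",   # site C
}


@dataclass(frozen=True)
class Rule:
    """One allow rule on the firewall between the DMZ and the internal network."""
    name: str
    dst: str              # destination host or CIDR the rule is scoped to
    proto: str            # "tcp", "udp", or "ip" (any protocol)
    port: Optional[int]   # None = every port; only meaningful for tcp/udp


def reachable_backends(rules: List[Rule]) -> Dict[str, List[str]]:
    """For each back-end server, list the rules whose destination scope covers it."""
    reach: Dict[str, List[str]] = {name: [] for name in BACKENDS}
    for rule in rules:
        net = ipaddress.ip_network(rule.dst, strict=False)
        for name, addr in BACKENDS.items():
            if ipaddress.ip_address(addr) in net:
                reach[name].append(rule.name)
    return reach


def unreachable_backends(rules: List[Rule]) -> List[str]:
    """Servers no rule covers: users with mailboxes there get 'server not available'."""
    return [name for name, hits in reachable_backends(rules).items() if not hits]


def overbroad_rules(rules: List[Rule]) -> List[str]:
    """Rules that allow every protocol or every port, i.e. the 'open IP' shortcut."""
    return [r.name for r in rules if r.proto == "ip" or r.port is None]


# Scenario 1: the rule is scoped to site A's subnet and a single port, which is
# how a firewall rule should be written. Only BE1 is covered, which reproduces
# the symptom in the question (BE2/BE3 mailboxes fail).
SCOPED_RULES = [Rule("FE-to-siteA-443", "10.1.0.0/24", "tcp", 443)]

# Scenario 2: the proposed workaround, all IP traffic to every internal subnet.
# Every back-end becomes reachable, at the cost of a rule that permits anything.
IP_ANY_RULES = [Rule("FE-to-internal-any-ip", "10.0.0.0/8", "ip", None)]

if __name__ == "__main__":
    for label, rules in (("scoped", SCOPED_RULES), ("ip-any", IP_ANY_RULES)):
        print(label, "reachable:", reachable_backends(rules))
        print(label, "unreachable:", unreachable_backends(rules))
        print(label, "over-broad rules:", overbroad_rules(rules))
```

Run it as-is and the scoped rule set reports BE2 and BE3 as unreachable, while the any-IP rule set reaches all three servers but is flagged as over-broad, which is the trade-off the reply describes: the rule that makes every mailbox work is the rule that makes the firewall effectively useless. Moving the front-end inside, so only 443 from the internet needs opening, removes the need for either rule.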
