  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 264
Cannot connect to user mailbox using RPC over HTTPS

Hi, in our organization we have 3 Exchange Servers BE1, BE2 & BE3 in 3 different locations A, B & C respectively. All of these locations are interconnected to each other through WAN links. We also have 1 Exchange Server RE1 acting as an RPC over HTTPS server in location A, placed inside a DMZ; this server has a public IP address & is accessible over the internet. We can connect from the server RE1 to all of the BE1, BE2 & BE3 servers over HTTP & HTTPS.

Now when we configure a client computer to connect through the internet to the RE1 server for email access, it works only for the users having mailboxes hosted on the BE1 Exchange server, but when we configure RPC over HTTPS for a user whose mailbox is on the BE2 or BE3 server, it gives an error that the Exchange Server is not available.

ANY HELP .....?
Asked by: hanisaif
1 Solution
 
Sembee commented:
Almost certainly the problem is having the frontend server in the DMZ. Frontend servers do not belong in the DMZ. You should not have any firewalls between the Exchange servers. I would suggest that you move the frontend server to the production domain where it belongs.

If you don't want to expose the Exchange servers to the internet, deploy an ISA server.

This is not a problem with Exchange, but a problem with the topology of a DMZ and firewalls. When you are opening a port on a firewall you should be restricting that port to either an IP address or a subnet. If the servers are on different subnets then you cannot restrict that port down in that way. Therefore it can only communicate with one of the Exchange servers.
Bring the server inside and the only port that you need to open is 443.

Simon.

hanisaif (Author) commented:
How about if we have IP communication opened for these other subnets over the firewall? Would that help (only IP, not TCP, not UDP)? And by doing this, what are the things that we are putting at risk?

Sembee commented:
Whatever you do will be a fudge.
Exchange is not designed to be separated from users or other Exchange servers by a firewall. Once you accept that fact and design the site accordingly, your life will be much easier.
Whatever you consider the "benefits" of having an Exchange server in the DMZ, it will not be providing the benefits that you think it is. I have had many security consultants come to me and tell me to put the Exchange server in the DMZ, but when I ask them why, they cannot come up with a good reason to do so.
I blogged on why it was a bad idea here: http://www.sembee.co.uk/archive/2006/02/23/Exchange-in-a-DMZ.aspx

You are going to go round in circles until one of two things happen...

1. You bring the Exchange servers inside the firewall.
2. You have the firewall open so much that it is effectively useless.

Simon.
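To make the firewall point in the two answers above concrete, here is a small added model (example code, not from the thread or from any Exchange tooling) of the rule set described: the DMZ frontend can only be allowed through to one backend subnet per tightly scoped rule, so reaching BE2 and BE3 as well means widening the hole until it covers every internal subnet. All addresses, subnets and rule values are constructed for the example; the hole-size measure is a simple illustrative count, not a standard metric.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology mirroring the question: frontend RE1 in the DMZ and
# three backends on three separate site subnets (addresses are made up).
HOSTS = {
    "RE1": ipaddress.ip_address("192.0.2.10"),  # frontend in DMZ
    "BE1": ipaddress.ip_address("10.1.0.5"),    # location A
    "BE2": ipaddress.ip_address("10.2.0.5"),    # location B
    "BE3": ipaddress.ip_address("10.3.0.5"),    # location C
}

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int  # 0 means any TCP port

def net(cidr):
    return ipaddress.ip_network(cidr)

def allowed(rules, src, dst, port):
    """Default deny: traffic passes only if some allow rule matches it."""
    return any(src in r.src and dst in r.dst and r.port in (0, port) for r in rules)

def reachable_backends(rules, port):
    """Backends the DMZ frontend can reach on the given port under these rules."""
    return sorted(n for n in ("BE1", "BE2", "BE3")
                  if allowed(rules, HOSTS["RE1"], HOSTS[n], port))

def hole_size(rules):
    """Illustrative openness measure: destination addresses the rules admit."""
    return sum(r.dst.num_addresses for r in rules)

# The properly scoped rule from the answer: one port, one destination subnet.
# It admits the location A subnet only, so only BE1's mailboxes work.
TIGHT = [Rule(net("192.0.2.10/32"), net("10.1.0.0/16"), 135)]

# What it takes to make BE2 and BE3 work from the DMZ: a rule for every
# backend subnet and every RPC port, i.e. the "effectively useless" firewall.
WIDE = [Rule(net("192.0.2.10/32"), net("10.0.0.0/8"), 0)]

# The recommended design: frontend moved inside (constructed address), and the
# only hole in the perimeter is inbound TCP 443 to that one host.
INSIDE_RE1 = ipaddress.ip_address("10.1.0.10")
INSIDE = [Rule(net("0.0.0.0/0"), net("10.1.0.10/32"), 443)]

def internet_exposure(rules):
    """(destination, port) pairs the perimeter rules expose to any source."""
    return sorted((str(r.dst), r.port) for r in rules if r.src == net("0.0.0.0/0"))
```

Running the three rule sets side by side shows the trade-off the answer describes: the scoped DMZ rule serves BE1 alone, the wide rule serves all three at the cost of admitting the whole internal range, and the inside design exposes exactly one host on one port.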