technolutions asked:

Having trouble setting up Exchange RPC over HTTPS

Hi All

I'm having some difficulty getting RPC over HTTPS working on my server. We have SBS 2003 Premium installed. SSL is set up and configured on the server. I used the following URL in setting up the procedure: http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

I've done all the steps explained in the document. Internally (local network), when I run the following command, outlook /rpcdiag, I'm successful and I can connect to the RPC server.

I think my problem lies with the ISA (2004) side of the configuration. I did the following:

1: Export a Web server certificate from the IIS-based computer that hosts the RPC proxy site
2: On the ISA Server 2004-based computer, import the Web server certificate from the IIS-based computer that hosts the RPC proxy site, and then install the certificate
3: Create a new Web publishing rule on the ISA Server 2004-based computer.

Hope this is enough info.

Regards,

Johan

redseatechnologies

Hi technolutions,

> When I run the following command, outlook /rpcdiag, I'm successful and I can connect to the RPC server.

What does it say? Are you connecting with TCP/IP or HTTPS?

From a machine having problems from inside the LAN, browse to https://server.domain.com/rpc - does it pop up with a certificate question?

Hope that helps,

-red

ASKER

I'm connecting with TCP/IP. When I run the above URL I get the certificate pop-up and the Basic logon box appears.

Ding!

That is your problem.

TCP/IP means that it is NOT working.

That certificate pop-up is WHY it isn't working.

You should buy a certificate for the server, but if you do not want to do that (which is fine), you need to install the certificate.

These are poor instructions, but they will do the job -> http://support.globalsign.net/en/serversign/IIS.cfm

Click the "view certificate" button on that certificate pop-up, and then install the certificate to the "physical store" "trusted root certificate authority/local computer" (it is the first set of photos).

-red

OK, now I don't understand!!

I did import the certificate on both the DC and the local computer (client). Surely if I test this internally it should connect via TCP/IP??

ASKER CERTIFIED SOLUTION
redseatechnologies

This solution is only available to members.

The actual instructions for this are located in your Remote Web Workplace Main Menu by clicking on the link, "Configure Outlook via the Internet".

You should use these specific instructions because they are dynamically created for your specific server's configuration.

You shouldn't have done any of the steps you listed above, because with SBS, RPC over HTTPS is configured automatically by the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email), which also makes the necessary changes in ISA.

A visual how-to is here: http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select. Be sure to check those out as well.

Jeff
TechSoEasy

Hi Jeff

I can't use Windows Firewall because I have ISA 2004 installed and we have a Netgear router on the outside that forwards requests to the internal server/DMZ, which is ISA.

Who said anything about you using the Windows Firewall?

Jeff
TechSoEasy

In that article you gave me it shows to enable the firewall. I don't want to use the Wizard. Surely it's possible doing it without the wizard?

>> Surely it's possible doing it without the wizard?

It is, but you should still use the wizard.

Using the wizard is the proper way to do it - if you do not do it the proper way, then it can make future troubleshooting more difficult.

Being more of an Exchange person than an SBS person, I used to do everything manually - however, it is far easier to just run the wizard and do it that way.

Not only is that a quicker solution, it is also the most thorough way to do it.

The Petri guide you posted above would work for SBS (I know, I have done it) but the CEICW would be faster :)

-red

Okay... you HAVE to use the wizard. And the firewall that it mentions in the Wizard is NOT the Windows Firewall (I know... it's confusing, but it's referring to ISA in this case).

The CEICW issues over 500 command lines and is absolutely necessary to run because you really cannot otherwise configure all of the components in your SBS so that they are properly synchronized.

You can ask most anyone... but if you don't use the wizards to configure your SBS... ALL of the Wizards, you'll run into more problems than you can imagine.  I have no idea why people are so opposed to them but everyone I've ever known that was opposed to the wizards at first would never try to configure an SBS without them today.  If you think you're smarter than that, then please spend as much time as you like trying to do things manually.

Jeff
TechSoEasy

I got it going without using the Wizard. I used the documentation on Microsoft's site, along with configuring the HTTP filter in ISA to allow only RPC traffic via the web publishing rule.

Thanks for all the help

Johan

You may have... but I wonder how many other things aren't working right on your server... why are you so opposed to using it?

Jeff
TechSoEasy

Everything else is still working as normal; that's the first thing I checked after making the changes. No errors reported in ISA logs and no errors in event logs.

Why I am so opposed to using it is because our users travel a lot, and connecting to their email this way is better than OWA and VPN.

I was asking why you are opposed to using the wizard. If your users travel a lot, you can certainly configure RPC over HTTPS for them in addition to the standard Exchange configuration. That's how I set up all laptops that are part of SBS Networks. Your situation is not unique.

Jeff
TechSoEasy

How much different does HTTPS over RPC work from the standard Exchange configuration?

SOLUTION
This solution is only available to members.

The answer to his question was provided here: http:Q_22066511.html#17984277

Jeff
TechSoEasy

I respectfully disagree, as the asker has apparently not been following the wizard anyway, and resolved it without following Jeff's instructions.

Without using the CEICW, the auto-generated guide will not be accurate.

It looks like the whole problem was a certificate issue, which was diagnosed and instructed on by me.

Either way, accept or delete: no refund is fine by me.

-red

The answer is that you have to use the wizard. If they haven't been using it then they need to... which is what I suggested.

Jeff
TechSoEasy