Solved

Having trouble setting up Exchange RPC over HTTPS

Posted on 2006-11-20
Last Modified: 2010-04-18
Hi All,

I'm having some difficulty getting RPC over HTTPS working on my server. We have SBS 2003 Premium installed. SSL is set up and configured on the server. I used the following URL in setting up the procedure: http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

I've done all the steps explained in the document. Internally (local network), when I run the command outlook /rpcdiag, I'm successful and I can connect to the RPC server.

I think my problem lies with the ISA (2004) side of the configuration. I did the following:

1: Export a Web server certificate from the IIS-based computer that hosts the RPC proxy site
2: On the ISA Server 2004-based computer, import the Web server certificate from the IIS-based computer that hosts the RPC proxy site, and then install the certificate
3: Create a new Web publishing rule on the ISA Server 2004-based computer.

Hope this is enough info.

Regards,

Johan



 



 
Question by:technolutions
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17977962
Hi technolutions,

> when i run the following command outlook /rpcdiag i'm successful and i can connect to the RPC server.

What does it say?  Are you connecting with TCP/IP or HTTPS?

From a machine having problems from inside the LAN, browse to https://server.domain.com/rpc - does it pop up with a certificate question?

Hope that helps,

-red
 

Author Comment

by:technolutions
ID: 17978004
I'm connecting with TCP/IP. When I run the above URL I get the certificate pop-up and the Basic logon box appears.
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17978030
Ding!

That is your problem.

TCP/IP means that it is NOT working.

That certificate pop-up is WHY it isn't working.

You should buy a certificate for the server, but if you do not want to do that (which is fine) you need to install the certificate.

These are poor instructions, but they will do the job -> http://support.globalsign.net/en/serversign/IIS.cfm

Click the "view certificate" button on that certificate pop-up, and then install the certificate to the "physical store" "trusted root certificate authority/local computer" (it is the first set of photos).

-red
 

Author Comment

by:technolutions
ID: 17978246
OK, now I don't understand!!

I did import the certificate on both the DC and the local computer (client). Surely if I test this internally it should connect via TCP/IP??
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 250 total points
ID: 17978278
You INSTALL it on the server, but you IMPORT it on the local computer.

If you configure the connection properly, it will connect via HTTPS internally.

The fact that you are getting a certificate prompt is not good, what is the prompt complaining about?

There are 3 reasons for it to fail: untrusted, expired or wrong name.

-red
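
The three causes named in the accepted answer (untrusted, expired, wrong name) can be told apart from a client without clicking through the prompt. The following Python check is an added example, not part of the original thread; the function names are hypothetical, `server.domain.com` is the placeholder host used earlier in the thread, and it assumes Python's default trust store reflects the certificates installed on the machine.

```python
import socket
import ssl
import sys

# OpenSSL verify codes grouped under the three causes from the answer above.
EXPIRED = {9, 10}              # not yet valid / has expired (date problems)
UNTRUSTED = {18, 19, 20, 21}   # self-signed, or issuer missing from the trust store
WRONG_NAME = {62, 64}          # host name / IP address not in the certificate


def classify_verify_code(code):
    """Map an OpenSSL verification code to one of the three causes."""
    if code in EXPIRED:
        return "expired"
    if code in UNTRUSTED:
        return "untrusted"
    if code in WRONG_NAME:
        return "wrong name"
    return "other"


def diagnose(host, port=443, timeout=5.0):
    """Do a verified TLS handshake and report why it would prompt, if it would."""
    ctx = ssl.create_default_context()  # checks both the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # The handshake stops at the first failure, so re-run after each fix.
        return (classify_verify_code(exc.verify_code), exc.verify_message)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return ("unreachable", str(exc))


if __name__ == "__main__" and len(sys.argv) > 1:
    # e.g.  python rpc_cert_check.py server.domain.com
    print(sys.argv[1], diagnose(sys.argv[1]))
```

Use the same host name that Outlook is configured with for the RPC proxy; a certificate that validates under one name can still fail with "wrong name" under another.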
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17984277
The actual instructions for this are located in your Remote Web Workplace Main Menu by clicking on the link, "Configure Outlook via the Internet"

You should use these specific instructions because they are dynamically created for your specific server's configuration.

You shouldn't have done any of the steps you listed above, because with SBS, RPC over HTTPS is configured automatically by the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email)  which also makes the necessary changes in ISA.

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select.  
Be sure to check those out as well.

Jeff
TechSoEasy
 

Author Comment

by:technolutions
ID: 17985247
Hi Jeff

I can't use Windows Firewall because I have ISA 2004 installed and we have a Netgear router on the outside that forwards requests to the internal server/DMZ, which is ISA.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985322
Who said anything about you using the Windows Firewall?

Jeff
TechSoEasy
 

Author Comment

by:technolutions
ID: 17985353
In that article you gave me it shows to enable the firewall. I don't want to use the wizard. Surely it's possible to do it without the wizard?
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17985400
>>surely its possible doing it without the wizard?

It is, but you should still use the wizard.

Using the wizard is the proper way to do it - if you do not do it the proper way, then it can make future troubleshooting more difficult.

Being more of an Exchange person than an SBS person, I used to do everything manually. However, it is far easier to just run the wizard and do it that way.

Not only is that a quicker solution, it is also the most thorough way to do it.

The Petri guide you posted above would work for SBS (I know, I have done it) but the CEICW would be faster :)

-red
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985402
Okay... you HAVE to use the wizard.  And the firewall that it mentions in the Wizard is NOT the Windows Firewall (I know... it's confusing, but it's referring to ISA in this case).  

The CEICW issues over 500 command lines and is absolutely necessary to run because you really cannot otherwise configure all of the components in your SBS so that they are properly synchronized.

You can ask most anyone... but if you don't use the wizards to configure your SBS... ALL of the Wizards, you'll run into more problems than you can imagine.  I have no idea why people are so opposed to them but everyone I've ever known that was opposed to the wizards at first would never try to configure an SBS without them today.  If you think you're smarter than that, then please spend as much time as you like trying to do things manually.

Jeff
TechSoEasy
 

Author Comment

by:technolutions
ID: 17985449
I got it going without using the wizard. I used the documentation on the Microsoft site, along with configuring the HTTP filter in ISA to allow only RPC traffic via the web publishing rule.


Thanks for all the help

Johan
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985456
You may have... but I wonder how many other things aren't working right on your server... why are you so opposed to using it?

Jeff
TechSoEasy
 

Author Comment

by:technolutions
ID: 17985493
Everything else is still working as normal; that's the first thing I checked after making the changes. No errors reported in ISA logs and no errors in event logs.

Why I am so opposed to using it is because our users travel a lot, and connecting to their email this way is better than OWA and VPN.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17992242
I was asking why you are opposed to using the wizard.  If your users travel a lot, you can certainly configure RPC over HTTPS for them in addition to the standard Exchange configuration.  That's how I set up all laptops that are part of SBS Networks.  Your situation is not unique.

Jeff
TechSoEasy
 

Author Comment

by:technolutions
ID: 17993773
How differently does HTTPS over RPC work from the standard Exchange configuration?
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17996264
As far as the end user is concerned?  There is almost no difference... a bit longer to update folders when first logging on.  But only when connecting remotely.  When connected normally on the LAN, RPC over HTTPS will not be used.  (The user doesn't even have to know this, it will happen automatically if you configure both).

Jeff
TechSoEasy
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18388020
The answer to his question was provided here:  http:Q_22066511.html#17984277

Jeff
TechSoEasy
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 18389984
I respectfully disagree, as the asker has apparently not been following the wizard anyway, and resolved it without following Jeff's instructions.

Without using the CEICW, the auto generated guide will not be accurate.

It looks like the whole problem was a certificate issue, which was diagnosed and instructed on by me.

Either way, accept or delete: no refund is fine by me.

-red
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18403932
The answer is that you have to use the wizard.  If they haven't been using it then they need to... which is what I suggested.

Jeff
TechSoEasy