Solved

Having trouble setting up Exchange RPC over HTTPS

Posted on 2006-11-20
Last Modified: 2010-04-18
Hi All

I'm having some difficulty getting RPC over HTTPS working on my server. We have SBS 2003 Premium installed. SSL is set up and configured on the server. I used the following URL in setting up the procedure: http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

I've done all the steps explained in the document. Internally (local network), when I run the following command, outlook /rpcdiag, I'm successful and I can connect to the RPC server.

I think my problem lies with the ISA (2004) side of the configuration. I did the following:

1: Export a Web server certificate from the IIS-based computer that hosts the RPC proxy site
2: On the ISA Server 2004-based computer, import the Web server certificate from the IIS-based computer that hosts the RPC proxy site, and then install the certificate
3: Create a new Web publishing rule on the ISA Server 2004-based computer.

Hope this is enough info.

Regards,

Johan



 



 
Question by:technolutions
23 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17977962
Hi technolutions,

> when I run the following command, outlook /rpcdiag, I'm successful and I can connect to the RPC server.

What does it say?  Are you connecting with TCP/IP or HTTPS?

From a machine having problems from inside the LAN, browse to https://server.domain.com/rpc - does it pop up with a certificate question?

Hope that helps,

-red
0
 

Author Comment

by:technolutions
ID: 17978004
I'm connecting with TCP/IP. When I run the above URL I get the certificate pop-up and the Basic logon box appears.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17978030
Ding!

That is your problem.

TCP/IP means that it is NOT working.

That certificate pop-up is WHY it isn't working.

You should buy a certificate for the server, but if you do not want to do that (which is fine) you need to install the certificate.

These are poor instructions, but they will do the job -> http://support.globalsign.net/en/serversign/IIS.cfm

Click the "view certificate" button on that certificate pop-up, and then install the certificate to the "physical store" "trusted root certificate authority/local computer" (it is the first set of photos)

-red
0
 

Author Comment

by:technolutions
ID: 17978246
OK, now I don't understand!!

I did import the certificate on both the DC and the local computer (client). Surely if I test this internally it should connect via TCP/IP??
0
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 250 total points
ID: 17978278
You INSTALL it on the server, but you IMPORT it on the local computer.

If you configure the connection properly, it will connect via HTTPS internally.

The fact that you are getting a certificate prompt is not good. What is the prompt complaining about?

There are 3 reasons for it to fail: untrusted, expired or wrong name.

-red
0
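The three failure reasons named in the accepted answer (untrusted, expired, wrong name) can be told apart from a client without clicking through the prompt. This is an added example, not part of the original thread; the grouping of OpenSSL verification codes into those three reasons is an assumption of the example, and `server.domain.com` is the placeholder host name used earlier in the thread.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verification codes, grouped under the three reasons
# named in the thread. The grouping is this example's own assumption.
REASONS = {
    9: "expired",      # certificate is not yet valid (outside validity window)
    10: "expired",     # certificate has expired
    18: "untrusted",   # self-signed leaf certificate
    19: "untrusted",   # self-signed certificate in the chain
    20: "untrusted",   # unable to get local issuer certificate
    21: "untrusted",   # unable to verify the first certificate
    62: "wrong name",  # host name does not match the certificate
    64: "wrong name",  # IP address does not match the certificate
}


def classify(verify_code):
    """Map an OpenSSL verification code to one of the three reasons."""
    return REASONS.get(verify_code, "other")


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake and report why it fails, if it does.

    cafile may point at an exported root/server certificate (PEM) to test
    whether importing it into the trust store would clear the prompt.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return ("ok", "certificate chain and name verified")
    except ssl.SSLCertVerificationError as exc:
        # verify_code / verify_message are set by the ssl module (Python 3.7+)
        return (classify(exc.verify_code), exc.verify_message)
    except OSError as exc:
        return ("unreachable", str(exc))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "server.domain.com"
    print(target, *diagnose(target))
```

Run it against the same name that Outlook is configured to use for the RPC proxy; testing a different name hides a "wrong name" failure.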
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17984277
The actual instructions for this are located in your Remote Web Workplace Main Menu by clicking on the link, "Configure Outlook via the Internet"

You should use these specific instructions because they are dynamically created for your specific server's configuration.

You shouldn't have done any of the steps you listed above, because with SBS, RPC over HTTPS is configured automatically by the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email)  which also makes the necessary changes in ISA.

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select.  
Be sure to check those out as well.

Jeff
TechSoEasy
0
 

Author Comment

by:technolutions
ID: 17985247
Hi Jeff

I can't use Windows Firewall because I have ISA 2004 installed and we have a Netgear router on the outside that forwards requests to the internal server/DMZ, which is ISA.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985322
Who said anything about you using the Windows Firewall?

Jeff
TechSoEasy
0
 

Author Comment

by:technolutions
ID: 17985353
In that article you gave me it shows to enable the firewall. I don't want to use the Wizard. Surely it's possible doing it without the wizard?
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17985400
>>Surely it's possible doing it without the wizard?

It is, but you should still use the wizard.

Using the wizard is the proper way to do it - if you do not do it the proper way, then it can make future troubleshooting more difficult.

Being more of an Exchange person than an SBS person, I used to do everything manually. However, it is far easier to just run the wizard and do it that way.

Not only is that a quicker solution, it is also the most thorough way to do it.

The Petri guide you posted above would work for SBS (I know, I have done it) but the CEICW would be faster :)

-red
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985402
Okay... you HAVE to use the wizard.  And the firewall that it mentions in the Wizard is NOT the Windows Firewall (I know... it's confusing, but it's referring to ISA in this case).  

The CEICW issues over 500 command lines and is absolutely necessary to run because you really cannot otherwise configure all of the components in your SBS so that they are properly synchronized.

You can ask most anyone... but if you don't use the wizards to configure your SBS... ALL of the Wizards, you'll run into more problems than you can imagine.  I have no idea why people are so opposed to them but everyone I've ever known that was opposed to the wizards at first would never try to configure an SBS without them today.  If you think you're smarter than that, then please spend as much time as you like trying to do things manually.

Jeff
TechSoEasy
0
 

Author Comment

by:technolutions
ID: 17985449
I got it going without using the Wizard. I used the documentation on the Microsoft site, along with configuring the HTTP filter in ISA to allow only RPC traffic via the web publishing rule.


Thanks for all the help

Johan
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17985456
You may have... but I wonder how many other things aren't working right on your server... why are you so opposed to using it?

Jeff
TechSoEasy
0
 

Author Comment

by:technolutions
ID: 17985493
Everything else is still working as normal; that's the first thing I checked after making the changes. No errors reported in ISA logs and no errors in event logs.

Why I am so opposed to using it is because our users travel a lot and connecting to their email this way is better than OWA and VPN.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17992242
I was asking why you are opposed to using the wizard.  If your users travel a lot, you can certainly configure RPC over HTTPS for them in addition to the standard Exchange configuration.  That's how I set up all laptops that are part of SBS Networks.  Your situation is not unique.

Jeff
TechSoEasy
0
 

Author Comment

by:technolutions
ID: 17993773
How differently does HTTPS over RPC work from the standard Exchange configuration?
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17996264
As far as the end user is concerned?  There is almost no difference... a bit longer to update folders when first logging on.  But only when connecting remotely.  When connected normally on the LAN, RPC over HTTPS will not be used.  (The user doesn't even have to know this, it will happen automatically if you configure both).

Jeff
TechSoEasy
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18388020
The answer to his question was provided here:  http:Q_22066511.html#17984277

Jeff
TechSoEasy
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 18389984
I respectfully disagree, as the asker has apparently not been following the wizard anyway, and resolved it without following Jeff's instructions.

Without using the CEICW, the auto generated guide will not be accurate.

It looks like the whole problem was a certificate issue, which was diagnosed and instructed on by me.

Either way, accept or delete: no refund is fine by me.

-red
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18403932
The answer is that you have to use the wizard.  If they haven't been using it then they need to... which is what I suggested.

Jeff
TechSoEasy
0
