Having trouble setting up Exchange RPC over HTTPS

Hi All

I'm having some difficulty getting RPC over HTTPS working on my server. We have SBS 2003 Premium installed. SSL is set up and configured on the server. I used the following URL in setting up the procedure: http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

I've done all the steps explained in the document. Internally (local network), when I run the command outlook /rpcdiag, I'm successful and I can connect to the RPC server.

I think my problem lies with the ISA (2004) side of the configuration. I did the following:

1: Export a Web server certificate from the IIS-based computer that hosts the RPC proxy site
2: On the ISA Server 2004-based computer, import the Web server certificate from the IIS-based computer that hosts the RPC proxy site, and then install the certificate
3: Create a new Web publishing rule on the ISA Server 2004-based computer.

Hope this is enough info.

Regards,

Johan

Asked by: technolutions

redseatechnologies Commented:
Hi technolutions,

> when i run the following command outlook /rpcdiag i'm successful and i can connect to the RPC server.

What does it say?  Are you connecting with TCP/IP or HTTPS?

From a machine having problems from inside the LAN, browse to https://server.domain.com/rpc - does it pop up with a certificate question?

Hope that helps,

-red

technolutions (Author) Commented:
I'm connecting with TCP/IP. When I run the above URL I get the certificate pop-up and the Basic logon box appears.

redseatechnologies Commented:
Ding!

That is your problem.

TCP/IP means that it is NOT working.

That certificate pop-up is WHY it isn't working.

You should buy a certificate for the server, but if you do not want to do that (which is fine) you need to install the certificate.

These are poor instructions, but they will do the job -> http://support.globalsign.net/en/serversign/IIS.cfm

Click the "view certificate" button on that certificate pop-up, and then install the certificate to the "physical store" "trusted root certificate authority/local computer" (it is the first set of photos).

-red

technolutions (Author) Commented:
OK, now I don't understand!!

I did import the certificate on both the DC and the local computer (client). Surely if I test this internally it should connect via TCP/IP??

redseatechnologies Commented:
You INSTALL it on the server, but you IMPORT it on the local computer.

If you configure the connection properly, it will connect via HTTPS internally.

The fact that you are getting a certificate prompt is not good, what is the prompt complaining about?

There are 3 reasons for it to fail: untrusted, expired or wrong name.

-red
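
The three failure reasons listed in the post above can be told apart from a client by attempting a strictly verified TLS handshake against the RPC proxy host and reading the verification error. This is an added example, not part of the original thread; the function names are hypothetical, and server.domain.com is the placeholder host used earlier in the thread.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes exposed as SSLCertVerificationError.verify_code,
# grouped into the three reasons named in the post above.
REASONS = {
    "untrusted": {18, 19, 20, 21},  # self-signed, or issuer not in the trust store
    "expired": {9, 10},             # not yet valid, or past its notAfter date
    "wrong name": {62},             # certificate does not cover the host name used
}


def classify(verify_code):
    """Map an OpenSSL verification code to one of the three reasons."""
    for reason, codes in REASONS.items():
        if verify_code in codes:
            return reason
    return "other"


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake as a strict client would; return (reason, detail).

    cafile: optional PEM file to use as the only trust anchor, for example
    the certificate exported from the server.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # trust, dates and name enforced
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Only the first failing check is reported; fix it and probe again.
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    # Placeholder host name from the thread; replace with the name Outlook uses.
    print(probe("server.domain.com"))
```

Running `probe` with the exported server certificate as `cafile` shows whether trusting that certificate alone clears the error, or whether an expiry or name problem remains behind it.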
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
The actual instructions for this are located in your Remote Web Workplace Main Menu by clicking on the link, "Configure Outlook via the Internet"

You should use these specific instructions because they are dynamically created for your specific servers configuration.

You shouldn't have done any of the steps you listed above, because with SBS, RPC over HTTPS is configured automatically by the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email)  which also makes the necessary changes in ISA.

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select.  
Be sure to check those out as well.

Jeff
TechSoEasy

technolutions (Author) Commented:
Hi Jeff

I can't use Windows Firewall because I have ISA 2004 installed and we have a Netgear router on the outside that forwards requests to the internal server/DMZ, which is ISA.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Who said anything about you using the Windows Firewall?

Jeff
TechSoEasy

technolutions (Author) Commented:
In that article you gave me it shows to enable the firewall. I don't want to use the wizard. Surely it's possible to do it without the wizard?

redseatechnologies Commented:
>>surely its possible doing it without the wizard?

It is, but you should still use the wizard.

Using the wizard is the proper way to do it - if you do not do it the proper way, then it can make future troubleshooting more difficult.

Being more of an Exchange person than an SBS person, I used to do everything manually - however, it is far easier to just run the wizard and do it that way.

Not only is that a quicker solution, it is also the most thorough way to do it.

The Petri guide you posted above would work for SBS (I know, I have done it) but the CEICW would be faster :)

-red

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Okay... you HAVE to use the wizard.  And the firewall that it mentions in the Wizard is NOT the Windows Firewall (I know... it's confusing, but it's referring to ISA in this case).  

The CEICW issues over 500 command lines and is absolutely necessary to run because you really cannot otherwise configure all of the components in your SBS so that they are properly synchronized.

You can ask most anyone... but if you don't use the wizards to configure your SBS... ALL of the Wizards, you'll run into more problems than you can imagine.  I have no idea why people are so opposed to them but everyone I've ever known that was opposed to the wizards at first would never try to configure an SBS without them today.  If you think you're smarter than that, then please spend as much time as you like trying to do things manually.

Jeff
TechSoEasy

technolutions (Author) Commented:
I got it going without using the wizard. I used the documentation on Microsoft's site, along with configuring the HTTP filter in ISA to allow only RPC traffic via the web publishing rule.

Thanks for all the help

Johan

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You may have... but I wonder how many other things aren't working right on your server... why are you so opposed to using it?

Jeff
TechSoEasy

technolutions (Author) Commented:
Everything else is still working as normal; that's the first thing I checked after making the changes. No errors reported in ISA logs and no errors in event logs.

Why I am so opposed to using it is because our users travel a lot and connecting to their email this way is better than OWA and VPN.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
I was asking why you are opposed to using the wizard.  If your users travel a lot, you can certainly configure RPC over HTTPS for them in addition to the standard Exchange configuration.  That's how I set up all laptops that are part of SBS Networks.  Your situation is not unique.

Jeff
TechSoEasy

technolutions (Author) Commented:
How much differently does HTTPS over RPC work from the standard Exchange configuration?

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
As far as the end user is concerned?  There is almost no difference... a bit longer to update folders when first logging on.  But only when connecting remotely.  When connected normally on the LAN, RPC over HTTPS will not be used.  (The user doesn't even have to know this, it will happen automatically if you configure both).

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
The answer to his question was provided here:  http:Q_22066511.html#17984277

Jeff
TechSoEasy

redseatechnologies Commented:
I respectfully disagree, as the asker has apparently not been following the wizard anyway, and resolved it without following Jeff's instructions.

Without using the CEICW, the auto generated guide will not be accurate.

It looks like the whole problem was a certificate issue, which was diagnosed and instructed on by me.

Either way, accept or delete: no refund is fine by me.

-red

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
The answer is that you have to use the wizard.  If they haven't been using it then they need to... which is what I suggested.

Jeff
TechSoEasy