
Outlook Anywhere fails Initial configuration from the Internet

wparson asked
4,419 Views
Last Modified: 2013-11-16
How can I get RPC over HTTPS to work initially from outside a WatchGuard firewall? I have configured Outlook Anywhere on a Windows 2003/Exchange 2007 server. Outlook Anywhere works fine if it is initially configured on the private side of the firewall, but I am unable to connect "new" clients from outside the firewall. Once a connection is started the firewall blocks the IP and that's all she wrote. It will however work perfectly if the client connecting from outside was initially connected and configured inside the firewall.

Any Ideas?

CERTIFIED EXPERT
Top Expert 2007

Commented:
Is the HTTPS service configured to allow specific public IPs or authenticated users, or what is the configuration on the incoming side of the HTTPS service?
Can you paste the denied log entry so we know what on the firewall is blocking the packets?
Can you also check if the "new" client IP is listed under blocked hosts; if so, you might want to disable "Auto block source of packets not handled" under Setup > Intrusion Prevention > Default Packet Handling.

Please provide details.

Author

Commented:
HTTPS is NATed to the server to allow all incoming traffic over 80 and 443. The Exchange server is set to use basic authentication over SSL. I have watched the port traffic on the firewall and as far as I can see 135 gets blocked first, then the IP is added to blocked sites. An internally configured client moved outside the firewall to the exact same IP communicates fine with RPC/HTTPS, so it is an initial configuration issue. I will post the log entries in the morning when I get back on the internal network, as there is no way for me to unblock the IP from this side once I attempt an RPC/HTTPS connection.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Port 135 is needed for communication for OWA [http://support.microsoft.com/kb/259240]; as the port is not opened explicitly for the Exchange server, and further "Auto block source of packets not handled" under Setup > Intrusion Prevention > Default Packet Handling is enabled, the IP is blacklisted and hence all communication fails.
By default the IP is put for 10 minutes in the auto-block list.

The possible reason why a client pre-authenticated behind the firewall works is that it might not be sending requests on port 135. I am not 100% sure why that is happening, but more logs on the issue when authenticated users are connecting would help.
Expert of the Year 2007
Expert of the Year 2006

Commented:
Which method are you trying to use to configure the clients?
Are you configuring them by hand, or using AutoDiscover?
If the client works correctly outside after configuration then it could just be your process for configuring the feature. If you don't do it correctly then the client will attempt to make a standard MAPI connection, which will fail as the ports are not open.

Simon.

Author

Commented:
I turned off the auto block. There are three blocked SYNs to port 135, and then the process quits on the client and says the Exchange server cannot be reached.

I am manually configuring them; however, automatic does not work either. In Outlook 2007 it sets up a POP account instead of Exchange for some reason. Probably because the normal Exchange ports are not open and you have to manually configure RPC/HTTPS.

As I stated previously, they are correctly connecting to Exchange via RPC/HTTPS if they are first configured inside the firewall; the MAPI service is not on at all and the RPC connections are correctly working over HTTPS. It is the initial config from outside that fails.

Author

Commented:
Also, the newer versions of OWA do not require port 135; that was pre-Exchange 2000. OWA works fine with only 443 open.
Expert of the Year 2007
Expert of the Year 2006

Commented:
The auto configuration not working probably means you haven't got Autodiscover to work correctly.

You haven't gone in to enough detail on how you are setting up the clients.
The method I use I have outlined here: http://www.amset.info/exchange/rpc-http-client2.asp
It is for Outlook 2003, but identical for Outlook 2007.

If you attempt to connect too early then things don't work correctly.

Simon.

Author

Commented:
I use almost the same method except basic instead of NTLM authentication, as that is how the Exchange 2007 server is set to authenticate. I added msstd:mail.domain.com, which doesn't help. I still get three polls on 135 after entering basic domain\username and password, then the client says "The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action."

The mail server is on a local domain (domain.local), the certificate is for a valid internet domain, and I am using split DNS.

I put the IP on the block exception list so at least I can watch the logs, but it still fails after 3 polls to 135, so RPC over HTTPS does not seem to be connecting properly on the first connection attempt.
Expert of the Year 2007
Expert of the Year 2006

Commented:
If it is hitting port 135 then that would tend to indicate the client is unable to make the initial HTTPS connection. Something not resolving correctly for example.
Do you set Outlook to use http for both fast and slow connections? It gets easily confused with LANs otherwise.

Simon.

Author

Commented:
That would be my assessment, but it resolves correctly for both OWA and for internally initiated clients who are moved outside the firewall. Both fast and slow are checked.
Expert of the Year 2007
Expert of the Year 2006

Commented:
Have you tried the PRF method of configuration, rather than the manual method?
Have you looked at getting AutoDiscover to work?

Simon.

Author

Commented:
I have remote users and would be unable to distribute a standard installation. They are using everything from Office XP to 2007.

I have looked into the automatic configuration but I cannot find any way to edit it. When I use it from a client it configures POP access. How would I change it to configure Exchange RPC/HTTPS?
Expert of the Year 2007
Expert of the Year 2006

Commented:
Outlook Anywhere only works for Outlook 2003 and higher - so if you have anyone using Outlook 2002 they will be unable to use Outlook Anywhere.

If you haven't configured Auto Discovery then it would configure POP3 only, because that is all that it can find. You would need to look at the Microsoft Technet articles on autodiscover to get it to work correctly. You have to use a specific URL for it to work correctly, with redirects if you use multiple domains. It can look complicated, but in reality is not.

Exchange maintains the autodiscover XML file, based on settings that you have put in to Exchange such as the external URL for various folders. You don't edit it yourself at all.

A prf file for Outlook 2003 should also work for 2007, although I haven't tried it.
Another option would be to simply have three PRF files - one for each version of Outlook.

Simon.

Commented:
Did anyone get this working properly?

I have 80 and 443 open on the firewall.  From behind the firewall, I can get to the Outlook Anywhere/Client Access (Exchange 2007) server and connect.  When I attempt to connect from outside the firewall, I see SYN_SENT messages and seem to be hanging on a port communication to 135.  I have walked through the RPC over HTTP configuration with my Outlook 2003 and 2007 client a hundred times and tried a variety of combinations.  Right now, I have Outlook configured just as described in the link above (http://www.amset.info/exchange/rpc-http-client2.asp).  Additionally, I have set the Outlook Anywhere configuration to require NTLM authentication and verified that is the setting on the Mail account.

I can't understand why I still see connection requests to port 135!!!

When I run outlook /rpcdiag there's little information other than that it times out... I am assuming it's because I am trying to connect to a closed firewall port. What am I missing here in getting Outlook to talk over port 443?


Author

Commented:
I found the answer elsewhere actually. You need to configure a separate or combined SSL certificate for "autodiscover.domain.com" that points to the same place as OWA. Outlook has this URL built in when it tries to connect HTTP/RPC to the Exchange server, and it will fail during autodiscover if it is not set right. That was the final straw in my configuration.

Commented:
Will a wildcard certificate work? I already purchased one of those for the domain... then I read a post somewhere that they will not work for Outlook Anywhere... So now I have *.mydomain.com and webmail.mydomain.com. Do I need a third and to create the DNS alias?

Commented:
First...let me say I appreciate all of the help...next, let me say...I apologize if I sound like a dummy...

I currently have a single Default Web Site with the SSL certs I mentioned above.  This is where OWA, Exchange, Exchweb, etc are installed.  Is the recommendation for me to create a new web site (autodiscover.mydomain.com) that listens on a different IP address and same ports (80/443) and have the document root be the OWA folder?  Or should I create a virtual host under the existing Default Web Site (same IP, ports, etc)?  I assume the first method as that way I can perform a new CSR request, send it to GeoTrust and go from there.

A little clarification would be great!

Author

Commented:
Yes, it is a UCC certificate. If the site name does not match the certificate, autodiscover fails in the background with no prompt. Wildcards won't work to my knowledge.

Author

Commented:
I should add I turned off IP address blocking on the firewall and RPC over HTTP works for Outlook 2003, but for 2007 you need the autodiscover cert. I have not gotten one yet as I only have a few users on 07, but I imagine you might be able to turn blocking back on once you get the proper cert.
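The thread's resolution is that the certificate on the Client Access server must cover autodiscover.<domain>, and the author reports that a wildcard did not satisfy Outlook 2007. The following is an added example (not posted by anyone in the thread) that checks a certificate's name coverage for that hostname: the sample certificates and the "mydomain.com" hostnames are constructed placeholders, and fetch_cert() is a hypothetical helper for running the same check against a live server.

```python
import ssl
import socket

# Certificates in the shape ssl.SSLSocket.getpeercert() returns.
# Constructed samples; "mydomain.com" is the thread's placeholder, not a real deployment.
UCC_CERT = {"subject": ((("commonName", "webmail.mydomain.com"),),),
            "subjectAltName": (("DNS", "webmail.mydomain.com"), ("DNS", "autodiscover.mydomain.com"))}
WILDCARD_CERT = {"subject": ((("commonName", "*.mydomain.com"),),),
                 "subjectAltName": (("DNS", "*.mydomain.com"),)}
OWA_ONLY_CERT = {"subject": ((("commonName", "webmail.mydomain.com"),),)}  # no SAN at all

def cert_names(cert):
    """DNS names the certificate covers: SAN dNSName entries, else the subject CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a single leading '*' label standing for exactly one host label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def check_autodiscover_cert(cert, domain):
    """'ok' if autodiscover.<domain> is named explicitly, 'wildcard-only' if only a
    wildcard covers it (the thread reports Outlook 2007 did not accept that), else 'missing'."""
    host = f"autodiscover.{domain}".lower()
    names = cert_names(cert)
    if host in names:
        return "ok"
    if any(name_matches(n, host) for n in names):
        return "wildcard-only"
    return "missing"

def fetch_cert(host, port=443, timeout=5.0):
    """Live version: fetch the certificate served on autodiscover.<domain>:443 (needs network).
    Hostname checking is disabled so a mismatched name is reported rather than raising;
    the chain is still validated, because getpeercert() returns {} for unvalidated certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run the check against the three constructed certificates and only the UCC one returns "ok"; against a live server, pass fetch_cert("autodiscover.<domain>") to check_autodiscover_cert.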