
RPC/HTTP Configuration Parameters

I have our RPC over HTTPS working with an internal client.  With an external client, I get the "Outlook must be online or connected" message.  I think I've tried all the suggestions in the posts here, at amset, and elsewhere, but still need help.  One thing I'm not sure about: I have a single Exchange 2003 server, so I have been using the single-server configurations.  However, while this is a single Exchange server, the domain controllers and web servers are separate.  Is this still the correct configuration, or do I need to use different registry settings?  We have a Netgear firewall with port 443 open and pointed to the mail server.
Next: Some configuration pages I've read indicate that the ValidPorts key should include 100-5000, but others do not.
I have purchased and registered a certificate to our mail server, mail1.company.com.  Do I actually need the mail server registered?  I haven't seen anything which indicates so.
The only change I've made on the domain controllers (since they are also GC servers) is the NSPI interface protocol sequences key.
More information will be provided as requested.
Thanks in advance!
 
weareitCommented:
Did you add the ports for your DC to the registry?

At the bottom of this page is an example:  http://www.amset.info/exchange/rpc-http-server.asp

-saige-
 
AFlowersAuthor Commented:
I think so, but am verifying that now.  My internal and external domains are the same.  Will that make a difference?
 
SembeeCommented:
Basically RPC over HTTPS fails on three points....

- SSL certificate acceptance
- Authentication
- Registry settings.

Did you go through my trouble shooting page, which includes the SSL certificate test?
Have you confirmed the authentication settings are the same on the client and in IIS?

You do meet the requirements for RPC over HTTPS? There have been posts where people don't.

Simon.

 
AFlowersAuthor Commented:
Windows 2003 domain, Exchange Server 2003 sp2, clients are XP Pro with Outlook 2003.

I *think* I've gone through the troubleshooting steps, but please remind me what to do.  I'd rather do it again than miss something.

With an internal client the HTTPS connection works (outlook /rpcdiag shows HTTPS connection).

Thanks for all the quick replies!
 
SembeeCommented:
If an internal client shows https working for all connection types then the feature is working correctly.
You have to look at what is different outside.

When you use the rpc diag switch outside the network, which element fails?

Simon.
 
AFlowersAuthor Commented:
I can't get that far.  The setup fails immediately at the "Check Name", even after checking/setting the HTTP settings.
 
SembeeCommented:
What happens if you take a client that is already configured and use it outside the firewall? Prove that connectivity first, before you start trying to setup clients externally.

Simon.
 
AFlowersAuthor Commented:
Thanks Sembee, we'll do that next and keep y'all posted.

Update: I've noticed that the error message pops up immediately during the Check Name stage (after setting up the RPC settings).  There is no traffic to the dial-up connection.  My guess is something on the client itself, since it generates the error without even trying the connection.  Hope this extra information helps.
 
AFlowersAuthor Commented:
Update: I've connected the client to the LAN, and Outlook HTTPS works properly.  If I disconnect from the LAN and try dial-up, it fails.

We've tried the same tests on another laptop (Vista with Outlook 2007) - same results.

Both laptops fail immediately - that is, they do not even try to access the dial-up connection, they just fail.
 
SembeeCommented:
If you are getting https on the LAN but it drops off when you go over the internet then something is blocking the connection. Firewall, NAT redirection, something like that.

If the client is configured correctly and you haven't placed connection restrictions on the web server, then it is something outside of Exchange that is causing the failure off site.

Simon.
 
AFlowersAuthor Commented:
Still have problems.  I've verified that port 443 is opened on the firewall, and is pointing to the exchange server.  From the test computer (connected via dialup and not the LAN), I use IE to navigate to https://www.companyname.com, I am taken to the default web page on the mail server which shows the active certificate.

What can/should I check next?

Thanks!
 
SembeeCommented:
What happens if you go to https://host.domain.com/rpc 
Do you get any errors? Ignore an authentication prompt.

Is there more than one web site on this server?

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
 
AFlowersAuthor Commented:
Using the dialup, if I browse to https://mail1.company.com, I get a standard "can't find it" error from the browser.  However, if I browse to https://www.company.com, I get the three prompts to login, then the ACL error.

Configuration: Two Windows 2003 domain controllers, 1 Exchange 2003 server, 1 Windows 2003 web server hosting company domain (www.company.com).
 
AFlowersAuthor Commented:
More Info.: I do not have the CA installed in the domain.  Do I need a CA server for this to function?
 
SembeeCommented:
The three prompts to login is normal.
What the browser test is for is to confirm whether the SSL certificate is accepted by the machine or not. If you get an SSL prompt then RPC over HTTPS will not work as Outlook cannot cope with the prompt.

Are you using a home grown or a commercial SSL certificate? If you are trying to use a home grown certificate then I would suggest that you don't bother. Those are more hassle than they are worth, particularly when you can get SSL certificates for US$20 - $60, depending on the source.

If you want to check it with a commercial certificate then get hold of a trial 30 day certificate from RapidSSL. That is trusted by most browsers - certainly Internet Explorer for this feature.

Simon.

 
AFlowersAuthor Commented:
The certificate is VeriSign.  Notice that when I browse to https://mailserver.company.com, I get the browser error.  If I browse to https://www.company.com, I get the login prompts.  Should I not get these when I browse to the mail server?

Thanks in advance!

PS - Previous question: Do I need CA installed in the domain?
 
SembeeCommented:
If you are using a commercial certificate then you don't need a certificate authority. That is only required if you are using your own certificates.

Whatever name is on the certificate that is the name you must use in Outlook.
You will get authentication prompts when browsing the /rpc virtual directory - that is normal behaviour and is to be expected.

Simon.

 
AFlowersAuthor Commented:
Thanks for the reply regarding the CA.
What are your thoughts on the issue of when I browse to https://mailserver.company.com, I get the browser error.  If I browse to https://www.company.com, I get the login prompts.  Should I not get these when I browse to the mail server?

I keep rechecking all the information on this, yet still have the problem.  Now I'm trying to find out specifics to see what's wrong.
 
SembeeCommented:
Presuming that the URLs point to the same IP address, you can only have one certificate on each virtual web server. Therefore working on one address and not on the other would be expected. You do need to ensure that the names resolve to the correct IP address.

Simon.

 
AFlowersAuthor Commented:
Problem solved: I hired a local consultant to come in and see what was wrong.  An nslookup revealed that the mail server's name would not resolve.  We called our ISP and had them add the mail server's name to our DNS record.  All is well now.

I want to award the points anyway.  All of the responses contributed to the final solution.

Thanks!
0
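The three checks the replies walk through (does the certificate's name resolve, is that name actually on a trusted certificate, does /rpc answer with an authentication challenge), as an added Python example that is not part of this thread; the host name is a placeholder and the certificate dictionaries used for testing are constructed.

```python
import socket
import ssl
import http.client

def resolve_name(host):
    """Step 1: does the name on the certificate resolve publicly? (the fault found in the thread)"""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})
    except socket.gaierror:
        return []  # what nslookup showed: no record for the mail server's name

def cert_dns_names(cert):
    """CN plus DNS SANs from a getpeercert()-style dict, lower-cased."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]

def name_matches(cert, host):
    """Outlook must be given a name that is on the certificate; one-label wildcards allowed."""
    host = host.lower()
    for n in cert_dns_names(cert):
        if n == host or (n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:])):
            return True
    return False

def fetch_cert(host, port=443, timeout=10):
    """Step 2: TLS handshake; the chain must verify (no browser SSL prompt), name checked separately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # a mismatch is reported by name_matches() instead of aborting here
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def probe_rpc(host, timeout=10):
    """Step 3: the browser test from the thread; /rpc should answer 401 (the login prompts)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("GET", "/rpc")
    status = conn.getresponse().status
    conn.close()
    return status

def diagnose(ips, name_ok, status):
    """Map the three observations onto the failure classes discussed in the replies."""
    if not ips:
        return "DNS: certificate name does not resolve; add it to the public zone"
    if not name_ok:
        return "Certificate: the name given to Outlook is not on the certificate"
    if status in (401, 403):
        return "OK: /rpc reachable and demanding authentication"
    return f"HTTP {status} from /rpc: check IIS authentication, firewall or NAT"
```

Run as `diagnose(resolve_name(h), name_matches(fetch_cert(h), h), probe_rpc(h))` with `h` set to the exact name on the certificate, from a machine outside the LAN.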
