RPC over HTTP question - directory not connecting via HTTPS

I am trying to complete configuration of RPC over HTTP. I have it mostly working; the Mail and Public Folders types show HTTPS. However, the Directory does not connect via HTTPS: on the internet it just never connects, and on the LAN it fails over to TCP/IP. This seems to only affect the speed of the initial connection to the RPC Proxy when on the internet; it can take several minutes to connect the first time, but thereafter all functions seem to work.

Our setup is one Exchange 2003 FE OWA server in the DMZ, one Exchange 2003 BE server in the LAN hosting mailboxes, and two Windows 2003 DCs in the LAN - both GCs.  We are using a cert from GoDaddy.  In the course of trying to get this working I have implemented registry changes on the GCs and both Exchange servers to specify the ports as shown in several frequently linked guides (Sembee's being one of them).  The firewall has now been configured to allow all traffic from the FE/OWA box to both the BE and the GCs, though I would rather limit the open ports if possible.
Sembee commented:
Why is the frontend server in the DMZ? Do you think that improves your network security?
It does not belong there. Bring it inside where it belongs and I expect it will work correctly.

The directory not connecting usually means the proxy cannot connect to the domain controllers or the domain controllers do not have the required registry key on them.

Simon.
wcstrategy (Author) commented:
I don't think it is that unusual to put a public facing box running IIS in the DMZ when you don't have ISA.  However, given that we currently have rules allowing all traffic from the FE to the DCs through the firewall, shouldn't that accomplish the same thing as moving it inside (not that opening all ports was the original plan)?

I have run dcdiag from the FE to both DCs with no errors. On both DCs I have put the REG_MULTI_SZ key of "NSPI interface protocol sequences" with a value of "ncacn_http:6004" in HKLM\SYSTEM\CurrentControlSet\Services\ntds\parameters.
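One way to confirm that the DC-side setting described in the comment above is actually in place on every global catalog, as an added PowerShell example that is not part of the original thread. It assumes PowerShell remoting to the DCs is available and that the hostnames in `$GlobalCatalogs` are placeholders you replace with your own; the NSPI value is only picked up by NTDS after a DC restart, so it also checks that TCP 6004 is listening.

```powershell
# Added example: verify the NSPI registry value and port 6004 on each GC.
# Assumptions: remoting is enabled on the DCs; $GlobalCatalogs are placeholder names.
$GlobalCatalogs = @('GC1-PLACEHOLDER', 'GC2-PLACEHOLDER')
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$KeyName  = 'NSPI interface protocol sequences'
$Expected = 'ncacn_http:6004'

foreach ($dc in $GlobalCatalogs) {
    # Read the REG_MULTI_SZ value on the DC; $null means the value is absent.
    $value = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    } -ArgumentList $KeyPath, $KeyName

    if ($null -eq $value) {
        Write-Warning "$dc : '$KeyName' is missing under $KeyPath"
    } elseif ($value -notcontains $Expected) {
        Write-Warning "$dc : value is '$($value -join ';')', expected to include '$Expected'"
    } else {
        Write-Output "$dc : registry value OK ($Expected)"
    }

    # The value takes effect only after NTDS restarts, so confirm the port actually listens.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($dc, 6004)
        Write-Output "$dc : TCP 6004 reachable from this host"
    } catch {
        Write-Warning "$dc : TCP 6004 not reachable; DC may need a restart or a firewall rule"
    } finally {
        $client.Close()
    }
}
```

Run it from the RPC Proxy (front-end) server as well as from an internal workstation; a registry value that is correct but a port that is unreachable only from the FE points at the firewall rather than at the DCs.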
Sembee commented:
While I agree that putting an IIS machine in the DMZ is not unusual, putting an Exchange server in the DMZ is a different matter altogether.

Answer this question then.
How does having an Exchange server in the DMZ improve your security?
If you can answer that question then you are doing very well, because no one else can.

I can give you plenty of reasons why it is a bad idea:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

When there is a firewall in the way, even opening all the ports may not be enough due to the way that the firewall handles the traffic. Putting the server inside is really the only way to confirm everything is working correctly.

Simon.
wcstrategy (Author) commented:
Fair enough, it's easy enough to patch it into the LAN and NAT the address over for testing purposes. This isn't a killer issue as the essential functionality is there, but it bugs me not to have it right. I'll test it on the LAN and see if anything changes.
wcstrategy (Author) commented:
Unfortunately, moving the FE server to the LAN didn't change anything. Mail and Public Folders connect via HTTPS and Directory fails over to TCP/IP. Functionality remains the same (as in it works, but the lack of connectivity for Directory bugs me).
Sembee commented:
The lack of directory connectivity will cause you a problem at some point. Outlook needs to connect to both.
That means either you have an error in the registry settings and are referencing an invalid domain controller, or the domain controller doesn't have the required registry key on it.

Simon.
wcstrategy (Author) commented:
Interestingly, remote connections now show all resources connecting via HTTPS. When I connect from inside the LAN, Mail and Public Folders connect via HTTPS and Directory connects via TCP/IP, and that was what I had seen when I said it wasn't working. When I tried it from the internet later in the day everything was using HTTPS. Since it's the remote connectivity we are interested in, I'm OK with the way it currently works. I think you have also persuaded me to keep OWA on the LAN. Thanks for the help!