
RPC over HTTP question - directory not connecting via HTTPS

wcstrategy asked
Last Modified: 2010-03-06
I am trying to complete configuration of RPC over HTTP.  I have it mostly working, the Mail and Public Folders types show HTTPS.  However, the Directory does not connect via HTTPS - on the internet it just never connects, on the LAN it fails over to TCP/IP.  This seems to only affect the speed of the initial connection to the RPC Proxy when on the internet - it can take several minutes to connect the first time, but thereafter all functions seem to work.

Our setup is one Exchange 2003 FE OWA server in the DMZ, one Exchange 2003 BE server in the LAN hosting mailboxes, and two Windows 2003 DCs in the LAN - both GCs.  We are using a cert from GoDaddy.  In the course of trying to get this working I have implemented registry changes on the GCs and both Exchange servers to specify the ports as shown in several frequently linked guides (Sembee's being one of them).  The firewall has now been configured to allow all traffic from the FE/OWA box to both the BE and the GCs, though I would rather limit the open ports if possible.

Commented:
Why is the frontend server in the DMZ? Do you think that improves your network security?
It does not belong there. Bring it inside where it belongs and I expect it will work correctly.

The directory not connecting usually means the proxy cannot connect to the domain controllers or the domain controllers do not have the required registry key on them.

Simon.

Author

Commented:
I don't think it is that unusual to put a public facing box running IIS in the DMZ when you don't have ISA.  However, given that we currently have rules allowing all traffic from the FE to the DCs through the firewall, shouldn't that accomplish the same thing as moving it inside (not that opening all ports was the original plan)?

I have run dcdiag from the FE to both DCs with no errors.  On both DCs I have put the REG_MULTI_SZ key of "NSPI interface protocol sequences" with a value of "ncacn_http:6004" in HKLM\SYSTEM\CurrentControlSet\Services\ntds\parameters

Author

Commented:
Fair enough, it's easy enough to patch it into the LAN and NAT the address over for testing purposes.  This isn't a killer issue as the essential functionality is there, but it bugs me not to have it right.  I'll test it on the LAN and see if anything changes.

Author

Commented:
Unfortunately, moving the FE server to the LAN didn't change anything.  Mail and Public folders connect via HTTPS and Directory fails over to TCP/IP.  Functionality remains the same (as in it works, but the lack of connectivity for Directory bugs me).

Commented:
The lack of directory connectivity will cause you a problem at some point. Outlook needs to connect to both.
That means either you have an error in the registry settings and are referencing an invalid domain controller, or the domain controller doesn't have the required registry key on it.

Simon.
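
Added example (not part of the thread, and not code from any participant): a PowerShell check for the two causes named above, run from the RPC proxy server. It reads the "NSPI interface protocol sequences" value quoted earlier in the thread from each domain controller and tests whether TCP 6004 is reachable from the proxy. The DC names are placeholders, and the remote registry read assumes the Remote Registry service is reachable and the account has admin rights on the DCs.

```powershell
# Added example. DC names are placeholders; replace them with your global catalog servers.
$DomainControllers = @('dc1.example.local', 'dc2.example.local')
$KeyPath   = 'SYSTEM\CurrentControlSet\Services\ntds\parameters'
$ValueName = 'NSPI interface protocol sequences'
$Expected  = 'ncacn_http:6004'
$NspiPort  = 6004

function Get-NspiValue {
    param([string]$Computer)
    # Reads the value over Remote Registry; returns $null if the key or value is absent.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($KeyPath)
        if ($null -eq $key) { return $null }
        if ($key.GetValueNames() -notcontains $ValueName) { return $null }
        return @{ Kind = $key.GetValueKind($ValueName); Data = @($key.GetValue($ValueName)) }
    } finally { $hklm.Close() }
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout, so a firewall drop does not hang the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($dc in $DomainControllers) {
    $row = [ordered]@{ DC = $dc; RegistryOk = $false; PortOpen = $false; Detail = '' }
    try {
        $v = Get-NspiValue -Computer $dc
        if ($null -eq $v) { $row.Detail = 'value missing' }
        elseif ($v.Kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            $row.Detail = "wrong type: $($v.Kind)"   # must be REG_MULTI_SZ
        }
        elseif ($v.Data -notcontains $Expected) { $row.Detail = "unexpected data: $($v.Data -join ',')" }
        else { $row.RegistryOk = $true }
    } catch { $row.Detail = "registry read failed: $($_.Exception.Message)" }
    # Reachability as seen from the proxy; this is the path the firewall rule has to allow.
    $row.PortOpen = Test-TcpPort -Computer $dc -Port $NspiPort
    [pscustomobject]$row
}
```

A correct registry value with `PortOpen` false points to the firewall rule between the proxy and that domain controller, or to a domain controller that has not been restarted since the value was added.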

Author

Commented:
Interestingly, remote connections now show all resources connecting via HTTPS.  When I connect from inside the LAN, Mail and Public Folders connect via HTTPS and Directory connects via TCP/IP - and that was what I had seen when I said it wasn't working.  When I tried it from the internet later in the day everything was using HTTPS.  Since it's the remote connectivity we are interested in, I'm ok with the way it currently works.  I think you have also persuaded me to keep OWA on the LAN.  Thanks for the help!
