RPC over HTTP question - directory not connecting via HTTPS

I am trying to complete configuration of RPC over HTTP.  I have it mostly working: the Mail and Public Folders types show HTTPS.  However, the Directory does not connect via HTTPS - on the internet it just never connects, on the LAN it fails over to TCP/IP.  This seems to only affect the speed of the initial connection to the RPC Proxy when on the internet - it can take several minutes to connect the first time, but thereafter all functions seem to work.

Our setup is one Exchange 2003 FE OWA server in the DMZ, one Exchange 2003 BE server in the LAN hosting mailboxes, and two Windows 2003 DCs in the LAN - both GCs.  We are using a cert from GoDaddy.  In the course of trying to get this working I have implemented registry changes on the GCs and both Exchange servers to specify the ports as shown in several frequently linked guides (Sembee's being one of them).  The firewall has now been configured to allow all traffic from the FE/OWA box to both the BE and the GCs, though I would rather limit the open ports if possible.
Sembee commented:
Why is the frontend server in the DMZ? Do you think that improves your network security?
It does not belong there. Bring it inside where it belongs and I expect it will work correctly.

The directory not connecting usually means the proxy cannot connect to the domain controllers or the domain controllers do not have the required registry key on them.

Simon.
wcstrategy (Author) commented:
I don't think it is that unusual to put a public facing box running IIS in the DMZ when you don't have ISA.  However, given that we currently have rules allowing all traffic from the FE to the DCs through the firewall, shouldn't that accomplish the same thing as moving it inside (not that opening all ports was the original plan)?

I have run dcdiag from the FE to both DCs with no errors.  On both DCs I have put the REG_MULTI_SZ key of "NSPI interface protocol sequences" with a value of "ncacn_http:6004" in HKLM\SYSTEM\CurrentControlSet\Services\ntds\parameters.
Sembee commented:
While I agree that putting an IIS machine in the DMZ is not unusual, putting an Exchange server in the DMZ is a different matter altogether.

Answer this question then.
How does having an Exchange server in the DMZ improve your security?
If you can answer that question then you are doing very well, because no one else can.

I can give you plenty of reasons why it is a bad idea:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

When there is a firewall in the way, even opening all the ports may not be enough due to the way that the firewall handles the traffic. Putting the server inside is really the only way to confirm everything is working correctly.

Simon.
wcstrategy (Author) commented:
Fair enough, it's easy enough to patch it into the LAN and NAT the address over for testing purposes.  This isn't a killer issue as the essential functionality is there, but it bugs me not to have it right.  I'll test it on the LAN and see if anything changes.
wcstrategy (Author) commented:
Unfortunately, moving the FE server to the LAN didn't change anything.  Mail and Public Folders connect via HTTPS and Directory fails over to TCP/IP.  Functionality remains the same (as in it works, but the lack of connectivity for Directory bugs me).
Sembee commented:
The lack of directory connectivity will cause you a problem at some point. Outlook needs to connect to both.
That means either you have an error in the registry settings and are referencing an invalid domain controller, or the domain controller doesn't have the required registry key on it.

Simon.
wcstrategy (Author) commented:
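One way to check the two causes Simon lists above (a wrong domain controller reference, or a GC missing the NSPI registry key) together with the port reachability the firewall discussion was about, as an added PowerShell script that is not from the thread, run on the RPC proxy (front-end) server. The GC names are placeholders, it assumes the "ValidPorts" value under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy is where the port entries from the guides were put, and the remote registry reads need the Remote Registry service running on the DCs.

```powershell
# Added example (not from the thread): verify the RPC-over-HTTP directory
# prerequisites discussed above. Run on the RPC proxy server as a domain admin.
$GlobalCatalogs = @('GC1.example.local', 'GC2.example.local')   # placeholders
$NtdsKey   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NspiValue = 'NSPI interface protocol sequences'

foreach ($gc in $GlobalCatalogs) {
    # 1. Read the NSPI multi-string value from each GC's registry.
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $gc)
    $key   = $hklm.OpenSubKey($NtdsKey)
    $value = if ($key) { $key.GetValue($NspiValue) } else { $null }
    if ($value -contains 'ncacn_http:6004') {
        Write-Host "$gc : NSPI key present ($($value -join ','))"
    } else {
        Write-Host "$gc : NSPI key missing or wrong - expected ncacn_http:6004"
    }

    # 2. Confirm the proxy can actually reach the NSPI port on this GC,
    #    which is what the firewall rules in the thread have to allow.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($gc, 6004); Write-Host "$gc : TCP 6004 reachable" }
    catch   { Write-Host "$gc : TCP 6004 blocked - $($_.Exception.Message)" }
    finally { $tcp.Close() }
}

# 3. Each GC must also be listed on port 6004 in the proxy's ValidPorts value
#    (assumed location), using the name Outlook is given for the directory;
#    a missing or misspelled entry is the "invalid domain controller" case.
$validPorts = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts
Write-Host "ValidPorts on this proxy: $validPorts"
foreach ($gc in $GlobalCatalogs) {
    $short = $gc.Split('.')[0]
    if (($validPorts -notlike "*${short}:6004*") -and ($validPorts -notlike "*${gc}:6004*")) {
        Write-Host "ValidPorts does not list $gc on 6004 - Directory will fall back to TCP/IP"
    }
}
```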
Interestingly, remote connections now show all resources connecting via HTTPS.  When I connect from inside the LAN, Mail and Public Folders connect via HTTPS and Directory connects via TCP/IP - and that was what I had seen when I said it wasn't working.  When I tried it from the internet later in the day everything was using HTTPS.  Since it's the remote connectivity we are interested in, I'm ok with the way it currently works.  I think you have also persuaded me to keep OWA on the LAN.  Thanks for the help!