• Status: Solved
  • Priority: Medium
  • Security: Public

Unable to Connect to Remote Exchange Server

My office in Malaysia is able to access MS Exchange, which is located in the US. My office is working perfectly with MS Exchange. However, some users on the run and home office users are not able to establish a connection to the Exchange server. During the Outlook setup, I am not able to get authenticated.

I did some common connection tests like ping, nslookup, online port scan, etc.
I even tried with an HTTPS proxy, however, no good.
I saw an MS article about Cox Communication blocking ports 135-139. Is there a workaround? Bypass? Port mapping?
Please help.
Asked by: nexusmedia

Sembee Commented:
Some version information would be helpful here.

However most ISPs will block port 135 and it is certainly not something that you want open to the internet.

You need to speak to whoever admins the server in the US that you want to connect to and see what they have setup for remote access. For Exchange functionality it will be either RPC over HTTPS or VPN access.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Hi sembee,

HTTPS and VPN are not working. They are using web access currently.
Our Exchange is currently in the DMZ zone; I know it's not a good practice.
I am planning to deploy ISA in the DMZ zone. Will it solve the current situation?
What are the enterprise best practices? Can you share them with me?

Sembee Commented:
Enterprise best practise would be to get a good Exchange consultant to come in and sort out your environment. Unfortunately I don't answer such wide ranging comments as I have to provide paying customers with something they cannot get for free off the internet.

If the Exchange environment is not configured correctly, including putting Exchange in the DMZ then you should sort that out first. An ISA server is not required for remote access for Exchange - it should be considered an enhancement.


Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Hi Sembee,

I should update you on the Exchange Server version and some details here:-
Exchange 2003

I would like to ask whether there are any reasons that some users in my office could not connect to Exchange due to an ISP port block, or a relevant alternative to solve that problem?

Would it be a good idea to change the Outlook and Exchange connection port? I would like to know whether this will solve the ISP port block and my users' connection problem.

I would also like to know whether there is any way to check the Outlook connection status when it starts connecting to Exchange. I could not detect what was wrong on the Exchange side or the Outlook side of the connection.

If you could point me to relevant information and places, I would very much appreciate it.

Thank you.

Sembee Commented:
Exchange is hard coded to use certain ports and changing those ports will cause other problems. You need to look at using the standard tools for remote access to Exchange, which is usually either VPN or RPC over HTTPS. Nothing else will work reliably.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Thank you, Sembee.
I would like to know whether there is any checklist I could refer to, to see whether my configurations are correct or not.
I need some guidance on RPC over HTTPS in case I set something up wrong. I assumed that it will not require any change on the current Outlook 2007 clients? Everything under the Exchange features will work as usual?

Thank you for your input.

Sembee Commented:
The only change you have to make to Outlook clients is to add the additional settings for RPC over HTTPS. It doesn't work transparently.
There are many articles on RPC over HTTPS, mine is here: http://www.amset.info/exchange/rpc-http.asp

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Hi Sembee,
I have followed this link:
http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

I created a new profile for testing purpose.
It gives me this error: "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site webmail.mydomain.com. Outlook is unable to connect to the proxy server. (error Code 0)"
 
Sembee Commented:
The error means what it says.
The certificate doesn't match. You need to check the SSL certificate for errors.
Browse to https://host.domain.com/rpc (where host.domain.com is the name that you have entered in to Outlook). Do you get a certificate prompt? If you do, then look to see which element it is failing. It will be either trust, name or date. You need to fix it so that you don't get an error. This could be by purchasing another certificate or using another name.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
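
The browser test in the answer above asks which element of the certificate fails: trust, name or date. As an added example (not part of the thread and not the answerer's code), this Python script makes the same three checks on a certificate. The sample certificate and the name exchange.mydomain.com are constructed, and `probe()` relies on Python's trust store, which may differ from the one Outlook uses on the client.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "exchange.mydomain.com"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}

def name_matches(cert, hostname):
    """True if hostname matches a DNS subjectAltName, or the CN when the cert has no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback to the common name
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for pattern in (n.lower() for n in names):
        if pattern == host:
            return True
        # A wildcard stands for exactly one left-most label (*.mydomain.com).
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def date_valid(cert, now=None):
    """True if `now` (epoch seconds, default: current time) is inside the validity window."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])

def diagnose(cert, hostname, chain_trusted=True, now=None):
    """Failing elements, in the order the answer lists them: trust, name, date."""
    checks = (("trust", chain_trusted), ("name", name_matches(cert, hostname)),
              ("date", date_valid(cert, now)))
    return [label for label, ok in checks if not ok]

def probe(hostname, port=443, timeout=10):
    """Live check (needs network access to the RPC proxy host)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name is checked by diagnose() so it is reported separately
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # OpenSSL verify codes 9 and 10: certificate not yet valid / has expired.
        return ["date" if err.verify_code in (9, 10) else "trust"]
    return diagnose(cert, hostname)
```

Call `probe()` with the exact host name entered in Outlook's proxy settings; an empty list means the certificate passed all three checks from that machine.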

nexusmedia (Author) Commented:
Hi Sembee,

I get an HTTP error 401.3 - unauthorized.
Any idea? I am able to get a response from rpcping.
What am I missing?
By the way, if I select Exchange proxy with basic authentication, it prompts for credentials all the time.
If I select NTLM, it will use TCP/IP.

Sembee Commented:
I didn't say to try to enter a username and password, as that will always fail. The browser test is to confirm whether the machine accepts the SSL certificate.

What setting do you have on the /rpc virtual directory for authentication? That needs to match what you have in Outlook.
If you have just basic enabled then you need to use basic in Outlook.
If you have integrated authentication then you need to use NTLM in Outlook.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Hi Sembee,

I get this from rpcping to msstd:myproxy:
The proxy setting is disabled.
I get a return error 12007 winhttpsendrequest.
ping failed.

nexusmedia (Author) Commented:
Hi Sembee,

I have just updated my SSL certificate, and now rpcping is responding positively.
However, I am still not able to log in to Outlook using HTTPS. I have configured both Outlook and the RPC virtual server to use basic authentication. =(

Sembee Commented:
Are you testing this on or off the local LAN?
If you are testing it from outside then stop and try it from inside. Enable both Basic and Integrated authentication on the virtual directory.
Then configure Outlook on a client machine as normal, check it works before adding the additional information for RPC over HTTPS to the client. Ensure that NTLM authentication is enabled. Then restart Outlook. It should connect and when you look at the diagnostics tab it is https for all connection types.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

nexusmedia (Author) Commented:
Hi Sembee,

I have stopped testing from outside and started testing from inside.
The problem is still the same. It prompts for HTTPS authentication, but somehow it fails all the time even when I enter a valid username and password. Could this be caused by the IIS authentication?
I am almost there....
Just another add-on: I am using a single platform; RPC and Exchange are on one server.

nexusmedia (Author) Commented:
Hi Sembee,

I am using Exchange 2003 SP2, should I downgrade to SP1?

Sembee Commented:
You cannot downgrade to SP1. Once you have installed SP2 it cannot be removed.

Authentication failure is very common.
To clarify what you are actually doing - if you are doing the web browser test then authentication will always fail. The web browser test is to confirm acceptance of the certificate.

If you are testing this internally, then ensure that you are using a machine that is a member of the domain and that integrated authentication is enabled on the /rpc virtual directory and NTLM is enabled in Outlook. You should not get any authentication prompts in that scenario.
If you do, then it is most likely the registry settings are incorrect.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.