petesulli asked:

RPC-HTTP not communicating - single server environment

I am trying to give Outlook users remote access to Exchange via RPC-HTTP.

I believe I have settings correct.
RPC ports have been set for the NetBIOS and FQDN
RPC is installed
OWA works.
The remote machine I am using as a test is a domain member.
My internal domain is of the type abcd.local, the server being named as wxyz.abcd.local.  (names changed!)

I have a DNS record for the server from outside wxyz.domain.net

The addressing works, as I can use the above FQDN for both OWA and TS.

Hope someone knows where I have gone wrong, it might be certs?  Is there a way of testing without the security - get that to work first and then add it on after?

Thanks
Exchange, Email Software, Microsoft IIS Web Server


8/22/2022 - Mon
avogini

Just a few checks:

1) You have the correct environment?
  a) Windows 2k3 Domain
  b) Exchange 2k3 on Windows 2k3 box
  c) Outlook 2k3
  d) Windows XP SP2 on client

2) Firewall -> Allow port 80 inbound with direct 1 to 1 with exchange server
ASKER
petesulli

Everything is as your list, and the server is a GC
avogini

Are you receiving any error messages to go off of?

Try a quick check to make sure RPC Proxy is running:
Open IE and try https://wxyz.domain.net/rpc

If you get a 403.2 error, then that's good... if you get a 404 then there is a DNS problem.

Also, double check your SSL cert matches the FQDN of your server exactly. (Typos can happen, trust me I know!)
avogini

Btw, a good idea just to narrow down the issue is to test without a firewall.

Use the info on this page as a guide (has pretty pics, which I can't do here). ;-)
http://www.petri.co.il/testing_rpc_over_http_connection.htm
ASKER
petesulli

OK, if I try my machine at
http://wxyz.domain.net/rpc
I get 403.4 - forbidden - go away and try httpS:// - so I do, and instead I get IE cannot display the web page, no error numbers, but it cracks on about DNS errors / checking browser supports SSL/TLS.

I have checked that the browser is set to allow SSL etc.
Nor does it matter whether I use a FQDN or IP address.
The test machine makes no difference whether it be on the local cable or the outside line.

I have been all over petri and used his notes to configure this thing in the first place.

Could there be a reason why it won't serve HTTPS pages?

Thanks for input so far


avogini

Ok, let me do some checking, but it now definitely sounds like there is an issue with your SSL...did you check your certificate to make sure the name on it and the FQDN match exactly?
ASKER CERTIFIED SOLUTION
Sembee

avogini

I know what Simon is referring to with the registry keys (RPCProxy I'm assuming?) but I'm convinced it's an SSL problem.

You noted that OWA works, do you use and/or force HTTPS usage for that? Is it also an internal CA? No problems?

If it is the registry, just answer: is this a front/back end config, or single server? If single, (and you don't have AD running on this thing too right?) then make sure registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\RpcProxy -> ValidPorts entry; change the Value Data to:
<SERVERNAME>:6001-6002;<server.company.net>:6001-6002;
<SERVERNAME>:6004;<server.company.net>:6004;

SERVERNAME is the NetBIOS name; server.company.net is the FQDN of the server in ref to RPC.
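
The ValidPorts layout described in the post above can be checked mechanically. This is an added example, not part of the thread: it assumes the value has already been read from the registry as a string, uses the placeholder host names from the question, and both sample strings are constructed.

```python
# Added example: audit an RpcProxy ValidPorts string. Sample values are constructed.
REQUIRED_PORTS = frozenset({6001, 6002, 6004})  # ports named in the post above


def parse_valid_ports(value):
    """Parse 'host:lo-hi;host:port;...' into {lowercased host: set of ports}."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # a trailing ';' leaves an empty segment
        host, sep, spec = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)  # single port -> range of one
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed


def missing_ports(value, hostnames, required=REQUIRED_PORTS):
    """Return {name: sorted missing ports} for each name not fully covered."""
    allowed = parse_valid_ports(value)
    gaps = {}
    for name in hostnames:
        missing = required - allowed.get(name.lower(), set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


def extra_port_count(value, required=REQUIRED_PORTS):
    """Return {host: number of listed ports outside the required set}."""
    parsed = parse_valid_ports(value)
    return {h: len(p - required) for h, p in parsed.items() if p - required}


GOOD = "WXYZ:6001-6002;wxyz.abcd.local:6001-6002;WXYZ:6004;wxyz.abcd.local:6004;"
WIDE = "WXYZ:100-5000"  # constructed: NetBIOS name only, broad range

if __name__ == "__main__":
    names = ["WXYZ", "wxyz.abcd.local"]  # NetBIOS name and FQDN to verify
    for label, value in (("GOOD", GOOD), ("WIDE", WIDE)):
        print(label, missing_ports(value, names), extra_port_count(value))
```

A non-empty result from missing_ports means the proxy has no entry for that name and port; extra_port_count shows how many additional ports the value lets the proxy forward to.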
ASKER
petesulli

OK :)

Thanks for the pointers - it was certs.

I now have a valid (self produced) cert for my website.  Boy do I feel a bit meek.

I still can't get Outlook to connect.

HTTPS to the site/rpc gave an untrusted cert error - so I imported it, now it keeps asking for a user name and password.

Any ideas on where to go from here?

Once AGAIN - thank you all for your help so far - I'm learning a lot here.
Sembee

First - I would suggest NOT using a self generated certificate. I have no success with those. When you can get commercial certificates for less than US$20 if you know where to look it doesn't make sense to spend hours getting the solution to work with self generated certificates.

Repeated authentication prompts usually means an authentication mismatch. Anonymous enabled on the /rpc virtual directory, integrated selected and trying to use basic in Outlook, or vice versa.

Simon.

--
Once your question has been answered, please remember to accept an answer and close the question.
ASKER
petesulli

I agree, but it's 5:15 on Friday night - and I just want to make this work. I will be getting a proper cert later.

Anon is not enabled in the RPC security.
Basic authentication is ticked in the RPC authentication methods, should integrated authentication be ticked also?

The client is set for basic authentication.

As soon as I try to connect to the server across the internet, i.e. as soon as I start Outlook, it prompts:
Connecting to wxyz.abcd.local

asking for u/n and p/w, should the username be jsmith or abcd\jsmith ?

Sorry for all the questions, I really feel I am close now

avogini

You need to use domain\username, b/c it's through a proxy, UPN won't work.
avogini

I also agree with Simon, a commercial cert is the way to go. Godaddy.com is a good site for inexpensive certs, and their customer service is good too. I have purchased several certs through them.
ASKER
petesulli

Thanks for all your help chaps,

Unfortunately time has beaten me, the cleaner is leaving, and so must I.

I will get a cert on Monday morn, and have another go then.

Once again - thanks
ASKER
petesulli

Good morning

I now have a Verisign test cert installed, and the RA on the test laptop.

https://ukndex.itwuk.net/rpc results in a couple of login prompts followed by 401.3 ACL permissions

Outlook still doesn't like it - but I'm not surprised given the advice from above.
ASKER
petesulli

Further testing has shown that I can get to OWA on HTTPS.

Being a temp cert I get a red address bar, but after clicking on the cert error bit, I have installed the cert successfully.

Any ideas where to go now chaps?
avogini

What is the 'Cert error bit' you referred to?

And do you get this every time you attempt to log in with OWA right now?
ASKER
petesulli

Hi Avogini, thanks for getting back
Hope you had a nice weekend

When I use OWA with HTTP://serv.dom.net it works fine, comes up, asks for U/N and P/W for which I provide my U/N without a preceding internal domain name. It works fine.

However when using HTTPS://serv.dom.net it comes up with an error page:  There is a problem with this website's security certificate.
/snip/
Click to close
Continue to this website (not recommended)
More info

Clicking continue takes me into OWA, but makes the address bar turn red, and the far right end of the address bar (right even of the drop down arrow) shows a red shield and Certificate Error.

I think the cert error is because it is only a Verisign test cert - but I don't know.

Thanks - Mark
Sembee

Verisign's test certificates are not trusted by anything, which personally I feel makes them close to useless. RapidSSL's test certificates are trusted and work immediately, without having to install anything.

Although most of Verisign's certificate products are overpriced and under specified, so the fact their test certificate is crippled doesn't surprise me.

Simon.

--
Once your question has been answered, please remember to accept an answer and close the question.
avogini

I agree with Simon, the test certificate is causing almost the same problems as the internal CA was causing. The Outlook client basically isn't smart enough to accept the certificate, such as you can manually through IE. I haven't tried RapidSSL's test certs but I trust Simon's judgment on using them in this instance.
ASKER
petesulli

Gentlemen you are both on the money.

Rapid's cert fixed the problem - so job done.

I feel that you have both been fantastic help - I feel it only fair to split the points, as it was avogini that pointed out my silly mistake of not giving the server a cert in the first place, and Simon that pointed me away from Verisign and their daft crippled cert towards RapidSSL.

I will in future be using Rapid, their system seems excellent.

Drop a quick note if you both think half each is fair, or fight it out.... and I'll do it. :)

Mark
avogini

Mark - Definitely fair and you're welcome... but you just split the points and gave them both to Simon! lol