petesulli asked:

RPC-HTTP not communicating - single server environment

I am trying to give Outlook users remote access to Exchange via RPC-HTTP.

I believe I have settings correct.
RPC ports have been set for the NetBIOS and FQDN
RPC is installed
OWA works.
The remote machine I am using as a test is a domain member.
My internal domain is of the type abcd.local, the server being named as wxyz.abcd.local.  (names changed!)

I have a DNS record for the server from outside wxyz.domain.net

The addressing works, as I can use the above FQDN for both OWA and TS.

Hope someone knows where I have gone wrong, it might be certs?  Is there a way of testing without the security - get that to work first and then add it on after?

Thanks

avogini

Just a few checks:

1) You have the correct environment?
  a) Windows 2k3 Domain
  b) Exchange 2k3 on Windows 2k3 box
  c) Outlook 2k3
  d) Windows XP SP2 on client

2) Firewall -> Allow port 80 inbound with direct 1 to 1 with exchange server

petesulli (ASKER)

Everything is as your list, and the server is a GC

Are you receiving any error messages to go off of?

Try a quick check to make sure RPC Proxy is running:
Open IE and try https://wxyz.domain.net/rpc

If you get a 403.2 error, then that's good... if you get a 404 then there is a DNS problem.

Also, double check your SSL cert matches the FQDN or your server exactly. (Typos can happen, trust me I know!)
Btw, a good idea just to narrow down the issue is to test without a firewall.

Use the info on this page as a guide (has pretty pics, which I can't do here). ;-)
http://www.petri.co.il/testing_rpc_over_http_connection.htm

OK, if I try my machine at
http://wxyz.domain.net/rpc
I get 403.4 - forbidden - go away and try httpS:// - so I do, and instead I get IE cannot display the web page, no error numbers, but it cracks on about DNS errors / checking browser supports SSL/TLS.

I have checked that the browser is set to allow SSL etc.
Nor does it matter whether I use a FQDN or IP address.
The test machine makes no difference whether it be on the local cable or the outside line.

I have been all over petri and used his notes to configure this thing in the first place.

Could there be a reason why it won't serve HTTPS pages?

Thanks for input so far


Ok, let me do some checking, but it now definitely sounds like there is an issue with your SSL...did you check your certificate to make sure the name on it and the FQDN match exactly?
ASKER CERTIFIED SOLUTION
Sembee

This solution is only available to members.

I know what Simon is referring to with the registry keys (RPCProxy I'm assuming?) but I'm convinced it's an SSL problem.

You noted that OWA works, do you use and/or force HTTPS usage for that? Is it also an internal CA? No problems?

If it is the registry, just answer is this a front/back end config, or single server? If single, (and you don't have AD running on this thing too right?) then make sure registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\RpcProxy -> ValidPorts entry; change the Value Data to:
<SERVERNAME>:6001-6002;<server.company.net>:6001-6002;
<SERVERNAME>:6004;<server.company.net>:6004;

SERVERNAME is the netbios name; server.company.net is the FQDN of the server in ref to RPC.
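
As an added example (not part of the thread or any poster's code), the Python below parses a port list of the form quoted for the RpcProxy registry value in the post above and reports names that lack ports 6001-6002 or 6004, as well as anything forwarded beyond them. The host names are the thread's placeholders and both sample strings are constructed.

```python
# Added example: audit an RpcProxy port list of the form quoted in the thread.
REQUIRED_PORTS = {6001, 6002, 6004}  # ports named in the post above

# Constructed sample values using the thread's placeholder names.
GOOD = "WXYZ:6001-6002;wxyz.abcd.local:6001-6002;WXYZ:6004;wxyz.abcd.local:6004;"
BAD = "WXYZ:100-5000"  # constructed: one name only, wide range, required ports absent

def parse_valid_ports(value):
    """Return {lowercased host: set of ports}; raise ValueError on a malformed entry."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate the trailing ';' seen in the quoted value
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"not in host:port form: {entry!r}")
        low, dash, high = ports.partition("-")
        try:
            start = int(low)
            end = int(high) if dash else start
        except ValueError:
            raise ValueError(f"non-numeric port in {entry!r}") from None
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(start, end + 1))
    return allowed

def audit_valid_ports(value, netbios, fqdn):
    """List findings: required ports missing per name, then hosts/ports beyond them."""
    allowed = parse_valid_ports(value)
    expected = (netbios.lower(), fqdn.lower())
    findings = []
    for name in expected:
        missing = REQUIRED_PORTS - allowed.get(name, set())
        if missing:
            findings.append(f"{name}: missing ports {sorted(missing)}")
    for host, ports in allowed.items():
        extra = ports - REQUIRED_PORTS
        if host not in expected:
            findings.append(f"{host}: name is neither the NetBIOS name nor the FQDN")
        elif extra:
            findings.append(f"{host}: {len(extra)} port(s) forwarded beyond the required set")
    return findings

if __name__ == "__main__":
    for label, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_valid_ports(value, "WXYZ", "wxyz.abcd.local") or "ok")
```
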
OK :)

Thanks for the pointers - it was certs.

I now have a valid (self produced) cert for my website.  Boy do I feel a bit meek.

I still can't get Outlook to connect.

HTTPS to the site/rpc gave an untrusted cert error - so I imported it, now it keeps asking for a user name and password.

Any ideas on where to go from here?

Once AGAIN - thank you all for your help so far - I'm learning a lot here.
First - I would suggest NOT using a self generated certificate. I have no success with those. When you can get commercial certificates for less than US$20 if you know where to look it doesn't make sense to spend hours getting the solution to work with self generated certificates.

Repeated authentication prompts usually mean an authentication mismatch. Anonymous enabled on the /rpc virtual directory, integrated selected and trying to use basic in Outlook, or vice versa.

Simon.

--
Once your question has been answered, please remember to accept an answer and close the question.
I agree, but it's 5:15 on Friday night - and I just want to make this work.. I will be getting a proper cert later.

Anon is not enabled in the RPC security.
Basic authentication is ticked in the RPC authentication methods, should integrated authentication be ticked also?

The client is set for basic authentication.

As soon as I try to connect to the server across the internet, i.e. as soon as I start Outlook, it prompts:
Connecting to wxyz.abcd.local

asking for u/n and p/w, should the username be jsmith or abcd\jsmith ?

Sorry for all the questions, I really feel I am close now

You need to use domain\username, b/c it's through a proxy, UPN won't work.
I also agree with Simon, a commercial cert is the way to go. Godaddy.com is a good site for inexpensive certs, and their customer service is good too. I have purchased several certs through them.
SOLUTION
This solution is only available to members.

Thanks for all your help chaps,

Unfortunately time has beaten me, the cleaner is leaving, and so must I.

I will get a cert on Monday morn, and have another go then.

Once again - thanks
Good morning

I now have a verisign test cert installed, and the RA on the test laptop.

https://ukndex.itwuk.net/rpc results in a couple of login prompts followed by 401.3 ACL permissions

Outlook still doesn't like it - but I'm not surprised given the advice from above.
Further testing has shown that I can get to OWA on HTTPS.

Being a temp cert I get a red address bar, but after clicking on the cert error bit, I have installed the cert successfully

Any ideas where to go now chaps?
What is the 'Cert error bit' you referred to?

And do you get this every time you attempt to log in with OWA right now?
Hi Avogini, thanks for getting back
Hope you had a nice weekend

When I use OWA with HTTP://serv.dom.net it works fine, comes up, asks for U/N and P/W, for which I provide my U/N without a preceding internal domain name; it works fine.

However when using HTTPS://serv.dom.net it comes up with an error page:  There is a problem with this website's security certificate.
/snip/
Click to close
Continue to this website (not recommended)
More info

Clicking continue takes me into OWA, but makes the address bar turn red, and the far right end of the address bar (right even of the drop down arrow) shows a red shield and Certificate Error.

I think the cert error is because it is only a Verisign test cert - but I don't know.

Thanks - Mark
Verisign's test certificates are not trusted by anything, which personally I feel makes them close to useless. RapidSSL's test certificates are trusted and work immediately, without having to install anything.

Although most of Verisign's certificate products are overpriced and under specified, so the fact their test certificate is crippled doesn't surprise me.

Simon.

I agree with Simon, the test certificate is causing almost the same problems as the internal CA was causing. The Outlook client basically isn't smart enough to accept the certificate, such as you can manually through IE. I haven't tried RapidSSL's test certs but I trust Simon's judgment on using them in this instance.
Gentlemen you are both on the money.

Rapid's cert fixed the problem - so job done.

I feel that you have both been fantastic help - I feel it only fair to split the points, as it was avogini that pointed out my silly mistake of not giving the server a cert in the first place, and Simon that pointed me away from Verisign and their daft crippled cert towards RapidSSL.

I will in future be using Rapid, their system seems excellent.

Drop a quick note if you both think half each is fair, or fight it out.... and I'll do it. :)

Mark
Mark - Definitely fair and you're welcome... but you just split the points and gave them both to Simon! lol