RPC over HTTPS, Multiple Server environment

I've been charged by our database company to configure Exchange 2003 to allow RPC over HTTPS.

We currently use the VPN for offsite e-mail use and OWA. We do not have a security certificate for OWA. Exchange is on its own server apart from the main DC/AD/File Server. Exchange is publishing OWA.

I've done some reading already on the subject, but want to learn more before I undertake the job. Any help will be very much appreciated.
Asked: pstiffsae

5 Solutions

Andres Perales Commented:
http://www.msexchange.org/tutorials/outlookrpchttp.html for the client side

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm for the server side on single machine.

and the link from Microsoft themselves... http://support.microsoft.com/kb/833401
good luck and have fun
0
 
Stephen Manderson Commented:
The first thing I would say is get a 3rd party SSL certificate from a trusted authority such as godaddy.com. It will save a lot of problems, in particular if your remote users require to connect to Exchange via ActiveSync.

With regards to actually publishing Exchange via ISA, you will find the following TechNet article very informative when configuring your publishing rule.
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Also for an additional walkthrough see the isaserver.org tutorial below for publishing exchange
http://www.isaserver.org/tutorials/2004owafba.html

As far as client configuration goes the link provided in the post above will guide you through this

Regards
Steve

0
 
pstiffsae Author Commented:
We aren't using ISA, though. Is that a major hang up?
0
 
Stephen Manderson Commented:
Why post it in the ISA zone? :-)

You can publish it without ISA, yes, but at a price: it's a lot less secure. The key is that ISA provides pre-authentication.

ISA is able to pre-authenticate and pre-authorize the connecting user BEFORE allowing the OWA connection. Only after the user is pre-authenticated and pre-authorized is the connection then passed to the OWA site. As well as this, the ISA firewall can also close the SSL connection from the remote user. The traffic is also subjected to HTTP inspection via the built-in HTTP filters. The traffic is then re-encrypted to give an end-to-end SSL connection.

Also, ISA gives excellent reporting on failed connection attempts and also provides lockout of the failed IP trying to connect, such that if a wrong password is provided too many times that remote IP can be blocked from further attempts to gain unauthorised access.

So in short, I feel much better knowing that I have this extra protection when remote users try to access my servers remotely.

Regards
Steve
0
 
Andres Perales Commented:
A PIX firewall or any hardware firewall would be just as secure as ISA... ISA is just the Microsoft solution that would fit in with all of the rest of the product line.
0
 
pstiffsae Author Commented:
I'm at the part before you lock it down with SSL cert, but it can't connect and find the Exchange Server while in Outlook on the client computer. What am I doing wrong?

What is that website to get a free, temp SSL cert to try it out?
0
 
Stephen Manderson Commented:
Yes, there are a few companies that offer trial SSL certificates. Here are a few that I have used and would use again.

https://www.thawte.com/ssl-digital-certificates/free-trial/
http://www.verisign.com/products-services/index.html

The VeriSign certs can be quite expensive, so they are only ideal for testing. As I said earlier, GoDaddy would do the job and they only cost about $20.


Peralesa

A PIX simply cannot offer the security of a site published via ISA; a direct port forward of 443 to the Exchange server would be required. So your assumption that any hardware firewall would offer the same protection is far from the truth.



0
 
pstiffsae Author Commented:
Well, here's what I got:

I followed the above How To's and can access OWA both from HTTP and HTTPS.

However, when I force the Require SSL under Directory Security under Default Website, no messages will display under HTTP, but they will under HTTPS.

I followed the How To on how to set it up on the client computer, and am setting it up remotely. It can't find the exchange server and I get errors that there isn't any communication with the Exchange Server. What am I doing wrong?

'Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Exchange Server is unavailable. Outlook must be online or connected to complete this action.'
0
 
Andres Perales Commented:
So you can get to OWA from the outside just fine right?

On the client you just need to enter the url for the exchange proxy, not the same url as when you connect to OWA

so for owa you would use example only - mail.myserver.com/exchange
for client you just need - mail.myserver.com

without the exchange after it...
0
 
pstiffsae Author Commented:
Yeah, I got that and have that entered correctly. Is there anything in Exchange System Manager I'm supposed to do?
0
 
Andres Perales Commented:
Are your users enabled for that type of connection in ADUC?
0
 
pstiffsae Author Commented:
Yes, they are, I believe. How can I check? But it acts exactly like setting up the client on a computer not connected to the network. I'm getting 'Exchange server is offline, Work offline or retry' or no connection found.
0
 
Andres Perales Commented:
a firewall somewhere between there and the server...?  nah you can get to OWA?  hmmm...
http://www.microsoft.com/downloads/details.aspx?FamilyId=F7D2D6E5-579F-4779-A6B8-7EF931EC02A5&displaylang=en

here is another link with the exact steps...go over and double check it all...
0
 
pstiffsae Author Commented:
http://technet.microsoft.com/en-us/library/aa997038(EXCHG.65).aspx

Currently 'Not Part of Exchange RPC-HTTP Topology' is checked with the only choice to make the Exchange Server a RPC-HTTP back-end server. Is this the problem?
0
 
Andres Perales Commented:
So this is a single server configuration? Then there are some registry edits you have to do; did you verify those?
0
 
pstiffsae Author Commented:
By single server, do you mean we have one exchange server or one server that does it all, exchange, AD, File Server, etc. Because we have our main file server with AD and our Exchange Server.
0
 
Andres Perales Commented:
Exchange server, you have one exchange server doing OWA and proxy and serving mail?
0
 
pstiffsae Author Commented:
Yes, that's correct. It would be doing Exchange functionality, OWA, and RPC-HTTPS proxy from one box.
0
 
Andres Perales Commented:
Were these steps done? Just verifying... so please do not think I am insulting you...

To install this component, follow these steps:

On the Exchange Server 2003 computer that is running Windows Server 2003, click Start, point to Control Panel, and then click Add or Remove Programs.

Click Add Remove Windows Components, click Networking Services, and then click Details.

Click to select the RPC over HTTP Proxy check box, click OK, and then click Next. Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.



When Windows Component Wizard has completed configuring components, click Finish.

0
 
pstiffsae Author Commented:
By NO means do I find that insulting. I am learning how to do it and you are GRACIOUSLY teaching me.

To answer your question, yes. I did do that. I did the following:

The RPC proxy server processes the Outlook 2003 RPC requests that arrive from the Internet. To successfully process RPC over HTTP requests, you must install the Windows Server 2003 RPC over HTTP Proxy networking component on your Exchange computer.

After you configure the Exchange computer to use RPC over HTTP/S, you must configure the RPC virtual directory in Internet Information Services (IIS).

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
0
 
pstiffsae Author Commented:
And I'm rocking Service Pack 2, not one, is that a huge issue?
0
 
Andres Perales Commented:
Thanks, just do not want to insult anyone...

When it came down to the regedit part did you do it manually or did you use that tool?
0
 
pstiffsae Author Commented:
I didn't use that tool. What exactly does that tool do? What are the ports currently set at? What will this do with our OWA users if I change the ports? Just a little nervous to modify registry items if I don't know the result.
0
 
Andres Perales Commented:
No, SP2 should be fine...
0
 
Andres Perales Commented:
It should not affect your OWA... if you have a lab or test box you can try it there first.

You should always back up your registry keys prior to making any changes too...

The tool verifies and validates your registry settings according to what they should be set to for a single server implementation...

That may be why your setup is not working.

Your RPC proxy may not know the valid external address to proxy to the internal address.
0
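An added example, not from this thread or from Microsoft: a small Python check of the RpcProxy ValidPorts registry string that KB833401 (linked earlier) has you set on a single-server layout, since an incomplete value is one way the proxy ends up unable to reach the back end. The host names are constructed placeholders; the required ports 6001-6002 and 6004 and the `host:port;host:port` format are those the KB article specifies.

```python
import re

# Ports an Exchange 2003 single-server setup must expose through the proxy
# (store 6001-6002, directory/NSPI 6004), per KB833401.
REQUIRED_PORTS = {6001, 6002, 6004}
_ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")


def parse_valid_ports(value):
    """Turn 'host:6001-6002;host:6004' into {host: {ports}}; reject garbage."""
    allowed = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        host, lo, hi = m.group(1).lower(), int(m.group(2)), m.group(3)
        hi = int(hi) if hi else lo
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host, set()).update(range(lo, hi + 1))
    return allowed


def check_valid_ports(value, netbios_name, fqdn):
    """List problems; empty means complete. Outlook may use either name, so both need all ports."""
    allowed = parse_valid_ports(value)
    problems = []
    for name in (netbios_name.lower(), fqdn.lower()):
        missing = sorted(REQUIRED_PORTS - allowed.get(name, set()))
        if missing:
            problems.append(f"{name}: missing port(s) {missing}")
    for host, ports in allowed.items():
        extra = sorted(ports - REQUIRED_PORTS)
        if extra:  # wider than needed is extra exposure worth noticing
            problems.append(f"{host}: unnecessary port(s) {extra}")
    return problems


# Constructed sample values; the host names are placeholders.
GOOD = "exch01:6001-6002;exch01.corp.example:6001-6002;exch01:6004;exch01.corp.example:6004"
INCOMPLETE = "exch01:6001-6002;exch01:6004"  # FQDN entries forgotten

if __name__ == "__main__":
    print(check_valid_ports(GOOD, "exch01", "exch01.corp.example"))
    print(check_valid_ports(INCOMPLETE, "exch01", "exch01.corp.example"))
```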
 
pstiffsae Author Commented:
Is this something I should do after hours?
0
 
Andres Perales Commented:
yes, I would do it after hours.
0
 
pstiffsae Author Commented:
Well, I did all that and now HTTPS for OWA is no longer working. By 'did all this', I mean I updated the ports and made the server a back-end server. What's the deal?
0
 
pstiffsae Author Commented:
Additionally, when I attempt to visit the HTTPS OWA site, I get a certificate warning with IE7 and then it goes to a 'page cannot be displayed'.
0
 
pstiffsae Author Commented:
Well, when I RDP into my work computer, I can access HTTPS; outside of that, I get a 'page cannot be displayed'.
0
 
Andres Perales Commented:
Is it all working?
0
