Solved

RPC over HTTPS, Multiple Server environment

Posted on 2008-06-18
Last Modified: 2008-11-17
I've been charged by our database company to configure Exchange 2003 to allow RPC over HTTPS.

We currently use the VPN for offsite e-mail use and OWA. We do not have a security certificate for OWA. Exchange is on its own server apart from the main DC/AD/File Server. Exchange is publishing OWA.

I've done some reading already on the subject, but want to learn more before I undertake the job. Any help will be very much appreciated.
Question by:pstiffsae
31 Comments
 
LVL 17

Expert Comment

by:Andres Perales
http://www.msexchange.org/tutorials/outlookrpchttp.html for the client side

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm for the server side on single machine.

and the link from Microsoft themselves... http://support.microsoft.com/kb/833401
Good luck and have fun.
 
LVL 19

Expert Comment

by:Stephen Manderson
The first thing I would say is get a 3rd party SSL certificate from a trusted authority such as godaddy.com. It will save a lot of problems, in particular if your remote users need to connect to Exchange via ActiveSync.

With regards to actually publishing Exchange via ISA, you will find the following TechNet article very informative when configuring your publishing rule.
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Also, for an additional walkthrough see the isaserver.org tutorial below for publishing Exchange.
http://www.isaserver.org/tutorials/2004owafba.html

As far as client configuration goes, the link provided in the post above will guide you through this.

Regards
Steve

 

Author Comment

by:pstiffsae
We aren't using ISA, though. Is that a major hang up?
 
LVL 19

Expert Comment

by:Stephen Manderson
Why post it in the ISA zone ? :-)

You can publish it without ISA, yes, but at a price: it's a lot less secure. The key is that ISA provides pre-authentication.

ISA is able to pre-authenticate and pre-authorize the connecting user BEFORE allowing the OWA connection. Only after the user is pre-authenticated and pre-authorized is the connection passed to the OWA site. As well as this, the ISA firewall can also close the SSL connection from the remote user. The traffic is also subjected to HTTP inspection via the built-in HTTP filters. The traffic is also re-encrypted to give an end-to-end SSL connection.

Also ISA gives excellent reporting on failed connection attempts and also provides lockout for the failed IP trying to connect, such that if a wrong password is provided too many times that remote IP can be blocked from further attempts to gain unauthorised access.

So in short I feel much better knowing that I have this extra protection when remote users try to access my servers remotely.

Regards
Steve
 
LVL 17

Accepted Solution

by:Andres Perales
Andres Perales earned 500 total points
A PIX firewall or any hardware firewall would be just as secure as ISA...ISA is just the Microsoft solution that would fit in with all of the rest of the product line.
 

Author Comment

by:pstiffsae
I'm at the part before you lock it down with the SSL cert, but Outlook on the client computer can't connect and find the Exchange server. What am I doing wrong?

What is that website to get a free, temp SSL cert to try it out?
 
LVL 19

Expert Comment

by:Stephen Manderson
Yes, there are a few companies that offer trial SSL certificates; here are a few that I have used and would use again.

https://www.thawte.com/ssl-digital-certificates/free-trial/
http://www.verisign.com/products-services/index.html

The VeriSign certs can be quite expensive, so they are only ideal for testing. As I said earlier, GoDaddy would do the job and they only cost about $20.


Peralesa

A PIX simply cannot offer the security of a site published via ISA. A direct port forward of 443 to the Exchange server would be required. So your assumption that any hardware firewall would offer the same protection is far from the truth.

 

Author Comment

by:pstiffsae
Well, here's what I got:

I followed the above How To's and can access OWA both from HTTP and HTTPS.

However, when I force the Require SSL under Directory Security under Default Website, no messages will display under HTTP, but they will under HTTPS.

I followed the How To on how to set it up on the client computer, and am setting it up remotely. It can't find the exchange server and I get errors that there isn't any communication with the Exchange Server. What am I doing wrong?

'Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Exchange Server is unavailable. Outlook must be online or connected to complete this action.'
 
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 500 total points
So you can get to OWA from the outside just fine right?

On the client you just need to enter the URL for the Exchange proxy, not the same URL as when you connect to OWA.

So for OWA you would use (example only) mail.myserver.com/exchange
For the client you just need mail.myserver.com

without the exchange after it...
 

Author Comment

by:pstiffsae
Yeah, I got that and have that entered correctly. Is there anything in Exchange System Manager I'm supposed to do?
 
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 500 total points
Are your users enabled for that type of connection? In ADUC?
 

Author Comment

by:pstiffsae
Yes, they are, I believe. How can I check? But it acts exactly like setting up the client on a computer not connected to the network. I'm getting 'Exchange server is offline, work offline or retry' or no connection found.
 
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 500 total points
A firewall somewhere between there and the server...? Nah, you can get to OWA? Hmmm...
http://www.microsoft.com/downloads/details.aspx?FamilyId=F7D2D6E5-579F-4779-A6B8-7EF931EC02A5&displaylang=en

Here is another link with the exact steps...go over and double check it all...
 

Author Comment

by:pstiffsae
http://technet.microsoft.com/en-us/library/aa997038(EXCHG.65).aspx

Currently 'Not Part of Exchange RPC-HTTP Topology' is checked with the only choice to make the Exchange Server a RPC-HTTP back-end server. Is this the problem?
 
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 500 total points
So this is a single server configuration? Then there are some registry edits you have to do; did you verify those?
 

Author Comment

by:pstiffsae
By single server, do you mean we have one Exchange server, or one server that does it all (Exchange, AD, file server, etc.)? Because we have our main file server with AD, and our Exchange server.
 
LVL 17

Expert Comment

by:Andres Perales
Exchange server: you have one Exchange server doing OWA and proxy and serving mail?
 

Author Comment

by:pstiffsae
Yes, that's correct. It would be doing Exchange functionality, OWA, and RPC-HTTPS proxy from one box.
 
LVL 17

Expert Comment

by:Andres Perales
Were these steps done? Just verifying...so please do not think I am insulting you...

To install this component, follow these steps:

On the Exchange Server 2003 computer that is running Windows Server 2003, click Start, point to Control Panel, and then click Add or Remove Programs.

Click Add/Remove Windows Components, click Networking Services, and then click Details.

Click to select the RPC over HTTP Proxy check box, click OK, and then click Next. Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.

When the Windows Component Wizard has completed configuring components, click Finish.

 

Author Comment

by:pstiffsae
By NO means do I find that insulting. I am learning how to do it and you are GRACIOUSLY teaching me.

To answer your question, yes. I did do that. I did the following:

The RPC proxy server processes the Outlook 2003 RPC requests that arrive from the Internet. To successfully process RPC over HTTP requests, you must install the Windows Server 2003 RPC over HTTP Proxy networking component on your Exchange computer.

After you configure the Exchange computer to use RPC over HTTP/S, you must configure the RPC virtual directory in Internet Information Services (IIS).

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
 

Author Comment

by:pstiffsae
And I'm rocking Service Pack 2, not 1; is that a huge issue?
 
LVL 17

Expert Comment

by:Andres Perales
Thanks, just do not want to insult anyone...

When it came down to the regedit part did you do it manually or did you use that tool?
 

Author Comment

by:pstiffsae
I didn't use that tool. What exactly does that tool do? What are the ports currently set at? What will this do to our OWA users if I change the ports? I'm just a little nervous about modifying registry items if I don't know the result.
 
LVL 17

Expert Comment

by:Andres Perales
No, SP2 should be fine...
 
LVL 17

Expert Comment

by:Andres Perales
It should not affect your OWA...if you have a lab or test box you can try it there first.

You should always back up your registry keys prior to making any changes too...

The tool verifies and validates your registry settings according to what they should be set to for a single server implementation...

That may be why your setup is not working.

Your RPC proxy may not know the valid external address to proxy to the internal address.
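The registry check the expert is describing, as an added example (not the thread's tool and not Microsoft code): a Python validator for the RPC proxy's ValidPorts value, which in a single-server setup must, per the KB 833401 article linked earlier in the thread, list the Exchange server's NetBIOS name and FQDN with ports 6001-6002 and 6004. The server name and domain in the sample are constructed.

```python
r"""Check an Exchange 2003 RPC-over-HTTP proxy ValidPorts value (added example,
not the thread's tool or Microsoft code). The value lives at
HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts (REG_SZ); read it with
    reg query "HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy" /v ValidPorts
and pass the string to missing_entries()."""
import re

# Single-server layout per KB 833401: the Exchange server's NetBIOS name and
# its FQDN must each allow the store/referral ports 6001-6002 and DSProxy 6004.
REQUIRED_PORTS = frozenset({6001, 6002, 6004})
ENTRY_RE = re.compile(r"^([^:;]+):(\d{1,5})(?:-(\d{1,5}))?$")


def parse_validports(value):
    """Parse 'host:port[-port];host:port;...' into {host_lower: set(ports)};
    raise ValueError on a malformed entry (a typo silently breaks the proxy)."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        host, low, high = m.group(1).lower(), int(m.group(2)), m.group(3)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError("bad port range in entry: %r" % entry)
        allowed.setdefault(host, set()).update(range(low, high + 1))
    return allowed


def missing_entries(value, netbios_name, fqdn):
    """Return {host: [missing ports]} for the two names Outlook may use;
    an empty dict means the value satisfies the single-server requirement."""
    allowed = parse_validports(value)
    missing = {}
    for host in (netbios_name.lower(), fqdn.lower()):
        gap = REQUIRED_PORTS - allowed.get(host, set())
        if gap:
            missing[host] = sorted(gap)
    return missing


if __name__ == "__main__":
    # Constructed sample; server name and domain are hypothetical.
    sample = "EXCH01:6001-6002;exch01.corp.example:6001-6002"
    print(missing_entries(sample, "EXCH01", "exch01.corp.example"))
```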
 

Author Comment

by:pstiffsae
Is this something I should do after hours?
 
LVL 17

Expert Comment

by:Andres Perales
Yes, I would do it after hours.
 

Author Comment

by:pstiffsae
Well, I did all that and now HTTPS for OWA is no longer working. By 'did all this', I mean I updated the ports and made the server a back-end server. What's the deal?
 

Author Comment

by:pstiffsae
Additionally, when I attempt to visit the HTTPS OWA site, I get a certificate warning in IE7 and it goes to a 'page cannot be displayed'.
 

Author Comment

by:pstiffsae
Well, when I RDP into my work computer, I can access HTTPS; outside of that, I get a page cannot be displayed.
 
LVL 17

Expert Comment

by:Andres Perales
Is it all working?