RPC over HTTPS, Multiple Server environment

Patrick (ASKER):

I've been charged by our database company to configure Exchange 2003 to allow RPC over HTTPS.

We currently use the VPN for offsite e-mail use and OWA. We do not have a security certificate for OWA. Exchange is on its own server apart from the main DC/AD/File Server. Exchange is publishing OWA.

I've done some reading already on the subject, but want to learn more before I undertake the job. Any help will be very much appreciated.
Andres Perales:

http://www.msexchange.org/tutorials/outlookrpchttp.html for the client side

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm for the server side on single machine.

and the link from Microsoft themselves... http://support.microsoft.com/kb/833401
good luck and have fun
The first thing I would say is get a 3rd party SSL certificate from a trusted authority such as godaddy.com. It will save a lot of problems, in particular if your remote users require to connect to Exchange via ActiveSync.

With regards to actually publishing Exchange via ISA, you will find the following TechNet article very informative when configuring your publishing rule:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Also, for an additional walkthrough, see the isaserver.org tutorial below for publishing Exchange:
http://www.isaserver.org/tutorials/2004owafba.html

As far as client configuration goes, the link provided in the post above will guide you through this.

Regards
Steve

Patrick (ASKER):

We aren't using ISA, though. Is that a major hang up?
Why post it in the ISA zone ? :-)

You can publish it without ISA, yes, but at a price: it's a lot less secure. The key is that ISA provides pre-authentication.

ISA is able to pre-authenticate and pre-authorize the connecting user BEFORE allowing the OWA connection. Only then, after the user is pre-authenticated and pre-authorized, is the connection passed to the OWA site. As well as this, the ISA firewall can also close the SSL connection from the remote user. The traffic is also subjected to HTTP inspection via the built-in HTTP filters. The traffic is also re-encrypted to give an end-to-end SSL connection.

Also, ISA gives excellent reporting on failed connection attempts and also provides lockout of the failed IP trying to connect, such that if a wrong password is provided too many times that remote IP can be blocked from further attempts to gain unauthorised access.

So in short, I feel much better knowing that I have this extra protection when remote users try to access my servers remotely.

Regards
Steve
ASKER CERTIFIED SOLUTION
Andres Perales:

This solution is only available to members.
Patrick (ASKER):

I'm at the part before you lock it down with SSL cert, but it can't connect and find the Exchange Server while in Outlook on the client computer. What am I doing wrong?

What is that website to get a free, temp SSL cert to try it out?
Yes, there are a few companies that offer trial SSL certificates. Here are a few that I have used and would use again:

https://www.thawte.com/ssl-digital-certificates/free-trial/
http://www.verisign.com/products-services/index.html

The VeriSign certs can be quite expensive, so they are only ideal for testing. As I said earlier, GoDaddy would do the job and they only cost about $20.


Peralesa

A PIX simply cannot offer the security of a site published via ISA. A direct port forward of 443 to the Exchange server would be required. So your assumption that any hardware firewall would offer the same protection is far from the truth.



Patrick (ASKER):

Well, here's what I got:

I followed the above How To's and can access OWA both from HTTP and HTTPS.

However, when I force the Require SSL under Directory Security under Default Website, no messages will display under HTTP, but they will under HTTPS.

I followed the How To on how to set it up on the client computer, and am setting it up remotely. It can't find the exchange server and I get errors that there isn't any communication with the Exchange Server. What am I doing wrong?

'Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Exchange Server is unavailable. Outlook must be online or connected to complete this action.'
SOLUTION

This solution is only available to members.
Patrick (ASKER):

Yeah, I got that and have that entered correctly. Is there anything in Exchange System Manager I'm supposed to do?
SOLUTION

This solution is only available to members.
Patrick (ASKER):

Yes, they are, I believe. How can I check? But it acts exactly like setting up the client on a computer not connected to the network. I'm getting 'Exchange server is offline, Work offline or retry' or no connection found.
SOLUTION

This solution is only available to members.
Patrick (ASKER):

http://technet.microsoft.com/en-us/library/aa997038(EXCHG.65).aspx

Currently 'Not Part of Exchange RPC-HTTP Topology' is checked with the only choice to make the Exchange Server a RPC-HTTP back-end server. Is this the problem?
SOLUTION

This solution is only available to members.
Patrick (ASKER):

By single server, do you mean we have one Exchange server, or one server that does it all (Exchange, AD, File Server, etc.)? Because we have our main file server with AD and our Exchange Server.
Exchange server, you have one exchange server doing OWA and proxy and serving mail?
Patrick (ASKER):

Yes, that's correct. It would be doing Exchange functionality, OWA, and RPC-HTTPS proxy from one box.
Were these steps done? Just verifying... so please do not think I am insulting you...

To install this component, follow these steps:

On the Exchange Server 2003 computer that is running Windows Server 2003, click Start, point to Control Panel, and then click Add or Remove Programs.

Click Add Remove Windows Components, click Networking Services, and then click Details.

Click to select the RPC over HTTP Proxy check box, click OK, and then click Next. Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.

When Windows Component Wizard has completed configuring components, click Finish.

Patrick (ASKER):

By NO means do I find that insulting. I am learning how to do it and you are GRACIOUSLY teaching me.

To answer your question, yes. I did do that. I did the following:

The RPC proxy server processes the Outlook 2003 RPC requests that arrive from the Internet. To successfully process RPC over HTTP requests, you must install the Windows Server 2003 RPC over HTTP Proxy networking component on your Exchange computer.

After you configure the Exchange computer to use RPC over HTTP/S, you must configure the RPC virtual directory in Internet Information Services (IIS).

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
Patrick (ASKER):

And I'm rocking Service Pack 2, not one, is that a huge issue?
Thanks, just do not want to insult anyone...

When it came down to the regedit part did you do it manually or did you use that tool?
Patrick (ASKER):

I didn't use that tool. What exactly does that tool do? What are the ports currently set at? What will this do with our OWA users if I change the ports? Just a little nervous to modify registry items if I don't know the result.
No, SP2 should be fine...
It should not affect your OWA... if you have a lab or test box you can try it there first.

You should always back up your registry keys prior to making any changes too...

The tool verifies and validates your registry settings according to what they should be set to for a single server implementation...

That may be why your setup is not working.

Your RPC proxy may not know the valid external address to proxy to the internal address.
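The registry setting being discussed here is the RPC proxy's ValidPorts allow-list (HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts, the value that KB833401, linked earlier in the thread, has you set by hand for a single-server setup). The proxy only forwards RPC-over-HTTP requests to host:port pairs named in that string, so a typo there produces exactly the "server unavailable" symptom above, while an over-broad entry forwards Internet traffic to places it need not reach. As an added example (not code from this thread, from Microsoft, or from the Petri walkthrough), here is a small Python checker that parses a ValidPorts value and compares it with the single-server layout KB833401 describes: both the NetBIOS name and the FQDN of the Exchange server, each on 6001-6002 (Store and DS referral) and 6004 (NSPI). The server names MAIL / mail.corp.example and the sample values are constructed; run it against the string copied out of the registry on the Exchange box.

```python
"""Audit an RpcProxy ValidPorts value against the single-server RPC-over-HTTP layout.

Hypothetical helper, not from the thread. ValidPorts is an allow-list: the RPC
proxy only forwards to host:port pairs listed here, so a missing entry breaks
Outlook, while an extra entry forwards Internet traffic somewhere it need not go.
"""
from __future__ import annotations

# Ports KB833401 expects on a single Exchange 2003 back-end:
# 6001 = Store, 6002 = DS referral, 6004 = NSPI (directory proxy).
REQUIRED_PORTS: frozenset[int] = frozenset({6001, 6002, 6004})


def parse_valid_ports(value: str) -> dict[str, set[int]]:
    """Turn 'host:6001-6002;host:6004' into {host: {6001, 6002, 6004}}.

    A malformed entry raises ValueError: the proxy would silently ignore it,
    which is exactly the kind of typo that produces 'server unavailable'.
    """
    hosts: dict[str, set[int]] = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing ';'
        host, sep, spec = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"entry is not host:port(s): {entry!r}")
        low_s, _, high_s = spec.partition("-")
        try:
            low, high = int(low_s), int(high_s or low_s)
        except ValueError:
            raise ValueError(f"non-numeric port in {entry!r}") from None
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        # Host names are case-insensitive; normalise so MAIL and mail merge.
        hosts.setdefault(host.lower(), set()).update(range(low, high + 1))
    return hosts


def audit_valid_ports(value: str, exchange_names: list[str]) -> dict[str, dict[str, set[int]]]:
    """Compare ValidPorts with what the named Exchange server needs.

    exchange_names: the NetBIOS name and the FQDN of the (single) Exchange
    server; KB833401 wants both spellings present.
    Returns three findings, each {host: ports}; all empty means the value is right.
    """
    hosts = parse_valid_ports(value)
    wanted = {n.lower() for n in exchange_names}
    missing = {n: set(REQUIRED_PORTS - hosts.get(n, set())) for n in wanted}
    extra_ports = {n: hosts[n] - REQUIRED_PORTS for n in wanted if n in hosts}
    unexpected = {h: p for h, p in hosts.items() if h not in wanted}
    return {
        "missing": {n: p for n, p in missing.items() if p},          # Outlook will fail
        "extra_ports": {n: p for n, p in extra_ports.items() if p},  # range wider than needed
        "unexpected_hosts": unexpected,                               # proxy forwards elsewhere
    }


if __name__ == "__main__":
    # Constructed sample in the shape KB833401 describes, for a hypothetical
    # server named MAIL with FQDN mail.corp.example.
    good = "MAIL:6001-6002;mail.corp.example:6001-6002;MAIL:6004;mail.corp.example:6004"
    # Constructed mistake: FQDN forgotten and the range widened to 6001-6004.
    bad = "MAIL:6001-6004"
    for label, v in (("good", good), ("bad", bad)):
        print(label, audit_valid_ports(v, ["MAIL", "mail.corp.example"]))
```

The "unexpected_hosts" finding is the one worth a second look from a security standpoint: anything listed there is a destination the Internet-facing proxy will happily relay RPC traffic to, so the list should name only the Exchange server.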
Patrick (ASKER):

Is this something I should do afterhours?
Yes, I would do it after hours.
Patrick (ASKER):

Well, I did all that and now HTTPS for OWA is no longer working. By "did all that" I mean I updated the ports and made the server a back-end server. What's the deal?
Patrick (ASKER):

Additionally, when I attempt to visit the HTTPS OWA site, I get a certificate warning with IE7 and it goes to a "page cannot be displayed".
Patrick (ASKER):

Well, when I RDP into my work computer, I can access HTTPS; outside of that, I get a "page cannot be displayed".
Is it all working?
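The last few posts run three separate failures together: a certificate warning in IE7, a "page cannot be displayed" that only happens from outside the office, and Outlook not finding the Exchange server. As an added example (a hypothetical diagnostic, not code from this thread or from Microsoft), here is a Python probe to run from a machine on the Internet, not over RDP, that takes those apart. It connects to the external name on 443 with the same certificate checks a browser applies (trusted issuer, not expired, name matches the host), then requests the RPC proxy endpoint /rpc/rpcproxy.dll and reports whether IIS answers the way a working proxy does, with a 401 that offers an authentication method. The host name mail.corp.example is a constructed placeholder; put the name that is on the certificate in its place.

```python
"""Probe an RPC-over-HTTPS front door the way Outlook or a browser sees it.

Hypothetical diagnostic, not from the thread. Run it from OUTSIDE the office
network. It separates three failures that look alike from a client:
  1. TCP 443 not reachable from the Internet (firewall / DNS),
  2. certificate not trusted by the client (the IE7 warning),
  3. /rpc virtual directory missing, or not demanding authentication.
"""
from __future__ import annotations

import http.client
import ssl
import sys

RPCPROXY_PATH = "/rpc/rpcproxy.dll"  # the RPC-over-HTTP proxy endpoint in IIS


def interpret_rpcproxy_reply(status: int, www_authenticate: str | None) -> tuple[bool, str]:
    """Decide whether an HTTP reply from /rpc/rpcproxy.dll looks healthy.

    A healthy proxy refuses anonymous requests (401) and names at least one
    authentication scheme; anything else points at the IIS side, not Outlook.
    """
    if status == 401:
        schemes = [s.split()[0].upper() for s in (www_authenticate or "").split(",") if s.strip()]
        if schemes:
            return True, f"proxy reachable, authentication required ({', '.join(schemes)})"
        return False, "401 but no WWW-Authenticate header: no authentication method enabled on /rpc"
    if status == 403:
        return False, "403 forbidden: check 'Require SSL' and IP restrictions on the /rpc directory"
    if status == 404:
        return False, "404: /rpc directory or rpcproxy.dll missing (RPC over HTTP Proxy component installed?)"
    if 200 <= status < 300:
        return False, f"{status} without authentication: the proxy must not accept anonymous requests"
    return False, f"unexpected status {status}"


def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict[str, object]:
    """Connect with full certificate verification and request the proxy endpoint."""
    ctx = ssl.create_default_context()  # verifies chain, expiry and host name
    result: dict[str, object] = {"host": host, "ok": False}
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.connect()
        cert = conn.sock.getpeercert()
        # Record who the certificate was issued to, so a name mismatch is obvious.
        result["cert_subject"] = dict(kv for rdn in cert.get("subject", ()) for kv in rdn)
        result["cert_not_after"] = cert.get("notAfter")
        conn.request("GET", RPCPROXY_PATH)
        resp = conn.getresponse()
        resp.read()
        ok, verdict = interpret_rpcproxy_reply(resp.status, resp.getheader("WWW-Authenticate"))
        result.update(ok=ok, status=resp.status, verdict=verdict)
        conn.close()
    except ssl.SSLCertVerificationError as e:
        # The condition behind the browser's certificate warning: untrusted or
        # self-signed issuer, expired, or a name that does not match `host`.
        result["verdict"] = f"certificate rejected by client: {e.verify_message}"
    except ssl.SSLError as e:
        result["verdict"] = f"TLS handshake failed (is {port} really SSL on this host?): {e}"
    except OSError as e:
        # 'Page cannot be displayed' from outside usually lands here: 443 not
        # forwarded or allowed at the firewall, or DNS still pointing inside.
        result["verdict"] = f"cannot reach {host}:{port}: {e}"
    return result


if __name__ == "__main__":
    # Constructed placeholder name; replace with the name on the certificate.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.corp.example"
    for key, val in probe(target).items():
        print(f"{key}: {val}")
```

Keeping certificate verification switched on is the point of the probe: a result of "certificate rejected by client" from this script means Outlook will refuse the RPC-over-HTTPS connection too, since Outlook 2003 requires a certificate the client trusts whose name matches the proxy server it is told to use.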