Solved

RPC over HTTPS Almost working...

Posted on 2008-10-01
Last Modified: 2012-05-05
I have set up several Exchange servers over the past year for RPC over HTTPS connections and they have all gone up without a hitch.  This one however, is only working part way.  This time it's kicking my butt.  I hope I've provided enough information for someone to help me track down the problem.

In the past I have been working with a single server that was the DC and Exchange all in one.  This time I still have a single Exchange server, but have a separate DC.

I use Petri's setup guide to a T and have also referenced Amset now after finding this experts-exchange article:  http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21603584.html

The Petri article:  http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

The Amset article:  http://www.amset.info/exchange/rpc-http-server.asp

What I saw at Amset led me to believe that maybe I'm missing something.  Do I need to be setting up RPC proxy on the DC instead of Exchange this time??

As it stands, I have RPC proxy set up on the Exchange server.  I have a valid SSL cert in place and can connect to OWA without problems both inside and outside the LAN.  I can navigate to the server/rpc directory and be prompted for credentials.  If I log in, I get a 403 error which I've read is normal.  No certificate errors is the key.

If I try to connect with an Outlook client from outside our network (through a NAT'd port 443 directly to our Exchange server) Outlook prompts for a login, but then just hangs.  RPCDiag shows connections attempted to my server's netbios name, but never shows one completed.  Internally on the LAN when I limit my server to port 443 connections and use a profile in Outlook that is set to use an RPC Proxy, Outlook simply hangs, although RPCDiag shows a successful connection to my DC while connections to the Exchange server attempt and drop every so often.

Everyone focuses on the registry port settings and the SSL cert as the primary glitches, and I think I've proven that my SSL cert is ok with the OWA connection and the /rpc connection working without a cert error.

As for registry settings, at first I used the tool from Petri to set them, but after reading the Amset article I've modified the rpcproxy key manually to this: (server names and such changed)

ex:6001-6002;ex:6004;ex.domain:6001-6002;ex.domain:6004;dc:6001-6002;dc:6004;dc.domain:6001-6002;dc.domain:6004;mail.ext.com:6001-6002;mail.ext.com:6004

ex = exchange server's netbios name
dc = domain controller's netbios name
mail.ext.com = our external dns entry pointing to our exchange server

Things that work:
https://mail.ext.com (under construction page)
https://mail.ext.com/exchange (owa login - works completely)
https://mail.ext.com/rpc (prompt for login, then 403 after login)

I don't know enough about rpcping to test much, but I did one suggested ping and got this:

rpcping -t ncacn_http -s myserver -o RpcProxy=myserver -P "myuser,mydomain,*" -I "myuser,mydomain,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Enter password for server:
Enter password for RPC/HTTP proxy:

RPCPinging proxy server exchange2k3 with Echo Request Packet
Sending ping to server
Error 12175 returned in the WinHttpSendRequest.
Ping failed.

Thank you in advance!
Question by:archaic0
Accepted Solution

by:
archaic0 earned 0 total points
ID: 22625779
OK, this is working now.

I don't have a clear answer as to why.

I changed my port assignments according to the Amset article but left a couple out that he suggested (port 593) because this port did not show up on anyone else's examples.  My connection did not work last night when I gave up but this morning it works.  The server has not been rebooted since that change, but maybe a replication kind of thing needed to happen since I have a separate DC?

Here is my current registry setting for RPC Ports:

ex:6001-6002;
ex:6004;
ex.domain.com:6001-6002;
ex.domain.com:6004;
dc:6001-6002;
dc:6004;
dc.domain.com:6001-6002;
dc.domain.com:6004;
mail.ext.com:6001-6002;
mail.ext.com:6004

This is the only thing I have been editing for the last day between a time when it did not work and now when it does work.

One last note, my RPCPing failed at least partly because I was connecting with the internal netbios name instead of the external address that is registered to the certificate.  I did that because internally I cannot use the external DNS name.  I made a local host entry to fix that, and when I used the DNS name to ping, the RPCPing was successful.
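
The port list in the post above is the allow-list of backend host:port pairs the RPC proxy will forward to, so it is worth checking mechanically rather than by eye. An added example (not part of the original post or either linked guide): a Python parser that expands the value and compares it with the hosts and ports you expect. The function names, the required-port set and the DRIFTED sample are assumptions made for illustration.

```python
import re

# Ports the post's working value lists for every host (assumed to be the required set).
REQUIRED_PORTS = {6001, 6002, 6004}

# The working value from the post, joined into the single string the registry holds.
POSTED = ("ex:6001-6002;ex:6004;ex.domain.com:6001-6002;ex.domain.com:6004;"
          "dc:6001-6002;dc:6004;dc.domain.com:6001-6002;dc.domain.com:6004;"
          "mail.ext.com:6001-6002;mail.ext.com:6004")
EXPECTED = ["ex", "ex.domain.com", "dc", "dc.domain.com", "mail.ext.com"]

# Constructed sample: a value that has drifted (missing port, stale host, extra port).
DRIFTED = "ex:6001-6002;ex:6004;ex:593;dc:6001-6002;old-ex:6001-6004"

def parse_valid_ports(value):
    """Expand 'host:port' and 'host:lo-hi' entries into {host: set_of_ports}."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?", entry)
        if not m:
            raise ValueError(f"malformed entry: {entry!r}")
        host = m.group(1).lower()
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {entry!r}")
        allowed.setdefault(host, set()).update(range(lo, hi + 1))
    return allowed

def audit(value, expected_hosts, required=REQUIRED_PORTS):
    """Return (missing, extra): required ports an expected host lacks,
    and every host/port the value allows beyond the expectation."""
    allowed = parse_valid_ports(value)
    expected = {h.lower() for h in expected_hosts}
    missing = {h: sorted(required - allowed.get(h, set()))
               for h in expected if required - allowed.get(h, set())}
    extra = {}
    for host, ports in allowed.items():
        surplus = ports - required if host in expected else ports
        if surplus:
            extra[host] = sorted(surplus)
    return missing, extra

if __name__ == "__main__":
    print(audit(POSTED, EXPECTED))       # value from the post against its own host list
    print(audit(DRIFTED, ["ex", "dc"]))  # constructed drifted value
```

A non-empty "missing" result corresponds to the kind of hang described in the question; a non-empty "extra" result is a backend the proxy is allowed to reach that nobody listed as needed.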
