RPC over HTTPS Killing ME!


I have Exchange 2007 working and internal LAN-based clients can connect beautifully using RPC over HTTPS, verified using RPCDIAG. Port 443 is open on the firewall and you can get to the above web sites beautifully without any certificate errors. I am using an external cert from RAPPIDSSL.COM. So by every TID I have read, everything should be working, but it's not when connecting over the internet. I think all virtual directories and directory security are set correctly as it is working on the LAN.

When I open outlook.exe /rpcdiag externally it does prompt for login but seems to get stopped with only "DIRECTORY" and "REFERRAL" appearing. The referral disappears, "Directory" stays up, then it seems to time out after about 30 seconds and says the Exchange server is unavailable.

External mail server name = mail.integritycsg.com
Certificate is associated with mail.integritycsg.com
internal mail server name = icsg01.integritycsg.com

Note: When connecting internally I set the Outlook client to look to mail.integritycsg.com, which has a proper internal DNS record. RPCDIAG reported back that it was connected to icsg01.integritycsg.com.

I am stumped - any help is welcomed.

We do the exact same thing and have had no issues with this setup.
In Exchange 2007 RPC over HTTP it is now called "Outlook Anywhere" so for more details search the Exchange Console Help using that term.

Do not know exactly what you are missing so here is our configuration:

External mail server name = mail1.michaelwaltrip.com
Certificate is associated with mail1.michaelwaltrip.com
internal mail server name = exchange1.waltripracing.local

Attached are some screenshots of our:
IIS settings for the external name (possibly your issue)
client side Outlook settings
Exchange Server 2007 "Outlook Anywhere" external name settings (think this may be what you need)

Be aware of this:
Alternatively, you can use the Certification Authority tool in Microsoft Windows to install your own certification authority. By default, applications and Web browsers do not trust your root certification authority when you install your own certification authority. When a user tries to connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that user loses the connection to Microsoft Exchange. The user is not notified. The user loses the connection when one of the following conditions is true:

The client does not trust the certificate.

The certificate does not match the name to which the client tries to connect.

The certificate date is incorrect.

Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com.

rtlawAuthor Commented:
OK - I confirmed all of that:
cert is Equifax global and is trusted by the client - no errors, name on cert is mail.integritycsg.com, date is fine through Nov 2009. Exchange Outlook Anywhere settings are enabled and are set to mail.integritycsg.com
IIS settings are in perfect sync with your screenshot above as are client settings.

Still nothing - don't really know where to turn. It works internally, and it is obvious the info is getting through the firewall, as I see the login name pop up in Event Viewer and you can browse to the https: website

See screenshots below...

rtlawAuthor Commented:
One other thought - in terms of internal DNS, since the name is different outside vs inside.

icgs0.integritycsg.com inside =

Should mail.integritycsg.com internally be set to the same? Which it has been?

Should there be no entry internally? Or should it be the external IP address?

rtlawAuthor Commented:
One other comment - could it have anything to do with the Autodiscover service? Or am I barking up the wrong tree?
We do create an internal DNS zone for our external domain.
Mostly to prevent certificate warnings about the name not matching when users attach from the LAN side to OWA using the external url.

And to make it easy for users to only have to remember one URL or one favorite in IE

If you do that, remember to add any other hosts with external domains such as www.integritycsg.com, as they will fail to resolve otherwise.

I do not believe autodiscover would be related, but I'll double check.

Is this on Server 2003 or Server 2008?
rtlawAuthor Commented:
Server 2003 64-bit SP2 with Exchange 2007 SP1.

Remember my internal and external domain names are the same; both are integritycsg.com. Would you point the internal DNS to the local subnet or the Internet IP?

I will check out the troubleshooting pieces above as well.
On LAN point to internal IP address. You rarely want to route traffic out the gateway router/firewall and try to loopback to the external address. In most router/firewalls it won't even work that way.

rtlawAuthor Commented:
Progress - I found the RPC reg setting did not have mail.integritycsg.com listed.

Thank you very much, not sure how I missed that, but it was included in the document you referenced as a setup to verify that the right settings took. It had been pointing to the internal domain name.
rtlawAuthor Commented:
Thank you!