RPC over HTTP Pix firewall troubles

Posted on 2009-06-29
Last Modified: 2012-05-07
Our company is trying to enable RPC over HTTP on our SBS. I have the HTTPS portion working internally but as soon as I move to an external network Outlook isn't able to connect any longer. I am guessing this has to do with our Pix firewall and the settings there. I have went through several of the troubleshooting questions here and tried different settings on the pix but can't get it to work. I can access with a web browser externally and internally with no problems so I don't know where the issue could be.
PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password *

passwd *

hostname firewall

domain-name *.org

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list 80 permit ip

access-list acl_out permit tcp any host ourserver eq smtp

access-list acl_out permit tcp any host ourserver eq www

access-list acl_out permit tcp any host ourserver eq https

access-list test permit esp any any

access-list test permit udp any any eq isakmp

pager lines 24

logging console debugging

logging buffered debugging

logging queue 0

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside ouripaddy1

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool nirsa-pool

pdm history enable

arp timeout 14400

global (outside) 1 ouripaddy2 netmask

nat (inside) 0 access-list 80

nat (inside) 1 0 0

static (inside,outside) ourserver netmask 0 0

access-group acl_out in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt security fragguard

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

no sysopt route dnat

crypto ipsec transform-set nirsa esp-3des esp-sha-hmac

crypto dynamic-map nirsa-dynamic 5 set transform-set nirsa

crypto map nirsa 20 ipsec-isakmp dynamic nirsa-dynamic

crypto map nirsa client configuration address initiate

crypto map nirsa interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp client configuration address-pool local nirsa-pool outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption 3des

isakmp policy 5 hash sha

isakmp policy 5 group 2

isakmp policy 5 lifetime 86400

vpngroup nirsa address-pool *-pool

vpngroup nirsa dns-server

vpngroup nirsa wins-server

vpngroup nirsa default-domain *.org

vpngroup nirsa split-tunnel 80

vpngroup nirsa idle-time 1800

vpngroup nirsa password ********

telnet outside

telnet inside

telnet timeout 5

ssh outside

ssh outside

ssh timeout 60

terminal width 80


: end

Open in new window

Question by:ginnipig41
  • 3
  • 2
  • 2
  • +2

Expert Comment

ID: 24739416
Basically, the only port which is required to be open on the firewall for RPC over HTTPs is 443. But since you said you are able to acess your webmail with https, so the port should not be a problem.

How did you test RPC over HTTP is working fine internally ?

Can you try and confirm -> Open Outlook (using Rpc over http) -> Press & hold Ctrl key on keyboard -> Right click on Outlook icon on the system tray (besides time) and then choose Connection Status. Now verify of the column which says Conn has all HTTPS only and no TCP/IP..
LVL 27

Expert Comment

ID: 24739433
The certificate refers to yes and not an internal name?
LVL 65

Expert Comment

ID: 24739685
You didn't remove all of your passwords. I have hit request attention to get a mod to remove the enable password at the top of your config file.

If OWA works on port 443, it isn't the firewall at fault. RPC over HTTPS goes straight through the PIX. I know as I have been using one for years.

Did you run the Configure Email and connect to the internet wizard to enable the Outlook over the Internet feature (as that is what SBS 2003 calls it).

If you did, I would suggest creating a test account and then using the Microsoft test site to confirm if it is working correctly or not:


Author Comment

ID: 24740273
Raghuv - I can confirm that on my account here that I get HTTPS all the way down with no TCP/IP. I spent a day getting it to work internally now it is time to move it outside our network since that is where the real benefit is for our users.

shauncrocher- The certificate is generated by our CA here in the office and it does match our MX record. The only error I get when accessing the https: is that the certificate isn't from a trusted provider. Which doesn't matter since I will setup the certificate manually on the laptops.

Mestha - I saw you post that link in another Pix thread so I tried it and everything tests fine except the certificate since it is from an unknown provider since our CA generated it.
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 27

Expert Comment

ID: 24740657
it is important that the certificate is added to trusted root authorities on the laptops (you should be able to open owa without any errors). does the issue remain after you have imported the certificate onto laptops so that owa does not show a warning at all.

LVL 65

Expert Comment

ID: 24740686
Trying to get RPC over HTTPS to work with your own CA has a very high failure rate. I actually don't bother. I can get the feature working in less than an hour using a US$30 certificate. Means I do not have to install something on every device, particularly when the certificate expires.

LVL 27

Expert Comment

ID: 24740746
I have to agree with simon that it is far far better to use a commercial certificate. however if you ensure the certificate name matches your fqdn and your CA is in the trusted root authority list on your devices, it should work ok.
LVL 12

Expert Comment

ID: 24741412
Hope this helps

How to configure RPC over HTTP in Exchange Server 2003
How can I configure RPC over HTTP/S on Exchange 2003 (single server scenario)?

- Dream

Accepted Solution

ginnipig41 earned 0 total points
ID: 24746341
Thanks for the help guys but it didn't have to do with the PIX after all. The issue was with the laptop that I was using there where 3 entries in the hosts file that referred to some VPN settings. As soon as I removed those Outlook kicked right over to HTTPS.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now