Solved

RPC over HTTP Pix firewall troubles

Posted on 2009-06-29
9
709 Views
Last Modified: 2012-05-07
Our company is trying to enable RPC over HTTP on our SBS. I have the HTTPS portion working internally but as soon as I move to an external network Outlook isn't able to connect any longer. I am guessing this has to do with our Pix firewall and the settings there. I have went through several of the troubleshooting questions here and tried different settings on the pix but can't get it to work. I can access https://mail.ourserver.com with a web browser externally and internally with no problems so I don't know where the issue could be.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *
passwd *
hostname firewall
domain-name *.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list acl_out permit tcp any host ourserver eq smtp
access-list acl_out permit tcp any host ourserver eq www
access-list acl_out permit tcp any host ourserver eq https
access-list test permit esp any any
access-list test permit udp any any eq isakmp
pager lines 24
logging console debugging
logging buffered debugging
logging queue 0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside ouripaddy1 255.255.255.192
ip address inside 10.10.10.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool nirsa-pool 192.168.1.1-192.168.1.10
pdm history enable
arp timeout 14400
global (outside) 1 ouripaddy2 netmask 255.255.255.192
nat (inside) 0 access-list 80
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
static (inside,outside) ourserver 10.10.80.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 204.13.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set nirsa esp-3des esp-sha-hmac
crypto dynamic-map nirsa-dynamic 5 set transform-set nirsa
crypto map nirsa 20 ipsec-isakmp dynamic nirsa-dynamic
crypto map nirsa client configuration address initiate
crypto map nirsa interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local nirsa-pool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
vpngroup nirsa address-pool *-pool
vpngroup nirsa dns-server 10.10.80.2
vpngroup nirsa wins-server 10.10.80.2
vpngroup nirsa default-domain *.org
vpngroup nirsa split-tunnel 80
vpngroup nirsa idle-time 1800
vpngroup nirsa password ********
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 64.215.252.0 255.255.255.248 outside
ssh 67.250.103.45 255.255.255.255 outside
ssh timeout 60
terminal width 80
Cryptochecksum:*
: end

Open in new window

0
Comment
Question by:ginnipig41
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 9

Expert Comment

by:Raghuv
ID: 24739416
Basically, the only port which is required to be open on the firewall for RPC over HTTPs is 443. But since you said you are able to acess your webmail with https, so the port should not be a problem.

How did you test RPC over HTTP is working fine internally ?

Can you try and confirm -> Open Outlook (using Rpc over http) -> Press & hold Ctrl key on keyboard -> Right click on Outlook icon on the system tray (besides time) and then choose Connection Status. Now verify of the column which says Conn has all HTTPS only and no TCP/IP..
0
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24739433
The certificate refers to https://mail.ourserver.com yes and not an internal name?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24739685
You didn't remove all of your passwords. I have hit request attention to get a mod to remove the enable password at the top of your config file.

If OWA works on port 443, it isn't the firewall at fault. RPC over HTTPS goes straight through the PIX. I know as I have been using one for years.

Did you run the Configure Email and connect to the internet wizard to enable the Outlook over the Internet feature (as that is what SBS 2003 calls it).

If you did, I would suggest creating a test account and then using the Microsoft test site to confirm if it is working correctly or not: https://testexchangeconnectivity.com/

Simon.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:ginnipig41
ID: 24740273
Raghuv - I can confirm that on my account here that I get HTTPS all the way down with no TCP/IP. I spent a day getting it to work internally now it is time to move it outside our network since that is where the real benefit is for our users.

shauncrocher- The certificate is generated by our CA here in the office and it does match our MX record. The only error I get when accessing the https: is that the certificate isn't from a trusted provider. Which doesn't matter since I will setup the certificate manually on the laptops.

Mestha - I saw you post that link in another Pix thread so I tried it and everything tests fine except the certificate since it is from an unknown provider since our CA generated it.
0
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24740657
it is important that the certificate is added to trusted root authorities on the laptops (you should be able to open owa without any errors). does the issue remain after you have imported the certificate onto laptops so that owa does not show a warning at all.

shaun
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24740686
Trying to get RPC over HTTPS to work with your own CA has a very high failure rate. I actually don't bother. I can get the feature working in less than an hour using a US$30 certificate. Means I do not have to install something on every device, particularly when the certificate expires.

Simon.
0
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24740746
I have to agree with simon that it is far far better to use a commercial certificate. however if you ensure the certificate name matches your fqdn and your CA is in the trusted root authority list on your devices, it should work ok.
0
 
LVL 12

Expert Comment

by:Saakar
ID: 24741412
Hope this helps

How to configure RPC over HTTP in Exchange Server 2003
http://support.microsoft.com/kb/833401
How can I configure RPC over HTTP/S on Exchange 2003 (single server scenario)?
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm

- Dream
0
 

Accepted Solution

by:
ginnipig41 earned 0 total points
ID: 24746341
Thanks for the help guys but it didn't have to do with the PIX after all. The issue was with the laptop that I was using there where 3 entries in the hosts file that referred to some VPN settings. As soon as I removed those Outlook kicked right over to HTTPS.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question