Configure RPC over HTTP for remote Outlook access

sirbounty
Hi experts - I'm being asked to help configure an Exchange server in this manner and I'm admittedly no Exchange admin, so I'm hoping someone can provide some guidance on how to begin.  
Apparently they were looking at obtaining/creating an SSL certificate to implement the solution, but got stuck there.
Presumably this is a common practice - if not, please advise the best way to set up this capability.
I'm not sure at this point what version of Exchange, but if it's critical, I can find that out along with any other necessary information.  As I said this is new to me and I don't have enough experience with Exchange to know where to begin nor how much/what information to include, so feel free to ask anything that's necessary.


Additionally, they're wanting to allow Active Sync connections with iPhone - I only mention that in case it sways the above solution one way or another.  This will probably be a second question once the above is complete.
Commented:
Yes, this is a common thing to do.  RPC over HTTPS has no bearing on your phones...it is used primarily so Outlook can connect to the Exchange server from outside the network.

http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
Top Expert 2007

Author

Commented:
Reading through the article now...
I see that I'll need port 443 open if using SSL, and presumably they are, but will they need some certificate solution?
Also... what is the version of Exchange?
Is it Outlook Anywhere that you are configuring on Exchange 2007 server?
Reference: http://technet.microsoft.com/en-us/library/cc179036.aspx
http://technet.microsoft.com/en-us/library/bb123741.aspx
http://technet.microsoft.com/en-us/library/bb123513.aspx

In the case of Exchange 2007, the certificate plays an important role; it is required for Autodiscover as well...
It is recommended that you go for a UCC (SAN) certificate...
References: http://technet.microsoft.com/en-us/library/bb851505.aspx
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

For Exchange 2003 Scenario,
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm

Also check this to help you with the Outlook settings:
http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm

Also a good website to test your configuration is https://testexchangeconnectivity.com
You only need to open port 443 on the firewall.... no certificate requirement....
Top Expert 2007

Author

Commented:
Doesn't look like the account I was given has access to Exchange - any other way to determine the version?

I don't think it's Outlook Anywhere - I believe it's simply Outlook 2k3.
The server is Win2k3.  I already went through the petri steps and apparently since they've already been done before I was asked to lend a hand, it's not working with those instructions alone...

Supposedly a local cert was attempted to be issued, but I'm not sure how far off the ground that made it.  It may have been an attempt directly from the Exchange server, but I'm not certain that's the best decision either...
Top Expert 2007

Author

Commented:
Ok, it's Exchange 2003.
How would I go about setting up the certificate?  Presumably that's the more secure route?
Open up the IIS manager....

Expand 'Web Sites' and go to properties of Default Web Site...

Under Directory Security Tab, check the certificate you have... you can click on View Certificate and see the certificate... make sure this is the certificate that you would like to use for RPC over HTTPS....

Also run a connectivity test at http://testexchangeconnectivity.com and let us know the results...
Top Expert 2007

Author

Commented:
Ok, there wasn't one there, but I chose an existing one - doesn't expire until 2015, so presumably that's the best option.
However, now under "Edit" in that section, should I also 'require SSL' and subsequently 128-bit encryption?
There are other options on that page as well, with the only one selected being "Ignore client certificates".
Top Expert 2007

Author

Commented:
I'll have to have someone locally check the connectivity site.  I'll let you know the results...
Top Expert 2007

Author

Commented:
Here are the results...how shall we proceed?
Testing RPC/HTTP connectivity
    RPC/HTTP test failed

Test Steps
Attempting to Resolve the host name xx.xxxxxx.com in DNS.
    Host successfully Resolved
Additional Details

Testing TCP Port 443 on host xx.xxxxx.com to ensure it is listening/open.
    The port was opened successfully.

Testing SSL Certificate for validity.
    The SSL Certificate failed one or more certificate validation checks.
    Tell me more about this issue and how to resolve it
Additional Details
    A network error occurred while communicating with remote host:
Exception Details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack Trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()

Jian An Lim, Solutions Architect
Top Expert 2016
Commented:
ok

Testing SSL Certificate for validity.
    The SSL Certificate failed one or more certificate validation checks.

this means your SSL certificate is self-signed (which is not really optimal for Outlook) but iPhone usually doesn't care so much

you might want to try http://externameURL/owa and http://externameURL/oma to see whether you can view them or not.

then set up your iPhone

usually your username is <domain>\<username>

try and see whether you get it working.


Commented:
limjianan -- Sorry, have to throw in my $.02 worth.  Why would you say that a self-signed certificate is not optimal for outlook?  It is secure and best of all it is free -- I have never run into any phone that will not function with a self-signed certificate (though on a few phones, like the old Verizon Motorola Q, you have to install the root certificate install app and the certificate itself which takes a few minutes).  Only time I can see bending over to let the certificate sellers ream you is if you are providing Exchange e-mail as a service and have customers hitting web access (don't want paying customers to see the stupid "there is a problem with this certificate" message!).

sirbounty -- Could you clarify the question a bit?  Are you setting up RPC over HTTPS, or are you trying to set up OMA?  They are two different things... one is for Outlook connectivity and the other for smart phone connectivity.  Some of the elements of setting up do overlap (like getting the certificate functional), but for troubleshooting it would be good to know exactly which piece we are working on.
Subash Sundharan, IT Infrastructure Architect
Commented:
Verify the SSL Certificate and Trusts.. This may help..
Troubleshooting-RPC-over-HTTPS
Top Expert 2007

Author

Commented:
mds-cos - initially setting up rpc over https - I think the idea was to eventually add the smart phone connectivity, but I realize there may be extra steps involved, just added that for extra detail to cover any overlaps and not visit that piece twice - hope it doesn't add confusion to the mix.  For this question, let's just stick to the rpc setup and keep that in the back of our minds...

So, it looks like the Exchange server is a cert server.
My questions:
  -Is this necessarily a bad thing?  I have another server that I can use for that, but it would mean putting this question on hold while I had help in another question to set that up on a new server and presumably remove it from this one.
  -Would it help at all to try and create a new certificate?  The owner is willing to pay a small fee for a cert service, but free is better in my mind.

I have remote access to the server, but no access to Exchange nor a valid email account on it, so I'll have to defer those tests to the owner.  If there's any further tests I can run without that, let me know and I'll be glad to get results...
Subash Sundharan, IT Infrastructure Architect

Commented:
If you have a self-signed SSL certificate you should import the certificate to your local store. This should resolve the issue.

If you are purchasing a certificate, no need to manually import and install the certificate.. the root certificate of certification authorities will be there in store..
Many small/mid sized organisations install CA on Exchange servers, I feel it is absolutely fine..
Commented:
Necessarily a bad thing?  No, not necessarily...especially if the only thing you are generating certs for is Exchange.  If it is already set up that way and you aren't having problems I don't see any reason to change.  For what it's worth, setting up a cert server is a piece of cake, you just want to understand the different options before doing it (quick read on the subject covers that).  This is not SBS, right?  If it is there are some nice wizards you can use rather than running through this stuff manually.

If you think your certificate is expired or having problems then generating a new certificate would help.  You can check the status of your certificate easily in IIS manager.  Drill down to the default website, right-click and choose properties.  Go to the Directory Security Tab.  Click the "View Certificate..." button.  Make sure the certificate is still valid, and that the bottom says "You have a private key that corresponds to this certificate".  Also be sure that the certificate is "Issued to" the right name (for example, the external url that will be used to access the server).

If you have Outlook Web Access going with secure access you can very easily validate if this is a certificate problem.  Just hit https://<your server>/exchange.  OWA and RPC over HTTPS use the same certificate....so if you can get a secure connection to OWA your certificate is good.

Here is a good article on troubleshooting RPC over HTTP(S)

http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html
Top Expert 2007

Author

Commented:
Nope - not SBS.
There are 3 certs - only one that's expired, but I never imported them (presumably you mean through IE's certificate content?  Or how else would I import it into the local store?)

Tried the https://servername/exchange but page could not be displayed...
Top Expert 2007

Author

Commented:
Viewing the cert in IIS shows "you have a private key that corresponds..." and shows valid through 9/2015...
Subash Sundharan, IT Infrastructure Architect

Commented:
Is this CA used to issue certificates to users?

Regarding cert import : I was talking about importing to client PC
This article explains it..
http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html
Site Reliability Engineer
Most Valuable Expert 2011
Commented:
Hi sirbounty,

RPC over HTTPS can be a little convoluted to enable in Exchange 2003 - I am not surprised you are having problems.

The most important step is to ensure you have already installed a valid, working certificate. I personally prefer to use a certificate from a trusted authority, because it avoids the unnecessary step of needing to manually import the certificate or its root certificate into each machine where the function is used from. If this was an Exchange 2007 Server, you would have to buy a third-party certificate because self-signed certificates are not supported in that version.

I use Certificates for Exchange (http://certificatesforexchange.com/) for purchasing my SSL certificates. They are cheap, and trusted by IE/Firefox and most major Smartphones/PDAs. For a Single Domain Standard SSL certificate, that site is charging GBP£18.17/yr (USD$29.99/yr). They are not charging through-the-roof like Verisign or Thawte, and if your customer can stretch to this as a "small fee" I would recommend they do.

When you configure the certificate, you'll be asked for a CSR. This is generated by the Exchange Server. You would need to open IIS Management Console from Administrative Tools, go to the Default Web Site's security properties and click the 'Server Certificate' button. Remove any existing SSL certificate, then run the wizard and choose to create a new certificate request which will be sent to a third-party. Step through the wizard, providing all the details. The most important step is providing the server name - this MUST be the name which the server is known as externally. If the client connects to OWA using mail.company.com, that address must be entered as the Common Name on the certificate. At the end of the procedure, you'll get a CSR which can be posted to Certificates for Exchange for approval.

Once you get hold of the certificate, follow the instructions from the provider to import the root (.p7b) certificate into the server. Once that is complete, go back to the wizard in IIS, choose to complete a pending request and then point the wizard to the certificate (.crt) file you downloaded. This should import the certificate. Provided port 443 is open to the server through the firewall, and the correct IP is mapped to the DNS record listed on the certificate, you should now be able to go to an external machine, enter https://mail.company.com and get the page come up *without any certificate warning*.

If you do want to go down the self-signed route, I can understand that. However, you need to remember that the Common Name must still be the same name as is used to access the server externally - and the certificate must be imported (easiest way is via IE) on every machine RPC over HTTPS will be used from.

Verify the RPC/HTTPS proxy feature is installed under Windows Components in Add/Remove programs. Then, provided the certificate is in, go to Exchange System Manager, locate the server and edit its properties to set it as an RPC/HTTPS back-end server... this step often isn't actually necessary, but is nice to put in place.  Finally, follow Sembee/Mestha's great guide at http://www.amset.info/exchange/rpc-http-server.asp for making the necessary registry changes - both to the RPC configuration on the Exchange Server and on the Domain Controller. That guide is relatively self-explanatory.

You may need to restart some services (IIS Admin) or just restart the server, then RPC/HTTPS should be available. I believe someone above mentioned TestExchangeConnectivity.com. Use that site and do an 'Outlook 2003 RPC' test. Enter all the required info (certificate mutual authentication name should be msstd:mail.domain.com - same name as on the SSL certificate). Ensure you get the green tick as a go ahead, then attempt to configure Outlook: http://www.amset.info/exchange/rpc-http.asp.

I hope this answers your questions on RPC over HTTPS. Smartphones use a different technology - they would generally use Exchange Activesync to sync data over the air from the server. This, again, uses SSL technology to encrypt the data session.

Let me know if you need any more help,

Thanks

-Matt
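Both mds-cos's suggestion (hit https://<your server>/exchange and see whether you get a clean secure connection) and Matt's walkthrough come down to the same three certificate checks the connectivity tester failed on above: the certificate is within its validity window, it is issued to the external name the clients use, and its issuer is trusted by the client (a self-signed cert is not, until its root is imported), plus Outlook's msstd: mutual-authentication name matching the Common Name. The script below, added here as an illustration and not part of the thread or any Microsoft tool, reproduces those checks offline on constructed certificate records so you can see which one a given cert would trip. `CertInfo`, `evaluate_certificate` and the sample names (`exchsrv`, `webmail.example.com`, `Example Public CA`) are all made up for the example; `cert_from_peercert` shows how the same checks would be fed from a real `ssl.SSLSocket.getpeercert()` dict if you pointed it at a live server.

```python
"""Offline reproduction of the certificate checks a connectivity tester such as
testexchangeconnectivity.com performs before the RPC/HTTP step, plus the
Outlook 'msstd:' mutual-authentication check. Added example; the certificate
records below are constructed, not the thread's real certificate."""
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertInfo:
    """Only the X.509 fields the checks need (hypothetical helper type)."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    sans: list = field(default_factory=list)  # dNSName entries, if any
    issuer_trusted: bool = False              # issuer's root is in the client store


def cert_from_peercert(peercert: dict, issuer_trusted: bool) -> CertInfo:
    """Convert the dict returned by ssl.SSLSocket.getpeercert() into CertInfo.
    Trust is passed in because getpeercert() only yields a populated dict
    after the ssl module has already verified the chain."""
    def cn(rdn_seq):
        return next(v for rdn in rdn_seq for k, v in rdn if k == "commonName")

    def to_dt(s):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)

    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return CertInfo(cn(peercert["subject"]), cn(peercert["issuer"]),
                    to_dt(peercert["notBefore"]), to_dt(peercert["notAfter"]),
                    sans, issuer_trusted)


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is allowed only as the
    whole left-most label and never matches the bare parent domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert: CertInfo, hostname: str) -> bool:
    """dNSName SANs take precedence; the CN is consulted only when there are none."""
    if cert.sans:
        return any(_name_match(san, hostname) for san in cert.sans)
    return _name_match(cert.subject_cn, hostname)


def msstd_matches(cert: CertInfo, principal: str) -> bool:
    """Outlook's 'mutually authenticate the session' value, msstd:<name>,
    must name the certificate's Common Name (case-insensitive)."""
    if not principal.lower().startswith("msstd:"):
        return False
    wanted = principal[len("msstd:"):].lower().rstrip(".")
    return wanted == cert.subject_cn.lower().rstrip(".")


def evaluate_certificate(cert: CertInfo, hostname: str, principal=None, now=None) -> list:
    """Return the failed checks; an empty list means the certificate would pass."""
    now = now or datetime.now(timezone.utc)
    failures = []
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("validity: certificate expired or not yet valid")
    if not hostname_matches(cert, hostname):
        failures.append(f"name: certificate is not issued to {hostname}")
    if not cert.issuer_trusted:
        kind = "self-signed" if cert.subject_cn == cert.issuer_cn else "issued by an untrusted CA"
        failures.append(f"trust: {kind}; the issuer root is not in the client store")
    if principal is not None and not msstd_matches(cert, principal):
        failures.append(f"msstd: {principal} does not match CN {cert.subject_cn}")
    return failures


# Constructed reference time and certificates for the demonstration.
NOW = datetime(2009, 7, 20, tzinfo=timezone.utc)
INTERNAL = CertInfo("exchsrv", "exchsrv",  # self-signed, issued to the internal name
                    datetime(2005, 9, 1, tzinfo=timezone.utc),
                    datetime(2015, 9, 1, tzinfo=timezone.utc))
EXTERNAL = CertInfo("webmail.example.com", "Example Public CA",  # commercial, external name
                    datetime(2009, 7, 1, tzinfo=timezone.utc),
                    datetime(2010, 7, 1, tzinfo=timezone.utc),
                    sans=["webmail.example.com"], issuer_trusted=True)


def demo() -> dict:
    """Run both constructed certificates through the checks for the external name."""
    host, principal = "webmail.example.com", "msstd:webmail.example.com"
    return {"internal": evaluate_certificate(INTERNAL, host, principal, NOW),
            "external": evaluate_certificate(EXTERNAL, host, principal, NOW)}


if __name__ == "__main__":
    for label, failures in demo().items():
        print(label, "OK" if not failures else failures)
```

The internal, self-signed certificate fails the name, trust and msstd checks at once, which is the pattern behind "failed one or more certificate validation checks"; the commercial certificate issued to the external name passes. Note what this script cannot see: the tester above actually reported that the server closed the connection during the handshake, so on a live box you would still confirm in IIS that a certificate with a private key is bound to the Default Web Site before worrying about which name is on it.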
Top Expert 2007

Author

Commented:
Great info Matt.
I'm waiting on the last test results from them before I proceed, but will post those results and step through some of these troubleshooting links once I hear back.  I'll keep you all posted and I very much appreciate the assistance! :^)
Top Expert 2007

Author

Commented:
Ok, this last test still fails - same results.
Checking with him on http://certificatesforexchange.com
And looking through some of these links.
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
Hi sirbounty,

Was that the TestExchangeConnectivity test which failed? If so, it's probably an SSL issue. I'll wait to hear from you regarding the certificate.
Top Expert 2007

Author

Commented:
Yes, same results from http:#24916572
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
Probably not got a valid certificate yet installed. What did they say regarding the SSL cert?
Top Expert 2007

Author

Commented:
Not sure what you mean?

I can try generating a new one from the server if that will help?
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:

I was referring to whether they did anything moving toward getting a third-party, trusted certificate, such as from CertificatesForExchange.com.

If they can get one of them (for an Exchange 2003 Server, you're looking at the cheapest certificate - no more than $30/year) that will greatly help you with this.

Alternatively, we can go down the route of generating a new self-signed certificate and then install it to those machines you are using Outlook on.

-Matt
Top Expert 2007

Author

Commented:
Well, he'd mentioned he had found one from go daddy for I think less than $15/year - is that an option or have you heard anything bad about that route?
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:

If he can get one from GoDaddy, that would work just the same. GoDaddy and Certificates for Exchange use the same certification authority (Starfield Technologies) to generate their SSL certificates.

Which GoDaddy certificate was it?
Top Expert 2007

Author

Commented:
Here's the latest response from the owner:
GlobeSSL  has a standard cert for $12/yr. Seems like its comparable to the big boys: https://www.globessl.com/documents/comparison.pdf
The internal IP is static as specified by the router. Externally, we use dyndns  xxxxxxxx.xxxxxxx.com points to our IP and then we use port forwarding.
Do we need to get a static IP and then use an icann registered domain as the servers external name?

Not being as familiar with this as you guys are - I'm unsure how to respond to that...?
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:

It looks like the GlobeSSL certificate is as good as any other.

With regards to Dynamic DNS and a static IP, you would (preferably) want to get the server onto a static IP. Running on a dynamic one with DynDNS can be done, but it causes problems for outbound mail flow and for setting up SSL certificates if the DNS isn't set properly.

If you get it on a static IP, and create a record such as mail.company.com which maps to that static IP, you can then go about creating the SSL certificate with mail.company.com as the Common Name.

Does that explain things a bit better? :)

-Matt
Top Expert 2007

Author

Commented:
Somewhat I suppose. ;)
I'll forward this info over and see what the response is.
Thanks again!
Please confirm the version of Exchange.
Anyway, if you have an Exchange Server 2003 SP2 you can go through the links carefully before you implement the steps:--
I would recommend using a UCC certificate:--
http://technet.microsoft.com/en-us/library/bb851505.aspx
If you are having an Exchange Server 2003 SP2:-- use the link:--
Exchange Server 2003 RPC over HTTP Deployment Scenarios
http://technet.microsoft.com/en-us/library/aa998950(EXCHG.65).aspx
If you are having an Exchange Server 2007 SP1:--
Outlook Anywhere
http://technet.microsoft.com/en-us/library/bb123741.aspx
If you are having an Exchange Server 2007 SP1 on Windows Server 2008 and it is a member server, please make sure that you disable IPv6 on the NIC card and in the registry:--
http://support.microsoft.com/kb/952842
and add the entries in the hosts file:-
Made the required changes to the hosts file under the location "c:\drivers\etc"
Commented out the line "  ::1       localhost" by adding the " # " sign
Added the Internal IP address of the Exchange Server with the NETBIOS name of the Exchange Server.
Added the Internal IP address of the Exchange Server with the FQDN name of the Exchange Server.
Thanks


tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
anuragshankar,

sirbounty confirmed in an earlier post this was Exchange 2003. Therefore a Unified Communications Certificate is not required. A standard certificate with the external name of the Exchange Server would suffice.
Top Expert 2007

Author

Commented:
Latest from the owner:

Not sure of the answer...

We should have our static IPs on Thursday.
As for mailserver.companyname.com, incoming mail for the domain xxxxxxx.com is not really handled by the Exchange server, and so we have the MX record pointing to our web hosts pop server where we manage our mail accounts. We use the Exchange server for synchronization and Outlook functionality (mail is polled from the pop boxes by Outlook and then synched to Exchange). Do you think we should create a sub-domain to which the static IP could be matched? Or could we just use one of the xxxxxxxx.org or xxxxxxxxx.us domains which we are not really doing anything with yet?
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011
Commented:

"...mail is polled from the pop boxes by Outlook and then synched to Exchange..."

That's bad - a POP3 connector. If I got my hands on that config that would be the first thing I would remove! That's besides the point, but you might mention it to the client.

Okay, mailserver.company doesn't map to the Exchange Server, so you can't use that for the SSL certificate. I'd create a subdomain instead - say webmail.company.com. Map that as an A record to the static IP, then use webmail.company.com as the Common Name on your SSL certificate request.

-Matt
Top Expert 2007

Author

Commented:
Just dropping in to say " no update yet"...
I'll keep you posted.  Thanks.
Top Expert 2007

Author

Commented:
Sorry gang - still no word.
I'll email him again and find out where we're at.
If I can't get any further at this point, I'll close this one and open a part 2...
Thank you for your patience.  
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
No worries. Thanks for posting back.
Top Expert 2007

Author

Commented:
Sorry it took so long - just heard back that he got it working, so we're all set.
Thanks for the help gang - I learned a bit here.  I appreciate your patience and willingness to overlook my ignorance. :^)
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
Glad you got there in the end. Thanks :)
