c1w1ortiz
Outlook 2003 Remote/OWA Issues
I have a FE/BE setup. Exchange 2003 SP2/Exchange 2003 SP2. FE and BE are behind the internal firewall and port 80/443 are open.
Users are trying to connect remotely to read their emails using Outlook 2003. They are being prompted continuously to enter their user name/password but it is not taking. Trying to troubleshoot this issue, I ran the command Outlook /rpcdiag and I can see it is hitting the DC/GC server and the BE server. The same users get to their mailboxes when connected to the network. RPC over HTTPS is configured in those Outlook clients.
Also I am having problems with OWA, my users are getting prompted to enter their credentials to then get the message "440 login time out".
We confirmed traffic thru the firewall.
Has this just started happening? If you reboot the FE how long till OWA dies again?
ASKER
MegaNuk3,
I am just setting up the new FE/BE. I got the BE to work for the internal users but I am struggling with the rest of the setup.
Why set up a new FE/BE? Surely it will be quicker just to get the old ones working?
Does a reboot of the FE resolve the issue for a short period of time or not?
Have a look at Step4 on here: http://support.microsoft.com/kb/917686 this is probably your problem...
ASKER
Our old email system was on blades which were sold. We created new FE/BE servers and migrated the accounts over. I will reboot the server shortly and report back.
ASKER
MegaNuk3:
I checked step 4 and the only difference is that instead of our domain name, there is a "\". What is the difference and how do I change it? Right now it is greyed out.
Don't worry too much about the "\" mine is the same and grayed out in ESM. You can change these settings in IIS manager though. Is basic auth ticked?
ASKER
I rebooted the FE and tried again. I am getting the same thing. Basic authentication is checked.
can you connect to http://servername/exchange on the backend?
ASKER
From the BE I can connect and get my mail with http://be-server/exhange but it takes a long time to load. If I try to connect from the BE to http://fe-server/exchange I get "The page must be viewed over a secure channel".
I did some research and found that I needed to enable the Anonymous Access on exchweb. I did it and now I can connect to the FE with https://fe-server/exchange\ but my client cannot connect remotely. Is this the correct setting to have?
ASKER
Where do I find Exchange-OMA?
Exchange-OMA only exists when you don't have a front end server... normally on SBS servers
If you are using Active sync with SSL, you should need to create a OMA-Vir.
http://support.microsoft.com/kb/817379
@SatyaPathak - This is a front-end back-end config so that doesn't apply
What error are remote users getting now when they hit OWA?
ASKER
After checking all the requirements as below I was able to hit the fe-server/exchange.
1) Default Website : Anonymous & Integrated NO SSL
2) Exadmin : Integrated NO SSL
3) Exchweb : Anonymous NO SSL
4) Exchange: Basic SSL Optional
5) RPC : Basic SSL Required
6) OMA : Basic SSL Optional
7) Public : Basic+Integrated SSL Optional
8) exchange-oma : Basic & Integrated NO SSL
9) Microsoft-Server-ActiveSync : Basic SSL Optional
MegaNuk3, I did step 5 and I was able to hit OWA.
My remote clients still cannot connect. When I do an outlook /rpcdiag I can see the client trying to connect to the fe-server, then to the DC/GC-server...as referral....
This part is very weird.
ASKER
What are the IIS requirements for a BE? I wonder if I have the wrong setting.
Okay fine.
How can I configure RPC over HTTP/S on Exchange 2003: please verify all settings as per this KB.
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm
Can your remote clients try and hit OWA please so we can make sure that is working before moving onto the RPC/HTTPs stuff?
Or if you have a phone with an internet browser do it from that to prove OWA is working from the internet.
ASKER
Is the RPC Proxy server the FE?
Just make sure the BE has no SSL on /exchange, which you actually proved earlier by hitting http://BE/exchange and being able to get into your mailbox...
Yep, the FE proxies the RPC to the BE.
Hit your server from https://www.testexchangeconnectivity.com/ to test RPC/HTTPS and then post the results (edit out server names if you want)
ASKER
In the BE Default Web Site/Exchange I have the following settings:
Enable anonymous access - not checked.
Integrated Windows Authentication and Basic Authentication - checked.
Require secure channel (SSL) - not checked
Stand-by for connectivity test.
Deselect "integrated windows auth" if you see it on the /RPC directory
ASKER
In the BE Default Web Site/RPC I deselected Integrated Windows Auth and confirmed that Basic is checked.
The FE /RPC is Basic _ SSL/Req 128-bit encryption.
ASKER
The connectivity test. We haven't updated our internet provider host file for DNS, the FE address is 63.173.140.198:
Testing RPC/HTTP connectivity
RPC/HTTP test failed
Test Steps
Attempting to resolve the host name 63.173.140.198 in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 63.173.140.198
Testing TCP Port 443 on host 63.173.140.198 to ensure it is listening and open.
The port was opened successfully.
Testing SSL Certificate for validity.
The SSL Certificate failed one or more certificate validation checks.
Test Steps
Validating certificate name
Certificate name validation failed
Tell me more about this issue and how to resolve it
Additional Details
Host name 63.173.140.198 does not match any name found on the server certificate CN=ffjwm1.fnly.com
Well that is why it won't work then because the certificate name has to match the name of the site...
Have you tried it internally?
ASKER
If we update the isp provider host file, would it fix the problem? If so, I will request it right now.
If the name on your cert is mail.mycompany.com then add a HOSTS file entry on your machine for that name and the internal IP address of your FE server.
Then hit https://mail.mycompany.com/exchange and verify that Internet Explorer doesn't give you any Certificate errors.
If IE gives you cert errors then you need to resolve those.
Any cert errors and RPC/HTTPs will not work, trust me it will not work...
Yep, you need to update Internet DNS pronto. So that external users can ping the name on your certificate and get the right IP address as a response otherwise you are going to spend a long time configuring HOSTS files on all the machines out there...
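The name check that failed in the connectivity test above, as an added example that is not part of the original thread: it shows why connecting by IP address fails against a certificate issued to a DNS name, and why the same certificate passes once clients reach the FE by that name. The function names are hypothetical, and the SAN-before-CN precedence is a simplifying assumption.

```python
import ipaddress

def is_ip_literal(host):
    """True when the client was pointed at an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert_name(host, subject_cn, san_dns=(), san_ip=()):
    """Return (ok, reason) for the name the client used vs. the names on the cert.

    Simplification (assumption): DNS names in subjectAltName take precedence,
    and the subject CN is used only when the certificate has none.
    """
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == wanted for ip in san_ip):
            return True, "IP address is listed on the certificate"
        return False, f"{host} is an IP literal not listed on the certificate"
    names = list(san_dns) or [subject_cn]
    for name in names:
        if dns_name_matches(name, host):
            return True, f"{host} matches {name}"
    return False, f"{host} does not match any of {names}"

if __name__ == "__main__":
    # Values from the connectivity test in the thread, then the fixed state
    # (clients reach the FE by the certificate name once DNS is updated).
    for host in ("63.173.140.198", "ffjwm1.fnly.com"):
        print(host, "->", check_cert_name(host, "ffjwm1.fnly.com"))
```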
ASKER
I trust you... I have tested with the host file...Let me run some tests now and I will get back to you tomorrow morning. I need to step away to resolve another problem.
but as I said in post 27308405 you can test it internally by creating a hosts file (if you can't ping the FE internally by the certificate name)
Gr8, I am off to bed then because it is 22:30PM here.
Get the internet DNS entry updated and then hopefully it will have replicated by tomorrow morning and all your users will be able to connect again.
Any update? Is everything working now that DNS is updated?
ASKER
MegaNuk3:
I am happy to tell you that the DNS update was successful. Webmail and Outlook client are functional. I am moving toward setting up ActiveSync for Treo Palm.
Thanks for the update, can you award points and close the question please. If you have issues with ActiveSync then please open another question.