expuser2008
asked on
Need help to deploy RPC/HTTPS for Exchange 2003 SP2 with 2 DCs with GCs.
Hi all,
I am trying to configure RPC over HTTPS.
Here is my setup:
2 domain controllers with GC (Windows 2003 Server SP2)
1 Exchange Server 2003 SP2 (Windows 2003 Server SP2)
I have installed the RPC over HTTP component on my Exchange server and enabled the RPC-HTTP back-end topology.
IIS authentication is Basic on both the RPC and RPCWithCert directories and SSL is enabled. I have a valid certificate
from the local root CA on DC1 with common name (Exchange NetBIOS name of the server).
From outside I have a valid certificate from GeoTrust (CN=mail.domain.com) which is installed on my Squid proxy server; all my HTTPS traffic is forwarded to my Squid server from the DMZ, so users from outside connect to the Squid server, get a valid
SSL certificate from GeoTrust, and Squid redirects to the Exchange server on the internal LAN (Squid does NOT verify the local certificate
on Exchange).
Exchange valid ports are:
rpccfg /hd
exchange 593 6001-6002 6004
exchange netbios 593 6001-6002 6004
exchange (FQDN) 593 6001-6002 6004
All the default registry entries are correct on the Exchange server.
Do I need the NSPI interface protocol sequences entry on my DCs or not,
since I am using Exchange 2003 with SP2?
Here is my troubleshooting result.
Telnet on the Exchange server within the LAN:
On port 6001 it opens the port but a strange number appears, 000395691638, and when you press Enter the connection to the host is lost.
On port 6002 it opens the port with ncacn_http/1.0
On port 6004 it opens the port with ncacn_http/1.0
When I connect from outside with Outlook, Outlook establishes a connection over HTTPS for the directory but cannot connect
to the mail information store, and as a result Outlook shows disconnected.
I think the problem is somewhere in the registry, or something I am missing.
Can someone provide me the solution for this issue?
Best Regards.
Adil Syed
E-Mail adil.syed@holborn.com.cy
ASKER
As you mentioned, I added "NSPI interface protocol sequences" on both GCs.
Outlook is configured as you mentioned, and I have the same result.
Telnet on the Exchange server port 6001 gives me this: ¿¿ 000786010947
Telnet on the Exchange server port 6002 gives me ncacn_http/1.0
Telnet on the Exchange server port 6004 gives me ncacn_http/1.0
That means I cannot connect to the information store with port 6001.
Please provide me more help for the (valid port) entries on Exchange for RPC.
Please have the valid entries as mentioned below:
Exchangenetbios:6001-6002;exchangefqdn(i.e. hostname.domain.local):6001-6002;Exchangenetbios:6004;exchangefqdn(i.e. hostname.domain.local):6004;
Please try this; we don't require 593 as it is used only when we have an SBS server in the environment.
Please enter the exact entries as mentioned above and make sure you have a semicolon at the end of the entries.
Try this and revert back!
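An added example (not code from the thread or from Microsoft's rpccfg) that parses a ValidPorts string in the form recommended above and checks that 6001, 6002 and 6004 are covered for both the NetBIOS name and the FQDN. It treats an entry with no ':' (such as the empty entry left by a trailing ';') as an error, modelled on the rpccfg message shown later in the thread; the host names in the sample are constructed placeholders.

```python
"""Parse and check the RPC-over-HTTP ValidPorts string discussed above.
Added example, not code from the thread or from Microsoft's rpccfg."""
from typing import Dict, Set

# The three endpoint ports the thread wants covered for both server names.
REQUIRED_PORTS = {6001, 6002, 6004}

def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Return {host: ports}. Entries are 'host:port' or 'host:low-high' separated by ';'.

    An entry without ':' (e.g. the empty one left by a trailing ';') raises ValueError,
    modelled on the "Expected ':' in string ''" error rpccfg shows later in the thread.
    """
    table: Dict[str, Set[int]] = {}
    for entry in value.split(";"):
        if ":" not in entry:
            raise ValueError(f"Expected ':' in string '{entry}'")
        host, _, spec = entry.partition(":")
        low, _, high = spec.partition("-")
        low_port = int(low)
        high_port = int(high) if high else low_port
        if not 0 < low_port <= high_port <= 65535:
            raise ValueError(f"bad port range '{spec}'")
        table.setdefault(host.strip().lower(), set()).update(range(low_port, high_port + 1))
    return table

def missing_ports(value: str, netbios: str, fqdn: str) -> Dict[str, Set[int]]:
    """Which required ports are absent for the NetBIOS name and for the FQDN."""
    table = parse_valid_ports(value)
    return {name: REQUIRED_PORTS - table.get(name.lower(), set()) for name in (netbios, fqdn)}

# Constructed sample: the recommended value above with placeholder host names.
SAMPLE = ("exchange:6001-6002;exchange.domain.local:6001-6002;"
          "exchange:6004;exchange.domain.local:6004")
```

Because ValidPorts is the allow-list of internal hosts and ports the RPC proxy will forward to, the same parser can be used to confirm the list is no wider than the Exchange server's own names.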
ASKER
Sorry for the delay,
and thanks for your quick response. I tried the above registry entries.
If I put a semicolon at the end it gives me a syntax error:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Windows Resource Kits\Tools>rpccfg /hd
Error: Expected ':' in string ''.
The command did not complete successfully.
C:\Program Files\Windows Resource Kits\Tools>
Without the semicolon I got the entries.
But still the same problem: I cannot telnet to port 6001.
Waiting for your response.
Regards.
Please try the RPC over HTTPS connectivity test at testexchangeconnectivity.com and paste the error message here, so that we get more detailed information about the issue.
And sorry, it's not this colon ":", it's this ";".
And also please run netstat -ano to check which PID is using port 6001.
Please try that and revert back with the status.
Probably it seems that port 6001 is being listened on by some other service instead of store.exe.
Please run netstat -ano and check the port 6001, on which server it is listening to.
Try that and revert back if you have any issues.
ASKER
Below is the connectivity test result from an external PC:
ExRCA is testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Test Steps
Attempting to resolve the host name mail.holborn.com.cy in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 212.31.109.14
Testing TCP Port 443 on host mail.holborn.com.cy to ensure it is listening and open.
The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
The certificate name is being validated.
Successfully validated the certificate name
Additional Details
Found hostname mail.holborn.com.cy in Certificate Subject Common name
Certificate trust is being validated.
The test passed with some warnings encountered. Please expand the additional details.
Additional Details
Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information.
The certificate date is being confirmed to ensure the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
Certificate is valid: NotBefore = 8/8/2010 3:23:12 AM, NotAfter = 9/9/2010 7:18:05 AM
The IIS configuration is being checked for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates not configured.
Testing Http Authentication Methods for URL https://mail.holborn.com.cy/rpc/rpcproxy.dll
The HTTP authentication methods are correct.
Additional Details
Found all expected authentication methods and no disallowed methods. Methods Found: Basic
SSL mutual authentication with the RPC proxy server is being tested.
Mutual authentication was verified successfully.
Additional Details
Certificate common name mail.holborn.com.cy matches msstd:mail.holborn.com.cy
Attempting to Ping RPC Proxy mail.holborn.com.cy
RPC Proxy was pinged successfully.
Additional Details
Completed with HTTP status 200 - OK
Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server hemexch1.holborncy.local
The attempt to ping the endpoint failed.
Additional Details
RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime
Below is the netstat -a -o result:
Proto Local Address Foreign Address State PID
TCP exchange:6001 exchange.domain.local:0 LISTENING 2068
TCP exchange:6002 exchange.domain.local:0 LISTENING 2980
TCP exchange:6004 exchange.domain.local:0 LISTENING 2980
exchange:6001 mail.domain.com:2290 CLOSE_WAIT 2068
exchange:6001 mail.domain.com:2292 CLOSE_WAIT 2068
exchange:6001 mail.domain.com:2306 CLOSE_WAIT 2068
exchange:6001 mail.domain.com:2324 CLOSE_WAIT 2068
exchange:6001 mail.domain.com:2331 CLOSE_WAIT 2068
exchange:6001 mail.domain.com:2347 CLOSE_WAIT 2068
Regards.
Adil
Did you check which process is utilizing port 6001?
exchange:6001 exchange.domain.local:0 LISTENING 2068
Please check 2068 in Task Manager: add the PID column and check which service is utilizing the process; 6001 might be used by some other process.
Please try that and revert back!
Thanks!
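The PID-to-process check suggested above, as an added example (not code from the thread): it correlates `netstat -a -o` rows with `tasklist` rows and reports which image owns each RPC-over-HTTP port. The netstat rows are constructed from the thread's output; the tasklist rows, the image names, and the assumption that 6002/6004 belong to mad.exe (the System Attendant) are this example's, not the thread's.

```python
"""Correlate 'netstat -a -o' with 'tasklist' to see which image owns each Exchange
RPC-over-HTTP port. Added example, not code from the thread."""
import re
from typing import Dict, List, Tuple

# netstat rows constructed from the thread's output (its placeholder host names);
# the tasklist rows and image names are constructed for this example.
NETSTAT_SAMPLE = """
TCP    exchange:6001    exchange.domain.local:0    LISTENING    2068
TCP    exchange:6002    exchange.domain.local:0    LISTENING    2980
TCP    exchange:6004    exchange.domain.local:0    LISTENING    2980
TCP    exchange:6001    mail.domain.com:2290       CLOSE_WAIT   2068
"""
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
otherclient.exe             2068 Console                 0     12,345 K
mad.exe                     2980 Console                 0     45,678 K
store.exe                   3104 Console                 0    456,789 K
"""
# 6001 -> store.exe is what the thread states; 6002/6004 -> mad.exe (System
# Attendant) is this example's assumption, not something the thread confirms.
EXPECTED = {6001: "store.exe", 6002: "mad.exe", 6004: "mad.exe"}

def listening_pids(netstat: str) -> Dict[int, int]:
    """Map local TCP port -> PID for LISTENING rows only (CLOSE_WAIT rows are skipped)."""
    out: Dict[int, int] = {}
    for line in netstat.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            out[int(m.group(1))] = int(m.group(2))
    return out

def image_names(tasklist: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from tasklist's default table output."""
    out: Dict[int, str] = {}
    for line in tasklist.splitlines():
        m = re.match(r"\s*(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            out[int(m.group(2))] = m.group(1).lower()
    return out

def port_owner_report(netstat: str, tasklist: str) -> List[Tuple[int, str, bool]]:
    """Per expected port: (port, owning image or 'not listening', matches EXPECTED)."""
    pids, names = listening_pids(netstat), image_names(tasklist)
    report = []
    for port, want in sorted(EXPECTED.items()):
        owner = names.get(pids.get(port, -1), "not listening")
        report.append((port, owner, owner == want))
    return report
```

On the sample, 6001 is reported as owned by otherclient.exe rather than store.exe, which is the condition the thread ends up diagnosing.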
ASKER
Yes, you are right: port 6001 was listening on PID 2068, which was being used by some other client application
other than store.exe. I removed that client application and now store.exe is listening on port 6001,
and the problem is solved. But later I will try again and install that client application
and see if it utilizes another port than 6001.
Thank you very much for your help in solving this issue for me.
Please, if you can, continue to help me, since I would like to have ActiveSync set up as well on my
Exchange. I have ActiveSync enabled on my Exchange as well,
but when I try to connect to https://exchangeserver/oma, after login it gives me this error:
(A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator).
I read from the Microsoft KB 817379 article that I have to create a separate virtual directory for OMA and
ActiveSync.
Please can you provide me the right steps from the beginning to set up SSL ActiveSync on Exchange 2003
with SP2.
Regards.
Adil
ASKER CERTIFIED SOLUTION
ASKER
Hi,
Sorry for the late response, because some other things came up. First of all, thanks a lot for your help;
your response was very quick all the time. I managed to get ActiveSync working with your help.
You can close this question.
Best Regards.
Adil Syed
Kindly select one of the comments as the accepted solution to close the question.
And also please make sure that you have the above-mentioned registry entry on both GCs.
While configuring the Outlook client, please select the options:
Enter the external link which we use to access OWA externally.
Select Basic Authentication and also select both the slow and fast network options in the Exchange proxy settings.
Please check the above mentioned settings and please do revert back if you have any issues.