Solved

Outlook is not connecting by proxy, what to do?

Posted on 2010-09-07
72
806 Views
Last Modified: 2012-06-22
Hello!

For a few days all my users have had a problem with connecting to Exchange Server through proxy.
While in the LAN, everything works great; they can't check their emails when out of the office.
For the last few months everything was fine. Now, without VPN, it's impossible to check emails.

Exchange 2008, Outlook 2007&2010.

Can you give me some advice what to check and where?
0
Question by:piatkos_oxyt
72 Comments
 
LVL 26

Expert Comment

by:e_aravind
ID: 33616737
Looks like Outlook-Anywhere is broken

Can you check if you can access
https://domain-name/rpcproxy/rpcproxy.dll from the Internet location's (Internet Explorer)

If needed
Check on the CAS servers Application logs; or IIS logs
0
 
LVL 2

Expert Comment

by:tspreeth
ID: 33616738
Hi ,
Check the Test Email Auto Configuration from LAN and from Internet and check what is the difference in settings.
Right Click on the Outlook Icon on the right hand bottom corner of your screen holding control key. Select Test email Auto Configuration and run it. Give your email id and password.
Based on these settings it can be checked.
0
 

Author Comment

by:piatkos_oxyt
ID: 33616771
> Looks like Outlook-Anywhere is broken

might be... but OWA is working perfectly.

> Can you check if you can access
> https://domain-name/rpcproxy/rpcproxy.dll from the Internet location's (Internet Explorer)

404 - file not found. Where to look for it?

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33616778
most probably this is because your packets are getting fragmented over VPN.
Exchange/outlook connectivity requires packets not be fragmented during transport.

a) If you want to go the VPN way, configure your max MTU settings as per this article
ping exchangename -f -l 1462
Increase it by 3/5 till you get ping back.
Configure your firewall Max MTU with that

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/A_3110-Setting-WAN-MTU-Size-For-Sonicwall-Appliances.html

b) If you don't want to go that route
Configure your outlook to access exchange over RPC/HTTPS
http://www.msexchange.org/tutorials/outlookrpchttp.html

check the guide here on how to configure outlook anywhere in exchange 2007
http://www.exchange-genie.com/2008/02/configuring-outlook-anywhere-for-exchange-2007-sp1/
0
 

Author Comment

by:piatkos_oxyt
ID: 33616818
sunnyc7:

I don't want to use VPN to use Outlook, but now after connecting through VPN everything works well. Without it - nothing.

e_aravind:
I've found this URL working:
https://my.domain/rpc/rpcproxy.dll

tspreeth:
In LAN this test is successful. From internet it is not working. But I think it never was.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33616841
I don't want to use VPN to use Outlook, but now after connecting through VPN everything works well. Without it - nothing.

>> that means mailboxes are not local to exchange ?
If you can't ping exchange server, there is no way you can connect to it.

Better to configure using RPC/HTTPS IMHO
0
 
LVL 2

Expert Comment

by:tspreeth
ID: 33616862

Is it Outlook Anywhere enabled on CAS Server?
If yes then is Outlook Anywhere published over ISA server?
If yes then on the Rule run Test Rule and check if it's successful.
 
0
 

Author Comment

by:piatkos_oxyt
ID: 33616874
The problem is exactly in RPC/HTTPS.
Exchange server is behind firewall router, ...
Outlooks are configured to use https connection to OWA (exchange proxy).
It was working for half a year ;-) from few days it's not.
0
 

Author Comment

by:piatkos_oxyt
ID: 33616928
tspreeth:
>Is it Outlook Anywhere enabled on CAS Server?

I only have Outlook Web Access. I don't see Outlook Anywhere, anywhere in configuration ;-)

>If yes then is Outlook Anywhere published over ISA server?

OWA is.

>If yes then on the Rule run Test Rule and check if it's successful.

Where can I find such a test?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33616933
Did u install any updates ?
0
 

Author Comment

by:piatkos_oxyt
ID: 33616955
sunnyc7:
>Did u install any updates ?

Not by myself, but I can not deny :(

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33616968
Open windows updates from control panel
on the left tab there is a update history.

Check if there are any updates installed since the last time your outlook config was working.
Check this on the server.

and also check on the workstation if any updates were installed.

thanks
0
 

Author Comment

by:piatkos_oxyt
ID: 33616972
sunnyc7:
>Did u install any updates ?

CHECKED: there are no updates installed in last month.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33617006
Go here
www.testexchangeconnectivity.com/

test for outlook anywhere

Manually enter your proxy settings there

Try it for NTLM as well as BASIC authentication.

copy paste the results here.

thanks
0
 

Author Comment

by:piatkos_oxyt
ID: 33617050
sunnyc7:

ExRCA is testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to resolve the host name mydomain.mmm in DNS.
       Host successfully resolved
       
      Additional Details
       IP(s) returned: 11.11.11.11
      Testing TCP Port 443 on host big.ik.pl to ensure it is listening and open.
       The port was opened successfully.
      ExRCA is testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      The certificate name is being validated.
       Successfully validated the certificate name
       
      Additional Details
       Found hostname mydomain in Certificate Subject Common name
      Certificate trust is being validated.
       Certificate trust validation failed.
       
      Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.


I've checked the certificate on OWA (https://mydomain/owa/) and it's OK. It has a good FQDN in it, I have my root CA installed.
How can I check what certificate is used by this test?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33617062
There is a link above called Expand All - click that.

Question - did you install a UCC/SAN cert or a self signed cert for RPC/HTTPS

Also open inetmgr
click on server
on the right tab there is SSL
double click that and see what certificate is installed on IIS
0
 

Author Comment

by:piatkos_oxyt
ID: 33617112
sunnyc7:

I've checked. I have there few certificates. All are OK (valid).
I use self signed cert. My root CA cert is installed on workstations.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33617133
Did you install the intermediate cert in ISA as well as Exchange ?
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33617217
Can you access https://yourdomain/oma

Outlook Mobile Access?
0
 

Author Comment

by:piatkos_oxyt
ID: 33617261
On IIS on my server I have 5 certificates including this for my site and it's issuer.
On website in IIS I don't have information which certificates are used, but I connected to https://mydomain/owa/ and checked it - it is OK.

How to check certificates used by exchange?
0
 

Author Comment

by:piatkos_oxyt
ID: 33617277
boxerenterprises:
>Can you access https://yourdomain/oma

nope. I have no such "site" configured in IIS.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33617291
Get-ExchangeCertificate | fl

> checks certs installed by exchange
Verify the thumbprint.

0
 

Author Comment

by:piatkos_oxyt
ID: 33617400
sunnyc7:
> Get-ExchangeCertificate | fl

both required certs are there and thumbprints are OK.

0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33617558
Here is a troubleshooting guide for RPC over HTTPS
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html
0
 

Author Comment

by:piatkos_oxyt
ID: 33617594
boxerenterprises:

I saw that. Nothing there helped me :(

I suppose problem is in a certificate, but I don't know what else to check.
When I'm visiting my OWA from IE everything's OK.
I tried to visit https://mysite/owa/ from lynx on remote linux machine and I got there:
SSL error:no issuer was found-Continue? (y)

Any ideas?
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33617638
I'm not sure this is a certificate problem. I have been forced to crawl through each setting in IIS before to correct problems like this that just started to happen after having worked fine for months or even years.

It's the RPC directory in IIS that is most relevant. Do you happen to have an IIS configuration backup you could restore?
0
 

Author Comment

by:piatkos_oxyt
ID: 33617683
boxerenterprises:
RPC seems to be OK.

I've checked on testexchangeconnectivity.com connection through ActiveSync. Also there I have an error with certificate:
The certificate chain couldn't be built. You may be missing required intermediate certificates.

How to check what certificates are sent by my server?


0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33617747
what version of IIS are you running?
0
 

Author Comment

by:piatkos_oxyt
ID: 33617748
I've connected to my site from remote linux.
It seems that server sends only one certificate for my domain.
Where to force IIS to send also my CA cert?
0
 

Author Comment

by:piatkos_oxyt
ID: 33617767
IIS 7
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33617900
Take a look at the certificates IIS is using and see if they are correct
certs.PNG
0
 

Author Comment

by:piatkos_oxyt
ID: 33619933
boxerenterprises:
these are correct.
But I have there 5 certs. One of them is that for my site, another - it's my root-CA.

For that moment I think problem is that when you enter my site you get only this one for my domain, not both of them (whole chain).
In options I only found place where I decide which certificate to send. But I can't choose two of them.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620245
I re-read your original question and the answer seemed obvious.

While in the lan, everything works great, they can't check their emails being out of office.
For the last few month everything was fine. Now, without VPN, it's impossible to check emails.
>>
a) you are using self-signed certificates.
b) The reason it worked before with VPN is
You were connecting to mail.domain.local - where the certificate was issued to - mail.domain.local (self-signed)
c) When you try to connect using RPC/HTTPS - you are trying to connect to

mail.domain.com (External FQDN)
Hence your certificate should also be issued for mail.domain.com.
You can't create a self-signed for that - you will have to buy a UCC/SAN cert

d) Your RPC/HTTPS will fail if you are trying to connect to mail.domain.com
it will pass - if you are trying to connect to mail.domain.local

So the resolution in your case is
1) buy ucc/san cert for these 4 names

mail.domain.com
autodiscover.domain.com
mailservername.domain.local
mailservername

and then issue the cert to exchange server.

post back if you have any questions.
0
 

Author Comment

by:piatkos_oxyt
ID: 33620422
sunnyc7:
thanks for the answer, but I don't get it.

till last week I didn't need to start VPN to check emails.
Nothing changed and now I need: buy certificate or use VPN.
Why?

I have trusted certificate for wildcard: *.mydomain
Can I use it on my IIS?
Is there an option to import such certificate (generated few months ago for another server) on my IIS? I've created it on another linux machine. How can I do that?

0

 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620481
Trusted Wildcard cert is issued by who ? is it by a Web based certificate authority or self signed-cert ?

when you ran get-exchangecertificate | fl
did all the results show-up with
IsSelfSigned : > True ?

0
 

Author Comment

by:piatkos_oxyt
ID: 33620588
sunnyc7:
Wildcard cert issued by GigaOne.

IsSelfSigned: only on two of them. One is for my CA on Windows 2008 SBS, another on some strange named cert:
CN=WMSvc-WIN-USS9SIODHAR
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620631
in your outlook MSSTD box

are you typing
*.domain.com
or mail.domain.com

try it with *.domain.com in outlook and see if that works ?
0
 

Author Comment

by:piatkos_oxyt
ID: 33620669
no no no...

On my exchange (iis) there is no wildcard certificate. I use it on other webserver running apache under linux.
If it's possible I can import this cert to IIS, but I don't know how. I have CSR I used to get it, and the certificate from GigaOne.
When I tried to import it in IIS it asks me for some password - which I don't know :(

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620679
0
 

Author Comment

by:piatkos_oxyt
ID: 33620942
unfortunately this tool is unable to import my cert :(

I've created new cert using this program. Cert for all my domains.
Using it outlook shows me an error:

cert-error.png
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33621114
What is the proxy server you are connecting to ?

is it a *.domain ?
0
 

Author Comment

by:piatkos_oxyt
ID: 33621126
Now another issue after using this soft.
Although I removed this new cert from server (I can't see it anymore) all my sites (and also exchange) are using it and showing errors :(
0
 

Author Comment

by:piatkos_oxyt
ID: 33621134
yaps... its big.mydomain
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33621185
ok. If that didn't work. Then try the power shell.

See the screenshot guide and commands here
http://www.exchangeinbox.com/article.aspx?i=127
0
 

Author Comment

by:piatkos_oxyt
ID: 33621245
OK. I will try it, but once again procedure begins from generating CSR to some CA.
As far as I see if I already created CSR from another computer I'm unable to import cert to Windows.
I'll check it.
0
 

Author Comment

by:piatkos_oxyt
ID: 33621289
anyway - why do I need new cert?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33621295
I am really not sure what cert was applied @ since you mentioned you applied a new cert by the tool and its not working.

Hence = Go clean slate.
0
 

Author Comment

by:piatkos_oxyt
ID: 33621420
OK. I removed this "new" cert issued by this soft.
Now I'm using the same cert as for the last months.
But the problem still exists :(

0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33624906
Sorry if you've already answered this somewhere, but now that you're back to the start, what error message do you currently get from Outlook when trying to connect using RPC over HTTPS?
0
 

Author Comment

by:piatkos_oxyt
ID: 33625048
I receive no error. Just "trying to connect" and then - "Disconnected".
Nothing in event logs - both on workstation and server :(
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33625098
I really don't think this is a certificate problem. You would be getting an error message like you did when you messed with the certs.

I still feel the problem is in IIS.
0
 

Author Comment

by:piatkos_oxyt
ID: 33625106
boxerenterprises:
OK. it may be in IIS. But where to look and what to look for?

0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33625132
OK, I have an idea. You can re-install the RPC over HTTP proxy which will configure IIS

Go to add or remove windows components
drill to networking services
uninstall RPC over HTTP proxy then re-install
0
 

Author Comment

by:piatkos_oxyt
ID: 33625340
OK, I'll try it, but to do this I need to restart server what will be possible in the evening.
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33625380
OK. In the meantime here is something else i've found for testing connectivity

RPCPing:

RpcPing is a utility that we can use to troubleshoot or validate that our rpc proxy is working properly.
Rpc ping is a command line tool that can be found in the Windows 2003 resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en We can use this tool to test rpc connectivity through an rpc proxy server which is used for Outlook Anywhere.

You can use this MS article to assist with this utility http://support.microsoft.com/kb/831051
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33631733
run this from the workstation

RPCPing.exe -t ncacn_http -o RpcProxy=fqdn.yourdomain.com -P "testuser,yourdomain,testpassword" -I "testuser,yourdomain,testpassword" -H 1 -u 10 -a connect -F 3 -E -v 3 -R none -q

See if you get a response back / post error codes
0
 

Author Comment

by:piatkos_oxyt
ID: 33634361
RPC over HTTP reinstalled and the problem still exists :(

RPCping result:


RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.1

RPCPinging proxy server mydomain with Echo Request Packet
Sending ping to server
Response from server received: 405
Ping failed.



0
 

Author Comment

by:piatkos_oxyt
ID: 33635477
ok.
after reinstalling of RPC/HTTP they were located in "default site" not in "sbs web applications".
Now they are on the place and I receive:

RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
 RPCPing set Activity ID:  {1a9a4233-65ff-4cca-a78d-45cf70a49be8}
 RPCPinging proxy server myserver  with Echo Request Packet
 Setting autologon policy to high
 WinHttpSetCredentials for target server called
 Error 87 : The parameter is incorrect.
 returned in WinHttpSetCredentials
 Ping failed
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33635937
Can you ping the server first before trying to rpcping ?
0
 

Author Comment

by:piatkos_oxyt
ID: 33636048
sure.
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33644411
Ah.. I didn't realise you were running a small business server.

Re-run the connect to the internet wizard.
0
 

Author Comment

by:piatkos_oxyt
ID: 33660081
which wizard do you mean ?
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660188
Sorry, in SBS2008 it's the wizard highlighted.
Capture.PNG
0
 

Author Comment

by:piatkos_oxyt
ID: 33660328
it didn't work
0
 

Author Comment

by:piatkos_oxyt
ID: 33680179
still not working:

Rpcping:
C:\>rpcping -t ncacn_http -s *** -o RpcProxy=*** -P "***,***,*" -I "***,***,*" -H 1 -u 10 -a connect -F 3  -v 3 -E -R none
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.0, Service Pack 1
Enter password for server:
Enter password for RPC/HTTP proxy:

RPCPinging proxy server ***.local with Echo Request Packet
Sending ping to server
Response from server received: 405
Ping failed.


Rpcdump:
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34222255
Most RPC over HTTP issues are caused by SSL certificates.

Can you please export the SSL certificate from the server and Import it onto the client via IE.

Export the Certificate via IIS then Import as follows:

Copy the certificate.cer file to the client computer on a USB stick and then do the following:

Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab.  Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK.  Click Next and then Finish.  Click OK on the next prompt.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34222274
Your Current SSL certificate is self-issued and thus not trusted.  Do you have your 3rd party SSL certificate still?

If you don't - I would recommend buying a GoDaddy one - they are cheap, trusted and hassle free.

Once installed - your problems should go away.

Make sure you get a SAN / UCC certificate with the following names in:

mail.domain.com (or whatever you are using to point to your domain)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites (if you are using SBS 2008)
0
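The name lists in the accepted answer and in sunnyc7's earlier reply can be checked against a certificate's SAN entries before buying or installing it. The following is an added example, not part of the original thread; it generalizes to wildcard entries such as the asker's `*.mydomain` certificate, and all host names are the thread's placeholders while the SAN lists are constructed.

```python
# Added example: which of the names Outlook Anywhere clients will use are
# actually covered by a certificate's SAN dNSName entries?

# Names from the accepted answer (placeholders, not real hosts).
REQUIRED_NAMES = [
    "mail.domain.com",
    "autodiscover.domain.com",
    "internalservername.internaldomain.local",
    "internalservername",
    "sites",
]


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_matches(pattern, host):
    """Return True if one SAN dNSName entry covers `host`.

    Usual RFC 6125 client rules: case-insensitive, '*' honoured only as the
    entire left-most label, and it stands for exactly one label.
    Simplification (assumption): a wildcard needs at least two labels to its
    right, so '*.com' and '*.local' never match.
    """
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the left-most label is refused
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as 'mail*.domain.com' are refused
    return p == h


def coverage(san_entries, required=REQUIRED_NAMES):
    """Map each required name to the first SAN entry that covers it, or None."""
    return {
        name: next((s for s in san_entries if san_matches(s, name)), None)
        for name in required
    }


def missing_names(san_entries, required=REQUIRED_NAMES):
    """Names for which a client would report a name mismatch."""
    return [n for n, hit in coverage(san_entries, required).items() if hit is None]


if __name__ == "__main__":
    # Constructed SAN lists for three candidate certificates.
    candidates = {
        "wildcard only": ["*.domain.com"],
        "internal self-issued": [
            "internalservername.internaldomain.local",
            "internalservername",
            "sites",
        ],
        "SAN/UCC": list(REQUIRED_NAMES),
    }
    for label, sans in candidates.items():
        gaps = missing_names(sans)
        print(f"{label:22} missing: {', '.join(gaps) if gaps else 'none'}")
```

Name coverage is separate from chain trust: the ExRCA failure quoted earlier in the thread is a chain-building error, which this check does not test.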
 
LVL 68

Expert Comment

by:Qlemo
ID: 34459582
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
