  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 830

Outlook is not connecting by proxy, what to do?

Hello!

For a few days all my users have had a problem connecting to Exchange Server through proxy.
While in the LAN, everything works great, but they can't check their emails when out of the office.
For the last few months everything was fine. Now, without VPN, it's impossible to check emails.

Exchange 2008, Outlook 2007&2010.

Can you give me some advice what to check and where?
0
piatkos_oxyt
Asked:
1 Solution
 
e_aravindCommented:
Looks like Outlook-Anywhere is broken

Can you check if you can access
https://domain-name/rpcproxy/rpcproxy.dll from the Internet location's (Internet Explorer)

If needed
Check on the CAS servers Application logs; or IIS logs
0
 
tspreethCommented:
Hi ,
Check the Test Email Auto Configuration from LAN and from Internet and check what the difference in settings is.
Right-click on the Outlook icon in the bottom right-hand corner of your screen while holding the Control key. Select Test Email Auto Configuration and run it. Give your email ID and password.
Based on this settings it can be checked.
0
 
piatkos_oxytAuthor Commented:
> Looks like Outlook-Anywhere is broken

might be... but OWA is working perfectly.

> Can you check if you can access
> https://domain-name/rpcproxy/rpcproxy.dll from the Internet location's (Internet Explorer)

404 - file not found. Where to look for it?

0
 
sunnyc7Commented:
most probably this is because your packets are getting fragmented over VPN.
Exchange/outlook connectivity requires packets not be fragmented during transport.

a) If you want to go the VPN way, configure your max MTU settings as per this article
ping exchangename -f -l 1462
Increase it by 3/5 till you get ping back.
Configure your firewall Max MTU with that

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/A_3110-Setting-WAN-MTU-Size-For-Sonicwall-Appliances.html

b) If you don't want to go that route
Configure your outlook to access exchange over RPC/HTTPS
http://www.msexchange.org/tutorials/outlookrpchttp.html

check the guide here on how to configure outlook anywhere in exchange 2007
http://www.exchange-genie.com/2008/02/configuring-outlook-anywhere-for-exchange-2007-sp1/
0
 
piatkos_oxytAuthor Commented:
sunnyc7:

I don't want to use VPN to use Outlook, but now after connecting through VPN everything works well. Without it - nothing.

e_aravind:
I've found this URL working:
https://my.domain/rpc/rpcproxy.dll

tspreeth:
In LAN this test is successful. From internet it is not working. But I think it never was.

0
 
sunnyc7Commented:
I don't want to use VPN to use Outlook, but now after connecting through VPN everything works well. Without it - nothing.

>> that means mailboxes are not local to exchange ?
If you can't ping exchange server. There is no way you can connect it.

Better to configure using RPC/HTTPS IMHO
0
 
tspreethCommented:

Is it Outlook Anywhere enabled on CAS Server?
If yes then is Outlook Anywhere published over ISA server?
If yes then on the Rule, run Test Rule and check if it's successful.
 
0
 
piatkos_oxytAuthor Commented:
The problem is exactly in RPC/HTTPS.
Exchange server is behind firewall router, ...
Outlooks are configured to use https connection to OWA (exchange proxy).
It was working for half a year ;-) for the last few days it's not.
0
 
piatkos_oxytAuthor Commented:
tspreeth:
>Is it Outlook Anywhere enabled on CAS Server?

I only have Outlook Web Access. I don't see Outlook Anywhere, anywhere in configuration ;-)

>If yes then is Outlook Anywhere published over ISA server?

OWA is.

>If yes then on the Rule, run Test Rule and check if it's successful.

Where can I find such a test?
0
 
sunnyc7Commented:
Did u install any updates ?
0
 
piatkos_oxytAuthor Commented:
sunnyc7:
>Did u install any updates ?

Not by myself, but I can not deny :(

0
 
sunnyc7Commented:
Open windows updates from control panel
on the left tab there is a update history.

Check if there are any updates installed since the last time your outlook config was working.
Check this on the server.

and also check on the workstation if any updates were installed.

thanks
0
 
piatkos_oxytAuthor Commented:
sunnyc7:
>Did u install any updates ?

CHECKED: there are no updates installed in last month.
0
 
sunnyc7Commented:
Go here
www.testexchangeconnectivity.com/

test for outlook anywhere

Manually enter your proxy settings there

Try it for NTLM as well as BASIC authentication.

copy paste the results here.

thanks
0
 
piatkos_oxytAuthor Commented:
sunnyc7:

ExRCA is testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to resolve the host name mydomain.mmm in DNS.
       Host successfully resolved
       
      Additional Details
       IP(s) returned: 11.11.11.11
      Testing TCP Port 443 on host big.ik.pl to ensure it is listening and open.
       The port was opened successfully.
      ExRCA is testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      The certificate name is being validated.
       Successfully validated the certificate name
       
      Additional Details
       Found hostname mydomain in Certificate Subject Common name
      Certificate trust is being validated.
       Certificate trust validation failed.
       
      Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.


I've checked the certificate on OWA (https://mydomain/owa/) and it's OK. It has a good FQDN in it, I have my root CA installed.
How can I check what certificate is used by this test?
0
 
sunnyc7Commented:
There is a link above called Expand All - click that.

Question - did you install a UCC/SAN cert or a self signed cert for RPC/HTTPS

Also open inetmgr
click on server
on the right tab there is SSL
double click that and see what certificate is installed on IIS
0
 
piatkos_oxytAuthor Commented:
sunnyc7:

I've checked. I have there few certificates. All are OK (valid).
I use self signed cert. My root CA cert is installed on workstations.

0
 
sunnyc7Commented:
Did you install the intermediate cert in ISA as well as Exchange ?
0
 
boxerenterprisesCommented:
Can you access https://yourdomain/oma

Outlook Mobile Access?
0
 
piatkos_oxytAuthor Commented:
On IIS on my server I have 5 certificates including this for my site and it's issuer.
On website in IIS I don't have information which certificates are used, but I connected to https://mydomain/owa/ and checked it - it is OK.

How to check certificates used by exchange?
0
 
piatkos_oxytAuthor Commented:
boxerenterprises:
>Can you access https://yourdomain/oma

nope. I have no such "site" configured in IIS.
0
 
sunnyc7Commented:
Get-ExchangeCertificate | fl

> checks certs installed by exchange
Verify the thumbprint.

0
 
piatkos_oxytAuthor Commented:
sunnyc7:
> Get-ExchangeCertificate | fl

both required certs are there and thumbprints are OK.

0
 
boxerenterprisesCommented:
Here is a troubleshooting guide for RPC over HTTPS
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html
0
 
piatkos_oxytAuthor Commented:
boxerenterprises:

I saw that. Nothing there helped me :(

I suppose problem is in a certificate, but I don't know what else to check.
When I'm visiting my OWA from IE everything's OK.
I tried to visit https://mysite/owa/ from lynx on a remote Linux machine and I got there:
SSL error:no issuer was found-Continue? (y)

Any ideas?
0
 
boxerenterprisesCommented:
I'm not sure this is a certificate problem. I have been forced to crawl through each setting in IIS before to correct problems like this that just started to happen after having worked fine for months or even years.

It's the RPC directory in IIS that is most relevant. Do you happen to have an IIS configuration backup you could restore?
0
 
piatkos_oxytAuthor Commented:
boxerenterprises:
RPC seems to be OK.

I've checked on testexchangeconnectivity.com connection through ActiveSync. Also there I have an error with certificate:
The certificate chain couldn't be built. You may be missing required intermediate certificates.

How to check what certificates are sent by my server?


0
 
boxerenterprisesCommented:
what version of IIS are you running?
0
 
piatkos_oxytAuthor Commented:
I've connected to my site from remote Linux.
It seems that server sends only one certificate for my domain.
Where to force IIS to send also my CA cert?
0
 
piatkos_oxytAuthor Commented:
IIS 7
0
 
boxerenterprisesCommented:
Take a look at the certificates IIS is using and see if they are correct
certs.PNG
0
 
piatkos_oxytAuthor Commented:
boxerenterprises:
these are correct.
But I have there 5 certs. One of them is that for my site, another - it's my root-CA.

For that moment I think problem is that when you enter my site you get only this one for my domain, not both of them (whole chain).
In options I only found place where I decide which certificate to send. But I can't choose two of them.
0
 
sunnyc7Commented:
I re-read your original question and the answer seemed obvious.

While in the LAN, everything works great, but they can't check their emails when out of the office.
For the last few months everything was fine. Now, without VPN, it's impossible to check emails.
>>
a) you are using self-signed certificates.
b) The reason it worked before with VPN is
You were connecting to mail.domain.local - where the certificate was issued to - mail.domain.local (self-signed)
c) When you try to connect using RPC/HTTPS - you are trying to connect to

mail.domain.com (External FQDN)
Hence your certificate should also be issued for mail.domain.com.
You can't create a self-signed for that - you will have to buy a UCC/SAN cert

d) Your RPC/HTTPS will fail if you are trying to connect to mail.domain.com
it will pass - if you are trying to connect to mail.domain.local

So the resolution in your case is
1) buy ucc/san cert for these 4 names

mail.domain.com
autodiscover.domain.com
mailservername.domain.local
mailservername

and then issue the cert to exchange server.

post back if you have any questions.
0
 
piatkos_oxytAuthor Commented:
sunnyc7:
thanks for the answer, but I don't get it.

till last week I didn't need to start VPN to check emails.
Nothing changed and now I need: buy certificate or use VPN.
Why?

I have trusted certificate for wildcard: *.mydomain
Can I use it on my IIS?
Is there an option to import such certificate (generated few months ago for another server) on my IIS? I've created it on another linux machine. How can I do that?

0
 
sunnyc7Commented:
Trusted Wildcard cert is issued by who ? is it by a Web based certificate authority or self signed-cert ?

when you ran get-exchangecertificate | fl
did all the results show-up with
IsSelfSigned : > True ?

0
 
piatkos_oxytAuthor Commented:
sunnyc7:
Wildcard cert issued by GigaOne.

IsSelfSigned: only on two of them. One is for my CA on Windows 2008 SBS, another on some strange named cert:
CN=WMSvc-WIN-USS9SIODHAR
0
 
sunnyc7Commented:
in your outlook MSSTD box

are you typing
*.domain.com
or mail.domain.com

try it with *.domain.com in outlook and see if that works ?
0
 
piatkos_oxytAuthor Commented:
no no no...

On my exchange (IIS) there is no wildcard certificate. I use it on other webserver running Apache under Linux.
If it's possible I can import this cert to IIS, but I don't know how. I have CSR I used to get it, and the certificate from GigaOne.
When I tried to import it in IIS it asks me for some password - which I don't know :(

0
 
piatkos_oxytAuthor Commented:
unfortunately this tool is unable to import my cert :(

I've created new cert using this program. Cert for all my domains.
Using it outlook shows me an error:

cert-error.png
0
 
sunnyc7Commented:
What is the proxy server you are connecting to ?

is it a *.domain ?
0
 
piatkos_oxytAuthor Commented:
Now another issue after using this soft.
Although I removed this new cert from server (I can't see it anymore) all my sites (and also exchange) are using it and showing errors :(
0
 
piatkos_oxytAuthor Commented:
yaps... its big.mydomain
0
 
sunnyc7Commented:
ok. If that didnt work. Then try the power shell.

See the screenshot guide and commands here
http://www.exchangeinbox.com/article.aspx?i=127
0
 
piatkos_oxytAuthor Commented:
OK. I will try it, but once again procedure begins from generating CSR to some CA.
As far as I see if I already created CSR from another computer I'm unable to import cert to Windows.
I'll check it.
0
 
piatkos_oxytAuthor Commented:
anyway - why do I need new cert?
0
 
sunnyc7Commented:
I am really not sure what cert was applied @ since you mentioned you applied a new cert by the tool and its not working.

Hence = Go clean slate.
0
 
piatkos_oxytAuthor Commented:
OK. I removed this "new" cert issued by this soft.
Now I'm using the same cert as for the last months.
But the problem still exists :(

0
 
boxerenterprisesCommented:
Sorry if you've already answered this somewhere, but now that you're back to the start, what error message do you currently get from Outlook when trying to connect using RPC over HTTPS?
0
 
piatkos_oxytAuthor Commented:
I receive no error. Just "trying to connect" and then - "Disconnected".
Nothing in event logs - both on workstation and server :(
0
 
boxerenterprisesCommented:
I really don't think this is a certificate problem. You would be getting an error message like you did when you messed with the certs.

I still feel the problem is in IIS.
0
 
piatkos_oxytAuthor Commented:
boxerenterprises:
OK. it may be in IIS. But where to look and what to look for?

0
 
boxerenterprisesCommented:
OK, I have an idea. You can re-install the RPC over HTTP proxy which will configure IIS

Go to add or remove windows components
drill to networking services
uninstall RPC over HTTP proxy then re-install
0
 
piatkos_oxytAuthor Commented:
OK, I'll try it, but to do this I need to restart server what will be possible in the evening.
0
 
boxerenterprisesCommented:
OK. In the meantime here is something else i've found for testing connectivity

RPCPing:

RpcPing is a utility that we can use to troubleshoot or validate that our rpc proxy is working properly.
Rpc ping is a command line tool that can be found in the Windows 2003 resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en We can use this tool to test rpc connectivity through an rpc proxy server which is used for Outlook Anywhere.

You can use this MS article to assist with this utility http://support.microsoft.com/kb/831051
0
 
sunnyc7Commented:
run this from the workstation

RPCPing.exe -t ncacn_http -o RpcProxy=fqdn.yourdomain.com -P "testuser,yourdomain,testpassword" -I "testuser,yourdomain,testpassword" -H 1 -u 10 -a connect -F 3 -E -v 3 -R none -q

See if you get a response back / post error codes
0
 
piatkos_oxytAuthor Commented:
RPC over HTTP reinstalled and the problem still exists :(

RPCping result:


RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.1

RPCPinging proxy server mydomain with Echo Request Packet
Sending ping to server
Response from server received: 405
Ping failed.



0
 
piatkos_oxytAuthor Commented:
ok.
after reinstalling of RPC/HTTP they were located in "default site" not in "sbs web applications".
Now they are on the place and I receive:

RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
 RPCPing set Activity ID:  {1a9a4233-65ff-4cca-a78d-45cf70a49be8}
 RPCPinging proxy server myserver  with Echo Request Packet
 Setting autologon policy to high
 WinHttpSetCredentials for target server called
 Error 87 : The parameter is incorrect.
 returned in WinHttpSetCredentials
 Ping failed
0
 
sunnyc7Commented:
Can you ping the server first before trying to rpcping ?
0
 
piatkos_oxytAuthor Commented:
sure.
0
 
boxerenterprisesCommented:
Ah.. I didn't realise you were running a small business server.

Re-run the connect to the internet wizard.
0
 
piatkos_oxytAuthor Commented:
which wizard do you mean ?
0
 
boxerenterprisesCommented:
Sorry, in SBS2008 it's the wizard highlighted.
Capture.PNG
0
 
piatkos_oxytAuthor Commented:
it didn't work
0
 
piatkos_oxytAuthor Commented:
still not working:

Rpcping:
C:\>rpcping -t ncacn_http -s *** -o RpcProxy=*** -P "***,***,*" -I "***,***,*" -H 1 -u 10 -a connect -F 3  -v 3 -E -R none
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.0, Service Pack 1
Enter password for server:
Enter password for RPC/HTTP proxy:

RPCPinging proxy server ***.local with Echo Request Packet
Sending ping to server
Response from server received: 405
Ping failed.


Rpcdump:
ncacn_http(Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy.)
  BIG[6004] [12345678-1234-abcd-ef00-01234567cffb]  :NO
  BIG[1030] [12345678-1234-abcd-ef00-01234567cffb]  :NO
  BIG[6004] [12345778-1234-abcd-ef00-0123456789ac]  :NO
  BIG[1030] [12345778-1234-abcd-ef00-0123456789ac]  :NO
  BIG[6004] [12345778-1234-abcd-ef00-0123456789ab]  :NO
  BIG[1030] [12345778-1234-abcd-ef00-0123456789ab]  :NO
  BIG[6004] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS NT Directory NSP Interface :NO
  BIG[1030] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS NT Directory NSP Interface :NO
  BIG[6004] [e3514235-4b06-11d1-ab04-00c04fc2dcd2] MS NT Directory DRS Interface :NO
  BIG[1030] [e3514235-4b06-11d1-ab04-00c04fc2dcd2] MS NT Directory DRS Interface :NO
  BIG[6002] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :NO
  BIG[6002] [3cb4be69-9ba1-448c-9a44-a1f759a1878a] MS Exchange Recipient Update Service RPC Interface :NO
  BIG[6002] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :NO
  BIG[6002] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :NO
  BIG[6002] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :NO
  BIG[6001] [5261574a-4572-206e-b268-6b199213b4e4] Exchange Server STORE Async EMSMDB Interface :NO
  BIG[6001] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange Server STORE EMSMDB Interface :NO
  BIG[6001] [da107c01-2b50-44d7-9d5f-bfd4fd8e95ed] Exchange Server STORE ADMIN Interface :NO
  BIG[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :NO
  BIG[6001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :NO
  BIG[6001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :NO
  BIG[6001] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :NO
0
 
Alan HardistyCo-OwnerCommented:
Most RPC over HTTP issues are caused by SSL certificates.

Can you please export the SSL certificate from the server and Import it onto the client via IE.

Export the Certificate via IIS then Import as follows:

Copy the certificate.cer file to the client computer on a USB stick and then do the following:

Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab.  Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK.  Click Next and then Finish.  Click OK on the next prompt.
0
 
Alan HardistyCo-OwnerCommented:
Your Current SSL certificate is self-issued and thus not trusted.  Do you have your 3rd party SSL certificate still?

If you don't - I would recommend buying a GoDaddy one - they are cheap, trusted and hassle free.

Once installed - your problems should go away.

Make sure you get a SAN / UCC certificate with the following names in:

mail.domain.com (or whatever you are using to point to your domain)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites (if you are using SBS 2008)
0
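The name lists recommended in the answers above can be checked mechanically. The following is an added example, not code from any poster in this thread: it tests which of the host names clients connect to are covered by a certificate's DNS names, including the one-label wildcard rule. The function names are hypothetical and the certificate name lists are constructed from the placeholder names used in the thread.

```python
"""Check which client-facing host names a certificate's name list covers.

Added illustration; function names are hypothetical and the certificate
name lists below are constructed from the placeholder names in the thread.
"""


def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one certificate DNS name covers `host`.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.domain.com covers mail.domain.com but not
    domain.com or a.b.domain.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Need at least two fixed labels after the wildcard (rejects "*.com").
        if len(cert_labels) < 3 or not host_labels[0]:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered_names(cert_names, client_names):
    """List the names clients connect to that no certificate name covers."""
    return [h for h in client_names
            if not any(name_matches(c, h) for c in cert_names)]


# Names clients use, taken from the lists in the thread (placeholders).
CLIENT_NAMES = [
    "mail.domain.com",              # external Outlook Anywhere / OWA name
    "autodiscover.domain.com",      # Autodiscover
    "mailservername.domain.local",  # internal FQDN
    "mailservername",               # internal short name
]

# Constructed name lists for three candidate certificates.
CANDIDATES = {
    "internal-only": ["mailservername.domain.local", "mailservername"],
    "wildcard": ["*.domain.com"],
    "ucc-san": list(CLIENT_NAMES),
}


def coverage_report(candidates=CANDIDATES, client_names=CLIENT_NAMES):
    """Map each candidate certificate to the client names it leaves uncovered."""
    return {label: uncovered_names(names, client_names)
            for label, names in candidates.items()}


if __name__ == "__main__":
    for label, missing in coverage_report().items():
        print(f"{label:14} missing: {', '.join(missing) or 'none'}")
```

Name coverage is only one of the checks a client performs; the chain of trust to a root the client already trusts is validated separately.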
 
QlemoC++ DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
