Solved

Exchange Transition 2003/2007 - Outlook Anywhere not working...

Posted on 2010-09-23
Medium Priority
Last Modified: 2012-05-10
I'm midway through a transition from Exchange 2003 to 2007. Exchange 2003 is running on a second DC and the network is sitting behind an ISA 2006 box.

Outlook Web Access and RPC over HTTPS both work fine and all is well!

Last week, I added a new Server 2008 64bit box to the network as a member server and installed Exchange 2007 on it using the three part guide on MSExchange.org. I have so far moved only my inbox over for testing. I can connect internally using Outlook, use OWA inside and out but RPC over HTTPS or Outlook Anywhere as it is now called does not work when outside the internal LAN.

Looking at the Connection Status box I can see that my machine is picking up the internal names of the DC and the new Exchange box but it will not connect. Any idea how I can figure out what is stopping the connection occurring?

TIA
Question by:EdMacFly
 

Author Comment

by:EdMacFly
ID: 33743051
Hi demazter,

Been a member here for ages so am aware of the rules but my browser decided to throw a wobbly!

My initial post didn't turn up for ages and then when I'd reposted it, I found it had gone through but twice!! Once all messages were deleted I submitted this one which also appeared twice. I've now reset the machine and whatever was causing the problem has hopefully gone away.

Apologies for the mess!!
0
 

Author Comment

by:EdMacFly
ID: 33743078
Again with two posts!!!! What is going on...
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33743101
look at your isa rules and their ordering
go to properties for the outlook anywhere rule and use the test rule button
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33743117
the order i use successfully is an Exchange OWA rule first (has the following paths: /public/*, /owa/*,  /exchange/*)

Outlook Anywhere is second (has the following paths: /rpc/*, /OAB/*, /ews/*, /AutoDiscover/*)

my third rule is for ActiveSync
0
 

Author Comment

by:EdMacFly
ID: 33743118
Comes back with a green tick. Does that suggest an issue with my client?
0
 

LVL 74

Expert Comment

by:Glen Knight
ID: 33743168
In ISA/FTMG I only ever create one rule and change the paths to /* so that all paths use the same rule.
This makes it easier to identify which part isn't working.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33743180
Can you also run the RPC over HTTP test here: https://www.testexchangeconnectivity.com/

I would advise you set up a test account specifically for running this test that can be deleted/disabled afterwards.
0
 

Author Comment

by:EdMacFly
ID: 33743457
The test failed with the following message:

The certificate chain couldn't be built. You may be missing required intermediate certificates.

RPC over HTTP works for the mailboxes that are still on the Server 2003 / Exchange 2003 box - I added the webmail certificate that is installed on that box and the ISA Server to the new 2008 64bit / Ex 2007 box but still no joy.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33743472
OK, on the ISA box using the certificate MMC snap-in, add the local computer and then check that under personal > Certificates the properties of the certificate on the last tab (can't remember what it's called) you will see the certificate chain.  Check all sections and make sure it says the certificate is valid.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33743488
the same certificate should be installed on the 2007 server and the ISA server and the publishing rule for the Exchange 2007 server should use this certificate in the listener.

Which provider did you purchase your SSL certificate from?
0
 

Author Comment

by:EdMacFly
ID: 33743562
It's self signed. The certificate worked fine for the 2003 Server so figured it should be the same for 2007?
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 2000 total points
ID: 33743659
You need a SAN/UCC certificate for Exchange 2007 that contains the following names:

autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
owa.domainname.com (your Outlook Web Access URL)
servername.domainname.local (the internal fully qualified domain name of your server)

You will also find it very difficult to use self signed certificates with Outlook Anywhere.

I can recommend a utility for managing your SSL certificates on Exchange 2007 and I have a blog post here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
For the sake of $60 for a signed 3rd party certificate it really isn't worth trying to get it to work without it.
0
 

Author Comment

by:EdMacFly
ID: 33743758
So does that mean that the certificate requirements have changed between 2003 and 2007?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33743800
it has always been recommended to use a 3rd party product but yes, Exchange 2003 would use a standard single domain/name certificate, Exchange 2007 and 2010 require a multiple domain (SAN/UCC) certificate.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33743826
you can also refer to this article to help identify which fqdn values you need within your certificate

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html
0
 

Author Comment

by:EdMacFly
ID: 33744393
Have just paid for a certificate and will report back when it's setup and installed.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33744421
make sure you install it on both
and on the isa update the web listener with the new certificate
0
 

Author Comment

by:EdMacFly
ID: 33744461
I imagine this will break the link to the Exchange 2003 box as there is no longer a reference to the original server in the certificate? Is there any way to be able to access both servers still?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33744500
install the cert on 2003 and have all traffic sent to 2007
2007 will redirect to 2003
0
 

Author Comment

by:EdMacFly
ID: 33744551
Excellent. Will give it a go.
0
 

Author Comment

by:EdMacFly
ID: 33745480
Got the certificate from the site listed on your blog but the ISA Listener thinks the certificate is invalid as there is no private key installed. Should I have been sent a private key? Also, my Outlook client now pops up a security alert. One thing I did notice about the certificate is that nowhere does it mention the internal name of the exchange server - I used the tool listed on your blog to build the request so am confused as to why it isn't correct. Sorry that this is turning into a mammoth task.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33745528
the generated request should have included the private key
i believe requires a new request
did you use the exchange shell to generate the request

New-ExchangeCertificate -DomainName mail.domain.com,autodiscover.domain.com,server.domain.com -FriendlyName Ex2007Cas -GenerateRequest:$True -Keysize 2048 -path c:\cascert.txt -privatekeyExportable:$true -subjectName "c=us, o=OrgName, CN=mail.domain.com"

you should see all the names in the subject alternate names field
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33745531
The one in my blog?

If so it should have the internal fully qualified domain name in it.

You may have to manually enter some as well using the tool.  Make sure the names I listed above are added.

If you used the site on my blog for the SSL you will need to add the intermediate certificate as detailed in the instructions for Exchange 2007 when you download the certificate.
0
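
The three certificate problems raised in this thread (names missing from the subject alternative names, no private key, and a chain that cannot be built) can be checked in one pass on the Exchange 2007 server and on the ISA box. This is an added example, not code from any participant in the thread; the function name `Test-CasCertificate` is hypothetical, the host names are the placeholders used in the accepted solution, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example: report SAN coverage, private key presence and chain status
# for a certificate in the local computer's Personal store.
function Test-CasCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string[]]$RequiredNames
    )

    # Subject Alternative Name extension (OID 2.5.29.17). On English Windows,
    # Format() renders each entry as "DNS Name=host".
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # -notcontains compares case-insensitively, which suits DNS names.
    $missing = @($RequiredNames | Where-Object { $sanNames -notcontains $_ })

    # Build the chain from the stores visible to this account. Revocation is
    # skipped so the result reflects only missing or untrusted issuers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey   # False: the ISA listener rejects it
        SanNames      = $sanNames
        MissingNames  = $missing                     # names Outlook will warn about
        ChainBuilds   = $chainOk                     # False: intermediate or root missing
        ChainErrors   = $chainErrors
    }
}

# Placeholder names from the accepted solution; replace with the real ones.
$required = 'autodiscover.domainname.com', 'owa.domainname.com', 'servername.domainname.local'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=owa.domainname.com*' } |
    ForEach-Object { Test-CasCertificate -Certificate $_ -RequiredNames $required }
```

Run it on both servers: the certificate should show `HasPrivateKey` as True, an empty `MissingNames` and `ChainBuilds` as True on each before the ISA web listener is updated.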
 

Author Comment

by:EdMacFly
ID: 33769505
Sorry for the lack of progress, been away over the last few days.

I have the certificate installed now and have been following the instructions to set up Exchange 2007 using autodiscover. So far so good until I ran the test again. It now stops on the following error:

      ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
       An error occurred while testing the NSPI RPC endpoint.

The test site seems to be connecting okay and the previous test:

Attempting to ping RPC Endpoint 6001

works fine.

So close...
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33769650
did you enable outlook anywhere?

open iis manager
under the default web site you should see an rpc vdir
check the authentication settings and ensure anonymous is disabled
0
 

Author Comment

by:EdMacFly
ID: 33769678
0
 

Author Closing Comment

by:EdMacFly
ID: 33769686
Continuous monitoring of my question by the solution provider ensured I could keep trying things before finally solving the problem!
0
