Solved

Exchange Transition 2003/2007 - Outlook Anywhere not working...

Posted on 2010-09-23
Last Modified: 2012-05-10
I'm midway through a transition from Exchange 2003 to 2007. Exchange 2003 is running on a second DC and the network is sitting behind an ISA 2006 box.

Outlook Web Access and RPC over HTTPS both work fine and all is well!

Last week, I added a new Server 2008 64bit box to the network as a member server and installed Exchange 2007 on it using the three part guide on MSExchange.org. I have so far moved only my inbox over for testing. I can connect internally using Outlook, use OWA inside and out but RPC over HTTPS or Outlook Anywhere as it is now called does not work when outside the internal LAN.

Looking at the Connection Status box I can see that my machine is picking up the internal names of the DC and the new Exchange box but it will not connect. Any idea how I can figure out what is stopping the connection occurring?

TIA
0
Question by:EdMacFly
 

Author Comment

by:EdMacFly
Hi demazter,

Been a member here for ages so am aware of the rules but my browser decided to throw a wobbly!

My initial post didn't turn up for ages and then when I'd reposted it, I found it had gone through but twice!! Once all messages were deleted I submitted this one which also appeared twice. I've now reset the machine and whatever was causing the problem has hopefully gone away.

Apologies for the mess!!
0
 

 

Author Comment

by:EdMacFly
Again with two posts!!!! What is going on...
0
 

 
LVL 32

Expert Comment

by:endital1097
look at your isa rules and their ordering
go to properties for the outlook anywhere rule and use the test rule button
0
 
LVL 32

Expert Comment

by:endital1097
the order i use successfully is an Exchange OWA rule first (has the following paths: /public/*, /owa/*, /exchange/*)

Outlook Anywhere is second (has the following paths: /rpc/*, /OAB/*, /ews/*, /AutoDiscover/*)

my third rule is for ActiveSync
0
 

Author Comment

by:EdMacFly
Comes back with a green tick. Does that suggest an issue with my client?
0
 

 
LVL 74

Expert Comment

by:Glen Knight
In ISA/FTMG I only ever create one rule and change the paths to /* so that all paths use the same rule.
This makes it easier to identify which part isn't working.
0
 
LVL 74

Expert Comment

by:Glen Knight
Can you also run the RPC over HTTP test here: https://www.testexchangeconnectivity.com/

I would advise you set up a test account specifically for running this test that can be deleted/disabled afterwards.
0
 

Author Comment

by:EdMacFly
The test failed with the following message:

The certificate chain couldn't be built. You may be missing required intermediate certificates.

RPC over HTTP works for the mailboxes that are still on the Server 2003 / Exchange 2003 box - I added the webmail certificate that is installed on that box and the ISA Server to the new 2008 64bit / Ex 2007 box but still no joy.
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, on the ISA box using the certificate MMC snap-in, add the local computer and then check that under Personal > Certificates the properties of the certificate on the last tab (can't remember what it's called) you will see the certificate chain. Check all sections and make sure it says the certificate is valid.
0
 
LVL 74

Expert Comment

by:Glen Knight
the same certificate should be installed on the 2007 server and the ISA server and the publishing rule for the Exchange 2007 server should use this certificate in the listener.

Which provider did you purchase your SSL certificate from?
0
 

Author Comment

by:EdMacFly
It's self signed. The certificate worked fine for the 2003 Server so figured it should be the same for 2007?
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
You need a SAN/UCC certificate for Exchange 2007 that contains the following names:

autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
owa.domainname.com (your Outlook Web Access URL)
servername.domainname.local (the internal fully qualified domain name of your server)

You will also find it very difficult to use self signed certificates with Outlook Anywhere.

I can recommend a utility for managing your SSL certificates on Exchange 2007 and I have a blog post here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
For the sake of $60 for a signed 3rd party certificate it really isn't worth trying to get it to work without it.
0
 

Author Comment

by:EdMacFly
So does that mean that the certificate requirements have changed between 2003 and 2007?
0
 
LVL 74

Expert Comment

by:Glen Knight
it has always been recommended to use a 3rd party product but yes, Exchange 2003 would use a standard single domain/name certificate, Exchange 2007 and 2010 require a multiple domain (SAN/UCC) certificate.
0
 
LVL 32

Expert Comment

by:endital1097
you can also refer to this article to help identify which fqdn values you need within your certificate

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html
0
 

Author Comment

by:EdMacFly
Have just paid for a certificate and will report back when it's set up and installed.
0
 
LVL 32

Expert Comment

by:endital1097
make sure you install it on both
and on the isa update the web listener with the new certificate
0
 

Author Comment

by:EdMacFly
I imagine this will break the link to the Exchange 2003 box as there is no longer a reference to the original server in the certificate? Is there any way to be able to access both servers still?
0
 
LVL 32

Expert Comment

by:endital1097
install the cert on 2003 and have all traffic sent to 2007
2007 will redirect to 2003
0
 

Author Comment

by:EdMacFly
Excellent. Will give it a go.
0
 

Author Comment

by:EdMacFly
Got the certificate from the site listed on your blog but the ISA Listener thinks the certificate is invalid as there is no private key installed. Should I have been sent a private key? Also, my Outlook client now pops up a security alert. One thing I did notice about the certificate is that nowhere does it mention the internal name of the exchange server - I used the tool listed on your blog to build the request so am confused as to why it isn't correct. Sorry that this is turning into a mammoth task.
0
 
LVL 32

Expert Comment

by:endital1097
the generated request should have included the private key
i believe it requires a new request
did you use the exchange shell to generate the request?

New-ExchangeCertificate -DomainName mail.domain.com,autodiscover.domain.com,server.domain.com -FriendlyName Ex2007Cas -GenerateRequest:$True -Keysize 2048 -path c:\cascert.txt -privatekeyExportable:$true -subjectName "c=us, o=OrgName, CN=mail.domain.com"

you should see all the names in the subject alternate names field
0
 
LVL 74

Expert Comment

by:Glen Knight
The one in my blog?

If so it should have the internal fully qualified domain name in it.

You may have to manually enter some as well using the tool.  Make sure the names I listed above are added.

If you used the site on my blog for the SSL you will need to add the intermediate certificate as detailed in the instructions for Exchange 2007 when you download the certificate.
0
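A way to check the three things this thread keeps returning to (the names in the certificate, the private key, and the intermediate chain) on the ISA or Exchange 2007 box. This is an added example, not code from any poster in the thread; `Test-CasCertificate` is a hypothetical helper name, the host names are the sample ones from the `New-ExchangeCertificate` command above, and the SAN parsing assumes English-language Windows.

```powershell
# Added example: inspect certificates in the local computer store on the ISA
# or Exchange 2007 server. Test-CasCertificate is a hypothetical helper name.
function Test-CasCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string[]] $RequiredNames   # host names clients will connect to
    )

    # Subject Alternative Names live in extension OID 2.5.29.17.
    # Assumption: English Windows, where entries format as "DNS Name=host".
    $sanNames = @()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @($sanExt.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').ToLower() })
    }
    $missing = @($RequiredNames |
        Where-Object { $sanNames -notcontains $_.ToLower() })

    # Skip revocation lookups so the result reflects chain construction and
    # trust only: a failure points at a missing or untrusted intermediate/root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus |
        ForEach-Object { $_.StatusInformation.Trim() })

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        # The key is created where the request was generated; the CA does not
        # send one back, so False means the matching key is not on this machine.
        HasPrivateKey = $Cert.HasPrivateKey
        SanNames      = $sanNames
        MissingNames  = $missing
        ChainBuilds   = $chainOk
        ChainErrors   = $chainErrors
    }
}

# Sample names from the thread; replace with the real external and internal names.
$names = 'mail.domain.com', 'autodiscover.domain.com', 'server.domain.com'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CasCertificate -Cert $_ -RequiredNames $names } |
    Format-List
```

A certificate is ready for the ISA listener when `HasPrivateKey` and `ChainBuilds` are both `True` and `MissingNames` is empty; a self-signed certificate that is not in the trusted root store shows up here as a chain error.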
 

Author Comment

by:EdMacFly
Sorry for the lack of progress, been away over the last few days.

I have the certificate installed now and have been following the instructions to set up Exchange 2007 using autodiscover. So far so good until I ran the test again. It now stops on the following error:

      ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
       An error occurred while testing the NSPI RPC endpoint.

The test site seems to be connecting okay and the previous test:

Attempting to ping RPC Endpoint 6001

works fine.

So close...
0
 
LVL 32

Expert Comment

by:endital1097
did you enable outlook anywhere?

open iis manager
under the default web site you should see an rpc vdir
check the authentication settings and ensure anonymous is disabled
0
 

Author Comment

by:EdMacFly
0
 

Author Closing Comment

by:EdMacFly
Continuous monitoring of my question by the solution provider ensured I could keep trying things before finally solving the problem!
0
