EdMacFly

Exchange Transition 2003/2007 - Outlook Anywhere not working...

I'm midway through a transition from Exchange 2003 to 2007. Exchange 2003 is running on a second DC and the network is sitting behind an ISA 2006 box.

Outlook Web Access and RPC over HTTPS both work fine and all is well!

Last week, I added a new Server 2008 64bit box to the network as a member server and installed Exchange 2007 on it using the three part guide on MSExchange.org. I have so far moved only my inbox over for testing. I can connect internally using Outlook, use OWA inside and out but RPC over HTTPS or Outlook Anywhere as it is now called does not work when outside the internal LAN.

Looking at the Connection Status box I can see that my machine is picking up the internal names of the DC and the new Exchange box but it will not connect. Any idea how I can figure out what is stopping the connection occurring?

TIA
EdMacFly

ASKER

Hi demazter,

Been a member here for ages so am aware of the rules but my browser decided to throw a wobbly!

My initial post didn't turn up for ages and then when I'd reposted it, I found it had gone through but twice!! Once all messages were deleted I submitted this one which also appeared twice. I've now reset the machine and whatever was causing the problem has hopefully gone away.

Apologies for the mess!!
Again with two posts!!!! What is going on...
look at your isa rules and their ordering
go to properties for the outlook anywhere rule and use the test rule button
the order i use successfully is an Exchange OWA rule first (has the following paths: /public/*, /owa/*, /exchange/*)

Outlook Anywhere is second (has the following paths: /rpc/*, /OAB/*, /ews/*, /AutoDiscover/*)

my third rule is for ActiveSync
Comes back with a green tick. Does that suggest an issue with my client?
Glen Knight
In ISA/FTMG I only ever create one rule and change the paths to /* so that all paths use the same rule.
This makes it easier to identify which part isn't working.
Can you also run the RPC over HTTP test here: https://www.testexchangeconnectivity.com/

I would advise you set up a test account specifically for running this test that can be deleted/disabled afterwards.
The test failed with the following message:

The certificate chain couldn't be built. You may be missing required intermediate certificates.

RPC over HTTP works for the mailboxes that are still on the Server 2003 / Exchange 2003 box - I added the webmail certificate that is installed on that box and the ISA Server to the new 2008 64bit / Ex 2007 box but still no joy.
OK, on the ISA box using the certificate MMC snap-in, add the local computer and then check that under Personal > Certificates the properties of the certificate on the last tab (can't remember what it's called) you will see the certificate chain. Check all sections and make sure it says the certificate is valid.
the same certificate should be installed on the 2007 server and the ISA server and the publishing rule for the Exchange 2007 server should use this certificate in the listener.

Which provider did you purchase your SSL certificate from?
It's self signed. The certificate worked fine for the 2003 Server so figured it should be the same for 2007?
ASKER CERTIFIED SOLUTION
Glen Knight

This solution is only available to members.
So does that mean that the certificate requirements have changed between 2003 and 2007?
it has always been recommended to use a 3rd party product but yes, Exchange 2003 would use a standard single domain/name certificate, Exchange 2007 and 2010 require a multiple domain (SAN/UCC) certificate.
you can also refer to this article to help identify which fqdn values you need within your certificate

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html
Have just paid for a certificate and will report back when it's setup and installed.
make sure you install it on both
and on the isa update the web listener with the new certificate
I imagine this will break the link to the Exchange 2003 box as there is no longer a reference to the original server in the certificate? Is there any way to be able to access both servers still?
install the cert on 2003 and have all traffic sent to 2007
2007 will redirect to 2003
Excellent. Will give it a go.
Got the certificate from the site listed on your blog but the ISA Listener thinks the certificate is invalid as there is no private key installed. Should I have been sent a private key? Also, my Outlook client now pops up a security alert. One thing I did notice about the certificate is that nowhere does it mention the internal name of the exchange server - I used the tool listed on your blog to build the request so am confused as to why it isn't correct. Sorry that this is turning into a mammoth task.
the generated request should have included the private key
i believe it requires a new request
did you use the exchange shell to generate the request?

New-ExchangeCertificate -DomainName mail.domain.com,autodiscover.domain.com,server.domain.com -FriendlyName Ex2007Cas -GenerateRequest:$True -Keysize 2048 -path c:\cascert.txt -privatekeyExportable:$true -subjectName "c=us, o=OrgName, CN=mail.domain.com"

you should see all the names in the subject alternate names field
The one in my blog?

If so it should have the internal fully qualified domain name in it.

You may have to manually enter some as well using the tool.  Make sure the names I listed above are added.

If you used the site on my blog for the SSL you will need to add the intermediate certificate as detailed in the instructions for Exchange 2007 when you download the certificate.
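
The three things checked by hand in this thread (private key present, chain builds, every required name in the subject alternative names field), as an added PowerShell example that is not part of the original posts. The host names are the placeholders from the New-ExchangeCertificate command above, and the store path assumes the certificate was installed in the local computer's Personal store.

```powershell
# Added example. Host names are the placeholders used in this thread.
$requiredNames = 'mail.domain.com', 'autodiscover.domain.com', 'server.domain.com'
$subjectMatch  = 'CN=mail.domain.com'   # assumption: subject CN of the new certificate

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "*$subjectMatch*" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with $subjectMatch in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    Write-Host "Thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

    # 1. Private key: the thread reports the ISA listener treating the
    #    certificate as invalid when no private key is installed.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key is associated with this certificate.'
    }

    # 2. Chain: PartialChain means a missing intermediate, UntrustedRoot means
    #    the root (or a self-signed certificate) is not trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        Write-Host "Chain builds, $($chain.ChainElements.Count) element(s)."
    } else {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "Chain: $($status.Status) $($status.StatusInformation.Trim())"
        }
    }

    # 3. Subject alternative names (OID 2.5.29.17) against the required list.
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() returns text such as "DNS Name=mail.domain.com, DNS Name=..."
        $sanNames = $sanExt.Format($false).Split(',') |
                    ForEach-Object { $_.Split('=')[-1].Trim().ToLower() }
    }
    foreach ($name in $requiredNames) {
        if ($sanNames -notcontains $name.ToLower()) {
            Write-Warning "Name missing from SAN field: $name"
        }
    }
}
```

Run it on both the ISA box and the Exchange 2007 server, since the same certificate has to be installed on each.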
Sorry for the lack of progress, been away over the last few days.

I have the certificate installed now and have been following the instructions to set up Exchange 2007 using autodiscover. So far so good until I ran the test again. It now stops on the following error:

      ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
       An error occurred while testing the NSPI RPC endpoint.

The test site seems to be connecting okay and the previous test:

Attempting to ping RPC Endpoint 6001

works fine.

So close...
did you enable outlook anywhere?

open iis manager
under the default web site you should see an rpc vdir
check the authentication settings and ensure anonymous is disabled
Continuous monitoring of my question by the solution provider ensured I could keep trying things before finally solving the problem!