Solved

Outlook RPC HTTPS behind the firewall

Posted on 2011-05-09
Last Modified: 2012-05-11
Hi, I have Exchange 2003 configured to use HTTPS and the CA on the server. I use the URL https://test.servername/certsrv and log in OK, select user certificate etc., and can install it fine on the LAN. When I use the external URL I get as far as installing the certificate and then it fails.

I am guessing this may have something to do with the firewall then?

Any help greatly appreciated.
Question by:FattyPo
54 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35726442
What error or message do you get? Is there a difference between the internal computers and external computers in terms of OS and IE version?
0
 

Author Comment

by:FattyPo
ID: 35726448
I rebooted the server and I can now install the certificates fine externally. https://url/exchange works fine (OWA) but Outlook will not connect using RPC. But I guess I should close the question and reopen?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35726560
Leave the question open.

What happens if you open Outlook externally? Do you get an error? Start Outlook with /rpcdiag and see if you are getting connections at all.
0

 

Author Comment

by:FattyPo
ID: 35726631
I can't resolve the mailbox name when I set the profile up; also, /rpcdiag shows connecting, then the Microsoft Exchange server is unavailable.
0
 

Author Comment

by:FattyPo
ID: 35726643
If I go to certsrv via Google Chrome, not IE, I get the error invalid client certificate Error 207 (net:err_cert_invald)
0
 

Author Comment

by:FattyPo
ID: 35726654
But in IE no issues, and the security report shows all OK.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35726676
Have you filled in the http proxy settings? Set it to use Basic authentication and No mutual auth (cert principal name)
0
 

Author Comment

by:FattyPo
ID: 35726679
Using the Exchange remote connectivity I got the following error.


 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.
 
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35726690
Self signed / internally generated won't work in that test
0
 

Author Comment

by:FattyPo
ID: 35726697
I get the same issue, name cannot be resolved
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35726948
Put the internal Exchange name in the main Outlook profile page and the Exchange proxy name in the HTTPS settings
0
 

Author Comment

by:FattyPo
ID: 35726980
I have done that when I set the profile up.
0
 

Expert Comment

by:Aquinos
ID: 35727079
Hi!

First you need to generate the server certificate.
It could be a wildcard certificate in the Exchange Server Internet Information Service.
Then try to install the certificate server on the client's PC and add the domain to trusted certified....


0
 

Author Comment

by:FattyPo
ID: 35727094
The server certificate has been generated, and I can install the certificate fine (via IE); I get the yellow padlock fine when accessing /exchange. The certificate has been added to the trusted certified....

It just now appears to be an issue with Outlook not being able to log in and resolve the server name.
0
 

Expert Comment

by:Aquinos
ID: 35727142
Did you have your AD on another server?
0
 

Author Comment

by:FattyPo
ID: 35727162
I have 3 servers: AD, Exchange, and a BES/apps server.
0
 

Expert Comment

by:Aquinos
ID: 35727318
Try to force the Exchange server IPv6 IP in the DNS server at the AD
0
 

Author Comment

by:FattyPo
ID: 35727337
It's a 2003 domain, no IP settings
0
 

Author Comment

by:FattyPo
ID: 35727553
IP6 settings I meant, thanks
0
 
LVL 9

Expert Comment

by:rpartington
ID: 35727740
I always always use the following site when I have issues as it gives you a wealth of pointers where to start looking.
Hope this helps.

https://www.testexchangeconnectivity.com/
0
 

Author Comment

by:FattyPo
ID: 35727747
Thanks, will check it out
0
 

Author Comment

by:FattyPo
ID: 35727758
Ah, already did; everything passed except for Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.  which is normal anyway
0
 
LVL 9

Expert Comment

by:rpartington
ID: 35727833
0
 

Author Comment

by:FattyPo
ID: 35729425
I looked at that, but the SSL passes all checks on an SSL checker. I used www.digicert.com
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35729517
Try and get Outlook Anywhere (RPC over HTTPs) working internally before tackling it externally
0
 

Author Comment

by:FattyPo
ID: 35729553
It worked internally with all the settings in, even though connected by LAN in the status
0
 

Author Comment

by:FattyPo
ID: 35729618
But OWA works fine, and it does say the certificate is as it should be.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35729651
In Outlook /rpcdiag you need to have it connected over HTTP

Did you tick the "on fast networks..." box in the Outlook proxy settings?
0
 

Author Comment

by:FattyPo
ID: 35837378
Hi, I have tried all of the above, and it does connect using RPC internally, even though Outlook then reverts to LAN connection. Fast networks is ticked and I have tried both with and without.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35837489
Try
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\

make a new RPC key in that folder if one doesn't exist already and then add:
DisableRpcTcpFallback as a DWORD=1
DefConnectOpts as a DWORD=0

If you aren't running Outlook 2007, then substitute the "12.0" value above
0
 

Author Comment

by:FattyPo
ID: 35837548
OK, will try now
0
 

Author Comment

by:FattyPo
ID: 35837626
Hi, I'm afraid it didn't work. The strange thing is that OWA works fine with https://mail.domainname.com/exchange when the certificate has been installed. No errors at all. Using RPC it puts the authentication box up and using the same details as OWA it just fails. Could it be some sort of authentication issue?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35837706
Confirm that if you ping mail.domain.com internally that it resolves to internal IP address of your exchange server?

Also ensure the proxy name you are connecting to in Outlook is just mail.domain.com and nothing else. Don't use mutual auth and ensure auth = basic

If you open https://mail.domain.com/RPC/rpcproxy.dll in IE, does it prompt for credentials and then show you a blank page once you have entered your credentials?
0
 

Author Comment

by:FattyPo
ID: 35837725
Ping mail.domain.com resolves fine to the IP address of the server. I will take mutual auth off (have this currently set) and auth = basic. If I open https://mail.domain.com/RPC/rpcproxy.dll I get this page cannot be displayed.
0
 

Author Comment

by:FattyPo
ID: 35837764
I have just gone into IIS and I have no RPC folder, can't remember if I did before?
0
 

Author Comment

by:FattyPo
ID: 35837900
Right, I have fixed the RPC folder issue, not sure what happened with that. When I now go to https://mail.domainname.com/RPC/rpcproxy.dll I get a blank page
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35837914
Did it prompt for authentication or not before displaying the blank page? Does outlook work now?
0
 

Author Comment

by:FattyPo
ID: 35837925
It did prompt after an IIS restart, and then went to a blank page, but if I go to that page now it doesn't require a login
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 1000 total points
ID: 35838181
In IIS, set the auth on the RPC VD to Basic and untick Windows Integrated, then try Outlook with basic auth in the HTTP Proxy settings
0
 

Author Comment

by:FattyPo
ID: 35838195
Should I have anon user ticked or unticked?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35838234
On the RPC VD that should be unticked
0
 

Author Comment

by:FattyPo
ID: 35838251
Yeah, that's what I have, but still no joy. Still connecting using TCP/IP, not HTTPS
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35838308
What version of Outlook are you running?
0
 

Author Comment

by:FattyPo
ID: 35838336
Outlook 2010, but just found an article with a registry entry that is different from mine: ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004; but I have FQDN:100-5000. Never come across this before; should I change this to reflect the above?
0
 

Author Comment

by:FattyPo
ID: 35838339
Also, just to add, the same client is connecting back to my office servers using RPC, no issues.
0
 

Assisted Solution

by:FattyPo
FattyPo earned 0 total points
ID: 35838403
This registry entry has fixed the issue.

ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;
0
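An added example (not written by any poster in this thread): a Python check of the registry port-list string discussed above, reporting per host which of the ports in the working entry (6001-6002, 6004) are missing and how many other ports the entry opens. The function names, the `EXPECTED_PORTS` set and the sample strings are assumptions of this example.

```python
import re

# Ports taken from the working entry posted in the thread.
EXPECTED_PORTS = {6001, 6002, 6004}

def parse_port_list(value):
    """Parse 'host:port[-port];host:port;...' into (host, low, high) tuples."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate the trailing ';' seen in the thread
        m = re.fullmatch(r"([^:\s]+):(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed entry: {item!r}")
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in {item!r}")
        entries.append((m.group(1).lower(), low, high))
    return entries

def audit(value, expected=EXPECTED_PORTS):
    """Return findings per host: count of unexpected ports, list of missing ones."""
    per_host = {}
    for host, low, high in parse_port_list(value):
        per_host.setdefault(host, set()).update(range(low, high + 1))
    findings = []
    for host, ports in per_host.items():
        extra = ports - expected
        missing = expected - ports
        if extra:
            findings.append((host, "extra", len(extra)))
        if missing:
            findings.append((host, "missing", sorted(missing)))
    return findings

# Constructed sample inputs, copied from the strings quoted in the thread.
BEFORE = "FQDN:100-5000"
AFTER = ("ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;"
         "ExchangeServer:6004;ExchangeServerFQDN:6004;")

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

For the original `FQDN:100-5000` value the check reports both problems at once: the range does not contain any of the three ports from the working entry, and it opens 4901 ports that entry does not need.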
 
LVL 9

Expert Comment

by:rpartington
ID: 35838477
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
then scroll down for
>>> Configure the RPC proxy server to use specific ports <<<
And you can use the below exe to save manually inputting the reg ports.

http://www.petri.co.il/software/rpcnofrontend.zip
0
 

Author Closing Comment

by:FattyPo
ID: 35838485
Thanks for all the patience and persistence.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35838585
I don't see how you can accept rpartington's comment as the solution when you figured it out before that comment was posted. You should accept your comment as the solution and others as assists (if necessary)

Glad you have got it working. I'd like to think that sorting out the RPC VD in IIS helped ;-)
0
 

Author Comment

by:FattyPo
ID: 35838599
Sorry, the page refreshed at different times on my PC. I assume I can't change the points now?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35839290
Yes you can object to your own question closure and then the question will be reopened for you to close how you see fit.
0
 

Author Comment

by:FattyPo
ID: 35841033
Will do :-)
0
 

Author Closing Comment

by:FattyPo
ID: 35892688
Thanks MegaNuk3 for your help and persistence on this.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35892862
Thanks for the points, glad you got it working in the end.
0
