• Status: Solved

Outlook RPC HTTPS behind the firewall

Hi, I have Exchange 2003 configured to use HTTPS and the CA on the server. I use the URL https://test.servername/certsrv and log in OK, select user certificate etc. and can install it fine on the LAN. When I use the external URL I get as far as installing the certificate and then it fails.

I am guessing this may have something to do with the firewall then?

Any help greatly appreciated.
Asked: FattyPo

MegaNuk3 Commented:
What error or message do you get? Is there a difference between the internal computers and external computers in terms of OS and IE version?

FattyPo (Author) Commented:
I rebooted the server and I can now install the certificates fine externally; https://url/exchange works fine (OWA), but Outlook will not connect using RPC. But I guess I should close the question and reopen?

MegaNuk3 Commented:
Leave the question open.

What happens if you open Outlook externally? Do you get an error? Start Outlook with /rpcdiag and see if you are getting connections at all.

FattyPo (Author) Commented:
I can't resolve the mailbox name when I set the profile up; also the /rpcdiag shows connecting, then the Microsoft Exchange server is unavailable.

FattyPo (Author) Commented:
If I go to certsrv via Google Chrome, not IE, I get the error invalid client certificate Error 207 (net:err_cert_invald)

FattyPo (Author) Commented:
But in IE no issues, and the security report shows all OK.

MegaNuk3 Commented:
Have you filled in the HTTP proxy settings? Set it to use Basic authentication and No mutual auth (cert principal name)

FattyPo (Author) Commented:
Using the Exchange remote connectivity I got the following error.

 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.

MegaNuk3 Commented:
Self signed / internally generated won't work in that test

FattyPo (Author) Commented:
I get the same issue, name cannot be resolved

MegaNuk3 Commented:
Put the internal Exchange name in the main Outlook profile page and the Exchange proxy name in the HTTPS settings

FattyPo (Author) Commented:
I have done that when I set the profile up.

Aquinos Commented:
Hi!

First you need to generate the server certificate.
It could be a wildcard certificate in the Exchange Server Internet Information Services.
Then try to install the certificate server on the client's PC and add the domain to trusted certified....

FattyPo (Author) Commented:
The server certificate has been generated, and I can install the certificate fine (via IE); I get the yellow padlock fine when accessing /exchange. The certificate has been added to the trusted certified....

It just now appears to be an issue with Outlook not being able to log in and resolve the server name.

Aquinos Commented:
Did you have your AD on another server?

FattyPo (Author) Commented:
I have 3 servers: AD, Exchange, and a BES/apps server.

Aquinos Commented:
Try to force the Exchange server IPv6 IP in the DNS server at the AD

FattyPo (Author) Commented:
It's a 2003 domain, no IP settings

FattyPo (Author) Commented:
IP6 settings I meant, thanks

rpartington Commented:
I always always use the following site when I have issues, as it gives you a wealth of pointers where to start looking.
Hope this helps.

https://www.testexchangeconnectivity.com/

FattyPo (Author) Commented:
Thanks, will check it out

FattyPo (Author) Commented:
Arh, already did; everything passed except for

 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.

which is normal anyway

rpartington Commented:

FattyPo (Author) Commented:
I looked at that, but the SSL passes all checks on an SSL checker. I used www.digicert.com

MegaNuk3 Commented:
Try and get Outlook Anywhere (RPC over HTTPS) working internally before tackling it externally

FattyPo (Author) Commented:
It worked internally with all the settings in, even though connected by LAN in the status

FattyPo (Author) Commented:
But OWA works fine, and it does say the certificate is as it should be.

MegaNuk3 Commented:
In Outlook /rpcdiag you need to have it connected over HTTP

Did you tick the "on fast networks..." box in the Outlook proxy settings?

FattyPo (Author) Commented:
Hi, I have tried all of the above, and it does connect using RPC internally, even Outlook then reverts to LAN connection. Fast networks is ticked and I have tried both with and without.

MegaNuk3 Commented:
Try
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\

make a new RPC key in that folder if one doesn't exist already and then add:
DisableRpcTcpFallback as a DWORD=1
DefConnectOpts as a DWORD=0

If you aren't running Outlook 2007, then substitute the "12.0" value above

FattyPo (Author) Commented:
OK, will try now

FattyPo (Author) Commented:
Hi, I'm afraid it didn't work. The strange thing is that OWA works fine with https://mail.domainname.com/exchange when the certificate has been installed. No errors at all. Using RPC it puts the authentication box up and using the same details as OWA it just fails. Could it be some sort of authentication issue?

MegaNuk3 Commented:
Confirm that if you ping mail.domain.com internally that it resolves to internal IP address of your exchange server?

Also ensure the proxy name you are connecting to in Outlook is just mail.domain.com and nothing else. Don't use mutual auth and ensure auth = basic

If you open https://mail.domain.com/RPC/rpcproxy.dll in IE, does it prompt for credentials and then show you a blank page once you have entered your credentials?

FattyPo (Author) Commented:
Ping mail.domain.com resolves fine to the IP address of the server. I will take mutual auth off (have this currently set) and auth = basic. If I open https://mail.domain.com/RPC/rpcproxy.dll I get this page cannot be displayed.

FattyPo (Author) Commented:
I have just gone into IIS and I have no RPC folder; can't remember if I did before?

FattyPo (Author) Commented:
Right, I have fixed the RPC folder issue, not sure what happened with that. When I now go to https://mail.domainname.com/RPC/rpcproxy.dll I get a blank page

MegaNuk3 Commented:
Did it prompt for authentication or not before displaying the blank page? Does Outlook work now?

FattyPo (Author) Commented:
It did prompt after an IIS restart, and then go to blank page, but if I go to that page now it doesn't require a login

MegaNuk3 Commented:
In IIS set the auth on the RPC VD to basic and untick Windows Integrated, then try Outlook with basic auth in the HTTP Proxy settings

FattyPo (Author) Commented:
Should I have anon user ticked or unticked?

MegaNuk3 Commented:
On the RPC VD that should be unticked

FattyPo (Author) Commented:
Yer, that's what I have, but still no joy. Still connecting using TCP/IP not HTTPS

MegaNuk3 Commented:
What version of Outlook are you running?

FattyPo (Author) Commented:
Outlook 2010, but just found an article with a registry entry that is different from mine. ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004; but I have FQDN:100-5000. Never come across this before; should I change this to reflect the above?

FattyPo (Author) Commented:
Also just to add, the same client is connecting back to my office servers using RPC, no issues.

FattyPo (Author) Commented:
This registry entry has fixed the issue.

ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;

rpartington Commented:
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
then scroll down for
>>> Configure the RPC proxy server to use specific ports <<<
And you can use the below exe to save manually inputting the reg ports.

http://www.petri.co.il/software/rpcnofrontend.zip

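Added example, not part of the thread and not any poster's or vendor's code: the entry that fixed the issue is a `host:port-range;` allow-list, and the code below parses such a string and reports hosts that lack ports 6001, 6002 and 6004 or that allow an over-broad range such as 100-5000. It assumes the string is the RPC proxy's ValidPorts registry value; the host names, the sample strings and the 16-port width threshold are constructed for illustration.

```python
"""Audit an RPC-proxy port allow-list string of the form 'host:port[-port];...'."""

REQUIRED_PORTS = {6001, 6002, 6004}   # ports in the working entry from the thread
MAX_RANGE_WIDTH = 16                  # assumed threshold for an "over-broad" range


def parse_valid_ports(value):
    """Return {host_lowercase: [(low, high), ...]} from a ValidPorts-style string."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        low, _, high = ports.partition("-")
        lo, hi = int(low), int(high or low)   # a single port is a range of one
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), []).append((lo, hi))
    return allowed


def audit(value, hosts):
    """List findings: required ports not allowed, and ranges wider than needed."""
    allowed = parse_valid_ports(value)
    findings = []
    for host in hosts:
        ranges = allowed.get(host.lower(), [])
        missing = sorted(p for p in REQUIRED_PORTS
                         if not any(lo <= p <= hi for lo, hi in ranges))
        if missing:
            findings.append(f"{host}: missing ports {missing}")
    for host, ranges in sorted(allowed.items()):
        for lo, hi in ranges:
            if hi - lo + 1 > MAX_RANGE_WIDTH:
                findings.append(f"{host}: over-broad range {lo}-{hi}")
    return findings


# Constructed sample values; host names are placeholders modelled on the thread.
HOSTS = ["ExchangeServer", "ExchangeServerFQDN"]
BROKEN = "ExchangeServerFQDN:100-5000"
WORKING = ("ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;"
           "ExchangeServer:6004;ExchangeServerFQDN:6004;")

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("working", WORKING)):
        print(label, audit(value, HOSTS) or "OK")
```

A wide range like 100-5000 both misses the ports Outlook needs and lets the proxy forward to far more backend ports than the service requires, so the audit flags it on both counts.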
 
FattyPo (Author) Commented:
Thanks for all the patience and persistence.

MegaNuk3 Commented:
I don't see how you can accept rpartington's comment as the solution when you figured it out before that comment was posted. You should accept your comment as the solution and others as assists (if necessary)

Glad you have got it working. I'd like to think that sorting out the RPC VD in IIS helped ;-)

FattyPo (Author) Commented:
Sorry, the page refreshed at different times on my PC. I assume I can't change the points now?

MegaNuk3 Commented:
Yes, you can object to your own question closure and then the question will be reopened for you to close how you see fit.

FattyPo (Author) Commented:
Will do :-)

FattyPo (Author) Commented:
Thanks MegaNuk3 for your help and persistence on this.

MegaNuk3 Commented:
Thanks for the points, glad you got it working in the end.

Question has a verified solution.
