Avatar of MJCS

Troubleshooting RPC over HTTP / HTTPS

Migrated from POP/IMAP to Exchange 2003 via SBS2003 over the weekend.

Exchange seems to be running fine.

However, cannot get RPC over HTTP to work.

Port 443 on the router is forwarding to the server.

My understanding is that the internet connection wizard on SBS2003 creates its own SSL certificate. Is this correct?

The Exchange server is mail.XXXX.ca. The website, XXXX.ca, is hosted with Hostgator. The internal domain is XXXX.local.

On an internal workstation I am trying to connect to server.XXXX.local. Is this correct or should I be trying mail.XXXX.ca or something else?

Also, for mailbox do I use username or XXXX\username or XXXX.ca\username or XXXX.local\username?
Avatar of setasoujiro
setasoujiro

Normally you should use your external domain name for RPC. Also set up internal DNS so that it points mail.yourdomain.com to your internal Exchange server.

You also need a valid certificate from a CA (normally).

But first refer to this: http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
SBS2003 should already be configured correctly for the RPC over HTTP a.k.a. "Outlook Anywhere" feature right out-of-the-box.  You need to check that RPC over HTTP Proxy is installed in Control Panel Add/Remove Windows components, along with all the other Exchange requirements like IIS, SMTP and NNTP. This sets the https.sys IIS driver to listen for RPC connections on 443.  Then in the Registry you need to make the 3 settings for the TCP ports or use the free utility "RPCNoFrontEnd" to set or check the correct NSPI, Public and Private IS ports.  You may have additional problems if you fiddled with IIS security settings to sort through, including address and host restrictions.  You should also have correctly installed an SSL certificate, either self-made through the Resource Kit utility or purchased which is preferable.
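An added example, not part of the original post: a check that the RPC proxy's allowed host/port list is scoped to the ports Exchange needs rather than left as one wide range. It assumes the list is the `ValidPorts` string value under `HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy` and that ports 6001, 6002 and 6004 are in use, neither of which is stated in the thread; the host names and sample strings are constructed.

```python
import re

# Assumed conventional RPC-over-HTTP ports for Exchange 2003 (not stated in the thread):
# 6001 = Information Store, 6002 = DS Referral, 6004 = DS Proxy / NSPI.
REQUIRED_PORTS = {6001, 6002, 6004}

# Constructed sample values; SERVER and example.local are placeholders.
SAMPLE_SCOPED = ("SERVER:6001-6002;SERVER:6004;"
                 "server.example.local:6001-6002;server.example.local:6004")
SAMPLE_BROAD = "SERVER:100-5000"  # one wide range, nothing scoped


def parse_valid_ports(value):
    """Parse 'host:lo-hi;host:port;...' into {lowercased host: set of ports}."""
    allowed = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing semicolon
        m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?", entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return allowed


def audit(value, expected_hosts):
    """Return findings: required ports missing per expected host, plus over-broad grants."""
    allowed = parse_valid_ports(value)
    findings = []
    for host in expected_hosts:
        missing = REQUIRED_PORTS - allowed.get(host.lower(), set())
        if missing:
            findings.append(f"{host}: missing ports {sorted(missing)}")
    for host, ports in sorted(allowed.items()):
        extra = ports - REQUIRED_PORTS
        if extra:
            findings.append(f"{host}: {len(extra)} ports allowed beyond the required set")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SCOPED, SAMPLE_BROAD):
        print(sample, "->", audit(sample, ["SERVER", "server.example.local"]) or "OK")
```

An empty findings list means every expected name can reach exactly the three ports; any other entry is a name Outlook may be told to use that the proxy will refuse, or a port the proxy will forward that Exchange does not need.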
Avatar of Alan Hardisty
If you are using / have re-created a new self-issued SSL certificate, you need to install the certificate on each and every client computer that is going to use RPC over HTTPS, otherwise Outlook won't connect.

If you use a 3rd party (trusted) SSL certificate, then you don't need to install the certificate onto each client.

Some prefer to install the cert and use self-issued as no-one can set Outlook up on their own (more secure / more control), others prefer the 3rd party SSL cert option as it is less hassle.

When you configure Outlook - only type in the internal server name (only), not server.internaldomain.local - let Outlook resolve the FQDN itself.
Avatar of MJCS

ASKER

Alan,

How do I install the certificate on my remote users' machines?
Through IE:

To install the certificate, you need to export it first via IIS Manager on the server.

Open up IIS Manager, expand Web Sites, then right-click on your Default Web Site and choose Properties, then click on the Directory Security tab, then the View Certificate button, then on the Details tab of the Certificate window.

On the Details Tab, click on Copy To File, click Next, Next, Next, Choose the name and location for the certificate file (Desktop should be easy to find and certificate.cer for the name) then click Next and then Finish.

Copy the certificate.cer file to the computer on a USB stick and then do the following:

Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab.  Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK.  Click Next and then Finish.  Click OK on the next prompt.
Avatar of MJCS

ASKER

So my belief that the internet connection wizard did this all for me automatically in SBS2003 was wrong?
Avatar of MJCS

ASKER

So, do I need to disable .net authentication in order to ungray "Integrated Windows Authentication" & Basic authentication?
Avatar of MJCS

ASKER

So I unchecked .Net and ran IISRESET.

Also, the companyweb receives a "The page cannot be found" error, is this related?
Not to RPC. Sounds like you have a few issues with IIS.

RPC uses the RPC and Exchange virtual directories.

Companyweb is just your intranet site.
Avatar of MJCS

ASKER

Is this what I want there?
No - usually set to ignore client certs.
Avatar of MJCS

ASKER

Should I uncheck Require SSL then?
Avatar of MJCS

ASKER

Is this what I want?
Avatar of MJCS

ASKER

accidentally set it as mail.xxx.ca

Have made some adjustments to settings in response to Remote Connectivity Analyzer.

Now hung up on:

The certificate chain didn't end in a trusted root.
SOLUTION
Hopefully no more than $30 for a 1 year certificate.
Avatar of MJCS

ASKER

no comment.
Avatar of MJCS

ASKER

At that point I was past caring and ready to spend some money to make the issues go away.
Ah!  No problems.  Check my profile if you need to buy another one!
Avatar of MJCS

ASKER

I got there eventually through a combination of feedback coupled with my own research. If someone else has this issue, I'd suggest 3 things.

#1. Start by using https://www.testexchangeconnectivity.com/ to see where it's breaking

#2. Try update KB931125. If I had gotten that tip a bit sooner, I would have tried it.

#3. At some point, it may save a lot of time to just buy an external SSL certificate. If you do, Digicert can get you one within an hour of submission (in my case it was like 10 minutes). However, there are cheaper options out there.