MJCS
asked on
Troubleshooting RPC over HTTP / HTTPS
Migrated from pop/imap to Exchange 2003 via SBS2003 over the weekend.
Exchange seems to be running fine.
However, cannot get RPC over HTTP to work.
Port 443 on the router is forwarding to the Server.
My understanding is that the internet connection wizard on SBS2003 creates its own SSL certificate. Is this correct?
The exchange server is mail.XXXX.ca. The website, XXXX.ca, is hosted with Hostgator. The internal domain is XXXX.local.
On an internal workstation I am trying to connect to server.XXXX.local. Is this correct or should I be trying mail.XXXX.ca or something else?
Also, for mailbox do I use username or XXXX\username or XXXX.ca\username or XXXX.local\username?
SBS2003 should already be configured correctly for the RPC over HTTP a.k.a. "Outlook Anywhere" feature right out-of-the-box. You need to check that RPC over HTTP Proxy is installed in Control Panel Add/Remove Windows components, along with all the other Exchange requirements like IIS, SMTP and NNTP. This sets the https.sys IIS driver to listen for RPC connections on 443. Then in the Registry you need to make the 3 settings for the TCP ports or use the free utility "RPCNoFrontEnd" to set or check the correct NSPI, Public and Private IS ports. You may have additional problems if you fiddled with IIS security settings to sort through, including address and host restrictions. You should also have correctly installed an SSL certificate, either self-made through the Resource Kit utility or purchased which is preferable.
If you are using / have re-created a new self-issued SSL certificate, you need to install the certificate on each and every client computer that is going to use RPC over HTTPS otherwise Outlook won't connect.
If you use a 3rd party (trusted) SSL certificate, then you don't need to install the certificate onto each client.
Some prefer to install the cert and use self-issued as no-one can set Outlook up on their own (more secure / more control), others prefer the 3rd party SSL cert option as it is less hassle.
When you configure Outlook - only type in the internal server name (only), not server.internaldomain.local - let Outlook resolve the FQDN itself.
ASKER
Alan,
How do I install the certificate on my remote users machines?
Through IE:
To install the certificate, you need to export it first via IIS Manager on the server.
Open up IIS Manager, expand Web Sites, then right-click on your Default Web Site and choose properties, then click on the Directory Security Tab, then the View Certificate button, then on the Details Tab of the Certificate window.
On the Details Tab, click on Copy To File, click Next, Next, Next, Choose the name and location for the certificate file (Desktop should be easy to find and certificate.cer for the name) then click Next and then Finish.
Copy the certificate.cer file to the computer on a USB stick and then do the following:
Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab. Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK. Click Next and then Finish. Click OK on the next prompt.
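A scripted form of the client-side import described above, added here as an example and not part of the original thread. It refuses to trust the file unless its thumbprint matches the one read off the server (View Certificate, Details tab), since the file travels on a USB stick; the path, host name and thumbprint defaults are placeholders.

```powershell
# Added example (not from the thread): verify an exported .cer, then trust it.
# All three parameter defaults are placeholders; supply your own values.
param(
    [string]$CerPath            = 'E:\certificate.cer',   # assumed USB path
    [string]$ExpectedHost       = 'mail.example.com',     # name Outlook uses for the proxy
    [string]$ExpectedThumbprint = '<thumbprint shown on the server>'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CerPath

# Normalise the reference thumbprint: the Details tab shows it with spaces.
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# DnsName returns the first SAN DNS entry, or the subject CN if there is none.
$name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$now  = Get-Date

$problems = @()
if ($cert.Thumbprint -ne $want) {
    $problems += "thumbprint $($cert.Thumbprint) does not match the server's"
}
if ($name -ne $ExpectedHost) {
    $problems += "certificate is for '$name', not '$ExpectedHost'"
}
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($cert.Subject -ne $cert.Issuer) {
    $problems += "not self-issued; import the issuing CA's certificate instead"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to trust $CerPath"
}

# Machine-wide Trusted Root store; needs an elevated prompt.
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try     { $store.Add($cert) }
finally { $store.Close() }
Write-Output "Trusted $($cert.Subject) [$($cert.Thumbprint)], expires $($cert.NotAfter)"
```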
ASKER
So my belief that the internet connection wizard did this all for me automatically in SBS2003 was wrong?
ASKER
So I unchecked .Net and ran IISRESET
Also, the companyweb receives a "The page cannot be found" error, is this related?
Not to RPC. Sounds like you have a few issues with IIS.
RPC uses the RPC and Exchange virtual directories.
Companyweb is just your intranet site.
ASKER
Is this what I want there?
No - usually set to ignore client certs.
ASKER
Should I uncheck Require SSL then?
Yes.
ASKER
accidentally set it as mail.xxx.ca
Have made some adjustments to settings in response to Remote Connectivity Analyzer.
Now hung up on:
The certificate chain didn't end in a trusted root.
Download and install the following update:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6149
Hopefully no more than $30 for a 1 year certificate.
ASKER
no comment.
ASKER
At that point I was past caring and ready to spend some money to make the issues go away.
Ah! No problems. Check my profile if you need to buy another one!
ASKER
I got there eventually through a combination of feedback coupled with my own research. If someone else has this issue, I'd suggest 3 things.
#1. Start by using https://www.testexchangeconnectivity.com/ to see where it's breaking
#2. Try update KB931125. If I had gotten that tip a bit sooner, I would have tried it.
#3. At some point, it may save a lot of time to just buy an external SSL certificate. If you do, Digicert can get you one within an hour of submission (in my case it was like 10 minutes). However, there are cheaper options out there.
You also need a valid certificate from a CA (normally),
but first refer to this: http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm