rpc over http not connecting

I have a 2008 server with 2007 Exchange (Outlook Anywhere), AD installed.

No problems for lan users, OWA and active sync devices.

When I try to have an external user set up Outlook 2010, it cannot connect.

The Exchange server is "servername.activedomain.local".

Firewall forwards proper traffic to the server.

We only have self-signed certs.
cjpcman01 asked:
 
Alan Hardisty (Co-Owner) commented:
Did you install the Self-Issued certificate on each client?  If not - RPC over HTTPS (Outlook Anywhere in Exchange 2007 / 2010) won't work.

If you have a 3rd party trusted SSL certificate, then you don't need to install the certificate on each and every client.
0
 
strivoli commented:
Is the CA's CER added to the MACHINE CERs Repository under Trusted CAs?
0
 
ManicD commented:
The name in the "Issued To" of the certificate MUST 100% MUST be the same as the proxy server name you are using or it will not work!!!

Your user MUST also trust the certification authority.
I find that the best way is to export the certificate of the CA and import it to the users; when I do this I do not allow it to automatically choose the store, I choose it manually and add it to the Trusted Root Certification Authorities.
0
 
Alan Hardisty (Co-Owner) commented:
Being self-issued and the fact that OWA / Activesync and the rest of Exchange works - I think that we don't need to worry about the name on the certificate.
0
 
ManicD commented:
RPC/HTTP is more picky than OWA or ActiveSync (for both you can choose to ignore certificate issues).

I have had the same problem before, when a certificate is issued to mail.domain.com and the proxy server is set to webmail.domain.com. They may both resolve to the same IP but unless you use the one on the certificate it will fail!!!
0
 
Alan Hardisty (Co-Owner) commented:
Activesync has to use the same name on the certificate or it will also fail - thus your comment is not correct.
0
 
cjpcman01 (Author) commented:
Cert is installed on the local machine root CA.

I get an error:

you must connect the current profile to exchange before sync...
0
 
Alan Hardisty (Co-Owner) commented:
If your server's FQDN is servername.activedomain.local and your cert matches it - that is your problem in a nutshell.  .local domains are not internet routable, so this will never work outside of your LAN unless you use a domain name / SSL cert that has a .com / .co.uk / .net etc domain name to point to your server and a certificate with that name included in it.

The usual SSL cert to install for Exchange 2007 / 2010 is a SAN / UCC certificate with the following names included:

mail.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername

0
 
cjpcman01 (Author) commented:
How do I modify the cert to include the external domain settings?
0
 
Alan Hardisty (Co-Owner) commented:
I always use the following site to generate the Certificate Signing Request for an Exchange 2007 Certificate:

https://www.digicert.com/easy-csr/exchange2007.htm

Fill in the details and then copy / paste the output and then generate a new SSL cert for your server, install it and then install the new cert on the clients.

Any reason for not buying a 3rd party one?  $180 buys you a 3-year trusted 5 name SAN / UCC certificate that doesn't need to be installed on each and every client.
0
 
cjpcman01 (Author) commented:
I am using IIS to manage the SSL and not seeing how I can use the CSR file to make the SSL cert.
0
 
Alan Hardisty (Co-Owner) commented:
Never used a self-signed certificate myself so I have not run through the steps personally, but the following link looks about right (from my Exchange 2003 Self-Signed cert days):

http://blogs.technet.com/b/andym/archive/2008/09/15/exchange-2007-create-self-signed-certificates.aspx
0
 
cjpcman01 (Author) commented:
Did all this SSL cert stuff and still not able to connect. Could this be because the Exchange server's FQDN is servername.ADdomain.local? If so, how do I attach our external FQDN to it?
0
 
AniDXB commented:
Try Digicert.com, they have proper guides and tools for installing an SSL certificate for Exchange.
0
 
cjpcman01 (Author) commented:
OK, cert installed, had to install the CA cert also.

The only problem now is that when I re-open Outlook it keeps asking for username and password.
0
 
Alan Hardisty (Co-Owner) commented:
0
 
AniDXB commented:
Is it on RPC? Then you have to feed in:
domain/user
password

0
 
Alan Hardisty (Co-Owner) commented:
Not necessarily.
0
 
anuragshankar commented:
Disable IPv6:
1) NIC card.
2) HOSTS file: comment out the "::1" line with the "#" sign.
3) From the registry, with the help of the article: http://support.microsoft.com/kb/929852
Ensure that the value set is 0xffffffff in hexadecimal or 4294967295 in decimal for the key "DisabledComponents" under the location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters.
4) If you have multiple NIC cards, ensure that the active NIC is at the top of the NIC binding order.
5) Ensure that you are able to browse to http://mail.domain.com/rpc/rpcproxy.dll from outside; you should get a blank page. If not, please get the IIS logs and check for the error for rpcproxy.dll.
Try uninstalling and re-installing the RPC over HTTP component.
Try disabling and re-enabling the Outlook Anywhere feature from the EMC / Server Configuration / Server Name / Properties.
6) Ensure that the correct Application Pool (DefaultAppPool) is set for the Rpc virtual directory.
0
 
cjpcman01 (Author) commented:
Got the rpcproxy.dll.

Asks for username/password.

Log in and then get "You do not have permission to view this directory or page."
0
 
cjpcman01 (Author) commented:
Got in, but it states:

The webpage at ******/rpc/rpcproxy.dll is currently unavailable. It may be overloaded or down for maintenance.
0
 
cjpcman01 (Author) commented:
Outlook is trying to connect to

servername.ADNAME.local

This is the Exchange server address. Do I need to change the Exchange server address to be based on our external FQDN?
0
 
Alan Hardisty (Co-Owner) commented:
If your client is External - you will have to use the External FQDN.

.local domain names are not internet routable, so if you use the internal address externally, it won't resolve to anything.

Also - the name you use (External FQDN) HAS to match one of the names in your SSL certificate.
0
 
cjpcman01 (Author) commented:
The SSL cert is a *.externalfqdn.com.

In the setup of the mailbox Outlook changes the server name to reflect the internal FQDN.

Upon initial creation of the profile and mailbox it syncs and connects no problem. But upon reconnect it doesn't connect.

Server: 2008 with Exchange 2007 SP1.

0
 
Alan Hardisty (Co-Owner) commented:
Outlook should use the Internal FQDN - the Proxy section will use the External FQDN.

The fact that it connects is good - do you see anything that has changed after you have synced initially? Has the internal FQDN changed or the Proxy FQDN?

Do you want to set up a test account and ping me the details so I can see what might be happening?
0
 
cjpcman01 (Author) commented:
OK, how do I send the data to you?
0
 
Alan Hardisty (Co-Owner) commented:
Check my profile - email address is in there.  Profile is available by clicking on my name.
0
 
anuragshankar commented:
Run the command: Set-OutlookProvider -id EXPR -CertPrincipalName "msstd:*.domain.com"
0
 
cjpcman01 (Author) commented:
OK, I installed a free 30-day cert based on the external FQDN, which seemed to resolve most problems.

Where is the best (cheapest) site to get a UCC/SAN cert?

Also, will this resolve the problem that internal users are having with Outlook showing/stating that the SSL cert does not match the server name?
0
 
anuragshankar commented:
You can get a UCC cert from either GoDaddy or GeoTrust or Verisign.
0
 
Alan Hardisty (Co-Owner) commented:
My profile has a link to a site cheaper than GoDaddy and GoDaddy are about the cheapest site available.  The link is to my GoDaddy Reseller Account!
0
 
cjpcman01 (Author) commented:
OK, need some answers.

Installed SP3 and a third-party cert... did not fix it.

Unchecked the msstd requirement and voila, it connected...
0
 
Alan Hardisty (Co-Owner) commented:
Did you run the command mentioned above:

Set-OutlookProvider -id EXPR -CertPrincipalName "msstd:*.domain.com"

If you did - you probably needed to undo the command and set it back to the name on your ssl certificate e.g.,

Set-OutlookProvider -id EXPR -CertPrincipalName "msstd:owa.domain.com"
0
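As an added example, not posted by anyone in the thread: a read-only Exchange Management Shell check that compares the three names the thread ends up juggling, the Outlook Anywhere external host name, the names on the certificate assigned to IIS, and the EXPR provider's CertPrincipalName, and reports which one is out of step. The cmdlets are the real Exchange 2007/2010 ones; the matching function, messages and the assumption that it runs on the CAS are mine.

```powershell
# Added example (not from the thread): read-only consistency check of the three names that
# must agree for Outlook Anywhere (RPC over HTTPS) on Exchange 2007 / 2010:
#   1. the Outlook Anywhere ExternalHostname,
#   2. the names on the SSL certificate enabled for the IIS service,
#   3. the EXPR Outlook provider's CertPrincipalName (the "msstd:" value).
# Assumes the Exchange Management Shell is loaded on the CAS. Nothing is modified.

function Test-CertNameMatch([string]$HostName, [string]$CertName) {
    # A wildcard entry (*.example.com) covers exactly one extra DNS label.
    if ($CertName.StartsWith("*.")) {
        $suffix = $CertName.Substring(1)            # ".example.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains("."))
    }
    return [string]::Equals($HostName, $CertName, [StringComparison]::OrdinalIgnoreCase)
}

$externalHost = [string](Get-OutlookAnywhere | Select-Object -First 1).ExternalHostname
if (-not $externalHost) { Write-Warning "Outlook Anywhere has no ExternalHostname set"; return }

# Only the certificate IIS presents on 443 matters to the Outlook client.
$iisCert = Get-ExchangeCertificate | Where-Object { [string]$_.Services -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { Write-Warning "No Exchange certificate is enabled for the IIS service"; return }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { [string]$_ })

Write-Host "External host name : $externalHost"
Write-Host "IIS certificate    : $($iisCert.Thumbprint) -> $($certNames -join ', ')"

# Check 1: the external host name must be covered by the certificate (exact or wildcard).
$hostCovered = @($certNames | Where-Object { Test-CertNameMatch $externalHost $_ }).Count -gt 0
if ($hostCovered) { Write-Host "OK   : $externalHost is covered by the IIS certificate" }
else { Write-Warning "FAIL : $externalHost is not on the IIS certificate; external clients fail the SSL check" }

# Check 2: if a CertPrincipalName is enforced, it has to be a name on that same certificate.
$principal = [string](Get-OutlookProvider EXPR).CertPrincipalName
if (-not $principal) {
    Write-Host "INFO : EXPR has no CertPrincipalName, so Outlook does not enforce an msstd: name"
} else {
    $msstd = $principal -replace '^msstd:', ''
    if ($certNames -contains $msstd) {
        Write-Host "OK   : $principal matches a name on the certificate"
    } else {
        Write-Warning "FAIL : $principal is not on the certificate. A matching value would be:"
        Write-Warning "       Set-OutlookProvider -Identity EXPR -CertPrincipalName `"msstd:$externalHost`""
    }
}
```

The script only suggests the Set-OutlookProvider command; review the reported names before applying it, since a wildcard certificate can legitimately carry a wildcard msstd: value.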