RPC over HTTP - Have you gotten it to work II

Guest

I've been down the road Bill has (see post RPC over HTTP - Have you gotten it to work) including the information provided by neo...but still no joy! The only way I can get a connection using this technique is to open port 135 on the server firewall (not a long term solution, obviously). I've gone over every scrap of crap Microsoft has to say and I'm out of ideas. Can anyone offer any suggestions?

Thanks in advance
 
Lanwench [MVP - Exchange]

Have you posted in an Exchange group? I'd try
microsoft.public.exchange.admin - more likely to get help in there.

Me, I am sticking with VPN, to be honest. ;-)
 
neo [mvp outlook]

Start Outlook with the /rpcdiag command line switch. Does it look like
Outlook is hanging on connecting to the Global Catalog server or Exchange
before jumping back to a standard TCP/IP connection?

Also, can you tell us a little about the setup? For example, are Exchange
and the global catalog server NAT'd behind the firewall? Are both
resolvable from the internet? You mentioned firewall, what kind of firewall
are the boxes behind (PIX, Checkpoint)? Have you successfully established an
RPC/HTTPS connection on the corporate network w/out jumping through the
firewall?

Zeus said:
I've been down the road Bill has (see post RPC over HTTP - Have you gotten
it to work) including the information provided by neo...but still no joy!
The only way I can get a connection using this technique is to open port 135
on the server firewall (not a long term solution, obviously). I've gone over
every scrap of crap Microsoft has to say and I'm out of ideas. Can anyone
offer any suggestions?
 
Zeus

Thanks for the help Neo, RPCDIAG shows the server name
and type directory and referral and under the Conn heading
for both "---" with status "connecting". A netstat shows
me trying to connect to the server's IP on port 135 with
SYN_SENT. The firewall is just a D-Link router for the
time being to simplify things. I have ports 6001 and 6004
open to the server. The only way I can connect to it via
Outlook is if I open port 135 to the server. I've
configured the server to issue a certificate to both the
FQDN and the public DNS name of the server with the same
results.

Using RPCPING (rpcping.exe -t ncacn_http -s ExchangeServerName -o RpcProxy=ProxyServerName -P "user,domain,*" -H 1 -u 10 -a connect -F 3 -E -R none)
simply produces "ping failed" with no other information.
 
neo [mvp outlook]

Assuming the following configuration with use of a broadband<?> router...

1) Server(s) are behind a router that lets you share an IP address

2) Client (laptop) is on public internet side of router

3) Configure router to route port 443 (HTTPS) to Exchange server. (For sake
of clarity of this example, I'm pretending that I have a single exchange
server that is doing it all.) No other ports need to be opened to the
servers.

4) Review http://support.microsoft.com/default.aspx?scid=kb;en-us;833401
Step #1 is done to Exchange server
Step #2 is done to Global Catalog server(s) that Exchange uses

5) Assuming that you are using a private (self-issued) certificate, make
sure that the laptop has a copy of the approving root CA installed. (Outlook
will throw no errors if it can't trace the certificate back up the chain and
just fail the connection over to a standard TCP/IP connection [which is port
135 by the way].)

Step #5 should be thought of this way: if you attach the certificate to a
website, type https://fqdn.myserver.ext in your browser, and get any type of
dialog about the certificate not being trusted, doesn't match what was typed
in for an address, etc., the RPC/HTTPS connection will fail every time.
(Took me a while to figure this one out because no dialogs are ever
displayed that something is wrong.)
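
The silent failure described in step #5 can be made visible from the client. The following PowerShell sketch is an added example, not part of the original thread: the function name Test-RpcProxyCertificate is hypothetical, and fqdn.myserver.ext is the placeholder host name used in the post.

```powershell
# Added diagnostic sketch (not from the thread). Connects to the HTTPS port the
# router forwards and reports the two conditions named in step #5: whether the
# chain is trusted on this client and whether the name matches what was typed.
function Test-RpcProxyCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # exactly the name entered in Outlook
        [int] $Port = 443
    )

    $state = @{ Errors = $null; Chain = @() }

    # Record the validator's findings instead of failing the handshake.
    # Returning $true is for inspection only; never do this in real client code.
    $check = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $check

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $nameFlag  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainFlag = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            NameMatches  = -not ($state.Errors -band $nameFlag)
            ChainTrusted = -not ($state.Errors -band $chainFlag)
            ChainStatus  = $state.Chain -join ', '   # e.g. UntrustedRoot when the root CA is missing
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Run from the laptop on the public side of the router:
# Test-RpcProxyCertificate -HostName fqdn.myserver.ext
```

If either NameMatches or ChainTrusted comes back False, the browser test in step #5 would show a certificate dialog for the same host name.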
 
Zeus

The certificate issue was a big part of the problem (#5)
(KB297681) and now I can rpcping to the server and my
connections are on port 443 as expected. I'm getting
the 'insufficient memory' thing now when I try to log on
though. I'm using the principal name (e-mail address removed) and
I've ensured that basic authentication is being used.
I've seen some posts on this one before but can't seem to
find the solution.

Thanks for the advice so far!
 
