RPC over http

David Hancock

I have posted a problem and had no responses. Are there many people doing
RPC over http to get an Outlook 2003 client running on XP pro with sp2 to
connect via internet to Exchange 2003 server? I have tried on 3 sites (all
running w2k3 sbs). I followed KB article 833401 "How to configure RPC over
HTTP on a single server in Exchange Server 2003"
and outlook.exe /rpcdiag shows when on the lan we connect via tcp and over
the WAN no connection to the server (directory or mail) is made. OWA to the
same WAN address works ok, so the Exchange server, iis and OWA setup for
that same server and site is ok.
 
neo [mvp outlook]

I don't run SBS, but RPC over HTTPS works fine here using the enterprise
class products. So here are some questions before giving ideas what to try.

1) has the site applied SP1 for Exchange 2003 or Windows 2003 at this time?
(This doesn't mean go apply if it hasn't been done yet. just trying to get a
feel if any service packs have been applied.)

2) is the site using an internal or 3rd party (e.g. verisign, thawte, etc.)
certificate to secure the website?

3) is the same certificate in #2 used to secure OWA?

4) if #3 is yes, open your browser and go to OWA. do you get any type of
security prompt about trusting the certificate?

5) i believe sbs also comes with sharepoint. is the rpc folder released
from being managed by sharepoint?
 
David Hancock

Answers below:
By the way, is there a way to lock Outlook 2003 on XP pro/sp2 to use only
http, not fall back to TCPIP? I followed a KB that had a registry change,
and I assume that if http did not work then the client would not try RPC
over tcpip. Have not succeeded here either.
The article that describes the registry change follows:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555233

neo said:
I don't run SBS, but RPC over HTTPS works fine here using the enterprise
class products. So here are some questions before giving ideas what to try.

1) has the site applied SP1 for Exchange 2003 or Windows 2003 at this time?
(This doesn't mean go apply if it hasn't been done yet. just trying to get a
feel if any service packs have been applied.)
ANSWER:
SP1 for w2k3 has been applied (assumed exchange sp1 was included). Problem
there before and after sp1 applied.
2) is the site using an internal or 3rd party (e.g. verisign, thawte, etc.)
certificate to secure the website?
ANSWER: using server certificate
3) is the same certificate in #2 used to secure OWA? ANSWER: YES
4) if #3 is yes, open your browser and go to OWA. do you get any type of
security prompt about trusting the certificate?
ANSWER Yes, because the ms generated certificate for this server is not
trusted.
5) i believe sbs also comes with sharepoint. is the rpc folder released
from being managed by sharepoint?

ANSWER: Sharepoint is enabled. Can you elaborate here? How do I release
RPC from being managed by sharepoint?
 
David Hancock

Found out w2k3 sp1 did not patch Exchange server so applied sp1 for
Exchange. This added another TAB for the server under Exchange Server
Management called (RPC-HTTP) and set it to option "RPC-HTTP exchange
back-end server" (because it is SBS and there is no front end server).

This has not resolved the issue yet. Must be getting close though!
 
neo [mvp outlook]

#4 is a definite problem. outlook 2003 can't throw a warning dialog about
the certificate and just fails the connection outright. Try installing a
copy of the server's certificate into the client's trusted root certificate
store. (can be done via internet explorer's internet options)

#5 i'm not familiar with sharepoint under sbs. i bet if you bounce over to
microsoft.public.server.sbs and ask if you have to release the rpc folder in
IIS from being managed by IIS in order for rpc over https to work, that one
of the channel patrons will say yea or nay and even explain how. (i just
know if it has to be done, it is done via sharepoint's administrative web
portal. problem is, i don't have a clue where that is.)
 
Guest

Thanks, I need some help here. I can import a certificate in IE but cannot
work out how to export the server certificate. I found two certificates in
the certificate server on the SBS server. Right click offers "export binary
data". Can someone explain, for an SBS system, how the server
certificate used by rpc over http can be trusted? I guess I could try and
get OWA on same PC to accept the certificate as trusted?
 
Guest

Thanks, you were right.

Resolved by changing ip address of proxy exchange server to the server name
that was in the subject of the certificate used by the Exchange server:
"server.domain.local" and ensuring on the remote PC that the certificate was
trusted (view certificate and install) whilst connecting by OWA and working
it until the certificate was accepted without any keystrokes.

I had to make an entry in my hosts file on the notebook. public ip address
with server.domain.local entry. This makes it difficult when the PC is on
line to the LAN because the server address is then a 192.168.nnn.rrrr address
rather than the public address. I do not want to publish the server
name.domain.local on external DNS. How do I get around this? It would be better
 
neo [mvp outlook]

Based on your description, a split dns configuration and issuance of a web
server certificate to the internal server where the subject name matches how the
clients access the box internally and externally would be one option.

To be a bit more clear on the above, here is an example of what might work.
I have a server named MSEXCH01.domain.local and it is accessed from the
internet by OWA.contoso.com. I would issue a certificate with a subject of
OWA.contoso.com to the MSEXCH01 server to be used to secure web traffic.

Once this is done, I go to my internal DNS server and create a zone for
contoso.com and set up a host record OWA.contoso.com with its internal IP
address. I then go to my external DNS provider and create a host record for
OWA.contoso.com that points to the public ip address.

With this setup, I will get the right IP address based on whether I am on an
internal or external connection.

Hope this makes sense...
/neo
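
The rule behind both the hosts-file fix and the split DNS suggestion is that the proxy name in the Outlook profile has to be a name in the server certificate and has to resolve on whichever network the client is on. The sketch below is an added example, not code from any poster in the thread; the certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and `check_proxy`, the DNS views and the IP addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cert_names(cert):
    """Names a client may match: SAN dNSName entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v.lower() for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    """Exact match, or a whole left-most '*' label standing for one label."""
    h, p = host.lower().rstrip(".").split("."), pattern.split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def check_proxy(proxy, cert, views):
    """List the problems with one proxy-server name, given constructed DNS views."""
    if is_ip(proxy):
        return ["proxy is an IP address; it cannot match a certificate DNS name"]
    problems, names = [], cert_names(cert)
    if not any(name_matches(proxy, n) for n in names):
        problems.append(f"{proxy} is not a name in the certificate {names}")
    for view, records in views.items():
        ip = records.get(proxy.lower())
        if ip is None:
            problems.append(f"{proxy} does not resolve in the {view} view")
        elif (view == "internal") != any(
                ipaddress.ip_address(ip) in net for net in RFC1918):
            problems.append(f"{view} view returns {ip}, the wrong side of the NAT")
    return problems

# Constructed sample data: names from the thread, made-up addresses.
CERT_LOCAL = {"subject": ((("commonName", "server.domain.local"),),)}
CERT_PUBLIC = {"subject": ((("commonName", "OWA.contoso.com"),),)}
VIEWS = {"internal": {"server.domain.local": "192.168.1.10",
                      "owa.contoso.com": "192.168.1.10"},
         "external": {"owa.contoso.com": "203.0.113.10"}}

if __name__ == "__main__":
    for proxy, cert in (("server.domain.local", CERT_LOCAL),
                        ("OWA.contoso.com", CERT_PUBLIC)):
        print(proxy, "->", check_proxy(proxy, cert, VIEWS) or "ok")
```

With the sample data, `server.domain.local` matches its certificate but is flagged as unresolvable from outside, while `OWA.contoso.com` passes on both sides.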
 
