RPC-HTTP with IIS Front-End and SQL Back-End


  • RPC-HTTP with IIS Front-End and SQL Back-End

    Hi,

    I've got a question which I hope someone can answer. We are trying to implement a single Exchange Server RPC-HTTP, but on the machine there is a SQL DB with a webpage running on ports 80 and 443 and there is no way that we can move it, so... am I correct in saying that RPC-HTTP should still work because Exchange listens on ports 6001, 6002 and 6004 for RPC traffic, and if we NAT these ports to the machine running Exchange, IIS and SQL, Exchange will still respond to the RPC-HTTP requests?

    The reason why we NAT these ports is because we run a Linux firewall, and in order for RPC-HTTP to work we had to NAT it on another site to work - took us a couple of days to figure that one out because I thought RPC-HTTP is what it says: RPC encapsulated in traffic running on ports 80 and 443.

    Hope I made sense and that someone will give me an answer because I don't want to try this on a Live network and there is no V-Network I can test it on.

  • #2
    Re: RPC-HTTP with IIS Front-End and SQL Back-End

    RPC over HTTPS only works on port 443 for the inbound traffic from the internet. That cannot be changed.
    Those other ports you have mentioned are for internal use only and do not (and should not) be open to the internet.

    Therefore if you have other services running on this server your options are limited.
    If the other server can be reconfigured to listen on another IP address, then add another IP address to the server and change the application. Exchange needs to listen on the default IP address. You will also need a second external IP address.

    If that isn't possible then you are unable to use RPC over HTTPS without an additional server and a lot of fiddling around - thinking of an ISA server in front of the existing box.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: RPC-HTTP with IIS Front-End and SQL Back-End

      Simon,

      I've got some bad news. I don't know if you have a Linux firewall and are trying to connect via RPC-HTTP, but unless you open those ports on the Net, RPC-HTTP doesn't work - believe me, we've tried and failed miserably.

      If you have a better way of doing it, please let me know.

      OK, on the other matter of apps running on the ports needed by RPC-HTTP: the client will not allow me to change the ports, and if I understood correctly I'm stuffed?


      I'm going to open a new thread - wrong heading



      • #4
        Re: RPC-HTTP with IIS Front-End and SQL Back-End

        If you have to open ports other than 443 then you do not have RPC over HTTPS configured correctly. It is designed to go through that single port and I have pushed it through that port on virtually every firewall going - that includes Linux-based firewalls.

        Simon.


        • #5
          Re: RPC-HTTP with IIS Front-End and SQL Back-End

          Well, you might be right, but I've set it up exactly like numerous Internet pages, including the one posted on this site, explained, and as far as the settings go everything seems to be in order, but the moment that we close those 6000 ports RPC-HTTP no longer works. At this point I want to throw in the towel and say RPC-HTTP sucks and it'll never work, but I can't.

          If I send you my RPC-HTTP configuration, will you have a look at it and tell me what the hell I'm doing wrong? You can drop me an e-mail at janco at opensolutions co za

          Silly question: can it have something to do with the certificate, or lack thereof? On the one site we have a non-authoritative certificate published, which is installed on all the client PCs, and on this site there is no certificate. Can that also have an impact on RPC-HTTP?



          • #6
            Re: RPC-HTTP with IIS Front-End and SQL Back-End

            If you don't have a certificate then the feature doesn't work. It is designed to work over port 443, which is https. I refer to the feature as RPC over HTTPS, not RPC over HTTP or any other name with HTTP only in it.
            Furthermore Outlook needs to trust the certificate, so if you browse to https://host.domain.com/rpc and get a certificate prompt then it will not work with Outlook.

            If you haven't got a certificate in place then what is happening is Outlook is making a TCP/IP connection, not an HTTPS connection. With Outlook running and working with your additional ports open, hold down CTRL and right click on the Outlook icon in the system tray. Choose Connection Status. A correctly working deployment will show all connections as HTTPS. If they show TCP/IP then it is not working correctly.

            RPC over HTTPS basically fails on one of three elements...

            1. Wrong registry settings.
            2. SSL certificate issues.
            3. Authentication settings.

            That is of course presuming that everything involved meets the requirements to run the feature.

            Simon.
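Post #6 lists wrong registry settings first among the causes of failure. The following is an added example, not code from the thread or from Microsoft, that audits an RPC proxy `ValidPorts` string for the three internal ports discussed here; it assumes the standard `ValidPorts` value under `HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy` (not named in the thread), and the host names and sample value are constructed.

```python
import re

REQUIRED_PORTS = {6001, 6002, 6004}  # internal ports named in this thread
_ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})(?:-(\d{1,5}))?$")


def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into {lowercased host: set of ports}."""
    allowed = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        m = _ENTRY.match(entry)
        if not m:  # fail loudly so a typo is not silently skipped
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return allowed


def audit_valid_ports(value, expected_hosts, required=REQUIRED_PORTS):
    """Return (missing, extra): required ports each expected host name lacks,
    and host/port pairs the proxy would relay to beyond what is required."""
    allowed = parse_valid_ports(value)
    expected = {h.lower() for h in expected_hosts}
    missing, extra = {}, {}
    for host in expected:
        gap = set(required) - allowed.get(host, set())
        if gap:
            missing[host] = sorted(gap)
    for host, ports in allowed.items():
        surplus = ports - set(required) if host in expected else ports
        if surplus:
            extra[host] = sorted(surplus)
    return missing, extra


# Constructed sample value and host names (not from the thread): the FQDN
# entry lacks 6004, and an unneeded 100-102 range is allowed for the short name.
SAMPLE = "sbs01:6001-6002;sbs01:6004;sbs01.example.local:6001-6002;sbs01:100-102"
HOSTS = ["SBS01", "sbs01.example.local"]

if __name__ == "__main__":
    print(audit_valid_ports(SAMPLE, HOSTS))
```

Entries reported as extra widen what a request arriving on port 443 can be relayed to, so trimming them keeps the proxy to the ports it actually needs.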


            • #7
              Re: RPC-HTTP with IIS Front-End and SQL Back-End

              OK, on this site there is no certificate, which means I have a possible solution here, but on the other site we have a certificate, Outlook trusts the certificate and the registry settings are as shown on the petri page about RPC-HTTP/HTTPS. Why then, if we disable the 6001, 6002 and 6004 ports on the firewall, does RPC-HTTP no longer work? The requirements are met, authentication with the above-mentioned ports open on the firewall works and Outlook trusts the cert. Please tell me why the moment we disable the 6000 ports RPC refuses to work.

              With the ports open we run outlook /rpcdiag and the connection is https, but when the ports are closed Outlook just sits there and is trying to connect. If you can answer me that, I'll owe you big time.

              Another stupid question: if I implement a certificate, how will that affect the rest of the websites that run only on http?



              • #8
                Re: RPC-HTTP with IIS Front-End and SQL Back-End

                Presuming that the firewall is not between the Exchange servers and the domain controllers, i.e. the firewall is protecting everything from the internet, then I cannot answer your question.

                I have deployed RPC over HTTPS numerous times (a dozen or more times a month) with almost every firewall ever used, including Linux-based firewalls, and it only requires port 443 to work. That is the entire point of the feature - one port only is required. The additional port numbers referenced in the article are calls to Exchange and to the domain controllers from the proxy.

                If you are seeing the same problem on two sites then it has to be something that you are doing that is not correct, as this is not an issue I have seen before and I have been working with RPC over HTTPS for over three years.

                Simon.


                • #9
                  Re: RPC-HTTP with IIS Front-End and SQL Back-End

                  I'm not having this problem on 2 different sites; it is only one site with this problem, the other is a totally different problem. There is no firewall between the DC, Exchange and the proxy because they are one and the same machine; the Linux firewall is merely NATting the 443 port to the SBS machine. I don't dispute the fact that everything is supposed to run on 443, but in my case from the internet it is not working unless I open ports 6001, 6002 and 6004 and NAT them to the SBS machine.

                  The other problem is that I'm bound by red tape because something might go wrong with the other websites if I implement RPC-HTTP, and unfortunately I don't have a V-environment to test in. That is why I asked what will happen if I create a cert: will it be implemented on the other websites?



                  • #10
                    Re: RPC-HTTP with IIS Front-End and SQL Back-End

                    SSL certificates are web site specific. If there are other web sites on the server then they will not be affected, except if you are using host headers. SSL doesn't use host headers, so if the SSL certificate was issued to mail.domain.com and someone enters https://www.domain.com and both URLs point to the same IP address then the visitor who puts in https://www.domain.com will get mail.domain.com with an SSL warning.

                    Simon.


                    • #11
                      Re: RPC-HTTP with IIS Front-End and SQL Back-End

                      Thank you, now that leaves me with my last question... I've sat down and tried this again. The moment I close ports 6001, 6002 and 6004 Outlook does not connect even though the HTTPS packets are going to the Exchange box; I ran tcpdump to make sure. Outlook is set up using the recommended options, i.e. basic authentication, mutual authentication with rpcproxy and only use http on slow networks. We made sure that the firewall blindly passes all https traffic to the SBS 2003 box, IIS is set up using the recommended configuration as shown on the Petri website and MS website, and Exchange is set up as back-end rpc proxy.

                      As soon as we open ports 6001, 6002 and 6004 Outlook connects over the Internet no problem. Now I need to know why this is happening because theoretically RPC-HTTP, as you said, is only supposed to work on port 443 over the Internet, but in this case it's not, so if you can give me ideas where to go look I'll appreciate it.



                      • #12
                        Re: RPC-HTTP with IIS Front-End and SQL Back-End

                        I have nothing to suggest on the problem with the ports.
                        I have never needed to open the additional ports on the firewall, I am using it at home behind a firewall with just two ports open 443 and 25.

                        You will not like me for saying this, but the first thing I would be looking to do is replace the firewall. I would switch it for something else - even a cheap Linksys/Netgear router.

                        If the problem continues then you have to start tearing down the configuration because if the firewall is ruled out I wouldn't have a clue where to start.
                        That would involve removing the RPC Proxy component, RPC virtual directories from IIS Manager and then redoing the RPC Proxy installation from Windows Components and then the registry settings.

                        Simon.