exch2003 http over rpc - no isa server?

  • exch2003 http over rpc - no isa server?

    Hello People

    My AD domain is composed of 2 DCs (2000, 2003) and 3 SA servers, all 2003. There is no ISA server; all domain servers and wks are beyond the firewall.

    My single Exchange 2003 server is one of these stand-alone servers, working well, no problems at all; I want to enable secured Internet access for my Outlook 2003 clients through HTTP over RPC to the internal single Ex2003 server.
    I made all the necessary preparations - configuring the IIS server, installing 3rd certificate, configuring RPC-HTTP in the Ex2003, opening the 443 and 80 ports in the firewall; still, there are connection problems.

    Is the "missing" ISA server the only reason for that connection problem? Is it possible to enable HTTP over RPC for external Outlook users without the ISA server at all? If it is possible, what is the right procedure of configuration (single Ex2003, beyond firewall)?

    Thanks in advance

  • #2
    Re: exch2003 http over rpc - no isa server?

    The missing ISA server is not the cause of any problems. You don't need ISA to use RPC over HTTPS.

    Three most common reasons for failure

    - certificate mismatch or other certificate errors (non trusted certificate, certificate issued to mail.domain.com and you are entering owa.domain.com etc)
    - authentication mismatch - the virtual directory is set to basic and you are using NTLM in Outlook (integrated in IIS).
    - registry settings wrong.

    I have seen three servers recently though where the only fix was to remove the RPC Proxy component from Windows Components, then remove the virtual directories from IIS Manager. Run iisreset from a command prompt to write the changes to the metabase. Then reinstall the RPC Proxy component. I have also seen instances where anonymous authentication is enabled on the virtual directory which will also break it.

    http://exchange.sembee.info/2003/rpc...tp/default.asp

    Simon.
    Last edited by Sembee; 15th July 2011, 11:57. Reason: URL Correction
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
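
The first two failure causes listed in the post above, plus the anonymous-authentication case, as an added example that is not part of the original post or the linked article: a Python pre-flight check over a described client profile and server state. The dictionary keys, function names and sample values are assumptions; the registry settings are not checked because the thread does not list them.

```python
# Added example: pre-flight check for an Outlook RPC over HTTPS profile.
# Host names and settings are constructed sample values.

# Outlook calls it NTLM; IIS lists the same method as "integrated".
IIS_NAME = {"basic": "basic", "ntlm": "integrated"}


def name_matches(cert_name, host):
    """Compare a certificate name with a host name, label by label."""
    cert = cert_name.lower().rstrip(".").split(".")
    want = host.lower().rstrip(".").split(".")
    if len(cert) != len(want):
        return False
    if cert[0] == "*":
        # A wildcard stands for exactly one leftmost label, never a bare domain.
        return len(cert) > 2 and cert[1:] == want[1:]
    return cert == want


def preflight(profile, server):
    """Return the problems that would stop the client from connecting."""
    problems = []
    host = profile["proxy_host"]
    if not any(name_matches(n, host) for n in server["cert_names"]):
        problems.append("certificate name mismatch for " + host)
    if not server["cert_trusted_by_client"]:
        problems.append("certificate is not trusted by the client")
    if IIS_NAME[profile["auth"]] not in server["vdir_auth"]:
        problems.append("authentication mismatch: Outlook uses " + profile["auth"])
    if "anonymous" in server["vdir_auth"]:
        problems.append("anonymous authentication enabled on the virtual directory")
    return problems


# Constructed server state: certificate issued to mail.domain.com, Basic only.
SERVER = {"cert_names": ["mail.domain.com"], "cert_trusted_by_client": True,
          "vdir_auth": {"basic"}}
BROKEN = {"proxy_host": "owa.domain.com", "auth": "ntlm"}
FIXED = {"proxy_host": "mail.domain.com", "auth": "basic"}

if __name__ == "__main__":
    for label, profile in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, preflight(profile, SERVER) or "no problems found")
```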



    • #3
      Re: exch2003 http over rpc - no isa server?

      Sembee, thank you so much for the quick, detailed answer.

      I will check the procedure again - regarding your remarks and the suggested article - reporting to you asap.

      Thanks again for the kind help.



      • #4
        Re: exch2003 http over rpc - OWA access instead

        I am trying to enable OWA access instead.

        Now there is an Internet access problem: since my stand-alone Ex2003 is beyond the firewall, the FQDN name which should be the COMMON NAME of the certificate is "mail.MYDOMAIN.dom" (LAN AD domain is MYDOMAIN.DOM); the Internet organization address is different, "x.DOMAIN.org"; a potential Internet out-of-LAN user will not be able to access the Ex2003 server mailbox, even if all firewall ports etc. are configured.

        Is there any way to enable OWA access in such a configuration, without an ISA server and/or an additional Ex2003 server?

        Thanks in advance



        • #5
          Re: exch2003 http over rpc - no isa server?

          The name of your domain has nothing to do with the name on the SSL certificate. They can be the same, they can be different. As long as the port is open and the DNS is configured correctly, then OWA will work. No additional servers required.

          If you want the external name to work internally then you will need to configure a split DNS system. http://www.amset.info/exchange/split-dns.asp

          Simon.


          • #6
            Re: exch2003 http over rpc - no isa server?

            Sembee - thanks again for your kind, quick answer.

            By reading the article you have recommended - and other split-DNS related articles - I came to another, easier solution:

            Let's say I put a second NIC in the EX2003 server, in addition to the current NIC which serves the internal, NAT users. The second, new NIC will be configured with an external IP address, on a different port in my router, accompanied by the right firewall configuration. A client certificate will be required by the IIS server (for the external users' access, accompanied by AD authentication). It seems to me that such a configuration will be secured enough.

            I would be glad to know your opinion about that kind of solution.



            • #7
              Re: exch2003 http over rpc - no isa server?

              Originally posted by hatul:
              Sembee - thanks again for your kind, quick answer.

              By reading the article you have recommended - and other split-DNS related articles - I came to another, easier solution:

              Let's say I put a second NIC in the EX2003 server, in addition to the current NIC which serves the internal, NAT users. The second, new NIC will be configured with an external IP address, on a different port in my router, accompanied by the right firewall configuration. A client certificate will be required by the IIS server (for the external users' access, accompanied by AD authentication). It seems to me that such a configuration will be secured enough.

              I would be glad to know your opinion about that kind of solution.

              Why do you think that a second NIC is an easier solution?
              You have to purchase the card, take the machine down, put the card in, boot the machine, configure the network card correctly, reboot again.
              Dual homing an Exchange server is not something I would recommend either.

              Whereas a split DNS system takes two to three minutes to configure, does not involve any downtime or financial outlay. It does not mean that you have to configure split DNS.

              Oh, and you can't use client certificates with RPC over HTTPS, as the feature cannot cope with certificate prompts. You must use a single commercial SSL certificate for the feature to work correctly.

              You are making things too complicated. The feature is very easy to implement, in a secure manner - even without ISA.

              Simon.