Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

  • Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

    Good Morning Everyone,

    Can anyone provide any assistance with this problem with OA on Exchange 2010 I've been banging my head against for a couple of days now.

    Let me prefix this problem by saying that running outlook anywhere with a self signed SSL is not what I would normally recommend, nor would I usually attempt this configuration without an (autodiscover.) in the DNS for the external domain, but in this case this setup has been working without issue for about 15 months, so the IT admin I'm attempting to assist is reluctant to get his wallet out without proof that doing so will resolve this problem.

    A few weeks ago, users external to the domain started reporting Outlook had stopped working. The message reported onscreen is [Cannot open your default e-mail folders. Microsoft Exchange is not available.] - These users are using a mix of Office 2007 and 2010 and all have a self signed certificate deployed in the trusted root authority on their local machines. Visiting https://fqdn.somedomain.co.uk/owa successfully allows a login to Outlook Web Access without any certificate errors or prompts.

    Launching outlook.exe /RPCDIAG shows connections to the directory service [http://i40.tinypic.com/90d9vl.jpg] but no MAIL connections that I would normally expect. Also, when configuring a new profile, after entering the Proxy details (basic auth) and putting a username and password in, Outlook successfully resolves the internal FQDN and username (i.e. SRVSBS01 and Username change to SRVSBS01.domain.local and "A User" underlined ) - implying that the RPC proxy is getting at least into Active Directory(?)

    As they are using self-signed certs, www.testexchangeconnectivity.com is not available as a test. This is a single server SBS2011 deployment, so should (usually) be fairly straightforward to troubleshoot.

    RPCPing tests using various switches all seem to pass [http://pastebin.com/03SqgMbQ] with either

    --RPCPinging proxy server fqdn.somedomain.co.uk with Echo Request Packet
    --Sending ping to server
    --Response from server received: 200
    --Pinging successfully completed in 1014 ms

    or

    --Completed 1 calls in 2637 ms
    --0 T/S or 2637.000 ms/T

    RPCcfg.exe /HD, RPCDump.exe /v and get-outlookanywhere|fl appear to show everything running on the ports I would expect [http://pastebin.com/7Fq6pkm7]


    So far I've followed a number of troubleshooting steps (disabling IPv6, adding entries to Hosts file, uninstalling outlook anywhere [servermanagercmd -r rpc-over-http-proxy] including recreation of RPC/RPCWITHCERT directories, using RPCNoFrontEnd to set reg keys manually)

    I've come to the conclusion that I'm probably out of my depth on this one but I've already learnt a considerable amount that I didn't know before about how OA works, so thought I'd try to glean a little more knowledge before I give up.

    Many Thanks

    Mark
    Last edited by Havelock; 27th February 2012, 12:34.

  • #2
    Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

    Outlook Anywhere with the self signed certificate is not supported.

    The fact that it was working for whatever time is nothing but the drink driver's excuse. Spend the $60, get the certificates sorted and you will find most problems go away.

    Disabling IPv6 was never a solution, a few people claim it causes problems, but in the numerous installations I have done, I have never once disabled it.

    As you are using SBS, I would probably start with the Fix My Network wizard to try and get things back to standard and then get the SSL certificate sorted out.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

      Evening Simon,

      Thanks for your reply - can you advise where on the Microsoft site it advises that generating your own CA for use with Outlook Anywhere is not possible (or even better - is there a command/utility that can be run from the client that would show specifically a certificate failure?) as Exchangepedia and a follow up to your post in Feb 2011 from your fellow MVP seems to contradict this?

      http://exchangepedia.com/2007/08/out...rtificate.html

      http://social.technet.microsoft.com/...d-f61b5acc5603

      Sorry if I'm missing something, I'm just struggling to understand why outlook would care if the cert is generated by a CA supplied with windows by default or is a CA you've added into the trusted root later?

      Cheers
      Mark



      • #4
        Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

        If you are using a Windows CA, rather than the self signed certificate that Exchange installs, then I cannot help you. I don't use the Windows CA at all - never even looked at it. Not worth the hassle. At my hourly rate the cheapest solution is to deploy a commercial SSL certificate, which then means nothing else has to be done to any clients. No roots install, no headaches or hassles.

        Since Exchange 2007 I have deployed 100s of servers, all of them with commercial certificates, all of them without any issues with SSL certificates.

        All the problems I have seen have been down to people trying to "save money" by using either the self signed or internally generated SSL certificate. On an SBS deployment, it isn't worth the headache.

        For support of the self signed certificate that is installed by Exchange (not by Windows) see the various Technet articles:
        http://technet.microsoft.com/en-us/l...exchg.80).aspx

        "Important The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync. "

        There is nothing on the client that will indicate an SSL certificate failure, that is why the process is so frustrating for end users/admins. However I can tell you right now, that if you deploy a commercial certificate (in the correct way for SBS) then the problems will go away.

        What it comes down to is how much is your time worth? For me, less than 30 minutes.

        Simon.


        • #5
          Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

          Simon,

          Thank you very much for your help on this - my gut feeling on this is that you're right and that this is related to the certificates - unfortunately I'm a salaried tech support monkey for a company that probably offers more tech support than we should (i.e. we don't maintain this server, we're just trying to keep good customer relations etc. etc.) so this customer can feel free to waste as much of my time without paying anything extra....

          Out of curiosity - do you think a 90 day trial certificate (like from Comodo) would be suitable for OA - if I can demo this working with a valid SSL cert they'll likely buy one. Some of my reading suggests that a SAN/UC certificate with multiple server addresses is required...

          Thanks again
          Mark



          • #6
            Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

            You do need a Unified Communications certificate, but I am not aware of anyone providing trial versions of that certificate type, it is all single name certificates.

            If you are billing the client, then how long before the bill is more than US$60? That is all that a suitable certificate costs from https://certificatesforexchange.com/

            Simon.


            • #7
              Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

              Cheers Simon - I'd love to use that reasoning, but in this case, the customer pays a flat yearly fee for support, whether we spend 5 minutes looking into a problem or if I have to investigate all year.

              *Sigh* I guess I'll have to find some Salesman pants to try and convince 'em it's required - not optional

              Thanks Again

              Mark



              • #8
                Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                Originally posted by Havelock:

                *Sigh* I guess I'll have to find some Salesman pants to try and convince 'em it's required - not optional
                That is what I tell my clients right from the start - it goes in to the costings for the deployment.

                If they are on a flat rate, then look at your own company time. Rather than spending hours getting it to work, it will probably be more cost effective if your own company bought the certificate, as it would allow you to get on with other things.

                Simon.


                • #9
                  Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                  To put light to the situation, isn't it amazing how much you learn when something isn't working? lol


                  Let's try to isolate this first..
                  is it everyone in 1 office? EVERYONE?
                  If you set up a mailbox at (your house, your office, -remotely-), do you get it as well?

                  (i.e. SRVSBS01 and Username change to SRVSBS01.domain.local and "A User" underlined ) - implying that the RPC proxy is getting at least into Active Directory(?)
                  ..I had that issue as well. Never fixed it, just shrugged it off



                  • #10
                    Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                    It's certainly been a learning experience

                    To clarify, from the terminal server on the domain, forcing Outlook Anywhere as the connection method, it works fine, mailbox and all mail appears - looking at the connections by launching outlook with outlook.exe /rpcdiag, you see 2 connections with a connection type of HTTPS to a directory service and one with a type of TCP/IP to a mail service.

                    From outside the domain, i.e. my home PC, the "directory service" connection establishes, mail tries and then errors. There are maybe about 4-5 Sales people who use this functionality - when in the office all works fine, outside, problem occurs.

                    My guess is that in addition to the first remote.somedomain.co.uk certificate, the client machine is also trying to authenticate srvsbs01.domain.local against the same cert, which is a no-no (for self-signed).

                    As an aside, I've spoken with this customer and their reluctance to purchase an additional cert is clearer - they're currently paying just under 300 a year for their citrix.somedomain.co.uk certificate - as a workaround we've set their reps up to use VPN/Outlook and when their citrix cert expires they're going to buy a 10 domain UCC cert to cover all their sub-domains.

                    I'll return to this post to confirm this resolves the issue in a couple of months should anyone come across it with their google-fu

                    Again - thanks for the assistance on clarifying this setup for me

                    Mark

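A client-side check for the certificate questions raised in posts #3 and #10, as an added example that is not part of the thread or written by any poster: it connects to the Outlook Anywhere host, rebuilds the certificate chain against the local machine's stores and reports which names the certificate covers. The function name Test-OaCertificate and its parameters are hypothetical, the host names in the usage line are the thread's placeholders, and whether Outlook validates the internal name is the poster's guess, which this script does not establish.

```powershell
function Test-OaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ProxyHost,  # external Outlook Anywhere name
        [string[]]$NamesToCheck = @($ProxyHost),           # names a client might validate
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $Port)
    try {
        # Accept any certificate so the handshake completes and the certificate can be
        # inspected. Diagnostic use only; no data is sent over this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ProxyHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Rebuild the chain against this machine's certificate stores, as the client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainProblems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: English Windows, where the formatted text reads "DNS Name=<host>".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    # Fall back to the subject's common name when there is no SAN extension.
    if (-not $sanNames) { $sanNames = @($cert.GetNameInfo('SimpleName', $false).ToLower()) }

    $nameResults = foreach ($name in $NamesToCheck) {
        $n = $name.ToLower()
        $covered = $false
        foreach ($san in $sanNames) {
            # A wildcard entry covers exactly one left-most label.
            if ($san -eq $n -or ($san.StartsWith('*.') -and $n.Contains('.') -and
                    $n.Substring($n.IndexOf('.')) -eq $san.Substring(1))) { $covered = $true }
        }
        [pscustomobject]@{ Name = $name; CoveredByCertificate = $covered }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $chainOk
        ChainProblems = $chainProblems -join ', '
        Names         = $nameResults
    }
}
# Usage: Test-OaCertificate -ProxyHost remote.somedomain.co.uk -NamesToCheck remote.somedomain.co.uk, srvsbs01.domain.local
```

ChainTrusted and ChainProblems reflect the stores of the machine the script runs on, so it should be run on an affected external client rather than on the server.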


                    • #11
                      Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                      Originally posted by Havelock:
                      It's certainly been a learning experience

                      To clarify, from the terminal server on the domain, forcing Outlook Anywhere as the connection method, it works fine, mailbox and all mail appears - looking at the connections by launching outlook with outlook.exe /rpcdiag, you see 2 connections with a connection type of HTTPS to a directory service and one with a type of TCP/IP to a mail service.

                      From outside the domain, i.e. my home PC, the "directory service" connection establishes, mail tries and then errors. There are maybe about 4-5 Sales people who use this functionality - when in the office all works fine, outside, problem occurs.

                      My guess is that in addition to the first remote.somedomain.co.uk certificate, the client machine is also trying to authenticate srvsbs01.domain.local against the same cert, which is a no-no (for self-signed).

                      As an aside, I've spoken with this customer and their reluctance to purchase an additional cert is clearer - they're currently paying just under 300 a year for their citrix.somedomain.co.uk certificate - as a workaround we've set their reps up to use VPN/Outlook and when their citrix cert expires they're going to buy a 10 domain UCC cert to cover all their sub-domains.

                      I'll return to this post to confirm this resolves the issue in a couple of months should anyone come across it with their google-fu

                      Again - thanks for the assistance on clarifying this setup for me

                      Mark

                      eh, mostly I use ss certs.
                      The directory service establishes then errors, what error does it give?



                      • #12
                        Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                        No errors - just a failure to connect. Event viewer nothing, IIS logs on server nothing, Transport log for Outlook nothing.

                        I've even attempted resorting to Wireshark to watch what it's doing but the SSL stream is obfuscated so it's pretty hard to follow



                        • #13
                          Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                          Have you tried turning off any & every firewall you have?

                          Maybe the mail pointer for the domain?
                          ..nevermind. if it was that, owa wouldn't work.
                          ..right? lol



                          • #14
                            Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                            Windows firewall was disabled for testing - though if this was the problem I wouldn't have expected to be able to get to https://somedomain.co.uk/rpc/rpcproxy.dll, which we could, and I would have expected RPCPing to ports 6001, 6002 and 6004 to fail, and they all succeeded.

                            The way I understand this stuff to work is that the outlook client only "sees" the RPC/CAS/Web server, and the webserver interfaces with the exchange box (or in this case itself) through something called DSProxy to do its mail and active directory stuff. If I'm mistaken on this please correct me as I find this stuff interesting.

                            My general feeling about this problem now is that we could probably - if we spent enough time messing around with it - be able to fudge this into working, but when all's said and done this would be an unsupported deployment should the customer ever have to call PSS, is harder to manage when adding more clients and there would be nothing stopping Microsoft from releasing a security update that nobbled whatever workaround system we came up with in the future anyway.

                            For now the customer is happy using VPN/Outlook in place of Outlook Anywhere - with the added bonus (for them) of being able to get to some additional internal resources they didn't realise would be accessible via VPN

                            Mark



                            • #15
                              Re: Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

                              Not sure if this is of use.

                              http://forums.petri.com/showthread.php?t=58175

                              Last post shows you some technical aspects. I had to re-write URLs to suit the certificate being used.
