Outlook, Exchange, and RPC-HTTP

[Haggart]

I've been working my way through setting up a RPC-HTTP connection between Outlook 2003 and Exchange 2003. It's to the point that an internal (within the local network and domain) RPC-HTTP connection seems to work fine. Also, I've used IE to connect to Exchange's RPC folder (example -

https://mail.exchangeserver.com/rpc

and then filled out a challenge box for user name and password). The proper error page shows up (403.2 Forbidden: Read access is denied) and everything seems fine.
But Outlook can't find the server. I've made repeated attempts to connect with Outlook in rpc diagnostic mode (DOS box - "outlook /rpcdiag") and get the challenge box for user name and pass; but it never finds an Exchange server. I've tried to put the user name in different formats: domain_name\user_name, server_name\user_name, just user_name, and so on; just to see if it mattered.
There is a PIX 501 firewall sitting between external clients and the Exchange server. The PIX is setup to allow/pass traffic from ports 80 (HTTP) and 443(HTTPS) to the Exchange server. Since the RPC packets are being moved via HTTP, I have not punch a hole for RPC in the firewall.
The Exchange I'm using is part of the Small Business Server 2003 package. SBS made it easy to setup the Exchange side of RPC-HTTP (a wizard and a check box later it was ready) and I've gone through different 'How to' FAQs that verified Exchange's setting are correct. So I'm left with the firewall and/or the client.

Any help on this would be great.

Also, I did see some posts similiar to this (April 2004?), but they too were stuck. One solution involved adding an entry to the client's 'hosts' file; but I haven't had any sucess defining the Exchange address with the full server name.

Thanks.

 

[AndyPeck]

Haggart

When you do an NSlookup external to network what do you get for mail.exchangeserver.com, does it find your externally visable IP which you have assigned to the OWA website.

 

[Haggart]

Yes, NSlookup comes up with the correct IP address. I also checked the certificate for this (in SBS2003) and made sure the names match exactly.

 

[AndyPeck]

When you try to accessing OWA from externally using

https://mail.exchangeserver.com,

does it bring up the right screens and allow you to logon on??

Andy

 

[Haggart]

yes it does.

 

[AndyPeck]

So your test client is XP+Sp1+few hotfixes, Outlook 2003 is configure with the internal name of the server in a "Microsoft Exchange Server:" dialog box, and with

https://mail.exchangeserver.com,

under connect to "my exchange mailbox over using HTTP" and you've select on FAST & on SLOW and set to basic authentication.

 

[Haggart]

Yes.
A solution has been found. I didn't do two things.
One was to install the certificate on the client machine during the "

https://mail.server.com/rpc"

test. So, when the challenge box comes up stating the security certificate was issued by a company you have not chosen to trust and you have to choose between 'yes', 'no', and 'View Certificate'; you must click 'View Certificate' and install the certificate. If the certificate isn't install on the client, it won't work. I never install one before, so I didn't know.
Second, under 'Exchange Proxy Settings' the box by 'Mutually authenticate the session whe connecting with SSL' needs to be checked. The 'Principal name for proxy server' needs to be list as 'msstd:mail.server.com' (use the same address your using for https). Though many docs I read stated this to be optional, I needed this setting.
I hope this explains where I went wrong.

Thanks for you help Andy.

 

[dougmbti]

Haggart,
I am in the same boat ... I have SBS 2003 with XP Pro SP1, etc. for client machine. I can run Outlook just fine when on the internal network.

On the outside, I get the login box and it is not working. I have done the early steps as outlined in the earlier posts with similar results. I have the firewall open for HTTP and HTTPS and NOT for the RPC ports.

The only thing different is that I am trying to test the external piece and I am at an office with an existing Exchange 2000 server. Every time I get the login box, it is trying to connect to the Exchange 2000 server for the internal piece and it is not attempting to connect to the SBS External piece.

Can this RPC over HTTP process work for a remote client that is on another Exchange network?

Much thanks for any help you can offer.

Doug

 

[Haggart]

I had a simmiliar problem, but once I changed the 'Exchange Proxy Settings' to the remote exchange server's information it started trying to connect to it instead of the local server. Or am I missing what you're asking?

I would not open the RPC ports. They aren't needed, only the HTTPS port.

 

[dougmbti]

When I add the exchange profile, I set it to the internal name of the exchange server .... exchange.local let's say. Then, in the "more settings" section, I set the proxy settings to the exchange.external address. When I try to "check name" or run Outlook, it keeps trying to connect to the Exchange 2000 server that is on the network that I happen to be connected to and the SBS server that I actually need.

Also, you mentioned the The "Principal name for proxy server' needs to be list as 'msstd:mail.server.com' (use the same address your using for https)". I'm afraid I don't understand what that is. I know where to set it, but I don't know what to put there. If my external address is mail.exchange.external, would that address be msstd:mail.exchange.external?

 

[Haggart]

The 'msstd:' address should be the same address as the 'https:' one, just with 'msstd:' in front of the address. So, my is yes for the 'msstd:' question.

In the 'E-mail Accounts' window (same one with 'more settings' button), did you change the Microsoft Exchange Server entry to the external/SBS server address? You should be able to click 'Check Name' and have it connect or give you a login box. (Remember to add the domain name to your user name - 'domain.com\Haggart')

 

[dougmbti]

Every time I try to connect with Outlook or "check name", it keeps coming up with authentication to the Exchange 2000 that is on my Internet network.

Maybe I missed some tests to make sure the external side of the SBS is working correctly. What are some other tests to verify that the SBS RPC piece is able to communicate correctly?

 

[Haggart]

The only one I know is the "

https://mail.server.com/rpc"

test. It should ask you about viewing and installing a certificate (if you haven't done it already) then it should ask for you user name and pass. If all is well, it will tell you you're not allow to read this folder. Have you done this test?

 

[dougmbti]

That test is done. I install the security certificate (eventhough it comes up again every other time) and then login to receive the 403.2 error.

 

[Haggart]

Once the certificate is installed it should NOT ask about it again. Does the certificate show the correct name/address for the remote Exchange Server, when you 'view' it (which is where you install it too)?

 

[dougmbti]

It shows exactly the external address ie mail.exchange.com - the part after the

https://.

I don't know a whole lot about the certificates.

 

[Haggart]

sounds good.

I'm not sure what other advise to offer.
You might try and start a fresh thread on this problem.

I can't think of any other place the server name appears in the profile.

Sorry I could be more help,

Haggart

 

[dougmbti]

No problem - you've been more than helpful to this point. Thanks!!

Doug