RPC over HTTPS with Front-End OWA and Back-End Exchange 2003 SP1

wrathyimp

Technical User
Oct 8, 2003
46
KW
Hi,

I have been googling to get the best configuration steps for my scenario:

Back-End: Windows 2003 SP1 - Exchange 2003 SP1
Front-End: Windows 2003 SP1 - Exchange 2003 SP1 (OWA)
SSL Certificate: 3rd Party (Equifax)

Now most of the forums, articles and guides are pointing to a RPC-HTTPS on a single Server scenario
(
But didn't find any for my scenario (as mentioned above).

Could anyone shed some light on this?

Thanks in advance.
 
Sorry my Front-End Server Updates:

Front-End: Windows 2003 SP2 - Exchange 2003 SP2 (OWA)
 
I take it this worked for you :)

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
Sorry for the delayed reply, we had a weekend.

TechyMcSe2k,

I can just use the petri.il guide and continue with the setup, no need to configure RPC-HTTP Proxy on the Front-End?

Please clarify my doubts.

Thank you.
 
I would use the front end for items like OWA and the RPC-HTTP service. Backend should handle mail load.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
Now I have updated my Exchange 2003 server with SP2.

The following is my setup for RPC-HTTPS:

Backend: Win2003 SP2 + Exchange 2003 SP2 + RPC Proxy setting
NetBIOS Name: SRV
Domain: domain.local
FQDN: mail.domain.com
Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
the values should be entered in the below format:
srv:6001-6002;
srv.domain.local:6001-6002;
mail.domain.com:6001-6002;
dadsrv:6004;
srv.domain.local:6004;
mail.domain.com:6004
NSPI interface protocol sequences
ncacn_http:6004

Frontend: Win2003 SP2 + Exchange 2003 SP2 + RPC Proxy setting
NetBIOS Name: Webmail
Domain: domain.local
FQDN: webmail.domain.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
the values should be entered in the below format:
srv:6001-6002;
srv.domain.local:6001-6002;
mail.domain.com:6001-6002;
dadsrv:6004;
srv.domain.local:6004;
mail.domain.com:6004

I am facing connectivity issues. I can connect Outlook within the LAN, but the connection is over TCP/IP; it's not taking HTTPS after enabling Exchange proxy over HTTP.

Do I have messed-up registry settings on my backend server and my frontend server?

I did a single server configuration before setting up the Frontend server for RPC.(
The following error at testexchangeconnectivity.com
Connectivity Test Failed
Attempting to Ping RPC Proxy webmail.dadholding.com
Cannot ping RPC Proxy
Additional Details
A Web Exception occured because an HTTP 401 -
Unauthorized response was received from IIS6

Please advise me if I am doing something wrong.

Thank you.
 
Remove the RPC Proxy component:
Which Server FE or BE?
iisreset on which server FE or BE?
again reinstall the component on? FE or BE?

And regarding the registry changes, which servers do I need to remove them from?

Still checking the petri.il forum,

Thanks
 
On the FE for all questions above.
The FE is the RPC Proxy to the backend. Then you configure your BE to receive the RPC traffic.

This is a link from the first document I gave you. SSL should be handled by the FE and permissioning for IIS/Exchange directory as well. BE should not need the SSL configuration on itself.

Also, some troubleshooting tips:

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
Now let me go through this in steps:

1st remove registry entries from Backend server:
How can I remove these registry entries?

2nd Reset RPC setting to anonymous access in IIS of Backend
Uncheck Require SSL (128-bit) under IIS of Backend

3rd Set RPC-HTTP tab to Not part of Exchange RPC-HTTP topology
in Exchange System Manager of Backend

4th remove registry entries from Front-End
How can I remove these registry entries?

5th remove RPC component from Frontend

6th IISreset on Frontend

7th Reinstall RPC component on Frontend

8th Test Client.

Are these the correct steps for me to perform?
Did I miss anything?

Please guide me.

Thank you.
 
I had followed the steps as I have mentioned.

But still I can connect locally with a TCP/IP connection, instead of HTTPS.

In my frontend the RPC registry showed the following:
SRV:6001-6002;srv.domain.local:6001-6002;SRV:6004;srv.domain.local:6004;

so I added the extra mail.domain.com:
srv:6001-6002;srv.domain.local:6001-6002;mail.domain.com:6001-6002;srv:6004;srv.domain.local:6004;mail.domain.com:6004

but still no luck. My FE NetBIOS name: webmail, so do I need to add additional "webmail.domain.local" ports?

Thank you.
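
A consistency check for the RpcProxy port lists posted above, as an added example that is not part of the original posts. It parses the `host:port[-port];...` format and reports names missing the 6001-6002 or 6004 entries and names that are not among the back end's expected ones; the helper names and the assumption that all three back-end names should be listed are this example's own.

```python
import re

REQUIRED_PORTS = {6001, 6002, 6004}  # ports the thread's entries use
ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")


def parse_valid_ports(value):
    """Hypothetical helper: 'host:port[-port];...' -> ({host: ports}, malformed)."""
    hosts, malformed = {}, []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:  # tolerate a trailing ';' or line breaks
            continue
        m = ENTRY.match(entry)
        if not m:
            malformed.append(entry)
            continue
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if lo > hi or hi > 65535:
            malformed.append(entry)
            continue
        hosts.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return hosts, malformed


def audit(value, expected_hosts):
    """Hypothetical helper: list findings for one server's port list."""
    hosts, malformed = parse_valid_ports(value)
    expected = {h.lower() for h in expected_hosts}
    findings = [f"malformed entry: {e}" for e in malformed]
    for host in sorted(expected):
        missing = REQUIRED_PORTS - hosts.get(host, set())
        if missing:
            findings.append(f"{host}: missing ports {sorted(missing)}")
    for host in sorted(set(hosts) - expected):
        findings.append(f"{host}: not an expected back-end name")
    return findings


# Values copied from the posts; expected names are the back end's from the thread.
BACKEND_NAMES = ["srv", "srv.domain.local", "mail.domain.com"]
POSTED_FIRST = ("srv:6001-6002;srv.domain.local:6001-6002;mail.domain.com:6001-6002;"
                "dadsrv:6004;srv.domain.local:6004;mail.domain.com:6004")
POSTED_FE = "SRV:6001-6002;srv.domain.local:6001-6002;SRV:6004;srv.domain.local:6004;"

if __name__ == "__main__":
    for label, value in (("first post", POSTED_FIRST), ("front end", POSTED_FE)):
        print(label, audit(value, BACKEND_NAMES) or "consistent")
```

A clean result only means the list is internally consistent; it says nothing about the IIS authentication settings discussed elsewhere in the thread.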
 
It keeps pointing me to a permissions issue on the IIS FE server. webmail.yourdomain.com does resolve to your FE (public IP)? Does your Exchange directory use Basic Authentication only? Does the account (UPN) you are using for test have appropriate access?

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
webmail.mydomain.com does resolve from public IP (its our OWA).
Yes, I have set to Basic Authentication.
The account can be accessed by OWA, from public and webmail.mydomain.local/exchange (internal) as well.

But still I can get the setup working, even internally, as the Conn states as TCP/IP, not HTTP/S on my client; that's when I am using mail.mydomain.com, not webmail.mydomain.com.

But using webmail.mydomain.com, I keep getting the login popup window, can't pass the authentication.

thanks for the comments.


 
Does mail.mydomain.com have a SSL cert on the FE for the Exchange directory?
The name of the certificate matches the Web site that is being accessed. The client computer trusts the certification authority that issued the certificate.

When you get the prompt for username and password, do you put domain\username?

Is there a firewall in the middle of all of this?



________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
FE has an SSL cert on webmail.domain.com.
The name on the SSL cert is webmail.domain.com, and I have configured Outlook to the same webmail.domain.com. It's working with OWA.
Yes, as the SSL cert is not custom made or home-made, we have it from Geotrust.

At the login prompt, I get webmail.domain.com on the top, and domain is the SRV\username

Which domain shall I try? I tried domain.com\username

 
RPCPinging proxy server webmail.domain.com with Echo Request Packet
Sending ping to server
Response from server received: 200
Pinging successfully completed in 172 ms
 