Exchange 2010 - Outlook Anywhere (RPC over HTTP/s)

this thread has 18 replies and has been viewed 30454 times

#11  nharvey, 28th February 2012, 22:20

Quote, originally posted by Havelock:
It's certainly been a learning experience

To clarify, from the terminal server on the domain, forcing Outlook Anywhere as the connection method, it works fine, mailbox and all mail appears - looking at the connections by launching outlook with outlook.exe /rpcdiag, you see 2 connections with a connection type of HTTPS to a directory service and one with a type of TCP/IP to a mail service.

From outside the domain, i.e. my home PC, the "directory service" connection establishes, mail tries and then errors. There are maybe about 4-5 Sales people who use this functionality - when in the office all works fine, outside, problem occurs.

My guess is that in addition to the first remote.somedomain.co.uk certificate, the client machine is also trying to authenticate srvsbs01.domain.local against the same cert, which is a no-no (for self-signed).

As an aside, I've spoken with this customer and their reluctance to purchase an additional cert is clearer - they're currently paying just under 300 a year for their citrix.somedomain.co.uk certificate - as a workaround we've set their reps up to use VPN/Outlook and when their citrix cert expires they're going to buy a 10 domain UCC cert to cover all their sub-domains.

I'll return to this post to confirm this resolves the issue in a couple of months should anyone come across it with their google-fu

Again - thanks for the assistance on clarifying this setup for me

Mark

eh, mostly I use ss certs.
The directory service establishes then errors, what error does it give?
#12  Havelock, 28th February 2012, 23:48

No errors - just a failure to connect. Event viewer nothing, IIS logs on server nothing, Transport log for Outlook nothing.

I've even attempted resorting to Wireshark to watch what it's doing but the SSL stream is obfuscated so it's pretty hard to follow
#13  nharvey, 29th February 2012, 01:42

Have you tried turning off any & every firewall you have?

Maybe the mail pointer for the domain?
..nevermind. if it was that, owa wouldn't work.
..right? lol
#14  Havelock, 29th February 2012, 12:18

Windows firewall was disabled for testing - though if this was the problem I wouldn't have expected to be able to get to https://somedomain.co.uk/rpc/rpcproxy.dll, which we could, and I would have expected RPCPing to ports 6001, 6002 and 6004 to fail, and they all succeeded.

The way I understand this stuff to work is that the outlook client only "sees" the RPC/CAS/Web server, and the webserver interfaces with the exchange box (or in this case itself) through something called DSProxy to do its mail and active directory stuff. If I'm mistaken on this please correct me as I find this stuff interesting.

My general feeling about this problem now is that we could probably - if we spent enough time messing around with it - be able to fudge this into working, but when all's said and done this would be an unsupported deployment should the customer ever have to call PSS, is harder to manage when adding more clients and there would be nothing stopping Microsoft from releasing a security update that nobbled whatever workaround system we came up with in the future anyway.

For now the customer is happy using VPN/Outlook in place of Outlook Anywhere - with the added bonus (for them) of being able to get to some additional internal resources they didn't realise would be accessible via VPN

Mark
#15  Virtual, 29th February 2012, 12:26

Not sure if this is of use.

http://forums.petri.com/showthread.php?t=58175

Last post shows you some technical aspects. I had to re-write URLs to suit the certificate being used.
#16  Havelock, 29th February 2012, 15:25

Morning Virtual,

That's an interesting thought and something I hadn't even thought about - so if a customer has configured their own domain name (let's say for some reason they called their local domain PETRI.CO.IL) that's resolvable externally it will break OA config, and disallow the creation of SSL Certs (and I presume break lots of other stuff...)

I think I was pretty much at that stage (apart from the certificate) - though this setup is much simpler:

>>>Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl
Identity : SERVER\EWS (Default Web Site)
InternalUrl : https://sub.somedomain.co.uk/EWS/Exchange.asmx
ExternalUrl : https://sub.somedomain.co.uk/ews/exchange.asmx

>>>Get-AutodiscoverVirtualDirectory
Name                             Server  InternalUrl
----                             ------  -----------
Autodiscover (Default Web Site)  SERVER  https://sub.somedomain.co.uk/

>>>Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Identity : SERVER
AutoDiscoverServiceInternalUri : https://sub.somedomain.co.uk/Autodis...todiscover.xml

Pinging SERVER.somedomain.co.uk and SERVER.domain.local from the client PC fails, pinging sub.somedomain.co.uk resolves to the public IP in the external DNS.

Pinging SERVER.somedomain.co.uk, SERVER.domain.local and sub.somedomain.co.uk from the LAN resolves to the private IP.

So I'm guessing all this is right, and they just need a UCC cert with sub.somedomain.co.uk and SERVER.domain.local in it.

Mark

Last edited by Havelock; 29th February 2012 at 15:27.
#17  Virtual, 1st March 2012, 11:23

In my case, their AD domain was resolvable on the internet and they didn't own the address. Their registered external domain used by Exchange was the SMTP address and providing external access, hence having to make some changes.

It does allow you to reduce the entries for the cert. I have even used a Wildcard certificate before, as I have used the same for a number of systems. I tend to also include the NetBIOS name etc. as well on the cert but it depends how you configure the URLs.

Also, using a wildcard can give limitations in Exchange, so one to be tested.

How about trying a free trial with a Certificate provider at some point and testing this on a test system representative of the Production one. Maybe even P to V the current.
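
Added example, not part of any post in this thread: a PowerShell check of which host names taken from the service URLs are covered by a certificate's domain list, for the UCC suggestion in post #16 and the wildcard option mentioned in post #17. The function names are hypothetical, and the URL and certificate lists are constructed from the placeholder names used in the thread.

```powershell
# Added example. Name coverage is only one of the checks a client makes;
# the certificate must also chain to a CA the client trusts.

function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }      # -eq is case-insensitive
        # A wildcard covers exactly one left-most label:
        # *.somedomain.co.uk matches sub.somedomain.co.uk, not a.sub.somedomain.co.uk
        if ($d.StartsWith('*.')) {
            $suffix   = $d.Substring(1)             # e.g. ".somedomain.co.uk"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -eq $suffix) {
                return $true
            }
        }
    }
    return $false
}

function Get-UncoveredHost {
    param([string[]]$Urls, [string[]]$CertDomains)
    # Reduce each URL to its host name, de-duplicate, keep the ones no entry covers
    $Urls | ForEach-Object { ([System.Uri]$_).Host } | Sort-Object -Unique |
        Where-Object { -not (Test-NameCoveredByCert -HostName $_ -CertDomains $CertDomains) }
}

# Constructed input: the two URLs shown in post #16 plus the internal FQDN
# the poster suspects the client is also validating.
$urls = @(
    'https://sub.somedomain.co.uk/EWS/Exchange.asmx',
    'https://sub.somedomain.co.uk/',
    'https://SERVER.domain.local/'
)

# Constructed candidate certificates. On a live server the domain list is the
# CertificateDomains property returned by Get-ExchangeCertificate.
$candidates = @(
    @{ Name = 'single name'; Domains = @('sub.somedomain.co.uk') },
    @{ Name = 'UCC/SAN';     Domains = @('sub.somedomain.co.uk', 'SERVER.domain.local') },
    @{ Name = 'wildcard';    Domains = @('*.somedomain.co.uk') }
)

foreach ($c in $candidates) {
    $missing = @(Get-UncoveredHost -Urls $urls -CertDomains $c.Domains)
    if ($missing.Count -eq 0) { $result = 'all names covered' }
    else { $result = 'not covered: ' + ($missing -join ', ') }
    '{0,-12} {1}' -f $c.Name, $result
}
```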
#18  Havelock, 19th March 2012, 12:19

Morning All,

Just a quick update on this - customer purchased a full, externally verified SSL certificate - all problems with OA are resolved as a result

Cheers for the assist everyone

Mark
#19  Virtual, 19th March 2012, 22:41

Good to hear and thanks for posting back.