Trying to get RPC over HTTP for Outlook working

[Daniel Mazur]

having trouble seeing my exchange server via outlook 2007 over the internet
connecting to my Exchange Enterprise Server 2003. Have followed Microsoft
instructions, testing first without use of of SSL certificates. I may be a
bit confused about front end and backend servers. I have one PC, a domain
controller at our office, a seperate PC with Exchange Only on it, connecting
to the Domain Controller, and another PC with Blackberry Enterprise
installed. The purpose of this is to get away from use of the VPN
connection required to be part of the local network for Exchange User access
off property. Sounds good configuring settings into the Outlook only and
preventing other local access this way. Any ideas? Again, cannot get the
Outlook to see the Exchange Server during the logon name and password to
server process.

 

[neo [mvp outlook]]

You should be asking this question over in one of the
microsoft.public.exchange support groups. Also, you will need to clarify
your post a bit. Based on the below, I would assume that you have a single
Exchange server setup. If my understanding is right, you high level checks
would be...

1) Ensure that the RPC proxy component is installed on your Windows 2003
(SP1/SP2)/Exchange 2003 SP2 server

2) Enable the Exchange server as an RPC/HTTPS backend server. (Exchange
System Manager > Right click on server object > Properties > RPC-HTTP tab)
You may have to add the necessary registry keys to get this working.
Location in registry is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

The DWORD value Enabled should be set to 1
The REG_SZ value ValidPorts would be set to
ServerNETBIOSName:6001-6002;ServerNETBIOSName:6004;ServerFQDNName:6001-6002;ServerFQDNName:6004

To explain the ValidPort line better, assume that the name of the Exchange
server is EXCH01 and the domain name I'm working with is contoso.com. The
ValidPorts entry would be:

exch01:6001-6002;exch01:6004;exch01.contoso.com:6001-6002;exch01.contoso.com:6004


3) I would test the connection on the internal network before testing from
the internet.

Other than that, test with SSL enabled and if you are using a private
(internal) certificates to secure the web/rpc proxy services, make sure that
a copy of the signing certificate authority is installed on the
workstations. The client operating system (assuming Windows XP SP2 or
newer) will verify the SSL certificate back to the issuing certificate
authority.

 

[Daniel Mazur]

Thanks,

Your reply was most thorough. Got it working!

 

[Evans Leung]

Neo,

I have a similar situation, my domain is company.local, server name is
exchange

with respect to your suggestion to change ValidPorts entry:

at the moment I have:

exchange:6001-6002;exchange.company.local:6001-6002;exchange:6004;exchange.company.local:6004

do I need to change the above entry?

the outlook 2007 (installed in Windows XP SP2) rpc-over-http only works
outside the network only if it VPN in (we use ISA2004 here)

thanks,
Evans

 

[neo [mvp outlook]]

ISA2004 adds a layer of complexity, but
http://www.isaserver.org/tutorials/2004pubowamobile.html might be helpful to
you.

 

[Evans Leung]

thanks for your reply, it puzzeles me that the current setup has been
working well with Outlook 2003 but not Outlook 2007...

Evans

 

[neo [mvp outlook]]

Interesting. What kind of certificate are you using on the ISA box?
(wildcard, san, .etc)

 

[Evans Leung]

Verisign

Interesting. What kind of certificate are you using on the ISA box?
(wildcard, san, .etc)

 

[neo [mvp outlook]]

Not quite what I'm asking. A wildcard certificate shows that the name the
certificate was issued to is *.some.domain. A subject alternatitive name
(SAN) is where the certificate is multiple fqdn server names. For example,
you can have a certificate that can be used for owa.some.domain,
autodiscovery.some.domain, smtp.some.domain, pop3.some.domain, .etc.

 

[Evans Leung]

not a wild card one, just one, owa."company.com"

Not quite what I'm asking. A wildcard certificate shows that the name the
certificate was issued to is *.some.domain. A subject alternatitive name
(SAN) is where the certificate is multiple fqdn server names. For
example, you can have a certificate that can be used for owa.some.domain,
autodiscovery.some.domain, smtp.some.domain, pop3.some.domain, .etc.

 

[neo [mvp outlook]]

hmm... so much for the hunch of OL2007 and a wild card cert...........

When you configure OL2007 for RPC/HTTP, are you setting the principal name
for the proxy field (its the place where you put msstd:some.server.name)?

 

[Evans Leung]

i use the same settings in all fields in OL2007 just like in OL2003...

msstdwa.company.com

 

[neo [mvp outlook]]

safe to assume the result is the same if you remove the msstd setting?

 

[evans leung]

same... is this a known issue?

safe to assume the result is the same if you remove the msstd setting?

 

[neo [mvp outlook]]

There is a known issue about Outlook 2007 and wildcard certificates.

Looking back over this... lets try changing the rpc proxy registry key a bit
based on your description of:

internal name: exchange.company.local
external name: owa.company.com

I would set the ValidPorts registry value to:

exchange:6001-6002;exchange:6004;exchange.company.local:6001-6002;exchange.company.local:6004;owa.company.com:6001-6002;owa.company.com:6004

 

[Evans Leung]

have tried changing the registry but it didn't work, it also broke the
originally working configurations (BOTH Outlook 2003 in Windows XP and
Outlook 2007 in Vista)

Evans

 

[neo [mvp outlook]]

Sorry about that. At this point, I would suggest that you call Microsoft
Product Support Services or repost to one of the microsoft.public.exchange.*
groups to see if you get any different suggestions to try.