Discussion of RPC over HTTP Series

RE: Discussion of RPC over HTTP Series - 29.Dec.2003 10:11:00 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Stefaan,
That is a very interesting scenario! I haven't considered it, but it would be interesting to see if it works.
We should be able to use an Exchange RPC Server Publishing Rule to allow the RPC proxy access to the Exchange Server on the internal network.
However, there are some other considerations, such as setting the proper Registry entries for port numbers used to communicate between the RPC proxy and the back end Exchange Server. This can complicate the scenario quite a bit over making the RPC proxy a LAT host, but it's not insurmountable. Name resolution would also pose a bit of a challenge, too.
The Registry info will be included in the second part of the series, which I'll post on ISAServer.org tonight.
thanks! Tom

RE: Discussion of RPC over HTTP Series - 30.Dec.2003 1:17:00 AM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Stefaan,
Indeed, I think this DMZ config you outlined would not be easy, but should be able to be done.
You are correct that you can't configure the Outlook 2003 client to present a client certificate, or enable it to use smartcard auth.
However, I think there is a problem with the RPC proxy in that it will not accept a client certificate. I discovered this when trying to configure the ISA firewall to send a client certificate to the RPC proxy server to authenticate by requiring a client certificate. While this works fine with OWA, I was never able to get it to work with the RPC proxy.
Thanks! Tom

RE: Discussion of RPC over HTTP Series - 31.Dec.2003 2:05:00 AM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Stefaan,
I think the new VPN implementation in ISA2004 might be the best solution. I can write you offline with more details, and then we'll share it with the world when the public beta begins!
Thanks! Tom

RE: Discussion of RPC over HTTP Series - 2.Jan.2004 4:49:00 PM
goodie
Posts: 1
Joined: 2.Jan.2004
Status: offline

Tom, Thanks for the articles. I was reading through part 1 and 2 but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be? I have installed RPC Proxy on the exchange server and removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much, Jon

RE: Discussion of RPC over HTTP Series - 2.Jan.2004 9:40:00 PM
rpotthoff
Posts: 8
Joined: 12.Aug.2003
Status: offline

I have read part1 and part2 and I have one problem: I do not have a front end server. I only have one exchange server and I need to use this with ISA. What do I need to do to make this work? PLEASE help as I will be installing exch2k3 this weekend.

RE: Discussion of RPC over HTTP Series - 3.Jan.2004 2:38:00 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

quote: Originally posted by goodie: Tom, Thanks for the articles. I was reading through part 1 and 2 but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be? I have installed RPC Proxy on the exchange server and removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much, Jon
Hi Jon,
Yes, that would be an interesting scenario. I haven't tested it out yet, though. I wanted to start with the scenario that is officially sanctioned by MS, and then move to more creative approaches.
If you have a chance to test it before me, please let us know the results of your testing.
Thanks! Tom

RE: Discussion of RPC over HTTP Series - 3.Jan.2004 2:39:00 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

quote: Originally posted by rpotthoff: I have read part1 and part2 and I have one problem: I do not have a front end server. I only have one exchange server and I need to use this with ISA. What do I need to do to make this work? PLEASE help as I will be installing exch2k3 this weekend.
Hi R,
The front end can be just an IIS 6 box running the RPC over HTTP service. The Exchange front-end server is the officially sanctioned config, but not required.
HTH, Tom

RE: Discussion of RPC over HTTP Series - 5.Feb.2004 5:20:00 AM
Vem427
Posts: 1
Joined: 4.Feb.2004
Status: offline

For those of you wanting to host OWA, RPC/HTTP, Active Sync and/or OMA using ISA server, one document that you might find very useful is "Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment".
This handles all aspects of urlscan with respect to ISA 2000 and Exchange 2003 and includes a fully functional urlscan file.
If you are also providing access to a MS SharePoint Portal Server then I suggest that you look at the documentation for that as it is also affected by urlscan.
Hope this is of some use to other members.
Anyway, here are my comments on "spouseele"'s idea for a poor man's solution to rpc/http. Not so certain about the achieved end result. The following ports (in addition to rpc port) must be opened from this rpc/http server:
To all Exchange back-end servers: 593 (end point mapper), 6001 (Store), 6002 (DS referral), 6004 (DS proxy)
To all utilized Global catalog servers: 593 and 6004
I believe that you could do what you suggest but wonder if the result is as good as keeping the rpc/http server on the internal network.
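
Added example, not part of the original post: a least-privilege check of a firewall allow-list against the port matrix listed above, reporting required flows that are missing and rules that open more than the matrix needs. The host names and the rule list are constructed for illustration; only the four listed ports are modelled, so any other flow (including whatever the post means by "rpc port") is flagged for review.

```python
# Added example. Ports and roles are taken from the post above;
# host names and the sample rule list are constructed assumptions.
BACKEND_PORTS = {593: "end point mapper", 6001: "Store",
                 6002: "DS referral", 6004: "DS proxy"}
GC_PORTS = {593: "end point mapper", 6004: "DS proxy"}

def required_flows(backends, global_catalogs):
    """Return {(dest_host, tcp_port): role} the RPC proxy must reach."""
    flows = {}
    for host in backends:
        for port, role in BACKEND_PORTS.items():
            flows[(host, port)] = role
    for host in global_catalogs:
        for port, role in GC_PORTS.items():
            flows[(host, port)] = role
    return flows

def audit(rules, proxy, backends, global_catalogs):
    """rules: (src, dst, port_low, port_high) allow entries.
    Returns (missing required flows, rules wider than the matrix)."""
    needed = required_flows(backends, global_catalogs)
    mine = [r for r in rules if r[0] == proxy]
    missing = sorted(
        (dst, port) for (dst, port) in needed
        if not any(d == dst and lo <= port <= hi for _, d, lo, hi in mine)
    )
    too_broad = []
    for _, dst, lo, hi in mine:
        wanted = {p for (d, p) in needed if d == dst and lo <= p <= hi}
        if len(wanted) < hi - lo + 1:  # range opens ports nobody asked for
            too_broad.append((dst, lo, hi))
    return missing, sorted(too_broad)

# Constructed sample rule set for a proxy placed in a DMZ.
SAMPLE_RULES = [
    ("rpcproxy", "exch-be1", 593, 593),
    ("rpcproxy", "exch-be1", 6001, 6004),  # also opens 6003
    ("rpcproxy", "gc1", 593, 593),         # 6004 to the GC is absent
    ("owa-fe", "exch-be1", 443, 443),      # other source, ignored
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES, "rpcproxy", ["exch-be1"], ["gc1"])
    print("missing:", missing)
    print("wider than required:", too_broad)
```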

RE: Discussion of RPC over HTTP Series - 5.Feb.2004 2:39:00 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Vern,
Thanks! Tom

RE: Discussion of RPC over HTTP Series - 12.Mar.2004 1:43:00 AM
freeballn
Posts: 1
Joined: 20.Feb.2004
From: Denver, CO
Status: offline

Dr. Shinder and other contributors, Thank you for all the information you all have provided, I really appreciate your work.
I have been going through the process to get RPC working over HTTP to an Exchange server, and I have a question regarding the IPSec between the backend and frontend Exchange servers. My frontend and backend Exchange servers are both also the domain controllers for my AD. I haven't read anything that says that is an issue, but when I go to access the Local Security Policy on either machine it isn't available; instead there are Domain Security Policy and Domain Controller Security Policy options. I went ahead and attempted to create the policies according to the article, but because they are for the domain rather than the local machines, they each show up on both machines. I am unable to assign them both at the same time, and if I do assign one, then the other machine loses access to the Security Policy editor entirely.
I may be writing this prematurely as I am betting that there is a way to create a single domain policy to accomplish what the two machine policies would normally do. Unless there is a way to manage local security policy on a domain controller that I haven't yet found? I would appreciate any recommendations or information.
Thank you, Carson
[ March 17, 2004, 09:44 PM: Message edited by: Carson ]

RE: Discussion of RPC over HTTP Series - 31.Mar.2004 10:43:00 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Carson,
It is possible to create the same domain security policy that applies only to the two machines. I would configure it in the domain controllers OU.
HTH, Tom

RE: Discussion of RPC over HTTP Series - 31.Mar.2004 10:54:00 PM
thejun
Posts: 101
Joined: 21.Jan.2002
Status: offline

Has anyone gotten this to work without SSL certificates?

RE: Discussion of RPC over HTTP Series - 2.Apr.2004 10:25:00 PM
TimTrace
Posts: 105
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline

Tom, thanks for yet another EXCELLENT walkthrough.
In my situation, I have a single-EX2k3 installation.
I saw the note, above, that an IIS6 box can perform as the RPC>HTTP proxy server...
...but...
...is it possible (and secure) to have the single-EX2K3 box run the RPC>HTTP proxy site *locally*, with the proxy site registry entries referring back to 127.0.0.1, or something like that?
Best regards,
Tim

RE: Discussion of RPC over HTTP Series - 1.Nov.2004 6:51:00 AM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Fly,
IIRC, this is required for RPC over HTTP connections, so it's not an ISA firewall issue.
Can't say for sure though, but you can find out quick by testing from a host behind the ISA firewall.
HTH, Tom