Welcome to ISAserver.org

RE: RPC over HTTPS status code 64

RE: RPC over HTTPS status code 64 - 27.Mar.2008 12:40:51 PM   
bjblackmore

 

Posts: 103
Joined: 9.Aug.2005
Status: offline
Hi,

Did anyone manage to fix this? I've spent the past 2 weeks trying to get RPC over HTTPS working. I've followed all 5 parts of http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.html as it's a very similar setup to ours, but no matter what I can't get RPC over HTTPS to connect through ISA 2006.

Our setup is:
Two Win2003 SP2 domain controllers:
One runs DHCP, DNS, and a Certificate Authority - server1.domain.com
The other runs Exchange 2003 SP2 - exchange.domain.com
Both are Global Catalog servers.
One Win2003 SP2 server running ISA 2006 with Supportability Update, this is in a workgroup, not the domain.
Clients are all WinXP SP2, running Office 2003 SP3.
OWA is published as owa.domain.com and works perfectly.
We use certificates created by the internal CA for externally published websites, so the clients all have the root CA installed in the trusted root certificates folder, allowing Outlook to connect via RPC.

The steps taken so far are:

On the DNS/DHCP/CA Server:
  1. Setup our CA and CA root certificate
  2. Setup DNS records, we have a split DNS, so internally we can access owa.domain.com (although no one does as they use Outlook), and externally users can use the same address.
    • A DNS record already exists for exchange.domain.com, and we also have one setup for owa.domain.com pointing to the same IP address (192.168.1.3)
    • Have also setup a DNS record on our external DNS name server for owa.domain.com that points to 194.xxx.xxx.25 (the ISA external listener IP)

On the Exchange Server:
  1. Added the RPC over HTTP component from Add/Remove Programs > Windows Setup.
  2. Selected RPC-HTTP back-end server from the RPC-HTTP tab in ESM.
  3. I used the RPCNoFrontEnd tool (by Harry Bates) to set the RPC valid ports, which is set to:
    • exchange:6001-6002;exchange.domain.com:6001-6002;owa.domain.com:6001-6002;exchange:6004;exchange.domain.com:6004;owa.domain.com:6004

  4. Checked the NSPI interface protocol sequences registry setting was set to  NCACN_HTTP:6004
  5. OWA is already setup and working from the Default Website, which has the IP address 192.168.1.3. The SSL certificate is owa.domain.com. I have exported this certificate & private key to the ISA server.
  6. Checked the Default Website/Rpc directory, set 'Require secure channel' & 'Require 128-bit encryption'. Removed Integrated Authentication, just leaving Basic.
    • Now one question I have, is: does there need to be a default domain stated? Some setups I've seen a domain stated, some haven't. If so, should it be the netbios domain name, or the FQDN?

  7. Rebooted the Exchange Server

Now, as far as I've read, that is everything that needs to be done on the Exchange server!? I've tested this by setting up a client, and forcing it to connect via RPC over HTTP using Outlook.exe /RPCDIAG the following screen is shown, with all HTTPS connections established.


On the ISA server I have performed the following steps:
  1. Imported the OWA web server certificate.
  2. Created a new publishing rule, using the Publish Exchange Web Client Access wizard using the following settings:
    • Called it Outlook Anywhere & OWA
    • Selected Exchange 2003
    • Selected Outlook Web Access & Outlook RPC/HTTPs
    • Publish a single web site
    • Use SSL to connect to published web server
    • Internal site name: owa.domain.com - use IP address 192.168.1.3
    • Accept request for this domain name: owa.domain.com
    • Used the existing OWA listener, which has the following settings:
      • Require SSL
      • Listen on External - IP 194.xxx.xxx.25
      • Use a single certificate - owa.domain.com
      • HTML Form Authentication
      • Validate credentials - LDAP (Active Directory)
      • Enable single sign on for domain.com

    • Authentication Delegation: Basic authentication
    • All authenticated users

  3. Applied the ISA changes

Now, according to ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part3.html, that is everything that needs to be done to the ISA server.

On the clients I have done the following:
  1. Made sure the domain CAs root certificate is in the trusted root authority folders
  2. Created a new profile in Outlook with the following settings:
    • Exchange server: exchange.domain.com
    • Username: valid domain/exchange user
    • More settings > Connections tab:
    • Connect to my exchange mailbox using HTTP
    • Exchange Proxy settings:
    • https://owa.domain.com
    • Connect using SSL
    • Mutually authenticate: msstd:owa.domain.com
    • On fast & slow networks connect using HTTP first
    • Use basic authentication.

Now as I said, I have tested this client inside the network, and it successfully establishes a connection. Externally it hangs for about 2 minutes, and the status just shows 'connecting'.

On the ISA server the 2 following error messages appear:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 1460 This operation returned because the timeout period expired. 
Rule: OWA & Outlook Anywhere
Source: External (194.xxx.xxx.25)
Destination: (exchange.domain.com 192.168.1.3:443)
Request: RPC_OUT_DATA http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004
Filter information: Req ID: 09051610; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https


Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available. 
Rule: OWA & Outlook Anywhere
Source: External (194.xxx.xxx.25)
Destination: (exchange.domain.com 192.168.1.3:443)
Request: RPC_IN_DATA http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004
Filter information: Req ID: 0905160e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https

If I open IE7 from the ISA server, and go to https://owa.domain.com/rpc/rpcproxy.dll I get an authentication popup, when I enter my credentials I get a blank page, which from what I've read is correct. However, the url in the error message isn't httpS, it's plain http. So, for testing purposes, I've tried accessing this same url externally, as it should also be published with the OWA & Outlook Anywhere rule created above. When I go to https://owa.domain.com/rpc/rpcproxy.dll I get the standard ISA 2006 OWA authentication form, I enter my domain name & password, and it forwards me to the RPC url, but I get a Page cannot be displayed error:

Page cannot be displayed
Explanation: The Web server connection was closed.
Error Code 64: Host not available

Which is the same error code as the ISA server error. There has got to be something misconfigured in ISA that is stopping RPC over HTTPS communication. I can only assume it's ISA, as Exchange & Outlook seem to be configured correctly, and work when the client is connected internally.

Any help with this would be much appreciated!

Ben

(in reply to Ulaa)
Post #: 41
RE: RPC over HTTPS status code 64 - 27.Mar.2008 1:19:34 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: tshinder

ACCKCCKCK!!!!
Not the dreaded .local !!
I'm outtua here!


Tom




_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 42
RE: RPC over HTTPS status code 64 - 3.Apr.2008 9:26:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
:)

Well, the latest request doesn't seem to use the dreaded .local.

To solve his problem, he just needs to join the ISA Firewall to the domain and it will work.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 43
RE: RPC over HTTPS status code 64 - 4.Apr.2008 3:50:04 AM   
bjblackmore

 

Posts: 103
Joined: 9.Aug.2005
Status: offline
Hi Tom,

Did you mean my request?

Joining the ISA server to the domain will fix this issue, will it? Is there any way to do it without joining it to the domain? I've read pros & cons for joining ISA to a domain, I'm not sure if I should do it or not, do you have to open more ports and things for domain traffic?

Many thanks

Ben

(in reply to tshinder)
Post #: 44
RE: RPC over HTTPS status code 64 - 11.Apr.2008 10:25:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

There are two ways to do this:

Join the ISA Firewall to the domain. I almost always do this, because it actually increases the level of security that ISA Firewall can provide.

or

You can allow anonymous connections to your RPC/HTTP site through the ISA Firewall. In that case, you expose your Exchange Server to attacks over anonymous connections from the Internet.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bjblackmore)
Post #: 45
RE: RPC over HTTPS status code 64 - 7.May2008 5:13:31 PM   
BogdanSUA

 

Posts: 13
Joined: 9.Apr.2005
From: Chicago
Status: offline
This thread did the trick for me.

In the end, my problem was two-fold.

1. I forgot to specify the Network in which my mailbox server was located as part of the Internal Network set in ISA....Doah!

2. I followed the steps posted by forum member Ulaa earlier in this thread regarding rpccfg.

Many Thanks,

BogdanSUA

(in reply to tshinder)
Post #: 46
RE: RPC over HTTPS status code 64 - 23.May2008 10:13:29 AM   
bjblackmore

 

Posts: 103
Joined: 9.Aug.2005
Status: offline
Hi Tom,

I finally got around to scheduling downtime on the ISA server, and got it on to our domain. This seems to have 'half' fixed the problem.

I can now connect Outlook over RPC/HTTPS and it connects and sends/receives emails - YAY!

However, while monitoring the connections, I'm still noticing the 2 error codes, these appear when I first open Outlook, and it tries to connect, and when I press send/receive:

Failed Connection Attempt ISA2006 5/23/2008 2:39:14 PM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available. 
Rule: OWA & Outlook Anywhere
Source: External (xx.xx.xx.xx)
Destination: - (exchange.domain.com 192.168.1.3:443)
Request: RPC_IN_DATA http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:6002
Filter information: Req ID: 0f7ccdfe; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Client agent: MSRPC
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000008 (Request includes the AUTHORIZATION header. Response should not be cached.)

Failed Connection Attempt ISA2006 5/23/2008 2:38:55 PM
Log type: Web Proxy (Reverse)
Status: 10054 An existing connection was forcibly closed by the remote host. 
Rule: OWA & Outlook Anywhere
Source: External (xx.xx.xx.xx)
Destination: - (exchange.domain.com 192.168.1.3:443)
Request: RPC_OUT_DATA http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:6002
Filter information: Req ID: 0f7cce00; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Client agent: MSRPC
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000008 (Request includes the AUTHORIZATION header. Response should not be cached.)

I notice it says 'User: anonymous', even though I'm being asked to authenticate. I don't know if these errors matter, or if I can ignore them safely! Any suggestions would be welcome!

Ben

EDIT: I had posted the same status code 64 error twice, edited to add 10054 error.

< Message edited by bjblackmore -- 27.May2008 3:47:40 AM >

(in reply to tshinder)
Post #: 47
RE: RPC over HTTPS status code 64 - 27.May2008 8:52:50 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Those and other errors are normal and you can ignore them. One thing I've noticed about RPC/HTTP publishing, is that the log files are useless when it comes to troubleshooting RPC/HTTP connectivity.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bjblackmore)
Post #: 48
RE: RPC over HTTPS status code 64 - 2.Jul.2008 11:03:18 AM   
Baalzamon

 

Posts: 3
Joined: 14.Nov.2007
Status: offline
Thanks Ulaa

I finally got my Outlook Anywhere working thanks to this.  Examined my RPC ports and noticed that my fqdn was missing ARGH!  Fixed it up and now Outlook Anywhere is working

quote:

ORIGINAL: Ulaa

Hi guys,
I had exactly the same problems as many of you describe, exactly the same issue as the OP, no matter what I did to the ISA box nothing worked to get rpc/https working, until finally I went back to the Exchange server.

In the end what worked was an uninstall/reinstall of the RPC Proxy service on the exchange box followed by a re-creation of the listening ports. The following is taken from the ISA 200 lab manual and worked a treat for me.

a. Open a Command Prompt window.
b. At the command prompt, type cd \tools\reskit, and then press Enter.
   • The Reskit folder contains a configuration tool (rpccfg.exe) from the Windows Server 2003 Resource Kit.
   • At each of the steps below, press Enter after the command.
c. Type rpccfg /hd.
   • The output of the command displays which ports on which computer the RPC Proxy service is allowed to create an RPC connection to. The default setting is: Denver 100-5000.
d. Type rpccfg /hr Denver.
   • This removes the current port range settings for Denver.
   • The next commands add the required port ranges for both the NetBIOS name, and the fully qualified domain name (FQDN) of the (back-end) Exchange Server and Global Catalog server. The RPC connections to the Exchange Server are done at port 6001 (Store), 6002 (DSReferral) and 6004 (DSProxy).
e. Type rpccfg /ha Denver 6001 6002 6004.
f. Type rpccfg /ha denver.contoso.com 6001 6002 6004.
g. Type rpccfg /hd.

I just had the problem reoccur. Single NIC ISA in a Vlan/DMZ with a single Exchange server sitting in another Domain from the ISA.

Nothing has changed in the configuration from when we fixed this last time, but suddenly the outlook clients are getting the exact same error message.

I reinstalled the RPC proxy service and used the above to reconfigure the ports and users started to work again.

The only thing that's different is that the CP firewall the ISA sits behind is "flapping" at the moment and randomly going up and down. I don't know why this would cause the observed fault.

I inherited the current system and one good thing is I now know a hell of a lot about Reverse Proxying and exchange :)

(in reply to Ulaa)
Post #: 49
RE: RPC over HTTPS status code 64 - 31.Jul.2008 4:59:24 PM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
Guys,

Thought I would share my experience with you (aren't you all lucky?!).  ;-)

ISA 2006 STD (not SP1 yet)
Windows Server 2003 R2 SP1 (don't have the minerals to upgrade to SP2 on my ISA yet!!)
Exchange 2003 SP2
FE server in ISA DMZ with RPC Proxy service (also runs OWA).
Public Cert
Split DNS
1x Web Listener for OWA and RPC\HTTPS.  Listener uses FBA with LDAP not AD (I need users to be able to change password using OWA so requires LDAPS).
2x Publishing rules for OWA and RPC\HTTPS respectively

Followed Tom's articles as closely as possible given live ISA and the scenario is a little more complex than the lab.

Have been struggling for several man-hours over several days to get this working.  I've been bashing my head against a brick wall until tonight when I finally cracked it.  Except I'm not sure of the exact technical reason for the fix...

What I found was that the 'ValidPorts' reg key for the RPC Proxy service on my front-end server would mysteriously clear itself.  Several reboots and it was still occurring.  I would populate the value with the relevant info (ie. netbios:6001;fqdn:6001 etc etc), close regedit, open it again and it's still there.  Come back to it in an hour and it was empty.  Not even containing the 'default' value that is applied when installing the RPCProxy service (FEnetbios:500-1000 I think it was).

Very strange.  I couldn't think what would cause that key to empty itself.  The FE server was set to be a FE RPC\HTTPS server in ESM, as was the relevant BE server (ie just the one hosting my mailbox).  V Strange.

Anyway one of the posts I read this evening suggested reinstalling the RPCProxy service.  So I removed it, reinstalled it and then restarted the FE server.  Plumbed in the correct value into the ValidPorts key - and HEY PRESTO!

Working a treat, I'm happy and the boss is happy (and our network will be happier now that we can cut out the vast majority of our RAS VPN connections so drastically by using RPC\HTTPS).

Weird eh?  If anyone can explain that to me I would be very grateful!  But for now it is working a treat.

Cheers!

(in reply to PVerdieu)
Post #: 50
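
Added example (not part of any post in this thread, and not Microsoft's code): a Python check of a ValidPorts value against the three ports named in the quoted lab-manual steps, which also tests whether the `host:port` target in an ISA log Request line is covered by that value. It takes the value as a string in the form posted in post #41; the function names and the case-insensitive host comparison are assumptions.

```python
import re

# Ports named in the quoted lab-manual steps:
# 6001 (Store), 6002 (DSReferral), 6004 (DSProxy).
REQUIRED_PORTS = {6001, 6002, 6004}

# ValidPorts value exactly as posted in the thread (post #41).
PAGE_VALID_PORTS = (
    "exchange:6001-6002;exchange.domain.com:6001-6002;owa.domain.com:6001-6002;"
    "exchange:6004;exchange.domain.com:6004;owa.domain.com:6004"
)

# Captures the host:port that follows "rpcproxy.dll?" in an ISA log Request line.
TARGET_RE = re.compile(r"rpcproxy\.dll\?([^:\s]+):(\d+)", re.IGNORECASE)


def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into {lowercased host: set of allowed ports}."""
    allowed = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # an empty value or a trailing ';' allows nothing
        host, sep, spec = entry.rpartition(":")
        low, _, high = spec.partition("-")
        if not sep or not host or not low.isdigit() or not (high or low).isdigit():
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        first, last = int(low), int(high or low)
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        # Assumption: host names are compared case-insensitively.
        allowed.setdefault(host.lower(), set()).update(range(first, last + 1))
    return allowed


def audit(value, backend_names):
    """Return (missing, excess).

    missing: required ports that each backend name lacks.
    excess:  count of allowed ports per host beyond the required three
             (for example a broad default range left in place).
    """
    allowed = parse_valid_ports(value)
    missing = {}
    for name in backend_names:
        gap = REQUIRED_PORTS - allowed.get(name.lower(), set())
        if gap:
            missing[name] = sorted(gap)
    excess = {h: len(p - REQUIRED_PORTS) for h, p in allowed.items() if p - REQUIRED_PORTS}
    return missing, excess


def target_permitted(request_line, value):
    """True if the backend target named in a log Request line is listed in ValidPorts."""
    match = TARGET_RE.search(request_line)
    if match is None:
        raise ValueError("no rpcproxy.dll?host:port target in request line")
    host, port = match.group(1).lower(), int(match.group(2))
    return port in parse_valid_ports(value).get(host, set())


if __name__ == "__main__":
    print(audit(PAGE_VALID_PORTS, ["exchange", "exchange.domain.com"]))
    # Constructed value mirroring the default range quoted in the thread.
    print(audit("denver:100-5000", ["Denver", "denver.contoso.com"]))
    print(target_permitted(
        "RPC_IN_DATA http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004", PAGE_VALID_PORTS))
```

An empty value, as described in post #50, parses to no entries, so every required port is reported missing.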
RE: RPC over HTTPS status code 64 - 31.Jul.2008 5:14:52 PM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
...........Just a by-the-by, but my single web listener IS listening for both HTTP and HTTPS.  Not just HTTPS.

We redirect users from http to https at the ISA when using OWA so they can just type in the domain name without worrying about the https://.  ISA bounces them over to HTTPS and presents the FBA page.

One of the posts I read here suggested that the web listener needs to listen for ONLY HTTPS.  That does not seem to be the case, at least in my scenario.

Good luck all!

(in reply to davei0594)
Post #: 51
RE: RPC over HTTPS status code 64 - 5.Aug.2008 10:26:39 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: davei0594

Guys,

Thought I would share my experience with you (aren't you all lucky?!).  ;-)

ISA 2006 STD (not SP1 yet)
Windows Server 2003 R2 SP1 (don't have the minerals to upgrade to SP2 on my ISA yet!!)
Exchange 2003 SP2
FE server in ISA DMZ with RPC Proxy service (also runs OWA).
Public Cert
Split DNS
1x Web Listener for OWA and RPC\HTTPS.  Listener uses FBA with LDAP not AD (I need users to be able to change password using OWA so requires LDAPS).
2x Publishing rules for OWA and RPC\HTTPS respectively

Followed Tom's articles as closely as possible given live ISA and the scenario is a little more complex than the lab.

Have been struggling for several man-hours over several days to get this working.  I've been bashing my head against a brick wall until tonight when I finally cracked it.  Except I'm not sure of the exact technical reason for the fix...

What I found was that the 'ValidPorts' reg key for the RPC Proxy service on my front-end server would mysteriously clear itself.  Several reboots and it was still occurring.  I would populate the value with the relevant info (ie. netbios:6001;fqdn:6001 etc etc), close regedit, open it again and it's still there.  Come back to it in an hour and it was empty.  Not even containing the 'default' value that is applied when installing the RPCProxy service (FEnetbios:500-1000 I think it was).

Very strange.  I couldn't think what would cause that key to empty itself.  The FE server was set to be a FE RPC\HTTPS server in ESM, as was the relevant BE server (ie just the one hosting my mailbox).  V Strange.

Anyway one of the posts I read this evening suggested reinstalling the RPCProxy service.  So I removed it, reinstalled it and then restarted the FE server.  Plumbed in the correct value into the ValidPorts key - and HEY PRESTO!

Working a treat, I'm happy and the boss is happy (and our network will be happier now that we can cut out the vast majority of our RAS VPN connections so drastically by using RPC\HTTPS).

Weird eh?  If anyone can explain that to me I would be very grateful!  But for now it is working a treat.

Cheers!



That's great! I hadn't heard of the problem and the solution before, but I'll definitely keep this in mind.
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to davei0594)
Post #: 52
RE: RPC over HTTPS status code 64 - 22.Aug.2008 9:09:24 AM   
builttorock

 

Posts: 1
Joined: 22.Aug.2008
Status: offline
I had tried everything to get Outlook Anywhere working without success until I stumbled upon this forum. I reinstalled the RPC Proxy Service, re-ran the CEICW in SBS2003 and presto, OA is now working again. Thank you for providing this invaluable tip.

(in reply to tshinder)
Post #: 53
RE: RPC over HTTPS status code 64 - 22.Aug.2008 9:40:05 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Three cheers for the ISAserver.org community!


Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to builttorock)
Post #: 54
