1. Setup our CA and CA root certificate
   
2. Setup DNS records, we have a split DNS, so internally we can access owa.domain.com (although now one does as they use Outlook), and externally users can use the same address.
   
   • A DNS record already exists for exchange.domain.com, and we also have one setup for owa.domain.com pointing to the same IP address (192.168.1.3)
     
   • Have also setup a DNS record on our external DNS name server for owa.domain.com that points to 194.xxx.xxx.25 (the ISA external listener IP)

1. Added the RPC over HTTP componant from Add/Remove Programs > Windows Setup.
   
2. Selected RPC-HTTP back-end server from the RPC-HTTP tab in ESM.
   
3. I used the RPCNoFrontEnd tool (by Harry Bates) to set the RPC valid ports, which is set to:
   
   • exchange:6001-6002;exchange.domain.com:6001-6002;owa.domain.com:6001-6002;exchange:6004;exchange.domain.com:6004;owa.domain.com:6004
   
   
4. Checked the NSPI interface protocol sequences registry setting was set to  NCACN_HTTP:6004
   
5. OWA is already setup and working from the Default Website, which has the IP address 192.168.1.3. The SSL certificate is owa.domain.com. I have exported this certificate & private ket to the ISA server.
   
6. Checked the Default Website/Rpc directory, set 'Require secure channel' & 'Require 128-bit encryption'. Removed Integrated Authentication, just leaving Basic.
   
   • Now one question I have, is: does there need to be a default domain stated? Some setups I've seen a domain stated, some haven't. If so, should be be the netbios domain name, or the FQDN?
   
   
7. Rebooted the Exchange Server

1. Imported the OWA web server certificate.
   
2. Cretaed a new publishing rule, using the Publish Exchange Web Client Access wizard using the following settings:
   
   • Called it Outlook Anywhere & OWA
     
   • Selected Exhcange 2003
     
   • Selected Outlook Web Access & Outlook RPC/HTTPs
     
   • Publish a single web site
     
   • Use SSL to connect to published web server
     
   • Internal site name: owa.domain.com - use IP address 192.168.1.3
     
   • Accept request for this domain name: owa.domain.com
     
   • Used the existing OWA listener, which has the following settings:
     
     • Require SSL
       
     • Listen on External - IP 194.xxx.xxx.25
       
     • Use a single certificate - owa.domain.com
       
     • HTML Form Authentication
       
     • Validate credentials - LDAP (Active Directory)
       
     • Enable single sign on for domain.com
     
     
   • Authentication Deligation: Basic authentication
     
   • All authenticated users
   
   
3. Applied the ISA changes

1. Made sure the domain CAs root certificate is in the trusted root authority folders
   
2. Created a new profile in Outlook with the following settings:
   
   • Exchange server: exchange.domain.com
     
   • Username: valid domain/exchange user
     
   • More settings > Connections tab:
     
   • Connect to my exchange mailbox using HTTP
     
   • Exchange Proxy settings:
     
   • https://owa.domain.com
     
   • Connect using SSL
     
   • Mutually authenticate: msstd:owa.domain.com
     
   • On fast & slow networks connect using HTTP first
     
   • Use basic authentication.

Page cannot be displayed
Explanation: The Web server connection was closed.
Error Code 64: Host not available

quote:

ORIGINAL: tshinder

ACCKCCKCK!!!!
Not the dreaded .local !!
I'm outtua here!


Tom

quote:

ORIGINAL: Ulaa

Hi guys,
I had exactly the same problems as many of you describe, exactly the same issue as the OP, no matter what I did to the ISA box nothing worked to get rpc/https working, until finally I went back to the Exchange server.

In the end what worked was an uninstall/reinstall of the RPC Proxy serverice on the exchange box followed by a re creation of the listening ports. The following is taken from the ISA 200 lab manual and worked a treat for me.

Open a Command Prompt window.
b. At the command prompt, type cd \tools\reskit, and then press Enter.
�� The Reskit folder contains a configuration tool (rpccfg.exe) from the Windows Server 2003 Resource Kit.
�� At each of the steps below, press Enter after the command.
c. Type rpccfg /hd.
�� The output of the command displays which ports on which computer the RPC Proxy service is allowed to create an RPC connection to. The default setting is: Denver 100-5000.
d. Type rpccfg /hr Denver.
�� This removes the current port range settings for Denver.
�� The next commands add the required port ranges for both the NetBIOS name, and the fully qualified domain name (FQDN) of the (back-end) Exchange Server and Global Catalog server. The RPC connections to the Exchange Server are done at port 6001 (Store), 6002 (DSReferral) and 6004 (DSProxy).
e. Type rpccfg /ha Denver 6001 6002 6004.
f. Type rpccfg /ha denver.contoso.com 6001 6002 6004.
g. Type rpccfg /hd.

I just had the problem reoccur. Single NIC ISA in a Vlan/DMZ with a single Exchange server sitting in another Domain from the ISA.

Nothing has changed in the configuration from when we fixed this last time, but suddenly the outlook clients are getting the exact same error message.

I reinstalled the RPC proxy service and used the above to reconfigure the ports and users started to work again.

The only thing thats different is that the CP firewall the ISA sits behind is "flapping" at the moment and randomly going up and down. I dont know why this would cause the observed fault.

I inherited the current system and one good thing is I now know a hell of a lot about Reverse Proxying and exchange :)

quote:

ORIGINAL: davei0594

Guys,

Thought I would share my experience with you (aren't you all lucky?!).  ;-)

ISA 2006 STD (not SP1 yet)
Windows Server 2003 R2 SP1 (don't have the minerals to upgrade to SP2 on my ISA yet!!)
Exchange 2003 SP2
FE server in ISA DMZ with RPC Proxy service (also runs OWA).
Public Cert
Split DNS
1x Web Listener for OWA and RPC\HTTPS.  Listener uses FBA with LDAP not AD (i need users to be able to change password using OWA so requires LDAPS).
2x Publishing rules for OWA and RPC\HTTPS respectively

Followed Tom's articles as closely as possible given live ISA and the scenario is a little more complex than the lab.

Have been struggling for several man-hours over several days to get this working.  I've been bashing my head against a brick wall until tonight when I finally cracked it.  Except I'm not sure of the exact technical reason for the fix...

What I found was that the 'ValidPorts' reg key for the RPC Proxy service on my front-end server would mysteriously clear itself.  Several reboots and it was still occuring.  I would populate the value with the relevant info (ie. netbios:6001;fqdn:6001 etc etc), close regedit, open it again and it's still there.  Come back to it in an hour and it was empty.  Not even containing the 'default' value that is applied when installing the RPCProxy service (FEnetbios:500-1000 I think it was).

Very strange.  I couldn't think what would cause that key to empty itself.  The FE server was set to be a FE RPC\HTTPS server in ESM, as was the relevant BE server (ie just the one hosting my mailbox).  V Strange.

Anyway one of the posts I read this evening suggested reinstalling the RPCProxy service.  So I removed it, reinstalled it and then restarted the FE server.  Plumbed in the correct value into the ValidPorts key - and HEY PRESTO!

Working a treat, I'm happy and the boss is happy (and our network will be happier now that we can cut out the vast majority of our RAS VPN connections so drastically by using RPC\HTTPS).

Weird eh?  If anyone can explain that to me i would be very grateful!  But for now it is working a treat.

Cheers!