We have just moved from Exchange 2003 to 2007 with no difficulty. I have previously published OWA and RPC/HTTPS successfully from Exchange 2003, and need to do the same in the new environment. OWA is giving no problem, but I am unable to get a working Outlook Anywhere connection on the internet (it works internally using Outlook 2003/2007, Windows XP SP3/Vista SP1/Windows 2003 TS).
Our environment is simple:
Internet Client (Outlook, IE) --> ISA 2006 Std (domain member) running on Windows 2003 Std R2 --> Exchange 2007 Std SP1 MB/CAS on Windows 2008 Ent SP1 --> DC / GC / DNS on Windows 2008 Ent R2
A SAN certificate has been created from an internal CA and installed on the Exchange 2007 server, and imported to the ISA 2006 server. The listener has been configured with that certificate, and the CA root certificate has been imported into the test client's Local Computer Trusted Root Certificates store.
Other information: In the Exchange Management Console,
- OWA uses Integrated and Basic authentication
- RPCProxy HAS been installed
- Outlook Anywhere is enabled with Basic authentication
In IIS 7 on the Exchange server,
- The certificate is installed
- All virtual directories set to require SSL
- All virtual directories have Basic authentication enabled
On the ISA server:
- 1 listener created
- SSL connections enabled on port 443; HTTP connections disabled
- Certificate is installed (single certificate for this web listener)
- Authentication is HTML Form Authentication validating against AD
- Outlook Anywhere rule created
- TO tab shows INTERNAL fqdn
- Requests appear to come from the original client
- PUBLIC NAME tab shows EXTERNAL fqdn
- PATHS are unchanged from default
- Authentication Delegation is Basic Authentication
- Bridging: Redirect requests to SSL port (443)
- Users: Authenticated Users
When Test Rule is clicked, all paths are green.
On the external (internet) client,
- Windows XP SP3 / Windows Vista SP1
- Outlook 2007
- Outlook Anywhere profile has:
  - in Microsoft Exchange Settings, server name is INTERNAL fqdn
  - In Exchange Proxy Settings:
    - URL is EXTERNAL fqdn
    - Only connect to proxy servers that have this principal name in their certificate is checked
    - SPN is msstd:<EXTERNAL fqdn>
    - Connect using HTTP first is selected for both Fast and Slow networks
    - Authentication type is Basic Authentication
When connecting internally, OWA and Outlook using RPC/HTTP work. OWA works externally, but connections using Outlook Anywhere cannot be completed. Several packet captures show the SSL handshaking is completed successfully, both between the client and the ISA server, and between the ISA and Exchange servers.
I sense that I'm missing some ridiculously simple setting, but at the moment what I need most is another set of eyes to help me find out where.
Briefly, although IPv6 was disabled on the server's NICs, the hosts file still had an IPv6 reference for localhost. Because the CAS and MB roles are on one server, they use this address to communicate. However, the RPCProxy does not recognize the IPv6 stack, so communication fails.
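The resolution above comes down to one stray line in the hosts file: Windows Server 2008 ships its default hosts file with both `127.0.0.1 localhost` and `::1 localhost` active, so even with IPv6 unbound from the NICs a loopback lookup for localhost can still return an IPv6 address. The following checker is an added example and is not code from the original thread. It parses a hosts file, reports every active line that maps localhost to an IPv6 address, and produces a copy with those lines commented out. The sample hosts text is constructed for the example (the `exchange01.corp.example` entry is an assumed name, not one from the post); pass a real path to check a server.

```python
"""Flag hosts-file entries that map localhost to an IPv6 address.

Added example for the thread above, not code from the original post.
SAMPLE_HOSTS is constructed to mirror the default Windows Server 2008
hosts file; the extra exchange01.corp.example line is an assumed name.
"""
import ipaddress
import sys

# Constructed sample: Windows Server 2008 ships with both localhost lines active.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        exchange01.corp.example   # assumed internal CAS/MB FQDN
"""


def parse_hosts(text):
    """Return (line_no, address, [names]) for every active mapping line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:                   # address with no names: ignore
            continue
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def ipv6_localhost_entries(text):
    """Return [(line_no, address)] for active lines resolving 'localhost' to IPv6."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed address: not our concern here
        if ip.version == 6 and any(n.lower() == "localhost" for n in names):
            hits.append((line_no, addr))
    return hits


def neutralise(text):
    """Return the hosts text with offending lines commented out; nothing else changes."""
    bad = {line_no for line_no, _ in ipv6_localhost_entries(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        out.append("# " + raw if line_no in bad else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python check_hosts.py C:\Windows\System32\drivers\etc\hosts
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, addr in ipv6_localhost_entries(source):
        print(f"line {line_no}: localhost -> {addr} (IPv6)")
    if not ipv6_localhost_entries(source):
        print("no IPv6 localhost entries found")
```

Run it against `%SystemRoot%\System32\drivers\etc\hosts` on the CAS/MB server; the script only reports and returns a corrected copy rather than writing the file, so the change to the real hosts file (and the subsequent IIS/RPC proxy restart) stays a deliberate admin step.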