RE: Discussion about article on Outlook Access from Anywhere

RE: Discussion about article on Outlook Access from Any... - 7.Mar.2005 4:20:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
I just found this MS KB article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;810710

Looks like anyone on Cox internet is out of luck for now until we can upgrade to Exchange 2003. Unfortunately Cox is the major high speed ISP for my area.

Thanks for all the help,
Jack

[ March 07, 2005, 04:21 PM: Message edited by: Jack Wilcox ]

(in reply to tshinder)
Post #: 21
RE: Discussion about article on Outlook Access from Any... - 7.Mar.2005 4:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Ouch! That's really crummy [Frown]

I knew there were those ISPs out there, but I thought most of them quit doing that.

Tom

(in reply to tshinder)
Post #: 22
RE: Discussion about article on Outlook Access from Any... - 5.May2005 10:28:00 PM   
Guest
I had a question about one section of the configuration:

"Create DNS and SMTP Protocol Rules
The Exchange Server needs to forward mail it receives from the Outlook MAPI clients to SMTP servers on the Internet. An Access Rule allowing outbound access to the following protocols may be required:

DNS (TCP and UDP 53)
SMTP (TCP 25)
A DNS Access Rule allows the Exchange SMTP service to resolve MX domain names. You can configure the Access Rule to allow only the Exchange Server access to it, or you can configure the Access Rule to allow all machines on the network to use it.

Access control on the DNS Access Rule depends on which machine is responsible for resolving the MX domain names. You might want to forward the DNS queries from the Exchange Server to an internal DNS server and let the DNS server on your internal network take care of name resolution.

The SMTP Access Rule is required for the Exchange Server to send out mail to external mail domains. Access controls on the SMTP Protocol Rule depend on which machine actually sends the mail to the external SMTP servers.

If the Exchange Server is sending the mail directly to the Internet SMTP servers, allow only the Exchange Server access to the SMTP Protocol Rule. If you are using an outbound SMTP relay, allow the relay access to the SMTP Protocol Rule. If you are using a mail relay, make sure the SMTP relay server has access to the DNS Protocol Rule as well, since it will need to resolve Internet MX mail domains. The exception to this requirement is if the SMTP relay (or the Exchange Server) is configured to use an internal DNS server, then allow only the internal DNS server to resolve Internet host names."

Where are these rules supposed to be configured?

Thanks.

(in reply to tshinder)
  Post #: 23
RE: Discussion about article on Outlook Access from Any... - 31.May2005 10:11:00 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
WS2003 Gold domain, Exchange 2003 SP1 on WS2003 Gold, ISA 2000 SP2 on Win 2003 Gold, Outlook 2003 SP1. Different external & internal domain names.

However, Outlook "just doesn't work" right now [Wink] . At least it doesn't on the public Internet. The message from OL2003 on the remote machine is "Task 'Microsoft Exchange Server' reported error (0x8004011D): 'The server is not available. Contact your administrator if this condition persists.'"

I've gone over this article with a fine-toothed comb, as well as its several predecessors on your site. Also followed http://isaserver.org/articles/outlookrpcdns.html and http://isaserver.org/tutorials/2004illegaltldsplitdns.html. Still not working; can't figure out what I've overlooked.

Answering what seem to be the most frequent issues after scanning this board: Split DNS is set up, and I get correct internal and external name resolution when I ping the mail server names from inside and outside the LAN. The Exchange server is a SecureNAT client. I'm aware of the WS2003SP1 hotfix for ISA 2000 SP2, but we're still at WS2003 Gold. Client's ISP passes port 135 as does remote user's ISP.

Here are my questions:

1. You've documented this technique in several articles on isaserver.org & the ISA-Exchange Kit (we've been planning to do this for a long time, so I've read them all!). In prior versions, you've said it's necessary to create an external "A" record for a GC, similar to what you do for the Exchange server, pointing to the external IP. But this article adds discussion of the No RFR Service=1 value in the HKLM\...\MSExchangeSA parameters key. Does "No RFR Service=1" eliminate the need for the external GC "A" record and likewise in the internal split DNS zone that corresponds to the external domain name?

2. If it's necessary to have external "A" records for a GC, can I select any GC in the domain, or does it need to be all GCs?

3. Am I correct that because I have different external & internal domain names, I have to use a HOSTS file on the external client, since the MAPI profile records the FQDN of the internal name of the Exchange server?

4. In previous versions of this article, you said to put the NetBIOS name of the mail server in the HOSTS file. In this article, you said to use the FQDN...although in this case, HOSTS was used in lieu of Split DNS with the same internal & external domain name. Is the NetBIOS name correct for my situation (different ext. & int. names)?

(in reply to tshinder)
Post #: 24
RE: Discussion about article on Outlook Access from Any... - 1.Jun.2005 7:05:00 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
More info...

The ISA Server is behind a SOHO NAT router. Client says this is necessary for some reason with this particular ISP; can't recall his reason, and I've not confirmed it, and until now, it's not caused any difficulties beyond having to forward a few ports to ISA's external IP. But now I'm wondering if this is where the "Outlook Just Works" problem is.

Anyway, I've forwarded port 135 to the ISA Server external IP. The NAT router logs confirm that 135 is not being blocked...but I do notice that several inbound connection attempts to ephemeral ports from the remote IP ARE being blocked by the NAT router. I gather these are the ports Exchange opens for the RDP connection as described in your article.

I guess my next move is to see if the client will allow me to put the ISA Server in the NAT router's DMZ, at least for long enough to see if it makes "Outlook just work".

But I'd sure like it if anyone can confirm that this is a likely cause of the problem.

(in reply to tshinder)
Post #: 25
RE: Discussion about article on Outlook Access from Any... - 2.Jun.2005 7:24:00 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Well, it seems I'm just posting to myself at this point, but for the benefit of any lurkers, putting the ISA server in the DMZ of the NAT router enabled it to work. Since the NAT router is accomplishing nothing at this point, I'm going to see if I can persuade the client to remove it.

But at least now "Outlook just works". [Wink]

[ June 02, 2005, 09:36 PM: Message edited by: JRV ]

(in reply to tshinder)
Post #: 26
RE: Discussion about article on Outlook Access from Any... - 30.Jun.2005 10:36:00 AM   
replicants

 

Posts: 9
Joined: 20.Aug.2002
From: London
Status: offline
Trying to get this working from a test machine which is on another site in a different domain. If I tick "always prompt for authentication" then I can see it trying to auth against the test PC's DC/GC rather than the published RPC Exchange server.

Anyone got it to work where Outlook is run from a foreign domain to the domain hosting the intended target Exchange server?

(in reply to tshinder)
Post #: 27
RE: Discussion about article on Outlook Access from Any... - 30.Jun.2005 1:07:00 PM   
techleet

 

Posts: 9
Joined: 27.Jun.2005
From: Santa Clara, CA
Status: offline
Hi Tom,

In regards to your Outlook Just Works (Enabling Full Outlook Client Access Anywhere using the ISA Firewall's Secure Exchange RPC Filter) article... well.. mine Just Doesn't Work. [Frown]

First off, my internal Win2k3 domain structure is this:

I migrated from NT4 domain to Win2k3 domain by doing a parallel install. I used the ADMT. NT4 domain was "MYDOMAIN" and the new Win2k3 domain is "CORP.MYDOMAIN.COM". Everything went smoothly, but I have to keep the NT4 PDC up and running because of a legacy app installed on it, which means I have to keep both "MYDOMAIN" and "CORP.MYDOMAIN.COM" up and running.

The aspect of Split DNS setup is eluding me. My exchange server internal address is AMBASSADOR.CORP.MYDOMAIN.COM. I have created an A Record on our External DNS for AMBASSADOR.CORP.MYDOMAIN.COM and pointed it to my ISA 2004 server. Of course, that zone doesn't really exist, per se, to the outside world, but it exists in-house, and it works just fine when I do an NSLOOKUP from the outside.

My question is this: Will this setup work for Outlook Just Works? Do I have to change my internal domain name to MYDOMAIN.COM? Is that even possible considering I already have MYDOMAIN as a Netbios/Nt4 domain name? They both would show up as MYDOMAIN in netbios.

Hmm... my head hurts. [Confused]

[ June 30, 2005, 01:10 PM: Message edited by: techleet ]

(in reply to tshinder)
Post #: 28
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 4:18:00 AM   
Strato

 

Posts: 11
Joined: 1.May2003
Status: offline
Hi,

This is a good forum and I just had one question about ISA Server 2000 and its Firewall service.
Our customers connect via this ISA Server to their hosted mail server and it is published as RPC over HTTP. Their Outlook versions vary from Outlook 2000 to 2003.
Now we had a situation where the following warning was recorded to the event log on the ISA Server.
Type: Warning
User: N/A
Source: Microsoft Firewall RPC Filter
Category: none
Event ID: 20021

Description: The publlishing RPC service <ip-address:135> cannot be reached.

After this the connection is regained. But this happened several times per minute and it blocked some Outlook connections. Why did it happen? Do you have any comments on this?

-Strato-

(in reply to tshinder)
Post #: 29
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:01:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <JohnLeo>:
I had a question about one section of the configuration:

"Create DNS and SMTP Protocol Rules
The Exchange Server needs to forward mail it receives from the Outlook MAPI clients to SMTP servers on the Internet. An Access Rule allowing outbound access to the following protocols may be required:

DNS (TCP and UDP 53)
SMTP (TCP 25)
A DNS Access Rule allows the Exchange SMTP service to resolve MX domain names. You can configure the Access Rule to allow only the Exchange Server access to it, or you can configure the Access Rule to allow all machines on the network to use it.

Access control on the DNS Access Rule depends on which machine is responsible for resolving the MX domain names. You might want to forward the DNS queries from the Exchange Server to an internal DNS server and let the DNS server on your internal network take care of name resolution.

The SMTP Access Rule is required for the Exchange Server to send out mail to external mail domains. Access controls on the SMTP Protocol Rule depend on which machine actually sends the mail to the external SMTP servers.

If the Exchange Server is sending the mail directly to the Internet SMTP servers, allow only the Exchange Server access to the SMTP Protocol Rule. If you are using an outbound SMTP relay, allow the relay access to the SMTP Protocol Rule. If you are using a mail relay, make sure the SMTP relay server has access to the DNS Protocol Rule as well, since it will need to resolve Internet MX mail domains. The exception to this requirement is if the SMTP relay (or the Exchange Server) is configured to use an internal DNS server, then allow only the internal DNS server to resolve Internet host names."

Where are these rules supposed to be configured?

Thanks.

Hi John,
On the ISA firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 30
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:06:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by JRV:
WS2003 Gold domain, Exchange 2003 SP1 on WS2003 Gold, ISA 2000 SP2 on Win 2003 Gold, Outlook 2003 SP1. Different external & internal domain names.

However, Outlook "just doesn't work" right now [Wink] . At least it doesn't on the public Internet. The message from OL2003 on the remote machine is "Task 'Microsoft Exchange Server' reported error (0x8004011D): 'The server is not available. Contact your administrator if this condition persists.'"

I've gone over this article with a fine-toothed comb, as well as its several predecessors on your site. Also followed http://isaserver.org/articles/outlookrpcdns.html and http://isaserver.org/tutorials/2004illegaltldsplitdns.html. Still not working; can't figure out what I've overlooked.

Answering what seem to be the most frequent issues after scanning this board: Split DNS is set up, and I get correct internal and external name resolution when I ping the mail server names from inside and outside the LAN. The Exchange server is a SecureNAT client. I'm aware of the WS2003SP1 hotfix for ISA 2000 SP2, but we're still at WS2003 Gold. Client's ISP passes port 135 as does remote user's ISP.

Here are my questions:

1. You've documented this technique in several articles on isaserver.org & the ISA-Exchange Kit (we've been planning to do this for a long time, so I've read them all!). In prior versions, you've said it's necessary to create an external "A" record for a GC, similar to what you do for the Exchange server, pointing to the external IP. But this article adds discussion of the No RFR Service=1 value in the HKLM\...\MSExchangeSA parameters key. Does "No RFR Service=1" eliminate the need for the external GC "A" record and likewise in the internal split DNS zone that corresponds to the external domain name?

2. If it's necessary to have external "A" records for a GC, can I select any GC in the domain, or does it need to be all GCs?

3. Am I correct that because I have different external & internal domain names, I have to use a HOSTS file on the external client, since the MAPI profile records the FQDN of the internal name of the Exchange server?

4. In previous versions of this article, you said to put the NetBIOS name of the mail server in the HOSTS file. In this article, you said to use the FQDN...although in this case, HOSTS was used in lieu of Split DNS with the same internal & external domain name. Is the NetBIOS name correct for my situation (different ext. & int. names)?

1. You've documented this technique in several articles on isaserver.org & the ISA-Exchange Kit (we've been planning to do this for a long time, so I've read them all!). In prior versions, you've said it's necessary to create an external "A" record for a GC, similar to what you do for the Exchange server, pointing to the external IP. But this article adds discussion of the No RFR Service=1 value in the HKLM\...\MSExchangeSA parameters key. Does "No RFR Service=1" eliminate the need for the external GC "A" record and likewise in the internal split DNS zone that corresponds to the external domain name?
TOM: The differences have to do with the OL version. If you're using OL2003, you don't need to publish the GC name. Earlier versions didn't seem to be as friendly. I had to reverse engineer all of this, because the MS.com site has no information on how the OL clients of different versions need access to various servers.

2. If it's necessary to have external "A" records for a GC, can I select any GC in the domain, or does it need to be all GCs?
TOM: It shouldn't matter, since they'll be using the same secure RPC server publishing rule. You don't create a second rule for the GC.

3. Am I correct that because I have different external & internal domain names, I have to use a HOSTS file on the external client, since the MAPI profile records the FQDN of the internal name of the Exchange server?
TOM: Not sure. You should create a split DNS so that the same names are used internally and externally, although the HOSTS file might work. I haven't tested with non-split configs because they would never work with pre-OL2003 Outlook clients.

4. In previous versions of this article, you said to put the NetBIOS name of the mail server in the HOSTS file. In this article, you said to use the FQDN...although in this case, HOSTS was used in lieu of Split DNS with the same internal & external domain name. Is the NetBIOS name correct for my situation (different ext. & int. names)?
TOM: For OL2003, it's more FQDN friendly, so I use FQDNs now with the full OL2003 client using secure Exchange RPC.
HTH,
Tom

(in reply to tshinder)
Post #: 31
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:08:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by JRV:
More info...

The ISA Server is behind a SOHO NAT router. Client says this is necessary for some reason with this particular ISP; can't recall his reason, and I've not confirmed it, and until now, it's not caused any difficulties beyond having to forward a few ports to ISA's external IP. But now I'm wondering if this is where the "Outlook Just Works" problem is.

Anyway, I've forwarded port 135 to the ISA Server external IP. The NAT router logs confirm that 135 is not being blocked...but I do notice that several inbound connection attempts to ephemeral ports from the remote IP ARE being blocked by the NAT router. I gather these are the ports Exchange opens for the RDP connection as described in your article.

I guess my next move is to see if the client will allow me to put the ISA Server in the NAT router's DMZ, at least for long enough to see if it makes "Outlook just work".

But I'd sure like it if anyone can confirm that this is a likely cause of the problem.

Hi J,
If the NAT router doesn't have RPC awareness, it won't work. Try the DMZ config on the NAT device and see if that works.

HTH,
Tom

(in reply to tshinder)
Post #: 32
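
An added example, not part of the original posts: the symptom JRV describes (port 135 passed, then inbound connections from the same remote IP to other ports dropped) is what a router log shows when the client is handed a dynamically assigned RPC port by the endpoint mapper and the NAT device is not RPC-aware. The sketch below flags that pattern; the log format, addresses and function names are constructed for illustration and do not correspond to any particular router.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical; real NAT routers differ):
#   <date> <time> <ALLOW|DROP> IN TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DROP) IN TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

EPMAP_PORT = 135         # RPC endpoint mapper, the only RPC port forwarded in the thread
DYNAMIC_PORT_MIN = 1024  # anything above the well-known range is treated as dynamic

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2005-06-01 18:42:10 ALLOW IN TCP 203.0.113.25:3391 -> 192.0.2.10:135
2005-06-01 18:42:11 DROP IN TCP 203.0.113.25:3392 -> 192.0.2.10:1187
2005-06-01 18:42:14 DROP IN TCP 203.0.113.25:3393 -> 192.0.2.10:1187
2005-06-01 18:42:20 DROP IN TCP 203.0.113.25:3394 -> 192.0.2.10:1190
2005-06-01 18:43:02 DROP IN TCP 198.51.100.7:4410 -> 192.0.2.10:4899
2005-06-01 18:50:00 ALLOW IN TCP 203.0.113.25:3400 -> 192.0.2.10:25
2005-06-01 18:55:00 DROP IN TCP 203.0.113.25:3401 -> 192.0.2.10:1187
"""


def parse(lines):
    """Yield (timestamp, action, source IP, destination port); skip unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["action"], m["src"], int(m["dport"]))


def find_rpc_nat_failures(lines, window_seconds=30):
    """Map each source IP to the high ports dropped shortly after it reached port 135.

    Assumes the log is in chronological order. A drop counts only if the same
    source had an allowed connection to the endpoint mapper within the window,
    which separates a broken RPC session from unrelated background scanning.
    """
    window = timedelta(seconds=window_seconds)
    last_epmap = {}                 # source IP -> time of last allowed 135 connection
    findings = defaultdict(list)
    for ts, action, src, dport in parse(lines):
        if action == "ALLOW" and dport == EPMAP_PORT:
            last_epmap[src] = ts
        elif action == "DROP" and dport >= DYNAMIC_PORT_MIN:
            seen = last_epmap.get(src)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                findings[src].append(dport)
    return dict(findings)


if __name__ == "__main__":
    for src, ports in find_rpc_nat_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: reached 135, then dropped on dynamic ports {sorted(set(ports))}")
```

A hit means the device in front of the ISA firewall is dropping the follow-on connection to the dynamically assigned port, which is consistent with the fix reported later in the thread.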
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by JRV:
Well, it seems I'm just posting to myself at this point, but for the benefit of any lurkers, putting the ISA server in the DMZ of the NAT router enabled it to work. Since the NAT router is accomplishing nothing at this point, I'm going to see if I can persuade the client to remove it.

But at least now "Outlook just works". [Wink]

Hi J,
That's great! Sorry to take so long to find your posts [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 33
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:11:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by techleet:
Hi Tom,

In regards to your Outlook Just Works (Enabling Full Outlook Client Access Anywhere using the ISA Firewall's Secure Exchange RPC Filter) article... well.. mine Just Doesn't Work. [Frown]

First off, my internal Win2k3 domain structure is this:

I migrated from NT4 domain to Win2k3 domain by doing a parallel install. I used the ADMT. NT4 domain was "MYDOMAIN" and the new Win2k3 domain is "CORP.MYDOMAIN.COM". Everything went smoothly, but I have to keep the NT4 PDC up and running because of a legacy app installed on it, which means I have to keep both "MYDOMAIN" and "CORP.MYDOMAIN.COM" up and running.

The aspect of Split DNS setup is eluding me. My exchange server internal address is AMBASSADOR.CORP.MYDOMAIN.COM. I have created an A Record on our External DNS for AMBASSADOR.CORP.MYDOMAIN.COM and pointed it to my ISA 2004 server. Of course, that zone doesn't really exist, per se, to the outside world, but it exists in-house, and it works just fine when I do an NSLOOKUP from the outside.

My question is this: Will this setup work for Outlook Just Works? Do I have to change my internal domain name to MYDOMAIN.COM? Is that even possible considering I already have MYDOMAIN as a Netbios/Nt4 domain name? They both would show up as MYDOMAIN in netbios.

Hmm... my head hurts. [Confused]

Hi Tech,
You can still replicate your internal domain name to external domains and get the split DNS.

What OL version are you using?

Thanks!
Tom

(in reply to tshinder)
Post #: 34
RE: Discussion about article on Outlook Access from Any... - 5.Jul.2005 12:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Strato:
Hi,

This is a good forum and I just had one question about ISA Server 2000 and its Firewall service.
Our customers connect via this ISA Server to their hosted mail server and it is published as RPC over HTTP. Their Outlook versions vary from Outlook 2000 to 2003.
Now we had a situation where the following warning was recorded to the event log on the ISA Server.
Type: Warning
User: N/A
Source: Microsoft Firewall RPC Filter
Category: none
Event ID: 20021

Description: The publlishing RPC service <ip-address:135> cannot be reached.

After this the connection is regained. But this happened several times per minute and it blocked some Outlook connections. Why did it happen? Do you have any comments on this?

-Strato-

Hi Strato,

RPC/HTTP and secure Exchange RPC publishing are different things.

Only OL2003 on WinXP SP1 and above supports RPC/HTTP.

HTH,
Tom

(in reply to tshinder)
Post #: 35
RE: Discussion about article on Outlook Access from Any... - 15.Aug.2005 1:47:00 PM   
jasdeeps

 

Posts: 3
Joined: 4.Sep.2003
From: CA
Status: offline
I would like to do this. I have Exchange 2000 and ISA 2000 Server. Can you please tell me how I can accomplish this? You may call me at 559-479-2763.

Thanks,

(in reply to tshinder)
Post #: 36
RE: Discussion about article on Outlook Access from Any... - 19.Aug.2005 11:04:00 AM   
Guest
Hi,

I'm just trying to confirm as to whether or not this procedure will work for Outlook 2000 <-> Exchange 2000?

Thank you very much.

(in reply to tshinder)
  Post #: 37
RE: Discussion about article on Outlook Access from Any... - 22.Aug.2005 9:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Miek,

Yes, it'll work for OL2000 and Exchange 2000.

HTH,
Tom

(in reply to tshinder)
Post #: 38
RE: Discussion about article on Outlook Access from Any... - 22.Aug.2005 9:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jas Singh:
I would like to do this. I have Exchange 2000 and ISA 2000 Server. Can you please tell me how I can accomplish this? You may call me at 559-479-2763.

Thanks,

Hi Jas,

Check out the ISA 2000/Exchange Deployment kit docs on this site.

HTH,
Tom

(in reply to tshinder)
Post #: 39
RE: Discussion about article on Outlook Access from Any... - 23.Sep.2005 4:00:00 PM   
Kaimanu

 

Posts: 1
Joined: 23.Sep.2005
From: Orange County, CA
Status: offline
I seem to be having the exact same errors as those that Jack Wilcox posted earlier. I have worked through the solutions posted, but the situation persists. At this point:

"I do see the request get to the ISA server by using the real-time logging. I see it Initiate the connection from the Client to the ISA server on port 135, but then I get a "Failed Connection Attempt" with:
Destination IP: <Exchange Server IP>
Destination Port: 135
Protocol: Exchange RPC Server
Rule: Publish Secure Exchange RPC"

I have tried making the Exchange Server a SecureNAT client; the problem persists. Additionally, I allowed the client requests to appear as coming from ISA rather than the original host; still the connection is closed.

Unlike the previous post, I do not have Cox as an ISP, and we are running Exchange 2003. As of now I am at a loss as to what else to try. Any help would be much appreciated.

Best Regards,

Josh

(in reply to tshinder)
Post #: 40
