Welcome to ISAserver.org

RE: Discussion about article on Outlook Access from Anywhere

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> RE: Discussion about article on Outlook Access from Anywhere

Page: << < prev 1 2 3 4 [5]

Message

<< Older Topic Newer Topic >>

RE: Discussion about article on Outlook Access from Any... - 17.Aug.2006 3:20:38 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jeff,

You need to create a split DNS.

Check out the many articles on this site regarding split DNS so that internal and external clients resolve the exch.domain.com name differently.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jeffrozar)

Post #: 81

Featured Links*

RE: Discussion about article on Outlook Access from Any... - 17.Aug.2006 5:17:17 AM

jeffrozar

Posts: 18
Joined: 18.Apr.2006
Status: offline

Thanks for the response. The article says:

The ideal DNS configuration for supporting hosts that move between the corporate network and remote locations is the split DNS.

Since I don't have any clients that move btwn the corp network and remote locations, it seems like a hosts file should suffice:

If your organization does not use the same domain name for resources that are accessible both internally and externally, then you can still access the Exchange Server via the RPC publishing rule by using local host name resolution, which bypasses the need for a DNS server.

Furthermore, the article's section "Configuring the Outlook 2003 Client to Connect via Secure Exchange RPC" says to add this entry in the client's hosts file:

192.168.1.70 exchange2003be.msfirewall.org

Here is where I am confused because the client in the hotel can't resolve the 192 private address, so how can the Outlook client get to the server in the first place?

(in reply to tshinder)

Post #: 82

RE: Discussion about article on Outlook Access from Any... - 17.Aug.2006 2:07:07 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jeff,

Read each word in the article and you'll see that:

1. The private addresses are used in the lab network to represent external addressess

2. The HOSTS file is used in the lab example only, production networks should use split DNS

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jeffrozar)

Post #: 83

RE: Discussion about article on Outlook Access from Any... - 17.Aug.2006 5:54:02 PM

jeffrozar

Posts: 18
Joined: 18.Apr.2006
Status: offline

Now that makes sense, must've had brain freeze. :)

Ok, so I have split DNS working:
- my external DNS resolution (Exc2k3.internal.domain.com) correctly resolves to 1.2.3.4
- my internal DNS resolution (Exc2k3.internal.domain.com) correctly resolves to 10.0.0.5

The ISA2k4 server correctly resolves Exc2k3.internal.domain.com to 10.0.0.5, and on an internal client, it connects with Outlook 2k3 to Exc2k3.internal.domain.com with no problem.

On the external client it comes back with "name could not be resolved". Logging in ISA2k4 shows that a request comes in on port 135, protocol Exchange RPC Server, but the action it immediately takes is "Closed Connection". I do have a rule for accepting RPC and sending them to the exchange server.

I tried turning off the XP firewall on the external client, and turning off the RPC filter on the ISA2k4 server, both to no avail.

Also, is it required that my ISA2k4 server belong to the domain internal.domain.com?

< Message edited by jeffrozar -- 17.Aug.2006 6:36:20 PM >

(in reply to tshinder)

Post #: 84

RE: Discussion about article on Outlook Access from Any... - 21.Aug.2006 4:58:19 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jeff,

Is there a NAT device in front of the ISA firewall? That will break Secure Exchange RPC publishing.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jeffrozar)

Post #: 85

RE: Discussion about article on Outlook Access from Any... - 21.Aug.2006 9:55:51 PM

jeffrozar

Posts: 18
Joined: 18.Apr.2006
Status: offline

Thanks for the reply - there is, and 135 is open. But, I gave up on straight RPC, and instead chose to do RPC over HTTP because of the security. I couldn't get that to work, either, after setting up the ISA box and client with Outlook. But with a little help, I discovered the RPC Proxy needed to be installed on the Exchange server. Once I installed that and created a certificate for non-domain laptops and the ISA server, everything worked great.

(in reply to tshinder)

Post #: 86

RE: Discussion about article on Outlook Access from Any... - 3.Sep.2006 5:53:33 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jeff,

What makes you think RPC/HTTP is more secure than Secure Exchange RPC publishing?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jeffrozar)

Post #: 87

RE: Discussion about article on Outlook Access from Any... - 15.Sep.2006 8:14:04 PM

jeffrozar

Posts: 18
Joined: 18.Apr.2006
Status: offline

I called MS tech supp for help on configuring this setup, and they *strongly* recommended not to use RPC publishing and opening port 135. I also found that I didn't have RPC over HTTP installed on the Exchange 2k3 server.

(in reply to tshinder)

Post #: 88

RE: Discussion about article on Outlook Access from Any... - 18.Sep.2006 3:44:36 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jeff,

You kidding, right? MS tech support said that?

Do you have a ticket number? I think someone needs a very VERY strong tongue lashing and he gave you totally BOGUS information!!!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jeffrozar)

Post #: 89

RE: Discussion about article on Outlook Access from Any... - 20.Oct.2006 7:25:11 PM

ilkeryildiz

Posts: 5
Joined: 1.Dec.2002
From: turkey
Status: offline

Hi,
http://www.isaserver.org/articles/2004securerpc.html

I read and apply article but wireless client not connect exchange.I try local host file and dns.
I have one SBS 2003 SP1 (isa2004 and exchange2003 latest srv pack) server.

SBS External nic:
ip:10.0.0.201
gateway:10.0.0.138 ( my zyxel ADSL router DMZ port)
dns:192.168.0.1
-------------------
SBS internal link:
ip:192.168.0.1
gateway: blank
dns:192.168.0.1
--------------------
Zyxel ADSL router:
DMZ port: 10.0.0.138
lan-Wlan: 192.168.1.1-192.168.1.254
lan to dmz and dmz to lan =allow
------------

< Message edited by ilkeryildiz -- 20.Oct.2006 7:30:03 PM >

(in reply to tshinder)

Post #: 90

RE: Discussion about article on Outlook Access from Any... - 21.Oct.2006 11:53:28 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Doesn't apply to SBS.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ilkeryildiz)

Post #: 91

RE: Discussion about article on Outlook Access from Any... - 12.Dec.2006 2:37:36 AM

Viktor

Posts: 1
Joined: 29.Nov.2006
Status: offline

Hi Thomas,

In our office we have established a RPC (not RPC over HTTP) connection to our Exchange based on your article �allowing Outlook MAPI client access from anywhere using the Secure Exchange RPC�

We use Exchange Server 2003 SE full patched, the ISA Server 2004 SE with Service Pack 2. Both are running on different Windows 2003 Servers. They are full patched as well.

Maybe I should note that the Exchange is running in a Virtual Machine.

The Clients are running Windows XP (all Clients have the latest Patches) and are using Outlook Professional 2003 (the �Service Pack 2� for Office 2003 Professional is also installed).

The problem is that some clients are able to connect to the Exchange over RPC but others not. The client is permanently trying to connect to the Exchange but cannot complete it. There are no entries in the event log on the Exchange Server. There are also no entries in the event log of the Client.
I compared the settings on working clients with those that are not working more than 10 times. They are all identically.

The problem does not only exist with one client altogether. There are 6 or 7 Clients with this problem and approximately 15 or 18 clients which don�t have this problem.

If you need some more information, ask me!

Best Regards

Viktor

(in reply to tshinder)

Post #: 92

RE: Discussion about article on Outlook Access from Any... - 12.Dec.2006 6:37:56 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Viktor,

Most likely reason is the firewalls in front of the hosts that cannot connect are not intelligent firewalls and this don't have an RPC NAT editor or filter.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Viktor)

Post #: 93