Discussion of RPC over HTTP Series

Discussion of RPC over HTTP Series (Full Version)

All Forums >> [ISA Server 2000 General] >> Web Publishing

Message

tshinder -> Discussion of RPC over HTTP Series (29.Dec.2003 7:24:00 PM)
This thread is for discussing the RPC over HTTP series. Part 1 is at: http://www.msexchange.org/articles/rpchttppart1.html Thanks! Tom

spouseele -> RE: Discussion of RPC over HTTP Series (29.Dec.2003 9:06:00 PM)
Hi Tom, what a coincidence! I was just start looking at the best scenario for the full blown Outlook 2003 clients to get to the internal Exchange 2003 without using a VPN connection or plain RPC publishing. If I understand it all well, then the RPC/HTTP proxy is a Windows 2003 component, not an Exchange 2003 component. So, to the internal Exchange server all traffic seems to come from regular Outlook 2003 clients (plain RPC traffic). Right? If that's the case, can't we combine the RPC/HTTP proxy for easy firewall traversal at the client side and ISA RPC publishing for maximum security at the server side? More precisely, what do you think of the following "Poor man's" scenario or any variant of it: code: [Exchange] --- [ISA] --- Internet ! ! [RPC/HTTP Proxy] Of course I assume here a complete locked down box for the RPC/HTTP Proxy in the DMZ. Should it still work if we RPC publish the Exchange server on the ISA DMZ interface or is it much more complex? Thanks, Stefaan [ December 29, 2003, 09:16 PM: Message edited by: spouseele ]

tshinder -> RE: Discussion of RPC over HTTP Series (29.Dec.2003 10:11:00 PM)
Hi Stefaan, That is a very interesting scenario! I haven't considered it, but I would be interesting to see if it works. We should be able to use an Exchange RPC Server Publishing Rule to allow the RPC proxy access to the Exchange Server on the internal network. However, there are some other considerations, as setting the proper Registry entries for port numbers used to communicate between the RPC proxy and the back end Exchange Server. This can complicate the scenario quite a bit over making the RPC proxy a LAT host, but its not insurmountable. Name resolution would also pose a bit of a challange, too. The Registry info will be included in the second part of the series, which I'll post on ISAServer.org tonight. thanks! Tom

spouseele -> RE: Discussion of RPC over HTTP Series (29.Dec.2003 11:33:00 PM)
Hi Tom, after going through some docs about RPC over HTTP, I have a feeling it isn't indeed that easy as one would expect at first sight! As you know, I'm an advocate of strong user authentication. Is it right to say that in the current version of the RPC/HTTP proxy you can't use a client certificate or a smartcard for authentication against the RPC/HTTP proxy? If that is true, it is probably not a limitation of the RPC/HTTP proxy implementation on IIS6 but rather a limitation on the RPC/HTTP proxy implementation on Windows XP-SP1. Correct? BTW --- it would be great if a secure RPC over HTTP proxy would be incorporated as an application filter in ISA server, including the RPC inspection. That would be another killing application of ISA server! Thanks, Stefaan [ December 29, 2003, 11:45 PM: Message edited by: spouseele ]

tshinder -> RE: Discussion of RPC over HTTP Series (30.Dec.2003 1:17:00 AM)
Hi Stefaan, Indeed, I think this DMZ config you outlined would not be easy, but should be able to be done. You are correct that you can't configure the Outlook 2003 client to present a client certificate, or enable it to use smartcard auth. However, I think there is a problem with the RPC proxy in that it will not accept a client certificate. I discovered this when trying to configure the ISA firewall to send a client certificate to the RPC proxy server to authentication by requiring a client certificate. While this works fine with OWA, I was never able to get it to work with the RPC proxy. Thanks! Tom

spouseele -> RE: Discussion of RPC over HTTP Series (30.Dec.2003 9:39:00 PM)
Hi Tom, hmm... maybe I should get back to the drawing board and take a look at all the possible alternatives. Thanks, Stefaan

tshinder -> RE: Discussion of RPC over HTTP Series (31.Dec.2003 2:05:00 AM)
Hi Stefaan, I think the new VPN implement in ISA2004 might be the best solution. I can write you offline with more details, and then we'll share it with the world when the public beta begins! Thanks! Tom

spouseele -> RE: Discussion of RPC over HTTP Series (31.Dec.2003 11:04:00 AM)
Hi Tom, Great! We are going offline! Thanks, Stefaan

goodie -> RE: Discussion of RPC over HTTP Series (2.Jan.2004 4:49:00 PM)
Tom, Thanks for the articles. I was reading through part 1 and 2 but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be. I have installed RPC Proxy on the exchange server and removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much Jon

rpotthoff -> RE: Discussion of RPC over HTTP Series (2.Jan.2004 9:40:00 PM)
I have read part1 and part2 and I have one problem I do not have a front end server, I only have one exchange server and I need to use this whit ISA what do I need to do to make this work? PLEASE help as I will be installing exch2k3 this weekend.

tshinder -> RE: Discussion of RPC over HTTP Series (3.Jan.2004 2:38:00 PM)
quote: Originally posted by goodie: Tom, Thanks for the articles. I was reading through part 1 and 2 but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be. I have installed RPC Proxy on the exchange server and removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much Jon Hi Jon, Yes, that would be an interesting scenario. I haven't tested it out yet, though. I wanted to start with the scenario that officially sanctioned by MS, and then move to more creative approaches. If you have a chance to test it before me, please let us know the results of your testing. Thanks! Tom

tshinder -> RE: Discussion of RPC over HTTP Series (3.Jan.2004 2:39:00 PM)
quote: Originally posted by rpotthoff: I have read part1 and part2 and I have one problem I do not have a front end server, I only have one exchange server and I need to use this whit ISA what do I need to do to make this work? PLEASE help as I will be installing exch2k3 this weekend. Hi R, The front end can be just an IIS 6 box running the RPC over HTTP service. The Exchange front-end server is the officially sanctioned config, but not required. HTH, Tom

Vem427 -> RE: Discussion of RPC over HTTP Series (5.Feb.2004 5:20:00 AM)
For those of you wanting to host OWA, RPC/HTTP, Active Sync and or OMA using ISA server one document that you might find very useful is Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment This handles all aspects of urlscan with respect to ISA 2000 and Exchange 2003 and includes a fully functional urlscan file. If you are also providing access for to a MS SharePoint Portal Server then I suggest that you look at the documentation for that as it is also affected by urlscan. Hope this is of some use to other members. Anyway here are my comments on "spouseele" idea for a poor mans solution to rpc/http. Not so certain about the achieved end result. The following ports (in addition to rpc port) must be opened from this rpc/http server to: To all Exchange back-end servers: 593 (end point mapper) 6001 (Store) 6002 (DS referral) 6004 (DS proxy) To all utilized Global catalog server: 593 and 6004 I believe that you could do what you suggest but wonder if the result is as good as keeping the rpc/http server on the internal network.

tshinder -> RE: Discussion of RPC over HTTP Series (5.Feb.2004 2:39:00 PM)
Hi Vern, Thanks! Tom

freeballn -> RE: Discussion of RPC over HTTP Series (12.Mar.2004 1:43:00 AM)
Dr. Shinder and other contributors, Thank you for all the information you all have provided, I really appreciate your work. I have been going through the process to get RPC working over HTTP to an Exchange server, and I have a question regarding the IPSec between the backend and frontend Exchange servers. My frontend and backend Exchange servers are both also the domain controllers for my AD. I haven't read anything that says that is an issue, but when I go to access the Local Security Policy on either machine it isn't available, instead there are Domain Security Policy and Domain Controller Security Policy options. I went ahead and attempted to create the policies according to the article, but because they are for the domain rather than the local machines, they each show up on both machines. I am unable to assign them both at the same time, and if I do assign one, then the other machine looses access to the Security Policy editor entirely. I may be writing this prematurely as I am betting that there is a way to create a single domain policy to accomplish what the two machine policies would normally do. Unless there is a way to manage local security policy on a domain controller that I haven't yet found? I would appreciate any recommendations or information. Thank you, Carson [ March 17, 2004, 09:44 PM: Message edited by: Carson ]

tshinder -> RE: Discussion of RPC over HTTP Series (31.Mar.2004 10:43:00 PM)
Hi Carson, Its is possible to create the same domain security policy that applies only to the two machines. I would configure it in the domain controllers OU. HTH, Tom

thejun -> RE: Discussion of RPC over HTTP Series (31.Mar.2004 10:54:00 PM)
has anyone gotten this to work without ssl certificates?

TimTrace -> RE: Discussion of RPC over HTTP Series (2.Apr.2004 10:25:00 PM)
Tom, thanks for yet another EXCELLENT walkthrough. In my situation, I have a single-EX2k3 installation. I saw the note, above, that an IIS6 box can perform as the RPC>HTTP proxy server... ...but... ...is it possible (and secure) to have the single-EX2K3 box run the RPC>HTTP proxy site locally, with the proxy site registry entries referring back to 127.0.0.1, or something like that? Best regards, Tim ==

mcfly9 -> RE: Discussion of RPC over HTTP Series (31.Oct.2004 12:56:00 AM)
Hello, I have been successful in configuring the RPC over HTTP Proxy and everything seems to be fine, except for one thing. My users get the auth dialog box pop up when they start outlook on a remote network. I acknowledge that this is the way it should go with Basic authentication, so i configured the RPC virtual dir in IIS to use integrated auth, and configured Outlook to use Integrated auth as well. Now i still get the auth dialog box, where there's a new checkbox (save password) but i can't get my clients to save the password, it keeps on forgetting it every time. I also tried putting the site hosting the RPC over HTTP proxy directory into the Trusted Zone in internet explorer, hoping that it'll do an automatic login, but nothing happened... the login dialog still keeps on coming up. Any ideas to solve this problem?

tshinder -> RE: Discussion of RPC over HTTP Series (1.Nov.2004 6:51:00 AM)
Hi Fly, IIRC, this is required for RPC over HTTP connections, so its not an ISA firewall issue. Can't say for sure though, but you can find out quick by testing from a host behind the ISA firewall. HTH, Tom

Page: [1] 2 next > >>