Exchange/Outlook Port

skypilot

Golden Member
Mar 20, 2000
I've just deployed Small Business Server 2k3 for a friend's business, and have been using Outlook Web Access over HTTP for desktops as well as ActiveSync over HTTP for PDAs to keep clients connected to their Exchange boxes. This seems to work well.

The problem I have is that in some scenarios, the desktop Outlook 2003 client would meet our needs better than OWA. However, when I try to connect to Exchange from outside the firewall, it can't reach the server.

This could be because I have no idea which ports to forward through the router... I have 135 open on a suggestion from a friend, but no luck as of yet. I also have the standard port 25 for SMTP and 80 for HTTP (OWA, ActiveSync, and it's also a web server). Any takers?

Thanks in advance,
 

Genx87

Lifer
Apr 8, 2002
You are going to have to set up RPC over HTTPS, unless you are trying to do POP?

 

skypilot

Golden Member
Mar 20, 2000
Which requires ISA, correct? I don't have that set up (I'm using SBS Standard Edition).

Can RPC do UPnP requests to the consumer router, instead of negotiating with ISA?
 

Genx87

Lifer
Apr 8, 2002
AFAIK you can set it up to work without ISA Server, and you can do it in a single-Exchange environment as well, although both are not recommended by Microsoft.

They recommend you use ISA Server, but I don't believe it is a requirement. SBS 2003 may also have a simple install wizard to get it up and running for you vs. manually doing it with an Exchange 2003 box.

Edit: Don't forget, to get RPC over HTTPS working you require Exchange SP1.

 

Tsaico

Platinum Member
Oct 21, 2000
Where is RebateMonger?!?

In any case, here is a bit that you will need to know, that I learned the hard way. First, the easy stuff was creating an SSL (or buying one; keep this in mind, I will come back to it later). Then turn on SSL for Exchange OWA and RPC. Now all you need are two NICs, one for internal traffic, one for the outside world. You can then filter traffic to specific needs through the external NIC.

I did find out though, after I got all my stuff deployed and PDAs hooked up, that now I need an SSL CA from a pre-approved list for my Palm users. It turns out that Palm users cannot add to their trusted root list, which is something incredibly easy to do with a Windows PDA. The official solution from Palm Inc. is to either buy an SSL CA from someone on their list, or turn off SSL completely. Your choice.

Read up and good luck. As for ports, you only need 443 and 80 to be open. Hence the beauty of RPC over HTTPS. I would close the other port, 135. It is generally a bad idea to leave this open, exposed to the internet.
 

RebateMonger

Elite Member
Dec 24, 2005
Most ISPs don't pass traffic on inbound TCP Port 135 anymore, anyway. They filter it off.

With SBS 2003, you can remotely connect Outlook 2003 using either a VPN or "RPC over HTTPS". I've used both. Your choice. Neither requires ISA 2004.

You can do RPC over HTTPS with only TCP Port 443 open.

The only thing that I kinda' hate about RPC over HTTPS is that you have to enter UserName/Password when you first connect your Outlook. With a VPN, you can save your UserName/Password and not have to type it each time you connect. But it's not a big deal either way.
 

stash

Diamond Member
Jun 22, 2000
Originally posted by: RebateMonger
The only thing that I kinda' hate about RPC over HTTPS is that you have to enter UserName/Password when you first connect your Outlook. With a VPN, you can save your UserName/Password and not have to type it each time you connect. But it's not a big deal either way.
If you are logged on to a remote machine with the domain account, you can configure Outlook to use NTLM and not be prompted. I do it every single day because I don't work out of a Microsoft office, and I don't connect over VPN regularly.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: stash
If you are logged on to a remote machine with the domain account, you can configure Outlook to use NTLM and not be prompted. I do it every single day because I don't work out of a Microsoft office, and I don't connect over VPN regularly.
Thanks, Stash!
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: Tsaico
I did find out though, after I got all my stuff deployed and PDAs hooked up, that now I need an SSL CA from a pre-approved list for my Palm users. It turns out that Palm users cannot add to their trusted root list, which is something incredibly easy to do with a Windows PDA. The official solution from Palm Inc. is to either buy an SSL CA from someone on their list, or turn off SSL completely. Your choice.
I'm using Sprint and Verizon PPC6700 WM5 phones, and those let you use the SBS 2003 self-signed Certificate for the SSL.

But, yeah, not all phones will let you use a self-signed Certificate. Some, in fact, will reject even commonly-accepted (but lower-cost) public Certs (like GoDaddy's). Instead, they require those high-priced Certs (like VeriSign's). Be sure to do some research before investing in a public Certificate for a new SmartPhone.

And, of course, for a SmartPhone or PDAPhone, be sure that your Certificate name is EXACTLY the same as the URL you use to access the Exchange Server. This requirement applies to SmartPhones and to PC access using "RPC over HTTPS". If you encounter a Security Warning when you manually access your OWA site, you have a Certificate name problem, or you haven't installed your Server's Root Certificate in your Phone or PC.
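The certificate-name check RebateMonger describes (the name on the cert must match the URL clients use, and a self-signed SBS cert needs its root installed on every phone and PC) can be verified before users start reporting Security Warnings. The script below is an added example and is not from this thread or from Microsoft; it works on the dictionary layout Python's `ssl` module returns from `getpeercert()`, and the two sample certificates and the `acme.example` host names are constructed for illustration. It goes slightly beyond the thread by also handling wildcard names, which a purchased public cert may carry.

```python
"""Check whether an Exchange/OWA certificate covers the URL clients actually use.

Added example (not from the thread). Operates on the dict format returned by
ssl.SSLSocket.getpeercert(); the certificates below are constructed samples.
"""
import socket
import ssl
from urllib.parse import urlparse


def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries first, with the
    subject CN as a fallback (an SBS 2003 self-signed cert typically has only a CN)."""
    names = [val for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, val in rdn:
                if key == "commonName":
                    names.append(val)
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leading '*' label matching exactly one host label (so *.acme.example covers
    mail.acme.example but neither acme.example nor a.b.acme.example)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def is_self_signed(cert):
    """A self-signed cert is its own issuer; clients must trust it explicitly."""
    return cert.get("subject") == cert.get("issuer")


def check_cert_for_url(cert, url):
    """Report whether the URL's host is covered by the cert and whether the cert
    is self-signed (the two causes of the Security Warning the thread mentions)."""
    host = urlparse(url).hostname or ""
    names = cert_names(cert)
    return {
        "host": host,
        "names": names,
        "name_ok": any(name_matches(n, host) for n in names),
        "self_signed": is_self_signed(cert),
    }


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate the live certificate with the system trust store.
    Returns (cert_dict, None) on success, or (None, error_text) when the chain
    or name check fails, which is exactly the condition a phone would refuse."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


# Constructed sample: the default SBS self-signed cert, issued to the internal name.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "sbs01.acme.local"),),),
    "issuer": ((("commonName", "sbs01.acme.local"),),),
}

# Constructed sample: a purchased public cert for the external name, with a SAN.
PUBLIC_CERT = {
    "subject": ((("commonName", "mail.acme.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "mail.acme.example"), ("DNS", "autodiscover.acme.example")),
}

if __name__ == "__main__":
    for cert in (SELF_SIGNED_CERT, PUBLIC_CERT):
        print(check_cert_for_url(cert, "https://mail.acme.example/exchange"))
```

Running the two samples against the external URL shows the self-signed cert failing the name check (it was issued to `sbs01.acme.local`) and flagged as self-signed, while the public cert passes; `fetch_cert` can be pointed at a live server to reproduce what a phone with only the system roots would see.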