SBS 2003 w/ ISA 2004

[Diaonic]

I have an interesting problem.

here is my setup

I single server with 2 nics. Running SBS 2003, exchange 2003, ISA 2004, IIS.

I ran the internet connection wizard for SBS and setup all the certs and I have all of the other websites working properly. RWW, OWA, ect..

But i can't get RPC over HTTP to work at all. I followed the microsoft guides and when I try to connect it fails. Here is a picture of the ISA log when I try to connect. I edited out the IP's for security reasons.

ISA Log

The certificate is installed on the client machine.

Any help would be appreciated.

Thanks in advance

 

[RebateMonger]

Well, first off, I can tell you that it WILL work. 🙂 I use it on most of my SBS Servers, including those with ISA 2004.

The most common problem with RPC over HTTPS is that the Security Certificate has to have the EXACT name that you use for accessing it with RPC over HTTPS. If your Certificate says "remote.mydomain.com", then that's what has to be used in the Outlook RPC Profile setup. in both the "Exchange Server Proxy Settings" boxes:
Connection Settings URL: https://remote.mydomain.com
Principal name for proxy server: msstd:remote.mydomain.com

The test for this is to close all instances of Internet Explorer, and then try to open up your OWA site: http://remote.mydomain.com/exchange. If the login screen for OWA opens WITHOUT asking about Certificate errors, then you have the certs right. If it asks, then you have the certs wrong and RPC over HTTPS will never work.

Part of the SBS "Connect to the Internet" Wizard includes a checkbox for RPC over HTTPS (called "Outlook Over the Internet"). If you enable the checkbox for that, it SHOULD set up ISA 2004 on it's own.

I imagine there's some more troubleshooting we can do, but I just want to make sure that these two common stumbling blocks are covered first. Finally, be sure that everything is up-to-date in updates: Outlook, ISA, and SBS 2003. SBS 2003 SP1 has all the patches necessary for RPC over HTTPS already installed.

 

[Diaonic]

Let me clarify abit more. I want to do RPC over HTTPS. Remote.mydomain.com/exchange
works fine and does ask for a certificate. So does RWW, monitoring ect..

The certificate name that the ICW installs is: publishing.mydomain.local
The domain name in the exchange over the internet settings is different from that certificate.

 

[RebateMonger]

You can't use the publishing.mydomain.local certificate for the front-end certificate for SBS. That's because you can't reach the site: http://publishing.mycomain.local from across the Internet. It's not a valid public domain name.

You need to create a new certificate that ends in "mydomain.com" and use THAT cert as your front-end. Then, when you access Exchange via RPC over HTTPS you can use a valid site name like http://mydomain.com or http://remote.mydomain.com. Whatever site name you use has to EXACTLY match the friendly name of your front-end certificate or else RPC over HTTPS will never work. (See my instructions and notes in my previous post.)

 

[Diaonic]

If the certificate is not setup right. Wouldn't OWA, Monitoring, RWW not work. Since they all use the same cert?

 

[RebateMonger]

Your cert configuration MUST pass this test:

Close all instances of Internet Explorer, and then try to open up your OWA site: http://xxx.xxx.xxx/exchange. If the login screen for OWA opens WITHOUT asking about Certificate errors, then you have the certs right. If it asks, then you have the certs wrong and RPC over HTTPS will never work.

 

[Diaonic]

it's going to prompt you the first time you goto the site regardless though because you need to install the certificate on the machine right?

 

[RebateMonger]

Originally posted by: Diaonic
it's going to prompt you the first time you goto the site regardless though because you need to install the certificate on the machine right?

Yes. But if it ever prompts you again on the same PC, RPC over HTTPS won't work.