Basic Troubleshooting for RPC/HTTP Publishing (Exchange 2003)
Troubleshooting RPC/HTTP is not an easy task. An RPC/HTTP solution has so many moving parts that it’s often hard to figure out which one is broken. The ISA Firewall’s log files are of no help at all, so you have to take a different approach to troubleshooting RPC/HTTP publishing failures.
If your RPC/HTTP isn’t working, try checking for the following things:
- Make sure the ISA Firewall is joined to the domain — this is a basic ISA firewall security best practice
- In ISA 2004, make sure you’re using a different Web listener than that used by OWA forms-based authentication publishing. In ISA 2006, you can use the same listener because the listener will fall back to basic for the RPC/HTTP client
- Make sure you’re delegating Basic authentication in the RPC/HTTP Web Publishing Rule
- Make sure that the RPC/HTTP Web Publishing Rule is for authenticated users only. That can be all authenticated users, or selected users or groups
- Make sure your client is running Outlook 2003 on Windows XP SP1 or above
- Make sure your client has the CA certificate of the CA that issued the Web site certificate bound to the Web Listener that’s accepting connections from the RPC/HTTP client. This CA (root) certificate should be installed in the client’s Trusted Root Certification Authorities\Certificates machine certificate store.
- Make sure that you enter the correct name for the Web proxy in the client configuration. This may or may not be the same as the name of the mailbox server. It is always the common name on the certificate bound to the RPC/HTTP Web listener
- Make sure that IIS is installed on the OWA server
- Make sure that the RPC/HTTP Web Proxy service is installed on the OWA server
- Make sure a Web site certificate is installed on the OWA server
- Make sure that the name on the TO tab in the Web Publishing Rule is the same as the name on the Web site certificate bound to the OWA site
- Make sure that the /rpc directory on the OWA Web site is configured to use Basic authentication only
- Make sure the RPC over HTTP proxy service is starting by checking the Event Viewer
- Make sure you have configured RPC/HTTP service correctly on the OWA Server by using the Properties dialog box of that Exchange Server
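The name-matching and Basic-only items in this checklist can be checked mechanically once you have the two certificates and the challenge headers in hand. The following is an added example, not part of the original post: the function names, host names and sample data are hypothetical, the certificate dicts use the shape returned by Python's ssl.SSLSocket.getpeercert(), and the header list stands for the WWW-Authenticate values returned for an unauthenticated request to /rpc on the OWA server.

```python
# Added example: checks three checklist items against constructed data.
# All function names, host names and sample values are hypothetical.

def common_name(cert):
    """CN from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def offered_schemes(www_authenticate):
    """Auth schemes named in a list of WWW-Authenticate header values."""
    schemes = set()
    for header in www_authenticate:
        # Simplification: split on commas; parts such as nonce="..." are
        # parameters of the preceding challenge, not new schemes.
        for part in header.split(","):
            words = part.split()
            if words and "=" not in words[0]:
                schemes.add(words[0].lower())
    return schemes

def same_name(a, b):
    return a is not None and b is not None and a.lower() == b.lower()

def check_rpc_http(client_proxy_name, listener_cert,
                   to_tab_name, owa_cert, rpc_www_authenticate):
    """Return the checklist items that fail for the supplied data."""
    problems = []
    if not same_name(client_proxy_name, common_name(listener_cert)):
        problems.append("client proxy name != CN of Web listener certificate")
    if not same_name(to_tab_name, common_name(owa_cert)):
        problems.append("To tab name != CN of OWA Web site certificate")
    schemes = offered_schemes(rpc_www_authenticate)
    if schemes != {"basic"}:
        problems.append("/rpc offers %s, expected Basic only"
                        % (", ".join(sorted(schemes)) or "no challenge"))
    return problems

# Constructed sample data (not from a real deployment).
LISTENER_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
OWA_CERT = {"subject": ((("organizationName", "Example"),),
                        (("commonName", "owa.internal.example.com"),))}
GOOD = check_rpc_http("mail.example.com", LISTENER_CERT,
                      "owa.internal.example.com", OWA_CERT,
                      ['Basic realm="owa.internal.example.com"'])
BAD = check_rpc_http("exchange01", LISTENER_CERT, "10.0.0.5", OWA_CERT,
                     ["Negotiate", "NTLM", 'Basic realm="owa"'])
print(GOOD)
print(BAD)
```

The second call fails all three checks: the client points at the mailbox server's name rather than the listener certificate's common name, the To tab holds an IP address, and /rpc still offers Integrated authentication alongside Basic.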
While not a totally comprehensive list, if you can check on each of these issues, I’d estimate that you have a 90% chance of finding out what the problem is.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Nóri Says:
July 3rd, 2007 at 1:14 pm
But what if I would like to use Integrated Authentication??
Tom Shinder Says:
July 3rd, 2007 at 1:34 pm
You can’t. You must use basic authentication to the Web listener.
HTH,
Tom
Nóri Says:
July 4th, 2007 at 9:48 am
But I’ve managed to get this working by specifying All Users. Why does it not work with All Authenticated Users?
Nóri
Tom Shinder Says:
July 4th, 2007 at 10:34 am
Because you’re not preauthenticating with ISA Firewall, so all anonymous connections from any user on the Internet (read hackers) can get to your Exchange Server and take advantage of the anonymous connections. By not pre-authenticating at the ISA Firewall, you remove much of the security the ISA Firewall provides.
HTH,
Tom
Brian P Says:
September 13th, 2007 at 12:40 pm
I’ve gone through ALL configs over and over again including this checklist: all is OK. HTTPS connections work fine internally. As soon as I test from outside…nothing. Eventually, all connections fail and Outlook goes offline. I have set this up using your tutorial for single exchange publishing (identical!) as well as similar referrals to technet, petri, and others. This is Outlook Anywhere only, not OWA (OWA works when I set it up to test but then remove the policy to focus on RPCoHTTPS). The log shows a failed connection attempt for the RPC/HTTP rule with an HTTP status code of 0x80004005. I’ve searched everywhere and can only find cryptic info about this and even less as it applies to ISA. Please refer this to an appropriate post if needed. Please help…I’m at wit’s end. Thank you.
Luís Barreto Says:
February 21st, 2008 at 5:22 pm
Hi Dr Tom
I’m a big fan of yours, I like your writing very much, basically because you explain how to do the things and also why they should be that way.
Now, my problem regarding this (as always) comprehensive troubleshooting guide is one simple question:
For the last few days I’ve been trying to configure one of my ISA/Exchange RPC implementations with Single Sign On. I think I’ve read all the info on this matter on the web, and unfortunately I didn’t get a straight answer, although at this time I suspect which it is…
- Given 1 ISA 2006 (AD member), 1 Exchange 2003 (which is also the RPC proxy), 1 or 2 public IPs, 1 or 2 web listeners, digital certificates, and Outlook 2003 or 2007 clients, is it possible to publish RPC over HTTP securely (only to a subset of AD users) without requiring them to type their password to ISA Server?
As I said, at this time, I think the answer is no. But if I’m wrong please point me in some direction.
Thanks
Luis Barreto
Portugal