Re: Open Ports required for RFC over HTTP




If you're getting an invalid cert error when you http to the url, that's the
issue. Get that resolved and you should be on your way w/ rpc/http.

--
--Brian Desmond
Windows Server MVP
desmondb@xxxxxxxxxxxxxxxxxxxx

www.briandesmond.com


"Harold Bruce" <HaroldBruce@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:61EBBF87-EECE-451E-BBFE-45B88A513445@xxxxxxxxxxxxxxxx
> Brian,
>
> We are using a cert issued by Geotrust. Now, this is where it gets
> complicated...
> The university I work for has some strange rules. The A record entries
> match the actual host name, which is quite long. We have a CNAME pointing
> to the A record which is slightly shorter and more descriptive. When we were
> issued our cert, it was issued for the CNAME, and worked fine. The CNAME
> also had an associated MX record. They (university system) changed the
> "policies" to where you could not have an MX record match a CNAME or A
> record.
> This means that the site named in the cert is just an MX record and cannot
> be accessed via a browser. Now, when you visit Exchange via the web
> interface, either by going to the CNAME, A record or IP address, you get a
> security alert saying the name on the cert is invalid or does not match
> the name of the site.
>
> On my XPSP2 laptop, either inside or outside our firewall on campus (all
> ports are open), I get the same security warning via IE. BUT, I can still
> connect successfully with Outlook configured for RPC over HTTP, using the
> Exchange server's A record, which as stated above, in a browser, gives a
> security alert.
>
> Again, this leads me to believe my ISP is doing something, but I have no
> clue what. I asked them what ports they block, and was given this list:
> tcp 135
> udp 135
> udp 137
> udp 138
> tcp 139
> tcp 445
> udp 445
> tcp 593
> tcp 4444
> udp 4444
> tcp 27374
>
> Any other ideas??
>
> Thanks.
> harold
>
> "Brian Desmond [MVP]" wrote:
>
>> Phil,
>>
>> Harold is using RPC/HTTP. This works over HTTP ports NOT RPC ports. So
>> that won't be the case.
>>
>> Harold - are you using a valid https cert on the frontend (and it was
>> issued by someone like Thawte or VeriSign)? That makes a difference.
>>
>> --
>> --Brian Desmond
>> Windows Server MVP
>> desmondb@xxxxxxxxxxxxxxxxxxxx
>>
>> www.briandesmond.com
>>
>>
>> "Phil Hunt" <hunt@xxxxxxxxxxxxxx> wrote in message
>> news:ONSsHNVOFHA.3296@xxxxxxxxxxxxxxxxxxxxxxx
>> > This is probably due to your home isp/broadband provider closing all the
>> > RPC ports 'for your protection'
>> >
>> > Pretty bad that you cannot run the client at home. If you have a user
>> > on the road for weeks, the only way they can connect is vpn (not
>> > practical for dialup foreign connections (way too slow)), or pop/imap,
>> > or dialup using ras on the exchange server.
>> >
>> > Groupwise can use its client at home using TCP and 2 ports.
>> >
>> > Any 3rd party apps that would allow w2k systems to connect?
>> >
>> >
>> > "Harold Bruce" <HaroldBruce@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:DE68DC65-198C-4F68-BD5D-D90D66FE4FF9@xxxxxxxxxxxxxxxx
>> >> Brian,
>> >>
>> >> We actually had them remove all port blocking for the IP associated
>> >> with our Exchange 2003 server. Via wireless or wired on the same subnet
>> >> (inside our firewall), we can successfully connect to the exchange
>> >> server. Across campus, on a totally different subnet (outside the
>> >> firewall, although all ports are open for the exchange server), we can
>> >> via wireless or wired connect via RPC over HTTP.
>> >>
>> >> At home, using a broadband ISP, neither my assistant nor I can
>> >> connect successfully. What do I need to look at? Is there any way to
>> >> trace from home or setup tracing on the exchange server to see what the
>> >> deal is? We have tried using the DNS name and IP address, with the same
>> >> non-results.
>> >>
>> >> Thanks!
>> >> harold
>> >>
>> >> "Brian Desmond [MVP]" wrote:
>> >>
>> >> > Harold-
>> >> >
>> >> > The only thing you need open facing the world is port 443. All those
>> >> > other ports - opening them negates the whole idea of rpc/http and
>> >> > leaves your server wide open for the world.
>> >> >
>> >> > --
>> >> > --Brian Desmond
>> >> > Windows Server MVP
>> >> > desmondb@xxxxxxxxxxxxxxxxxxxx
>> >> >
>> >> > www.briandesmond.com
>> >> >
>> >> >
>> >> > "Harold Bruce" <Harold Bruce@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> > message
>> >> > news:CE0C7650-B83B-4471-B83B-F02823E5325A@xxxxxxxxxxxxxxxx
>> >> > > I have an Exchange 2003 (SP1) single server that I have configured
>> >> > > for RPC over HTTP. It works great if we are inside the firewall, but
>> >> > > outside, it never connects. I know it is a firewall issue because we
>> >> > > turned the firewall off for the IP of the server.
>> >> > >
>> >> > > My question is: what ports are required to be open for RPC over
>> >> > > HTTP? I had the following ports open: 110, 995, 25, 143, 993, 80, 21,
>> >> > > 443, 691, 389, 3268, 88, and 135.
>> >> > >
>> >> > > We actually run SurfControl on the server, so it is listening on
>> >> > > port 25 while Exchange is set to listen on port 26. Do I need to open
>> >> > > port 26? Is there anything I am missing?
>> >> > >
>> >> > > Thanks
>> >> >
>> >> >
>> >> >
>> >
>> >
>>
>>
>>
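The thread turns on two points: RPC over HTTP only needs 443 reachable from outside, and the certificate on the front end has to be valid for the name the client actually connects to. Harold's cert was issued for the short CNAME, while clients reach the server by the long A-record name or by IP, so every name except the CNAME fails the name check. The script below is an added example, not code from the thread or from Microsoft: it reproduces that name check offline against a constructed certificate (the hostnames, the certificate contents and the address 192.0.2.10 are made up for illustration), and includes a live probe on 443 with full verification for use against a real front end.

```python
"""Check which client-facing names match the TLS certificate on an Exchange
front end, then optionally probe the real server on 443.

Added example, not code from the thread or from Microsoft.  The certificate
contents, hostnames and addresses below are constructed for illustration:
the cert is issued only for the short CNAME, as described in the thread.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT = {
    "subject": ((("commonName", "mail.example.edu"),),),
    "subjectAltName": (("DNS", "mail.example.edu"),),
}

# Constructed names a client might type: the CNAME the cert was issued for,
# the long A-record name, and the raw address.
CANDIDATE_NAMES = [
    "mail.example.edu",
    "exch01-longhostname.dept.example.edu",
    "192.0.2.10",
]


def dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style):
    case-insensitive, and a leading '*' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.edu" -> ".example.edu"
    if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
        return False
    return "." not in hostname[: -len(suffix)]


def cert_dns_names(cert: dict) -> list[str]:
    """Names the cert is valid for: SAN dNSName entries, falling back to the
    subject CN only when the cert carries no SAN at all."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches_cert(cert: dict, name: str) -> bool:
    """True if a client connecting as `name` would accept this certificate.
    A raw IP only matches an 'IP Address' SAN entry, never the CN."""
    if is_ip_literal(name):
        ips = [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
        return name in ips
    return any(dns_match(p, name) for p in cert_dns_names(cert))


def mismatch_report(cert: dict, names: list[str]) -> dict[str, bool]:
    """Which of the names a client might use would pass the name check."""
    return {n: name_matches_cert(cert, n) for n in names}


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Live check against a real server with full verification on; 443 is the
    only port RPC over HTTP needs from the outside.  Network call; not used
    by the offline report below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "cert valid for " + ", ".join(cert_dns_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return False, f"no TLS connection to {host}:{port}: {exc}"


if __name__ == "__main__":
    for name, ok in mismatch_report(CERT, CANDIDATE_NAMES).items():
        print(f"{name:40} {'OK' if ok else 'NAME MISMATCH'}")
```

Run as-is it prints the offline report: only the CNAME passes, the A-record name and the IP literal do not. To check a real front end, call `probe_tls("your.frontend.name")`; a `certificate rejected` result on 443 is the same condition the browser warning reports, and a `no TLS connection` result points at the network path rather than the certificate.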




