RE: Certificate names and RPC over HTTP for Exchange 2003



Hi Madrilleno,
I can confirm that "Status: 64 The specified network name is no longer
available." for RPC_IN_DATA is completely normal and correct. Every ISA
server that I have checked has this entry right next to a successful
RPC_OUT_DATA when RPC/HTTP is working properly. I read something somewhere
that error 64 is something to do with the way that RPC/HTTP works. Apparently
it keeps the channel open by requesting 1GB of data, but never completely
fulfilling the request. Asking for 1GB but never completing the request keeps
the server in limbo, expecting further requests, thus keeping the channel
open. Something like that.

From some of the logs in your previous posts, I am suspicious that your
RPC/HTTP config on the Exchange server is not quite right. Let's get RPC/HTTP
working properly internally first, then get it to work through ISA. Have a
look at
http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm and
the more detailed version at http://support.microsoft.com/kb/833401/en-us. I
suspect that you do not have the ports and other details set properly in the
Registry. If you make any changes, reboot your Exchange server.

Once you have confirmed that these settings are all correct, configure a
client that has Outlook 2003 or 2007 to connect to Exchange using RPC/HTTP
within the internal network (avoiding ISA). To make this work, make an entry
into the client machine's hosts file with the internal IP of the Exchange
server and the external DNS name that is on the certificate, something like:
10.0.0.8 mail2.mydomain.co.uk
Configure Outlook's RPC/HTTP (Outlook Anywhere in 2007) with:
https://mail2.mydomain.co.uk (you won't need to type the "https://")
tick "Connect using SSL only"
tick "On fast networks, connect using HTTP first..."
tick "On slow networks, connect using HTTP first..."
set authentication to Basic

Ticking "HTTP first" on both fast and slow networks will force Outlook to
connect via HTTP instead of TCP.

Open Outlook. It should prompt you to log in. Remember to include the NetBIOS
domain name. Once it is connected, hold down the Ctrl key and right-click on
the Outlook icon in the System Tray and select Connection Status. If it is
HTTP and there are multiple lines with "Established" then we know that
RPC/HTTP is working internally and we can move on to getting it to work
through ISA.

All of my clients use Forms Based Authentication but you are using HTTP
Authentication on the listener, so unfortunately I do not have a working
example to refer to. I am building an Exchange and ISA setup in the lab at
the moment for my own purposes, but once I get it all installed I will see if
I can get it working with HTTP Authentication.

Have you checked the Authentication Delegation tab in your rule in ISA? I
don't know what the right setting is as I don't have a working example to
refer to, but I think that "No delegation, and client cannot authenticate
directly" probably won't work. I will be trying "No delegation, but client
may authenticate directly" in my lab once I get it set up.

In your listener, on the Authentication tab, Advanced button, do you have
"Require all users to authenticate" ticked? I am not sure what is the right
setting, but try changing it to see if it helps.

Is your ISA server a member of the domain? If so, the description for the
Authentication Domain section of this same area (listener, on the
Authentication tab, Advanced button) says that you don't need to enter in a
domain name if the server is a domain member, but your previous post says
that you have your NetBIOS domain name in there. Maybe this is confusing the
issue, so remove it.

Let me know if any of this helps. Since the error messages in the logs that
you are posting are changing, I think we are getting closer to getting it to
work. Unfortunately I am going to be very busy next week, so it may be a
while before I can finish building my lab and get back to you.

Regards,
Paul Whitfield
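
Added example (not part of the original post, and not ISA's own tooling): a small log-triage filter for the observation above that a status 64 on RPC_IN_DATA is normal when it sits next to a successful RPC_OUT_DATA. The record layout, the use of 200 as the "successful" RPC_OUT_DATA status, and the 60-second pairing window are assumptions made for illustration; the sample records are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed, pre-parsed records: (time, client IP, HTTP verb, status).
# These are NOT real ISA log lines; the field layout is an assumption.
SAMPLE = [
    ("2008-03-01 09:00:01", "192.0.2.10", "RPC_OUT_DATA", 200),
    ("2008-03-01 09:00:02", "192.0.2.10", "RPC_IN_DATA", 64),   # paired: expected noise
    ("2008-03-01 09:05:00", "192.0.2.20", "RPC_IN_DATA", 64),   # OUT channel was refused
    ("2008-03-01 09:05:03", "192.0.2.20", "RPC_OUT_DATA", 401),
    ("2008-03-01 09:10:00", "192.0.2.30", "RPC_OUT_DATA", 200),
    ("2008-03-01 09:30:00", "192.0.2.30", "RPC_IN_DATA", 64),   # success is too far away
]


def unpaired_64(records, ok_statuses=(200,), window=timedelta(seconds=60)):
    """Return RPC_IN_DATA status-64 records with no successful RPC_OUT_DATA
    from the same client within `window`.

    Paired entries are the normal pattern described in the post and are
    suppressed; unpaired ones are worth a closer look.
    """
    parsed = [(datetime.strptime(t, FMT), ip, verb, st)
              for t, ip, verb, st in records]

    # Times of successful RPC_OUT_DATA requests, indexed by client IP.
    ok_out = {}
    for ts, ip, verb, st in parsed:
        if verb == "RPC_OUT_DATA" and st in ok_statuses:
            ok_out.setdefault(ip, []).append(ts)

    flagged = []
    for ts, ip, verb, st in parsed:
        if verb != "RPC_IN_DATA" or st != 64:
            continue
        paired = any(abs(ts - out_ts) <= window for out_ts in ok_out.get(ip, []))
        if not paired:
            flagged.append((ts.strftime(FMT), ip, verb, st))
    return flagged


if __name__ == "__main__":
    for rec in unpaired_64(SAMPLE):
        print("review:", rec)
```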