RE: RPC with illegal TLD
- From: Shijaz <Shijaz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 30 Nov 2006 02:32:00 -0800
A TLD of .local is often recommended for internal domains to prevent possible
DNS conflicts with internet domain names. The customer you inherited is
following best practices as far as internal domain name is concerned.
I highly recommend using HTTPS for RPC, to safeguard passwords. If you use
https, be sure to use a commercial certificate (certificates are cheap - $20
certificates available on godaddy.com). If not, you should copy the CA
certificate into the trusted CA store of each client machine.
I suggest you also have a look at the article for "RPC over HTTP Single
Server Scenario" on petri.co.il
Tip: If you hold down the CTRL key and click on the Outlook 2003 system tray
icon, you see an item called "Connection details" on the menu; this will help
you in troubleshooting because it shows whether the connection is HTTP/S or TCP.
Good luck,
--
Shijaz Abdulla
MVP, MCSE:Security, CCNA
Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org
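As an added example (not part of either message in this thread), a PowerShell check that shows what the certificate advice above amounts to from the client's side: it reports what mail.domain.com resolves to, which certificate the HTTPS endpoint presents, and whether this machine's trusted root store accepts its chain. The host name comes from the thread; port 443 and the single-name match are assumptions.

```powershell
# Added example, not from the original post: report whether this client
# trusts the certificate the RPC-over-HTTPS endpoint presents, and why not.
# mail.domain.com is the name from the thread; port 443 is assumed.
function Test-RpcHttpsCertificate {
    param([string]$HostName = 'mail.domain.com', [int]$Port = 443)
    $report = [ordered]@{ HostName = $HostName; ResolvesTo = $null; Subject = $null
                          Issuer = $null; Expires = $null; NameMatches = $false
                          ChainTrusted = $false; ChainStatus = @() }
    # With split DNS this should be the internal IP inside the network and the
    # ISA external IP outside; the wrong answer alone explains "server unavailable".
    $report.ResolvesTo = ([System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }) -join ', '
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be inspected;
        # the trust decision is made explicitly below, not by this callback.
        $accept = { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $report.Subject = $cert.Subject
        $report.Issuer  = $cert.Issuer
        $report.Expires = $cert.NotAfter
        # Simplified name check (assumption): the certificate's primary DNS name
        # (SAN or CN) must equal the name clients type into Outlook.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $report.NameMatches = ($dnsName -ieq $HostName)
        # Build the chain against this machine's trusted root store; a private CA
        # shows up as UntrustedRoot until its certificate has been imported.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $report.ChainTrusted = $chain.Build($cert)
        $report.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $ssl.Dispose()
    } finally { $tcp.Close() }
    [pscustomobject]$report
}

Test-RpcHttpsCertificate | Format-List
```

ChainTrusted = True with NameMatches = True is the state a commercial certificate gives out of the box; an UntrustedRoot status is the case where the CA certificate still has to be copied into each client's trusted store.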
"Brian Edwards" wrote:
Just inherited a customer that uses an illegal TLD, .local. They would like
to use Exchange RPC for Outlook clients. RPC over HTTPS is an option, but
not the preferred method. They use a split DNS infrastructure. Here are
some notes:
Internal TLD: domain.local
External TLD: domain.com
Single Exchange server
Exchange 2003 Enterprise SP2, server named "mail"
Windows 2003 Standard SP1
ISA 2004 SP2 at perimeter, joined to domain - separate server from Exchange
Internal Outlook clients resolve the Exchange server name to
"mail.domain.local". The internal DNS also hosts domain.com internally, and
has an entry for "mail.domain.com" that points to the internal IP address of
mail.domain.local. The public DNS, located on a DMZ, points mail.domain.com
to the external IP address of the ISA server. One rule is configured to
allow "RPC (all interfaces)" from Internal to External. Another rule
publishes "Exchange RPC Server" to External from the internal IP address of
mail.domain.local.
When external Outlook clients attempt to create a profile using
mail.domain.com, the process errors out saying that the Exchange server is
unavailable. When the clients connect via VPN, the process completes
successfully, but the name of the Exchange server is changed from
"mail.domain.com" to "mail.domain.local", the internal DNS NetBIOS name of
the Exchange server.
What am I doing wrong here? I'm following 3 similar, but slightly
different, tutorials: one on microsoft.com, one on isaserver.org and one on
windowsitpro.com. They're basically all the same tutorial, albeit with
slightly minor differences, but I can't seem to get this to work. When I
monitor logging for the rule[s] mentioned above, no results are returned. It
does not appear that the rules ever get touched. Any help is appreciated.
TIA