Re: RPC over HTTP - Client Setup Parameters

From: WK (wkent_at_netsandbytesdotcom)
Date: 10/25/04


Date: Sun, 24 Oct 2004 19:07:27 -0800

Hi Matthew,
Answers inline. I am not explaining this very well.
For this to work you either need a DNS record for
"hostname.yourdomain.whatever" that points to your external router
interface. This is the DNS name to use during CEICW and for the certificate.
OR use the external IP address of the router in place of
"hostname.yourdomain.whatever".
Internet
|
"hostname.yourdomain.whatever" (router)
 |
Forwards Ports 25,443,444,3389,4125
|
SBSServer proxies "fqdn resolves to IP address" to SBSServer.domain.local

The "hostname.yourdomain.whatever" should be the same one used during CEICW.

HTH
"Matthew Greig" <mgreig@REMOVE.groundlevelconsulting.com> wrote in message
news:ehDAQRiuEHA.2508@TK2MSFTNGP10.phx.gbl...
> WK
>
> Thanks for the quick reply. I would agree with you that the service is
> most useful for mobile users, but you have to get it working correctly
> first. I'm following you when you reference "mail.domain.com", but I've
> never had an Internet DNS server pointing to the external IP of the router
> (and then forwarding it on to my SBS2K3 server) b/c I've always used a
> dynamic IP address and not a static one that would allow me to effectively
> post an Internet DNS entry. I'm not sure just exactly what I've used when
> running the CEICW.
>
> 1. Even when I join a machine (say a laptop) to the domain, take that
> machine to another domain, and then try to connect the remote site - I
> *still* receive the "Security Alert" popup. If I'm reading your response
> correctly, I shouldn't receive the "Security Alert" popup window--You will
> always receive the certificate pop up if your computer is not a member of
> the domain controlled by the SBS2003. The certificate may be installed on
> the computer BUT the issuer, SBS2003, is no longer trusted.
>
> 2. See #1.
>
> 3. Fair enough - what I had assumed.
>
> 4. There is no DNS record that points to the IP address of the SBS2K3
> server b/c the IP address leased from the ISP is a dynamic IP. That's why
> I'm using dyndns.org's free service. I could understand if I *have* to
> have a DNS record pointing to the IP address of my SBS2K3 server, but as I
> mentioned before - I've never had anything BUT a dynamic IP address and
> the RPC via HTTP *has* worked for me previously.---For any computer to
> resolve your fqdn there has to be a DNS record for that domain somewhere.
> Dynamic DNS monitors your external IP address and updates the records
> accordingly. The DNS record has to point to the external IP address of your
> network.
>
> 5. I'm assuming that I'm not receiving a standard "mail.domain.com"
> return for the "Principal name for proxy server" (step #10) b/c I didn't
> use a FQDN when running CEICW. And I didn't use the FQDN b/c I'm not
> hosting the website locally, I'm using a third party (PowWeb) to host the
> website and thus need the Internet DNS entries to point to PowWeb's
> servers and not to the dynamic IP address = external IP address of the
> router. If your web site is hosted elsewhere then you need a DNS record
> created that points to anotherhostname.yourdomain.com.
>
> 6. I haven't worried about running the extra security patch b/c I'm
> running SP2, I just wanted to verify that there isn't some goofy known
> issue with RPC via HTTP and SP2 (or lack-there-of).
> --
> Matthew Greig
> Ground Level Consulting
> "WK" <wkent@netsandbytesdotcom> wrote in message
> news:uWgV00huEHA.2632@TK2MSFTNGP10.phx.gbl...
>> Hi Matthew,
>> My take on Exchange RPC via HTTPS. It is most useful for mobile users.
>> See Answers Inline
>> In the answers to your questions "mail.domain.com" refers to your
>> internet fully qualified domain name which internet DNS servers resolve
>> as pointing to the external IP address of your router and you used when
>> running the CEICW wizard.
>>
>> "Matthew Greig" <mgreig@REMOVE.groundlevelconsulting.com> wrote in
>> message news:OzURpWhuEHA.1372@TK2MSFTNGP14.phx.gbl...
>>> Ok, so I love the ability to use a full Outlook 2K3 client to connect to
>>> an Exchange 2K3 server - very slick. However, when I try and setup the
>>> connection (and yes, follow the custom instructions to a "T"), my
>>> results seem to be very hit or miss (and more often miss than hit). I'm
>>> hoping for some clarification as to exactly what has to be done to
>>> connect an Outlook 2K3 client to an Exchange server using RPC over HTTP.
>>> Here are my questions:
>>>
>>> 1. Does the client PC have to be a part of the SBS2K3 domain? -- No,
>>> but issue 2 is avoided if it is. :)
>>>
>>> 2. Does the SSL cert, once it's been imported from the
>>> https://xxx.com/remote site, have to be installed such that you are
>>> never bothered with the "Security Alert" window again when navigating to
>>> the site? I ask b/c on all three SBS2K3 servers that I've setup, even
>>> after the cert is imported, I continue to receive the "Security Alert"
>>> popup window. Before importing the cert, both the first and last of the
>>> three site notifications return problems (yellow triangles w/
>>> exclamation points) - the first being the cert issuing source (do you
>>> trust it or not) and the last being: "The name on the security
>>> certificate is invalid or does not match the name of the site". After
>>> importing the cert, the first problem warning, pertaining to the cert
>>> issuing source, changes to a green circle w/ a check mark, but the last
>>> warning continues to show up as a problem and you have to click on the
>>> "Yes" button to proceed every time you navigate to the site - very
>>> annoying. Have I set something up incorrectly, or is this just an
>>> unavoidable by-product of using a free dynamic IP forwarding service
>>> (dyndns.org) where the name of the site is "xxx.gotdns.com/remote"
>>> instead of "xxDNSnamexxx.com/remote"? -- This behaviour is the result of
>>> using a free certificate as opposed to paying an issuing company
>>> $300+/yr. You can import the certificate until the "cows come home" it
>>> is issued by an untrusted source which the computer will never trust
>>> unless it is a member of the domain.
>>>
>>> 3. It doesn't make any difference what account is used when logging
>>> into the client PC (running XP of course) - does it?--I don't think it
>>> matters. The Outlook setup is what matters.
>>>
>>> 4. In following the "Using Outlook via the Internet" custom tutorial
>>> found after logging into the https://xxx.com/remote site, step #4
>>> (Exchange Server name) & #8 (URL to connect to my proxy server for
>>> Exchange) in the "Configure the computer for RPC over HTTP" section
>>> instructs use of "boxname.domainname.loc" (substituting the actual box
>>> name and domain name for the first two sub-domains and I've picked "loc"
>>> as the top level domain name). However, if the SBS2K3 server is using a
>>> dynamic IP address and a free dynamic IP forwarding service, how is the
>>> client machine going to locate "boxname.domainname.loc"?--It locates
>>> #8, your mail.domain.com, which proxies the request to #4,
>>> servername.local (whatever)
>>>
>>> 5. Additionally in step #10 (Principal name for proxy server), I'm
>>> instructed to use "msstd:boxname.domainname.loc". I again don't
>>> understand how that proxy server is going to be found w/o a permanent
>>> DNS entry that the client PC can lookup regardless of what network (and
>>> therefore DNS servers) it's connected to.--On my custom instruction
>>> *** it says type msstd:mail.domain.com
>>>
>>> 6. Any problems (or benefits) with using SP2 for XP with trying to
>>> establish a RPC over HTTP connection?--The issue with installing the
>>> hotfix Q331320 is avoided if XPSP2 is installed on the client.
>>>
>>> It would seem to me like every time I try and set up a client using the
>>> custom tutorial found after logging into the https://xxx.com/remote
>>> site, it should fail b/c of the DNS problems - but sometimes it has
>>> worked for me. I couldn't recount just exactly what I did in those
>>> cases b/c I've tried too many things to get the service to work at that
>>> point and I've tried so many different times on so many different boxes
>>> that they all start running together. I just want to know what I have
>>> to do to get the service up and running...
>>>
>>> A big old TIA!
>>>
>>> --
>>> Matthew Greig
>>> Ground Level Consulting
>>>
>>
>>
>
>
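The thread's answers turn on three client-side tests: the proxy name in step 8 must have a public DNS record, the certificate presented on that host must carry that same name, and its issuer must be one the client trusts (which a non-domain machine never does for the SBS self-issued certificate). As an added illustration that is not code from the thread or from Microsoft, here is a small Python model of those tests run over constructed inputs; the class names, the sample host names, the issuer string and the treatment of the msstd: principal name as a comparison against the certificate subject are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse


@dataclass
class ClientConfig:          # the three Outlook fields the thread argues about
    proxy_url: str           # step 8: https://<public name>/rpc
    principal_name: str      # step 10: msstd:<name on the proxy certificate>
    exchange_server: str     # step 4: internal name, resolved by the proxy, not the client


@dataclass
class ServerCert:            # what the client sees on https://<public name>/ (constructed)
    subject_cn: str
    san_dns: list = field(default_factory=list)
    issuer: str = "SBS2003 self-signed"          # assumed issuer label
    not_after: date = date(2005, 10, 24)


def name_matches(hostname, cert):
    """Hostname-vs-certificate check behind the 'name on the security
    certificate is invalid' warning; one-label wildcard only."""
    host = hostname.lower()
    for name in [cert.subject_cn, *cert.san_dns]:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def check_config(cfg, cert, public_dns, trusted_issuers, today=date(2004, 10, 24)):
    """List the problems a client outside the LAN would hit with this setup."""
    problems = []
    host = (urlparse(cfg.proxy_url).hostname or "").lower()
    if host not in public_dns:                       # nothing for the client to reach
        problems.append(f"no public DNS record for {host}")
    if not name_matches(host, cert):                 # the last yellow triangle
        problems.append("certificate name does not match proxy host")
    if not cfg.principal_name.startswith("msstd:") \
            or not name_matches(cfg.principal_name[6:], cert):
        problems.append("msstd: principal name does not match certificate")
    if cert.issuer not in trusted_issuers:           # the first yellow triangle
        problems.append(f"issuer {cert.issuer!r} is not trusted")
    if today > cert.not_after:                       # the middle notification
        problems.append("certificate has expired")
    return problems
```

Running the thread's failing case (public dyndns name in step 8 but a certificate issued to the internal .loc name) reports both the name mismatch and the untrusted issuer, while a certificate issued to the public name on a domain-joined client reports nothing.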