Re: RPC over HTTP - Client Setup Parameters

From: Matthew Greig (mgreig_at_REMOVE.groundlevelconsulting.com)
Date: 10/25/04


Date: Sun, 24 Oct 2004 22:32:55 -0700

Alright - so let's use my test SBS2K3 server as a specific example so I can
make sure we're both on the same page. My registered domain name is
"groundlevelconsulting.com". That domain is hosted by PowWeb and the DNS
entries for "groundlevelconsulting.com" point to PowWeb's DNS servers. I
can certainly go into my PowWeb account and create a child domain, say
"mailserver", of my domain and point it to my dynamic IP address given to me
by Comcast. There would then be an Internet DNS record for
"mailserver.groundlevelconsulting.com" that would point to my dynamic,
Comcast IP address (24.18.224.2 for argument's sake). Alternatively, I
could simply use my dynamic, Comcast IP address of 24.18.224.2 during the
CEICW and for the certificate. That's all well and good until my IP address
changes - as it is a dynamic IP address - and now the Internet DNS record
for "mailserver.groundlevelconsulting.com" that's pointing to 24.18.224.2
isn't pointing at my SBS server anymore b/c my IP address has changed to
24.18.224.3. If I had just used the straight IP address during the CEICW
setup I wouldn't be any better off.

I'm confident that we'll all agree on the above specifics, but then the
question for me remains if that's how I need to set up my domain to be able
to use RPC via HTTP how have I been able to use RPC via HTTP successfully in
at least three different scenarios when I have most definitely never done
any of the above before?? I know that you aren't going to be able to answer
that question, so how about I ask what people out there are doing to get
around these issues. Certainly a lot of us and our clients have a similar
scenario to the one I'm describing - that being a dynamic IP address
allocation and the desire to use RPC via HTTP. What are people doing to
either create a DNS record that's dynamically updated as the dynamic IP
address changes (but that will still screw things up for a day or two until
all of the DNS records are updated) or ....??!?

Lastly, I'm still unclear on the "Security Alert" popup window. From your
last answer of, "You will always receive the certificate pop up if your
computer is not a member of the domain controlled by the SBS2003" - I'm
assuming that if the computer *IS* a member of the domain controlled by the
SBS2K3 server, the "Security Alert" popup window should *NOT* pop up?

-- 
Matthew Greig
Ground Level Consulting
"WK" <wkent@netsandbytesdotcom> wrote in message 
news:uA%23ZD$juEHA.2520@TK2MSFTNGP15.phx.gbl...
> Hi Matthew,
> Answers inline. I am not explaining this very well.
> For this to work you either need a DNS record for 
> "hostname.yourdomain.whatever" that points to your external router 
> interface. This is the dns name to use during CEICW and for the 
> certificate. OR use the external ipaddress of the router in place of 
> "hostname.yourdomain.whatever".
> Internet
> |
> "hostname.yourdomain.whatever" (router)
> |
> Forwards Ports 25,443,444,3389,4125
> |
> SBSServer proxies "fqdn resolves to ipaddress"  to SBSServer.domain.local
>
> The "hostname.yourdomain.whatever" should be the same one used during 
> CEICW.
>
> HTH
> "Matthew Greig" <mgreig@REMOVE.groundlevelconsulting.com> wrote in message 
> news:ehDAQRiuEHA.2508@TK2MSFTNGP10.phx.gbl...
>> WK
>>
>> Thanks for the quick reply.  I would agree with you that the service is 
>> most useful for mobile users, but you have to get it working correctly 
>> first. I'm following you when you reference "mail.domain.com", but I've 
>> never had an Internet DNS server pointing to the external IP of the 
>> router (and then forwarding it on to my SBS2K3 server) b/c I've always 
>> used a dynamic IP address and not a static one that would allow me to 
>> effectively post an Internet DNS entry.  I'm not sure just exactly what 
>> I've used when running the CEICW.
>>
>> 1.   Even when I join a machine (say a laptop) to the domain, take that 
>> machine to another domain, and then try to connect the remote site - I 
>> *still* receive the "Security Alert" popup.  If I'm reading your response 
>> correctly, I shouldn't receive the "Security Alert" popup window--You 
>> will always receive the certificate pop up if your computer is not a 
>> member of the domain controlled by the SBS2003. The certificate may be 
>> installed on the computer BUT the issuer, SBS2003, is no longer trusted.
>>
>> 2.  See #1.
>>
>> 3.  Fair enough - what I had assumed.
>>
>> 4.  There is no DNS record that points to the IP address of the SBS2K3 
>> server b/c the IP address leased from the ISP is a dynamic IP.  That's 
>> why I'm using dyndns.org's free service.  I could understand if I *have* 
>> to have a DNS record pointing to the IP address of my SBS2K3 server, but 
>> as I mentioned before - I've never had anything BUT a dynamic IP address 
>> and the RPC via HTTP *has* worked for me previously.---For any computer 
>> to resolve your fqdn there has to be a DNS record for that domain 
>> somewhere. Dynamic DNS monitors your external ipaddress and updates the 
>> records accordingly. The DNS record has to point to the external 
>> ipaddress of your network.
>>
>> 5.  I'm assuming that I'm not receiving a standard "mail.domain.com" 
>> return for the "Principal name for proxy server" (step #10) b/c I didn't 
>> use a FQDN when running CEICW.  And I didn't use the FQDN b/c I'm not 
>> hosting the website locally, I'm using a third party (PowWeb) to host the 
>> website and thus need the Internet DNS entries to point to PowWeb's 
>> servers and not to the dynamic IP address = external IP address of the 
>> router. If your web site is hosted elsewhere then you need a DNS record 
>> created that points to anotherhostname.yourdomain.com.
>>
>> 6.  I haven't worried about running the extra security patch b/c I'm 
>> running SP2, I just wanted to verify that there isn't some goofy known 
>> issue with RPC via HTTP and SP2 (or lack thereof).
>> -- 
>> Matthew Greig
>> Ground Level Consulting
>> "WK" <wkent@netsandbytesdotcom> wrote in message 
>> news:uWgV00huEHA.2632@TK2MSFTNGP10.phx.gbl...
>>> Hi Matthew,
>>> My take on Exchange RPC via HTTPS. It is most useful for mobile users. 
>>> See Answers Inline
>>> In the answers to your questions "mail.domain.com" refers to your 
>>> internet fully qualified domain name which internet dns servers resolve 
>>> as pointing to the external ipaddress of your router and you used when 
>>> running the CEICW wizard.
>>>
>>> "Matthew Greig" <mgreig@REMOVE.groundlevelconsulting.com> wrote in 
>>> message news:OzURpWhuEHA.1372@TK2MSFTNGP14.phx.gbl...
>>>> Ok, so I love the ability to use a full Outlook 2K3 client to connect 
>>>> to an Exchange 2K3 server - very slick.  However, when I try and set up 
>>>> the connection (and yes, follow the custom instructions to a "T"), my 
>>>> results seem to be very hit or miss (and more often miss than hit). 
>>>> I'm hoping for some clarification as to exactly what has to be done to 
>>>> connect an Outlook 2K3 client to an Exchange server using RPC over 
>>>> HTTP. Here are my questions:
>>>>
>>>> 1.  Does the client PC have to be a part of the SBS2K3 domain? -- No, 
>>>> but issue 2 is avoided if it is. :)
>>>>
>>>> 2.  Does the SSL cert, once it's been imported from the 
>>>> https://xxx.com/remote site, have to be installed such that you are 
>>>> never bothered with the "Security Alert" window again when navigating 
>>>> to the site? I ask b/c on all three SBS2K3 servers that I've set up, 
>>>> even after the cert is imported, I continue to receive the "Security 
>>>> Alert" popup window. Before importing the cert, both the first and last 
>>>> of the three site notifications return problems (yellow triangles w/ 
>>>> exclamation points) - the first being the cert issuing source (do you 
>>>> trust it or not) and the last being: "The name on the security 
>>>> certificate is invalid or does not match the name of the site".  After 
>>>> importing the cert, the first problem warning, pertaining to the cert 
>>>> issuing source, changes to a green circle w/ a check mark, but the last 
>>>> warning continues to show up as a problem and you have to click on the 
>>>> "Yes" button to proceed every time you navigate to the site - very 
>>>> annoying.  Have I set something up incorrectly, or is this just an 
>>>> unavoidable by-product of using a free dynamic IP forwarding service 
>>>> (dyndns.org) where the name of the site is "xxx.gotdns.com/remote" 
>>>> instead of "xxDNSnamexxx.com/remote"? -- This behaviour is the result of 
>>>> using a free certificate as opposed to paying an issuing company 
>>>> $300+/yr. You can import the certificate until the "cows come home" it 
>>>> is issued by an untrusted source which the computer will never trust 
>>>> unless it is a member of the domain.
>>>>
>>>> 3.  It doesn't make any difference what account is used when logging 
>>>> into the client PC (running XP of course) - does it?--I don't think it 
>>>> matters. The Outlook setup is what matters.
>>>>
>>>> 4.  In following the "Using Outlook via the Internet" custom tutorial 
>>>> found after logging into the https://xxx.com/remote site, step #4 
>>>> (Exchange Server name) & #8 (URL to connect to my proxy server for 
>>>> Exchange) in the "Configure the computer for RPC over HTTP" section 
>>>> instructs use of "boxname.domainname.loc" (substituting the actual box 
>>>> name and domain name for the first two sub-domains and I've picked 
>>>> "loc" as the top level domain name).  However, if the SBS2K3 server is 
>>>> using a dynamic IP address and a free dynamic IP forwarding service, 
>>>> how is the client machine going to locate "boxname.domainname.loc"?--It 
>>>> locates #8, your mail.domain.com, which proxies the request to #4, 
>>>> servername.local (whatever)
>>>>
>>>> 5.  Additionally in step #10 (Principal name for proxy server), I'm 
>>>> instructed to use "msstd:boxname.domainname.loc".  I again don't 
>>>> understand how that proxy server is going to be found w/o a permanent 
>>>> DNS entry that the client PC can lookup regardless of what network (and 
>>>> therefore DNS servers) it's connected to.--On my custom instruction 
>>>> *** it says type msstd:mail.domain.com
>>>>
>>>> 6.  Any problems (or benefits) with using SP2 for XP with trying to 
>>>> establish a RPC over HTTP connection?--The issue with installing the 
>>>> hotfix Q331320 is avoided if XPSP2 is installed on the client.
>>>>
>>>> It would seem to me like every time I try and set up a client using the 
>>>> custom tutorial found after logging into the https://xxx.com/remote 
>>>> site, it should fail b/c of the DNS problems - but sometimes it has 
>>>> worked for me.  I couldn't recount just exactly what I did in those 
>>>> cases b/c I've tried too many things to get the service to work at that 
>>>> point and I've tried so many different times on so many different 
>>>> boxes that they all start running together.  I just want to know what I 
>>>> have to do to get the service up and running...
>>>>
>>>> A big old TIA!
>>>>
>>>> -- 
>>>> Matthew Greig
>>>> Ground Level Consulting
>>>>
>>>
>>>
>>
>>
>
> 

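The thread keeps circling back to three names that have to agree for an Outlook 2003 RPC-over-HTTP profile: the public name used in CEICW and on the SBS certificate, the host in the proxy URL (tutorial step 8) and the "msstd:" principal name (step 10), with that public name resolving to the router's current external address. As an added example, not code from the thread or from SBS itself, this offline check reports which of those fall out of line; the DNS table, addresses and certificate names are constructed stand-ins for real lookups.

```python
# Added example, not from the thread: an offline check that the names an
# Outlook 2003 RPC-over-HTTP profile relies on actually agree. The DNS table
# and certificate names below are constructed stand-ins, not real lookups.
from ipaddress import ip_address

def hostname_matches(pattern, host):
    """Certificate name match: exact, or a wildcard covering one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*":
        return pattern == host
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_rpc_http_config(proxy_url, principal, cert_names, dns_table, external_ip):
    """Return findings for the three names that must line up: the proxy URL
    host (step 8), the msstd: principal name (step 10) and the name the SBS
    certificate was issued to. An empty list means they agree."""
    findings = []
    host = proxy_url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    # Step 10: the principal must be msstd:<same name as the proxy host>
    if not principal.lower().startswith("msstd:"):
        findings.append("principal name lacks the msstd: prefix")
    pname = principal.split(":", 1)[-1].lower()
    if pname != host.lower():
        findings.append(f"principal {pname} differs from proxy host {host}")
    # This mismatch is what produces the "name on the security certificate
    # is invalid or does not match" prompt on every visit
    if not any(hostname_matches(n, host) for n in cert_names):
        findings.append(f"certificate does not cover {host}")
    # A bare IP in place of a DNS name needs no record, but a dynamic
    # address will still break the profile the day it changes
    try:
        ip_address(host)
        resolved = host
    except ValueError:
        resolved = dns_table.get(host.lower())
    if resolved is None:
        findings.append(f"no public DNS record for {host}")
    elif resolved != external_ip:
        findings.append(f"{host} resolves to {resolved}, router is {external_ip}")
    return findings

# Constructed scenario from the thread: dyndns record already updated to the
# new Comcast address, certificate issued to the same public name.
DNS_TABLE = {"mailserver.groundlevelconsulting.com": "24.18.224.3"}

if __name__ == "__main__":
    print(check_rpc_http_config(
        "https://mailserver.groundlevelconsulting.com/rpc",
        "msstd:mailserver.groundlevelconsulting.com",
        ["mailserver.groundlevelconsulting.com"], DNS_TABLE, "24.18.224.3"))
```

Feeding it the thread's failing combination (proxy host at a gotdns.com name, principal and certificate on the internal "boxname.domainname.loc" name) lists all three mismatches at once, which is the quickest way to see why the profile works on some boxes and not others.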