RPC over HTTPS Using Port 135 - WHY??
RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 4:49:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
I could easily type several pages to describe in detail what the problem is, but I will only state the crucial information for the sake of your time/my fingers.
I have two separate networks A and B. In network A, I have some PCs all running Windows XP with Outlook 2003. In network B, I have a server machine running Windows Server 2003 and Exchange Server 2003.
The enterprise firewall at network A blocks all incoming AND outgoing connections to port 135. Since Exchange Server by default uses port 135, the Outlook clients cannot see the server. As a solution, I've installed the Windows Server 2003 component called RPC over HTTP, which allows for wrapping RPC packets over the HTTP/HTTPS (80/443) protocol.
The only problem is that, even though both the Exchange server and the Outlook clients are configured for RPC over HTTP, Outlook reports that the Exchange server is unavailable.
To troubleshoot, I used a network analyzer to track packets. To my surprise, I discovered outgoing packets from the Outlook machines to the Exchange Server's port 135, even though I have configured Outlook to use RPC over HTTPS. There are also packets that go to port 443 (HTTPS), but I think the problem has to do with the lost packets going to port 135.
I am convinced that everything is set up correctly with the Exchange Server; I have also done everything correctly in setting up Outlook 2003 to use RPC over HTTP. So I have ABSOLUTELY no idea why Outlook is still trying to connect to the server on the RPC End Point Mapper (135).
At this point, I am so frustrated, because the whole point of installing WS2003 on the server machine was to use the RPC over HTTP feature due to port 135 being blocked.
Does anyone have suggestions? Is there anyone out there who was able to make RPC over HTTP work with port 135 disabled? Please help, I will be grateful!
Thank you.
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 5:35:00 PM
|
|
|
Henrik Walther
Posts: 6849
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
You don't need port 135/TCP in order to make use of RPC over HTTP(S), only port 443/TCP is required. In the past it was a general misconception that 135/TCP was required as well.
I've set up several environments where they use RPC over HTTP(S) and where port 135/TCP was blocked, so you can take my word for it.
Now on to your problem...
Did you try to create completely new Outlook profiles or did you just add the proxy settings in each existing profile?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 5:45:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Thanks for the quick reply.
I would really like to believe you about RPC over HTTP not using 135 at all. It makes sense, I've just yet to see it.
I chose to add the Exchange Server as a new mail server into an existing profile. The reason for this is because:
The clients are using a POP3 server in the intranet to send/retrieve e-mail. The Exchange Server, which is on the internet, will only be used for collaboration, i.e. shared calendar, etc.
If I create a new profile for the Exchange Server, then the users have to switch profiles in order to view their e-mail or view the calendar. This is my understanding anyway.
Is the profile the reason that the client tries to connect to the Exchange box on port 135? [ January 27, 2005, 06:53 PM: Message edited by: anonim ]
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 7:59:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
I should also let you guys know that I can't connect to the Exchange server from within the same network.
I have another PC with Windows XP and Outlook 2003 in the same network as the Exchange server, and this PC makes the same requests in terms of sending packets to port 135.
So before we make any attempts to troubleshoot the two separate networks, I would like to find out how to get RPC over HTTP to work from within my network.
It does work if I allow requests to 135 inside my network, but this defeats the purpose of using RPC over HTTP.
Thanks in advance.
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 8:48:00 PM
|
|
|
Henrik Walther
Posts: 6849
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
As a start I would try to create a completely new Outlook profile and see whether this makes a difference. I have personally tried to configure the Proxy settings in an existing Outlook profile where it worked without a glitch, but have also heard about other Exchange admins who had to create a new profile.
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 9:06:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Yes I did just that, using the PC in the same network as the Exchange server, and I am still having the same issue. Any other ideas?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 27.Jan.2005 9:35:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Thanks for the suggestions.. I ran the rpcdump.exe tool which comes with the Windows Resource Kit Tools, and I got the following result:
code:
D:\Program Files\Windows Resource Kit Tools>rpcdump /P:ncacn_http
Querying Endpoint Mapper Database...
0 registered endpoints found.
rpcdump completed sucessfully after 1 seconds
D:\Program Files\Windows Resource Kit Tools>
The ncacn_http protocol is "Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy."
Does this mean that the RPC over HTTP is not listening for connections? Does anyone mind issuing this command on their server if they have RPC over HTTP running and let me know what the result is? [ January 27, 2005, 09:36 PM: Message edited by: anonim ]
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 31.Jan.2005 3:41:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Over the weekend, I fiddled around some more with the server. I removed the SSL/HTTPS requirement for the RPC virtual directory. I then configured Outlook to use RPC over HTTP (not HTTPS). When I started Outlook, it actually seemed to be communicating with the server. I was not seeing any requests to port 135 anymore, only to port 80 (HTTP). Unfortunately, I still could not log in to my Exchange account because Outlook does not allow you to use Basic Authentication with HTTP.. so I had to set it to NTLM Authentication, and I believe this is the reason why it could not authenticate with the Exchange box.
However, all of the tests that I've performed to test SSL were valid, so I don't know what the problem is. Is there a way to set up RPC over HTTP over port 80 (I know this is unsafe - it is just for testing purposes)? Outlook forces me to give an HTTPS URL as soon as I select Basic Authentication. This would allow me to rule out another variable (SSL) to better troubleshoot the RPC issue.
Thanks.
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 13.Feb.2005 1:53:00 AM
|
|
|
devaldi
Posts: 1
Joined: 13.Feb.2005
From: Vancouver
Status: offline
|
I just got this all working at my location where we have a frontend/backend configuration where our frontend is in our DMZ and is not published via ISA server. Now the first thing to do if you haven't yet is to install Exchange SP1 as it makes it much easier to get it working at the server level. I am also under the assumption that you are configuring this on one Exchange server. If this is so, did you follow the MS instructions on installing rpc/https on one Exchange Server?
Also you said that the Exchange server is on one network but also connected to the internet. So is it in a DMZ or just exposed to the internet and live in your internal subnet? I ask that because Exchange needs to talk to your DCs on a crap load of ports and you may need to edit your DCs'/Exchange registry to specify what RPC endpoint port to use and then enable this on your firewall.
Now if you are sure the server is set up correctly, go to a client and point the browser to https://yourexchangeserver/rpc which should prompt you for authentication, and if you authenticate correctly then it will show an error page. If you don't get the authentication pop-up then there is something wrong with either the connection to the server (telnet to port 443 to check to see if the webserver is working) or communication between your DCs and Exchange server. If you suspect it to be problems with the server communication let me know and I will forward you a list of ports that need to be opened. If all is working from here then there is a problem with Outlook.
Now onto Outlook. Well, actually, first, if you have not done so, point IE at your https://site and click view certificate and then install certificate and follow the wizard. Once this is done all I had to do was go into the Connection tab under more settings, check connect using HTTP and then add the URL of the Exchange server. I also checked the Mutually Authenticate option, and under principal name you have to type in msstd:fqdn.of.exchange, and I use NTLM authentication. This even works for me if I add a new profile on a laptop that is not connected to the internal network using an unroutable (.local) Exchange Server name. A trick to see how you are trying to connect is to hold down Ctrl, right-click the Outlook icon by the system time and select connection status.
I hope this helps.....
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 15.Feb.2005 8:45:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
IT'S WORKING! WOOHOOOO.
Once I had set everything up properly, it no longer sent requests to port 135, only 443. I kept getting the user/pass dialog box over and over..
When it popped back up, it had the format LOCAL_PC_NAME\username. So I re-entered the username as EXCHANGE_SERVER_DOMAIN_NAME\username, and voila!
Now that I have it working internally, I would like to make it work externally.
I have removed the certificate for server.exchange.local and have added a new certificate for my public internet DNS name. My public DNS name is an alias that I am using through dyndns.org, which points at my static IP address.
I've put the server machine in the DMZ for testing purposes, but I still cannot connect from outside the network. Here is what I have for HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts:
server:6001-6002;server.exchange.local:6001-6002;server:6004;server.exchange.local:6004;
Do these also need to be changed to reflect my external DNS name, or should they stay the same? Where else do I need to change my internal DNS name to my external DNS name?
Of course, I am using the external DNS name from the Outlook client configuration.
Thanks for all the help guys, the hard part is over! Just a little more help.. [ February 15, 2005, 09:41 PM: Message edited by: anonim ]
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 16.Feb.2005 10:41:00 PM
|
|
|
Henrik Walther
Posts: 6849
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
The servername(s) under HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts are just fine.
Have you tried to open the connection status window while Outlook is trying to establish a connection via RPC over HTTP(S)? What happens? [ February 16, 2005, 10:42 PM: Message edited by: Henrik Walther ]
|
|
|
|
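Added example, not part of the thread and not Microsoft's code: a parser and audit for the `ValidPorts` value quoted in the posts above, which lists the back-end names and ports the RPC proxy will forward to. The expected host list, the wide-range sample and the function names are assumptions made for illustration; the port roles in the comment (6001 store, 6002 DS referral, 6004 DS proxy) are the standard Exchange 2003 assignments.

```python
import re

# Ports the thread's value allows on the Exchange 2003 back end:
# 6001 (information store), 6002 (DS referral), 6004 (DS proxy).
REQUIRED_PORTS = {6001, 6002, 6004}
ENTRY_RE = re.compile(r"^(?P<host>[^:;\s]+):(?P<lo>\d+)(?:-(?P<hi>\d+))?$")

# Value quoted in the thread.
THREAD_VALUE = ("server:6001-6002;server.exchange.local:6001-6002;"
                "server:6004;server.exchange.local:6004;")
# Constructed sample: a single short name with a wide port range.
WIDE_VALUE = "server:100-5000;"


def parse_valid_ports(value):
    """Return {lowercased host: set of allowed ports} for a ValidPorts string."""
    allowed = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:  # tolerate the trailing ';' seen in the thread's value
            continue
        m = ENTRY_RE.match(entry)
        if m is None:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(m["host"].lower(), set()).update(range(lo, hi + 1))
    return allowed


def audit(value, expected_hosts):
    """Report names lacking a required port and anything allowed beyond need."""
    expected = [h.lower() for h in expected_hosts]
    allowed = parse_valid_ports(value)
    findings = []
    for host in expected:
        missing = REQUIRED_PORTS - allowed.get(host, set())
        if missing:
            findings.append(f"{host}: missing {sorted(missing)}")
    for host, ports in sorted(allowed.items()):
        if host not in expected:
            findings.append(f"{host}: not an expected back-end name")
        extra = ports - REQUIRED_PORTS
        if extra:
            findings.append(
                f"{host}: {len(extra)} extra port(s) allowed, lowest {min(extra)}")
    return findings


if __name__ == "__main__":
    hosts = ["server", "server.exchange.local"]  # names used in the thread
    for label, value in (("thread", THREAD_VALUE), ("wide", WIDE_VALUE)):
        print(label, audit(value, hosts) or "OK")
```

An empty result for the thread's value means both the short name and the FQDN are limited to exactly the three ports; the wide sample shows how a broad range lets the proxy reach far more of the back end than Outlook needs.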
RE: RPC over HTTPS Using Port 135 - WHY?? - 16.Feb.2005 10:52:00 PM
|
|
|
PureKrome
Posts: 32
Joined: 11.Jan.2005
From: Melbourne, Australia
Status: offline
|
how do u do that Henrik?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 3:52:00 AM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Pure Krome,
You can do this by going to Start -> Run and typing in outlook /rpcdiag. I think you can also bring it up by holding down the CTRL key and right-clicking on the Outlook icon in the system tray.
Henrik,
I think I've determined the problem. I hope I'm wrong, but somehow I doubt it. I have everything working perfectly inside my network, so I decided to do it all over again one step at a time and try to diagnose the problem.
I configured my Outlook client to connect to my external DNS name, and I blocked all outgoing connections to port 135. I started Outlook, it sent some packets to 135 (which were blocked) and 443, then came back and told me that the server was unreachable.
Next, I removed the port block rule and started Outlook again. Right away, it asked me for the username/password, which I entered. Immediately, it sent packets to 135, 443, and 88 (Kerberos), and then the Connection Status window showed me that I was connected via HTTPS.
Now having set up the profile, I enabled the port 135 block again and tried to connect. Sure enough, it connected without any issues over port 443.
So, my understanding is that for whatever reason, the connection must be made over port 135 before HTTPS will work. This seems ridiculous considering that the whole point of RPC over HTTP(S) is due to port 135 being blocked.
Can someone please prove me wrong?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 4:20:00 AM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Okay, so I proved myself right. Profile MUST be created over RPC (135) before you can connect via RPC over HTTP(S).
I dug up some old articles where it was recommended to use profgen.exe to create the profiles for RPC over HTTP. Unfortunately, I am having a hell of a time finding this utility. I found the link for Exchange Server All-In-One Tools Download, but it does not include the profgen.exe utility. Has it been replaced by something else? Is it no longer supported on Exchange 2003?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 10:15:00 AM
|
|
|
Henrik Walther
Posts: 6849
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile, but when creating the profile you need to make sure you enter the proxy connection settings before clicking check name at the Exchange Server text box. This is pretty logical as you reach the Exchange Server via an HTTPS tunnel to the Proxy Server.
You can use Office Custom Installation Wizard to create the profiles, this wizard is part of the Office 2003 Resource Kit.
Below links might be of interest:
Microsoft Office Online: Office 2003 Resource Kit Home Page: http://office.microsoft.com/en-us/FX011511471033.aspx
Microsoft Office Assistance: Options for Installing Outlook 2003: http://office.microsoft.com/en-us/assistance/HA011402561033.aspx [ February 17, 2005, 10:23 AM: Message edited by: Henrik Walther ]
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 4:14:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
quote: Originally posted by Henrik Walther: As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile
Hmm.. are you contradicting yourself as well as Thomas Shinder? You made the following post on October 08, 2003 09:17 PM:
Thomas Shinder ISA Server expert and moderator of this board
Quote from his article about RPC HTTP through ISA:
"It is important to note that you must create the profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135). You will not be able to create a new profile or change an existing profile to use RPC over HTTP if it does not have access to the Exchange Server via RPC (TCP 135).
This bears repeating: you will not be able to create a new Outlook profile when the Outlook client is not on the internal network and can access the Exchange Server using RPC via TCP 135. In addition, a user with an existing profile will not be able to alter the existing profile so that it can use RPC over HTTP if that client is not located on the internal network and can access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135."
quote: Originally posted by Henrik Walther: but when creating the profile you need to make sure you enter the proxy connection settings before clicking check name at the Exchange Server text box. This is pretty logical as you reach the Exchange Server via an HTTPS tunnel to the Proxy Server.
Unfortunately, the first time when you create a profile, after entering the Exchange server name and username and clicking More Settings to get to the RPC over HTTP configuration, Outlook automatically performs a check name. After being unable to connect to the server over port 135, it pops up with the Check Name once again. If you then click Cancel, you can get to the window to configure More Settings.
quote: Originally posted by Henrik Walther: You can use Office Custom Installation Wizard to create the profiles, this wizard is part of the Office 2003 Resource Kit.
Below links might be of interest:
Microsoft Office Online: Office 2003 Resource Kit Home Page: http://office.microsoft.com/en-us/FX011511471033.aspx
Microsoft Office Assistance: Options for Installing Outlook 2003: http://office.microsoft.com/en-us/assistance/HA011402561033.aspx
I will look into these tools and see if I can find a way to create the profile from outside the network.
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 5:15:00 PM
|
|
|
anonim
Posts: 34
Joined: 27.Jan.2005
From: US
Status: offline
|
Well, I used the Custom Installation Wizard to set up an Outlook profile to connect via RPC over HTTP. I then exported the settings to a .prf file. When I executed this file, it asked me if I wanted to import the settings from the file into my Outlook, and I of course said yes. Then, I noticed that it started trying to connect to the Exchange server on port 135 and 443. After a while, it came back saying that the Exchange server is unavailable. Hence, it did not work.
I am curious about the profile creation process over RPC (135). Is the profile created on the server-end or the client-end? I assume it is on the client-end. If so, is this something that I can do:
1. Create a profile to connect via RPC over HTTP using a machine inside my Exchange network.
2. Somehow export this profile to a file (this is the part I'm not sure about - are the different profiles in the Mail Setup represented as files?)
3. Copy the file over to a machine outside of the network and import it into Outlook, and voila!
This theoretically should work (in my head). Or am I making false assumptions?
|
|
|
|
RE: RPC over HTTPS Using Port 135 - WHY?? - 17.Feb.2005 5:18:00 PM
|
|
|
Henrik Walther
Posts: 6849
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
quote: Originally posted by anonim: quote: Originally posted by Henrik Walther: As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile
Hmm.. are you contradicting yourself as well as Thomas Shinder? You made the following post on October 08, 2003 09:17 PM:
Did you note the date I replied with that answer?
And yes, based on my real-world experience with Exchange 2003's RPC over HTTP(S) feature, I do contradict information I posted over 1 year ago and right after RTM was put on the market (based on a BETA release).
If you don't find my answers trustworthy I honestly couldn't care less, I spend quite a lot of my time helping out frustrated Exchange Admins here on MSExchange.org's Message Boards, and don't really want to bother with lame replies such as your latest.
|
|
|
|