RPC over HTTPS Using Port 135 - WHY?? (Full Version)



anonim -> RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 4:49:00 PM)

I could easily type several pages to describe in detail what the problem is, but I will only state the crucial information for the sake of your time/my fingers.

I have two separate networks A and B. In network A, I have some PCs all running Windows XP with Outlook 2003. In network B, I have a server machine running Windows Server 2003 and Exchange Server 2003.

The enterprise firewall at network A blocks all incoming AND outgoing connections to port 135. Since Exchange Server by default uses port 135, the Outlook clients cannot see the server. As a solution, I've installed the Windows Server 2003 component called RPC over HTTP, which allows for wrapping RPC packets over the HTTP/HTTPS (80/443) protocol.

The only problem is that, even though both the Exchange server and the Outlook clients are configured for RPC over HTTP, Outlook reports that the Exchange server is unavailable.

To troubleshoot, I used a network analyzer to track packets. To my surprise, I discovered outgoing packets from the Outlook machines to the Exchange Server's port 135, even though I have configured Outlook to use RPC over HTTPS. There are also packets that go to port 443 (HTTPS), but I think the problem has to do with the lost packets going to port 135.

I am convinced that everything is set up correctly with the Exchange Server; I have also done everything correctly in setting up Outlook 2003 to use RPC over HTTP. So I have ABSOLUTELY no idea why Outlook is still trying to connect to the server on the RPC End Point Mapper (135).

At this point, I am so frustrated, because the whole point of installing WS2003 on the server machine was to use the RPC over HTTP feature due to port 135 being blocked.

Does anyone have suggestions? Is there anyone out there who was able to make RPC over HTTP work with port 135 disabled? Please help, I will be grateful!

Thank you.




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 5:35:00 PM)

You don't need port 135/TCP in order to make use of RPC over HTTP(S), only port 443/TCP is required. In the past it was a general misconception that 135/TCP was required as well.

I've set up several environments where they use RPC over HTTP(S) and where port 135/TCP was blocked, so you can take my word for it.

Now on to your problem...

Did you try to create completely new Outlook profiles or did you just add the proxy settings in each existing profile?




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 5:45:00 PM)

Thanks for the quick reply.

I would really like to believe you about RPC over HTTP not using 135 at all. It makes sense, I've just yet to see it.

I chose to add the Exchange Server as a new mail server into an existing profile. The reason for this is because:

The clients are using a POP3 server in the intranet to send/retrieve e-mail. The Exchange Server, which is on the internet, will only be used for collaboration, i.e. shared calendar, etc.

If I create a new profile for the Exchange Server, then the users have to switch profiles in order to view their e-mail or view the calendar. This is my understanding anyway.

Is the profile the reason that the client tries to connect to the Exchange box on port 135?

[ January 27, 2005, 06:53 PM: Message edited by: anonim ]




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 7:59:00 PM)

I should also let you guys know that I can't connect to the Exchange server from within the same network.

I have another PC with Windows XP and Outlook 2003 in the same network as the Exchange server, and this PC makes the same requests in terms of sending packets to port 135.

So before we make any attempts to troubleshoot the two separate networks, I would like to find out how to get RPC over HTTP to work from within my network.

It does work if I allow requests to 135 inside my network, but this defeats the purpose of using RPC over HTTP.

Thanks in advance.




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 8:48:00 PM)

As a start I would try to create a completely new Outlook profile and see whether this makes a difference. I have personally tried to configure the Proxy settings in an existing Outlook profile where it worked without a glitch, but have also heard about other Exchange admins who had to create a new profile.




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 9:06:00 PM)

Yes I did just that, using the PC in the same network as the Exchange server, and I am still having the same issue. Any other ideas?




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 9:21:00 PM)

If you haven't already done so I would also suggest you install Exchange 2003 SP1.

When configuring a new profile, do you specify the Proxy settings before you click Check Name at the Exchange server name box?

Other than that I can only recommend you check out below articles (if you haven't already done so):

How to configure RPC over HTTP on a single server in Exchange Server 2003:
http://support.microsoft.com/?id=833401

Exchange Server 2003 RPC over HTTP Deployment Scenarios:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx

How to configure an RPC over HTTP topology on computers that are running Exchange 2003 with Service Pack 1:
http://support.microsoft.com/?id=841652

How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003:
http://support.microsoft.com/kb/827330/en-us




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (27.Jan.2005 9:35:00 PM)

Thanks for the suggestions.. I ran the rpcdump.exe tool which comes with the Windows Resource Kit Tools, and I got the following result:

code:
D:\Program Files\Windows Resource Kit Tools>rpcdump /P:ncacn_http
Querying Endpoint Mapper Database...
0 registered endpoints found.

rpcdump completed sucessfully after 1 seconds

D:\Program Files\Windows Resource Kit Tools>

The ncacn_http protocol is "Connection-oriented TCP/IP using Microsoft Internet Information Server as HTTP proxy."

Does this mean that the RPC over HTTP is not listening for connections? Does anyone mind issuing this command on their server if they have RPC over HTTP running and let me know what the result is?

[ January 27, 2005, 09:36 PM: Message edited by: anonim ]




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (31.Jan.2005 3:41:00 PM)

Over the weekend, I fiddled around some more with the server. I removed the SSL/HTTPS requirement for the RPC virtual directory. I then configured Outlook to use RPC over HTTP (not HTTPS). When I started Outlook, it actually seemed to be communicating with the server. I was not seeing any requests to port 135 anymore, only to port 80 (HTTP). Unfortunately, I still could not log in to my Exchange account because Outlook does not allow you to use Basic Authentication with HTTP.. so I had to set it to NTLM Authentication, and I believe this is the reason why it could not authenticate with the Exchange box.

However, all of the tests that I've performed to test SSL were valid, so I don't know what the problem is. Is there a way to set up RPC over HTTP over port 80 (I know this is unsafe - it is just for testing purposes)? Outlook forces me to give an HTTPS URL as soon as I select Basic Authentication. This would allow me to rule out another variable (SSL) to better troubleshoot the RPC issue.

Thanks.




ErohnTrask -> RE: RPC over HTTPS Using Port 135 - WHY?? (4.Feb.2005 3:02:00 AM)

I am having the same issue. My external Outlook clients want to connect on port 135 as well. [Frown]

I have 2 different lab environments. Both only have 1 server that acts as IIS, DC, and Exchange server. The only difference between the 2 is that 1 is protected by ISA 2004, and the other by a Linksys router.

Now I have tried every trick that I can find. Regardless of what I do, it fails to connect. Then, when I check the logs, I can see a connection on port 443 and then I see the attempts on 135.

Could this issue be isolated to single server environments??




devaldi -> RE: RPC over HTTPS Using Port 135 - WHY?? (13.Feb.2005 1:53:00 AM)

I just got this all working at my location, where we have a frontend/backend configuration in which our frontend is in our DMZ and is not published via ISA server. Now the first thing to do, if you haven't yet, is to install Exchange SP1, as it makes it much easier to get it working at the server level. I am also under the assumption that you are configuring this on one Exchange server; if so, did you follow the MS instructions on installing rpc/https on one Exchange server?

Also, you said that the Exchange server is on one network but also connected to the internet. So is it in a DMZ, or just exposed to the internet and live in your internal subnet? I ask because Exchange needs to talk to your DCs on a crap load of ports, and you may need to edit your DCs'/Exchange registry to specify what RPC end point port to use and then enable this on your firewall.

Now, if you are sure the server is set up correctly, go to a client and point a browser to https://yourexchangeserver/rpc, which should prompt you for authentication; if you authenticate correctly, it will then show an error page. If you don't get the authentication pop-up, then there is something wrong with either the connection to the server (telnet to port 443 to check whether the web server is working) or communication between your DCs and Exchange server. If you suspect it to be problems with the server communication, let me know and I will forward you a list of ports that need to be opened. If all is working from here, then there is a problem with Outlook.

Now on to Outlook. Well, actually, if you have not done so, first point IE at your https://site, click View Certificate and then Install Certificate, and follow the wizard. Once this is done, all I had to do was go into the Connection tab under More Settings, check Connect using HTTP and then add the URL of the Exchange server. I also checked the Mutually Authenticate option, and under principal name you have to type in msstd:fqdn.of.exchange, and I use NTLM authentication. This even works for me if I add a new profile on a laptop that is not connected to the internal network using an unroutable (.local) Exchange Server name. A trick to see how you are trying to connect is to hold down Ctrl, right-click the Outlook icon by the system time and select Connection Status.

I hope this helps.....
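The server-side check described in the post above, written out as a script. This is an added example, not part of the original post: it requests the `/rpc` path over HTTPS with certificate validation enabled and reports whether an authentication prompt (HTTP 401 with a `WWW-Authenticate` header) is offered and which schemes it lists. The function names and outcome strings are hypothetical, and treating "401 plus at least one scheme" as the prompt is an assumption.

```python
import http.client
import ssl
import sys


def offered_schemes(www_authenticate):
    """Reduce WWW-Authenticate header values to sorted lower-case scheme names."""
    return sorted({v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()})


def classify(status, schemes, tls=True):
    """Map one probe result onto the outcomes described in the post.

    tls=False is only for judging a response captured from a plain-HTTP
    test setup such as the port 80 experiment mentioned in the thread.
    """
    if status == 401 and schemes:
        if "basic" in schemes and not tls:
            return "auth-prompt (Basic offered without TLS)"
        return "auth-prompt"
    return "no-auth-prompt"


def probe(host, path="/rpc", port=443, timeout=5.0):
    """GET https://host/rpc and return (outcome, schemes)."""
    ctx = ssl.create_default_context()  # validates chain and host name
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        schemes = offered_schemes(resp.headers.get_all("WWW-Authenticate") or [])
        return classify(resp.status, schemes), schemes
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer or a certificate name that does not match the host
        return f"certificate-rejected: {exc.verify_message}", []
    except OSError as exc:  # refused, timed out, name resolution failure
        return f"unreachable-on-{port}: {exc}", []
    finally:
        conn.close()


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

A `certificate-rejected` result separates a trust or name-mismatch problem from a listener that is simply not reachable on 443.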




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (15.Feb.2005 8:45:00 PM)

IT'S WORKING! WOOHOOOO.

Once I had set everything up properly, it no longer sent requests to port 135, only 443. I kept getting the user/pass dialog box over and over..

When it popped back up, it had the format LOCAL_PC_NAME\username. So I re-entered the username as EXCHANGE_SERVER_DOMAIN_NAME\username, and voila!

Now that I have it working internally, I would like to make it work externally.

I have removed the certificate for server.exchange.local and have added a new certificate for my public internet DNS name. My public DNS name is an alias that I am using through dyndns.org, which points at my static IP address.

I've put the server machine in the DMZ for testing purposes, but I still cannot connect from outside the network. Here is what I have for HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts:

server:6001-6002;server.exchange.local:6001-6002;server:6004;server.exchange.local:6004;

Do these also need to be changed to reflect my external DNS name, or should they stay the same? Where else do I need to change my internal DNS name to my external DNS name?

Of course, I am using the external DNS name from the Outlook client configuration.

Thanks for all the help guys, the hard part is over! Just a little more help..

[ February 15, 2005, 09:41 PM: Message edited by: anonim ]




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (16.Feb.2005 10:41:00 PM)

The servername(s) under HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts are just fine.

Have you tried to open the connection status window while Outlook is trying to establish a connection via RPC over HTTP(S)? What happens?

[ February 16, 2005, 10:42 PM: Message edited by: Henrik Walther ]
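The ValidPorts value quoted above, parsed and checked. This is an added example, not part of the original posts: it assumes the RPC proxy forwards only to host:port pairs listed in the value and that host names compare case-insensitively. The function names, the `max_span` threshold and the constructed inputs in the usage note are hypothetical.

```python
from typing import List, NamedTuple

# Value exactly as posted in the thread
THREAD_VALUE = ("server:6001-6002;server.exchange.local:6001-6002;"
                "server:6004;server.exchange.local:6004;")


class PortRule(NamedTuple):
    host: str
    low: int
    high: int


def parse_valid_ports(value: str) -> List[PortRule]:
    """Split 'host:port[-port];...' into rules; raise ValueError if malformed."""
    rules = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:  # the value ends with a trailing ';'
            continue
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"missing host or port in {entry!r}")
        low_s, dash, high_s = ports.partition("-")
        low = int(low_s)
        high = int(high_s) if dash else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        rules.append(PortRule(host.lower(), low, high))
    return rules


def is_allowed(rules, host, port):
    """True if some rule names this host and covers this port."""
    host = host.lower()
    return any(r.host == host and r.low <= port <= r.high for r in rules)


def audit(rules, max_span=10):
    """Flag wide ranges and FQDN entries whose ports differ from the short name's."""
    findings, ports = [], {}
    for r in rules:
        if r.high - r.low + 1 > max_span:
            findings.append(f"{r.host}: wide range {r.low}-{r.high}")
        ports.setdefault(r.host, set()).update(range(r.low, r.high + 1))
    for host, covered in ports.items():
        short = host.split(".")[0]
        if short != host and ports.get(short) != covered:
            findings.append(f"{host}: short name {short} missing or covers other ports")
    return findings


if __name__ == "__main__":
    rules = parse_valid_ports(THREAD_VALUE)
    print(rules)
    print(audit(rules))
```

Against the thread's value, `audit` returns no findings, while a constructed entry such as `server:100-5000` is flagged as a wide range.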




PureKrome -> RE: RPC over HTTPS Using Port 135 - WHY?? (16.Feb.2005 10:52:00 PM)

How do you do that, Henrik?




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 3:52:00 AM)

Pure Krome,

You can do this by going to Start -> Run and typing in outlook /rpcdiag. I think you can also bring it up by holding down the CTRL key and right-clicking on the Outlook icon in the system tray.

Henrik,

I think I've determined the problem. I hope I'm wrong, but somehow I doubt it. I have everything working perfectly inside my network, so I decided to do it all over again one step at a time and try to diagnose the problem.

I configured my Outlook client to connect to my external DNS name, and I blocked all outgoing connections to port 135. I started Outlook, it sent some packets to 135 (which were blocked) and 443, then came back and told me that the server was unreachable.

Next, I removed the port block rule and started Outlook again. Right away, it asked me for the username/password, which I entered. Immediately, it sent packets to 135, 443, and 88 (Kerberos), and then the Connection Status window showed me that I was connected via HTTPS.

Now having set up the profile, I enabled the port 135 block again and tried to connect. Sure enough, it connected without any issues over port 443.

So, my understanding is that for whatever reason, the connection must be made over port 135 before HTTPS will work. This seems ridiculous considering that the whole point of RPC over HTTP(S) is due to port 135 being blocked.

Can someone please prove me wrong?




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 4:20:00 AM)

Okay, so I proved myself right. Profile MUST be created over RPC (135) before you can connect via RPC over HTTP(S).

I dug up some old articles where it was recommended to use profgen.exe to create the profiles for RPC over HTTP. Unfortunately, I am having a hell of a time finding this utility. I found the link for Exchange Server All-In-One Tools Download, but it does not include the profgen.exe utility. Has it been replaced by something else? Is it no longer supported on Exchange 2003?




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 10:15:00 AM)

As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile, but when creating the profile you need to make sure you enter the proxy connection settings before clicking check name at the Exchange Server text box. This is pretty logical as you reach the Exchange Server via an HTTPS tunnel to the Proxy Server.

You can use Office Custom Installation Wizard to create the profiles, this wizard is part of the Office 2003 Resource Kit.

Below links might be of interest:

Microsoft Office Online: Office 2003 Resource Kit Home Page:
http://office.microsoft.com/en-us/FX011511471033.aspx

Microsoft Office Assistance: Options for Installing Outlook 2003:
http://office.microsoft.com/en-us/assistance/HA011402561033.aspx

[ February 17, 2005, 10:23 AM: Message edited by: Henrik Walther ]




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 4:14:00 PM)

quote:
Originally posted by Henrik Walther:
As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile

Hmm.. are you contradicting yourself as well as Thomas Shinder? You made the following post on October 08, 2003 09:17 PM:

Thomas Shinder
ISA Server expert and moderator of this board

Quote from his article about RPC HTTP through ISA:

"It is important to note that you must create the profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135). You will not be able to create a new profile or change an existing profile to use RPC over HTTP if it does not have access to the Exchange Server via RPC (TCP 135).

This bears repeating: you will not be able to create a new Outlook profile when the Outlook client is not on the internal network and can access the Exchange Server using RPC via TCP 135. In addition, a user with an existing profile will not be able to alter the existing profile so that it can use RPC over HTTP if that client is not located on the internal network and can access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135."

quote:
Originally posted by Henrik Walther:
but when creating the profile you need to make sure you enter the proxy connection settings before clicking check name at the Exchange Server text box. This is pretty logical as you reach the Exchange Server via an HTTPS tunnel to the Proxy Server.

Unfortunately, the first time when you create a profile, after entering the Exchange server name and username and clicking More Settings to get to the RPC over HTTP configuration, Outlook automatically performs a check name. After being unable to connect to the server over port 135, it pops up with the Check Name once again. If you then click Cancel, you can get to the window to configure More Settings.

quote:
Originally posted by Henrik Walther:
You can use Office Custom Installation Wizard to create the profiles, this wizard is part of the Office 2003 Resource Kit.

Below links might be of interest:

Microsoft Office Online: Office 2003 Resource Kit Home Page:
http://office.microsoft.com/en-us/FX011511471033.aspx

Microsoft Office Assistance: Options for Installing Outlook 2003:
http://office.microsoft.com/en-us/assistance/HA011402561033.aspx

I will look into these tools and see if I can find a way to create the profile from outside the network.




anonim -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 5:15:00 PM)

Well, I used the Custom Installation Wizard to set up an Outlook profile to connect via RPC over HTTP. I then exported the settings to a .prf file. When I executed this file, it asked me if I wanted to import the settings from the file into my Outlook, and I of course said yes. Then, I noticed that it started trying to connect to the Exchange server on port 135 and 443. After a while, it came back saying that the Exchange server is unavailable. Hence, it did not work.

I am curious about the profile creation process over RPC (135). Is the profile created on the server-end or the client-end? I assume it is on the client-end. If so, is this something that I can do:

1. Create a profile to connect via RPC over HTTP using a machine inside my Exchange network.

2. Somehow export this profile to a file (this is the part I'm not sure about - are the different profiles in the Mail Setup represented as files?)

3. Copy the file over to a machine outside of the network and import it into Outlook, and voila!

This theoretically should work (in my head). Or am I making false assumptions?




Henrik Walther -> RE: RPC over HTTPS Using Port 135 - WHY?? (17.Feb.2005 5:18:00 PM)

quote:
Originally posted by anonim:
quote:
Originally posted by Henrik Walther:
As I already mentioned you don't need port 135/TCP opened in order to create the Outlook RPC over HTTP(S) profile

Hmm.. are you contradicting yourself as well as Thomas Shinder? You made the following post on October 08, 2003 09:17 PM:

Did you note the date I replied with that answer?

And yes, based on my real-world experience with Exchange 2003's RPC over HTTP(S) feature, I do contradict information I posted over 1 year ago and right after RTM was put on the market (based on a BETA release).

If you don't find my answers trustworthy I honestly couldn't care less, I spend quite a lot of my time helping out frustrated Exchange Admins here on MSExchange.org's Message Boards, and don't really want to bother with lame replies such as your latest.



