Step by Step Instruction to verify RPC over HTTP setup in Exchange 2013

Because Outlook Anywhere is now enabled with Exchange 2013 by default, the RPC over HTTP Proxy feature should be automatically installed. However, it is always best to verify this because this is the bread and butter of Outlook Anywhere.

The steps below walk through the verification.

Step 1 – RPC over HTTP Proxy Feature

Open the Server Manager from the Start Menu.


If you do not see the RPC over HTTP Proxy feature installed, you will need to add it manually by clicking Add Features on the right side of the screen.

Then select the feature and click Install.

Step 2 – DNS and Security Certificates
Most likely you have already added the webmail2 subdomain that points to your CAS server. In this example, the domain is domain.com. Therefore, our subdomain is webmail2.domain.com. We need to add a Host (A) record that points internally to our CAS server and externally to the NAT for that server. It should look something like this:
Internal:
mail Host (A) 10.131.14.90
External:
mail Host (A) <external NAT IP>
Depending on how your site’s DNS is set up, you may have to get your ISP to add the external record for you.
Now that we have the DNS set up, we need to verify or install the security certificate for webmail2.domain.com on our CAS server. Again, most likely you have already accomplished this when setting up your Exchange server. You must first obtain a valid security certificate from a trusted source such as Symantec. Ensure that you get it for webmail2.<your_domain>.com.
Depending on what type of certificate and who it was requested through, the installation steps may be different. Please refer to your vendor’s installation instructions. You must have a valid certificate installed on your CAS server in order for Outlook Anywhere to work properly. Otherwise, Outlook will just report an error and not allow the Outlook Anywhere connection.
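The certificate requirement above can be checked from the shell. The following is an added example, not part of the original post: it reports, for each certificate, whether it covers the Outlook Anywhere host name, is within its validity dates, is bound to IIS and is self-signed. The function name Test-CasCertificate and the sample objects are assumptions made for illustration; the property names are those returned by Get-ExchangeCertificate.

```powershell
# Added example: report whether each certificate is usable for the Outlook Anywhere host name.
function Test-CasCertificate {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [object[]] $Certificate,  # objects shaped like Get-ExchangeCertificate output
        [datetime] $Now = (Get-Date)
    )
    foreach ($cert in $Certificate) {
        $covers = $false
        foreach ($d in $cert.CertificateDomains) {
            $name = "$d"
            # Exact match, or a wildcard that covers exactly one left-most label.
            if ($name -eq $HostName) { $covers = $true }
            elseif ($name.StartsWith('*.') -and
                    $HostName.Substring($HostName.IndexOf('.') + 1) -eq $name.Substring(2)) {
                $covers = $true
            }
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            CoversHost = $covers
            InValidity = ($cert.NotBefore -le $Now) -and ($Now -le $cert.NotAfter)
            BoundToIIS = ("$($cert.Services)" -split ',\s*') -contains 'IIS'
            SelfSigned = [bool]$cert.IsSelfSigned
        }
    }
}

# Constructed sample data (not real certificates): one good, one expired wildcard, one self-signed.
$sample = @(
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-1'; CertificateDomains = @('webmail2.domain.com', 'autodiscover.domain.com');
        Services = 'IIS, SMTP'; NotBefore = [datetime]'2013-06-01'; NotAfter = [datetime]'2015-06-01'; IsSelfSigned = $false }
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-2'; CertificateDomains = @('*.domain.com');
        Services = 'IIS'; NotBefore = [datetime]'2011-01-01'; NotAfter = [datetime]'2013-01-01'; IsSelfSigned = $false }
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-3'; CertificateDomains = @('CAS01', 'CAS01.domain.local');
        Services = 'SMTP'; NotBefore = [datetime]'2013-01-01'; NotAfter = [datetime]'2018-01-01'; IsSelfSigned = $true }
)

Test-CasCertificate -HostName 'webmail2.domain.com' -Certificate $sample -Now ([datetime]'2014-01-01') |
    Format-Table -AutoSize

# On the CAS, in the Exchange Management Shell, pass the live certificates instead:
# Test-CasCertificate -HostName 'webmail2.domain.com' -Certificate (Get-ExchangeCertificate)
```

Only a certificate with CoversHost, InValidity and BoundToIIS all True, and SelfSigned False, meets the requirement described in this step.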
Step 3 – Publish the external host name for Outlook Anywhere from the reverse proxy server.

Step 4 – Outlook Anywhere Configuration (EAC or EMS)
After verifying the prerequisites for Outlook Anywhere, we are ready to configure the settings. There are two ways we can accomplish this: EAC (Exchange Admin Center – the web based replacement for the EMC) and EMS (Exchange Management Shell).
The easiest route is to use EMS. There is a lot less effort involved and this is the direction . However, some people are still more comfortable using a GUI to configure Outlook Anywhere.
Exchange Admin Center

Steps to modify through EAC
Open a browser from your CAS server and go to http://localhost/ecp. You will be met with the following:

Enter your logon credentials and press Enter. When you have successfully logged in, click the servers link on the left, and then the pencil icon above the server name on the subsequent page.

The next window that pops up will be the Edit screen for the CAS server. On the left, click Outlook Anywhere and fill in the information. We want to set the internal and external URLs to webmail2.domain.com, the authentication method to NTLM, and uncheck Allow SSL offloading. If you plan on offloading the SSL certs, you may keep it checked.

Click the Save button to save the new configuration and close the Edit window.
Through Exchange Management Shell (EMS)
To configure Outlook Anywhere via the EMS, open the Exchange Management Shell from the Start menu.

The syntax for the cmdlet to configure Outlook Anywhere looks like the following:
Set-OutlookAnywhere -Identity 'testlab\rpc (Default Web Site)' -ExternalHostname mail.exchangequery.com -InternalHostname mail.exchangequery.com -ExternalClientAuthenticationMethod Ntlm -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl:$true -IISAuthentication Ntlm -SSLOffloading:$false
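To confirm that the settings took effect, the following added example (not part of the original post) compares an Outlook Anywhere configuration object with the values used in the command above and lists every setting that differs. The function name Compare-OutlookAnywhereConfig and the sample object are assumptions made for illustration; the property names are those returned by Get-OutlookAnywhere.

```powershell
# Added example: report Outlook Anywhere settings that differ from the values Step 4 sets.
function Compare-OutlookAnywhereConfig {
    param(
        [Parameter(Mandatory)] $Config,               # object shaped like Get-OutlookAnywhere output
        [Parameter(Mandatory)] [hashtable] $Expected  # property name -> required value
    )
    foreach ($name in $Expected.Keys) {
        # Flatten multi-valued properties (IISAuthenticationMethods) so order does not matter.
        $actual = (@($Config.$name)    | ForEach-Object { "$_" } | Sort-Object) -join ','
        $wanted = (@($Expected[$name]) | ForEach-Object { "$_" } | Sort-Object) -join ','
        if ($actual -ne $wanted) {
            [pscustomobject]@{ Setting = $name; Expected = $wanted; Actual = $actual }
        }
    }
}

# Values taken from the Set-OutlookAnywhere command in this step.
$expected = @{
    ExternalHostname                   = 'mail.exchangequery.com'
    InternalHostname                   = 'mail.exchangequery.com'
    ExternalClientAuthenticationMethod = 'Ntlm'
    InternalClientAuthenticationMethod = 'Ntlm'
    ExternalClientsRequireSsl          = $true
    InternalClientsRequireSsl          = $true
    IISAuthenticationMethods           = 'Ntlm'
    SSLOffloading                      = $false
}

# Constructed sample (not real output): a server whose settings have drifted.
$sample = [pscustomobject]@{
    ExternalHostname                   = 'mail.exchangequery.com'
    InternalHostname                   = 'mail.exchangequery.com'
    ExternalClientAuthenticationMethod = 'Basic'
    InternalClientAuthenticationMethod = 'Ntlm'
    ExternalClientsRequireSsl          = $true
    InternalClientsRequireSsl          = $false
    IISAuthenticationMethods           = @('Basic', 'Ntlm')
    SSLOffloading                      = $true
}

Compare-OutlookAnywhereConfig -Config $sample -Expected $expected |
    Sort-Object Setting | Format-Table -AutoSize

# On the CAS, in the Exchange Management Shell, check the live configuration instead:
# Get-OutlookAnywhere -Identity 'testlab\rpc (Default Web Site)' |
#     ForEach-Object { Compare-OutlookAnywhereConfig -Config $_ -Expected $expected }
```

An empty result means the server matches the intended configuration; any row returned names a setting to correct before moving on to the connectivity test.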

Step 5 – Verification
Microsoft has come up with an amazing site to test the connectivity of Exchange: the Microsoft Remote Connectivity Analyzer.

As you can see, there are many testing options we can select from. We want to test Outlook Anywhere, so select the Outlook Anywhere (RPC over HTTP) radio button under Microsoft Office Outlook Connectivity Tests and click Next.
Enter the valid information into the form and click Perform Test at the bottom.

The website will then begin to test your Outlook Anywhere settings.

Once complete, the site will give you the status and any other pertinent information such as how to fix an issue.

Step 6 – Client configuration
To configure the client, open Outlook, go to File on the menu bar, click the Account Settings button, and then click Account Settings…

When the Account Settings dialogue box pops up, click the account and then the Change… button.

Another dialogue box will pop up. Click the More Settings… button. Stay with me. We’re almost there!

Now we get to the Exchange Settings dialogue box. Click on the Connection tab. You will see that there is a section for Outlook Anywhere and a tick box that says Connect to Microsoft Exchange using HTTP. As you can see from the screenshot, mine is greyed out. I have set this up via Group Policy. Now click on the Exchange Proxy Settings… button.

Finally, we are at the spot where we can enter our information for Outlook Anywhere. Enter the required information into the form as shown in the screenshot. The principal name text box must be preceded with the msstd: prefix in order for the certificate to be valid. This will automatically be added.

If you want Outlook to work with auto-configuration when the client is on an external/Internet network, the following step is required.

Publish autodiscover.domain.com from the reverse proxy and in external DNS for the Exchange 2013 CAS server (so that when you ping autodiscover.domain.com from the Internet, it resolves to the Exchange 2013 CAS server's public IP).

Now we are done with verifying the RPC over HTTP setup in Exchange 2013.

Thanks 

Sathish Veerapandian

MVP -Exchange Server

 

7 thoughts on “Step by Step Instruction to verify RPC over HTTP setup in Exchange 2013”

  1. satheshwaran November 25, 2013 at 12:37 am Reply

    Hey Sathesh,

    Good to see your Blog.

    I have Two Server . HA _ LB

    CAS+MBX

    CAS+MBX

    If it is CAS1 and the database is mounted on the other server,

    OWA logs out.

    Exchange 2013 CU2. Is it a bug?

    Log Name: Application
    Source: MSExchange Web Services
    Date: 11/11/2013 12:38:59 PM
    Event ID: 15
    Task Category: Core
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: CloudExch2.Careexchange.in
    Description:
    Client Access server CLOUDEXCH2 tried to proxy Exchange Web Services traffic to Client Access server CLOUDEXCH1.exchangecloud.com.au. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:

    1. The host name in CLOUDEXCH1.careexchange.in may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the “internalHostname” configuration for the Exchange Web Services virtual directory on the target Client Access server. You can change the “internalHostname” configuration for the target Client Access server using the “Set-Webservicesvirtualdirectory” cmdlet. If you don’t want to change the “internalHostname” configuration for the Exchange Web Services virtual directory on the target Client Access server, you can also use the tool “setspn.exe” on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.

    2. The server hosting CLOUDEXCH1.careexchange.in may be configured not to allow Kerberos authentication. It might be set to use “Integrated Windows” authentication for the /ews virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.

    Log Name: Application
    Source: ASP.NET 4.0.30319.0
    Date: 11/11/2013 12:39:42 PM
    Event ID: 1309
    Task Category: Web Event
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: CloudExch2.Careexchange.in

    Description:

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/11/2013 12:39:42 PM
    Event time (UTC): 11/11/2013 1:39:42 AM
    Event ID: d5ecf8c6ad044519a70fbf76265b1b8f
    Event sequence: 607 Event occurrence: 606
    Event detail code: 0

    Application information:

    Application domain: /LM/W3SVC/2/ROOT/owa-3-130285893697303698
    Trust level: Full
    Application Virtual Path: /owa
    Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\
    Machine name: CLOUDEXCH2

    Process information:

    Process ID: 15712
    Process name: w3wp.exe
    Account name: NT AUTHORITY\SYSTEM

    Exception information:

    Exception type: MapiExceptionIllegalCrossServerConnection
    Exception message: MapiExceptionIllegalCrossServerConnection: Monitoring mailbox [] with application ID [Client=OWA;Action=ViaProxy] is not allowed to make cross-server calls to [CLOUDEXCH1.exchangecloud.com.au]
    at Microsoft.Mapi.MonitoringBlockingExRpcConnectionFactory.Create(ExRpcConnectionInfo connectionInfo)
    at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId,Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout, Byte[] tenantHint)
    at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)

    Request information:

    Request URL: https://localhost:444/owa/proxylogon.owa
    Request path: /owa/proxylogon.owa
    User host address: ::1
    User: EXCHANGECLOUD\SM_bbc806b9b41a42ab9
    Is authenticated: True
    Authentication Type: Kerberos
    Thread account name: NT AUTHORITY\SYSTEM

    Thread information:

    Thread ID: 58
    Thread account name: NT AUTHORITY\SYSTEM
    Is impersonating: False
    Stack trace: at Microsoft.Mapi.MonitoringBlockingExRpcConnectionFactory.Create(ExRpcConnectionInfo connectionInfo)
    at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout, Byte[] tenantHint)
    at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)

    Please let me know if you have any suggestions for me.


  2. sathishveerapandian December 1, 2013 at 11:53 pm Reply

    Hi Satheesh,

    Looks like this is a proxy issue.

    Based on the troubleshooting you have posted on the TechNet blogs, you can try the settings below and we can see if it helps us.

    Try with the allowproxywithoutSSL registry not set:
    technet.microsoft.com/en-us/library/ff360856(v=exchg.140).aspx
    Also, you can check if SSL offloading is done.

    You can check if the default self-signed certificate or third-party certificate is assigned correctly to the default website on the affected server.

    Finally, you can try replacing the OWA version folder for HTTP Proxy & Client Access from the other server, which is working fine.


