Simon, agreed, poor design (pre-me). Michael, we are talking about people
who don't want us deploying 2008 member servers even though they know
support runs out soon. (GRRRRRRRRR)


RPC/HTTP was my idea as the firewall they have wants MD5 VPN, and well,
Vista and 7.


Found out after the fact that we have another client with a similar set up,
so gonna have a browse through their Exchange registries - you know, I am so
looking forward to that ;-) Hopefully that will sort me out (he says). This
three node backend cluster still has me worried, but I guess it depends on
the reg entries?


From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: 19 April 2010 18:31
To: MS-Exchange Admin Issues
Subject: RE: Configuring RPC/HTTPS in a Multiple Cluster 2003 Environment


Wildcards can be made to work. I did it years ago (but I'm shocked that
anyone would be deploying a new feature on 2003 at this late date!), but
can't find any notes I made about it.


AFAICR, you'll need the external FQDN, the wildcard FQDN (*.example.com),
and the FQDN and short names of the FE, the BE, and the proxy server. It'll be a
long, long ValidPorts entry.


I'm pretty sure you'll also have to set "this server is not a member of a
managed front-end/back-end RPC/HTTP network" for all servers.


Regards,


Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com


From: Simon Butler [mailto:si...@sembee.co.uk] 
Sent: Monday, April 19, 2010 12:32 PM
To: MS-Exchange Admin Issues
Subject: RE: Configuring RPC/HTTPS in a Multiple Cluster 2003 Environment


Two problems immediately spring to mind.


1. Exchange in a DMZ - that is such a poor design.

2. RPC over HTTPS does not like wildcard certificates. With Outlook it
is looking for an exact match. With a wildcard certificate *.example.com is
NOT the same as mail.example.com

You shouldn't be making registry changes if you are using FE/BE - only the
GUI is required. However, I suspect things are not working because of the use
of a DMZ and a wildcard.


Simon. 

--
Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.

e: si...@sembee.co.uk
w: http://www.sembee.co.uk/
w: http://www.amset.info/

w: http://blog.sembee.co.uk/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/ 


Exchange Resources: http://exbpa.com/ 

From: Clayton Doige [mailto:clayton.do...@gmail.com] 
Sent: 19 April 2010 16:18
To: MS-Exchange Admin Issues
Subject: Configuring RPC/HTTPS in a Multiple Cluster 2003 Environment


Dear all, I hope someone can help with this one.

Environment


Exchange Front End servers are Windows 2003 SP2, Exchange 2003 SP, configured
in a load balanced set up using Windows NLB; the digital cert is a wildcard,
and the servers are sitting in the DMZ (no ISA Server).


Exchange back end servers live on a three node cluster (again all 2003 SP2),
where nodes 1 and 3 typically host the two live cluster resources, with node
2 as a failover node for both.


OWA works without firing a cert error when connecting.


I have installed the RPC/HTTP proxy components on both front end servers,
and ticked all the relevant RPC/HTTP radio buttons on the RPC tab for all of
the servers (ESM only shows the 4: two front end and two back end hosts).


If I do an RPCDUMP.exe /v on the first backend server I am testing, it is not
listening on ports 6001, 6002 and 6004, so I am guessing that this is
something to do with it living on a cluster?


I have the below information regarding reg hacks:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"ValidPorts"="server-fe:100-5000;server-be:6001-6002;server-be.domain.local:6001-6002;server-dc:6001-6002;server-dc.domain.local:6001-6002;server-be:6004;server-be.domain.local:6004;server-dc:6004;server-dc.domain.local:6004;mail.external.com:6001-6002;mail.external.com:6004;server-dc:593;server-dc.domain.local:593;server-be:593;server-be.domain.local:593;mail.external.com:593;"


My question is: do I need to add both of the virtual node names for the
back end system to all three back end registries? I am guessing I do, I just
wanted to run it past you all in case someone else has done this, as Google
is not being friendly on this one.


Thanks in advance


Clayton
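The question above turns on which host names the RpcProxy ValidPorts value has to carry for a clustered back end. The script below is an added example written for this thread, not code posted by anyone in it or shipped with Exchange: it assembles a ValidPorts string from lists of front-end, back-end and DC names (short name and FQDN for each, plus the external name), parses an existing value, and reports which required back-end ports a proxy would still reject. The host names fe1, exvs1, exvs2, dc1, domain.local and mail.external.com are constructed placeholders modelled on the posted .reg file; the port list (6001-6002, 6004, 593 for back ends and DCs, 100-5000 for the front end) is taken from that file. Treating each clustered Exchange Virtual Server name as its own back-end host in the list is this example's assumption, not something the thread settled.

```python
"""
Assemble and check the RpcProxy "ValidPorts" value used by Exchange 2003
RPC over HTTP(S) front-end servers.

Added example for this thread, not code posted in it. Host names are
constructed placeholders; the ports come from the posted .reg file.
Listing each clustered Exchange Virtual Server name as a back-end host is
this example's assumption.
"""
import re

# Ports from the posted registry entry: 6001-6002 (store), 6004 (DSProxy/NSPI),
# 593 (endpoint mapper) for back ends and DCs; 100-5000 for the front end.
BACKEND_PORTS = ["6001-6002", "6004", "593"]
FRONTEND_PORTS = ["100-5000"]
REQUIRED_BACKEND_PORTS = {593, 6001, 6002, 6004}

# One ValidPorts entry: host:port or host:lo-hi
ENTRY_RE = re.compile(r"^([A-Za-z0-9.\-]+):(\d+)(?:-(\d+))?$")


def host_forms(short_name, dns_suffix):
    """Both spellings a client or proxy may use: short name and FQDN."""
    return [short_name, f"{short_name}.{dns_suffix}"]


def build_valid_ports(front_ends, back_ends, dcs, dns_suffix, external_fqdn):
    """Return the semicolon-separated ValidPorts string.

    back_ends must list every name Outlook can be pointed at; on a cluster
    that is each Exchange Virtual Server name, not the physical node names
    (assumption, see module docstring).
    """
    entries = []
    for fe in front_ends:
        for name in host_forms(fe, dns_suffix):
            for port in FRONTEND_PORTS:
                entries.append(f"{name}:{port}")
    for port in BACKEND_PORTS:
        for host in back_ends + dcs:
            for name in host_forms(host, dns_suffix):
                entries.append(f"{name}:{port}")
        entries.append(f"{external_fqdn}:{port}")
    return ";".join(entries) + ";"


def parse_valid_ports(value):
    """Map each host (lower-cased) to the set of ports the proxy will allow."""
    coverage = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # trailing ';' leaves an empty segment
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {raw!r}")
        host, lo = m.group(1).lower(), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        coverage.setdefault(host, set()).update(range(lo, hi + 1))
    return coverage


def missing_backend_entries(value, back_ends, dns_suffix):
    """(host, port) pairs the proxy would reject for the given back-end names."""
    coverage = parse_valid_ports(value)
    missing = []
    for host in back_ends:
        for name in host_forms(host, dns_suffix):
            have = coverage.get(name.lower(), set())
            for port in sorted(REQUIRED_BACKEND_PORTS - have):
                missing.append((name, port))
    return missing


def to_reg_file(value):
    """Render a .reg fragment; a REG_SZ value must stay on one line."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy]\r\n"
        f'"ValidPorts"="{value}"\r\n'
    )


if __name__ == "__main__":
    # Constructed layout: two NLB front ends, a cluster hosting two Exchange
    # Virtual Servers, one DC, internal suffix domain.local.
    value = build_valid_ports(["fe1", "fe2"], ["exvs1", "exvs2"], ["dc1"],
                              "domain.local", "mail.external.com")
    print(to_reg_file(value))
    # The posted entry only names server-be, so a second virtual server name
    # would be rejected by the proxy until its short name and FQDN are added.
    posted = ("server-be:6001-6002;server-be.domain.local:6001-6002;"
              "server-be:6004;server-be.domain.local:6004;"
              "server-be:593;server-be.domain.local:593;")
    print(missing_backend_entries(posted, ["server-be", "exvs2"], "domain.local"))
```

Running the script prints a single-line .reg fragment for the constructed layout and then the list of (host, port) pairs the posted value does not cover for the second virtual server name. The single-line rendering matters: a REG_SZ value wrapped across lines, as the posted block was by the mail client, will not import with regedit.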
