ISA Web Publishing Rules:

To troubleshoot an SSL bridge, try using HTTP on the internal side of the bridge. If HTTP works but SSL on the internal side does not, log on to the ISA server, type in the URL for the bridge destination setting, and see what happens. If you get a certificate warning prompt, that is why SSL is not working on the other side of the bridge. ISA will simply fail; it has no mechanism for alerting an external client that "although the certificate I fronted to you works, the certificate on the other side of the bridge (the destination) is invalid (or cannot be verified)."

--------------------------------------------------------------------------------

To prevent users in your organization from configuring RPC over HTTP settings in the user interface, set a policy to disallow the settings in the user interface.

In Group Policy, under User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | E-Mail Accounts, double-click Exchange over the Internet User Interface. Click Enabled to enable configuring the policy, then in the drop-down list, select Hidden.

By default, the RPC over HTTP options are enabled if the user's computer has the required operating system version.

You add the value entry in the following subkey:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\RPC
Value name: EnableRPCTunnelingUI
Value data: DWORD

Set the value to 1 to enable RPC over HTTP user interface options. Set the value to 0 to disable the options.

--------------------------------------------------------------------------------

Deploying RPC over HTTP after deploying Outlook 2003

You can update an Outlook 2003 installation to configure RPC over HTTP or make changes to an existing RPC over HTTP installation by using the Custom Maintenance Wizard. The settings available for configuring RPC over HTTP in the Custom Maintenance Wizard are the same as those provided in the Custom Installation Wizard.
After you run the Custom Maintenance Wizard and configure the changes you want to make to your Outlook installation, you save the maintenance file and deploy it to your users.

--------------------------------------------------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

ServerNETBIOSName:6001;ServerFQDN:6001;ServerNetBIOSName:6004;ServerFQDN:6004

You may notice a mapping for port 593 and for port 6002. Port 593 and port 6002 are not required unless your Exchange computer uses ports that are not the default ports. In a typical Exchange environment, you do not have to configure these ports.

Important: To communicate with the RPC Proxy server, all servers accessed by the Outlook client must have set ports. If a server, such as an Exchange public folder server, has not been configured to use the specified ports for RPC over HTTP communication, the client will not be able to access the server.

ExchangeServer:593;
ExchangeServerFQDN:593;
ExchangeServer:6001-6002;
ExchangeServerFQDN:6001-6002;
ExchangeServer:6004;
ExchangeServerFQDN:6004;
GlobalCatalogServer:593;
GlobalCatalogServerFQDN:593;
GlobalCatalogServer:6004;
GlobalCatalogServerFQDN:6004

exchange1:593;
exchange1.acp-inc.com:593;
exchange1:6001-6002;
exchange1.acp-inc.com:6001-6002;
exchange1:6004;
exchange1.acp-inc.com:6004;
dc1:593;
dc1.acp-inc.com:593;
dc1:6004;
dc1.acp-inc.com:6004

exchange1:593;exchange1.acp-inc.com:593;exchange1:6001-6002;->
exchange1.acp-inc.com:6001-6002;exchange1:6004;->
exchange1.acp-inc.com:6004;dc1:593;dc1.acp-inc.com:593;->
dc1:6004;dc1.acp-inc.com:6004

Now we need to log on to the Global Catalog server (which would be the Domain Controller). Here we need to add a string to the registry as well, so navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Multi-String Value: NSPI interface protocol sequences
ncacn_http:6004

Restart the Global Catalog Server.
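
An added example, not part of the original notes: a Python check of an RPC Proxy port-mapping string in the format shown above. It reports servers that lack the ports clients need (the case the Important note describes) and entries that open hosts or ports beyond the set used on this page. The role labels and per-role minimum ports are assumptions read off the templates above; the sample value and host names are the page's.

```python
import re

# Ports from the page's templates; the page treats 593 and 6002 as optional.
ALLOWED = {593, 6001, 6002, 6004}
# Assumption: minimum ports per server role, read off the page's templates.
REQUIRED = {"exchange": {6001, 6004}, "gc": {6004}}

def parse_port_map(value):
    """Parse 'host:port;host:lo-hi;...' into {host: set_of_ports}."""
    mapping = {}
    # Strip whitespace and the '->' markers used where a long value is wrapped.
    cleaned = re.sub(r"->|\s+", "", value)
    for entry in filter(None, cleaned.split(";")):
        host, sep, ports = entry.rpartition(":")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", ports)
        if not (host and sep and m):
            raise ValueError(f"malformed entry: {entry!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {entry!r}")
        mapping.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return mapping

def audit(value, roles):
    """roles maps every name clients use (NetBIOS and FQDN) to 'exchange' or 'gc'."""
    mapping = parse_port_map(value)
    known = {h.lower() for h in roles}
    findings = []
    for host, role in roles.items():
        missing = REQUIRED[role] - mapping.get(host.lower(), set())
        if missing:  # clients cannot reach this server through the proxy
            findings.append((host, "missing", sorted(missing)))
    for host, ports in mapping.items():
        if host not in known:  # proxy may relay to a host nobody inventoried
            findings.append((host, "unknown-host", sorted(ports)))
        elif ports - ALLOWED:  # wider than the page's port set
            findings.append((host, "unexpected", sorted(ports - ALLOWED)))
    return findings

# Value and host names as given on the page.
PAGE_VALUE = ("exchange1:593;exchange1.acp-inc.com:593;exchange1:6001-6002;->"
              "exchange1.acp-inc.com:6001-6002;exchange1:6004;->"
              "exchange1.acp-inc.com:6004;dc1:593;dc1.acp-inc.com:593;->"
              "dc1:6004;dc1.acp-inc.com:6004")
PAGE_ROLES = {"exchange1": "exchange", "exchange1.acp-inc.com": "exchange",
              "dc1": "gc", "dc1.acp-inc.com": "gc"}

if __name__ == "__main__":
    print(audit(PAGE_VALUE, PAGE_ROLES))
    # Constructed: pf1 (hypothetical public folder server) lacks port 6004.
    print(audit(PAGE_VALUE + ";pf1:6001", {**PAGE_ROLES, "pf1": "exchange"}))
```
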
--------------------------------------------------------------------------------

RPC over HTTP does not require OWA, and keeping this in mind helps when troubleshooting across a firewall. OWA can be completely turned off and RPC over HTTP works fine. RPC over HTTP acts just as if you were on the local network using RPCs via TCP/IP; you are just encapsulating RPCs in HTTP headers within an SSL tunnel, sometimes using Outlook / Exchange encryption...

RPC over HTTP Proxy Server:

IIS:
  Default Web Site/
    Certificate to enable SSL
    RPC/
      No Anonymous
      Basic Authentication
      Require SSL and 128bit (check http://mail.domain.com/rpc/ for error message)