Exchange 2010 sp3 RPC connectivity between separate physical sites

Good evening! I have installed Exchange 2010 a few times in my life but never in an environment like this. Please don't judge me for this architecture, it wasn't my idea! ;)

I have two physical sites - one is a sort-of hot backup for the other. Each site has an equally deployed set of Exchange 2010 server roles. Both sites are on the same AD domain and are replicating well. Both sites have full access to AD.

Each site has:

Server 1 - HUB/CAS

Server 2 - Mailbox

Server 3 - Mailbox

(edge role performed by security appliance, not part of this problem/question)

The sites are separated by Cisco ASA firewalls.

I have followed the instructions available almost everywhere online to statically assign two RPC ports from the dynamic range to each server: 59540 and 59541 for ExchangeRPC, ExchangeAB, and ExchangeIS. These are permitted through the firewalls. 135 is also permitted (as is 25 for e-mail transfers).

I can do some things but not others - for instance:

I can move mailboxes from site A to site B. I can send e-mail from site A to site B.

I cannot access a mailbox through OWA that is in Site A through Site B's CAS role (or vice-versa). I cannot get certificates in EMC or EMS (system cites an RPC error). I cannot build a DAG across all 4 mailbox servers as is required by the architecture I was given. I do have a replication network setup on the 4 mailbox servers.

I believe this to be an RPC problem as that is the error I generally get. Netstat shows many ports listening on each server in addition to the ones I statically configured. I'm assuming that the servers are still handing out ports in the dynamic RPC range, but I could be misunderstanding this process.

What am I missing? How do I get RPC to work only over those two ports (or a couple more)? Our networking group will not open 1000 or 5000 ports for me.

Alternately - is there a way you can think of that I can push RPC traffic over the replication network? I could probably get them to add the replication network to my hub/cas servers.

Any help is appreciated - thank you!

July 15th, 2015 12:22am
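As an added example (not code from the thread, from Microsoft, or from the linked articles), here is a PowerShell check for the observation above that netstat shows many more listening ports than the two that were configured. It reads the local `netstat -ano` output on a server, maps each listener to its owning process, and classifies the port as one of the statically assigned RPC ports (59540 and 59541, taken from the post), the RPC endpoint mapper (135), a port in the Windows dynamic range, or something else. The 49152-65535 range is assumed to be the Windows default dynamic range and should be verified on each server with `netsh int ipv4 show dynamicport tcp`; the function name and parameters are this example's own.

```powershell
# Added example, not part of the thread: report which TCP ports an Exchange server is
# listening on and classify each one, so you can see which services still sit in the
# Windows dynamic RPC range rather than on the statically assigned ports.
# Assumptions: run locally on each HUB/CAS and Mailbox server from an elevated
# PowerShell 2.0+ prompt on an English Windows Server 2008 R2 (netstat state text
# is "LISTENING"); the dynamic range defaults below are the Windows defaults and
# should be verified with: netsh int ipv4 show dynamicport tcp

function Get-ListeningPortReport {
    param(
        [int[]] $StaticRpcPorts = @(59540, 59541),   # the two ports from the original post
        [int]   $DynamicStart   = 49152,             # assumed Windows default dynamic range
        [int]   $DynamicEnd     = 65535
    )

    # Map PID -> process name once rather than calling Get-Process per netstat line.
    $procByPid = @{}
    Get-Process | ForEach-Object { $procByPid[$_.Id] = $_.ProcessName }

    # netstat -ano listener columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' } |
        ForEach-Object {
            $fields   = $_.Trim() -split '\s+'
            $local    = $fields[1]
            $port     = [int]($local -replace '^.*:(\d+)$', '$1')   # handles 0.0.0.0:135 and [::]:135
            $ownerPid = [int]$fields[4]                              # $pid itself is reserved in PowerShell

            $class = if ($StaticRpcPorts -contains $port) { 'static-rpc' }
                     elseif ($port -eq 135)               { 'endpoint-mapper' }
                     elseif ($port -ge $DynamicStart -and $port -le $DynamicEnd) { 'dynamic-range' }
                     else                                 { 'other' }

            New-Object PSObject -Property @{
                LocalAddress = $local
                Port         = $port
                PID          = $ownerPid
                Process      = $procByPid[$ownerPid]
                Class        = $class
            }
        }
}

# Full listing, a count per class, and the distinct processes still holding
# dynamic-range listeners: each of those is a port the firewall would also need
# to permit for cross-site RPC to succeed.
$report = Get-ListeningPortReport
$report | Sort-Object Class, Port | Format-Table Class, Port, Process, PID, LocalAddress -AutoSize
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Class -eq 'dynamic-range' } |
    Select-Object -ExpandProperty Process -Unique
```

Run it on every server in both sites and compare the 'dynamic-range' section against the firewall rules: if Exchange or cluster processes appear there, the two static ports alone cannot carry all the RPC traffic between sites, which is the point the replies below make.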

There is no way you can restrict RPC port range to 2. My experience is minimum 10+ ports are required. I would recommend 100 ports.

July 15th, 2015 12:34am

Hi,

Since you cannot use Netstat to list the port which you configured, it seems something port within it.

Firstly, please refer to below blog to ensure the steps about "Configure Static RPC Ports on an Exchange 2010 Client Access Server":
http://social.technet.microsoft.com/wiki/contents/articles/864.configure-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

Thanks
July 17th, 2015 11:49pm

Hi,

You might want to read this

RPC Client Access Cross-Site Connectivity Changes:

http://blogs.technet.com/b/exchange/archive/2012/05/30/rpc-client-access-cross-site-connectivity-changes.aspx

Exchange Network Port Reference 2010:

https://technet.microsoft.com/en-us/library/bb331973(v=exchg.141).aspx

The Clustering data path listed in the preceding table uses dynamic RPC over TCP to communicate cluster status and activity between the different cluster nodes. The Cluster service (ClusSvc.exe) also uses UDP/3343 and randomly allocated, high TCP ports to communicate between cluster nodes.

Many Exchange services use remote procedure calls (RPCs) for communication. Server processes that use RPCs contact the RPC Endpoint Mapper to receive dynamic endpoints and register those endpoints in the Endpoint Mapper database.

The installation of a firewall between Exchange servers or between an Exchange 2010 Mailbox or Client Access server and Active Directory isn't supported. However, you can install a network device if traffic isn't restricted and all available ports are open between the various Exchange servers and Active Directory.

This line should be enough to confirm/prove that the architecture is not feasible, or to get management to pressure the networking group to allow unrestricted ports between Exchange servers.

Exchange, Firewalls, and Support Oh, my!

http://blogs.technet.com/b/exchange/archive/2013/02/18/exchange-firewalls-and-support-oh-my.aspx

What all the info in the earlier post and links suggests is a restriction between Outlook and CAS, not between Exchange servers.

Figure 5: Firewalls between users and Exchange servers as well as between datacenters. Supported if the firewalls are configured to allow unfettered access between Exchange servers, between Exchange servers and AD, and appropriate client rules. AD not shown.

Exchange 2013 has narrowed the client-side requirement to 443 (the only protocol supported for Windows Outlook clients is RPC over HTTPS), but the server requirements remain the same.

"Staying within support guidelines does in fact help us help you as expeditiously as possible, and in the end will save you time, support costs, labor costs, and last but not least aggravation." - Brian Day

July 20th, 2015 5:16am
