RPC Proxy Can't Be Pinged: 2013/2010 Co-Existence with Outlook Anywhere

ISSUE: Can't RPC Proxy Outlook Anywhere requests for Exchange 2010 mailbox users via the Exchange 2013 CAS NLB IP.

SYMPTOMS: Externally with TestExchangeConnectivity.com, I get 'RPC Proxy Can't Be Pinged' with 'An HTTP 401 Unauthorized response was received from the remote Unknown server'. Internally, I get password prompts with Outlook 2010.

SETUP:

Exchange 2013 CU1
CAS NLB: exchange.mydomain.com
Get-OutlookAnywhere Details:
InternalHostname: exchange.mydomain.com
ExternalHostname: exchange.mydomain.com
ExternalClientAuthenticationMethod: Negotiate
InternalClientAuthenticationMethod: Ntlm
IISAuthenticationMethods: Basic, Ntlm, Negotiate

Exchange 2010 SP3
CAS NLB: legacy.mydomain.com
CAS Array: legacy.mydomain.com
Get-OutlookAnywhere Details:
ExternalHostname: exchange.mydomain.com
ClientAuthenticationMethod: Ntlm
IISAuthenticationMethods: Basic, Ntlm

ADDITIONAL DETAILS:
- With the above settings, Outlook 2010 configures the 'Exchange Proxy Settings' with exchange.mydomain.com and NTLM authentication, which is what I want. However, Outlook 2010 doesn't seem to be able to proxy through exchange.mydomain.com as I continually get password prompts.
- If I change ExternalHostname on the Exchange 2010 side's OutlookAnywhere to legacy.mydomain.com, then Outlook 2010 uses legacy.mydomain.com for the 'Exchange Proxy Settings' and that works fine. However, I want all Outlook requests to be proxied through the Exchange 2013 CAS servers.
- For users with Exchange 2013 mailboxes, they are able to use exchange.mydomain.com as their 'Exchange Proxy Settings' without any issues. The problem therefore lies with proxying RPC requests FROM 2013 to 2010.
- Here are some pertinent lines from a 2013 CAS server's IIS logs:
 01:37:58 192.168.150.210 RPC_IN_DATA /rpc/rpcproxy.dll legacy.domain.com:6002&RequestId=d01bfb91-6fa7-47bb-a1c6-ba2cda921c3a 443 - 207.46.14.63 MSRPC - 401 2 5 15
2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=cbcd4706-9a34-499e-8b63-8b0e0b58e946 443 - 207.46.14.63 MSRPC - 401 1 2148074254 31
2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /rpc/rpcproxy.dll &RequestId=114f4709-d614-4a6a-96e6-b33729d85cf1 443 - 207.46.14.63 MSRPC - 401 2 5 218
2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=5d1390b3-84c8-4402-849f-edefe37da159 443 DOMAIN\testuser 207.46.14.63 MSRPC - 401 0 0 62
2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=73f08b89-b71e-46c0-b3c6-5b9dbbacc5c4 443 - 207.46.14.63 MSRPC - 401 2 5 249

Any thoughts or comments are highly appreciated. Let me know if additional details are needed.

June 24th, 2013 5:50pm
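
The IIS log lines quoted in the post above can be decoded field by field. The following PowerShell is an added example, not part of the original post; it assumes the default IIS W3C field order (the #Fields header is not shown in the thread) and takes the log lines copied from the post as its sample input.

```powershell
# Assumption: default IIS W3C field order; confirm against the #Fields: header of the real log.
$fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port','cs-username',
          'c-ip','cs(User-Agent)','cs(Referer)','sc-status','sc-substatus','sc-win32-status','time-taken'

# IIS 401 sub-status meanings, and the Win32/SSPI codes that occur in the sample.
$subStatus = @{ '0' = 'No sub-status'; '1' = 'Logon failed'
                '2' = 'Logon failed due to server configuration'
                '3' = 'Unauthorized due to ACL on resource' }
$win32     = @{ '0' = 'ERROR_SUCCESS'; '5' = 'ERROR_ACCESS_DENIED'
                '2148074254' = 'SEC_E_NO_CREDENTIALS (0x8009030E)' }

# Sample input: the log lines from the post (the first one is truncated in the thread).
$sample = @(
    ' 01:37:58 192.168.150.210 RPC_IN_DATA /rpc/rpcproxy.dll legacy.domain.com:6002&RequestId=d01bfb91-6fa7-47bb-a1c6-ba2cda921c3a 443 - 207.46.14.63 MSRPC - 401 2 5 15'
    '2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=cbcd4706-9a34-499e-8b63-8b0e0b58e946 443 - 207.46.14.63 MSRPC - 401 1 2148074254 31'
    '2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /rpc/rpcproxy.dll &RequestId=114f4709-d614-4a6a-96e6-b33729d85cf1 443 - 207.46.14.63 MSRPC - 401 2 5 218'
    '2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=5d1390b3-84c8-4402-849f-edefe37da159 443 DOMAIN\testuser 207.46.14.63 MSRPC - 401 0 0 62'
    '2013-06-24 01:37:58 192.168.150.210 RPC_IN_DATA /Rpc/RpcProxy.dll legacy.domain.com:6001&RequestId=73f08b89-b71e-46c0-b3c6-5b9dbbacc5c4 443 - 207.46.14.63 MSRPC - 401 2 5 249'
)

function ConvertFrom-IisLine([string]$Line) {
    $values = $Line.Trim() -split '\s+'
    if ($values.Count -ne $fields.Count) { return }   # skip truncated or non-default lines
    $row = [ordered]@{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    [pscustomobject]$row
}

$sample | ForEach-Object { ConvertFrom-IisLine $_ } |
    Where-Object { $_.'cs-uri-stem' -like '/rpc/rpcproxy.dll' -and $_.'sc-status' -eq '401' } |
    ForEach-Object {
        $target = ($_.'cs-uri-query' -split '&')[0]      # RPC endpoint the client asked the proxy for
        $code   = $_.'sc-win32-status'
        [pscustomobject]@{
            Time    = $_.time
            Target  = $(if ($target) { $target } else { '(none)' })
            User    = $_.'cs-username'
            Status  = '401.{0}' -f $_.'sc-substatus'
            Meaning = $subStatus[$_.'sc-substatus']
            Win32   = $(if ($win32.ContainsKey($code)) { $win32[$code] } else { $code })
        }
    } | Format-Table -AutoSize
```

In the output, 401.2 with ERROR_ACCESS_DENIED and 401.1 with SEC_E_NO_CREDENTIALS are also what IIS records for the anonymous and challenge legs of an ordinary NTLM handshake, so the row that already carries a username (DOMAIN\testuser) yet still ends in 401.0 is the one worth tracing further.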

Exchange 2013 CU1
ExternalClientAuthenticationMethod: Negotiate

Hi,
Change ExternalClientAuthenticationMethod to NTLM.
Not sure if that is causing the problem you have, but Negotiate should only be used in a pure Exchange 2013 environment and can cause other problems if configured when running in co-existence with EX07/EX10.

See: http://support.microsoft.com/kb/2834139

June 24th, 2013 7:04pm

June 24th, 2013 7:48pm

Are you sure that the clients got the new setting?
If you didn't recycle the application pool MSExchangeAutodiscoverAppPool in IIS after you made the change, it would be a good thing to do. It usually triggers Outlook to get the new settings faster.

June 24th, 2013 7:54pm

June 24th, 2013 8:24pm

Also, should I remove 'Negotiate' from the IISAuthenticationMethods in the 2013 CAS servers?
June 24th, 2013 8:30pm

Hi,
You shouldn't need to hardcode any Outlookprovider.
(I assume now that you have exchange.mydomain.com both as the common name and as the first SAN)

I haven't added any ValidPorts since Exchange 2003, so no, that is not an option.

Not sure what you mean by "hardcoding the settings into Outlook or the online tool".

Regarding IISAuthenticationMethods... I have removed that, but I have also seen it work when it was still enabled.

I remember another thread, where the poster also had problems with password prompts. It was solved by enabling/disabling Outlook Anywhere on the legacy server. You might want to give that a try.

Do the clients with mailboxes on Exchange 2013 also have problems connecting?



June 24th, 2013 8:48pm

June 24th, 2013 9:50pm


- By hardcoding I mean, explicitly setting the RPC Proxy server. For instance, with the online tool, I will select "Outlook Anywhere (RPC over HTTP)" then on the next page, I choose "Manually specify server settings". Though this still fails as with Autodiscover, to me it demonstrates that Autodiscover (and the XML response that Autodiscover returns) is not a problem. Does that make sense?


I didn't get that you were talking about ExrCA (exrca.com) :)

Disabling/enabling Outlook Anywhere on EX10 might seem unnecessary, but it worked for the other poster. I will see if I can find that post.

Btw, you have changed Autodiscover.domain.com to point to your Exchange 2013 server, right?
June 24th, 2013 10:12pm


June 24th, 2013 10:52pm

Ok, I disabled/enabled OutlookAnywhere with no difference in results. If it helps, when running "Test-OutlookConnectivity -Protocol HTTP" from the 2010 EMS and having the 2010 OutlookAnywhere set to exchange.mydomain.com, I was getting:

RunspaceId                  : 08fb1b71-1d81-4820-85f5-249e685723a8
ServiceEndpoint             : legacy.mydomain.com
Id                          : GetReferral
ClientAccessServer          : EXCA01.domain.internal
Scenario                    : RFRI::GetReferral.
ScenarioDescription         :
PerformanceCounterName      : RFR: Get referral latency
Result                      : Failure
Error                       :
UserName                    : domain.internal\extest_66a4736126034
StartTime                   : 6/24/2013 6:56:02 PM
Latency                     : 00:00:02.7337975
EventType                   : Failure
LatencyInMillisecondsString : 2733.80
Identity                    :
IsValid                     : True

Does that have any significance? When I change OutlookAnywhere for 2010 back to legacy.mydomain.com, it works fine.

June 25th, 2013 2:01am

Your Settings should look like the below

Exchange 2013 CU1
CAS NLB: legacy.mydomain.com - Get These CAS boxes in the Same NLB as 2010use different NLB's"
Get-OutlookAnywhere Details:
InternalHostname: exchange.mydomain.com
ExternalHostname: exchange.mydomain.com
ExternalClientAuthenticationMethod: Basic
InternalClientAuthenticationMethod: Ntlm
IISAuthenticationMethods: Basic, Ntlm, Negotiate

Exchange 2010 SP3
CAS NLB: legacy.mydomain.com
CAS Array: legacy.mydomain.com - Doesn't matter
Get-OutlookAnywhere Details:
ExternalHostname: exchange.mydomain.com

ExternalClientAuthenticationMethod: Basic
InternalClientAuthenticationMethod: Ntlm

ClientAuthenticationMethod: Ntlm
IISAuthenticationMethods: Basic, Ntlm

----Mark as answer if this helps.

June 25th, 2013 3:21am

June 25th, 2013 8:04am

What are you using for load balancing? Can you bypass it when connecting to the 2013 CAS and the 2010 external host name set to exchange.mydomain.com?

A hosts file entry on the internal PC with exchange.mydomain.com set to a specific IP of the 2013 CAS would work for the test. Flush DNS on the PC before testing and ensure it's finding the hosts file setting.

Oh, and no firewalls or anything in between the 2013 and 2010 CAS that may interfere, yes?

June 26th, 2013 2:27pm

June 26th, 2013 6:39pm

June 26th, 2013 7:44pm

June 27th, 2013 1:15am

It's simple: don't make a new NLB for 2013, use the same NLB as 2010.

What you need to know is that 2013 is not a CAS array; it's just independent CAS boxes inside an NLB, like for any other IIS.

Forget what I told you to do on 2010. Just focus on 2013: make 1 independent CAS 2013 server with settings exactly as 2010 for Outlook Anywhere, introduce it into the same NLB as 2010, and stop the 2010 servers in the NLB itself. That should do the trick :-) You may PM me on sahmed@advancepts.com

June 27th, 2013 11:07pm

June 28th, 2013 1:33am

"That suggestion definitely doesn't seem very rational" - I am in co-existence.

2013 will proxy and talk to whatever ... try it ... or keep on researching.

July 2nd, 2013 5:28pm

July 2nd, 2013 5:35pm

Ok, so again: I am not asking you to shut down the 2010 boxes. They have to be turned on and functioning because you still need the RPC Client Access service to give out the 2010 mailboxes to you.

All you need to do is get the 2013 CAS boxes inside the same NLB and stop the 2010 CAS boxes in NLB ONLY (right-click the 2010 CAS in NLB Manager > click Stop).

That's it.

July 4th, 2013 6:01pm

July 5th, 2013 6:14pm

When you changed the authentication, did you reset IIS afterwards?
July 9th, 2013 10:33am

When you changed the authentication, did you reset IIS afterwards?

Yes - I always performed an 'iisreset' after changing the authentication methods of all of my CAS 2013 and CAS 2010 servers. They have also been rebooted. Feel free to keep the suggestions coming!
July 9th, 2013 4:19pm



Your last message raises an interesting point though. From the 2013 CAS perspective, when it tries to reverse-proxy to the 2010 CAS environment, does it just choose a 2010 CAS server at random, or does it use the 2010 CAS Array hostname? (which as I mentioned, points to the 2010 NLB IP)

It will connect to whatever is defined as the RPCClientAccessServer on the 2010 mailbox database.
July 16th, 2013 8:11am



July 16th, 2013 12:58pm

Did you put the 2013 CAS in the existing array ever? And try?
July 27th, 2013 12:45pm

July 27th, 2013 7:44pm

This topic is archived. No further replies will be accepted.
