Michael,

Hold off on wasting your time with the pings for now. I have some inconsistencies I need to validate first. However, I am seeing posts about using an internal CA with e2k7+ just not giving good results? Have you found this to be the case as well?

Thanks!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Wednesday, April 29, 2009 7:29 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Are you talking about the ValidPorts registry key? Don't touch it! :-P Exchange autoconfs that in both 2007 and 2010.

I'll look into your rpcping results later today...

________________________________________
From: Joseph L. Casale [jcas...@activenetwerx.com]
Sent: Tuesday, April 28, 2009 12:47 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well in 2003 Server and E2k3, you must specify name and ports for the DC/GC?

Also, here are some interesting tidbits done from outside the lan on a wkst with 2k3 res kit:

    rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3
    RPCPinging proxy server internal.fqdn.local with Echo Request Packet
    Sending ping to server
    Response from server received: 401
    Client is not authorized to ping RPC proxy
    Ping failed.

****

    rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3
    Completed 1 calls in 594 ms
    1 T/S or 594.000 ms/T

****

    rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6002

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3
    Completed 1 calls in 203 ms
    4 T/S or 203.000 ms/T

****

    rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6004

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3
    Exception 1722 (0x000006BA)

So it looks like I have two problems, the 1722 suggests reg entries (IPv6 is disabled)? This is Exchange 2007/10 (two identical labs built to test) so I don't mangle ports AFAIK? The 401 up top has me baffled!

Thanks so much!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Tuesday, April 28, 2009 10:04 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

I don't understand your question "no mention of the DC and applicable ports"???

If you specify auth types on the vdirs, you will almost certainly break something. Don't do it.

________________________________________
From: Joseph L. Casale [jcas...@activenetwerx.com]
Sent: Monday, April 27, 2009 5:59 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Appreciate all of that. Well, I am at a loss. I have been troubleshooting this now on my own setup inside an esx server, and even rolled out a new dc and exchange server using 2010 and same behavior. Obviously I am missing something...

In the registry, there is no mention of the dc and applicable ports? Is this not something needed in '07/10? Also, is there ever a need to manually specify Auth types on the IIS virtual dirs?

Thanks Michael!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Monday, April 27, 2009 3:03 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well, they do very different things. :-)

The -IncludeAcceptedDomains parameter is a switch. If it is set to true (or just specified without a ":$false"), then all of the Accepted Domains in the organization are included in the certificate request (if -GenerateRequest is set to true). I don't think that I have ever used the -IncludeAcceptedDomains switch.

The -DomainName parameter is a list of domains that you want to be represented as subject alternative names (SANs) within the certificate. The list of domains in the -DomainName parameter and the contents resulting from the -IncludeAcceptedDomains parameter are merged to come up with a full list of the domains that will be in the SAN list of the certificate request.

Finally, the -SubjectName parameter identifies the organization who is requesting the certificate (think of it as the "subject company for the cert"). The organization and country should absolutely be correct.

So, a typical certificate request, for a single server environment, where the server is named SERVER1 and the AD domain is named ESSENTIAL.LOCAL and the email domain is TheEssentialExchange.com:

    new-ExchangeCertificate -GenerateRequest -Path C:\Temp\Cert-request.txt -Subject "c=US, O=The Essential Exchange, CN=mail.TheEssentialExchange.com" -domainName Essential.Local, Server1, Server1.Essential.Local, mail.TheEssentialExchange.com, autodiscover.TheEssentialExchange.com -FriendlyName "Cert for mail.TheEssentialExchange.com" -privateKeyExportable:$true

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
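As an added illustration (not code from anyone in the thread), a small Python parser that classifies the three outcomes seen in Joseph's rpcping transcripts: a proxy-level 401, a completed call with its latency, and an RPC exception such as 1722, keyed by the -e endpoint each command targeted. The sample transcripts are constructed from the quoted output; the endpoint role names are the standard Exchange RPC-over-HTTP port assignments and are not stated in the thread.

```python
"""Summarise rpcping transcripts when troubleshooting Outlook Anywhere (RPC over HTTP)."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard Exchange RPC-over-HTTP endpoints that rpcping -e targets (assumption: not from the thread)
ENDPOINT_ROLE = {6001: "Information Store", 6002: "Referral (DSProxy)", 6004: "NSPI (directory)"}


@dataclass
class PingResult:
    endpoint: Optional[int]  # None when the ping stopped at the RPC proxy (no -e given)
    status: str              # "ok", "proxy_auth_rejected", "http_error", "rpc_exception", "unknown"
    detail: str              # latency, HTTP status code, or RPC exception number


def parse_rpcping(cmd: str, output: str) -> PingResult:
    """Classify one rpcping run from its command line and captured output."""
    m = re.search(r"(?:^|\s)-e\s+(\d+)", cmd)
    endpoint = int(m.group(1)) if m else None
    if (m := re.search(r"Completed (\d+) calls in (\d+) ms", output)):
        return PingResult(endpoint, "ok", f"{m.group(2)} ms")
    if (m := re.search(r"Response from server received: (\d{3})", output)):
        # 401 here means the RPC proxy (IIS) rejected the echo request before any endpoint was reached
        status = "proxy_auth_rejected" if m.group(1) == "401" else "http_error"
        return PingResult(endpoint, status, m.group(1))
    if (m := re.search(r"Exception (\d+) \((0x[0-9A-Fa-f]+)\)", output)):
        # e.g. 1722 = RPC_S_SERVER_UNAVAILABLE: the proxy answered, but the back-end endpoint did not
        return PingResult(endpoint, "rpc_exception", m.group(1))
    return PingResult(endpoint, "unknown", output.strip().splitlines()[-1] if output.strip() else "")


def summarise(results):
    """One human-readable line per run, naming the endpoint role where known."""
    lines = []
    for r in results:
        where = "RPC proxy" if r.endpoint is None else f"{r.endpoint} ({ENDPOINT_ROLE.get(r.endpoint, 'unknown')})"
        lines.append(f"{where}: {r.status} [{r.detail}]")
    return lines


def failing_endpoints(results):
    """Endpoints (None = proxy stage) whose ping did not complete."""
    return [r.endpoint for r in results if r.status != "ok"]


# Constructed sample, abbreviated from the transcripts quoted in the thread
SAMPLE = [
    ("rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -H 2 -a connect -E -R none",
     "RPCPinging proxy server internal.fqdn.local with Echo Request Packet\nSending ping to server\n"
     "Response from server received: 401\nClient is not authorized to ping RPC proxy\nPing failed.\n"),
    ("rpcping -t ncacn_http -s internal.fqdn.local -a connect -e 6001", "Completed 1 calls in 594 ms\n1 T/S or 594.000 ms/T\n"),
    ("rpcping -t ncacn_http -s internal.fqdn.local -a connect -e 6002", "Completed 1 calls in 203 ms\n4 T/S or 203.000 ms/T\n"),
    ("rpcping -t ncacn_http -s internal.fqdn.local -a connect -e 6004", "Exception 1722 (0x000006BA)\n"),
]

if __name__ == "__main__":
    print("\n".join(summarise([parse_rpcping(c, o) for c, o in SAMPLE])))
```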