Exchange 2007 Outlook Anywhere RPC endpoint 6004 error


I was attempting to get Outlook Anywhere to work. My environment is Exchange 2007 SP3 with the latest rollup package (as of 2/27/13) running on W2K8R2. I am using a UCC certificate from GoDaddy with my external name “mail.mydomain.com”, and my Subject Alternative Names are autodiscover.mydomain.com; MYINTERNALSRVNAME.mydomain.com; etc…

This is a small environment, so every Exchange role is installed on the same server.

The error pops up when I run the RPC over HTTP test at https://www.testexchangeconnectivity.com and get an error on the following test:

Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server.

I checked a few things on this:
1. I made sure that the “valid ports” registry key in HKLM\Software\Microsoft\RPC\RpcProxy had the following:

“MYMXINTERNALSRVNAME:6001-6002;MYMXINTERNALSRVNAME:6004;MYMXINTERNALSRVNAME..com:6001-6002;MYMXINTERNALSRVNAME.mydomain.com:6004”

2. I added my internal server name to my DNS hosts (I’m not sure if this made a difference). I’m going to remove it and test at a later time.

3. Following someone’s advice (and this is what I really think solved the problem), I edited the hosts file on the Exchange server and put in 2 entries (192.168.1.10 is the internal IP address of my Exchange server):
192.168.1.10 MYMXINTERNALSRVNAME
192.168.1.10 MYMXINTERNALSRVNAME.mylocaldomain.com

This seemed to solve the problem with that 6004 error. I believe it has something to do with an IPv6/IPv4 incompatibility problem with Outlook Anywhere/rpcoverhttp.

More info at:
http://technet.microsoft.com/en-us/library/db543644-c252-47ee-a70b-4f60770083dc.aspx
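
A check for the “valid ports” string from step 1, as an added example that is not part of the original post: it parses the value exactly as printed above, lists entries that do not parse as host:port, and reports which server names lack ports 6001, 6002 or 6004. The function names and the choice of required ports (the ones that appear in the post's value) are assumptions of this example.

```python
import re

REQUIRED_PORTS = {6001, 6002, 6004}  # the ports that appear in the post's value
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# The registry value as printed in the post (placeholder server names).
POST_VALUE = ("MYMXINTERNALSRVNAME:6001-6002;MYMXINTERNALSRVNAME:6004;"
              "MYMXINTERNALSRVNAME..com:6001-6002;"
              "MYMXINTERNALSRVNAME.mydomain.com:6004")

def parse_valid_ports(value):
    """Return ({host: set(ports)}, [entries that are not host:port[-port]])."""
    hosts, bad = {}, []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, spec = entry.rpartition(":")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
        # Every dot-separated label must be non-empty and a valid DNS label.
        labels_ok = bool(host) and all(LABEL.match(l) for l in host.split("."))
        if not sep or not m or not labels_ok:
            bad.append(entry)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo > hi or hi > 65535:
            bad.append(entry)
            continue
        hosts.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return hosts, bad

def missing_ports(value, names):
    """Return ({name: [required ports not covered]}, malformed entries)."""
    hosts, bad = parse_valid_ports(value)
    gaps = {n: sorted(REQUIRED_PORTS - hosts.get(n.lower(), set())) for n in names}
    return {n: g for n, g in gaps.items() if g}, bad

if __name__ == "__main__":
    names = ["MYMXINTERNALSRVNAME", "MYMXINTERNALSRVNAME.mydomain.com"]
    gaps, bad = missing_ports(POST_VALUE, names)
    print("malformed entries:", bad)
    print("names missing ports:", gaps)
```

Run against the string as printed, the third entry is rejected because of the empty label in `..com`, which leaves the FQDN covered only for 6004.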


Solve Proxy Bypass Problems


I noticed that a lot of people were bypassing my proxy using Firefox Portable and other standalone browsers. I am using a proxy installed on a machine that is not directly attached to my default gateway, so I have them pick up the proxy address from WPAD, and lock down the proxy settings page in IE through Group Policy.

A simple solution to people bypassing your proxy is to put an entry in your firewall that only allows HTTP and HTTPS traffic originating from your proxy server. If you’re not administering a very large network this is ideal. Another advantage is that, since it is not specific to Firefox, it catches any browser that users throw at it and forces them to put in proxy settings to use the internet. This also solves the problem of users trying to get around the proxy by modifying their “auto detect proxy” settings. Group Policy cannot lock down the proxy settings page of every browser, and people always find clever ways to install the multitude of internet browsers out there, so with the firewall rule in place they cannot simply bypass the proxy by changing the “don’t detect proxy” setting. Here’s what the entries look like in a SonicWall router to allow only HTTP/HTTPS traffic that comes from your proxy (the proxy server in this example is called flserver4).

[Screenshot: bypassproxy]

Once you have a rule like the above set up, you can add a few exceptions for your servers, etc. by placing an “allow” for those addresses with a lower priority number than the deny. In the example above, I created an Address Group and can add IP addresses/hosts to it whenever I need. I would put an allow entry in where the source is my server IP, the destination is ANY, and the service is HTTP/HTTPS, at a priority of 17/18, which would process before the deny. To make it easier, you can create a Service Group containing both the HTTP and HTTPS ports so you don’t have to put every exception in twice, and use the Address Group to contain the hosts you would like to allow, so you do not have to create an entry for every IP address.
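
The rule ordering described above, modelled as an added example that is not part of the original post and is not SonicWall configuration: rules are evaluated lowest priority number first, and a helper lists which hosts can still reach ports 80/443 without the proxy. All addresses, the priorities 19 and 20, and the treatment of unmatched traffic as permitted are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

WEB = frozenset({80, 443})  # HTTP/HTTPS service group, as suggested in the post

# Constructed sample data: flserver4 is the proxy named in the post; every
# address and the priorities 19 and 20 are assumptions made for this example.
GROUPS = {
    "flserver4": [ip_network("10.0.0.5/32")],
    "web_exceptions": [ip_network("10.0.0.10/32"), ip_network("10.0.0.11/32")],
    "any": [ip_network("0.0.0.0/0")],
}
RULES = [  # (priority, source group, destination ports, action)
    (17, "web_exceptions", WEB, "allow"),
    (19, "flserver4", WEB, "allow"),
    (20, "any", WEB, "deny"),
]

def decide(src, dport, rules=RULES):
    """First match wins, lowest priority number first. Returns (action, priority)."""
    addr = ip_address(src)
    for prio, group, ports, action in sorted(rules, key=lambda r: r[0]):
        if dport in ports and any(addr in net for net in GROUPS[group]):
            return action, prio
    return "no-match", None  # left to whatever other rules the firewall has

def direct_web_sources(candidates, rules=RULES):
    """Hosts from `candidates` that can still reach 80/443 without the proxy.

    Assumption: traffic that matches no rule here is permitted elsewhere.
    """
    proxy = GROUPS["flserver4"]
    return sorted(
        src for src in candidates
        if not any(ip_address(src) in net for net in proxy)
        and any(decide(src, p, rules)[0] != "deny" for p in WEB)
    )

if __name__ == "__main__":
    hosts = ["10.0.0.57", "10.0.0.10", "10.0.0.5"]  # workstation, server, proxy
    for h in hosts:
        print(h, decide(h, 443))
    print("direct web access still possible from:", direct_web_sources(hosts))
```

With the deny in place only the exception-group server shows up as having direct web access; run `direct_web_sources` against a rule list without the deny to see every workstation appear.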

Obviously, the best way to use a proxy is to use two NICs and place the server/device in front of your router, or to use a content filtering solution that is installed on the router itself, since all traffic leaving must go through this server/device to get out. SonicWall has one, and Cisco has one on a certain series of routers. However, if you have a proxy working on a standalone server that is not installed in front of your gateway so that all traffic has to pass through it, then the above solution should suffice. Everyone out there has a different setup, so this will help when you do not have the luxury of that type of setup.

There is also an ADM out there that allows you to configure Firefox through Windows Group Policy. However, since standalone Firefox is not actually installed on the machine and does not contain registry entries, I’m not sure that this will work, so you might want to investigate that. Another person has a great writeup on how to create your own. If you need to enforce more than just proxy settings then you should take a look at it.

http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/

Here’s another writeup I had on autoconfiguration setup a little while ago that addresses how to set it up and contains links at the bottom on troubleshooting and concerns with using wpad.

Multiple Desktops On Windows


Not sure how long this has been out, but I just came across a helpful tool. Those of you who use Ubuntu or most other Linux versions are familiar with multiple desktops. I was using the Sysinternals suite to troubleshoot a file problem I was having, and I came across the Desktops application, which allows you to do this. It is ridiculously easy to use and you can set it to load on startup. You can also easily switch between screens with shortcut keys, just like Linux. It also has some limitations, such as that you can’t close desktops once they are created (you need to log off to close them). For more info or to download you can visit here or just get it as part of the Sysinternals suite, which contains great tools for troubleshooting and maintenance.