Validation Failure - An existing connection was forcibly closed by the remote host

    Question

  • Afternoon all, I'm in the process of evaluating CAS roles on 2007 connecting to a 2003 back-end cluster.  Have done all of what I believe needs doing to set up the server side, and added a valid Unified Communications cert.  However, when I run any of the tests, validation always fails on the SSL Cert test.  The messages are pretty similar, but vary slightly depending on the test run:

    A network error occurred while communicating with remote host
    Exception Details:
    Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    Type: System.IO.IOException
    Stack Trace:
    at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
    at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
    Exception Details:
    Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    Type: System.IO.IOException
    Stack Trace:
    at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
    at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()

    The errors always say something relating to the connection being closed by the remote host.  It would seem to me this is something to do with our perimeter firewall, which is a Cisco PIX 515; can anyone make any suggestions with regards to config changes to make to resolve this?  The rules I've set up so far are a static NAT for the 3 websites (the OWA, the autodiscover and the autodiscover redirect), along with allowing ports 80 and 443.

    Many Thanks,

    Andy
    Friday, February 05, 2010 3:32 PM

All replies

  • "Forcibly closed by the remote host" usually points to a port that isn't open or listening. 6001, 6002 & 6004 would also likely be required for that configuration. However, placing CAS in a DMZ with Exchange 2007 probably isn't supported. See the following information:

    Planning for Client Access Servers: http://technet.microsoft.com/en-us/library/bb232184(EXCHG.80).aspx

    Installation of a Client Access server in a perimeter network is not supported. The Client Access server must be a member of an Active Directory directory service domain, and the Client Access server machine account must be a member of the Exchange Servers Active Directory security group. This security group has read and write access to all Exchange servers within your organization. Communications between the Client Access server and the Mailbox servers within the organization occurs over RPC. It is because of these requirements that installing a Client Access server in a perimeter network is not supported.

    Kary

    Saturday, March 20, 2010 2:15 AM
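An added diagnostic (not code from this thread or from ExRCA) that repeats the two steps the SSL Certificate test performs, a TCP connect followed by a TLS client handshake, and reports which step failed, so a reset during the handshake can be told apart from a closed port or a silently dropped packet. The listener that swallows the ClientHello and answers with an RST is a constructed stand-in for a device that accepts the TCP connection but never lets TLS complete; `closing_listener` and `unused_port` are helpers written for this example.

```python
# Added diagnostic, not from the thread or ExRCA: TCP connect, then TLS handshake.
import socket
import ssl
import struct
import threading

def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'ok', 'refused', 'timeout', 'reset_during_handshake' or 'tls_error'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: see whether the handshake
    ctx.verify_mode = ssl.CERT_NONE  # completes; certificate checks come after
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"             # nothing listening, or a firewall REJECT
    except socket.timeout:
        return "timeout"             # silently dropped: firewall DROP or no route
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"          # handshake finished; the cert can now be examined
        except (ConnectionError, ssl.SSLEOFError):
            # TCP connected, then the peer closed before/while answering the
            # ClientHello: the "forcibly closed by the remote host" symptom.
            return "reset_during_handshake"
        except socket.timeout:
            return "timeout"
        except ssl.SSLError as exc:  # some builds report the EOF as a plain SSLError
            return "reset_during_handshake" if "EOF" in str(exc) else "tls_error"

def closing_listener() -> int:
    """Constructed stand-in for a device that accepts TCP but drops the
    connection before TLS completes. Returns the loopback port it uses."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)              # swallow the ClientHello, then answer with RST
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port() -> int:
    """Constructed: a loopback port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `probe_tls` against each published name and port in turn; a `refused` or `timeout` result means the TCP path itself is blocked, while `reset_during_handshake` means something accepted the connection and then tore it down.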