Everything works, but RCA fails on two tests with RPC Proxy can't be pinged and Forbidden

    Question

  • Running the Remote Connectivity Analyzer against a new complex E2010 environment. There are two domain-joined TMG Enterprise SP2 servers in an array. These are load-balanced using HLB Citrix NetScaler with IP source affinity and an 8 hour timeout.
    TMG is configured for NTLM authentication (Kerberos Constrained Delegation) using the following whitepaper:
    http://www.microsoft.com/download/en/details.aspx?id=22723
    TMG is also configured for AS + OWA + LEGACY OWA using the following whitepaper:
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946
    TMG accesses a farm of 2 CAS servers, and there are also 2 MBX/HT servers running a DAG.

    More info:
    - Running Exchange SP1 + RU5.
    - Public trusted SAN-certificate used
    - Autodiscover using SRV record since many domain names
    - The OA rule has the following paths:
      /rpc/*
      /OAB/*
      /ews/*
      /AutoDiscover/*
    - The OWA rule has the following paths:
      /public/*
      /OWA/*
      /Exchange/*
      /ecp/*
    - The AS rule has the following paths:
      /Microsoft-Server-ActiveSync/*
      /Autodiscover/

    And, most importantly - everything is working! ActiveSync works, Autodiscover works, Outlook Anywhere works with NTLM, and users are successfully logging in from the Internet; Outlook doesn't prompt for username/password but uses cached credentials instead.

    AS + AS Autodiscover + Outlook Autodiscover tests work and succeed in the tests. So that's all good, but the Remote Connectivity Analyzer fails on two tests:

    Outlook (RPC over HTTP) test fails with error:
    Attempting to ping RPC proxy webmail.domain.com.
    RPC Proxy can't be pinged.
    An HTTP 403 error was received because ISA Server denied the specified URL.

    Have tried the suggested solutions:
    KB942637 - seems to only apply to ISA
    KB947124 - Tried method 1 and rebooted.


    Exchange Web Services synchronization, notification, availability, and Automatic Replies (OOF) test fails with error:
    Ensuring that the test mailbox folder is empty and accessible.
    ExRCA couldn't confirm that the folder is accessible and empty.
    Additional Details
    Exception details:
    Message: The request failed. The remote server returned an error: (403) Forbidden.
    Type: Microsoft.Exchange.WebServices.Data.ServiceRequestException
    Stack trace:
     at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
     at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
     at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet)
     at Microsoft.Exchange.Tools.ExRca.Tests.EnsureEmptyFolderTest.PerformTestReally()
    Exception details:
    Message: The remote server returned an error: (403) Forbidden.
    Type: System.Net.WebException
    Stack trace:
     at System.Net.HttpWebRequest.GetResponse()
     at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()
     at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)

    • Edited by jbb1234 Wednesday, February 15, 2012 12:30 PM
    Tuesday, January 31, 2012 5:32 PM

Answers

  • At last we found the problem!

    We have Hardware Load Balancers in front of the TMG-servers and it had rules to match the different paths:
    /rpc/
    /ews/
    /oab/
    etc...

    Depending on the path, it sent the traffic to different listeners on the TMG-servers. The problem was that these rules were not case sensitive so this probably caused /rpc/ traffic and /EWS/ traffic to be sent to different listeners on the TMG servers. Now, I don't really know if Outlook 2010 uses /ews/ or /EWS/ so we changed the rules to be case insensitive and this immediately solved our problems with Free/Busy, OOF, OAB and now the tests work properly.

    If someone wants more details, please reply to this thread.

    Monday, August 13, 2012 1:25 PM
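    The failure mode described in the answer, as an added example that is not part of the original thread or of the poster's NetScaler/TMG configuration: a small simulation of path-based content switching in front of the TMG listeners, run once with case-sensitive prefix matching and once with case folding, followed by a TMG publishing-rule path check. The prefixes mirror those named in the question and answer (/rpc/, /ews/, /oab/, /owa/ ...); the listener names, the fall-through to the OWA listener, the sample URLs and the assumption that TMG itself compares paths case-insensitively are all assumptions for illustration.

```python
"""Simulated path-based content switching in front of two TMG listeners.

Added example, not configuration from the thread. Rule prefixes mirror the
ones the thread names; listener names, the default listener, the sample
requests and the TMG path-matching behaviour are assumptions.
"""
from urllib.parse import urlsplit

# HLB content-switching rules: URL path prefix -> TMG listener (assumed names).
HLB_RULES = [
    ("/rpc/", "listener-oa"),
    ("/ews/", "listener-oa"),
    ("/oab/", "listener-oa"),
    ("/autodiscover/", "listener-oa"),
    ("/microsoft-server-activesync/", "listener-as"),
]
# Assumption: anything no rule matches falls through to the OWA listener.
DEFAULT_LISTENER = "listener-owa"

# Paths each TMG publishing rule accepts, following the rule definitions in
# the question. Assumption: TMG compares paths case-insensitively, so the
# check below lower-cases the request path before comparing.
TMG_RULE_PATHS = {
    "listener-oa": ["/rpc/", "/oab/", "/ews/", "/autodiscover/"],
    "listener-owa": ["/public/", "/owa/", "/exchange/", "/ecp/"],
    "listener-as": ["/microsoft-server-activesync/", "/autodiscover/"],
}


def select_listener(path, case_sensitive):
    """Pick the TMG listener the HLB would send this path to."""
    probe = path if case_sensitive else path.lower()
    for prefix, listener in HLB_RULES:
        if probe.startswith(prefix):
            return listener
    return DEFAULT_LISTENER


def tmg_status(listener, path):
    """200 if a publishing rule on the listener covers the path, else 403
    (the 'denied the specified URL' seen in the question)."""
    lowered = path.lower()
    if any(lowered.startswith(p) for p in TMG_RULE_PATHS[listener]):
        return 200
    return 403


def handle(url, case_sensitive):
    """End-to-end: HLB switch, then TMG rule check. Returns (listener, status)."""
    path = urlsplit(url).path
    listener = select_listener(path, case_sensitive)
    return listener, tmg_status(listener, path)


# Constructed sample requests in the letter case clients commonly send;
# the hostnames and GUID are made up.
SAMPLE_URLS = [
    "https://webmail.domain.com/rpc/rpcproxy.dll?mbx.domain.local:6001",
    "https://webmail.domain.com/EWS/Exchange.asmx",
    "https://webmail.domain.com/OAB/0ab1c2d3-0000-0000-0000-000000000000/oab.xml",
    "https://webmail.domain.com/autodiscover/autodiscover.xml",
    "https://webmail.domain.com/owa/",
]


def misrouted(case_sensitive):
    """Sample URLs that end in 403 under the given HLB matching mode."""
    return [u for u in SAMPLE_URLS if handle(u, case_sensitive)[1] == 403]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"HLB case_sensitive={mode}")
        for u in SAMPLE_URLS:
            listener, status = handle(u, mode)
            print(f"  {status} {listener:13} {u}")
```

    With case-sensitive matching, /EWS/ and /OAB/ miss every switching rule, fall through to the OWA listener, and are refused there with 403 because the OWA publishing rule lists neither path; /rpc/ is unaffected, which is consistent with Outlook Anywhere itself working while Free/Busy, OOF and OAB fail. With case folding, every sample request reaches the listener whose rule covers it. The same simulation explains why adding /ews/* to the OWA rule (as the poster did earlier in the thread) masks the symptom without fixing the routing.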

All replies

  • For the OOF message, were you using your mailbox or another mailbox that has actual emails in it?  If so, create a blank mailbox just for the test.  Then it should succeed.

    As for the other message, do you really want the proxy address to be pingable from the Internet?  Did you check logging on the TMG server?


    JAUCG
    Thursday, February 02, 2012 5:14 AM
  • Are you entering an account with Windows administrative permissions when using testexchangeconnectivity.com? Then some tests will fail on Exchange.
    use a regular user/testaccount as already suggested

    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com

    Friday, February 10, 2012 9:43 PM
  • Sorry for late reply, busy migrating mailboxes the last couple of days but I've made some progress.

    No, the user is not admin (I know about the problem where ActiveSync stops working because Inherit... is unchecked on Domain Admins).

    I needed to add the following path to the OWA rule as well, in addition to clearing out the data in the mailbox.
    /ews/*
    I guess this is because the OA rule does not have SSO for .domain.com enabled (greyed out). 
    This also got BlackBerry working. 

    Regarding ping: isn't the RPC Proxy ping performed once authentication has been performed? Or is it just that if you're using TMG you will get errors in RCA? Is there any way to temporarily allow this so RCA succeeds, so I can check that all the other tests in the Outlook Anywhere test succeed and verify everything is correct, and then change it back to block RPC ping?

    Wednesday, February 15, 2012 1:07 PM
  • Is IPv6 unbound from your NIC on Exchange servers? if so enable it and try the test again.


    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com

    Thursday, February 16, 2012 9:38 PM
  • No, it's enabled. I specifically told the installation guys not to disable it since they seem to do it quite often. Just double-checked, it's enabled on all servers (including the TMGs).
    Friday, February 17, 2012 9:01 AM
  • How is the Listener on TMG configured regarding authentication, is it demanding auth? What are the other settings on the Listener?


    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com

    Friday, February 17, 2012 8:30 PM
  • It's for OA so the rule is configured for Kerberos Constrained Delegation. Regarding the listener, any other details you need?

    Monday, February 20, 2012 8:10 AM
  • This is from another thread and could be your solution.

    http://social.technet.microsoft.com/Forums/en-US/exrca/thread/4addbbf8-e3cb-4f78-82cc-8d78a4d623ba/


    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com

    Tuesday, February 21, 2012 6:20 AM
  • Any updates?

    JAUCG

    Monday, March 05, 2012 6:16 PM
  • Interested to know the configuration in the netscaler as we are looking to implement both Exchange and ADFS through TMG HLB by the Netscaler. Thanks.
    Wednesday, August 22, 2012 11:16 AM
  • We have two TMG Enterprise servers in DMZ that we load balance using TMG. This article explains quite well how we load balance Exchange after the TMG:
    http://www.microsoft.com/en-us/download/details.aspx?id=22723

    Citrix also has a Deployment Guide here:
    http://community.citrix.com/display/ns/Microsoft

    Let me know if you have any specific questions since the implementation is quite complex compared to the Citrix deployment guide :)

    Wednesday, August 22, 2012 11:43 AM