Exchange RPCoHTTP fails with L7 content switching

1

Hi,

I'm testing KEMP with publishing Exchange 2016 in a 2 node PoC setup, test tool is https://testconnectivity.microsoft.com.

I've created two VIPs for testing based on the Exchange 2013 templates and publish one of them on the FW under a single public IP/DNS name:

  1. L7 per server: everything works fine
  2. L7 per service using content switching: RPC over HTTP test fails, all other protocols work fine. The error is the following:

    Attempting to ping the MAPI Mail Store endpoint with identity: 0fdb0518-1d23-4cb6-a606-83365aca1f17@ex16test.xxx.yyy:6001.
    The attempt to ping the endpoint failed.

    Additional Details
    An RPC error was thrown by the RPC Runtime process. Error 1818 CallCancelled
    Elapsed Time: 57273 ms.

I see no errors within the KEMP system log with L7 debug traces turned on.

What could be the RPC specific problem on KEMP which comes up only when using per service content switching?
The RPC selection pattern is /^\/rpc.*/ from the template.

BR,

Andras



 

9 comments

0
david.archambeau

Hi,

 

I have the same problem, and one client with Outlook 2010 (RPC Over HTTP) is not able to connect.

Have you found a solution?

 

David

0
Christian Scheller

Hello,

 

The regex is correct; it matches everything that begins with /rpc after the FQDN.

Have you enabled Transparency for the virtual service? If so, please disable it.

And please check your persistence options set for the MAPI connection. If persistence is the root cause for the failure you could get a better indication by enabling:

 

System Configuration ==> System Log Files ==> Debug Options ==> Enable L7 Debug Traces

 

which would enable verbosity for the "System Message File". 

Please post your results here.

 

In addition, customers in evaluation are entitled to raise support tickets, so please consider this option if the above does not help in solving the issue.

With Kind Regards
KEMP Customer Service

 

 

0
atudos

Hi,

 

I've turned off transparency both at /RPC and /MAPI (although I would prefer to have client IPs in my logs on Exchange side), but this didn't help. Persistence mode is set to none.

I see the following errors in system log after enabling L7 debug traces:

l7_mangle_(replace)header failed '/mapi/emsmdb/?MailboxId=4d707369-fcf3-478c-bb1c-3d4747ba74f1@ex16test.neostratus.com'

l7_mangle_(replace)header failed '/rpc/rpcproxy.dll?4d707369-fcf3-478c-bb1c-3d4747ba74f1@ex16test.neostratus.com:6001'

Both errors are repeated multiple times while the MS RCA test is running and at the end timing out with the following RPC error:

MAPI over HTTP seems to be working fine:

...

Testing the MAPI Mail Store endpoint on the Exchange server.
We successfully tested the Mail Store endpoint.

Additional Details
Elapsed Time: 2321 ms.

Test Steps

Attempting to log on to the Mailbox.
We were able to log on to the Mailbox.

Additional Details
Elapsed Time: 2321 ms.


RPC over HTTP fails:

...

Testing HTTP Authentication Methods for URL https://ex16test.neostratus.com/rpc/rpcproxy.dll?4d707369-fcf3-478c-bb1c-3d4747ba74f1@ex16test.neostratus.com:6002.
The HTTP authentication methods are correct.

Additional Details

The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
HTTP Response Headers:
request-id: 9c7393c4-35fe-407c-89b9-f01ddd0fda8e
Cache-Control: private
Set-Cookie: ClientId=B4DP9U3DFECKV5A7MHYNVG; expires=Wed, 02-Nov-2016 13:22:48 GMT; path=/; secure; HttpOnly
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate,NTLM,Basic realm="ex16test.neostratus.com"
Date: Tue, 03 Nov 2015 13:22:48 GMT
Content-Length: 0
Elapsed Time: 146 ms.

Attempting to ping RPC proxy ex16test.neostratus.com.
RPC Proxy was pinged successfully.

Additional Details
Elapsed Time: 913 ms.

Attempting to ping the MAPI Mail Store endpoint with identity: 4d707369-fcf3-478c-bb1c-3d4747ba74f1@ex16test.neostratus.com:6001.
The attempt to ping the endpoint failed.

Additional Details
An RPC error was thrown by the RPC Runtime process. Error 1818 CallCancelled
Elapsed Time: 33252 ms.

 

I'm evaluating and will try to open a support ticket as well.

 

BR,

Andras

0
atudos

KEMP support could resolve this quickly: the "Exchange 2013 HTTPS Offloaded" template creates a "HTTP header modification rule", which is redirecting the root URL to /owa. After removing this rule RPC testing with RCA works as expected. I still need to figure out how to make both root redirection and RPC work correctly together.

0
atudos

I've figured out the solution: the redirection rule needs to be added to the OWA subVS instead of the main VS, and this way both RPC and root to OWA redirection seem to work fine. (The OWA subVS is selected for the root URL based on the content switching rules.)

0
Christian Scheller

Thank you.

 

KEMP Customer Service

 

0
edv

Hi atudos, I tried it as you explained, but I am not redirected to OWA after the changes.

What did you mean by "The OWA subVS is selected for the root URL based on the content switching rules"?

 

Thanks

 

Daniel

0
atudos

Hi,

This is working for us correctly.

Here is a SubVS selector content rule pattern as an example: /^mail\.domain\.com(\/|\/owa.*)$/
Make sure you have the "Include Host in URL" option checked, or you can try it without the FQDN as well! This rule matches the root as well as /owa.

The redirect rule is then applied within the subVS under "HTTP Header Modifications":

Type: Modify URL
Pattern: /^\/$/
Replacement: /owa

BR, Andras
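
The selector and redirect patterns quoted in this thread can be checked offline before they are applied. The following is an added example, not KEMP code and not part of any post: it models a per-rule "Include Host in URL" setting and a Modify URL rule scoped to the OWA subVS. First-match evaluation order, matching on the path without the query string, and the helper names are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the setup in this thread; not KEMP code.
# Selection rules, first match wins: (subVS, pattern, include_host).
SELECTION_RULES = [
    ("RPC", r"^\/rpc.*", False),                        # template pattern
    ("OWA", r"^mail\.domain\.com(\/|\/owa.*)$", True),  # pattern from the post
]
# "Modify URL" rules scoped to a subVS: (pattern, replacement).
SUBVS_MODIFY_URL = {"OWA": [(r"^\/$", "/owa")]}


def select_subvs(host, path):
    """Return the first subVS whose selector matches, or None."""
    for name, pattern, include_host in SELECTION_RULES:
        # With "Include Host in URL" the host is prepended to the path.
        subject = host + path if include_host else path
        if re.search(pattern, subject):
            return name
    return None


def route(url):
    """Return (subVS, path after that subVS's rewrite rules) for a URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    subvs = select_subvs(parts.hostname or "", path)
    # Only the selected subVS's rewrite rules see the request.
    for pattern, replacement in SUBVS_MODIFY_URL.get(subvs, []):
        if re.search(pattern, path):
            path = re.sub(pattern, replacement, path)
            break
    return subvs, path


if __name__ == "__main__":
    # Constructed sample requests (placeholder host and mailbox GUID).
    for url in (
        "https://mail.domain.com/",
        "https://mail.domain.com/owa/auth/logon.aspx",
        "https://mail.domain.com/rpc/rpcproxy.dll"
        "?00000000-0000-0000-0000-000000000000@mail.domain.com:6001",
        "https://autodiscover.domain.com/",
    ):
        print(url, "->", route(url))
```

In this model the RPC request never meets the root rewrite, and a root request under a host name the OWA selector does not list selects no subVS and is not rewritten to /owa.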

0
Athideth Sananikone

Hi there,

I'm having the same problem, that Outlook clients won't connect using Outlook Anywhere. Using the MSRCA it stops saying:

Attempting to ping RPC proxy mail.tangro.de.
RPC Proxy can't be pinged.

Additional Details

An unexpected network-level exception was encountered. Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
Elapsed Time: 665 ms.

What am I doing wrong here?

Regards,

Athi