10th February 2007, 12:06 am
RPC-over-HTTP, or Outlook Anywhere as it is called in Exchange 2007, offers users a way to access their e-mail securely with Outlook from anywhere in the world, without using a VPN connection.
If you’re using Microsoft’s ISA product line at your border, then you’re fine; ISA works with RPC over HTTP. However, Apache’s mod_proxy doesn’t support passing along the proprietary RPC_IN_DATA and RPC_OUT_DATA HTTP methods.
There are other proxies which support it, like Pound; however, Pound doesn’t allow SSL backend connections, leaving plaintext passwords on your mostly-trusted LAN.
In the end, I gave up and published a separate IIS website directly to the web. For this, I created a new IIS website, assigned it to a random port, added the proper port forwardings on the gateway, and added just the RPC directory to this new site, and exposed it only through HTTPS. I think this is as good as it gets.
If you don’t know how to move these virtual directories yet, it is quite simple. Right click the directory, select “All tasks”, select “Export to a file”, and then go to the new website, right click on it, select “New” and then “New virtual directory (from file)”. Quite easy – if you know where to find it.
If you’re having trouble getting RPC over HTTP to work, here are two tips:
- Make sure that the certificate for the RPC over HTTP server is trusted by the client. For laptops in your domain, this is usually automatically the case, because of group policies. With home offices, this is usually not the case. Outlook does not give you an error message regarding this problem.
- Start outlook.exe using the /rpcdiag switch. This allows you to see how Outlook establishes the connection.
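To check whether a front end passes the two RPC verbs mentioned above before debugging Outlook itself, a small probe helps. This is an added example, not part of the original post; the URL path, the status-code heuristic and the two local stand-in servers are assumptions constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RPC_METHODS = ("RPC_IN_DATA", "RPC_OUT_DATA")
RPC_PATH = "/rpc/rpcproxy.dll"  # assumption: usual RPC proxy URL, not given on the page

def probe(host, port, use_tls=False, timeout=5):
    """Send each RPC verb once; return {method: (status, verdict)}."""
    results = {}
    for method in RPC_METHODS:
        # With use_tls=True the default context verifies the certificate, so an
        # untrusted one raises ssl.SSLCertVerificationError instead of failing silently.
        cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
        conn = cls(host, port, timeout=timeout)
        try:
            conn.request(method, RPC_PATH, headers={"Content-Length": "0"})
            status = conn.getresponse().status
        finally:
            conn.close()
        # Heuristic (assumption): 400/405/501 means the verb itself was refused;
        # anything else, typically a 401 challenge, means it reached a server that knows it.
        verdict = "blocked" if status in (400, 405, 501) else "passed"
        results[method] = (status, verdict)
    return results

class StrictFrontEnd(BaseHTTPRequestHandler):
    """Constructed stand-in for a proxy that only handles standard verbs."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

class RpcAwareBackend(StrictFrontEnd):
    """Constructed stand-in for a server that accepts the verbs but wants credentials."""
    def challenge(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_RPC_IN_DATA = do_RPC_OUT_DATA = challenge

def serve(handler):
    """Start a constructed local server on a free port and return it."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Point probe() at your own published host and port with use_tls=True; a certificate error there is the same trust problem Outlook hides from you.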
5th February 2007, 04:20 pm
A few months back the Sylon Mail Server crashed because of spurious reiserfs errors. The machine was already old, and we suspected problems with the storage subsystem (an HP SmartArray and 2×36, 2×147GB U320 disks), so we replaced the whole machine, but also changed the filesystem back to ext3. Luckily, thanks to backups and a mostly working reiserfsck, no mail was lost (but a whole night).
Now the same problem happened again, but on another machine, about a year old (an IBM xSeries 306m), running a Linux software raid with two 80GB disks on an Intel AHCI SATA controller. Completely different hardware.
ReiserFS: dm-2: warning: vs-13060: reiserfs_update_sd: stat data of object [491319 491321 0x0 SD] (nlink == 11) not found (pos 1)
I don’t really understand why these errors just pop up. The machine has ECC RAM, and the AHCI controllers are rather stable. It’s the same symptoms as we had on the Sylon mail server. In this case, I had a lot more luck than with the Sylon mail server. The affected volume was just for online backup storage. I ran reiserfsck, which suggested a --rebuild-tree. I didn’t go that route, and reformatted the volume with ext3.
I still have one machine running reiserfs, but I hope that I don’t get any more problems with it.
1st February 2007, 09:21 am
I’ve always hated the IBM service agent. But with V5R4, it has become usable. Not good, but working. I still think that IBM lacks quite a lot of documentation when it comes to setting up service agent for the first time. If you’re in this helpless situation as I was, here’s my short list on how to get it working.
- Set up TCP/IP; you will need a default route, name servers, etc. ping 'www.google.com' should work
- Use WRKCNTINF to set contact information
- Set the system value QRETSVRSEC to 1
- Create a duplicate of QSECOFR and log on as that user – I usually call this one QESAADM
- Log on as QESAADM
- Type GO SERVICE, and answer the country questions
- If you did everything correctly, you should be in the SERVICE menu
- Go back, and use SNDSRVRQS *TEST to send a test request – the first one will take lots of time, and a Java job named QESECARE will run for a few minutes
- Use the job scheduler to submit the scheduled job QS9AUTOTST right now.
- Have a look at the QSYSOPR MSGQ, and at the WRKPRB output to see if everything worked.
If you have some problems, they’re probably related to a missing crypto option (5722-AC3 on V5R3, V5R4 does not need one). Other causes can be connection problems like restrictive firewalls. See WRKTCPPTP – QLCLDIAL* for dial-up connections, and QVPNIBM* for VPN connections. The spool files of these jobs in particular contain valuable debug information.