“What is RPC over HTTPS, and why is enabling it on a single Exchange
Server significant?” I hear you cry.
RPC over HTTP(S) is the technical term for ‘Outlook Anywhere’ –
the technology that allows you to access Exchange from an Outlook client via
any Internet connection as if you were connected via the local network.
Outlook Anywhere is similar to the Server ActiveSync protocol used
by Windows Mobile devices to access Exchange in that it is used to synchronise
email, contacts and calendar with the client device, but whereas Server
ActiveSync can only synchronise data with a specific user mailbox, Outlook
Anywhere allows the user to use the full functionality of their Outlook client
remotely – this includes accessing mailboxes other than their own (should they
have permission to), public folders, everything they can do when connected
locally in the office.
RPC stands for Remote Procedure Call. Whenever you perform an action
in Outlook that requires a response from the Exchange server, Outlook sends a
remote procedure call to the Exchange server and gets a response back.
What Outlook Anywhere does is to encrypt these remote procedure
calls using a digital certificate and then send them to the Exchange server
over the Internet, hence RPC over HTTPS.
Exchange 2007 can support Outlook Anywhere in a single-server
deployment, but Exchange 2003 requires that Exchange be deployed in a 2-server
topology called a ‘front-end’ / ‘back-end’ deployment. This is principally for
security reasons: the ‘front-end’ server, because it is Internet-facing, sits
in a DMZ environment and receives the encrypted request from the Outlook
client. It then decrypts the request and sends it, unencrypted, over the local
network to the ‘back-end’ Exchange server exactly as a local Outlook client
would do. When the response is received from the back-end Exchange server, it
is encrypted and then sent back to the client over the Internet.
It is possible to do all of this without encrypting the information,
in which case it would be RPC over HTTP, but this guide assumes that you are
using a certificate to encrypt information, and I strongly recommend that you
do.
It is important to note that Exchange 2007 can also be configured in
this way should security be a concern, except that with Exchange 2007 the
terminology has changed so that you no longer have ‘front-end’ and ‘back-end’
servers, instead you have different Exchange roles that can be applied in any
topology you want – so you have ‘edge servers’ and ‘mailbox servers’ as well as
‘client access servers’ and ‘hub transport servers’.
The ‘role’ of an Exchange 2003 server is specified in the Exchange
System Manager. Right click on the Exchange server and select Properties. On
the General tab there is an option to specify ‘This is a Front End server’:

In a single-server deployment, if you try to select this option you
will receive an error indicating that you cannot set a server as a front-end
server if it is the only Exchange server in the organisation:

However, trust me, it IS possible. But it does involve editing the
registry on the Exchange server. Because of this I cannot stress enough that
you should NOT perform any of what I am about to tell you on your own production
(that is to say, LIVE) Exchange environment unless you fully understand the ramifications
of any changes you make to your server and have at the very least a full backup
of the server that can be restored should anything go wrong. In fact, I would
suggest that, if you do want the functionality of Outlook Anywhere and cannot
afford either an additional license for a second Exchange server or an upgrade
to Exchange 2007, you pay me to do it for you!
To enable RPC over HTTP on your Exchange server, there are a number
of steps you need to follow.
Install RPC over HTTP Proxy Service
You first need to install the RPC over HTTP proxy service. This is a
component of the Windows Server operating system and is installed via the
Add/Remove Windows Components applet within the Control Panel. It is located
under Networking Services:

Configure authentication mechanism to RPC virtual directory within IIS Manager
Now launch the Internet Information Services (IIS) Manager applet.
Locate the RPC virtual directory:

Right click on the virtual directory and select Properties.
Click on the Directory Security tab and then on the Edit button in
the Authentication and Access Control section:

Untick the option to Enable Anonymous Access.
Tick the option to enable Basic Authentication. A warning message
will be displayed; click Yes to acknowledge it.
In the Default Domain field, click on the Select button and select
the Domain that the Exchange server services:

Click OK.
NOTE – you have now enabled Basic Authentication on the Exchange
server's RPC virtual directory. As mentioned previously, this is acceptable if
you are using a digital certificate to encrypt client-server communications; if
you are not, any password information sent over the Internet could be intercepted.
Configure RPC virtual directory to require SSL communication within IIS Manager
Still within the Directory Security tab, click on the Edit button in
the Secure Communications section:

Ensure that the option to Require Secure Channel (SSL) is ticked, as
well as the option below it. Normally this option will be selected already if
you use SSL with Outlook Web Access.
Configure RPC port access in the Registry
On the Exchange server, click on Start and select Run. Type in
‘regedt32.exe’ and click OK. This will launch Registry Editor.
Browse to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Verify that the Rpc/HTTP port is set to 6001 (it will be by
default):

Now browse to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
Verify that the HTTP Port is set to 6002 (it will be by default).
Also verify that the Rpc/HTTP NSPI Port is set to 6004 (it will be
by default).

Now browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy
Double click on the ValidPorts entry, the following will be
displayed:

Delete the contents of the field (exchange:100-5000), and replace it
with the following:
<ServerNETBIOSName>:6001-6002;<ServerFQDN>:6001-6002;<ServerNETBIOSName>:6004;<ServerFQDN>:6004
where <ServerNETBIOSName> is the machine name of the Exchange
server itself, and <ServerFQDN> is its external name (i.e. the name used by
Outlook Web Access).
So my server would require the following entry:
exchange:6001-6002;exchange.oa-demo.co.uk:6001-6002;exchange:6004;exchange.oa-demo.co.uk:6004
If the Internal FQDN of the server is different from the External FQDN, then the entry needs to be longer. Suppose the NETBIOS name of the server is 'UKMAIL01', and the internal FQDN is 'UKMAIL01.oa-demo.co.uk', and the external name of the server is 'exchange.oa-demo.co.uk', then the entry would need to be:
UKMAIL01:6001-6002;UKMAIL01.oa-demo.co.uk:6001-6002;exchange.oa-demo.co.uk:6001-6002;UKMAIL01:6004;UKMAIL01.oa-demo.co.uk:6004;exchange.oa-demo.co.uk:6004
You may need to adjust these settings; for example, the internal FQDN may be UKMAIL01.oa-demo.local.
Don't be afraid to experiment!
Exit Registry Editor.
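The ValidPorts entry described above controls which server names and ports the RPC proxy will relay to, so it is worth checking after editing. The following Python code is an added example, not part of the original guide: it builds the string in the guide's layout and audits an existing value for missing names or ranges wider than ports 6001, 6002 and 6004. The function names are hypothetical; the hostnames and the default value are the guide's own.

```python
# Added example: build and audit an RpcProxy ValidPorts string.
# The three ports are the ones the guide verifies in the registry:
# Rpc/HTTP Port (6001), HTTP Port (6002), Rpc/HTTP NSPI Port (6004).
REQUIRED = {6001, 6002, 6004}


def build_valid_ports(*hostnames):
    """Return the ValidPorts value in the layout the guide uses:
    every name with 6001-6002 first, then every name with 6004."""
    names = list(dict.fromkeys(hostnames))  # de-duplicate, keep order
    return ";".join([f"{n}:6001-6002" for n in names] +
                    [f"{n}:6004" for n in names])


def parse_valid_ports(value):
    """Parse 'host:port' / 'host:low-high' entries into {host: set(ports)}."""
    hosts = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, _, ports = entry.rpartition(":")
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)  # ValueError if not numeric
        if not host or not 1 <= low <= high <= 65535:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        hosts.setdefault(host.lower(), set()).update(range(low, high + 1))
    return hosts


def audit_valid_ports(value, expected_hosts):
    """List findings: names the proxy will refuse on a required port, and
    ports it will relay to beyond the three Exchange needs."""
    hosts = parse_valid_ports(value)
    findings = []
    for name in expected_hosts:
        missing = REQUIRED - hosts.get(name.lower(), set())
        if missing:
            findings.append(f"{name}: missing ports {sorted(missing)}")
    for host, ports in sorted(hosts.items()):
        extra = ports - REQUIRED
        if extra:
            findings.append(f"{host}: {len(extra)} unneeded ports "
                            f"({min(extra)}-{max(extra)}) reachable via proxy")
    return findings


if __name__ == "__main__":
    names = ("UKMAIL01", "UKMAIL01.oa-demo.co.uk", "exchange.oa-demo.co.uk")
    print(build_valid_ports(*names))
    for finding in audit_valid_ports("exchange:100-5000", names):  # default value
        print(finding)
```

An empty findings list means every name the clients or the proxy will use is covered and nothing beyond the three ports is exposed through the proxy.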
Configure RPC over HTTP Topology in Exchange System Manager
Launch the Exchange System Manager.
Right click on the Exchange Server and select Properties.
Click on the RPC-HTTP tab, the following will be displayed:

Select the option to make the server a Back-End server. An error
message will be displayed:

Click OK to acknowledge the error. Click OK again to save the
changes to the configuration. A warning message will be displayed stating that
the ports have not been configured correctly, and you will be prompted to
reconfigure them. Click CANCEL. You will be prompted to reboot the server.
Now reboot the Exchange Server.
Install the SSL certificate on the client PC
Before you can use Outlook to connect to the Exchange server via RPC
over HTTPS, you will first need to install the correct SSL certificate onto the
client PC to authenticate the certificate used by the Exchange server. This is
only necessary if you are using a self-issued certificate. If you are using a
root-trusted certificate on the Exchange server then ignore this step.
The certificate that needs to be installed on the client PC is not
the certificate used by the RPC virtual directory on the Exchange server, but
the root certificate of the Certificate Authority that issued the certificate
to the RPC directory.
To locate this certificate, log into the server that has the
Certificate Authority service installed on it. This may well be the Exchange
server itself, it depends on how your network is deployed.
On the server that is acting as the CA, open the Control Panel and
open Internet Options.
Click on the Security tab and then on the Certificates button.
Click on the Trusted Root Certification Authorities tab.

Locate the certificate issued by the CA and export it as a CER file.
Copy this file to the client PC.
On the client PC double click the CER file to install it. Select the
option to install it to the Trusted Root Certification Authorities folder.

Configure the Outlook Client
NOTE – to use Outlook via RPC over HTTPS you will require Outlook
2003 or later.
Create a new Outlook profile if required.
Select the option to create an Exchange Server account.

In the Server Name field enter the LOCAL address of the Exchange
server (ie the machine name, or the NETBIOS name)
Enter your username.
DO NOT CLICK NEXT at this point; click on the More Settings button.
You may receive an error saying that the Exchange server cannot be
contacted, click OK. A further window will be displayed asking you to verify
the address of the Exchange server, click Cancel.
The More Settings window will now be displayed. Click on the
Connection tab:

Tick the option to Connect to Microsoft Exchange using HTTP. Click
on the Exchange Proxy Settings button:

Enter the external web address of the Exchange server (ie the
address used for Outlook Web Access) in the fields as shown above. In the
second text field, the ‘msstd’ is required!
Click OK, OK again, Next and then Finish.
Now launch Microsoft Outlook.
You will be prompted to enter your NT domain login credentials:

Enter your username in the form ‘DOMAIN\Username’
You will now be connected to the Exchange server:

In the immortal words of a popular 80s television show: "I love it when a plan comes together!"