Implementing RPC over HTTPS in a single Exchange Server 2003 environment
Saturday, December 22nd, 2007Sources: http://www.outlookexchange.com/articles/HenrikWalther/RPC_over_HTTP.asp
http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html
http://blogs.techrepublic.com.com/networking/?p=292
In order to make use of all Exchange’s collaborative tools, Outlook must communicate with the Exchange server via the remote procedure call protocol (RPC). It’s not a good idea to open these ports to the Internet due to RPC’s rich history of exploitable vulnerabilities. RPC over HTTPS allows RPC traffic to be tunnelled inside secured HTTP packets. This enables roaming users to enjoy full Outlook/Exchange functionality without having to open any additional firewall ports or dial a VPN connection.
The following steps are necessary to implement RPC over HTTPS in a single Exchange Server environment:
- Configure an Exchange Server 2003 back-end server as an RPC proxy server.
- Configure the RPC virtual directory for Basic authentication and SSL
- Configure the RPC proxy server to use specified ports for RPC over HTTP
- Set the NT Directory Services (NTDS) port on all global catalog servers that act as Exchange Server 2003 back-end servers
- Create a Microsoft Office Outlook 2003 Profile for your users to use with RPC over HTTPS
- Test the connection
Requirements in order to get RPC over HTTP working:
Client(s)
Windows XP with Service Pack 2.
Outlook 2003 installed, previous Outlook versions won’t work.
Server:
The exchange server needs to be running Windows 2003 and Exchange 2003.
It’s not a requirement running Exchange in a Front-End/Back-End topology as many believe, actually you could get by running everything from a single server. But depending on your environment, Microsoft recommends you make use of a Front-End/Back-End scenario, and if possible placed behind an ISA 2000 server.
You will also need to have a Microsoft Certificate Authority (CA) installed , this should be used to issue the respective certificates needed in order to have SSL/443 working properly. You could as well go the easy way and get the certificate from a certificate provider like Verisign or Thawte.
Configuration Steps:
1) Install the RPC over HTTP Proxy component on Windows Server 2003
- Click Start | Settings | Control Panel
- Double-click Add/Remove Programs
- Click Add/Remove Windows Components
- Double-click Networking Services
- Put a checkmark in RPC over HTTP Proxy
- Click Next | Ok | Finish
2) Configure the RPC virtual directory for Basic authentication and SSL
Installing the RPC proxy will create two new virtual directories under your Default Web Site. We need to modify these slightly in order to allow proper authentication and encryption of RPC over HTTP connections.
- Open up the IIS Manager.
- Navigate to Web Sites | Default Web Site.
- Right click on the RPC directory and select Properties from the drop-down menu.
- Select the Directory Security tab.
- Click on the Edit button within ‘Authentication and access control’.
- Make sure that the option ‘Enable anonymous access’ is deselected.
- Check ‘Integrated Windows authentication’ and ‘Basic authentication’ and click on OK. You may be prompted with a warning dialogue; click on Yes and ignore this as it does not apply while using SSL.
- Click the Select button next to Default Domain and select the domain from the list.
- Click the Select button next to Realm and select the domain from the list.
- Click OK.
- Click on the Edit button within ‘Secure communications’.
- Check ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’ and click on OK.
- Click on OK to apply the changes.
Repeat these steps for the RPCWithCert directory.
3) Configure the RPC proxy server to use specified ports for RPC over HTTP
Now we need to edit some values in the registry editor, so start it up and navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
The ValidPorts key will likely already include an entry for ports 100-5000; we need to add a few more. Below is an example; you will need to change the hostnames and domains to match your own environment. This should be entered as a single line with no spaces after the semicolons.
ISLMAIN:100-5000;ISLMAIN:6001-6002;ISLMAIN.ISLLLC.local:6001-6002;ISLMAIN:6004;ISLMAIN.ISLLLC.local:6004
4) Set the NT Directory Services (NTDS) port on all Global Catalog Servers that act as Exchange Server 2003 back-end Servers
There are two ways to do this:A) Tell the Exchange server to act as a target for the RPC proxy:
Open up Exchange System Manager, browse to your target server, right-click, and select Properties.
Just above the General tab you will find the RPC-HTTP tab. Select this tab and ensure that the option ‘RPC-HTTP back-end server’ is checked.
Click on OK to exit. You will be prompted to restart the server.
B) Use Regedit to navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Then click Edit in the menu > New then click Multi-String Value
- Name it NSPI interface protocol sequences
- Right-click the NSPI interface protocol sequences multi-string value, and then click Modify
- Type ncacn_http:6004 in the value box
- Now restart the Global Catalog Server.
5) Create a Microsoft Office Outlook 2003 Profile for your users to use with RPC over HTTPS
- Open the Control Panel | Double-click Mail
- Click Show Profiles
- Click Add…
- Give the profile a name and click Ok
- Click Next and set bullet in Microsoft Exchange Server
- Now you should type in yourExchange server FQDN (ex. exchange.domainname.local)
-Set a checkmark in Use Cached Exchange Mode, type in your username, but don’t hit Check Name yet, instead click More Settings…
- Click the Connection tab
- Set a checkmark in Connect to my Exchange mailbox using HTTP
-Now open up the ‘Exchange Proxy Settings’ and use the options below.
Use this URL to connect to my proxy server for Exchange:
https://mail.domainname.com
-Check ‘Connect using SSL only’.
-Check ‘Mutually authenticate the session when connection with SSL’.
‘Principal name for proxy server:’ msstd:mail.domainname.com
-If you want to use RPC over HTTPS even while on the internal network, then check ‘On fast networks, connect using HTTP first, then connect using TCP/IP
-Make sure ‘On slow networks, connect using HTTP first, then connect using TCP/IP’ is checked.
-For the ‘Proxy authentication settings’ we can use either NTLM or Basic authentication. I prefer NTLM as it doesn’t constantly prompt for a username and password to be entered.
Apply the changes and you’re ready to start testing. Don’t forget to forward port 443 to the Exchange Server on your external firewall.
6) Test the connection
After enabling the RPC Proxy settings, your Outlook connection to the Exchange Server should be established successfully. The question is now: How to determine that it is an RPC over HTTPS connection?
The answer is simple. Right click the Outlook icon in the taskbar while you are holding the CTRL Key. The Context menu opens and now you have the option to see the Exchange Server Connection Status. Here you can see if your connected, and if yes what connection type is used.