Configuring ISA Server to Secure RPC over HTTP(S) Traffic


The technique used to configure publishing rules for RPC over HTTP(S) are slightly different technique than those used with the OWA, OMA, and ActiveSync publishing rules, but the basic idea is still the same: to provide for reverse-proxied HTTP(S) access through the ISA Server, to secure the traffic sent back to Exchange. Before RPC over HTTP(S) can be secured with ISA Server, it must first be enabled in the Exchange Topology.

NOTE

Client support of RPC over HTTP requires Outlook 2003 to be running on Windows XP SP2 (or Windows XP SP1 with the KB Article #331320 patch installed) or higher. The KB Article can be found at the following URL:

http://support.microsoft.com/kb/331320


Installing the RPC over HTTP Proxy

The RPC over HTTP service requires the use of an RPC-HTTP proxy that assists in the management of RPC-HTTP requests to the Exchange mailbox server. This Proxy is normally installed on an Exchange front-end server, but can also be installed on a single all-in-one Exchange server that acts as both the back-end and front-end server, if special Registry changes are made to that server, as described in the following sections.

To install the RPC over HTTP service on the front-end or all-in-one back-end server, perform the following steps:

1.

From the Exchange front-end or all-in-one back-end server, go to Start, All Programs, Add or Remove Programs.

2.

Click the button for Add/Remove Windows Components.

3.

Scroll down and select Networking Services by clicking once on the name (not the check box) and then clicking the Details button.

4.

Check the box next to RPC over HTTP Proxy, as shown in Figure 13.12. Click OK.

Figure 13.12. Installing the RPC over HTTP Proxy service.


5.

Click Next to continue.

6.

Click Finish when complete.

Configuring RPC over HTTPS on an Exchange Back-End Server

After the networking service for RPC over HTTP has been installed, the Exchange server must be configured to act as an RPC over HTTP back-end server. In the case of the all-in-one Exchange server, where there is no unique front-end server and a single Exchange server acts as the primary mailbox and OWA server for the enterprise, this configuration is performed on the Exchange server where the RPC over HTTP Networking Service was installed, and must be followed by the Registry change outlined in following sections.

In deployment scenarios where there are separate front-end and back-end servers, the back-end server must first be configured as an RPC over HTTP back-end, followed by configuration of the front-end server as an RPC-HTTP front-end. To configure the back-end server for RPC over HTTP, do the following:

NOTE

The scenarios outlined in this book assume that Exchange Server 2003 Service Pack 1 is installed. SP1 adds a lot of configuration enhancements, including a much more simplified RPC over HTTP configuration. It is not recommended to use RPC over HTTP on pre-SP1 Exchange Server 2003 implementations, and the scenarios presented in this book will not be accurate without SP1 installed.


1.

From the Exchange back-end mailbox server, open ESM by clicking on Start, All Programs, Microsoft Exchange, System Manager.

2.

Navigate to ORGANIZATIONNAME (Exchange), Administrative Groups, ADMINGROUPNAME, Servers.

3.

Right-click on the back-end server and click Properties.

4.

Select the RPC-HTTP tab (if it doesn't appear, it probably means that Exchange Server 2003 Service Pack 1 is not installed).

5.

Select RPC-HTTP Back-End Server from the list.

6.

Click OK if warned that there are no RPC-HTTP front-end servers in the organization.

7.

Click OK to save the changes.

8.

When prompted with the warning message shown in Figure 13.13, select OK to change the ports automatically.

Figure 13.13. Examining the RPC over HTTP port changes warning.


9.

Click OK to acknowledge that the role change will not be effective until reboot.

10.

Reboot the server (when feasible to do so).

Configuring RPC over HTTPS on an Exchange Front-End Server

As previously mentioned, deployment scenarios involving separate hardware for Exchange front-end servers and Exchange back-end servers require the front-end server or servers to be configured as RPC over HTTP front-ends. In single all-in-one server deployments, this step can be skipped and the Registry change outlined in the next section of this chapter should instead be run.

That said, the following procedure enables an Exchange Server 2003 SP1 front-end server to act as a proxy for RPC-HTTPS traffic:

1.

From the Exchange back-end mailbox server, open ESM by clicking on Start, All Programs, Microsoft Exchange, System Manager.

2.

Navigate to ORGANIZATIONNAME (Exchange), Administrative Groups, ADMINGROUPNAME, Servers.

3.

Right-click on the front-end server and click Properties.

4.

Select the RPC-HTTP tab.

5.

Select RPC-HTTP Front-End Server from the list and click OK.

6.

Reboot the server to complete the changes.

Modifying the Registry to Support a Single-Server Exchange RPC over HTTP Topology

As previously mentioned, if there is not a dedicated front-end server in the RPC-HTTP topology, then a special Registry change needs to be performed on the all-in-one Exchange server. To make this change, to the following:

CAUTION

Be sure that the Registry change is made to only back-end servers that do not have any front-end RPC-HTTP servers in the environment. This procedure is meant only for Exchange servers that serve dual roles as both front-end and back-end servers.


1.

On the all-in-one Exchange front-end/back-end server, open the Registry editor (Start, Run, cmd.exe, regedit.exe).

2.

Navigate through the console tree to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy.

3.

Right-click the ValidPorts entry, and then click Modify.

4.

In the Edit String field, under Value Data, type in the following and click OK, as shown in Figure 13.14:

 SERVERNAME:6001-6002;server.companyabc.com:6001-6002; SERVERNAME:6004;server.companyabc.com:6004; 

Figure 13.14. Entering the Registry change for RPC-HTTP support on an all-in-one Exchange front-end/back-end server.


(Where SERVERNAME is the NetBIOS name of the server and server.companyabc. com is the FQDN of the server as it will appear for RPC services.)

CAUTION

It is critical to match the FQDN entered into this registry with the FQDN that will be used from the Internet for RPC over HTTP traffic. This may or may not be different from the FQDN used for OWA, depending on whether a different namespace is used so as to allow forms-based authentication, as described in Chapter 12.

5.

Close Registry Editor.

Creating the RPC Virtual Directory on the Proper Virtual Server

In certain scenarios, such as when a separate virtual server has been created for nonforms-based authentication traffic, the RPC virtual directory needs to be exported from the default OWA virtual server to the secondary virtual server, such as in the scenarios described in this chapter. To export and import this setting, do the following:

NOTE

This procedure needs to be followed only if multiple OWA Virtual Servers have been created, and the RPC traffic will be directed at the one that doesn't currently have the \rpc virtual directory.


1.

From the OWA Server, open IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager).

2.

Navigate to SERVERNAME, Web Sites, Default Web Site (or the name of the primary OWA Virtual Server).

3.

Right-click the RPC virtual directory listed under the OWA website and select All Tasks, Save Configuration to a File.

4.

Enter rpc as the filename and a local patch and click OK.

5.

Right-click the Secondary Virtual Server and choose New, Virtual Directory (from file).

6.

Enter the path and name of the XML file that was exported, and click the Read File button. Select RPC from the list, as shown in Figure 13.15, and click OK.

Figure 13.15. Importing the RPC virtual directory to a secondary virtual server.


7.

Right-click the server name and choose All Tasks, Restart IIS, then click OK to confirm.

Securing RPC over HTTPS Servers with an ISA Publishing Rule

Securing an RPC over HTTPS proxy server involves publishing the RPC virtual directory as part of a publishing rule. This is typically done on the rule where OMA and ActiveSync have been set up, unless forms-based authentication is used, and then it is typically enabled on the standard OWA rule.

CAUTION

Once again, it is important to note that RPC over HTTP cannot utilize a Listener on a rule that uses forms-based authentication. Instead, it must utilize a basic authentication-enabled Listener. Consult the previous sections for more information on this.


To modify an existing ISA mail publishing rule to include RPC over HTTPS support, perform the following steps:

1.

From the ISA Server Console, select the Firewall Policy Node.

2.

Double-click on the rule that will be modified (typically the OMA-EAS rule previously set up, or the OWA rule if FBA is not used).

3.

Select the Paths tab and click the Add button.

4.

Enter /rpc/* and click OK.

5.

Click OK, Apply, and OK to save the changes.

NOTE

For access to an internal RPC over HTTP topology over the Internet, the server's host name must be published via external DNS so that it can be propagated across the Internet and made available for lookups.


Setting Up an Outlook 2003 Profile to Use RPC over HTTP

The final step involved with enabling RPC over HTTP support for clients is to configure the client Outlook 2003 mail profiles to use it as a service. First, ensure that Windows XP Service Pack 2 (or the hotfix for RPC over HTTP previously mentioned) is installed, along with the Outlook 2003 client. After it is verified, a mail profile can be created via the following procedure:

NOTE

Unfortunately, the profile cannot be set up remotely, or at least not without RPC access to the Exchange server to create the initial connection. The initial creation of the profile itself should be performed on the Internal network, or somewhere with standard RPC access (essentially full network access) to the Exchange server. After it has been set up for the first time and all mail has been synchronized, it can then be sent out into the field indefinitely. The upside to this is that the initial synchronization of the offline folder settings, which can be quite extensive, can be done on a fast local network segment.


1.

From the Outlook 2003 client (connected to the Internal network, with full access to the Exchange server), click Start, Control Panel.

2.

Double-click on the Mail item (switching to Classic view may be required to see it).

3.

Click Show Profiles.

4.

At the General tab, select either Always Use This Profile (if this is the only mail server that will be set up as part of a profile), or Prompt for a Profile to Be Used. Click Add.

5.

Enter a name for the profile, such as Exchange-RPC-HTTP.

6.

Select Add a New E-mail Account and click Next.

7.

Select Microsoft Exchange Server from the list shown in Figure 13.16 and click Next.

Figure 13.16. Configuring an RPC over HTTPenabled Outlook profile.


8.

Enter the local name of the back-end mailbox server, such as server20, and make sure that Use Cached Exchange Mode is checked.

9.

Enter the name of the mailbox that will be set up (for example, the user's username or full name) and click More Settings.

10.

Select the Security tab and check the box for Always Prompt for User Name and Password.

11.

Select the Connection tab and check the box for Connect to My Exchange Mailbox Using HTTP, then click the Exchange Proxy Settings button.

12.

Using the Exchange Proxy Settings dialog box, enter the FQDN of the external name of the RPC-HTTP topology, such as mail2.companyabc.com (which corresponds to the ISA listener for Basic authentication). Check the box to Mutually Authenticate the Session, and enter msstd:serverfqdn (for example msstd:mail2.companyabc. com). Change the Proxy authentication settings to Basic Authentication, as shown in Figure 13.17.

Figure 13.17. Reviewing Exchange proxy settings for the RPC-HTTPS Outlook profile.


13.

To force RPC over HTTP for all connections, select the box labeled On Fast Net works, Connect Using HTTP First, Then Connect Using TCP/IP. If this is not checked, MAPI is attempted first when the connection to the server is fast. Click OK twice.

14.

The username and Exchange server should be underlined at this point; click Next to continue.

15.

Click Finish and then click OK.

Outlook needs to be opened and the mailbox synchronized with the client at this point. After the full mailbox data has been copied locally, the system is free to roam around on the Internet, wherever HTTPS access back to the ISA server is granted.



    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net