Recipe 10.10. Setting Up RPC over HTTPSProblemYou want to enable RPC tunneling over HTTPS so that your Outlook 2003 users can use Outlook directly against your servers. SolutionSetting up RPC over HTTPS is easier in Exchange Server 2003 SP1 than it was in the original release version, but it's still a reasonably involved task that requires you to know a good bit about your Exchange topology, and to understand the underlying mechanics. There are three basic steps:
Using a graphical user interfaceTo install the RPC-over-HTTP proxy, do the following:
To enable RPC-over-HTTP on an Exchange front-end server, do the following:
To configure an Exchange back-end server, do the following:
Figure 10-3. The warning dialog produced when you enable RPC-over-HTTP on a domain controllerTo configure SSL offloading for the front-end, do the following:
To configure a single-server Exchange Server 2003 organization, do the following:
If your Exchange back-end server is also a global catalog server, you have to force the directory service to use the correct TCP port for queries. To do so, follow these steps:
DiscussionOne of the biggest new features of Exchange Server 2003 is its ability to work with Outlook 2003 to tunnel remote procedure call (RPC) traffic inside of ordinary-looking HTTP packets. This might not seem like a big deal, but it is. Microsoft has long recommended against allowing random Internet clients to send RPCs directly into your networka number of serious vulnerabilities in the Windows NT RPC stack led to this policy, and it's very rare to find exceptions. That means that Outlook, which uses RPCs to exchange MAPI data with the server, needs an unobstructed path between the Outlook machine and the Exchange server. Previously, there were three primary ways to accomplish this: allow raw RPC traffic from the Internet, use ISA Server to publish the RPC interfaces, or allow Outlook users to establish VPN connections to the corporate network. This new feature adds a fourth way: when enabled, Outlook 2003 takes its RPC requests and encapsulates them in an HTTP packet, which it then sends using HTTP (preferably with SSL) to an RPC proxy server. This server breaks apart the HTTP packet and redirects the RPC requests to the Exchange back-end server, returning any results to the client in an encapsulated HTTP packet. The advantages of this are obvious: it allows the Outlook client to connect without needing a VPN (and thus without any special configuration or, worse, proprietary VPN clients on the client machine), but it doesn't allow raw RPC traffic from the Internet. If you wish, you can use ISA Server to perform application-level inspection of the RPC packets as they come in, but that's not mandatory. However, there are some prerequisites: to use RPC-over-HTTP, you must have Exchange Server 2003 running on Windows Server 2003, and all GCs that Exchange or the clients will talk to must also be running Windows Server 2003. Outlook 2003, running on Windows XP SP1 or later, is required as the client. Overall, the configuration and setup process for RPC-over-HTTP is fairly straightforward; it was greatly improved with the release of SP1, which introduced the RPC-HTTP tab in the server properties dialog. One significant speed bump is that the server SSL certificate installed on the RPC proxy must match the common name that the client uses to connect. Let's say you've configured a client to connect to exchange.robichaux.net, and that your RPC proxy is named spiderman.robichaux.net and has a certificate by that name. Because the names don't match, the SSL handshake will fail (as described in MS KB 822594). To fix this, either change the RPC proxy name specified on the Outlook client or get a new certificate for the RPC proxy itself. What about SSL offloading? This term is a little misleading in this context. It would probably be more proper to talk about SSL termination, since the steps in this recipe are required when you want to terminate an inbound RPC-over-HTTPS connection at an ISA server (or other firewall), then pass the unencrypted traffic to the RPC proxy server, then to the back-end server. In most configurations, it's easier to either allow SSL bridging so that the proxy sees an SSL connection or to put the proxy service on the firewall machine so that the termination happens at the proxy. See Also"Configuring Outlook 2003 for RPC over HTTP" topic in the Outlook 2003 Resource Kit (www.microsoft.com/office/ork/2003/three/ch8/OutC07.htm), Exchange Server 2003 RPC over HTTP Deployment Scenario Guide (http://www.microsoft.com/technet/prodtechnol/Exchange/guides/E2k3RPCHTTPDep/1583ab17-f7d1-41c1-ba52-37ec276e3644.mspx), MS KB 833401 (How to configure RPC over HTTP on a single server in Exchange Server 2003), MS KB 841652 (How to configure an RPC over HTTP topology on computers that are running Exchange Server 2003 with Service Pack 1), MS KB 827330 (How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003), MB KB 833003 (Description of the RPC over HTTP feature and the AllowAnonymous registry entry in Windows Server 2003), and MS KB 822594 (Remote Procedure Call over HTTP Is Not Successful or Reverts to TCP) |