Providing Full-Featured Remote Access for Exchange Clients

Virtual private network (VPN) clients, present in all versions of Windows, are the typical choice for anyone needing to provide full Outlook client functionality to users across the Internet. However, VPN security leaves a lot to be desired, at least out of the box: although Point-to-Point Tunneling Protocol (PPTP) can be made highly secure, doing so requires an extensive knowledge of both the machines running the VPN software (a feat not always possible when you're dealing with your users' home machines) and a deep familiarity with encryption techniques and settings. Of course, there are also logistical hurdles you'll jump through when using a VPN: they simply won't work in some public locations because of firewalls blocking the needed ports. In addition, users encounter difficulties with using IPSec and Layer Two Tunneling Protocol (L2TP) across the Internet because of packet fragmentation issues and other problems. Finally, although VPNs are useful tools for connecting remote clients to corporate networks, they are less useful for connecting from a corporate network to an application service provider that might be running your Exchange servers for you.

The grim reality is that people have grown at best accustomed, and at worst absolutely dependent, on full Outlook client functionality. For example, suppose your corporation has standardized LookOut, the popular Outlook search plug-in, or perhaps you have a third-party calendaring and agenda plug-in. You might also require the ability to synchronize your mailbox with a handheld personal digital assistant (PDA)—like device, or your users might need the functionality provided by Outlook 2003 to work seamlessly offline, with full Outlook functionality even when not connected to an Exchange server. Your front-line customer service users might depend heavily on custom functionality offered by client-side rules, or your organization might require its users to take advantage of a standard, business-wide address book.

Therein lies the problem: How does one provide secure access to an Exchange server for remote users while not making those users jump through hoops to access their groupware application? The best answer to this might be to deploy a machine running ISA Server 2004.

Security Features within Exchange

ISA Server 2004 provides a specially designed Exchange RPC filter, which takes the good parts of the RPC Proxy element that is included with the raw Exchange Server 2003 product to allow RPC-over-HTTP connections, and then marries them to a certain intelligence about how Exchange Server does its business. The Exchange RPC filter is programmed to know how Exchange RPC connections are established and what the proper format for that protocol is. It also allows only Exchange RPC Unique User IDs (UUIDs) to be transmitted, all while enforcing client authentication and requiring encryption.

Here's how it works:

1. The client connects to the Exchange RPC filter's quasi-port mapper. This piece of the puzzle really isn't a port mapper—it just acts like one, which reduces the attack surface by only responding to requests for Exchange-based RPCs.

2. Once the connection is established, the ISA server returns the filter's Exchange RPC port numbers. Remember, the client is connecting to the filter, which then uses the RPC element proxy in Exchange Server 2003 itself, so the client never directly touches the Exchange server during this stage.

3. The client, filled with knowledge about the location of RPC ports, logs onto Exchange Server. During this process, Exchange Server refers the logon to Active Directory, which makes the final decision on whether the user is authenticated or not.

4. The RPC filter on the ISA server is monitoring this process the whole time, waiting for the approval from Active Directory that the user is valid. Once it sees that approval, the filter makes sure that the connection is using encryption (if you specify that you want to require it), and then the client sees his or her mailbox open.

It is also important to note that the entire process just outlined is transparent from the clients' perspective. They will see a user name and password prompt when they open Outlook and they are away from the corporate network, but once the users enter those credentials, they see an approximately five-second delay and then their mailbox opens. Thus, this solution passes the first litmus test of all security solutions: Make it easy for the user to do things securely.

This solution also protects you from various RPC-based attacks. For example, the ISA RPC filter is immune to reconnaissance attacks and denial-of-service attacks against the RPC port mapper. All known attacks fail, but even if an attack were successfully able to penetrate the RPC filter, recall that Exchange is still protected because ISA Server works at the perimeter to vet your connections before they ever reach your Exchange server. This solution is also highly resistant to service attacks, mainly because such attacks require reconnaissance information that is unavailable. Also, the back end of this RPC filter connection, the ISA Server to Exchange Server part of the transmission, simply dies if the first part of the connection (the client to the ISA server) isn't correctly positioned or formatted.

Publishing Outlook RPC for MAPI Clients

ISA Server 2004 provides Outlook clients behind an ISA server the ability to access external Exchange servers through the use of outbound RPC access. This option creates a more flexible environment to allow mail access across campuses through the Internet, without the configuration of dedicated VPN connections or tunnels.

To publish Outlook RPC for MAPI clients, follow these instructions:

1. In the ISA Server Management console, click the Firewall Policy node.

2. On the Task pane, click the Tasks tab, then click Publish A Mail Server.

3. On the Welcome To The New Mail Server Publishing Rule Wizard page, type the name of the rule (such as Outlook RPC), and then click Next.

4. On the Select Access Type page, select Client Access: RPC, IMAP, POP3, SMTP, and then click Next.

5. On the Select Services page, select Outlook (RPC) and click Next.

6. On the Select Server page, type in the IP address of your Exchange server, and then click Next.

7. On the IP Addresses page, select the networks from which you will allow RPC over HTTP access (normally External and VPN Clients), and then click Next.

8. On the Completing The New Mail Server Publishing Rule Wizard page, click Finish.

9. Click Apply to commit the changes, and then click OK.

Configuring the Remote Client for RPC

Your clients will most likely be laptop users who connect both from within your network and from external locations. For client access to work, you must have a name resolution infrastructure that allows clients to resolve the name of the Exchange server both internally and externally. You must then configure the Outlook client to connect to the Exchange server.

Creating a Split DNS To set up name resolution, you can configure a split DNS. To create a split DNS, you create a structure like that shown in Figure 16-2.

Figure 16-2: A split DNS ensures that clients can always resolve the IP address for mail regardless of their location—when inside the network, they use the internal Exchange server IP address; when outside, they use the IP address for the ISA server's external network adapter.

To connect from a remote client, configure Outlook using the following procedures.

Enabling Client Authentication By default, external clients aren't able to authenticate directly with a domain controller on the internal network. You must configure the Exchange server to act as a proxy for these clients. To configure the Exchange server as a proxy for the Outlook client, complete the following steps:

1. On the Exchange server, click Start and then click Run.

2. Type regedit and then click OK.

3. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters key.

4. Right-click the Parameters key.

5. Select New and then choose DWORD Value.

6. Type No RFR Service.

7. Double-click the new value, and set Value Data to 1. Click OK.

Configuring the Outlook Client Create a new profile on the Outlook client by performing the following procedures.

Configuring Outlook 2002 and Outlook 2003 Clients

1. Start the Mail program in Control Panel. You will see the Mail Setup – Outlook dialog box.

2. Click Show Profiles.

3. If a profile does not exist, follow these steps:

   1. Click Add, and then enter a name for the profile.

   2. Select Add A New E-Mail Account, and then click Next.

   3. Select Microsoft Exchange Server, and then click Next.

   4. Type the name of the Microsoft Exchange server and the user name of your mailbox. When prompted, enter your password.

   5. Click Next, and then click Finish.

4. If a profile already exists, select the profile for your Exchange server, and then click Properties.

5. Click E-Mail Accounts.

6. Select View Or Change Existing E-Mail Accounts, and then click Next.

7. Choose the e-mail account for your Exchange server, and then click Change.

8. On the General tab, verify that the Exchange server can resolve the name of your mailbox by retyping your mailbox name, and then clicking Check Name.

9. If you cannot connect, create an entry in the local HOSTS file that maps the external IP address for the Exchange server address to its NetBIOS name.

10. Click More Settings.

11. Click the Advanced tab. Select Encrypt Information Both When Using The Network And When Using Dial-Up Networking.

12. Click OK to close the Microsoft Exchange Server dialog box, and return to the E-Mail Accounts dialog box.

13. Click Next, and then click Finish.

14. Click Close in the Mail Setup dialog box, and then click OK to close the Mail dialog box.

Publishing RPC over HTTP for Outlook Clients

RPC over HTTP allows RPC requests to be encapsulated in the HTTP protocol, for which most firewalls are already configured and allow access. RPC over HTTP depends on an optional element of Windows Server 2003 called the RPC proxy, an Internet Server Application Programming Interface (ISAPI) extension running in Microsoft Internet Information Services (IIS) on a front-end Outlook Web Access server that sets up an RPC session after authentication. Essentially, the Outlook client connects to this filter using RPC over HTTP, and the filter terminates the "over HTTP" portion of the connection, takes out the RPC requests, and passes them back to the Exchange server.

However, RPC over HTTP isn't a panacea. It supports only basic HTTP authentication, so make certain the HTTP connection uses SSL. Also, there is no support for SecurID, and the limitation here is twofold. For one, there is no dialog within Outlook 2003 to ask for the SecurID PIN from the user's device. Second, Exchange has no built-in, direct ability to proxy authentication requests to an RSA ACE server and not to Active Directory. RADIUS authentication is also not possible with RPC over HTTP, nor is the use of client certificates in most cases. So, although RPC over HTTP solves some configuration problems and some legitimate security problems, there remain other issues to address.

In the following section you learn to configure the front-end Exchange server as an RPC proxy server, create an RPC over HTTP publishing rule, and then configure the Outlook remote client.

Configuring the Exchange Server

Install the RPC Proxy service and set up Exchange as a back-end RPC server by following these steps:

1. On the Exchange server, install the RPC Over HTTP Proxy component from the Add Or Remove Programs, Add/Remove Windows Components, Networking Services interface.

2. On the Exchange server, configure the RPC virtual directory to use basic authentication and require SSL by following these steps:

   1. In the Internet Information Services Manager, expand the Web site hosting Exchange, right-click the RPC virtual directory, and then select Properties.

   2. Click the Directory Security tab, and then in the Authentication And Access Control area, click Edit.

   3. In the Authentication Methods dialog box, select Basic Authentication, clear all other options (including Enable Anonymous Access), click Yes to acknowledge the warning, and then click OK.

   4. On the Directory Security tab, in the Secure Communications area, click Edit.

   5. Select the Require Secure Channel (SSL) check box, and then click OK.

   6. In the RPC Properties dialog box, click OK, and then close the Internet Information Services Manager.

   Note

   You need to request and install a certificate from a third-party or internal CA to provide SSL encryption for the Exchange server. Once the certificate is installed on the Exchange server, export it, along with the private key, and import it into the ISA server.

3. On the Exchange server, open the System Manager by clicking Start, All Programs, Microsoft Exchange, System Manager.

4. In Exchange System Manager, click Servers, right-click your Exchange server, and then select Properties.

5. In the Properties dialog box for your Exchange server, click the RPC-HTTP tab, and then select RPC-HTTP Back-End Server.

   Note

   When using Exchange Server 2003 Service Pack 1 or higher, no manual port configuration is necessary (as described in Step 7). The order is important when using back-and front-end servers, but you must simply enable it, and nothing else.

6. When prompted with a warning, click OK twice, and close Exchange System Manager.

7. Configure the RPC Proxy port settings by using the RPC Configuration tool (RpcCfg.exe) from the Windows resource kit. To use RpcCfg.exe, follow these steps:

   1. Open a Resource Kit Tools command shell by clicking Start, clicking All Programs, then Windows Resource Kit Tools, and then Command Shell.

   2. At the command prompt, to clear the default RPC ports, type

       rpccfg.exe /hr ExchangeServer 

      where ExchangeServer is the name of your Exchange server.

   3. To set the Exchange RPC ports, type the following commands, pressing the Enter key where you see <Enter>:

       rpccfg.exe /ha ExchangeServer 6001-6002 6004 <Enter> rpccfg.exe /ha ExchangeServer.DomainName.com 6001-6002 6004 <Enter> rpccfg.exe /hd <Enter> 

   4. Type exit to close the command prompt.

   Note

   You can download the RpcCfg.exe tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=&displaylang=en.

8. Ensure that you schedule and inform your clients of any downtime that results from the reboot of the server, and then restart the Exchange server.

You have now completed configuring the Exchange server.

Creating an RPC over HTTP Publishing Rule

Next, on the ISA server, you create a Web publishing rule by performing these steps:

1. In the ISA Server Management console tree, click the Firewall Policy node.

2. In the Tasks pane, click the Publish A Secure Web Server link.

3. On the New SSL Web Publishing Rule Wizard page, type the name of the rule (such as RPC Over HTTP Publishing rule), and then click Next.

4. On the Publishing Mode page, select the SSL Bridging option, and then click Next.

5. On the Select Rule Action page, select Allow, and then click Next.

6. On the Bridging Mode page, select Secure Connection To Clients And Web Server, and then click Next.

   Best Practices

   You could select other options here, but maintaining HTTPS provides the best protection for your data.

7. On the Define Website To Publish page shown in Figure 16-3, type the computer name or IP address of the Exchange server, select the Forward The Original Host Header check box, and type /rpc/* in the Path text box. Click Next.

8. On the Public Name Details page, in the Accept Requests For drop-down list, select This Domain Name (Type Below), and then type the FQDN for your Web site, such as SecureExchange.Contoso.com. Type /rpc/* in the Path text box, and then click Next.

   Note

   This FQDN must be publicly registered.

9. On the Select Web Listener page, select your Web listener for HTTPS, or create one (as described in the section entitled, "Creating an Outlook Web Access Publishing Rule," earlier in this chapter), and then click Next.

10. On the User Sets page, click Add to add users to whom the rule should apply, and then click Next.

11. On the Completing The New SSL Web Publishing Rule Wizard page, click Finish.

12. In the Details pane, right-click the rule you just created, and then select Properties.

13. Click the Users tab, select the Forward Basic Authentication Credentials (Basic Delegation) check box, and then click OK.

    Important

    To use Basic Authentication, you must use SSL to ensure that your credentials are encrypted. Basic Authentication sends information in clear text, which can be intercepted by network sniffers.

14. Click Apply, and then click OK.

Figure 16-3: Configure the RPC over HTTP publication rule to point to the Exchange server's RPC path.

Configuring the Remote Client for RPC over HTTP

To allow remote clients to connect to the Exchange server, configure the properties of the Outlook 2003 clients by following these steps:

1. Launch the Mail program in Control Panel. You will see the Mail Setup – Outlook dialog box.

2. Click Show Profiles.

3. If a profile does not exist, follow these steps:

   1. Click Add, and then enter a name for the profile.

   2. Select Add A New E-Mail Account, and then click Next.

   3. Select Microsoft Exchange Server, and then click Next.

   4. Type the name of the Microsoft Exchange server and the user name of your mailbox. When prompted, enter your password.

   5. Click Next, and then click Finish.

4. If a profile already exists, select the profile for your Exchange server, and click Properties.

5. Click E-Mail Accounts.

6. Select View Or Change Existing E-Mail Accounts, and then click Next.

7. Choose the e-mail account for your Exchange server, and then click Change.

8. On the General tab, verify that the Exchange server can resolve the name of your mailbox by retyping your mailbox name, and then clicking Check Name.

9. If you cannot connect, create an entry in the local HOSTS file that maps the external IP address for the Exchange server address to its NetBIOS name.

10. Click More Settings.

11. Click the Connections tab, select the Connect To My Exchange Mailbox Using HTTP check box, and then click Exchange Proxy Settings.

12. In the Exchange Proxy Setting dialog box, complete the information as shown in Figure 16-4, replacing the SecureExchange.contoso.com options with the FQDN to the public name of your Exchange server, listening on port 443. Click OK.

13. Click OK to close the Microsoft Exchange Server dialog box, and return to the E-Mail Accounts dialog box.

14. Click Next, and then click Finish.

15. In the Mail Setup dialog box, click Close, and then click OK to close the Mail dialog box.

Figure 16-4: Configure the RPC Proxy settings for Outlook to connect to your Exchange server.