
Setup RPC over HTTPS with Exchange 2003 (where Exchange is not installed on a Global Catalog server)


After setting up a small Exchange lab and successfully configuring Outlook Web Access (OWA) using a free SSL certificate, I thought it would be interesting to try enabling RPC over HTTPS.

In order to make use of all Exchange's collaborative tools, Outlook must communicate with the Exchange server via the remote procedure call protocol (RPC). It's not a good idea to open these ports to the Internet due to RPC's rich history of exploitable vulnerabilities. RPC over HTTPS allows RPC traffic to be tunnelled inside secured HTTP packets. This enables roaming users to enjoy full Outlook/Exchange functionality without having to open any additional firewall ports or dial a VPN connection.

My test lab setup contains one Domain Controller and one Exchange 2003 server (SP2). The Domain Controller provides Domain, DNS, and DHCP services while the Exchange server hosts OWA, which has been configured to run over HTTPS. Although RPC can be tunnelled inside unencrypted HTTP packets, I think this is an unnecessary risk, so I won't even tell you how to do it! If you really want to, then Google may be of some help. I'm using a standard DSL router setup to forward ports 25 and 443 to the Exchange server.

Modify the Domain Controller

Let's get down to business. We will start on the Domain Controller. It's important to note that the Domain Controller must be a Global Catalog. We only need to make one update to the registry and can then move on to Exchange.

Add the following registry value under this key:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Name: NSPI Interface protocol sequences
Type: REG_MULTI_SZ
Value: ncacn_http:6004

There should be no need to reboot, but if things don't seem to be working correctly later on, then give it a go.

Install RPC over HTTP proxy

Installing the RPC over HTTP proxy service is pretty simple.

  1. On the Exchange server, open Control Panel. Launch add/remove programs and click on the Add/Remove Windows Components button.
  2. Scroll down the available Windows components and highlight Networking Services.
  3. Click on Details to open up a list of subcomponents and select RPC over HTTP Proxy.
  4. Click on OK and then Next to install the service.

Configure ports for the RPC proxy

Now that we have the RPC proxy installed, we will need to configure the ports that it uses. To do this, we update a registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

The ValidPorts value will likely already include an entry for ports 100-5000; we need to add a few more. Below is a copy of my value; you will need to change the hostnames and domains to match your own environment. To make this easier to read, I have split the data string over multiple lines. It should be entered as a single line with no spaces after the semicolons, and every entry must carry a port or port range after the colon.

Exchange1:100-5000;
Exchange1:6001-6002;
Exchange1.internaldomain.local:6001-6002;
PDC:6001-6002;
PDC.internaldomain.local:6001-6002;
mail.externaldomain.com:6001-6002;
Exchange1:6004;
Exchange1.internaldomain.local:6004;
PDC:6004;
PDC.internaldomain.local:6004;
mail.externaldomain.com:6004;
Exchange1:593;
Exchange1.internaldomain.local:593;
PDC:593;
PDC.internaldomain.local:593;
mail.externaldomain.com:593;

If the Domain Controller and Exchange server are on the same box then entries for the Domain Controller (in my case, this is PDC) and also port 593 should be excluded.
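Hand-typing a long ValidPorts string is where mistakes creep in: an entry that has no ':port' part, a space after a semicolon, or a reversed port range, and rpccfg then reports "Expected ':' in string". The following Python script is an added example, not code from the article or a Microsoft tool. It builds the string from your host names so every entry is generated as host:ports, checks an existing string for those mistakes, and renders the result as a .reg file for the RpcProxy key. The names Exchange1, PDC, internaldomain.local and mail.externaldomain.com are the article's placeholders, and the same_box option follows the article's note to leave out the Domain Controller entries and port 593 when the Global Catalog and Exchange share one server.

```python
import re

# Constructed placeholder names, matching the ones the article uses.
# Replace them with your own Exchange server, Global Catalog and external name.
EXCHANGE_HOST = "Exchange1"
DC_HOST = "PDC"
INTERNAL_DOMAIN = "internaldomain.local"
EXTERNAL_NAME = "mail.externaldomain.com"

RPCPROXY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy"

# One ValidPorts entry: a host name, a colon, then a port or a port range.
ENTRY_RE = re.compile(r"^[A-Za-z0-9.-]+:\d+(-\d+)?$")


def build_valid_ports(exchange, dc, internal_domain, external_name, same_box=False):
    """Return the ValidPorts string for the RPC proxy on the Exchange server.

    Every entry is generated as host:ports, so a host with no port cannot
    creep in. same_box=True follows the article's note for a Global Catalog
    and Exchange on one server: no DC entries and no port 593.
    """
    names = [exchange, f"{exchange}.{internal_domain}"]
    if not same_box:
        names += [dc, f"{dc}.{internal_domain}"]
    names.append(external_name)

    port_sets = ["6001-6002", "6004"]   # store/referral, then NSPI (address book)
    if not same_box:
        port_sets.append("593")         # RPC endpoint mapper over HTTP

    entries = [f"{exchange}:100-5000"]  # the entry the article says is already present
    for ports in port_sets:
        entries.extend(f"{name}:{ports}" for name in names)
    return ";".join(entries)


def validate_valid_ports(value):
    """Return a list of problems in a ValidPorts string; an empty list means it is clean."""
    problems = []
    if value != value.strip() or " " in value:
        problems.append("whitespace in value: enter it as one line with no spaces after the semicolons")
    for entry in value.rstrip(";").split(";"):
        if entry == "":
            problems.append("empty entry: doubled semicolon")
        elif ":" not in entry:
            # The mistake rpccfg reports as "Expected ':' in string".
            problems.append(f"missing ':port' in '{entry}'")
        elif not ENTRY_RE.match(entry):
            problems.append(f"malformed entry '{entry}'")
        else:
            low, _, high = entry.split(":", 1)[1].partition("-")
            low_port = int(low)
            high_port = int(high) if high else low_port
            if not 1 <= low_port <= high_port <= 65535:
                problems.append(f"port range out of order or out of range in '{entry}'")
    return problems


def to_reg_file(value):
    """Render the value as a .reg file body (ValidPorts is a REG_SZ)."""
    problems = validate_valid_ports(value)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{RPCPROXY_KEY}]\n"
        f'"ValidPorts"="{value}"\n'
    )


if __name__ == "__main__":
    value = build_valid_ports(EXCHANGE_HOST, DC_HOST, INTERNAL_DOMAIN, EXTERNAL_NAME)
    print(to_reg_file(value))
    # A constructed string with one entry that lacks its port, as a quick demo of the check.
    print(validate_valid_ports("Exchange1:100-5000;Exchange1.internaldomain.local;Exchange1:6004"))
```

Run the script and import the generated .reg file on the Exchange server, or paste the printed value into the ValidPorts data field; either way, run validate_valid_ports over the string you actually stored before moving on to the IIS changes.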

Configure Exchange server as an RPC-HTTP back-end server

Telling the Exchange server to act as a target for the RPC proxy is very simple.

  1. Open up Exchange System Manager, browse to your target server, right-click, and select Properties.
  2. Just above the General tab you will find the RPC-HTTP tab. Select this tab and ensure that the option ‘RPC-HTTP back-end server’ is checked.
  3. Click on OK to exit.

Modify IIS virtual directories

Installing the RPC proxy will create two new virtual directories under your Default Web Site. We need to modify these slightly in order to allow proper authentication and encryption of RPC over HTTP connections.

  1. Open up the IIS Manager.
  2. Navigate to Web Sites | Default Web Site.
  3. Right click on the RPC directory and select Properties from the drop-down menu.
  4. Select the Directory Security tab.
  5. Click on the Edit button within ‘Authentication and access control’.
  6. Make sure that the option ‘Enable anonymous access’ is deselected.
  7. Check ‘Integrated Windows authentication’ and ‘Basic authentication’ and click on OK. You may be prompted with a warning dialogue; click on Yes and ignore this as it does not apply while using SSL.
  8. Click on the Edit button within ‘Secure communications’.
  9. Check ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’ and click on OK.
  10. Click on OK to apply the changes.

Repeat these steps for the RPCWithCert directory.

Configure Outlook 2003 for RPC over HTTPS

I won't go over adding a new Exchange account to Outlook as it's a pretty standard affair and there are a myriad of support sites covering this. I already have Outlook configured to connect to my Exchange server. I'm using cached mode as I want to emulate a configuration which would be used by a roaming laptop user. Cached mode keeps a local copy of e-mails and attachments so that the data can be accessed offline.

To configure RPC over HTTPS:

  1. Open the Account Settings, select your Exchange account, and click on More Settings.
  2. Go to the Connection tab and tick the checkbox next to ‘Connect to my Exchange mailbox using HTTP’.
  3. Now open up the ‘Exchange Proxy Settings’ and use the options below.

  • Use this URL to connect to my proxy server for Exchange: https://mail.externaldomain.com
  • Check ‘Connect using SSL only’.
  • Check ‘Mutually authenticate the session when connecting with SSL’.
  • ‘Principal name for proxy server:’ msstd:mail.externaldomain.com
  • If you want to use RPC over HTTPS even while on the internal network, then check ‘On fast networks, connect using HTTP first, then connect using TCP/IP’ (I don't use this).
  • Make sure ‘On slow networks, connect using HTTP first, then connect using TCP/IP’ is checked.
  • For the ‘Proxy authentication settings’ we can use either NTLM or Basic authentication. I prefer NTLM as it doesn't constantly prompt for a username and password to be entered.

Apply the changes and you're ready to start testing. Don't forget to forward port 443 to the Exchange Server on your external firewall.
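With ‘Mutually authenticate the session’ ticked, Outlook only keeps the tunnel up if the certificate the proxy presents is issued to the name given as the msstd: principal, which is why a certificate carrying only the internal server name fails from outside. The script below is an added example, not code from the article or from Microsoft: it reproduces that comparison offline against a constructed certificate laid out the way Python's ssl.getpeercert() returns one, and includes an optional live check that fetches the real certificate from the external hostname. All hostnames are the article's placeholders; treating a wildcard as matching exactly one leading label is my assumption of the usual rule.

```python
import socket
import ssl

# Constructed certificate in the dict layout ssl.getpeercert() returns,
# issued to the article's placeholder external name.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "mail.externaldomain.com"),)),
    "subjectAltName": (("DNS", "mail.externaldomain.com"), ("DNS", "owa.externaldomain.com")),
}

# Constructed wildcard certificate for the same domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.externaldomain.com"),),),
    "subjectAltName": (("DNS", "*.externaldomain.com"),),
}


def principal_host(principal):
    """Strip the msstd: prefix Outlook uses in 'Principal name for proxy server'.

    Returns the lower-cased hostname, or None if the prefix is missing.
    """
    prefix = "msstd:"
    if not principal.lower().startswith(prefix):
        return None
    return principal[len(prefix):].lower()


def cert_names(cert):
    """Collect every hostname the certificate is issued to (CN and DNS SANs)."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leading label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def principal_matches_cert(principal, cert):
    """True if the msstd: principal is one of the names the certificate carries."""
    host = principal_host(principal)
    if host is None:
        return False
    return any(name_matches(name, host) for name in cert_names(cert))


def check_live_server(hostname, principal=None, port=443, timeout=5):
    """Network check (not used offline): fetch the proxy's certificate and compare.

    The chain is still verified; only the hostname check is done here so the
    result mirrors the msstd: comparison instead of ssl's own.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return principal_matches_cert(principal or f"msstd:{hostname}", cert)


if __name__ == "__main__":
    for principal in ("msstd:mail.externaldomain.com", "msstd:Exchange1.internaldomain.local"):
        print(principal, "->", principal_matches_cert(principal, SAMPLE_CERT))
```

The second line printed by the demo is the case dmadlung describes in the comments: a principal (or URL) that does not read the same as the certificate is rejected, so the external name in Outlook, the URL and the certificate's subject or SAN must all agree.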

Testing RPC over HTTPS

There are two ways to test whether or not RPC over HTTPS is working. The first is to try connecting from outside of your internal network. The second is to filter all ports but 443 while on the internal network to make sure that Outlook can't connect via the standard TCP/IP protocols. To apply such a filter, go to the advanced TCP/IP properties of your network connection, select filtering, and deny all but port 443.

One important thing to note is that if you're connecting Outlook to the Exchange server for the first time, then you must be on the internal network using TCP/IP. I'm not sure why this is but found out using trial and error.

To check whether Outlook has connected via HTTPS you must hold down [Ctrl] and click on Outlook's taskbar icon. Select ‘Connection status' and you will see a list of all connections between Outlook and the Exchange server. These should all be of the type HTTPS.

I hope this has been a useful guide for those looking to try out RPC over HTTPS with Exchange 2003. I haven't covered every angle in detail as there is plenty of information available on the Web; rather I have tried to cover the areas where I had difficulty in finding solid information while researching this topic for myself.

Remember if you have any questions or suggestions then leave a comment and I'll try to help out.

21 comments
the_wizkid

Hi, when having FE and BE Servers, you need to first set the BE Servers as RPC Proxy BE Servers, and then set the RPC FE. Reference: http://support.microsoft.com/kb/841652/en-us By the way, since Exchange 2003 SP1, the Registry Settings seem to not be needed any longer...

ceejay

Hi, my problem is when running outlook.exe /rpcdiag I get HTTPS for all connections, but type 'Mail' connects to TCP/IP. Can someone help with this?

pervez909

Hello, my problem is I have a domain with Exchange on it, but the issue is when I am trying to open any server with Remote it gives me an error, RPC is not available, and I won't be able to access any server with Remote, and due to this my users are not able to have access to shared folders. Kindly let me know why this is happening and how I can resolve this issue; it will be a great help if you give me some knowledge about it.

dmadlung

Not sure if anyone caught this, but the line: Exchange1.internaldomain.local; should read: Exchange1.internaldomain.local:6004; Otherwise, run rpccfg /hd and you get the result: Error: Expected ':' in string ''. The command did not complete successfully.

Arpitbhargava

Hi, I am having the same scenario, but when I am trying to connect using Outlook 2003 I am getting an error that Outlook is not connected and unavailable. Need some help please.

gld998

Can I reset my password through RPC over HTTPS?

rohansmail

What are the security implications of exposing RPC on the Exchange Server?

hv

After pulling my hair out for a week trying to get Outlook to access Exchange w/ RPC over HTTPS on the WAN, I came across this article. I followed Justin's tip to first connect the computer on the LAN (or VPN) via TCP/IP, and then take the computer back on the WAN. VOILA, it worked perfectly, first time... I was even able to set up additional email accounts on the Outlook client and they worked perfectly, even though the client never revisited the LAN. My question is... Has anyone figured out what the source of this issue is, and why Justin's "workaround" works? Can it be overcome?

TheGooch1

What if you only have a single exchange server? That's my situation at home. So far, I can't find instructions for doing this with a single Exchange server. Thx.

hagen.dittmer

Great how-to; helped me troubleshoot Outlook RPC/HTTPS authentication failure. Cheers

dedmanpc

This is a great layout of the process and pretty much mirrors my experience. I, however, still cannot connect. I did install the Add/remove HTTP over RPC component in the GC's programs. Do I need to add identical ports for the GC's registry under the RPC PROXY, the same as the Exchange Server? I.e. 6001-6002? OR just 593 and 6004 which I have added. Can make any conclusions as to why Outlook fails to connect. Re-creating the Certificate maybe? Many Thanks, --Tony

hiral

Hi Justin, I followed all the steps you have mentioned, but still when I'm trying to test RPC-HTTPS from within the network it's not working. As you've mentioned in your Testing part I tried to filter deny all but port 443 and checked in the connection status. It's showing HTTPS and connecting but the connection wouldn't establish. The only thing I suspect is the port forwarding part. I checked on my router. I couldn't find port forwarding anywhere. But packet filtering -> NAT it seems like it's allowing all ports. Any ideas? Thanks in advance.

shijaz.a

Good article. A question - if we have multiple GCs on the same site, do we need to include the names of each GC in the registry key?

carlsondale

Thanks, Justin. Our testing showed the same thing about needing to connect to the internal network first. We found we could do that through VPN and the service then worked fine. In addition, we found that we had no choice but to use Cached Mode. No matter what we tried, we couldn't get this service to work unless we enabled Cached Mode for the user.

dmadlung

A) Look at log files for the site in IIS (to see if your client is hitting the site at all). B) Start Outlook by running "outlook /rpcdiag" and watch it try to connect. Mine was crapping out on the referral, which brought me to: C) RPCCFG /ha (server resource kit), which let me determine that the registry entries in this FAQ are flawed ;)

dmadlung

Can you reset your password in outlook?

dmadlung

The workaround is to use NTLM authentication for the first connection. Afterwards, use basic.

mradloff

Well, I have set this up and gone through the setup multiple times. It still isn't working. I set up an entire virtual test domain to test it without some of the variables present in my real network. I still can't make this work. I have all the settings checked and double checked. When I do the internal client without the TCP/IP filtering it starts connecting with HTTPS and fails over to TCP/IP. If I filter all but port 443 Outlook just hangs and it doesn't even show the attempt at connecting with HTTPS; it just shows ------ in the conn field on the connection status window. Any help would be greatly appreciated. I really need to get this working. I have about 50 remote offices that have dynamic IPs, so before me they set up an authenticated users SMTP relay and POP3 on the Exchange. The SMTP traffic is crazy, and the Exchange is unstable.

dmadlung

You only need one additional registry entry on the GC machine: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, Type: REG_MULTI_SZ, Name: NSPI Interface protocol sequences, Value: ncacn_http:6004. The cert needs to read the same as the URL you are trying to access.

dmadlung

I'd say no, you don't have to. However, if you want the GC to be redundant with respect to Outlook Anywhere, then yes, you would want to.

Justin Fielding

I have had this working without Cached mode. It's a little slow to connect when Outlook is opened but it does work.