After setting up a small Exchange lab and successfully configuring Outlook Web Access (OWA) using a free SSL certificate, I thought it would be interesting to try enabling RPC over HTTPS.
In order to make use of all Exchange’s collaborative tools, Outlook must communicate with the Exchange server via the remote procedure call protocol (RPC). It’s not a good idea to open these ports to the Internet due to RPC’s rich history of exploitable vulnerabilities. RPC over HTTPS allows RPC traffic to be tunnelled inside secured HTTP packets. This enables roaming users to enjoy full Outlook/Exchange functionality without having to open any additional firewall ports or dial a VPN connection.
My test lab setup contains one Domain Controller and one Exchange 2003 server (SP2). The Domain Controller provides Domain, DNS, and DHCP services while the Exchange server hosts OWA, which has been configured to run over HTTPS. Although RPC can be tunnelled inside unencrypted HTTP packets, I think this is an unnecessary risk, so I won’t even tell you how to do it! If you really want to, then Google may be of some help. I’m using a standard DSL router setup to forward
ports 25 and 443 to the Exchange server.
Modify the Domain Controller
Let’s get down to business. We will start on the Domain Controller. It’s important to note that the Domain Controller must be a Global Catalogue. We only need to make one update to the registry and can then move on to Exchange.
Add the following registry key:
Name: NSPI Interface protocol sequences
There should be no need to reboot, but if things don’t seem to be working correctly later on, then give it a go.
Install RPC over HTTP proxy
Installing the RPC over HTTP proxy service is pretty simple.
- On the Exchange server, open Control Panel. Launch add/remove programs and click on the Add/Remove Windows Components button.
- Scroll down the available Windows components and highlight Networking Services.
- Click on Details to open up a list of subcomponents and select RPC over HTTP Proxy.
- Click on OK and then Next to install the service.
Configure ports for the RPC proxy
Now that we have the RPC proxy installed, we will need to configure the ports that it uses. To do this, we update a registry key:
The ValidPorts key will likely already include an entry for ports 100-5000; we need to add a few more. Below is a copy of my key; you will need to change the hostnames and domains to match your own environment. To make this easier to read, I have split the data string into multiple lines. This should be entered as a single line with no spaces after the semicolons.
If the Domain Controller and Exchange server are on the same box then entries for the Domain Controller (in my case, this is PDC) and also port 593 should be excluded.
Configure Exchange server as an RCP-HTTP back-end server
Telling the Exchange server to act as a target for the RPC proxy is very simple.
- Open up Exchange System Manager, browse to your target server, right-click, and select Properties.
- Just above the General tab you will find the RPC-HTTP tab. Select this tab and ensure that the option ‘RPC-HTTP back-end server’ is checked.
- Click on OK to exit.
Modify IIS virtual directories
Installing the RPC proxy will create two new virtual directories under your Default Web Site. We need to modify these slightly in order to allow proper authentication and encryption of RPC over HTTP connections.
- Open up the IIS Manager.
- Navigate to Web Sites | Default Web Site.
- Right click on the RPC directory and select Properties from the drop-down menu.
- Select the Directory Security tab.
- Click on the Edit button within ‘Authentication and access control’.
- Make sure that the option ‘Enable anonymous access’ is deselected.
- Check ‘Integrated Windows authentication’ and ‘Basic authentication’ and click on OK. You may be prompted with a warning dialogue; click on Yes and ignore this as it does not apply while using SSL.
- Click on the Edit button within ‘Secure communications’.
- Check ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’ and click on OK.
- Click on OK to apply the changes.
Repeat these steps for the RPCWithCert directory.
Configure Outlook 2003 for RPC over HTTPS
I won’t go over adding a new Exchange account to Outlook as it’s a pretty standard affair and there are a myriad of support sites covering this. I already have Outlook configured to connect to my Exchange server. I’m using cached mode as I want to emulate a configuration which would be used by a roaming laptop user. Cached mode keeps a local copy of e-mails and attachments so that the data can be accessed offline.
To configure RPC over HTTPS:
- Go to the Open The Account settings, select your Exchange account, and click on More Settings.
- Go to the Connection tab and tick the checkbox next to ‘Connect to my Exchange mailbox using HTTP’.
- Now open up the ‘Exchange Proxy Settings’ and use the options below.
Use this URL to connect to my proxy server for Exchange:
- Check ‘Connect using SSL only’.
- Check ‘Mutually authenticate the session when connection with SSL’.
- ‘Principal name for proxy server:’ msstd:mail.externaldomain.com
- If you want to use RPC over HTTPS even while on the internal network, then check ‘On fast networks, connect using HTTP first, then connect using TCP/IP’ (I don’t use this).
- Make sure ‘On slow networks, connect using HTTP first, then connect using TCP/IP’ is checked.
- For the ‘Proxy authentication settings’ we can use either NTLM or Basic authentication. I prefer NTLM as it doesn’t constantly prompt for a username and password to be entered.
Apply the changes and you’re ready to start testing. Don’t forget to forward port 443 to the Exchange Server on your external firewall.
Testing RCP over HTTPS
There are two ways to test whether or not RCP over HTTPS is working. The first is to try connecting from outside of your internal network. The second is to filter all ports but 443 while on the internal network to make sure that Outlook can’t connect via the standard TCP/IP protocols. To apply such a filter, go to the advanced TCP/IP properties of your network connection, select filtering, and deny all but port 443.
One important thing to note is that if you’re connecting Outlook to the Exchange server for the first time, then you must be on the internal network using TCP/IP. I’m not sure why this is but found out using trial and error.
To check whether Outlook has connected via HTTPS you must hold down [Ctrl] and click on Outlook’s taskbar icon. Select ‘Connection status’ and you will see a list of all connections between Outlook and the Exchange server. These should all be of the type HTTPS.
I hope this has been a useful guide for those looking to try out RPC over HTTPS with Exchange 2003. I haven’t covered every angle in detail as there is plenty of information available on the Web; rather I have tried to cover the areas where I had difficulty in finding solid information while researching this topic for myself.
Remember if you have any questions or suggestions then leave a comment and I’ll try to help out.