As the article “SSL certificate options for secure access to Exchange Server through the Internet” explains, RPC Server is a feature in Exchange 2003 Server that allows Outlook 2003 users to connect to the server securely. Essentially, the main steps to implement Exchange RPC Server include:
- Configuring Windows 2003 Server to use the RPC over HTTP service.
- Configuring basic authentication on the RPC virtual directory in Internet Information Services (IIS) 6.0.
- Defining specific ports to be used by the RPC over HTTP service.
Let’s take a look at these steps in greater detail.
Configure RPC over HTTP service
The RPC over HTTP service needs to be installed on a Windows 2003 Server that houses either Exchange 2003 Server or an Exchange 2003 front-end server. The procedure to configure the RPC over HTTP service is:
1. Access Add/Remove Programs from the Control Panel on the Windows 2003 Server.
2. Click the Add/Remove Windows Components button in the Add Or Remove Programs dialog box. The Windows Components Wizard dialog box appears, as shown in Figure A.
3. Select Networking Services on the list in the Windows Components Wizard dialog box, and then click the Details button. The Networking Services dialog box appears, as shown in Figure B.
4. Place a check mark in the RPC Over HTTP Proxy check box in the Networking Services dialog box, and click OK.
5. Click Next at the bottom of the Windows Components Wizard dialog box. The Windows 2003 Server will be reconfigured to use the RPC over HTTP service.
6. Click Finish once the final screen of the Windows Components Wizard appears.
7. Close the Add Or Remove Programs dialog box.
Configure basic authentication on the RPC virtual directory
During the configuration of the RPC over HTTP service, a virtual directory should be created in the default Web site in IIS. You’ll need to make sure the RPC virtual directory includes basic authentication. Basic authentication is generally a “no-no” over the Internet; however, you’ll be using SSL to secure data transmission.
The procedure to configure basic authentication on the RPC virtual directory is:
1. Access the Internet Information Services Manager from the Administrative Tools menu on the Start menu (or in the Control Panel).
2. Locate the default Web site and then click the plus sign (+) preceding the site to expand its branches.
3. Locate the RPC virtual directory and right-click while over it.
4. Choose Properties from the shortcut menu. The RPC Properties dialog box appears, as shown in Figure C.
5. Click the Directory Security tab in the RPC Properties dialog box. The Directory Security screen appears, as shown in Figure D.
6. Click the Edit button in the Authentication And Access Control section of the Directory Security screen. As shown in Figure E, the Authentication Methods screen appears.
7. Place a check mark in the Basic Authentication check box in the Authenticated Access section of the Authentication Methods screen.
8. Click OK twice to save your changes and exit.
To increase security on the RPC virtual directory, disallow anonymous access. Disallowing anonymous access prevents clients that use RPC over HTTP version 1.0, which is less secure than version 2.0, from connecting. Version 2.0 authenticates using only basic or Windows integrated authentication.
Define specific ports for the RPC over HTTP service
The final step is to define specific ports to be used by the RPC over HTTP service. If you have multiple Exchange Servers that will be accessed by Outlook 2003 clients through the Exchange RPC Server, you’ll need to define the same ports on each of those servers as well. The ports are:
- 6001—To access the Exchange store
- 6004—To access the Directory Service proxy
These ports will be defined in the registry, so be sure to back it up before proceeding. The procedures to define specific ports for the RPC over HTTP service are:
1. Access the registry by typing in regedit.exe from the Run command or command prompt.
2. Locate the key for the RPC over HTTP service port settings—HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\RpcProxy. The information shown in Figure F should appear in the Registry Editor’s details pane to the right.
3. Right-click the ValidPorts subkey in the Registry Editor’s details pane, and then click Modify. The Edit String dialog box appears, as shown in Figure G.
4. Make sure the Value Data field contains the following:
- The NETBIOS names for your Exchange Server and global catalog server for each port
- The Fully Qualified Domain Name (FQDN) for your Exchange Server and global catalog server for each port
The appropriate syntax for the Value Data field for the ValidPorts subkey is:
Let’s say your Exchange 2003 Server is located on a Windows 2003 Server, which acts as a global catalog server. The NETBIOS name of the server is CLAUD and the FQDN is CLAUD.OFFICE.LOCAL. The value in the Value Data field should be:
If Outlook 2003 clients will be asking for the RPC over HTTP service using IP addresses, you should also include entries for the IP address for each of the ports.
You may notice that there are entries for port 593 when you check the ValidPorts subkey. Port 593 is for the Distributed Component Object Model (DCOM) protocol. This allows DCOM to be used over the RPC over HTTP service for client/server applications. If DCOM will not be used in this capacity, remove any entries for port 593 to improve security. Check out Microsoft Security Bulletin MS03-026 for further details.
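The ValidPorts value described above, as an added example that is not from the original article: a small Python helper that builds the value for a set of host names and ports, parses an existing value, and reports any host:port pair that is missing and any host for which port 593 (DCOM) is still allowed. The registry path and the sample names CLAUD and CLAUD.OFFICE.LOCAL come from the article; the IP address 192.0.2.10 and the function names are constructed for this example.

```python
"""Helpers for checking the RpcProxy ValidPorts registry value.
Added example, not code from the original article. The registry path and the
sample host names are the article's; everything else is constructed."""
from collections import defaultdict

# Registry location named in the article (HKLM\Software\Microsoft\RPC\RpcProxy)
VALID_PORTS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\RpcProxy"
DCOM_PORT = 593  # DCOM over RPC/HTTP; remove if unused (see MS03-026)


def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {HOST: set(ports)}."""
    allowed = defaultdict(set)
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, _, port_spec = entry.rpartition(":")
        if not host:
            raise ValueError(f"entry without host: {entry!r}")
        lo, _, hi = port_spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi < 65536):
            raise ValueError(f"bad port range in {entry!r}")
        allowed[host.upper()].update(range(lo, hi + 1))  # names are case-insensitive
    return dict(allowed)


def build_valid_ports(hosts, ports):
    """Build a ValidPorts string that lists every port for every host name."""
    return ";".join(f"{h}:{p}" for h in hosts for p in ports)


def check_valid_ports(value, hosts, ports):
    """Return (missing, dcom_hosts): host:port pairs the value lacks, and the
    hosts for which port 593 (DCOM) is still allowed."""
    allowed = parse_valid_ports(value)
    missing = [f"{h}:{p}" for h in hosts for p in ports
               if p not in allowed.get(h.upper(), ())]
    dcom_hosts = sorted(h for h, ps in allowed.items() if DCOM_PORT in ps)
    return missing, dcom_hosts


if __name__ == "__main__":
    # Constructed sample: the article's server CLAUD, plus leftover 593 entries
    # and a client-facing IP address (constructed) that was never added.
    hosts = ["CLAUD", "CLAUD.OFFICE.LOCAL"]
    ports = [6001, 6004]  # the two ports the article lists
    sample = "CLAUD:593;CLAUD.OFFICE.LOCAL:593;" + build_valid_ports(hosts, ports)
    print(f"Checking {VALID_PORTS_KEY}\\ValidPorts = {sample}")
    print(check_valid_ports(sample, hosts + ["192.0.2.10"], ports))
```

Feed it the string shown in the Edit String dialog box (or the output of reg query on that key) to confirm every name and port is present before clients are pointed at the server.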