The following is tip #4 from "8 Exchange 2003 security tips in 8 minutes" excerpted from a chapter in David McAmis...
and Don Jones' book, Microsoft Exchange Server 2003 Delta Guide, published by Sams Publishing.
As e-mail has grown to be one of the primary methods of business communication, enabling users to access their e-mail remotely has become a priority. With an updated version of OWA, users have a rich e-mail client that is approaching the full set of features and functionality found in Outlook 2003. However, some features are available only in the full Outlook client.
The good news is that with Exchange 2003 and RPC over HTTP, you can allow remote users to use the full Outlook 2003 client to access their e-mail without setting up a VPN or other facility.
Remote Procedure Call (RPC) is one of the protocols that Exchange supports for client connections. To use RPC over HTTP, you need to configure one of your Exchange front-end servers to act as an RPC proxy server.
You can then expose this server to the outside world and allow users to connect through it. Alternatively, you can use Microsoft ISA Server to route requests through your firewall or perimeter network.
MICROSOFT ISA SERVER
For more information on installing and configuring Microsoft ISA Server, check out http://www.microsoft.com/isa.
Outlook 2003 supports RPC over HTTP. However, to use this feature you need to upgrade your users' operating systems to Windows XP SP1 and apply Windows Update 331320 (available from http://windowsupdate.microsoft.com).
To configure RPC over HTTP using your existing Exchange front-end servers, follow these steps:
1. From the Control Panel, select Add/Remove Programs and then Add/Remove Windows Components. From Networking Services, install the RPC over HTTP protocol.
2. In the IIS Manager, locate the RPC virtual directory and select its properties from the shortcut menu, shown in Figure 8.3.
3. Open the Directory Security property page and edit the Authentication and Access Control settings to select Basic Authentication.
4. Edit the registry and locate the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy key.
5. Modify the ValidPorts value and add the following server identifiers and ports, separated by semicolons, as shown here:
Replace the previous placeholders with the name and fully qualified domain name of the servers in your Exchange topology.
6. On your Global Catalog Server, edit the registry and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
7. Add a new multi-string value (REG_MULTI_SZ) and name it NSPI interface Protocol Sequences.
8. Modify the value you have just created and set its data to ncacn_http:6004.
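The registry portion of the procedure above (steps 4 through 8) as an added PowerShell example that is not from the book: it builds the ValidPorts string from the short name and fully qualified domain name of each back-end and Global Catalog server and writes both registry values. Assumptions: the server names are constructed placeholders, ports 6001-6002 (store and referral) and 6004 (NSPI) are the Exchange 2003 RPC over HTTP ports, and Windows PowerShell is available on the server.

```powershell
# Added example, not from the book. Run elevated on the front-end (RPC proxy)
# server; add -IsGlobalCatalog when running on the Global Catalog server.
param(
    [string[]]$BackEndServers = @('exchbe1'),   # constructed placeholder names
    [string[]]$GlobalCatalogs = @('gc1'),       # constructed placeholder names
    [string]$Domain = 'orion.com',              # domain used in the book's example
    [switch]$IsGlobalCatalog
)

# Step 5: one entry per short name and per FQDN, joined with semicolons.
function New-ValidPortsString {
    param([string[]]$BackEnd, [string[]]$Gc, [string]$DomainSuffix)
    $entries = @()
    foreach ($s in $BackEnd) {
        foreach ($name in @($s, "${s}.${DomainSuffix}")) {
            $entries += "${name}:6001-6002"   # assumed: store and referral ports
            $entries += "${name}:6004"        # assumed: NSPI proxy port
        }
    }
    foreach ($g in $Gc) {
        foreach ($name in @($g, "${g}.${DomainSuffix}")) {
            $entries += "${name}:6004"        # Global Catalog NSPI port
        }
    }
    return ($entries -join ';')
}

$validPorts = New-ValidPortsString -BackEnd $BackEndServers -Gc $GlobalCatalogs -DomainSuffix $Domain

# Steps 4-5: the key only exists once the RPC over HTTP component is installed (step 1).
$proxyKey = 'HKLM:\Software\Microsoft\Rpc\RpcProxy'
if (-not (Test-Path $proxyKey)) {
    throw "RPC over HTTP proxy component not installed: $proxyKey is missing"
}
Set-ItemProperty -Path $proxyKey -Name 'ValidPorts' -Value $validPorts -Type String
Write-Host "ValidPorts = $validPorts"

# Steps 6-8: REG_MULTI_SZ value on the Global Catalog server only.
if ($IsGlobalCatalog) {
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $ntdsKey -Name 'NSPI interface Protocol Sequences' `
        -Value @('ncacn_http:6004') -Type MultiString
}
```

Re-read ValidPorts after running it to confirm the default wildcard range installed by the component has been replaced with only the servers you listed.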
To configure Outlook 2003 to communicate via RPC over HTTP, follow these steps:
1. From the Control Panel, open the Mail control panel. Then create a new profile.
2. Add a new email account, selecting Exchange as your server type. Enter the name of your Exchange back-end server (not your Exchange front-end server).
3. Click the More Settings button and select the Connection property page shown in Figure 8.4. Then select the option Connect to My Exchange Mailbox Using HTTP.
4. Select the Exchange Proxy Settings property page, shown in Figure 8.5. Under Connection Settings, enter the name of your Exchange front-end server in the text box marked Use This URL.
5. Check the options for Connect Using SSL Only and Mutually Authenticate.
6. In the text box marked Principal Name for Proxy Server, enter the fully qualified domain name of your Exchange front-end server, prefixed by msstd: (that is, msstd:exch.orion.com).
7. Change the Proxy Authentication Settings to use basic authentication.
Your Outlook client is now ready to communicate with Exchange using RPC over HTTP.
WORKING WITH MICROSOFT ISA SERVER
There are two critical areas where Microsoft ISA Server can be implemented alongside Exchange to increase security. The first is RPC over HTTP, which was already examined. You can place an ISA Server within the demilitarized zone (DMZ) or outside your firewall to handle RPC requests and route these requests back to your Exchange front-end servers.
Second, for securing OWA implementations, you can configure ISA as a proxy to an Exchange front-end server, eliminating the need to expose a front-end server to the rest of the world. Using ISA Server, you can use a special publishing wizard for OWA to configure a proxy to your Exchange front-end servers. This eliminates the need to open multiple ports to the outside world and provides a more secure implementation method for OWA.
About the authors:
David McAmis is an enterprise architect and partner in a consulting firm in Sydney, Australia. David has written a number of books and more than 100 articles that have appeared in magazines and journals.
Don Jones, MCSE, CTT+, is an independent consultant and founding partner of BrainCore.Net. Don is the author of more than a dozen books and the creator and series editor of Sams Publishing's Delta Guide series. He is also a contributing editor and columnist for Microsoft® Certified Professional Magazine, the Microsoft technology columnist for CertCities.com, and a speaker at technology conferences.