RPC over HTTP for Outlook

Project: RPC over HTTP for Outlook

Introduction

RPC over HTTP for Outlook 2003 / 2007 is a technique for using Outlook as a mailclient for Exchange remotely from anywhere. But with sporting all the features you have when you are normally sitting at your desk at work (I presume you already have outlook as a client for exchange at work)

Advantages:

  1. Only one port open at the firewall, port 443.
    We now have SMTP, POP3 and HTTP (25, 110 and 80) wide open to the outside world, for supporting email, Outlook Web Access and Outlook Mobile Access.
  2. The SMTP port can now be configured to only accept mail from from your provider (I have bSMTP setup), this will significantly decrease the number of attacks on our network. SMTP is prone to attacks and is used a lot by spammers (searching for open relays)
  3. All data coming in and out of the network is now encrypted through SSL.

Disadvantages:

  1. The Outlook Client must be version 2003 or later.
  2. The OS must be windows XP SP1 with http://go.microsoft.com/fwlink/?linkid=3052&kbid=331320 installed or just SP2.
  3. The outlook client is harder to setup ( I do not really think its hard but its different)

Setup:

First to thing to do is setting up an RPC proxy on the Exchange Server.
This can be done by just going to Add/Remove Programs and then go to network services and there select RPC Proxy.
Installing is just a point and click exercise there is nothing to it.

After installing has finished there is one thing you should do.

The setup installs 2 virtual directory under your Default Website in IIS 6.

- Rpc

- RpcWithCert

We need to configure the directory security on the RPC object. (and not on the Default Website! Doing that will break OWA). First we disable anonymous access, and enable Basic Authentication. Also in Default Domain and Realm fill in your domain name, mine is <domain>.local. When you hit the OK button there will be a message stating that the passwords will be send in cleartext and that protocol analyzers can gather them, however this does not apply to HTTPS connections since the whole connection is encrypted (you can safely hit Yes)

Now we should setup the rpc server to use specific ports.

You must do this by editing the registry. Locate the Key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

servername:6001-6002;
servername.domain.local:6001-6002;
remote.domain.com:6004

the above must be entered on one line in the ValidPorts Key.

servername = The netbios name of the server (no FQDN)

servername.domain.local = internally FQDN (servername + your domainname)

remote.domain.com = external name where the website is reachable.

RPC is setup correctly now, we can move on to the next part.

Setting up Exchange

The next part is configuring exchange 2003 SP1 (SP1 must be installed otherwise the settings below are not available, and thus leaving you to edit the registry) as a backend server for RPC.

Go to the ESM and find the server right click it and go to the RPC – HTTP tab.

There you will find the following setting.

RPC-HTTP back-end server select it.

You will have to restart your machine to complete the setup.

After the machine is rebooted, you are ready to configure an outlook client

Otherwise then others on the web are saying there is really nothing fancy about it, you don’t need to be on your LAN first to set it up.

Setting UP an Outlook Profile

Just create an exchange profile (I assume you know how)

Type in the netbios name of the server on the first page.

Type in your name (if you are remote the name resolving process will not work, just click cancel then) after you have done this go to [more settings] à tab [connection] go to sub [exchange over internet] select proxy settings of exchange.

In the HTTPS part type in your remote.domain.com, and select basic authentication.

NTLM might work or not because some firewall are modifying NTLM packets when they pass-through, basic authentication always work.

(trade off: you will have to enter always a password when you connect outlook to exchange some might see this as an advantage instead of a trade off)

Make sure you select both the settings about using HTTP first instead of TCP.

(atleast that is what I do)

Now all you have to do is to get an SSL certificate and install it on your machine.

Installing SSL certificate from Godaddy.

Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):

i. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).

ii. In the Management Console, select File; then "Add/Remove Snap In."

iii. In the Add/Remove Snap-In dialog, select Add.

iv. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.

v. Choose Computer Account; then click Next and Finish.

vi. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.

vii. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.

viii. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.

ix. Follow the wizard prompts to complete the installation procedure.

x. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).

xi. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.

xii. Click Finish.

Installing SSL Certificate

i. Select the Internet Information Service console within the Administrative Tools menu.

ii. Select the Web site (host) for which the certificate was made.

iii. Right mouse-click and select Properties.

iv. Select the Directory Security tab.

v. Select the Server Certificate option.

vi. The Welcome to the Web Server Certificate Wizard windows opens. Click OK.

vii. Select Process the pending request and install the certificate. Click Next.

viii. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).

ix. When the correct certificate file is selected, click Next.

x. Verify the Certificate Summary to make sure all information is accurate. Click Next.

xi. Select Finish.

Now you’re done.

This is how I’ve done it if you have questions feel free to email me.

Comments

Post a Comment

Popular posts from this blog

Exchange Server Error -1018: How Microsoft IT Recovers Damaged Exchange Databases

Image
I found this paper on the showcase site from microsoft I hope it is of help to you. It sure helped me!     Technical White Paper Published: August 1, 2005 Executive Summary Error –1018 (JET_errReadVerifyFailure) is a familiar—and dreaded—error in Microsoft® Exchange Server. It indicates that an Exchange database file has been damaged by a failure or problem in the underlying file system or hardware. This paper explains the conditions that result in error –1018. It also covers the detection mechanisms that Exchange uses to discover and recover from damage to its database files. The Microsoft Information Technology group (Microsoft IT) runs one of the most extensive Exchange Server organizations in the world. Exchange administrators at Microsoft have investigated and recovered from dozens of –1018 error problems. This paper shows you how Microsoft IT monitors fo
Read more

Server and Domain Isolation Using IPsec and Group Policy

Image
Microsoft Solutions for Security and Compliance Server and Domain Isolation Using IPsec and Group Policy © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Table of Contents Chapter 1: Introduction to Server and Domain Isolation. 1 Executive Summary. 1 Who Should Read This Guide. 2 The Business Challenge. 3 The Business Benefits. 3 The Technology Challenge. 4 Creating a Project Team.. 6 Guide Overview.. 7 Chapter 1: Introduction to Server and Domain Isolation. 7 Chapter 2: Understanding Server and Domain Isolation. 7 Chapter 3: Determining the Current State of Your IT Infrastructure. 7 Chapter 4: Designing and Planning Isolation Groups. 8 Chapter 5: Creating IPsec Policies for Isolation Groups.
Read more

[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute

Image
I had the error below in my application eventlog.     Event Type:    Error Event Source:    Userenv Event Category:    None Event ID:    1085 Date:        30-09-2008 Time:        15:20:30 User:        NT AUTHORITY\SYSTEM Computer:    TBG-TS01 Description: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .   My problem was with my site to zone assignment list I used a wildcard like this: “ *microsoft.com ” but what you need to do is this “ *.microsoft.com ” So it is safe to say that the documentation from microsoft needs some sort of an update stating that you can only use a wildcard infront of dot. Below is the microsoft explaination:   This policy setting allows you to manage a list of sites that you want to associate with a particular s
Read more