Daily IT Matters, this is the place where I post my daily findings on IT.

Thursday, September 27, 2007

RPC over HTTP for Outlook

Project: RPC over HTTP for Outlook

Introduction

RPC over HTTP for Outlook 2003 / 2007 is a technique for using Outlook as a mail client for Exchange remotely, from anywhere, while keeping all the features you have when you are sitting at your desk at work (I presume you already use Outlook as the client for Exchange at work). The Outlook-to-Exchange RPC traffic is tunnelled inside an HTTPS connection to an RPC proxy running in IIS on the Exchange server.

Advantages:

  1. Only one port needs to be open at the firewall: 443.
    Until now we had SMTP, POP3 and HTTP (25, 110 and 80) wide open to the outside world to support email, Outlook Web Access and Outlook Mobile Access.
  2. The SMTP port can now be configured to accept mail only from our provider (I have bSMTP set up); this significantly decreases the number of attacks on our network. SMTP is a frequent target and is used a lot by spammers searching for open relays.
  3. All Outlook and OWA traffic in and out of the network is now encrypted with SSL; the RPC traffic travels inside the HTTPS connection.

Disadvantages:

  1. The Outlook client must be version 2003 or later.
  2. The OS must be Windows XP SP1 with the hotfix from http://go.microsoft.com/fwlink/?linkid=3052&kbid=331320 installed, or simply SP2.
  3. The Outlook client is harder to set up (I do not really think it is hard, but it is different).

Setup:

The first thing to do is set up the RPC proxy on the Exchange server.
This is done through Add/Remove Programs, Windows Components, Networking Services, where you select RPC over HTTP Proxy.
Installing is just a point-and-click exercise; there is nothing to it.

After the installation has finished there is one more thing you should do.

The setup installs two virtual directories under your Default Web Site in IIS 6:

- Rpc

- RpcWithCert

We need to configure the directory security on the Rpc virtual directory (and not on the Default Web Site! Doing that will break OWA). First disable anonymous access, then enable Basic authentication. In Default domain and Realm fill in your domain name; mine is <domain>.local. When you hit OK a warning states that passwords will be sent in cleartext and that protocol analyzers can capture them. This does not apply to HTTPS connections, since the whole connection is encrypted, so you can safely hit Yes. Because Basic puts the password (base64-encoded, not encrypted) in every request, also tick Require secure channel (SSL) under Secure communications on the same Rpc directory once the certificate is installed, so the credentials are never accepted over plain HTTP.

Now we should configure the RPC proxy to forward only to specific ports.

You must do this by editing the registry. Locate the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

and edit its ValidPorts string value (REG_SZ). Mine reads:

servername:6001-6002;servername.domain.local:6001-6002;remote.domain.com:6004

The entries are separated by semicolons and the whole value goes on one line. Each entry is host:port or host:firstport-lastport; the proxy only tunnels RPC connections to a host:port that matches one of these entries. Port 6001 is the Exchange information store, 6002 the directory referral service and 6004 the directory (NSPI) proxy.

servername = the NetBIOS name of the server (no FQDN)

servername.domain.local = the internal FQDN (servername + your domain name)

remote.domain.com = the external name under which the website is reachable

RPC is set up correctly now; we can move on to the next part.
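The two settings above (directory security on the Rpc virtual directory and the ValidPorts value) can also be scripted and checked. The following is an added example, not code from the original post; it uses the IIS 6 WMI provider and the registry provider, and the three host names are placeholders for the post's servername, servername.domain.local and remote.domain.com. Unlike the post's own value, which lists only 6004 for the external name, the helper gives every name every port, the fuller form Microsoft's own RPC over HTTP documentation uses; trim the host or port lists if you prefer.

```powershell
# Added example, not from the original post: scripts the two RPC proxy settings
# described above (IIS 6 directory security on the Rpc virtual directory and the
# RpcProxy\ValidPorts registry value). Run from an elevated PowerShell prompt on
# the Exchange/RPC proxy server. The three host names are placeholders
# (assumptions) standing in for the post's servername / servername.domain.local /
# remote.domain.com.

$ErrorActionPreference = 'Stop'

$NetbiosName  = 'servername'               # assumption: NetBIOS name of the Exchange server
$InternalFqdn = 'servername.domain.local'  # assumption: internal FQDN
$ExternalName = 'remote.domain.com'        # assumption: name published on the Internet

function New-ValidPortsValue {
    param(
        [string[]]$Hosts,
        # 6001 = information store, 6002 = directory referral, 6004 = directory (NSPI) proxy
        [string[]]$PortSpecs = @('6001-6002', '6004')
    )
    # Every name gets every port spec; the value is one line, entries separated by ';'.
    $entries = foreach ($h in $Hosts) { foreach ($p in $PortSpecs) { "${h}:$p" } }
    return ($entries -join ';')
}

function Test-ValidPortsValue {
    param([string]$Value)
    # host:port or host:lowport-highport, ports within 1..65535 and low <= high
    $pattern = '^[A-Za-z0-9][A-Za-z0-9.-]*:(\d{1,5})(?:-(\d{1,5}))?$'
    foreach ($entry in ($Value -split ';' | Where-Object { $_ -ne '' })) {
        if (-not ($entry -match $pattern)) { return $false }
        $low  = [int]$Matches[1]
        $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
        if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) { return $false }
    }
    return $true
}

function Set-RpcProxyValidPorts {
    param([string]$Value)
    if (-not (Test-ValidPortsValue $Value)) { throw "Malformed ValidPorts value: $Value" }
    # The key is created by the "RPC over HTTP Proxy" Windows component.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
    if (-not (Test-Path $key)) { throw "$key missing: is the RPC over HTTP Proxy component installed?" }
    Set-ItemProperty -Path $key -Name 'ValidPorts' -Value $Value -Type String
}

function Set-RpcVdirSecurity {
    param(
        [string]$Realm,
        [string]$MetabasePath = 'W3SVC/1/ROOT/Rpc'   # site id 1 = Default Web Site; the Rpc vdir, not the site
    )
    # The IIS 6 WMI provider exposes the metabase; these are the Directory Security tab settings.
    $vdir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting `
                          -Filter "Name='$MetabasePath'"
    if (-not $vdir) { throw "Virtual directory $MetabasePath not found" }
    $vdir.AuthAnonymous      = $false   # Anonymous access: off
    $vdir.AuthBasic          = $true    # Basic authentication: on
    $vdir.DefaultLogonDomain = $Realm   # Default domain
    $vdir.Realm              = $Realm   # Realm
    $vdir.AccessSSL          = $true    # Require secure channel (SSL): Basic credentials never accepted in clear
    $vdir.AccessSSL128       = $true    # Require 128-bit encryption
    $vdir.Put() | Out-Null
}

# Usage
$validPorts = New-ValidPortsValue -Hosts @($NetbiosName, $InternalFqdn, $ExternalName)
Set-RpcProxyValidPorts -Value $validPorts
Set-RpcVdirSecurity -Realm 'domain.local'
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy' -Name 'ValidPorts'
```

Test-ValidPortsValue rejects the value before it is written, which catches the usual mistakes (a newline instead of a semicolon, a stray space, a port range written backwards). AccessSSL is set here on the Rpc directory only; setting it on the Default Web Site would, like the authentication change, affect OWA as well.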

Setting up Exchange

The next part is configuring Exchange 2003 SP1 as an RPC-HTTP back-end server (SP1 must be installed; otherwise the setting below is not available and you are left editing the registry).

Go to the ESM, find the server, right-click it, select Properties and go to the RPC-HTTP tab.

There select RPC-HTTP back-end server.

You will have to restart the machine to complete the setup.

After the machine has rebooted, you are ready to configure an Outlook client.

Contrary to what others on the web are saying, there is really nothing fancy about it; you don't need to be on your LAN first to set it up.

Setting up an Outlook Profile

Just create an Exchange profile (I assume you know how).

Type in the NetBIOS name of the server on the first page.

Type in your name (if you are remote, Check Name will fail; just click Cancel). Then go to More Settings, the Connection tab, and under Exchange over the Internet tick "Connect to my Exchange mailbox using HTTP" and click Exchange Proxy Settings.

In the HTTPS field type in your remote.domain.com, and select Basic Authentication as the proxy authentication.

NTLM may or may not work, because some firewalls and proxies interfere with the NTLM handshake on its way through; Basic authentication always works.

(Trade-off: you will always have to enter a password when you connect Outlook to Exchange. Some might see this as an advantage rather than a trade-off.)

Make sure you tick both "On fast networks, connect using HTTP first, then connect using TCP/IP" and "On slow networks, connect using HTTP first, then connect using TCP/IP".

(At least that is what I do.)

Now all you have to do is get an SSL certificate and install it on the server. The certificate must be issued to the external name (remote.domain.com) and its whole chain must be trusted by the client; otherwise Outlook will fail to connect without a useful error, which is why the intermediate certificates are installed first.

Installing an SSL certificate from GoDaddy.

Installing the Intermediate Certificate Bundle (gd_iis_intermediates.p7b):

i. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).

ii. In the Management Console, select File; then "Add/Remove Snap In."

iii. In the Add/Remove Snap-In dialog, select Add.

iv. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.

v. Choose Computer Account; then click Next and Finish.

vi. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.

vii. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.

viii. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.

ix. Follow the wizard prompts to complete the installation procedure.

x. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).

xi. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.

xii. Click Finish.

Installing SSL Certificate

i. Select the Internet Information Service console within the Administrative Tools menu.

ii. Select the Web site (host) for which the certificate was made.

iii. Right mouse-click and select Properties.

iv. Select the Directory Security tab.

v. Select the Server Certificate option.

vi. The Welcome to the Web Server Certificate Wizard window opens. Click Next.

vii. Select Process the pending request and install the certificate. Click Next.

viii. Enter the location of the certificate file in the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type All Files).

ix. When the correct certificate file is selected, click Next.

x. Verify the Certificate Summary to make sure all information is accurate. Click Next.

xi. Select Finish.

Now you’re done.
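Before handing the profile settings to users it is worth confirming, from a machine outside the LAN, that the three things Outlook depends on are in place: the certificate chain validates, the Rpc directory demands Basic authentication, and plain HTTP is refused. The following is an added check, not part of the original post; it uses only System.Net from the .NET Framework, and remote.domain.com is the post's placeholder for the external name.

```powershell
# Added example, not from the original post: probes the published RPC proxy from a
# client the way Outlook will reach it. Three things must hold: the HTTPS
# handshake validates (certificate issued to the external name, intermediate
# chain installed), /rpc/rpcproxy.dll answers 401 with a Basic challenge
# (anonymous off, Basic on), and plain HTTP is refused or blocked.
# remote.domain.com is the post's placeholder for the external name.

function Get-HttpProbeResult {
    param([string]$Url)
    # Sends an unauthenticated GET and returns status, offered auth schemes,
    # server certificate issuer, or the transport/TLS error if no response came back.
    $result = New-Object PSObject -Property @{
        Url = $Url; Status = $null; AuthSchemes = @(); CertIssuer = $null; Error = $null
    }
    $resp = $null
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.Timeout = 10000
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 surface as a WebException that still carries the response;
        # a TLS trust failure or a closed port has no response at all.
        if ($_.Exception.Response) { $resp = $_.Exception.Response }
        else { $result.Error = $_.Exception.Message; return $result }
    }
    $result.Status = [int]$resp.StatusCode
    $auth = $resp.Headers.GetValues('WWW-Authenticate')
    if ($auth) { $result.AuthSchemes = @($auth | ForEach-Object { ($_ -split ' ')[0] }) }
    if ($req.ServicePoint.Certificate) { $result.CertIssuer = $req.ServicePoint.Certificate.Issuer }
    $resp.Close()
    return $result
}

function Test-RpcProxyPublishing {
    param([string]$ExternalName)
    $ok = $true
    $https = Get-HttpProbeResult "https://$ExternalName/rpc/rpcproxy.dll"
    if ($https.Error) {
        Write-Warning "HTTPS failed: $($https.Error) (untrusted chain, name mismatch or port 443 closed?)"
        $ok = $false
    } elseif ($https.Status -ne 401) {
        Write-Warning "Expected 401 from the Rpc directory, got $($https.Status) (anonymous access still enabled?)"
        $ok = $false
    } elseif ($https.AuthSchemes -notcontains 'Basic') {
        Write-Warning "Basic not offered; schemes: $($https.AuthSchemes -join ', ')"
        $ok = $false
    } else {
        Write-Host "HTTPS OK: 401 with $($https.AuthSchemes -join '/') challenge, certificate issued by $($https.CertIssuer)"
    }

    # Port 80 should be closed at the firewall; if it is open, the Rpc directory must demand SSL (403).
    $http = Get-HttpProbeResult "http://$ExternalName/rpc/rpcproxy.dll"
    if (-not $http.Error -and $http.Status -ne 403) {
        Write-Warning "Plain HTTP answered $($http.Status); Basic credentials could travel in clear. Tick 'Require secure channel (SSL)' on the Rpc directory."
        $ok = $false
    }
    return $ok
}

# Usage: replace with your own external name
Test-RpcProxyPublishing -ExternalName 'remote.domain.com'
```

A "Could not establish trust relationship" error on the HTTPS probe is the symptom of the missing intermediate bundle described above, and an HTTPS 200 instead of 401 means anonymous access was left on. Run it from a machine that is not domain-joined, since a domain member may already trust an internal CA that outside clients do not.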

This is how I've done it; if you have questions, feel free to email me.
