runPCrun Notes for Configuring Server and Outlook for RPC over HTTPS

First read these pages for full details.

• RPC over HTTPS by Simon Butler, Exchange MVP
• Outlookexchange.com - RPC over HTTP
• MS Exchange.org Tutorials - Troubleshooting RPC over HTTPS Part 1
• MS Exchange.org Tutorials - Troubleshooting RPC over HTTPS Part 2

Set up

You need: (assuming a single server setup)

1. Windows 2003 with SP1
2. Outlook 2003
3. Windows XP with SP2
• RPC over HTTP Proxy needs to be installed on the serverh
• Outlook Web Access needs to be working and tested
• The certificate on the server needs to be installed in Internet Explorer on the client if it a self created one We prefer to purchase a certificate.
  
• Make sure the name on the certificate is the same as the External User Name that you use later

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy Key:ValidPorts 

For the following where :-

• 'server' is the internal name for the server
• 'domain.local' is the internal domain name
• 'mail.external.com' is the external domain name as per the certificate

• Quick Tip:Use this tool to do this http://www.petri.co.il/software/rpcnofrontend.zip

server:100-5000;
server:6001-6002;
server:6004;
server.domain.local:6001-6002;
server.domain.local:6004;
mail.external.com:6001-6002;
mail.external.com:6004;

IIS RPC.dll

Configure the RPC virtual directory in Internet Information Services
After you configure the Exchange computer to use RPC over HTTP, you must configure the RPC virtual directory in Internet Information Services. To do this, follow these steps:
1.      Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2.      Expand servername (local computer), expand Web Sites, expand Default Web Site, right-click Rpc, and then click Properties.
3.      Click the Directory Security tab, and then click Edit under Authentication and access control.
4.      Click to clear the Enable anonymous access check box.
5.      Click to select the Basic authentication (password is sent in clear text) check box.
You receive the following message:
The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS(orSSL) connections.
Are you sure you want to continue?
Note In this error message, the word "HTTPS(orSSL)" is a misspelling for the words "HTTPS (or SSL)."
6.      Click Yes, and then click OK.
7.      Click Apply, and then click OK.
The RPC virtual directory is configured to use basic authentication. We recommend that you use SSL together with basic authentication. To enable SSL on the RPC virtual directory, you must obtain and publish a certificate. This procedure assumes that you have obtained and published certificate. To configure the RPC virtual directory to require SSL for all client-side connections, follow these steps:
1.      Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2.      Expand Web Sites, expand Default Web Site, right-click Rpc, and then click Properties.
3.      Click the Directory Security tab, and then click Edit under Secure communications.
4.      Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box.
Note We recommend that you click to select the Require 128-bit encryption check box. However, RPC over HTTP functions correctly even if you do not require 128-bit encryption.
5.      Click OK, click Apply, and then click OK.

Client Set Up

It is recommended to set the client up on the network;

1. In Outlook 2003, choose "Tools", "Email Accounts..."
2. Ensure that "View or Change existing email accounts" is selected and press Next.
3. With "Microsoft Exchange Server" highlighted, click Change.
4. In the bottom right corner locate and click "More Settings..."
5. Click on the "Connection" tab, and enable the option "Connect to my Exchange mailbox using HTTP"
6. Click on "Exchange Proxy Settings..."
7. Complete the options as required for the client.
   • Remember that the server name must match the certificate

     https://<external domain name>

Tick 'connect using SSL only' Tick 'Mutually authenticate...' The principal name for proxy server is msstd:"external domain name" (no quotes) Select Basic Proxy Authentication You can start Outlook using the /rpcdiag switch to checkhow it's communicating with the server.

If you need to configure Outlook when you are not on the domain, there are a couple more steps.

1. When you create the profile and after you have selected 'Exchange Server', type in the internal server name and the username but DO NOT select 'Check Name'

2. Select 'More Settings..' and wait until the 'unavailable' error message appears. Click OK and then Cancel on the next message.

Then complete the set up as before. You will be prompted to enter logon credentials. Use the form 'domain\username' and the password. The servername and username should now be underlined - simply click 'Next' and complete the wizard.

Troubleshooting

Gotcha - check that there are no IP addresses listed in deny access within RPCproxy.dll within IIS on the default website.
Gotcha - check the path of IIS RPC extentions - it must be c:\windows\system32\rpcproxy\rpcproxy.dll not c:\windows\systems32\rpcproxy.dll
How to Verify That RPC Proxy Server Extension Is Loading Properly