http://www.msexchange.org/tutorials/outlookrpchttp.html
04/04/2008
There are many ways you can make the RPC over HTTP proxy available to remote users. The most secure way, and the only way I recommend, is to use an ISA Server 2000 firewall to control inbound access to the RPC over HTTP proxy. The ISA Server 2000 firewall is able to inspect even SSL encrypted packets for dangerous exploits that might be hidden inside the SSL tunnel. Other firewalls are not able to evaluate the validity of the commands and data moving from a remote client to the RPC over HTTP proxy, and they put your network and Exchange Servers at unnecessary risk.

For more information on how to configure an ISA Server 2000 firewall to support secure inbound RPC over HTTP connections, check out the following series of articles:

Part 1: http://www.msexchange.org/articles/rpchttppart1.html
Part 2: http://isaserver.org/articles/rpchttppart2.html
Part 3: http://www.isaserver.org/tutorials/rpchttppart3.html
Part 4: http://isaserver.org/tutorials/rpchttppart4.html

You must use Outlook 2003 running on Windows XP Service Pack 1 to connect using the RPC over HTTP protocol. In addition, you must install the hotfix mentioned in the Microsoft KB article "Outlook 11 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP". Download and install the hotfix before configuring a profile that allows the user to connect to the Exchange Server.

It is important to note that you must create the Outlook 2003 profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135, typically through an ISA Server 2000 secure Exchange RPC Publishing rule). You will not be able to create a new profile or change an existing profile to use RPC over HTTP if it does not have access to the Exchange Server via RPC (TCP 135).
This bears repeating: you will not be able to create a new Outlook profile unless the Outlook client is on the internal network and can access the Exchange Server using RPC via TCP 135. In addition, a user with an existing profile will not be able to alter that profile so that it can use RPC over HTTP unless the client is located on the internal network and can access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135.

Of course, there are always exceptions to the rule. The article "Configuring Outlook 2003 for RPC over HTTP" indicates that you should be able to use the Office Resource Kit to configure an Outlook 2003 profile that allows access to the RPC over HTTP servers without requiring RPC access to the Exchange Server. We have not tested this configuration. If you have used the ORK to configure such a profile, please let us know about your experiences on the message board at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002315.
3. Type in a name for the profile in the Profile Name text box. Click OK.
4. Select the Add a new e-mail account option on the This wizard will allow you to change the e-mail accounts and directories that Outlook uses page. Click Next.
5. On the Server Type page, select the Microsoft Exchange Server option and click Next.
6. On the Exchange Server Settings page, type in the FQDN of the front-end Exchange Server. This must be the same name used on the Web site certificate you have assigned to the front-end Exchange Server's Web site. For example, we obtained a Web site certificate for the front-end Exchange Server's Web site. The Common Name (CN) on the Web site certificate is owa.internal.net. Therefore we enter owa.internal.net in the Microsoft Exchange Server text box. Type a user account name in the User Name text box. Click the Check Name button to confirm that the Outlook 2003 client machine can communicate with the front-end Exchange Server. Put a checkmark in the Use local copy of Mailbox checkbox. Click the More Settings button.
7. You can change how Outlook detects the connection state on the General tab of the Microsoft Exchange Server dialog box. Do not make any changes here unless you have an explicit reason to do so.
8. Click on the Advanced tab. Confirm that there is a checkmark in the Use local copy of Mailbox checkbox. The default selection is Download headers followed by full item.
9. Click on the Security tab. Put a checkmark in the Encrypt information checkbox. I'm not sure this does anything when you use RPC over HTTP, but encryption is a good thing, so we'll enable this checkbox anyhow.
10. Click on the Connection tab. Select the Connect using my Local Area Network (LAN) option. Put a checkmark in the Connect to my Exchange mailbox using HTTP checkbox, then click the Exchange Proxy Settings button.
11. You configure the specifics of the RPC over HTTP session in the Exchange Proxy Settings dialog box. Type in the FQDN of your front-end Exchange Server in the Use this URL to connect to my proxy server for Exchange text box. This is the same name listed as the Common Name on the Web site certificate. Put a checkmark in the Mutually authenticate the session when connecting with SSL checkbox. Put the FQDN of the front-end Exchange Server (the same name listed on the Web site certificate) in the Principal name for proxy server text box. Use the format: Msstd:FQDN. For example, we use msstd:owa.internal.net for our published front-end Exchange Server because the Common Name on the certificate is owa.internal.net. Put a checkmark in the Connect using HTTP first, then connect using my Local Area Network (LAN) checkbox. This is an interesting setting, as it's unclear what a "LAN" protocol is in contrast to an "HTTP" protocol. I assume it means to use unencapsulated RPC messages, but I can't say that for sure. In the Use this authentication when connecting to my proxy server for Exchange drop-down box, select the Basic Authentication option. This forces you to use SSL, which is OK, because we are using SSL for our links. Click OK on the Exchange Proxy Settings dialog box.
12. Click Apply and OK on the Microsoft Exchange Server dialog box.
16. Open Outlook 2003. You will be able to use HTTPS for the connection, as confirmed in the Exchange Server Connection Status window. You can access the connection status window by right-clicking on the Outlook 2003 icon in the system tray and selecting the connection status command right after you start up Outlook 2003.
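A preflight check for the names entered in steps 6 and 11, as an added example that is not part of the original article: it compares the proxy FQDN and the msstd: principal name with the Common Name on the front-end server's certificate, and includes a helper for the TCP 135 prerequisite. The function names and the settings dictionary keys are hypothetical, the sample certificate is constructed from the article's example name, and the comparison assumes an exact CN match as the article describes.

```python
import socket
import ssl

def cert_common_name(peercert):
    """Return the subject CN from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def fetch_peercert(host, port=443, timeout=5):
    """Live helper (needs network): certificate validated against local trust."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def rpc_port_reachable(host, timeout=5):
    """Live helper: can this client open TCP 135 on the Exchange Server?"""
    try:
        with socket.create_connection((host, 135), timeout=timeout):
            return True
    except OSError:
        return False

def check_proxy_settings(settings, peercert):
    """Compare the values typed in step 11 with the certificate's CN."""
    problems = []
    cn = (cert_common_name(peercert) or "").lower()
    if settings["proxy_fqdn"].lower() != cn:
        problems.append("proxy FQDN does not match certificate CN")
    scheme, _, name = settings["principal"].partition(":")
    if scheme.lower() != "msstd" or name.lower() != cn:
        problems.append("principal name is not msstd:<certificate CN>")
    if not settings["mutual_auth"]:
        problems.append("mutual authentication is not enabled")
    if settings["auth"] == "Basic" and not settings["ssl"]:
        problems.append("Basic authentication without SSL")
    return problems

# Constructed sample data (hypothetical keys), using the article's example name.
SAMPLE_CERT = {"subject": ((("commonName", "owa.internal.net"),),)}
GOOD = {"proxy_fqdn": "owa.internal.net", "principal": "msstd:owa.internal.net",
        "mutual_auth": True, "auth": "Basic", "ssl": True}
BAD = dict(GOOD, proxy_fqdn="mail.internal.net", principal="owa.internal.net")
```

On a live network, pass the result of fetch_peercert() in place of SAMPLE_CERT and call rpc_port_reachable() before attempting to create the profile.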
Summary
Outlook 2003 clients can connect to Microsoft Exchange 2003 Servers using the RPC over HTTP protocol. This allows Outlook 2003 clients to get through firewalls that are configured to block secure Exchange RPC connections from Outlook MAPI clients. Microsoft has solved this problem by enabling the Outlook 2003 client running on Windows XP SP1 and above to encapsulate the RPC protocol information in an HTTP header. ISA Server 2000 firewalls provide the highest level of protection for RPC over HTTP proxies. This makes ISA Server 2000 the firewall of choice when providing remote access to your Exchange Servers. Outlook 2003 can be configured on an individual basis, or you may be able to use the Office Resource Kit to configure Outlook profiles.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002315 and post a message. I'll be informed of your post and will answer your questions ASAP.

Thanks!
Tom