The following is tip #5 from "20 Tips on securing Outlook in 20 minutes," excerpted from a chapter in Paul Robichaux's book, Secure Messaging with Microsoft Exchange Server 2003 © 2004, published by Microsoft Press.
Exchange and Outlook use the remote procedure call (RPC) protocol to communicate. This is fine on local area networks (LANs), but most administrators wisely block RPC traffic at their network perimeter; there is no good reason to allow random Internet hosts to send you RPC packets -- in fact, it's a good idea not to, given the history of vulnerabilities in the Windows RPC stack.
This has posed a conundrum for Exchange administrators: what's the best way to allow remote users access to their mailboxes?
There are several options to choose from: Microsoft Outlook Web Access does a good job overall, but doesn't allow access to stored mail while users are disconnected; POP and IMAP are useful lightweight protocols, but don't offer the full range of Exchange services; virtual private networks (VPNs) allow secure access, but they also allow the remote machine full run of the connected network, which isn't always desirable; and Internet Security and Acceleration (ISA) Server allows publishing RPC-based services while inspecting inbound RPC traffic to ensure its integrity and harmlessness.
In Outlook 2003, Microsoft has added full support for tunneling RPC packets inside of Hypertext Transfer Protocol (or, more precisely, Secure Sockets Layer [SSL]-protected HTTP) packets. With the right configuration, a mobile user can launch Outlook, connect to the corporate network on port 443, and have his or her RPC traffic tunneled from the network entry point to the Exchange server. Users get complete Outlook functionality, and administrators enjoy the protection of blocking plain RPC traffic at the perimeter. However, this magic requires some configuration on the Outlook side, which I discuss later in the chapter.
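As an added example (not from the book or from Microsoft), the Python check below reads the entry point's web log and flags tunneled RPC requests that arrive without SSL or that name a back-end other than the expected Exchange endpoints. RPC over HTTP requests use the RPC_IN_DATA and RPC_OUT_DATA verbs against /rpc/rpcproxy.dll with the back-end server:port in the query string; the host names, addresses, allowed endpoint list and log lines here are constructed for illustration.

```python
# Added example: audit RPC-over-HTTP requests seen at the HTTPS entry point.

RPC_VERBS = {"RPC_IN_DATA", "RPC_OUT_DATA"}   # HTTP verbs used by RPC over HTTP
PROXY_PATH = "/rpc/rpcproxy.dll"              # RPC proxy extension hosted in IIS

# Assumption: the only back-end endpoints the proxy should reach (constructed).
ALLOWED_BACKENDS = {
    ("exch01.example.test", 6001),
    ("exch01.example.test", 6002),
    ("exch01.example.test", 6004),
}

# Constructed sample in W3C extended log format; not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2004-03-01 09:00:01 RPC_IN_DATA /rpc/rpcproxy.dll exch01.example.test:6001 443 198.51.100.7 200
2004-03-01 09:00:01 RPC_OUT_DATA /rpc/rpcproxy.dll exch01.example.test:6001 443 198.51.100.7 200
2004-03-01 09:02:10 RPC_IN_DATA /rpc/rpcproxy.dll dc01.example.test:135 443 203.0.113.9 200
2004-03-01 09:03:44 RPC_IN_DATA /rpc/rpcproxy.dll exch01.example.test:6004 80 198.51.100.7 200
2004-03-01 09:05:00 GET /exchange/ - 443 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def audit(text, allowed=ALLOWED_BACKENDS):
    """Return (finding, client_ip, target) tuples for suspect tunnel requests."""
    findings = []
    for e in parse_w3c(text):
        is_proxy = e.get("cs-uri-stem", "").lower() == PROXY_PATH
        if e.get("cs-method") not in RPC_VERBS or not is_proxy:
            continue                      # not an RPC-over-HTTP request
        target = e.get("cs-uri-query", "-")
        host, _, port = target.rpartition(":")
        if e.get("s-port") != "443":      # tunnel must arrive on the SSL port
            findings.append(("not-over-ssl", e["c-ip"], target))
        if not port.isdigit() or (host.lower(), int(port)) not in allowed:
            findings.append(("backend-not-allowed", e["c-ip"], target))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```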
About the author: Paul Robichaux is a partner at 3sharp LLC, author of several books on Exchange, Windows, and security, a Microsoft MVP for Exchange Server and a frequent speaker and presenter at IT industry conferences. He's written software for everyone from the U.S. National Security Agency to scientists flying their experiments aboard the Space Shuttle, fixed helicopters in the desert and spent way too much time playing video games.