As email has grown to be one of the primary methods of business communication, enabling users to access their email remotely has become a priority. With an updated version of OWA, users have a rich email client that is approaching the full set of features and functionality found in Outlook 2003. However, some features are available only in the full Outlook client.
The good news is that with Exchange 2003 and RPC over HTTP, you can allow remote users to use the full Outlook 2003 client to access their email without setting up a VPN or other facility.
Remote Procedure Call (RPC) is one of the protocols that Exchange supports for client connections. To use RPC over HTTP, you need to configure one of your Exchange front-end servers to act as an RPC proxy server.
You can then expose this server to the outside world and allow users to connect through it. Alternatively, you can use Microsoft ISA Server to route requests through your firewall or perimeter network.
MICROSOFT ISA SERVER
For more information on installing and configuring Microsoft ISA Server, check out http://www.microsoft.com/isa.
Outlook 2003 supports RPC over HTTP. However, to use this feature you need to upgrade your users' operating systems to Windows XP SP1 and apply Windows Update 331320.
To configure RPC over HTTP using your existing Exchange front-end servers, follow these steps:
- From the Control Panel, select Add/Remove Programs and then Add/Remove Windows Components. From Networking Services, install the RPC over HTTP protocol.
- In the IIS Manager, locate the RPC virtual directory and select its properties from the shortcut menu, shown in Figure 8.3.
Figure 8.3: Virtual directory properties.
- Open the Directory Security property page and edit the Authentication and Access Control settings to select Basic Authentication.
- Edit the registry and locate the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy key.
- Modify the ValidPorts key and add the following identifiers and ports, separated by a semicolon as shown here:
Replace the previous placeholders with the name and fully qualified domain name of the servers in your Exchange topology.
- On your Global Catalog Server, edit the registry and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
- Add a new key (multistring) and name it NSPI interface Protocol Sequences.
- Modify the key you have just created and add the value ncacn_http:6004.
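The ValidPorts setting edited in the steps above determines which internal hosts and ports the RPC proxy will forward to, so it is worth checking after any change. The following is an added example, not code from the book or from Microsoft: a Python check over an exported ValidPorts string that flags entries reaching hosts or ports beyond those you intend. The `host:port` and `host:low-high` entry syntax, the host names, and ports 6001-6002 are assumptions; only port 6004 appears on this page.

```python
import re

# Assumption: entries look like "host:port" or "host:low-high", joined by ';'.
ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})(?:-(\d{1,5}))?$")

def parse_valid_ports(value):
    """Parse a ValidPorts string into a list of (host, low, high) tuples."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing semicolon
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {raw!r}")
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range in entry: {raw!r}")
        entries.append((m.group(1).lower(), low, high))
    return entries

def audit_valid_ports(value, allowed_hosts, allowed_ports):
    """Return findings for entries that reach beyond the intended hosts/ports."""
    findings = []
    allowed_hosts = {h.lower() for h in allowed_hosts}
    for host, low, high in parse_valid_ports(value):
        if host not in allowed_hosts:
            findings.append(f"{host}: host not in expected Exchange topology")
        extra = [p for p in range(low, high + 1) if p not in allowed_ports]
        if extra:
            findings.append(f"{host}:{low}-{high}: {len(extra)} port(s) outside allow-list")
    return findings

# Constructed sample data; host names and ports 6001-6002 are assumptions.
HOSTS = {"exch01", "exch01.example.test"}
PORTS = {6001, 6002, 6004}  # 6004 is the NSPI port named on this page
TIGHT = "exch01:6001-6002;exch01.example.test:6001-6002;exch01:6004;exch01.example.test:6004"
BROAD = "exch01:100-5000;dc02:6004"  # wide range plus an unexpected host

if __name__ == "__main__":
    for label, value in (("tight", TIGHT), ("broad", BROAD)):
        print(label, audit_valid_ports(value, HOSTS, PORTS) or "OK")
```

Pass in the host names from your own Exchange topology and the ports you actually configured; any finding points at an entry that lets the proxy reach more than the steps above call for.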
To configure Outlook 2003 to communicate via RPC over HTTP, follow these steps:
- From the Control Panel, open the Mail control panel. Then create a new profile.
- Add a new email account, selecting Exchange as your server type. Enter the name of your Exchange back-end server (not your Exchange front-end server).
- Click the More Settings button and select the Connection property page shown in Figure 8.4. Then select the option Connect to My Exchange Mailbox Using HTTP.
- Select the Exchange Proxy Settings property page, shown in Figure 8.5. Under Connection Settings, enter the name of your Exchange front-end server in the text box marked Use This URL.
- Check the options for Connect Using SSL Only and Mutually Authenticate.
Figure 8.4: Outlook connection settings.
Figure 8.5: Proxy settings.
- In the text box marked Principal Name for Proxy Server, enter the fully qualified domain name of your Exchange front-end server, prefixed by msstd: (for example, msstd:exch.orion.com).
- Change the Proxy Authentication Settings to use basic authentication.
Your Outlook client is now ready to communicate with Exchange using RPC over HTTP.
WORKING WITH MICROSOFT ISA SERVER
There are two critical areas where Microsoft ISA Server can be implemented alongside Exchange to increase security. The first is RPC over HTTP, which was already examined. You can place an ISA Server within the demilitarized zone (DMZ) or outside your firewall to handle RPC requests and route these requests back to your Exchange front-end servers.
Second, for securing OWA implementations, you can configure ISA as a proxy to an Exchange front-end server, eliminating the need to expose a front-end server to the rest of the world. Using ISA Server, you can use a special publishing wizard for OWA to configure a proxy to your Exchange front-end servers. This eliminates the need to open multiple ports to the outside world and provides a more secure implementation method for OWA.
This chapter excerpt from Microsoft Exchange Server 2003 Delta Guide, by David McAmis and Don Jones, is printed with permission from Sams Publishing, Copyright 2004.