Connect Outlook 2003 to Exchange 2003 using RPC over HTTP

Published: October 2003 (last updated December 2003)

In this article I will describe how to use the new RPC over HTTP functionality, which makes it possible to connect an Outlook 2003 client to your Exchange 2003 server over the Internet without the use of a traditional VPN connection.


Overview of the Technology


Before I start concentrating on the configuration part, let's look a bit at the technology behind the RPC over HTTP functionality. As most Exchange admins are aware, the Outlook client normally communicates with the Exchange server by means of MAPI calls, which are sent via RPCs (Remote Procedure Calls). This is still true with RPC over HTTP, but what the RPC over HTTP functionality does is put an HTTP wrapper around the traffic. This makes it possible for Outlook clients to communicate with the Exchange 2003 server even though they aren't connected to the local network.

The nice thing about the RPC over HTTP functionality, besides users getting full Outlook access, is that you only have to open one port in the firewall, typically port 443 (SSL), just like with OWA (Outlook Web Access). You could of course make use of a VPN connection, but the Outlook client has never worked well through VPN connections.


Requirements


I will start by listing the requirements for getting RPC over HTTP working.

Client(s)
The client(s) should be running Windows XP with at least Service Pack 1, and you will also need to install the patch mentioned in MS KB 331320. Note that the patch will be included in Windows XP Service Pack 2, which should be out within the first half of 2004.

The client needs to have Outlook 2003 installed; previous Outlook versions won't work.

Server(s)
The Exchange server needs to be running Windows 2003 and Exchange 2003. All other servers that need to communicate with the client, meaning DCs (Domain Controllers), GCs (Global Catalog servers), etc., also need to be running Windows 2003. Running Exchange in a Front-End/Back-End topology is not a requirement, as many believe; you could actually get by running everything from a single server. But depending on your environment, Microsoft recommends that you make use of a Front-End/Back-End scenario, if possible placed behind an ISA 2000 server.

You will also need to have a Microsoft Certificate Authority (CA) installed, which is used to issue the certificates needed to have SSL/443 working properly. You could also go the easy way and get the certificate from a certificate provider like Verisign or Thawte.

Note: Installation of a Microsoft Certificate Authority (CA) is beyond the scope of this article, but you should be able to find a few articles describing the procedure by doing a search on Google.


Configuring the Server(s)


Let's move straight ahead and get the server(s) configured.

I will use a scenario consisting of an Exchange 2003 server and a Windows 2003 DC; the Exchange server will be acting as the RPC Proxy Server.

First we need to install the RPC Proxy Service on the Exchange server, so log on to it and do the following:

- Click Start | Settings | Control Panel
- Double-click Add/Remove Programs
- Click Add/Remove Windows Components
- Double-click Networking Services
- Put a checkmark in RPC over HTTP Proxy



- Click Next | Ok | Finish

Now we need to edit some values in the registry editor, so start it up and navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy

Here you need to change the value of the ValidPorts key; the values should be entered in the format below:

ExchangeServer:593; ExchangeServerFQDN:593; ExchangeServer:6001-6002; ExchangeServerFQDN:6001-6002; ExchangeServer:6004; ExchangeServerFQDN:6004; GlobalCatalogServer:593; GlobalCatalogServerFQDN:593; GlobalCatalogServer:6004; GlobalCatalogServerFQDN:6004

This means that if your Exchange server is named Exchange01, your Global Catalog server is called GlobalCatalog01, and both are members of the AD domain privatedomain.com, it should look like:

Exchange01:593; Exchange01.privatedomain.com:593; Exchange01:6001-6002; Exchange01.privatedomain.com:6001-6002; Exchange01:6004; Exchange01.privatedomain.com:6004; GlobalCatalog01:593; GlobalCatalog01.privatedomain.com:593; GlobalCatalog01:6004; GlobalCatalog01.privatedomain.com:6004

Note: If you have other servers (for example additional Exchange and Global Catalog servers) which the Outlook client needs to communicate with, you have to add these to the above string as well.

Now close the registry editor, then open the IIS Manager and do the following:
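ValidPorts is the list of server:port targets the RPC proxy is allowed to forward to, so it is worth generating it rather than typing it, and checking an existing value for entries that are missing or should not be there. The following is an added example, not part of the original article: the port sets and the Exchange01/GlobalCatalog01 names come from the text above, while the function names and the Legacy01 entry in the sample are constructed for illustration.

```python
EXCHANGE_PORTS = ("593", "6001-6002", "6004")   # ports the article lists per Exchange server
GC_PORTS = ("593", "6004")                      # ports the article lists per Global Catalog

def expected_entries(exchange_servers, gc_servers, domain):
    """Ordered (host, ports) pairs in the article's layout: short name, then FQDN."""
    pairs = []
    for servers, ports in ((exchange_servers, EXCHANGE_PORTS), (gc_servers, GC_PORTS)):
        for name in servers:
            for port in ports:
                pairs += [(name, port), (f"{name}.{domain}", port)]
    return list(dict.fromkeys(pairs))   # de-duplicate when one box is both Exchange and GC

def build_valid_ports(exchange_servers, gc_servers, domain):
    """Render the ValidPorts string for the given servers."""
    entries = expected_entries(exchange_servers, gc_servers, domain)
    return "; ".join(f"{host}:{ports}" for host, ports in entries)

def parse_valid_ports(value):
    """Parse 'host:port; host:low-high; ...' into a set of (lowercased host, ports)."""
    entries = set()
    for item in filter(None, (part.strip() for part in value.split(";"))):
        host, colon, ports = item.rpartition(":")
        low, dash, high = ports.partition("-")
        if not (colon and host and low.isdigit() and (high.isdigit() if dash else True)):
            raise ValueError(f"malformed ValidPorts entry: {item!r}")
        entries.add((host.strip().lower(), ports))
    return entries

def audit(value, exchange_servers, gc_servers, domain):
    """Return (missing, unexpected) entries relative to the article's format."""
    wanted = {(h.lower(), p) for h, p in expected_entries(exchange_servers, gc_servers, domain)}
    found = parse_valid_ports(value)
    return sorted(wanted - found), sorted(found - wanted)

# Constructed sample value: the GC FQDN entry for 6004 is missing and a stale,
# overly broad entry for a hypothetical host "Legacy01" was left behind.
SAMPLE = ("Exchange01:593; Exchange01.privatedomain.com:593; Exchange01:6001-6002; "
          "Exchange01.privatedomain.com:6001-6002; Exchange01:6004; "
          "Exchange01.privatedomain.com:6004; GlobalCatalog01:593; "
          "GlobalCatalog01.privatedomain.com:593; GlobalCatalog01:6004; Legacy01:1024-65535")

if __name__ == "__main__":
    print(build_valid_ports(["Exchange01"], ["GlobalCatalog01"], "privatedomain.com"))
    missing, unexpected = audit(SAMPLE, ["Exchange01"], ["GlobalCatalog01"], "privatedomain.com")
    print("missing:", missing)
    print("unexpected:", unexpected)
```

Paste the current registry value in place of SAMPLE to audit a live server; anything reported as unexpected is a backend the proxy will relay to that this configuration does not call for.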

- Expand Local Computer | Websites | Default Website
- Right click RPC and choose Properties
- Click Directory Security | Edit… (under Secure Communications)
- Checkmark both Require Secure Channel (SSL) and Require 128-bit encryption
- Click Ok and then Edit… under Authentication and access control
- If present remove checkmark from Enable Anonymous Access
- Put a checkmark in Basic authentication (password is sent in clear text)



- Click Yes in the warning popup box (as we already have enabled SSL)
- Click Ok twice and close the IIS Manager

Now we need to log on to the Global Catalog server (which would be the Domain Controller). Here we need to add a string to the registry as well, so navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

- Then click Edit in the menu > New then click Multi-String Value
- Name it NSPI interface protocol sequences
- Right-click the NSPI interface protocol sequences multi-string value, and then click Modify
- Type ncacn_http:6004 in the value box

Now restart the Global Catalog Server.

That was it for the server part; let's move on to the Outlook RPC over HTTP profile configuration.


Configuring the Client


To configure an RPC over HTTP profile on the client, do the following:

- Open the Control Panel | Double-click Mail
- Click Show Profiles



- Click Add…

Give the profile a name and click Ok

- Click Next and set bullet in Microsoft Exchange Server

Now type in your Fully Qualified Domain Name (FQDN); this should be the same as the one used on your SSL certificate.



Set a checkmark in Use Cached Exchange Mode and type in your username, but don't hit Check Name yet; instead click More Settings…

- Click the Connection tab
- Set a checkmark in Connect to my Exchange mailbox using HTTP
- Click Exchange Proxy Settings

Type in your FQDN (still the same as on your SSL certificate) in Use this url to connect to my proxy server for Exchange:

Put a checkmark in Mutually authenticate session when connecting with SSL, then in Principal name for proxy server: type:

MSSTD:FQDN (again FQDN should be the same as on the SSL certificate)

It's also recommended that you set a checkmark in both:

On fast networks, connect using HTTP first, then TCP/IP and

On slow networks, connect using HTTP first, then connect using TCP/IP

Last but not least, make sure you have chosen Basic Authentication under Proxy authentication settings



- Click Ok | Ok | Next | Finish

You're finished!

You should now be able to connect to your Exchange Server from anywhere over the Internet. Be aware that when you start up your Outlook client, you will be asked for user credentials.

To see if you're actually connected to your Exchange server using RPC over HTTP, hold down CTRL and right-click the Outlook icon in the systray; you will then have the option of choosing Connection Status. Here you can see if you're connected, and if so, what connection type is used.


Final words

Even though the RPC over HTTP functionality requires quite some configuration on both the client and the server end, it's hard to give it the thumbs down. Once you're up and running, you will find it a true pleasure not having to establish a VPN connection and/or be limited by Outlook Web Access (OWA). By the way, I have heard from MS sources that a script for automatically configuring the servers for RPC over HTTP functionality will be released as part of Windows 2003 Server Service Pack 1.


More information

What's New in Microsoft Exchange Server 2003 (MS Paper)

Planning an Exchange Server 2003 Messaging System (MS Paper)

Support WebCast: Using Microsoft Exchange over the Internet (RPC/HTTP) with Microsoft Office Outlook 2003


Should you have any questions or comments, send them to: henrik@outlookexchange.com


Copyright Stephen Bryant 2008