Saturday, August 2, 2008

Setting up RPC over HTTP (S) - Quick & Simple

I have seen several good articles out there on how to set up RPC over HTTP(S). Some of them are pretty verbose and are written for guys who work with MS Exchange on a daily basis. RPC over HTTP(S) is very powerful and has a multitude of setup possibilities depending on the complexity of your MS Exchange Organization. I think many of you out there have a pretty strait forward setup with  just a single MS Exchange Server. You just want a concise step by step on what to do to get RPC over HTTP(S) working quickly. Here is the quick and simple process.

Let's preface the scenario before I give you these steps. Here are the prerequisites:

  • You have a single 2003 MS Exchange Server (no front end server).
  • Your 2003 MS Exchange Server is not serving as a Domain Controller.
  • You have one or more separate Domain Controllers acting with the AD FSMO Role of Global Catalog.

Here is the step by step...

  1. Purchase a Publicly Trusted Certificate for your MS Exchange Server. I can't stress this enough. If you try to use self-signed certificates to secure your 2003 MS Exchange web services it will just produce headaches and extra work for your end users. Technically savvy users will be ok but every day users will not. I recommend DigiCert for your certificate purchases. Their prices are a bargain and I have never had any trouble with their certificates being trusted. If you just need one or two than I recommend the DigiCertSSL. It is only $144.00 per year per certificate. They also offer all kinds of other options including wild-card certificates and specially priced bundles. Take a look at the DigiCert Web Site for more details.

On your 2003 MS Exchange Server:

  1. Install and test that your certificate is installed and comes up as trusted. The easiest way to do this is bring up OWA or some other 2003  MS Exchange web service from outside your network. Make sure the browser has the padlock indicating it is secure and that the certificate listed is the certificate from your selected provider.
  2. There is a component that must be installed called RPC over HTTP Proxy. It is installed from the Add/Remove Programs Panel. After opening the panel, select Add/Remove Windows Components. image                   Open Networking Services and select RPC over HTTP Proxy.image                   Click OK, Next, & Finish.
  3. Configure the MS Exchange RPC Web Services for Basic Authentication and SSL. Open the Internet Information Services Manager and expand the Default Web Site. Right-Click the RPC Virtual Directory.image               Select the Directory Security Tab and uncheck Enable anonymous access. Next, check only Basic Authentication under the Authenticated Access section.image              Click OK . From the Directory Security tab click edit under the Secure Communications section. Check Require secure channel (SSL) and Require 128-bit encryption. Click OK, OK and then close IIS.image 
  4. Configure RPC to use required ports for RPC over HTTP(S). This step requires editing the registry on your 2003 MS Exchange Server. I highly recommend that you make a back-up of the registry before making any changes. Open up the registry editor (regedit from the run command box) and browse down to the registry key: HKLM\SOFTWARE\MICROSOFT\RPC\RPCPROXYimage                The registry key we are going to modify is ValidPorts. The key should already be present. We need to modify the key to set up RPC over HTTP(S) to use the port range 6001-6002 and port 6004 for NETBIOS and DNS FQDN connections to your MS Exchange server. Right Click the ValidPorts key and choose modify. In the field data add your server's NETBIOS and DNS FQDN entries for the prescribed ports as I have them set in the sample. Just replace the sample NETBIOS and DNS FQDN names with the names from your MS Exchange server.   server:6001-6002;server.domain.local:6001-6002;server:6004;server.domain.local:6004                                           Once your modifications are complete close the registry editor.
  5. Set the MS Exchange Server as an RPC-HTTP Back End Server. The final setting to make to the MS Exchange server is to configure it as the RPC-HTTP Back End Server for your Exchange Organization. Open the MS Exchange System Manager. Drill down through Administrative Groups, Your Exchange Organization Name, Servers, Your MS Exchange Server Name. Right click on your MS Exchanger server and select properties. Click on the tab labeled RPC-HTTP.          image          Select RPC-HTTP back-end server. Click OK and close the MS Exchange System Manager.

On all Domain Controllers acting as Global Catalogs

  1. Specify a static port for the Name Service Provider Interface (NSPI) for all Global Catalogs in the Domain. Depending on the size of your network you may have just one Domain Controller with the FSMO Role Global Catalog (GC). However if you have more than a single Domain Controller there may be more than a single GC. The following registry entries will have to be made on any Domain Controller with GC FSMO Role enabled. On your     GC('s) open the registry editor (regedit from the run command box). Browse down to the registry key: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ NTDS\PARAMETERSimage The registry key needed will not yet be present so it will have to be created. With the Parameters folder selected, choose  New from the Edit menu. Select Multi-String Value and name it NSPI interface protocol sequences. Right click the newly created key and select Modify. In the box labeled Value Data enter ncacn_http:6004 and click OK.image               Close the registry editor and restart the Domain Controller.

With all of the above steps complete you now have a working RPC over HTTP(S) server and can use Outlook 2003 or Outlook 2007 from anywhere on the Internet just as if you were in the office. No VPN's required.

Microsoft has published extensive information on RPC over HTTP(S) for not only the scenario mentioned in this post but for any other type you organization may have deployed. Check it out if you would like more information.

Check out my blog posts on Using Outlook 2003 and 2007 with RPC over HTTP(S) for additional information on setting up the client side. Please leave comments if this article was helpful!

 

1 comment:

Alex said...

I think this problem calls for especial decision just like the next with the help of a program. For example I would advise the next tool, which I found out at a soft forum some days ago. I'm sure it is able to manage many complicated problems related to ms exchange - how to recover mails from exchange db.