The release of Exchange 2003 bought us some very good features such as Intelligent Message Filtering (IMF) and my favourite RPC over HTTP. This allows a user to access email using their outlook client without the use of VPN's or dial up networking. For me this feature has been a god send as I spend alot of time on customer sites and always need access to important documents stored in my email. With RPC over HTTP I can just plug my laptop onto the network, open my Outlook client and pull my emails down as if I was in the office.
The initial set up of RPC over HTTP is not simple and requires you follow a strict process. I have a great many customers call me saing that they cannot get it working so I decided to write an article dedicated to this feature.
RPC over HTTP System Requirements
To use RPC over HTTP, you must run Windows Server 2003 on the following computers:
• All Exchange 2003 servers that will be accessed with Outlook 2003 clients using RPC over HTTP.
• The Exchange 2003 front-end server acting as the RPC Proxy server.
• The global catalog server used by Outlook 2003 clients and the Exchange 2003 servers configured to use RPC over HTTP.
Exchange 2003 must be installed on all Exchange servers that are used by the computer designated as the RPC proxy server. Additionally, all client computers running Outlook 2003 must also be running Microsoft Windows XP Service Pack 1 (SP1) or later.
------------------------------------------------------------
Deploying RPC over HTTP
This section provides detailed steps about how to deploy RPC over HTTP in your Exchange 2003 organization. Complete the steps in the following order.
1. Configure your Exchange front-end server as an RPC Proxy server.
2. Configure the RPC virtual directory in Internet Information Services (IIS) on the Exchange front-end server.
3. Configure the registry on the Exchange 2003 computer that communicates with the RPC proxy server to use the specific ports for RPC over HTTP communication.
4. Open the specific ports on the internal firewall for RPC over HTTP, as well as the standard ports for Exchange front-end communication.
5. Create a profile for each of your users to use with RPC over HTTP. Each of these steps is detailed in the following sections. After you have completed these steps, your users can begin using RPC over HTTP to access the Exchange front-end server.
------------------------------------------------------------
Step 1: Configuring Your Exchange Front-End Server to Use RPC over HTTP The RPC Proxy server processes the Outlook 2003 RPC requests that come in over the Internet. In order for the RPC Proxy server to successfully process the RPC over HTTP requests, you must install the Windows Server 2003 RPC over HTTP Proxy networking component on your Exchange front-end server.
To configure your Exchange front-end server to use RPC over HTTP
1. On the Exchange front-end server running Windows Server 2003, click Start, click Control Panel, and then click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components in the left pane.
3. In the Windows Components Wizard, on the Windows Components page, highlight Networking Services, and then click Details.
4. In Networking Services, select the RPC over HTTP Proxy check box, and then click OK.
5. On the Windows Components page, click Next to install the RPC over HTTP Proxy Windows component.
------------------------------------------------------------
Step 2: Configuring the RPC Virtual Directory in Internet Information Services
Now that you have configured your Exchange front-end server to use RPC over HTTP, you must configure the RPC virtual directory in IIS.
To configure the RPC virtual directory
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the console tree, expand the server you want, expand Web Sites, expand Default Web Site, right-click the RPC virtual directory, and then click Properties.
3. In RPC Properties, on the Directory Security tab, in the Authentication and access control pane, click Edit.
Note: RPC over HTTP does not allow anonymous access.
4. Under Authenticated access, select the check box next to Basic authentication (password is sent in clear text), and then click OK.
5. To save your settings, click Apply, and then click OK.
Your RPC virtual directory is now set to use Basic authentication. If you plan to use SSL, skip the following procedure For non-SSL configurations, however, the RPC proxy server must be configured to allow non-SSL sessions to be forwarded. The non-SSL sessions are able to be forwarded by adding a specific registry value to the server.
Warning: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
To allow non-SSL encrypted traffic with RPC over HTTP
1. On the RPC Proxy server, start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftRpcRpcProxy
3. In the details pane, right-click and add a new DWORD Value named AllowAnonymous, and then right-click it and choose Modify.
4. In Edit DWORD Value, in the Value data box, enter 1.
The RPC proxy server is now configured to allow requests to be forwarded without the requirement to first establish an SSL-encrypted session. The setting to enforce authenticated requests is still controlled in the Authentication and access control settings.
------------------------------------------------------------
Step 3: Configuring the RPC Proxy Server to Use Specified Ports After you enable the RPC over HTTP networking component for IIS, you should configure the RPC proxy server to use specific port numbers to communicate with the servers in the corporate network. In this scenario, the RPC proxy server is configured to use specific ports and the individual computers that the RPC proxy server communicates with are also configured to use specific ports when receiving requests from the RPC proxy server. When you run Exchange 2003 Setup, Exchange is automatically configured to use the ncacn_http ports listed in Table 2.1.
Step 3 involves the following two procedures.
1. Configure the RPC Proxy server to use specified ports for RPC over HTTP requests to communicate with servers inside the corporate network.
2. Configure the global catalog servers to use specified ports for RPC over HTTP requests to communicate with the RPC Proxy server inside the perimeter network.
Warning: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
To configure the RPC Proxy server to use the specified default ports for RPC over HTTP
The following ports are the required ports for RPC over HTTP.
Table 2.1 Required ports for RPC over HTTP
Server Ports (Services)
Exchange back-end servers 593 (end point mapper)
6001 (Store)
6002 (DS referral)
6004 (DS proxy)
Global catalog server 593 and 6004
1. On the RPC Proxy server, start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftRpcRpcProxy
3. In the details pane, right-click the ValidPorts subkey, and then click Modify.
Figure 2.4 The RPCProxy registry settings
4. In Edit String, in the Value data box, type the following information: ExchangeBEServer:593;ExchangeBEServerFQDN:593;ExchangeBEServer:6001-6002;ExchangeBEServerFQDN:6001-6002;ExchangeBEServer:6004;ExchangeBEServerFQDN:6004; GlobalCatalogServer:593;GlobalCatalogServerFQDN:593;GlobalCatalogServer:6004;GlobalCatalogServerFQDN:6004
• ExchangeBEServer and GlobalCatalogServer are the NetBIOS names of your Exchange back-end server and global catalog server.
• ExchangeBEFQDN and GlobalCatalogServerFQDN are the fully qualified domain names (FQDNs) of your Exchange back-end server and global catalog server.
In the registry key, continue to list all servers in the corporate network with which the RPC Proxy server will need to communicate.
Important: To communicate with the RPC Proxy server, all servers accessed by the Outlook client must have set ports. If a server, such as an Exchange public folder server, has not been configured to use the specified ports for RPC over HTTP communication, the client will not be able to access the server.
To configure the global catalog servers to use specific ports for RPC over HTTP
1. On the global catalog server, start Registry Editor (regedit).
2. Navigate to the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ServicesNTDSParameters
3. From the Edit menu, point to New, and then click Multi-String value.
4. In the details pane, create a multi-string value with the name NSPI interface protocol sequences.
5. Right-click the NSPI interface protocol sequences multi-string value, and then click Modify.
6. In Edit String, in the Value data box, type ncacn_http:6004
7. Restart the global catalog server.
------------------------------------------------------------
Step 4: Create an Outlook Profile to Use With RPC over HTTP
In order for your users to use RPC over HTTP from their client computer, they must create an Outlook profile that uses the necessary RPC over HTTP settings. These settings enable Secure Sockets Layer (SSL) communication with Basic authentication, which is necessary when using RPC over HTTP. Although optional, it is highly recommended that you use the "Use Cached Exchange Mode" option for all profiles that will connect to Exchange using RPC over HTTP.
To create an Outlook profile to use with RPC over HTTP
1. Click Start and then click Control Panel.
2. In Control Panel, perform one of the following tasks:
• If you are using Category View, in the left pane, under See Also, click Other Control Panel Options, and then click Mail.
• If you are using Classic View, double-click Mail.
3. In Mail Setup, under Profiles, click Show Profiles.
4. In Mail, click Add.
5. In New Profile, in the Profile Name box, type a name for this profile, and then click OK.
6. In the E-mail Accounts wizard, click Add a new e-mail account, and then click Next.
7. On the Server Type page, click Microsoft Exchange Server, and then click Next.
8. On the Exchange Server Settings page, perform the following steps:
a. In the Microsoft Exchange Server box, type the name of your back-end Exchange server where your mailbox resides.
b. Check the check box next to Use Cached Exchange Mode.
c. In the User Name box, type the user name.
d. Click More Settings.
9. On the Connection tab, in the Exchange over the Internet pane, select the Connect to my Exchange mailbox using HTTP check box.
10. Click Exchange Proxy Settings.
11. On the Exchange Proxy Settings page, under Connections Settings, perform the following steps:
a. Enter the fully qualified domain name (FQDN) of the RPC Proxy server in the Use this URL to connect to my proxy server for Exchange box.
b. Select the Connect using SSL only check box.
c. Select the Mutually authenticate the session when connecting with SSL check box next.
d. Enter the FQDN of the RPC Proxy server in the Principle name for proxy server box. Use the format: msstd:FQDN of RPC Proxy Server.
e. As an optional step, you can configure Outlook 2003 to connect to your Exchange server using RPC over HTTP by default by checking the check box next to On fast networks, connect to Exchange using HTTP first, then connect using TCP/IP.
12. On the Exchange Proxy Settings page, in the Proxy authentication settings window, in the Use this authentication when connecting to my proxy server for Exchange list, select Basic Authentication.
13. Click OK
14. Enable RPC over HTTP by configuring your user's profiles to allow for RPC over HTTP communication with Outlook 2003. Alternatively, you can instruct your users on how to manually enable RPC over HTTP for their Outlook 2003 profiles.
Note: If you have configured the client to communicate using SSL, you must add the complete SSL certificate chain to the Trusted Root Certificate Authorities on the client machine.
Your users are now configured to use RPC over HTTP.
Scott Croucher is an IT Consultant who runs S3 Solutions IT Ltd a UK based solution provider. Scott has over 12 years consultancy experience. Visit http://www.s3-solutions.co.uk for more information.
ไม่มีความคิดเห็น:
แสดงความคิดเห็น