Re: Outlook 2003 - RPC over HTTP
From: Adarsh Atikukke (AdarshAtikukke_at_discussions.microsoft.com)
Date: 07/12/04
- In reply to: Adarsh Atikukke: "Re: Outlook 2003 - RPC over HTTP"
Date: Mon, 12 Jul 2004 08:34:06 -0700
Neo,
Have you had enough of me already or is that you just seem to have missed this post?
Please advise.
Thank you.
Sincerely,
Adarsh
"Adarsh Atikukke" wrote:
> Hello,
> WOW! Thanks for the time! That was an update in some detail. And of course, the paper for SP1 had just the right information. And as a result, I am all done with the server and am ready to test.
>
> Now for the client side :) :-P
>
> Referring back to the document "Creating an Outlook Profile to Use with RPC over HTTP", on page 157, step 11 talks about providing the FQDN of the RPC proxy server in the "Use this URL to my proxy server for Exchange" box. Now, if my server is called exch01.contoso.com, is the URL going to be "https://exch01.contoso.com" - If yes, doesn't exch01.contoso.com need to be recognized out on the Internet, which would mean I would need appropriate NAT and DNS resolutions. As I mentioned earlier, my exchange server is also my web server serving our website, and therefore, there is a DNS entry that maps exch01.contoso.com to www.mycompany.com. Therefore, I am a little confused as to which URL I need to be using - https://exch01.contoso.com or https://www.mycompany.com.
>
> If I need to use https://exch01.contoso.com, then will Outlook recognize this URL out on the Internet? If yes, how?
>
> And regardless of which of the two URLs I need to use, when accessed (say through IE), both URLs point to my website. Having said that, I do understand that IE is resolving the URL over port 443/80. Will Outlook "automatically" "look beyond" just the website and get connected to services provided by Exchange over the specific ports?
>
> And one final question - step 11d of the above mentioned document talks about entering the FQDN of the RPC proxy server in the Principal Name for proxy server box in the format "msstd:FQDN of RPC Proxy Server" - Could you please clarify as to what the msstd stands for - is it Microsoft Standard ;) ? Could you please provide me with an example of what the format should look like for exch01.contoso.com?
>
> Thanks a ton!
>
> Sincerely and Gratefully,
> Adarsh.
>
> "neo [mvp outlook]" wrote:
>
> > Open Exchange System Manager and go to the server object. Right click on
> > server object and select properties. There is a new tab labeled RPC-HTTP.
> > Select the bottom radio button to make it a back end server. You will get
> > a message that no front end are defined. Say okay to it and the next one
> > comes asking to allow Exchange to configure the ports.
> >
> > Now for the registry keys (this should be straight verification at this point,
> > I couldn't tell on mine since I had mine set up before SP1 came along), but
> > the below will help if you have to add keys manually.
> >
> > Network host assumptions...
> >
> > * Exchange member server is named "EXCH01"
> > * Domain/Global Catalog server is named "DOM01"
> > * Domain is contoso.com
> >
> > - Open regedit on EXCH01
> > - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy
> > - Create DWORD value named Enabled and set it to 1
> > - Create STRING value named ValidPorts. Set the value to:
> >
> > exch01:593;exch01.contoso.com:593;exch01:6001-6002;exch01.contoso.com:6001-6002;exch01:6004;exch01.contoso.com:6004
> >
> > Verify that the following keys have been created in the registry on Exchange
> > server
> >
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
> > Value name: Rpc/HTTP Port
> > Value type: REG_DWORD
> > Value data: 0x1771 (Decimal 6001)
> >
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
> > Value name: HTTP Port
> > Value type: REG_DWORD
> > Value data: 0x1772 (Decimal 6002)
> >
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
> > Value name: Rpc/HTTP NSPI Port
> > Value type: REG_DWORD
> > Value data: 0x1774 (Decimal 6004)
> >
> >
> >
> > Restart the server and start testing. :)
> >
> >
> >
> > Oh and before I forget, here is the updated RPC/HTTP deployment whitepaper
> > by Microsoft.
> >
> > http://www.microsoft.com/downloads/details.aspx?familyid=ef58395d-3710-49cf-9698-938e2bef39e8&displaylang=en
> >
> > I think it is pretty clear that you don't have to add the NTDS registry keys
> > to the DC/GC unless it is a DC/GC/E2K3 box. (RPC/HTTP connections are no
> > longer referred to GCs).
> >
> > /neo
> >
> > "Adarsh Atikukke" <AdarshAtikukke@discussions.microsoft.com> wrote in
> > message news:C482D133-D08B-4CCF-B179-0AE7D6F37CB0@microsoft.com...
> >
> > > We do have SP1 for Exchange 2003 installed.
> > >
> > > Given the familiarity of the architecture, could you please advise whether I need the step regarding "To configure the RPC Proxy server to use the specified default ports for RPC over HTTP Proxy inside the corporate network" mentioned on page 156 of the document.
> > >
> > > Also, if you could throw some light on any changes that SP1 brings about that is not discussed in the white paper, it will be extremely helpful.
> > >
> > > Thanks for all the help. Needless to say, it's highly appreciated.
> > >
> > > Thank you.
> > >
> > > Sincerely,
> > > Adarsh
> > >
> > >
> > > "neo [mvp outlook]" wrote:
> > >
> > > > One question before I answer, have you applied SP1 for Exchange 2003? (Not
> > > > sure if the whitepaper has been updated to reflect the changes that SP1 for
> > > > Exchange 2003 brings to RPC over HTTPs, but I will look.)
> > > >
> > > > /neo
> > > >
> > > > ps - front/backend solution is not required for rpc/http. I have a setup
> > > > that is similar to what you are describing. :)
> > > >
> > > > "Adarsh Atikukke" <AdarshAtikukke@discussions.microsoft.com> wrote in
> > > > message news:AA52579C-A6AA-442D-93A2-4D387171ADA5@microsoft.com...
> > > > > Thanks a lot for the reply. It's greatly appreciated.
> > > > >
> > > > > I feel I have sorted out all my SSL issues and moving beyond, I am referring to the Exchange 2003 Server Deployment Guide for instructions on configuring RPC over HTTP. I am slightly confused with step regarding "To configure the RPC Proxy server to use the specified default ports for RPC over HTTP Proxy inside the corporate network" mentioned on page 156 of the document.
> > > > >
> > > > > We have 2 servers - one of them is the exchange server, web server, file server and all other whatever servers and the other one is just the Global Catalog server. Therefore, there is no front-end/back-end scenario here. In such a case, is the above mentioned step necessary? Or since I am using just one Exchange server throughout, can I skip this step? Also, the instructions actually talk about editing the registry to include information for the GC server as well. Is this necessary in the given scenario?
> > > > >
> > > > > Please advise.
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Sincerely,
> > > > > Adarsh Atikukke
> > > > >
> > > > > "neo [mvp outlook]" wrote:
> > > > >
> > > > > > This should be helpful in getting you started
> > > > > > http://www.petri.co.il/configure_ssl_on_owa.htm
> > > > > >
> > > > > > some notes are below...
> > > > > >
> > > > > > "Adarsh Atikukke" <Adarsh Atikukke@discussions.microsoft.com> wrote in
> > > > > > message news:07D987D1-2A6D-4634-B274-9BEA973D7FA3@microsoft.com...
> > > > > > > Hello everyone,
> > > > > > > This post may be a little out of place as the problem I am having is not related to Outlook, but I haven't gotten around to having problems with Outlook yet on this project!
> > > > > > >
> > > > > > > I need to configure Outlook 2003 (running on XP, with SP1 and the patch) to connect to my exchange server (2003) without needing to VPN in. I know the method is to use RPC over HTTP, and I am in the process of configuring the same, but I am confused regarding a few issues and would greatly appreciate any assistance in this regard.
> > > > > > >
> > > > > > > I do wish to use SSL as I am aware that otherwise passwords are sent in plain text across the network which is highly undesirable. For this purpose, I need a SSL certificate and we plan to use our own CA to issue the certificates and therefore, I have installed certificate services on the Exchange server making it the enterprise certificate authority. (Security concerns regarding having the CA on the exchange server is not an issue.)
> > > > > > >
> > > > > > > I am not sure what is the next immediate step after this - Do I need to create a (SSL) certificate first or is there a certificate already created for me as part of the Certificate Services installation?
> > > > > >
> > > > > > Once you get the Enterprise Root CA installed, then you would start requesting SSL certs. Link above will help you start securing OWA. Assuming that your single server is going to be OWA and a RPC/HTTP endpoint, you can use the same SSL certificate.
> > > > > >
> > > > > > One word of advice since you are going to be using an Internal CA. You must install a copy of the Root CA certificate on your machines. This is done manually for you if using an Enterprise Root CA that is part of your Active Directory domain. (The root certificate is published to all domain members.) If you went with a stand-alone CA, then you have to install a copy of the signing root CA certificate on every machine.
> > > > > >
> > > > > > The reason a copy of the root CA must be installed on the client's machine is that if the RPC/HTTP server's SSL certificate can't be verified back up to the root (e.g. if it has to be acknowledged for any reason), Outlook 2003 will not be able to connect over HTTP and not give any error messages as to why (it just fails the connection quietly).
> > > > > >
> > > > > > > What I understand is that the exchange virtual roots needed to be configured to use SSL and the default website hosting these roots needs to be configured to use SSL as well. Am I correct here?
> > > > > >
> > > > > > Yep, it is always best to get the data to go over SSL.
> > > > > >
> > > > > > > Assuming that a certificate is already created and that I am right in my previous understanding, I have a couple more questions - 1) Our exchange server is our web-server as well and it is hosting our website. If I were to enable SSL for the "default website" in IIS Manager, will my website then also be configured to use SSL (only)? 2) If I were to enable SSL for the "default website" will my OWA also be configured to use SSL?
> > > > > >
> > > > > > You can toggle SSL on/off for each folder. For example, you can require SSL for the "/exchange", "/public", and "/rpc" (and any other) folders you can think of and still allow for anonymous access to the root (http://server.fqdn.com) and other areas.
> > > > > >
> > > > > > > If yes, is there a way to work around this, i.e., to not have OWA and the website not be configured for SSL?
> > > > > >
> > > > > > OWA doesn't require SSL, it is just considered a best practice because you don't want data (e.g. user ids, passwords) flowing across the net in the clear.
> > > > > >
> > > > > > RPC/HTTP default configuration on the other hand states that it should be over SSL.
> > > > > >
> > > > > > FWIW, I run a single member server that offers a public web site that is accessible via a standard http call and allows OWA & RPC/HTTP calls over SSL. So a single server can do it all.
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >
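
Added example, not part of the thread or of any Microsoft tooling: the ValidPorts string quoted above lists the internal host:port pairs the RPC proxy will relay to, so it is worth checking that it names only the intended hosts and ports. The sketch below parses the thread's value and audits it; the function names and `LOOSE_VALUE` are constructed for illustration, and the expected ports (593, 6001, 6002, 6004) are the ones given in the thread.

```python
# Added example: audit an RpcProxy ValidPorts string against an allow-list.
# Ports 593, 6001, 6002, 6004 and the EXCH01 host names come from the thread;
# the function names and LOOSE_VALUE are constructed for illustration.
EXPECTED_PORTS = {593, 6001, 6002, 6004}
ALLOWED_HOSTS = ["exch01", "exch01.contoso.com"]
THREAD_VALUE = ("exch01:593;exch01.contoso.com:593;exch01:6001-6002;"
                "exch01.contoso.com:6001-6002;exch01:6004;exch01.contoso.com:6004")
LOOSE_VALUE = "exch01:6001-6005;dom01:6004"  # constructed: extra ports, extra host


def parse_valid_ports(value):
    """Split 'host:port[-port];...' into (host, first_port, last_port) tuples."""
    entries = []
    for item in (part.strip() for part in value.split(";")):
        if not item:
            continue
        host, sep, ports = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {item!r}")
        first, _, last = ports.partition("-")
        lo, hi = int(first), int(last or first)  # int() rejects non-numeric ports
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {item!r}")
        entries.append((host.lower(), lo, hi))
    return entries


def audit_valid_ports(value, allowed_hosts=ALLOWED_HOSTS, expected_ports=EXPECTED_PORTS):
    """Return (findings, missing): entries beyond the allow-list, and
    expected (host, port) pairs that the value does not cover."""
    allowed = {h.lower() for h in allowed_hosts}
    findings, covered = [], set()
    for host, lo, hi in parse_valid_ports(value):
        if host not in allowed:
            findings.append(f"unexpected host {host}:{lo}-{hi}")
            continue
        ports = set(range(lo, hi + 1))
        extra = sorted(ports - expected_ports)
        if extra:
            findings.append(f"{host}:{lo}-{hi} adds {len(extra)} unexpected port(s), e.g. {extra[:5]}")
        covered.update((host, p) for p in ports & expected_ports)
    missing = sorted({(h, p) for h in allowed for p in expected_ports} - covered)
    return findings, missing


if __name__ == "__main__":
    for name, value in (("thread", THREAD_VALUE), ("loose", LOOSE_VALUE)):
        print(name, audit_valid_ports(value))
```

The thread's value produces no findings and no missing pairs; on a live server the string would be read from the `ValidPorts` value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy` before being passed in.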