Archive for 'Exchange Issues'

After setting up a small Exchange lab and successfully configuring Outlook Web Access (OWA) using a free SSL certificate, I thought it would be interesting to try enabling RPC over HTTPS.

In order to make use of all Exchange’s collaborative tools, Outlook must communicate with the Exchange server via the remote procedure call protocol (RPC). It’s not a good idea to open these ports to the Internet due to RPC’s rich history of exploitable vulnerabilities. RPC over HTTPS allows RPC traffic to be tunnelled inside secured HTTP packets. This enables roaming users to enjoy full Outlook/Exchange functionality without having to open any additional firewall ports or dial a VPN connection.

My test lab setup contains one Domain Controller and one Exchange 2003 server (SP2). The Domain Controller provides Domain, DNS, and DHCP services while the Exchange server hosts OWA, which has been configured to run over HTTPS. Although RPC can be tunnelled inside unencrypted HTTP packets, I think this is an unnecessary risk, so I won’t even tell you how to do it! If you really want to, then Google may be of some help. I’m using a standard DSL router setup to forward ports 25 and 443 to the Exchange server.

Modify the Domain Controller

Let’s get down to business. We will start on the Domain Controller. It’s important to note that the Domain Controller must be a Global Catalogue. We only need to make one update to the registry and can then move on to Exchange.

Add the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Type: REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004

There should be no need to reboot, but if things don’t seem to be working correctly later on, then give it a go.

Install RPC over HTTP proxy

Installing the RPC over HTTP proxy service is pretty simple.

  1. On the Exchange server, open Control Panel. Launch add/remove programs and click on the Add/Remove Windows Components button.
  2. Scroll down the available Windows components and highlight Networking Services.
  3. Click on Details to open up a list of subcomponents and select RPC over HTTP Proxy.
  4. Click on OK and then Next to install the service.

Configure ports for the RPC proxy

Now that we have the RPC proxy installed, we will need to configure the ports that it uses. To do this, we update the ValidPorts value under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

The ValidPorts value will likely already contain an entry for ports 100-5000; we need to add a few more. Below is a copy of my value; you will need to change the hostnames and domains to match your own environment. To make this easier to read, I have split the data string into multiple lines. It should be entered as a single line with no spaces after the semicolons.

Exchange1:100-5000;
Exchange1:6001-6002;
Exchange1.internaldomain.local:6001-6002;
PDC:6001-6002;
PDC.internaldomain.local:6001-6002;
mail.externaldomain.com:6001-6002;
Exchange1:6004;
Exchange1.internaldomain.local:6004;
PDC:6004;
PDC.internaldomain.local:6004;
mail.externaldomain.com:6004;
Exchange1:593;
Exchange1.internaldomain.local:593;
PDC:593;
PDC.internaldomain.local:593;
mail.externaldomain.com:593;

If the Domain Controller and Exchange server are on the same box, then the entries for the Domain Controller (in my case, this is PDC) and also the port 593 entries should be excluded.
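As an added example (not from the original post), the following Python script builds the ValidPorts string from the hostnames above, applies the same-box rule, and flags hand-typed entries that have no port or an out-of-range port before you paste the value into the registry. The names Exchange1, PDC, internaldomain.local and mail.externaldomain.com are the placeholders used in this post.

```python
import re

# Port groups the post adds to ValidPorts, in the order it lists them.
RPC_PORTS = ("6001-6002", "6004", "593")
# One entry is host:port or host:low-high; no spaces after the semicolons.
ENTRY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*:(\d{1,5})(?:-(\d{1,5}))?$")
# Placeholder names from the post; swap in your own.
LAB = dict(exchange="Exchange1", dc="PDC", domain="internaldomain.local",
           external="mail.externaldomain.com")


def build_valid_ports(exchange, dc, domain, external, same_box=False):
    """Return the single-line ValidPorts string for the RPC proxy.

    exchange and dc are NetBIOS names, domain the internal AD DNS suffix and
    external the public name Outlook is pointed at.  With same_box=True (DC
    and Exchange on one server) the DC entries and port 593 are left out.
    """
    hosts = [exchange, f"{exchange}.{domain}"]
    if not same_box:
        hosts += [dc, f"{dc}.{domain}"]
    hosts.append(external)
    entries = [f"{exchange}:100-5000"]  # entry that is usually already present
    for ports in RPC_PORTS:
        if same_box and ports == "593":
            continue
        entries += [f"{host}:{ports}" for host in hosts]
    return ";".join(entries)


def check_valid_ports(value):
    """Return malformed entries (no port, port outside 1-65535, low > high)."""
    bad = []
    for entry in value.split(";"):
        if not entry:
            continue
        match = ENTRY_RE.match(entry)
        if not match:
            bad.append(entry)
            continue
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 0 < low <= high <= 65535:
            bad.append(entry)
    return bad


def to_reg(value):
    """Render the value as a .reg fragment for the RpcProxy key named above."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy]\r\n"
            f'"ValidPorts"="{value}"\r\n')
```

Running check_valid_ports over a value you typed by hand is the quickest way to catch a hostname that lost its port, which the RPC proxy will silently ignore.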

Configure Exchange server as an RPC-HTTP back-end server

Telling the Exchange server to act as a target for the RPC proxy is very simple.

  1. Open up Exchange System Manager, browse to your target server, right-click, and select Properties.
  2. Just above the General tab you will find the RPC-HTTP tab. Select this tab and ensure that the option ‘RPC-HTTP back-end server’ is checked.
  3. Click on OK to exit.


Modify IIS virtual directories

Installing the RPC proxy will create two new virtual directories under your Default Web Site. We need to modify these slightly in order to allow proper authentication and encryption of RPC over HTTP connections.

  1. Open up the IIS Manager.
  2. Navigate to Web Sites | Default Web Site.
  3. Right click on the RPC directory and select Properties from the drop-down menu.
  4. Select the Directory Security tab.
  5. Click on the Edit button within ‘Authentication and access control’.
  6. Make sure that the option ‘Enable anonymous access’ is deselected.
  7. Check ‘Integrated Windows authentication’ and ‘Basic authentication’ and click on OK. You may be prompted with a warning dialogue; click on Yes and ignore this as it does not apply while using SSL.
  8. Click on the Edit button within ‘Secure communications’.
  9. Check ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’ and click on OK.
  10. Click on OK to apply the changes.

Repeat these steps for the RPCWithCert directory.

Configure Outlook 2003 for RPC over HTTPS

I won’t go over adding a new Exchange account to Outlook as it’s a pretty standard affair and there are a myriad of support sites covering this. I already have Outlook configured to connect to my Exchange server. I’m using cached mode as I want to emulate a configuration which would be used by a roaming laptop user. Cached mode keeps a local copy of e-mails and attachments so that the data can be accessed offline.

To configure RPC over HTTPS:

  1. Open the Account Settings dialogue, select your Exchange account, and click on More Settings.
  2. Go to the Connection tab and tick the checkbox next to ‘Connect to my Exchange mailbox using HTTP’.
  3. Now open up the ‘Exchange Proxy Settings’ and use the options below.

Use this URL to connect to my proxy server for Exchange:

https://mail.externaldomain.com

  • Check ‘Connect using SSL only’.
  • Check ‘Mutually authenticate the session when connecting with SSL’.
  • ‘Principal name for proxy server:’ msstd:mail.externaldomain.com
  • If you want to use RPC over HTTPS even while on the internal network, then check ‘On fast networks, connect using HTTP first, then connect using TCP/IP’ (I don’t use this).
  • Make sure ‘On slow networks, connect using HTTP first, then connect using TCP/IP’ is checked.
  • For the ‘Proxy authentication settings’ we can use either NTLM or Basic authentication. I prefer NTLM as it doesn’t constantly prompt for a username and password to be entered.

Apply the changes and you’re ready to start testing. Don’t forget to forward port 443 to the Exchange Server on your external firewall.

Testing RPC over HTTPS

There are two ways to test whether or not RPC over HTTPS is working. The first is to try connecting from outside of your internal network. The second is to filter all ports but 443 while on the internal network to make sure that Outlook can’t connect via the standard TCP/IP protocols. To apply such a filter, go to the advanced TCP/IP properties of your network connection, select filtering, and deny all but port 443.

One important thing to note is that if you’re connecting Outlook to the Exchange server for the first time, then you must be on the internal network using TCP/IP. I’m not sure why this is but found out using trial and error.

To check whether Outlook has connected via HTTPS you must hold down [Ctrl] and click on Outlook’s taskbar icon. Select ‘Connection status’ and you will see a list of all connections between Outlook and the Exchange server. These should all be of the type HTTPS.

I hope this has been a useful guide for those looking to try out RPC over HTTPS with Exchange 2003. I haven’t covered every angle in detail as there is plenty of information available on the Web; rather I have tried to cover the areas where I had difficulty in finding solid information while researching this topic for myself.


Here is what you need:

  • Exchange 2003 SP2 setup and fully functional.
  • Administrator access to both Front-end and Back-end servers
  • Firewall Administrator Access to your incoming firewall
  • And an iPhone with Wifi access (for initial sync and testing)

Setup Exchange 2003 for IMAP4 (incoming emails to your iPhone)

  1. Go into Exchange System Manager. Expand to Administrative Groups –> GroupName –> Servers –> Exchange_server_2003 –> Protocols –> IMAP4.
  2. Create a new IMAP4 Virtual Server. New –> IMAP4 Virtual Server…
  3. Give it a name
  4. Assign IP to “All Unassigned”.
  5. A new IMAP4 Server should be assigned in the right pane. Right click on it, and go into properties.
  6. Leave General tab as is. (unless you want to change the default TCP ports of 143 and SSL port of 993)
  7. In the Access tab, click on the “Authentication…” button. If your clients will always use SSL, or you have Weboutlook going into SSL automatically, then you do not need the “Requires SSL/TLS encryption” option. Otherwise, you need to check it; if you don’t, your password will be going over the wire in cleartext!!
  8. Okay, and get out of this window.
  9. Repeat the same steps on your backend server.

Setup Exchange 2003 for SMTP (outgoing emails from your iPhone)

  1. Go into Exchange System Manager. Expand to Administrative Groups –> GroupName –> Servers –> Exchange_server_2003 –> Protocols –> SMTP.
  2. Create a new SMTP Virtual Server. New –> SMTP Virtual Server…
  3. Give it a name
  4. Assign IP to “All Unassigned”.
  5. A new SMTP Server should be assigned in the right pane. Right click on it, and go into properties.
  6. Leave General tab as is. (unless you want to change the default TCP port of 25)
  7. In the Access tab, click on the “Authentication…” button. [Image: iPhone Exchange 2003 Authentication window]
  8. Click on the “Users” button and add the appropriate mobile users who will have an iPhone that will be sending. Make sure you only include those you want to be able to send. !!!Otherwise, you will have a nice open SMTP server for all the spammers to spam if you put “Everyone”!!! Click OK and OK when you are done with the users and Authentication.
  9. Skip Messages Tab
  10. Click on “Delivery tab” and on “Advanced” button
  11. If this Exchange server you are setting up is a front-end server, you will want to fill the Smart host field with your Back-end Server or whatever server processes your outgoing SMTP requests. If your Back-end server has an IP address of 172.16.62.5, put the IP address in square brackets, ie. [172.16.62.5]. Click on OK when you are done.
  12. You do not need to do this on your back-end server if your back-end server is sending the outgoing emails.

Firewall:
Depending on what firewall you have (Cisco Pix, Nokia Checkpoint, etc.), you’ll need to open the following TCP ports from the Internet to the front-end Exchange server.

  • IMAP4 (ie 143)
  • SMTP (ie. 25)
  • SSL IMAP4 (ie.993)

Exchange Services:

  • You need to set “Microsoft Exchange IMAP4” Service to Automatic and Start the service.
  • You need to set “Microsoft Exchange SMTP” Service to Automatic and Start the service. (if it isn’t already)

Apple iPhone:
I would recommend putting your iPhone onto a wifi network instead of EDGE until you get this up. Edge works fine on updates, but

  1. Go into the main Springboard page (With all the icons)
  2. Tap Settings
  3. Tap Mail
  4. Tap Other
  5. Tap Exchange
  6. Fill in the Name, Email address and a brief description of your work email
  7. In the Incoming Mail Server section, fill in the Host Name of your Weboutlook server. (Ie. owa.testserver.com)
  8. Fill in the Username with your domain and username. (IE. TESTDOMAIN\USERNAME)
  9. Fill in your password
  10. In the Outgoing Mail Server section, fill in the Host Name of your Weboutlook server. (Ie. owa.testserver.com)
  11. Fill in the Username with your domain and username. (IE. TESTDOMAIN\USERNAME)
  12. Fill in your password
  13. Tap Save and it should say “Verifying Exchange account information” on top.
  14. The screen should go back to your Mail screen, and you are set.
  15. Go into Mail and you will see your email box in the account tab all the way on top.

Troubleshooting

  • Make sure your firewall is open to IMAP4 and SMTP. You can usually check this with a telnet test from the command line (ie. telnet owa.testserver.com 143). You should see a “* OK Microsoft Exchange Server 2003 IMAP4rev1 server…” reply. Just make sure you are testing this from outside your network.
  • Make sure your web address, username and password are tapped correctly. The iPhone is notorious for mistyping extra long passwords.
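The telnet test above only shows that the port answers. As an added example (not part of the original post), this Python helper reads the greeting and the CAPABILITY reply so you can also see whether the server would accept a LOGIN in clear text on port 143, which is the risk noted in the IMAP4 setup step. It assumes, from RFC 2595 rather than from this post, that a server which refuses plaintext login advertises LOGINDISABLED; the sample greeting and capability lines are constructed, and owa.testserver.com is the post’s placeholder name.

```python
import socket
import ssl

# Greeting prefix quoted in the troubleshooting step above.
EXCHANGE_BANNER = "* OK Microsoft Exchange Server 2003 IMAP4rev1 server"
# Constructed sample of what the telnet test and a CAPABILITY request return.
SAMPLE_GREETING = EXCHANGE_BANNER + " (owa.testserver.com) ready."
SAMPLE_CAPS = ["* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE STARTTLS AUTH=NTLM AUTH=GSSAPI",
               "a1 OK CAPABILITY completed."]


def parse_capabilities(lines):
    """Return the capability set from '* CAPABILITY ...' lines (RFC 3501)."""
    caps = set()
    for line in lines:
        if line.upper().startswith("* CAPABILITY"):
            caps.update(token.upper() for token in line.split()[2:])
    return caps


def assess(greeting, cap_lines, over_tls):
    """Summarise the probe from a defender's point of view.

    Assumption (RFC 2595, not stated in the post): a server that refuses LOGIN
    before STARTTLS advertises LOGINDISABLED.  Without that, or an implicit-TLS
    port such as 993, a client's password crosses the wire in clear text.
    """
    caps = parse_capabilities(cap_lines)
    return {
        "exchange_imap4": greeting.startswith(EXCHANGE_BANNER),
        "starttls": "STARTTLS" in caps,
        "cleartext_login_possible": not over_tls and "LOGINDISABLED" not in caps,
        "auth_mechanisms": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }


def probe(host, port=143, timeout=5.0):
    """Live check from outside the network: greeting, CAPABILITY, LOGOUT; no password is sent."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 993:  # implicit TLS on the IMAP SSL port
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rw", encoding="ascii", errors="replace", newline="") as f:
        greeting = f.readline().rstrip("\r\n")
        f.write("a1 CAPABILITY\r\n")
        f.flush()
        lines = []
        for line in iter(f.readline, ""):
            lines.append(line.rstrip("\r\n"))
            if line.startswith("a1 "):  # tagged completion of our command
                break
        f.write("a2 LOGOUT\r\n")
        f.flush()
    return assess(greeting, lines, over_tls=(port == 993))
```

Call probe("owa.testserver.com") from the Internet side for the live check; if it reports cleartext_login_possible as True, either require SSL/TLS on the virtual server or only publish port 993.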

Final Thoughts:
I hope this How-to is a good starter for your IT people to get you started on IMAP4 syncing on the iPhone. I have used it at my workplace many a time to answer emails and no one can tell you are replying via an iPhone. Please leave comments or suggestions if there are any typographic errors or anything I missed.


1. Open the Active Directory Users And Computers management console.
2. Navigate to the organizational unit wherein the new contact should reside.
3. Select the organizational unit.
4. Click the Action menu and select New and then Contact.
5. Provide a name for the contact.
6. Provide a display name for the contact. This name will be used in the Active Directory Global Catalog. Click Next.
7. Enable the Create an Exchange Email Address checkbox on the New Object page.
8. Click Modify.
9. Create the external SMTP email address where messages are to be forwarded to. Click Next.
10. Verify the information displayed on the Summary page.
11. Click Finish.


1. Open the Active Directory Users And Computers console.
2. Navigate to the organizational unit wherein the new contact should reside.
3. Select the organizational unit.
4. Click the Action menu and select New and then Contact.
5. Provide the details for the new contact and click Next.
6. On the Email page, provide the alias for the contact.
7. Select the Create an Exchange Email Address checkbox so that an email address is created for the new contact.
8. Click Modify.
9. Select the SMTP Address option.
10. Provide the fully qualified Internet email address that should be used for the new contact.
11. To override the default Internet mail message formats, click the Advanced tab.
12. Click OK.
13. Click Next and then click Finish.


How to add mailbox stores

1. Click Start, All Programs, Microsoft Exchange, and then select Exchange System Manager.
2. Exchange System Manager opens.
3. In the left pane, right-click the storage group container and select New and then Mailbox Store from the shortcut menu.
4. On the General tab, provide the database name, default public store, and the offline address list to use.
5. You can also enable message archiving and specify whether clients support S/MIME signatures and whether plain text should be displayed in a fixed-size font.
6. On the Database tab, provide the database locations.
7. On the Limits tab, specify the message storage limit, the deleted items policy, and the deleted mailbox policy.
8. On the Full-Text Indexing tab, specify the frequency at which the full-text index is updated or rebuilt.
9. On the Details tab, specify which configuration information needs to be entered manually by administrators.
10. On the Policies tab, specify the system mailbox store policies for the mailbox store.
11. Click OK.


How to create storage groups

1. Click Start, All Programs, Microsoft Exchange, and then select Exchange System Manager.
2. Exchange System Manager opens.
3. In the left pane, right-click the Exchange server and select New and then Storage Group from the shortcut menu.
4. In the Properties dialog box which opens, in the Name textbox, provide a name for the new storage group. This is the name that will appear in Exchange System Manager and in the Active Directory Users And Computers management console.
5. In the Transaction log location box, provide the location for storing the transaction logs. Click the Browse button to navigate to the location.
6. In the System path location box, provide the location for storing temporary files. Click the Browse button to navigate to the location.
7. In the Log file prefix box, the specific log file prefix is automatically assigned by the Exchange server.
8. Enable the Zero out deleted database pages checkbox to have all deleted data removed from the drive.
9. The Enable circular logging checkbox should not be enabled.
10. Click OK.


1. Open the Active Directory Users And Computers console.
2. Proceed to select the user account objects that should be modified.
3. Using the Exchange System Manager menu, click Action and then select Exchange Tasks.
4. The Exchange Task Wizard starts.
5. On the Exchange Task Wizard Welcome page, click Next.
6. Select the Configure Exchange Features option. Click Next.
7. Select the Exchange features which should be enabled or disabled.
8. Select either the Enable or Disable tab and then change the options accordingly. Click Next to proceed.
9. Review the displayed summary information.
10. Click Next. Click Finish.


1. Open the Exchange System Manager.
2. Select the Exchange server that will run the Mailbox Manager tasks.
3. Click the Action menu and select Properties.
4. Click the Mailbox Management tab.
5. Select the Start Mailbox Management Process option if you want to specify one of the predefined schedules.
6. If you want to create your own schedule, click Custom.
7. Select the Reporting option to send a report to the administrator account indicated on the Administrator tab.
8. Select the Administrator option if you want to specify the administrator account to which reports should be sent.
9. Click OK.


1. Open the Exchange System Manager.
2. Navigate to the recipient policies container.
3. Select the recipient policies container.
4. Select the Action menu and select New and then Recipient Policy.
5. On the New Policy dialog box, select the Mailbox Manager Settings option.
6. Click OK.
7. Provide a name for the mailbox cleanup policy in the Name field.
8. Click the Modify tab.
9. Specify policy membership for the cleanup policy and then click OK.
10. On the Recipient Policy Change dialog box, click OK.
11. Click the Mailbox Manager Setting (Policy) tab.
12. Specify the mailbox-cleanup options.
13. Click OK.


1. Open the Exchange System Manager.
2. Navigate to the recipient policies container.
3. Select the recipient policies container.
4. Select the Action menu and select New and then Recipient Policy.
5. On the New Policy dialog box, select the Mailbox Manager Settings option.
6. Click OK.
7. Provide a name for the mailbox recipient policy in the Name field.
8. Click the Modify tab.
9. Specify policy membership for the mailbox policy and then click OK.
10. On the Recipient Policy Change dialog box, click OK.
11. Click the Mailbox Manager Setting (Policy) tab.
12. In the Processing a Mailbox drop-down list box, click the Generate Report Only option.
13. Click OK.
