Configuring the Outlook 2003 RPC Over HTTP Client


    Published: Jan 05, 2004 Updated: Oct 05, 2006 Section: Mobility & Client Access Author: Thomas Shinder Rating: 3.9/5 - 322 Votes

    The RPC over HTTP protocol allows your full Outlook 2003 MAPI clients to connect to Exchange 2003 Servers using HTTP/HTTPS. This solves the problem remote Outlook 2003 users have when located behind restrictive firewalls. The trick is to figure out how to properly configure the Outlook 2003 client to use this protocol. If you have remote users who need to access Exchange 2003 via Outlook 2003, then check out this article and see how to configure Outlook 2003 to use RPC over HTTP.

    Internet-connected organizations are coming to the realization that firewalls are useful for more than just inbound access control. The traditional way of thinking about firewalls is that they protect you from intruders located outside the firewall. Today's firewall administrator realizes that the corporate firewall must not only control what comes into the network, but also what leaves the network. Many of us learned this lesson the hard way after having our networks infected with the Nachi virus.

    Unfortunately, many firewall administrators go too far. In their attempts at controlling outbound access, they end up preventing outbound access to all protocols except for HTTP or SSL secured HTTP (HTTPS). This prevents remote users from accessing your Exchange Server using secure Outlook RPC connections via ISA Server 2000 Secure Exchange RPC publishing. Blocking secure RPC connections prevents your remote users from benefiting from the full Outlook MAPI client.

    Microsoft realized the magnitude of this problem. Their solution is the RPC over HTTP protocol. This protocol allows remote Outlook 2003 clients to connect to Exchange 2003 Servers using HTTP or HTTPS. The RPC protocol commands and data are "wrapped" (also known as encapsulated) in an HTTP header. The firewall in front of the Outlook 2003 MAPI client only sees the HTTP header and passes the outbound connection through. The RPC over HTTP protocol allows your remote users to get around what might be considered an overly zealous approach to outbound access control.

    The Outlook 2003 client connects to an RPC over HTTP proxy server. The RPC over HTTP proxy server can be a front-end Exchange Server running IIS 6.0 on Windows Server 2003, or it can be a machine running the IIS 6.0 RPC over HTTP proxy service that is not configured as a front-end Exchange Server. Microsoft's documentation stresses the front-end/back-end Exchange configuration, but this configuration is not required. The Outlook 2003 client only needs to connect to a Windows Server 2003 machine configured as an RPC over HTTP proxy.

    An example of such a configuration is shown in the figure below.


    04/04/2008http://www.msexchange.org/tutorials/outlookrpchttp.html


    There are many ways you can make the RPC over HTTP proxy available to remote users. The most secure way, and the only way I recommend that you do so, is to use an ISA Server 2000 firewall to control inbound access to the RPC over HTTP proxy. The ISA Server 2000 firewall is able to inspect even SSL encrypted packets for dangerous exploits that might be hidden inside the SSL tunnel. Other firewalls are not able to evaluate the validity of the commands and data moving from a remote client to the RPC over HTTP proxy and put your network and Exchange Servers at unnecessary risk.

    For more information on how to configure an ISA Server 2000 firewall to support secure inbound RPC over HTTP connections, check out the following series of articles:

    Part 1 of this series can be found at: http://www.msexchange.org/articles/rpchttppart1.html

    Part 2 of this series can be found at: http://isaserver.org/articles/rpchttppart2.html

    Part 3 of this series can be found at: http://www.isaserver.org/tutorials/rpchttppart3.html

    Part 4 of this series can be found at: http://isaserver.org/tutorials/rpchttppart4.html

    You must use Outlook 2003 running on Windows XP Service Pack 1 to connect using the RPC over HTTP protocol. In addition, you must install the hotfix mentioned in Microsoft KB article "Outlook 11 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP". Download and install the hotfix before configuring a profile that allows the user to connect to the Exchange Server.

    It is important to note that you must create the Outlook 2003 profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135, typically through an ISA Server 2000 secure Exchange RPC Publishing rule). You will not be able to create a new profile or change an existing profile to use RPC over HTTP if the client does not have access to the Exchange Server via RPC (TCP 135).

    This bears repeating: you will not be able to create a new Outlook profile unless the Outlook client is on the internal network and can access the Exchange Server using RPC via TCP 135. In addition, a user with an existing profile will not be able to alter the existing profile so that it can use RPC over HTTP unless that client is located on the internal network and can access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135.

    Of course, there are always exceptions to the rule. The article "Configuring Outlook 2003 for RPC over HTTP" indicates that you should be able to use the Office Resource Kit to configure an Outlook 2003 profile that allows access to the RPC over HTTP servers without requiring RPC access to the Exchange Server. We have not tested this configuration. If you have used the ORK to configure such a profile, please let us know about your experiences on the message board at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002315.

    Configuring the Outlook 2003 Client to use RPC over HTTP

    Perform the following steps to create the Outlook 2003 profile:

    1. Click Start and then right click on the Outlook 2003 icon in the menu. Click on the Properties command.

    2. Click the Add button in the Mail dialog box.


    3. Type in a name for the profile in the Profile Name text box. Click OK.


    4. Select the Add a new e-mail account option on the This wizard will allow you to change the e-mail accounts and directories that Outlook uses page. Click Next.

    5. On the Server Type page, select the Microsoft Exchange Server option and click Next.


    6. On the Exchange Server Settings page, type in the FQDN of the front-end Exchange Server. This must be the same name used on the Web site certificate you have assigned to the front-end Exchange Server's Web site. For example, we obtained a Web site certificate for the front-end Exchange Server's Web site. The Common Name (CN) on the Web site certificate is owa.internal.net. Therefore we enter owa.internal.net in the Microsoft Exchange Server text box.

    Type a user account name in the User Name text box. Click the Check Name button to confirm that the Outlook 2003 client machine can communicate with the front-end Exchange Server.

    Put a checkmark in the Use local copy of Mailbox checkbox.

    Click the More Settings button.


    7. You can change how Outlook detects the connection state on the General tab of the Microsoft Exchange Server dialog box. Do not make any changes here unless you have an explicit reason to do so.


    8. Click on the Advanced tab. Confirm that there is a checkmark in the Use local copy of Mailbox checkbox. The default selection is Download headers followed by full item.

    9. Click on the Security tab. Put a checkmark in the Encrypt information checkbox. I'm not sure this does anything when you use RPC over HTTP, but encryption is a good thing, so we'll enable this checkbox anyhow.


    10. Click on the Connection tab. Select the Connect using my Local Area Network (LAN) option. Put a checkmark in the Connect to my Exchange mailbox using HTTP checkbox, then click the Exchange Proxy Settings button.


    11. You configure the specifics of the RPC over HTTP session in the Exchange Proxy Settings dialog box. Type in the FQDN of your front-end Exchange Server in the Use this URL to connect to my proxy server for Exchange text box. This is the same name listed as the Common Name on the Web site certificate.

    Put a checkmark in the Mutually authenticate the session when connecting with SSL checkbox. Put in the FQDN of the front-end Exchange Server (the same name listed on the Web site certificate) in the Principal name for proxy server text box. Use the format:

    Msstd:FQDN

    For example, we use msstd:owa.internal.net for our published front-end Exchange Server because the Common Name on the certificate is owa.internal.net.

    Put a checkmark in the Connect using HTTP first, then connect using my Local Area Network (LAN) checkbox. This is an interesting setting, as it's unclear what a "LAN" protocol is in contrast to an "HTTP" protocol. I assume it means to use unencapsulated RPC messages, but I can't say that for sure.

    In the Use this authentication when connecting to my proxy server for Exchange drop down box, select the Basic Authentication option. This forces you to use SSL, which is OK, because we are using SSL for our links.

    Click OK on the Exchange Proxy Settings dialog box.

    12. Click Apply and OK on the Microsoft Exchange Server dialog box.


    13. Click Next on the Exchange Server Settings page.


    14. Click Finish on the Congratulations! page.

    15. Click OK on the Mail dialog box.


    16. Open Outlook 2003. You will be able to use HTTPS for the connection, as confirmed in the Exchange Server Connection Status window. You can access the connection status window by right clicking on the Outlook 2003 icon in the system tray and selecting the connection status command right after you start up Outlook 2003.
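
    The name-matching rules from steps 6 and 11, as an added example that is not part of the original article: a Python preflight check that compares the planned profile values with the certificate's Common Name before anyone walks through the dialogs. The setting keys and the host mail.internal.net are hypothetical, and the certificate dict is constructed in the shape returned by Python's ssl getpeercert().

```python
# Added example: checks the rules stated in steps 6 and 11 of the article.
# The dictionary keys are hypothetical labels, not Outlook registry values.

def cert_common_name(peercert):
    """Return the subject CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_profile(settings, peercert):
    """Return a list of problems; an empty list means the values are consistent."""
    cn = cert_common_name(peercert)
    if cn is None:
        return ["certificate has no Common Name"]
    problems = []
    cn_l = cn.lower()  # DNS names are case-insensitive
    # Step 6 and step 11: both server fields must carry the certificate's CN.
    for field in ("exchange_server", "proxy_server"):
        if settings[field].lower() != cn_l:
            problems.append(f"{field} {settings[field]!r} does not match CN {cn!r}")
    # Step 11: principal name is msstd:<CN>; the article writes the prefix
    # as both "Msstd:" and "msstd:", so the prefix is compared lowercased.
    prefix, _, host = settings["principal_name"].partition(":")
    if prefix.lower() != "msstd" or host.lower() != cn_l:
        problems.append(f"principal_name should be 'msstd:{cn}'")
    if not settings["mutual_auth"]:
        problems.append("mutual authentication over SSL is not enabled")
    # Step 11: Basic Authentication is only acceptable on an SSL link.
    if settings["auth"] == "basic" and not settings["ssl"]:
        problems.append("Basic Authentication configured without SSL")
    return problems

# Constructed sample data; owa.internal.net is the article's example name.
SAMPLE_CERT = {"subject": ((("commonName", "owa.internal.net"),),)}
GOOD = {"exchange_server": "owa.internal.net", "proxy_server": "owa.internal.net",
        "principal_name": "msstd:owa.internal.net", "mutual_auth": True,
        "auth": "basic", "ssl": True}
BAD = dict(GOOD, proxy_server="mail.internal.net",
           principal_name="owa.internal.net", ssl=False)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_profile(cfg, SAMPLE_CERT) or "OK")
```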


    Summary

    Outlook 2003 clients can connect to Microsoft Exchange 2003 Servers using the RPC over HTTP protocol. This allows Outlook 2003 clients to get through firewalls that are configured to block secure Exchange RPC connections from Outlook MAPI clients. Microsoft has solved this problem by enabling the Outlook 2003 client running on Windows XP SP1 and above to encapsulate the RPC protocol information in an HTTP header. ISA Server 2000 firewalls provide the highest level of protection for RPC over HTTP proxies. This makes ISA Server 2000 the firewall of choice when providing remote access to your Exchange Servers. The Outlook 2003 client can be configured on an individual basis, or you may be able to use the Office Resource Kit to configure Outlook profiles.

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002315 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! Tom

    About Thomas Shinder

    Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.


    Copyright 2008 TechGenix Ltd. All rights reserved.