“What is RPC over HTTPS, and why is enabling it on a single Exchange Server significant?” I hear you cry.

RPC over the HTTP(S) is the technical term for ‘Outlook Anywhere’ – the technology that allows you to access Exchange from an Outlook client via any Internet connection as if you were connected via the local network.

Outlook Anywhere is similar to the Server ActiveSync protocol used by Windows Mobile devices to access Exchange in that it is used to synchronise email, contacts and calendar with the client device, but whereas Server ActiveSync can only synchronise data with a specific user mailbox, Outlook Anywhere allows the user to use the full functionality of their Outlook client remotely – this includes accessing mailboxes other than their own (should they have permission to), public folders, everything they can do when connected locally in the office.

RPC stands for Remote Procedure Call. Whenever you perform an action in Outlook that requires a response from the Exchange server, Outlook sends a remote procedure call to the Exchange server and gets a response back.

What Outlook Anywhere does is to encrypt these remote procedure calls using a digital certificate and then send them to the Exchange server over the Internet, hence RPC over HTTPS.

Exchange 2007 can support Outlook Anywhere in a single-server deployment, but Exchange 2003 requires that Exchange be deployed in a 2-server topology called a ‘front-end’ / ‘back-end’ deployment. This is principally for security reasons: the ‘front-end’ server, because it is Internet-facing, sits in a DMZ environment and receives the encrypted request from the Outlook client. It then decrypts the request and sends it, unencrypted, over the local network to the ‘back-end’ Exchange server exactly as a local Outlook client would do. When the response is received from the back-end Exchange server, it is encrypted and then sent back to the client over the Internet.

It is possible to do all of this without encrypting the information, in which case it would be RPC over HTTP, but this guide assumes that you are using a certificate to encrypt information and I would not recommend not doing so.

It is important to note that Exchange 2007 can also be configured in this way should security be a concern, except that with Exchange 2007 the terminology has changed so that you no longer have ‘front-end’ and ‘back-end’ servers, instead you have different Exchange roles that can be applied in any topology you want – so you have ‘edge servers’ and ‘mailbox servers’ as well as ‘client access servers’ and ‘hub transport servers’.

The ‘role’ of an Exchange 2003 server is specified in the Exchange System Manager. Right click on the Exchange server and select Properties. On the General tab there is an option to specify ‘This is a Front End server’:

In a single-server deployment, if you try to select this option you will receive an error indicating that you cannot set a server as a front-end server if it is the only Exchange server in the organisation:

However it is possible. But it does involve editing the registry on the Exchange server. Therefore, you should not make any changes to your live Exchange environment unless you fully understand the potential ramifications of making any changes to the registry on your Exchange server.

To enable RPC over HTTP on your Exchange server, there are a number of steps you need to follow.

Install RPC over HTTP Proxy Service

You first need to install the RPC over HTTP proxy service. This is a component of the Windows Server operating system and is installed via the Add/Remove Windows Components applet within the Control Panel. It is located under Networking Services:

Configure authentication mechanism to RPC virtual directory within IIS Manager

Now launch the Internet Information Services (IIS) Manager applet. Locate the RPC virtual directory:

Right click on the virtual directory and select Properties.

Click on the Directory Security tab and then on the Edit button in the Authentication and Access Control section:

Untick the option to Enable Anonymous Access.

Tick the option to enable Basic Authentication, a warning message will be displayed click Yes to acknowledge it.

In the Default Domain field, click on the Select button and select the Domain that the Exchange server services:

Click OK.

NOTE – you have now basic authentication access to the Exchange server RPC directory, as mentioned previously this is acceptable if you are using a digital certificate to encrypt client-server communications, if you are not then any password information sent over the Internet could be intercepted.

Configure RPC virtual directory to require SSL communication within IIS Manager

Still within the Directory Security tab, click on the Edit button in the Secure Communications section:

Ensure that the option to Require Secure Channel (SSL) is ticked, as well as the option below it. Normally this option will be selected already if you use SSL with Outlook Web Access.

Configure RPC port access in the Registry

On the Exchange server, click on Start and select Run. Type in ‘regedt32.exe’ and click OK. This will launch Registry Editor.

Browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

Verify that the Rpc/HTTP port is set to 6001 (it will be by default):

Now browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters

Verify that the HTTP Port is set to 6002 (it will be by default)

Also verify that the Rpc/HTTP NPSI Port is set to 6004 (it will be by default)

Now browse to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

Double click on the ValidPorts entry, the following will be displayed:

Delete the contents of the field (exchange:100-5000), and replace it with the following:

(ServerNETBIOSName):6001-6002;:6001-6002;(ServerNetBIOSName):6004;(ServerFQDN):6004

where (ServerNETBIOSName) is the machine name of the Exchange server itself, and (ServerFQDN) is its external name (ie the name used by Outlook Web Access)

So my server would require the following entry:

exchange:6001-6002;exchange.oa-demo.co.uk:6001-6002;exchange:6004;exchange.oa-demo.co.uk:6004

If the Internal FQDN of the server is different from the External FQDN, then the entry needs to be longer. Suppose the NETBIOS name of the server is 'UKMAIL01', and the internal FQDN is 'UKMAIL01.oa-demo.co.uk', and the external name of the server is 'exchange.oa-demo.co.uk', then the entry would need to be:

UKMAIL01:6001-6002;UKMAIL01.oa-demo.co.uk:6001-6002;exchange.oa-demo.co.uk:6001-6002;
UKMAIL01:6004;UKMAIL01.oa-demo.co.uk:6004;exchange.oa-demo.co.uk:6004

You may need to adjust these settings, for example the internal FQDN may be UKMAIL01.oa-demo.local

Don't be afraid to experiment!

Exit Registry Editor.

Configure RPC over HTTP Topology in Exchange System Manager

Launch the Exchange System Manager.

Right click on the Exchange Server and select Properties.

Click on the RPC-HTTP tab, the following will be displayed:

Select the option to make the server a Back-End server. An error message will be displayed:

Click OK to acknowledge the error. Click OK again to save the changes to the configuration. A warning message will be displayed warning that the ports have not been configured correctly and be prompted to reconfigure them. Click CANCEL. You will be prompted to reboot the server.

Now reboot the Exchange Server.

Install the SSL certificate on the client PC

Before you can use Outlook to connect to the Exchange server via RCP over HTTPS, you will first need to install the correct SSL certificate onto the client PC to authenticate the certificate used by the Exchange server. This is only necessary if you are using a self-issued certificate. If you are using a root-trusted certificate on the Exchange server then ignore this step.

The certificate that needs to be installed on the client PC is not the certificate used by the RPC virtual directory on the Exchange server, but the root certificate of the Certificate Authority that issued the certificate to the RPC directory.

To locate this certificate, log into the server that has the Certificate Authority service installed on it. This may well be the Exchange server itself, it depends on how your network is deployed.

On the server that is acting as the CA, open the Control Panel and open Internet Options.

Click on the Security tab and the on the Certificates button.

Click on the Trusted Root Certification Authorities tab.

Locate the certificate issued by the CA and export it as a CER file. Copy this file to the client PC.

On the client PC double click the CER file to install it. Select the option to install it to the Trusted Root Certification Authorities folder.

Configure the Outlook Client

NOTE – to use Outlook via RPC over HTTPS you will require Outlook 2003 or later.

Create a new Outlook profile if required.

Select the option to create an Exchange Server account.

In the Server Name field enter the LOCAL address of the Exchange server (ie the machine name, or the NETBIOS name)

Enter your username.

DO NOT CLICK NEXT at this point, click on the More Setting button.

You may receive an error saying that the Exchange server cannot be contacted, click OK. A further window will be displayed asking you to verify the address of the Exchange server, click Cancel.

The More Settings window will now be displayed. Click on the Connection tab:

Tick the option to Connect to Microsoft Exchange using HTTP. Click on the Exchange Proxy Settings button:

Enter the external web address of the Exchange server (ie the address used for Outlook Web Access) in the fields as shown above. In the second text field, the ‘msstd’ is required!

Click OK, OK again, Next and then Finish.

Now launch Microsoft Outlook.

You will be prompted to enter your NT domain login credentials:

Enter your username in the form ‘DOMAIN\Username’

You will now be connected to the Exchange server:

In the immortal words of a popular 80s television show: "I love it when a plan comes together!"