Joining the Branch Office to the Main Office with ISA 2000 Firewalls: Connecting to the Main Office Exchange Server from the Branch Office using RPC over HTTP

by Thomas W Shinder, M.D.

E-mail is the most used Internet application for businesses, and remote access to Microsoft Exchange Server services is vital for branch office users. In branch office environments that are connected via a site to site VPN link, Outlook MAPI clients can connect to the Exchange Server directly through the VPN tunnel. However, some branch offices may have an ISA Server 2000 firewall or some other firewall protecting the branch office and may not have established a site to site VPN link.

An alternative to direct RPC communications over a site to site VPN link is to use Outlook 2003 to create an RPC over HTTP connection from the branch office to the main office. The only requirement for the branch office firewall is that it allows outbound TCP 443 (SSL). The RPC commands that are required to benefit from the full Outlook 2003 MAPI client functionality are encapsulated ("wrapped") in an HTTP header. When the communication arrives at the RPC over HTTP proxy at the main office network, the HTTP header is removed and the RPC commands and data are forwarded to the Exchange Server. The Exchange Server responses are forwarded to the RPC over HTTP proxy, re-encrypted, and returned to the Outlook 2003 RPC over HTTP client.

The figure below shows a high level overview of the communications path between the Outlook 2003 RPC over HTTP client and the Exchange Server.

In this document, we will discuss the procedures required to install and configure an RPC over HTTP proxy server on the ISA Server 2000 firewall at the main office and configure the branch office ISA Server 2000 firewall and Outlook 2003 client to connect to the main office Exchange Server using the RPC over HTTP protocol.

The following procedures are required to create the RPC over HTTP connection:

  • Step 1: Install Windows Server 2003 on the main office and branch office machines
  • Step 2: Install ISA Server 2000 on the main office and branch office machines
  • Step 3: Install the Microsoft DNS server on the branch office machine and configure the Exchange Public DNS Records
  • Step 4: Install the RPC over HTTP Proxy service on the ISA Server 2000 firewall machine
  • Step 5: Disable Socket Pooling for the W3SVC and bind the Web site to the internal address on the ISA Server 2000 firewall
  • Step 6: Obtain a Web site certificate for the RPC over HTTP Web site
  • Step 7: Force basic authentication on the RPC over HTTP folder
  • Step 8: Create a Web Publishing Rule using the OWA Wizard and add the RPC site to the Destination Set
  • Step 9: Configure the Registry Settings for the RPC over HTTP Service
  • Step 10: Create the HOSTS file setting for the name on the Web site certificate
  • Step 11: Configure DNS to resolve the RPC over HTTP connection to the external interface of the ISA Server 2000 firewall
  • Step 12: Create an HTTPS Access Policy

Note that I will not talk about the Outlook 2003 client configuration in this article. I will post an updated version of my previous Outlook 2003 RPC over HTTP client article on this site in the next few days.

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

  Requirement             | Standard | Enterprise | Datacenter
  ------------------------|----------|------------|-----------
  Recommended CPU         | 550 MHz  | 733 MHz    | 733 MHz
  Recommended Minimum RAM | 256 MB   | 256 MB     | 1 GB
  Multiprocessor Support  | Up to 4  | Up to 8    | Max 64
  Disk Space for Setup    | 1.5 GB   | 1.5 GB     | 1.5 GB

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

  Setting         | EXCHANGE2003                       | LOCALHOST | LOCALVPNISA                      | REMOTEVPN                        | REMOTEHOST
  ----------------|------------------------------------|-----------|----------------------------------|----------------------------------|-----------
  IP Address      | 10.0.1.2                           | 10.0.1.3  | Int: 10.0.1.1, Ext: 192.168.1.70 | Int: 10.0.2.1, Ext: 192.168.1.71 | 10.0.2.2
  Default Gateway | 10.0.1.1                           | 10.0.1.1  | 192.168.1.60                     | 192.168.1.60                     | 10.0.2.1
  DNS             | 10.0.1.2                           | 10.0.1.2  | 10.0.1.2                         | 10.0.2.1                         | 10.0.2.1
  WINS            | 10.0.1.2                           | 10.0.1.2  | 10.0.1.2                         |                                  |
  Services        | DC, DNS, WINS, DHCP, Enterprise CA | None      | ISA Server 2000                  | ISA Server 2000, DNS             |

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue a certificate to the RPC over HTTP Web site located on the ISA Server 2000 firewall machine.

The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the LOCALHOST and REMOTEHOST computers is required to allow these machines to route requests to the opposite network to the internal interface of the ISA Server 2000 firewall computer.

In the current example, the REMOTEHOST is the Outlook 2003 client. The LOCALHOST computer will not be used.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computer. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on the branch office computer.

The branch office computer will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

  • Recursion to resolve Internet host names
  • Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.

In addition, the DNS server at the branch office will act as a secondary DNS server for the domain DNS server located at the main office. This allows the client computers on the branch office network to use the DNS server located on the branch office ISA Server 2000 firewall to resolve names for computers that belong to the domain. We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

  1. The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.
  2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the ISA Server 2000 VPN gateway the address of the .com DNS server.
  3. The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.
  4. The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.
  5. The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.
  6. When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.
  7. The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.
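As an added example (not part of the original article), the Python simulation below walks the two name-resolution paths just described: an iterative lookup that follows referrals from the root through .com to the microsoft.com server, and a direct answer from a locally held secondary zone for msfirewall.org. The zone data, name server labels and IP addresses in it are constructed for illustration; only the host and domain names come from the steps above.

```python
"""Simulation of the two name-resolution paths the branch office DNS server
follows: iterative recursion (root -> .com -> microsoft.com) for Internet
names, and a direct authoritative answer from a locally held secondary zone
for names in the main office domain.

Added example, not part of the original article. The zone data, server
labels and IP addresses are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                        # zone apex; "" is the root
    a_records: dict = field(default_factory=dict)    # fqdn -> IPv4 address
    delegations: dict = field(default_factory=dict)  # child zone -> name server label


# Constructed stand-ins for the Internet's authoritative servers (steps 2-4).
REMOTE_ZONES = {
    "": Zone("", delegations={"com": "a.gtld-servers.example"}),
    "com": Zone("com", delegations={"microsoft.com": "ns1.microsoft.example"}),
    "microsoft.com": Zone("microsoft.com",
                          a_records={"www.microsoft.com": "192.0.2.10"}),
}

# Constructed secondary copy of the main office zone, held on the branch
# office DNS server after the zone transfer described in the text (step 7).
LOCAL_SECONDARY = Zone("msfirewall.org",
                       a_records={"www.msfirewall.org": "10.0.1.3"})


class BranchDns:
    """Minimal model of the DNS server on the branch office ISA Server 2000 gateway."""

    def __init__(self, local_zones, remote_zones):
        self.local = {z.name: z for z in local_zones}
        self.remote = remote_zones
        self.cache = {}   # fqdn -> address learned through recursion

    def _local_zone_for(self, fqdn):
        labels = fqdn.split(".")
        for i in range(len(labels)):
            zone = self.local.get(".".join(labels[i:]))
            if zone is not None:
                return zone
        return None

    def resolve(self, fqdn):
        """Return (address, path); path lists the remote servers asked, in order.
        An empty path means the answer came from a local zone or the cache.
        address is None when no server is authoritative for the name."""
        fqdn = fqdn.lower().rstrip(".")
        zone = self._local_zone_for(fqdn)
        if zone is not None:                      # steps 6-7: answer directly
            return zone.a_records.get(fqdn), []
        if fqdn in self.cache:                    # caching-only behaviour
            return self.cache[fqdn], []
        path, current = [], ""                    # steps 2-5: start at the root
        while True:
            zone = self.remote[current]
            path.append(current or "<root>")
            if fqdn in zone.a_records:            # authoritative answer
                self.cache[fqdn] = zone.a_records[fqdn]
                return self.cache[fqdn], path
            referral = next((child for child in zone.delegations
                             if fqdn == child or fqdn.endswith("." + child)), None)
            if referral is None:                  # nobody delegates this name
                return None, path
            current = referral                    # follow the referral down


if __name__ == "__main__":
    dns = BranchDns([LOCAL_SECONDARY], REMOTE_ZONES)
    for name in ("www.microsoft.com", "www.microsoft.com", "www.msfirewall.org"):
        print(name, "->", dns.resolve(name))
```

The second lookup of www.microsoft.com is answered from the cache with an empty path, which is the caching-only behaviour the text describes; the main office name never leaves the branch office server because the secondary zone answers it authoritatively.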

Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:

  1. Click Start and point to Control Panel. Click on Add or Remove Programs.
  2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.
  3. On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.
  4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
  5. Click Next on the Windows Components page.
  6. Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.
  7. Click Finish on the Completing the Windows Components Wizard page.

At this point, the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks. Later you can create a site to site VPN link to make the DNS server a secondary DNS server for the main office DNS server.

In the current example, we will not create the site to site link. Instead, we will configure a standalone primary DNS server at the branch office and enter into it the public address for the name used in the RPC over HTTP connection configured on the Outlook 2003 client. We are doing this for the sake of simplicity in our lab configuration. In a production environment, the name used to connect to the RPC over HTTP site is resolved by using public DNS servers, and the branch office DNS server is configured as a secondary of the main office DNS server.

We will cover this issue in more detail later in this document when we configure the supporting DNS entry.

Step 4: Install the RPC over HTTP Proxy service on the ISA Server 2000 firewall machine

Perform the following steps to install the RPC over HTTP Proxy networking service on the ISA Server 2000 firewall machine at the main office:

  1. Click Start, point to Control Panel and click on Add or Remove Programs. In the Add or Remove Programs window, click on the Add/Remove Windows Components button.
  2. In the Windows Components dialog box, click on the Networking Services entry in the Components list and then click the Details button.
  3. In the Networking Services dialog box, put a checkmark in the RPC over HTTP Proxy checkbox and click OK.
  4. Click Next in the Windows Components dialog box.
  5. An Insert Disk dialog box may appear asking you to insert the Windows CD-ROM (this will occur if you installed Windows from the CD, rather than from a network share or installation files copied to the local disk). Click OK.
  6. Enter a path to the i386 folder in the Files Needed dialog box. Click OK.
  7. Click Finish on the Completing the Windows Components Wizard page.
  8. Close the Add or Remove Programs window.

Step 5: Disable Socket Pooling for the W3SVC and bind the Web site to the internal address on the ISA Server 2000 firewall

The httpcfg.exe tool from the Windows Server 2003 Support Tools is used to make HTTP.sys listen only on the internal IP address of the ISA Server 2000 firewall computer. Perform the following steps to install the Support Tools and set the listening address:

  1. Copy the Support folder from the Windows Server 2003 CD-ROM to the local hard disk on the ISA Server 2000 firewall computer.
  2. In the Tools folder, double click on the SUPTOOLS.MSI file.
  3. Click Next in the Welcome to the Windows Support Tools Setup Wizard page.
  4. Select the I Agree option on the End User License Agreement page. Click Next.
  5. On the User Information page, enter your Name and Organization.
  6. On the Destination Directory page, select a location for the Support Tools files and click Install Now.
  7. Click Finish on the Completing the Windows Support Tools Setup Wizard page.
  8. In the Support Tools folder to which the files were installed, find the httpcfg.exe file and copy that file to the root of the C:\ drive.
  9. Configure HTTP.sys to listen only on the specified IP address (usually the internal IP address of ISA Server) by typing httpcfg set iplisten -i ip-address at a command prompt. In this example, we will enter httpcfg set iplisten -i 10.0.1.1 and press ENTER.
  10. At the command prompt, enter net stop http and press ENTER. Press Y to confirm that you want to stop the services.
  11. At the command prompt, enter net stop W3proxy and press ENTER.
  12. At the command prompt, enter net start http and press ENTER.
  13. At the command prompt, enter net start W3SVC and press ENTER.
  14. At the command prompt, enter net start W3proxy and press ENTER.
  15. Close the command prompt window.

The next step is to open the Internet Information Services (IIS) console and bind the Web site to the internal IP address on the ISA Server 2000 firewall computer.

Perform the following steps to bind the correct address to the Web site:

  1. Click Start and point to Administrative Tools. Click on Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console.
  3. Right click the Default Web Site and click Properties.
  4. In the Default Web Site Properties dialog box, click on the Web Site tab. Select the internal IP address on the ISA Server 2000 firewall computer from the IP address list. Click Apply and then click OK.
  5. Leave the Internet Information Services (IIS) Manager console open to prepare for the next procedure.

Step 6: Obtain a Web Site Certificate for the RPC Over HTTP Web Site

The next step is to obtain a Web site certificate for the RPC over HTTP Web site. In our example, the Outlook 2003 client will connect to the RPC over HTTP Web site using the URL https://owa.msfirewall.org. The name in the request must match the name in the certificate, so we will request a certificate with the common name owa.msfirewall.org.

Perform the following steps to request the certificate:

  1. Right click on the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the Server Certificate button.
  4. Click Next on the Welcome to the Web Server Certificate Wizard page.
  5. On the Server Certificate page, select the Create a new certificate option and click Next.
  6. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option and click Next.
  7. On the Name and Security Settings page, you can use the default name in the Name text box and the default value in the Bit length text box, or you can use alternative values if you wish. In this example, we will use the defaults and click Next.
  8. On the Organization Information page, enter your Organization and Organizational unit in the text boxes provided. Click Next.
  9. On the Your Site's Common Name page, enter the fully qualified domain name that external RPC over HTTP clients will use to connect to the site. In this example, remote Outlook 2003 clients will connect to the site using the name owa.msfirewall.org. Therefore, we will enter owa.msfirewall.org in the Common name text box. Click Next.
  10. On the Geographical Information page, enter your Country/Region, State/Province and City/Locality and click Next.
  11. On the SSL Port page, use the default port of 443 and click Next.
  12. On the Choose a Certification Authority page, use the default entry in the Certification authorities list and click Next.
  13. Review your configuration on the Certificate Request Submission page, and click Next.
  14. Click Finish on the Completing the Web Server Certificate Wizard page.
  15. On the Directory Security tab, click the Edit button in the Secure communications frame.
  16. In the Secure Communications dialog box, place a checkmark in the Require secure channel (SSL) checkbox and the Require 128-bit encryption checkbox. Click OK.
  17. Click Apply in the Default Web Site Properties dialog box.
  18. Leave the Default Web Site Properties dialog box open to prepare for the next step.

Step 7: Force basic authentication on the RPC over HTTP folder

In order to prevent problems related to the negotiation of integrated authentication, we will configure the RPC directory on the Web site to accept only basic authentication. We do not want the site to negotiate any other form of authentication. Although basic authentication can potentially expose credentials to intruders, the problem is mitigated by the use of SSL. The SSL channel will protect both the user credentials and the data moving through it.

Perform the following steps to force basic authentication on the RPC directory:

  1. On the Default Web Site Properties dialog box, click on the Directory Security tab.
  2. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
  3. Remove the checkmark from the Enable anonymous access checkbox. Remove the checkmark from the Integrated Windows authentication checkbox. Place a checkmark in the Basic authentication (password sent in the clear) checkbox. Click Yes in the IIS Manager dialog box warning that passwords are sent in the clear when using basic authentication and that you should use SSL. Click Select to select the Default domain. In the Browse for Domain dialog box, select the internal network domain. In this example, the domain name is msfirewall.org, so we will select that one. Click OK in the Browse for Domain dialog box. Click OK in the Authentication Methods dialog box.
  4. Click Apply and then click OK in the Default Web Site Properties dialog box.
  5. Close the Internet Information Services (IIS) Manager console.

The RPC Proxy Web site is now ready to accept secure inbound requests. The next step is to create the Web Publishing Rule to allow inbound access to the RPC over HTTP site.

Step 8: Create a Web Publishing Rule using the OWA Wizard and add the RPC site to the Destination Set

We can use an OWA Web Publishing rule to simplify creating the secure Web Publishing rule that allows inbound access to the RPC over HTTP Web site. The OWA Web Publishing Rule will configure many elements of the secure publishing rule. However, we will need to customize the Destination Set created by the rule.

Perform the following steps to create the Web Publishing rule:

  1. Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then expand the Publishing node.
  2. Right click on the Web Publishing Rules node and then point to New. Click on Publish Outlook Web Access Server.
  3. On the Welcome to the Outlook Web Access Publishing Wizard page, enter a name for the rule in the Outlook Web Access Server rule name text box. In this example, we will name the rule RPC Proxy. Click Next.
  4. On the Name of Published Server page, enter the name of the RPC over HTTP Web site. This is the common name on the certificate bound to the Web site. In this example, the common name on the Web site certificate is owa.msfirewall.org, so we will enter that name into the Internal name or IP address of the Outlook Web Access Server text box. Place a checkmark in the Use an SSL connection from the ISA Server to the Outlook Web Access Server checkbox. Click Next.
  5. On the Listeners page, enter the URL that external users will use to access the Web site. This is the URL that is entered into the Outlook 2003 RPC over HTTP configuration page. In this example, we will configure the public DNS to enable access using the URL https://owa.msfirewall.org. We will enter https://owa.msfirewall.org in the Outlook Web Access site URL text box. Click Next.
  6. On the Secure Connection from Client page, put a checkmark in the Enable SSL. Client must use SSL to connect to the ISA Server checkbox. Click the Select button. In the Select Certificate dialog box, select the Web site certificate for the Web site. In this example, the certificate is for the owa.msfirewall.org Web site, so we will select that certificate. Click OK in the Select Certificate dialog box. Click Next on the Secure Connection from Client page.
  7. Click Finish on the Completing the Outlook Web page.
  8. Select the Save the changes and restart the service(s) option and click OK on the ISA Server Warning dialog box.

The next step is to customize the Destination Set created by the Web Publishing Rule to support access to the RPC over HTTP directory:

  1. In the ISA Management console, expand the Policy Elements node and click on the Destination Sets node. Double click on the RPC Proxy entry in the right pane of the console.
  2. On the RPC Proxy Properties dialog box, click the Destinations tab. On the Destinations tab, click the Add button.
  3. On the Add/Edit Destination dialog box, select the Destination option and enter the name of the RPC over HTTP Web site. In this example, the Web site answers to the name owa.msfirewall.org. We will enter owa.msfirewall.org in the Destination text box. In the Path text box, enter /rpc*. Click OK in the Add/Edit Destination dialog box.
  4. In the RPC Proxy Properties dialog box, click on one of the entries created by the OWA Web Publishing Wizard and click Remove. Remove each of the entries created by the Wizard, so that the only remaining entry is the owa.msfirewall.org /rpc* entry. Click Apply and then click OK in the RPC Proxy Properties dialog box.

We now need to configure the Incoming Web Request listener to support basic authentication. Perform the following steps to configure the ISA Server 2000 firewall to accept basic authentication credentials on the Incoming Web Requests listener:

  1. In the ISA Management console, right click on the server name and click Properties.
  2. On the server Properties dialog box, click the Incoming Web Requests tab. In the list of listeners, select the listener created by the OWA Wizard and click Edit.
  3. On the Add/Edit Listeners dialog box, put a checkmark in the Basic with this domain checkbox. Click Yes in the ISA Server Configuration dialog box warning you that basic credentials are passed in the clear and that you should use SSL.
  4. Click the Select domain button. In the Select Domain dialog box, click the Browse button. Select the internal network domain in the Browse for Domain dialog box. In this example, the domain name is msfirewall.org, so we will select that one. Click OK in the Browse for Domain dialog box.
  5. Click OK in the Select Domain dialog box.
  6. Remove the checkmark from the Integrated checkbox in the Add/Edit Listeners dialog box.
  7. Click OK in the Add/Edit Listeners dialog box.
  8. Click Apply in the server Properties dialog box.
  9. Select the Save the changes and restart the service(s) option and click OK on the ISA Server Warning dialog box.
  10. Click OK in the server Properties dialog box.

The next step is to configure the Registry on the ISA Server 2000 machine to support the RPC over HTTP proxy.

Step 9: Configure the Registry Settings for the RPC over HTTP Service

The Registry on the ISA Server 2000 machine must be configured to support the RPC proxy. The RPC over HTTP proxy service must know the name of the Exchange Server and the name of the Global Catalog server. In our current example, the Exchange Server and the Global Catalog server are on the same machine. For more information on Registry configuration for alternate scenarios, please see the Exchange Server 2003 Deployment Guide.

Perform the following steps to configure the Registry on the ISA Server 2000 machine:

  1. Click Start and then click Run. In the Run dialog box, enter regedit in the Open text box. Click OK.
  2. Navigate to the following Registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

  3. In the right pane of the Registry Editor, double click on the Valid Ports entry.
  4. In the Edit String dialog box, enter the following information:

     ServerNETBIOSName:6001;ServerFQDN:6001;ServerNetBIOSName:6004;ServerFQDN:6004

     The ServerNETBIOSName:6001 entry is the NetBIOS name of the Exchange Server and the ServerFQDN:6001 entry is the fully qualified domain name of the Exchange Server. The ServerNetBIOSName:1-65535 entry is the NetBIOS name of the Global Catalog server. The ServerFQDN:1-65535 entry is the fully qualified domain name of the Global Catalog server. In our current example, we will enter the following line:

     EXCHANGE2003:6001;EXCHANGE2003.msfirewall.org:6001;EXCHANGE2003:1-65535;EXCHANGE2003.msfirewall.org:1-65535

  5. Click OK in the Edit String dialog box.
  6. Restart the ISA Server 2000 firewall computer.
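As an added example (not part of the original article), the Python below builds the Valid Ports string in the format shown above and sanity-checks an existing value before it is pasted into the Registry. The server names and port assignments are the article's lab values; the checks (entry syntax, port range, duplicates, and the presence of both the NetBIOS name and the FQDN for every server) are this example's own.

```python
"""Build and sanity-check the RpcProxy ValidPorts value from Step 9.

Added example, not part of the original article. The entry format is the
one the article shows (host:port or host:low-high, separated by ';'); the
server names are the article's lab names and the checks are this example's
own additions.
"""
import re

# One entry: a host name (NetBIOS or FQDN), a colon, and a port or port range.
ENTRY_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?$")


def build_valid_ports(exchange_netbios, exchange_fqdn, gc_netbios, gc_fqdn,
                      gc_ports="6004"):
    """Return a ValidPorts string for one Exchange server (port 6001) and one
    Global Catalog server, listing both the NetBIOS name and the FQDN of each,
    as the article requires. gc_ports may be a single port or a range."""
    return ";".join([
        f"{exchange_netbios}:6001",
        f"{exchange_fqdn}:6001",
        f"{gc_netbios}:{gc_ports}",
        f"{gc_fqdn}:{gc_ports}",
    ])


def validate_valid_ports(value):
    """Return the list of problems found in a ValidPorts string (empty = OK).

    Checks entry syntax, port numbers within 1-65535, low <= high, duplicate
    entries, and that every server appears both as a NetBIOS name (no dot)
    and as an FQDN, so the proxy accepts whichever form Outlook sends."""
    problems = []
    if not value or not value.strip():
        return ["value is empty"]
    seen, short_names, fqdn_names = set(), set(), set()
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (trailing or doubled ';')")
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            problems.append(f"malformed entry: {entry!r}")
            continue
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            problems.append(f"port out of range in {entry!r}")
        elif lo > hi:
            problems.append(f"reversed range in {entry!r}")
        if entry.lower() in seen:
            problems.append(f"duplicate entry: {entry!r}")
        seen.add(entry.lower())
        host = m["host"].lower()
        (fqdn_names if "." in host else short_names).add(host)
    for short in sorted(short_names):
        if not any(f.startswith(short + ".") for f in fqdn_names):
            problems.append(f"{short}: no FQDN entry for this NetBIOS name")
    for fqdn in sorted(fqdn_names):
        if fqdn.split(".")[0] not in short_names:
            problems.append(f"{fqdn}: no NetBIOS entry for this FQDN")
    return problems


# The article's lab value: Exchange and Global Catalog are the same machine.
LAB_VALUE = build_valid_ports("EXCHANGE2003", "EXCHANGE2003.msfirewall.org",
                              "EXCHANGE2003", "EXCHANGE2003.msfirewall.org",
                              gc_ports="1-65535")

if __name__ == "__main__":
    print(LAB_VALUE)
    print(validate_valid_ports(LAB_VALUE) or "no problems found")
```

validate_valid_ports checks syntax, not policy: a wide range such as the lab's 1-65535 passes, but a production value should list only the ports the proxy actually needs, which is why the template above shows 6004 for the Global Catalog.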

Step 10: Create the HOSTS file setting for the name on the Web site certificate

Although it is not required, you may wish to create a HOSTS file entry on the ISA Server 2000 firewall computer that maps the common name on the RPC over HTTP Web site certificate to the IP address on the internal interface of the ISA Server 2000 firewall computer. This is not required if you have a split DNS infrastructure. If you do not have a split DNS infrastructure or if you are not sure, then create the following HOSTS file entry.

Perform the following steps to create the HOSTS file entry:

  1. Open Windows Explorer and go to %systemroot%\system32\drivers\etc.
  2. Open the hosts file in Notepad.
  3. Enter the line 10.0.1.1 owa.msfirewall.org as seen in the figure below. Make sure to press ENTER at the end of the line.
  4. Close Notepad and save the changes to the file.
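As an added example (not part of the original article), the Python helper below makes the HOSTS file change from Step 10 repeatable: it adds the mapping when it is missing, replaces a stale mapping of the same name to a different address, and guarantees the trailing newline that the "press ENTER" instruction is there to ensure. It works on the file's text rather than the live file so the logic can be exercised offline; the sample content is constructed.

```python
"""Add or correct a HOSTS file mapping such as the '10.0.1.1 owa.msfirewall.org'
line from Step 10, without disturbing the rest of the file.

Added example, not part of the original article. It works on the file's text
(read it, transform it, write it back) so the logic can be exercised offline;
the sample content below is constructed.
"""
import ipaddress


def ensure_hosts_entry(text, ip, hostname):
    """Return (new_text, changed).

    Keeps comments and unrelated lines as they are, removes the host name from
    any line that maps it to a different address (a stale entry would send the
    RPC over HTTP request to the wrong interface), drops duplicate copies, and
    makes sure the file ends with a newline, which is why the article says to
    press ENTER at the end of the line."""
    ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    target = hostname.lower()
    out, found = [], False
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        names = [n.lower() for n in fields[1:]]
        if target not in names:
            out.append(line)                     # unrelated line: keep verbatim
            continue
        if fields[0] == ip and not found:
            out.append(line)                     # correct entry already present
            found = True
            continue
        # wrong address or a duplicate: keep any other names on that line
        others = [n for n in fields[1:] if n.lower() != target]
        if others:
            out.append(f"{fields[0]}\t{' '.join(others)}")
    if not found:
        out.append(f"{ip}\t{hostname}")
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text


if __name__ == "__main__":
    # Constructed sample: the name currently points at a stale address.
    sample = "# constructed sample\n127.0.0.1 localhost\n10.0.9.9 owa.msfirewall.org"
    updated, changed = ensure_hosts_entry(sample, "10.0.1.1", "owa.msfirewall.org")
    print(updated, "changed:", changed)
```

To apply it on the firewall, read %systemroot%\system32\drivers\etc\hosts, pass its contents through ensure_hosts_entry, and write the result back only when changed is True; running it a second time reports no change.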

Step 11: Configure DNS to resolve the RPC over HTTP connection to the external interface of the ISA Server 2000 firewall

A publicly available DNS server must be available to resolve the name of the RPC over HTTP Web site to the IP address on the external interface of the ISA Server 2000 firewall. In the current example, we do not have a public DNS server. Instead, we will manually create a msfirewall.org domain on the branch office DNS server and create a Host (A) record for the entry owa.msfirewall.org.

Perform the following steps to create the Host (A) record on the branch office DNS server (note that these entries match the IP addressing scheme used in our sample test environment):

  1. At the branch office ISA Server 2000 firewall computer, click Start, point to Administrative Tools and click DNS.
  2. In the DNS Management console, expand the server name and right click on the Reverse Lookup Zones node. Click New Zone.
  3. Click Next in the Welcome to the New Zone Wizard dialog box.
  4. On the Zone Type page, select the Primary zone option and click Next.
  5. On the Reverse Lookup Zone Name page, enter 10.0.2 in the Network ID text box and click Next.
  6. Accept the default entry in the Create a new file with this file name text box on the Zone File page and click Next.
  7. Select the Do not allow dynamic updates option on the Dynamic Update page and click Next.
  8. Click Finish on the Completing the New Zone Wizard page.
  9. In the DNS Management console, right click on the Reverse Lookup Zones node. Click New Zone.
  10. Click Next in the Welcome to the New Zone Wizard dialog box.
  11. On the Zone Type page, select the Primary zone option and click Next.
  12. On the Reverse Lookup Zone Name page, enter 192.168.1 in the Network ID text box and click Next.
  13. Accept the default entry in the Create a new file with this file name text box on the Zone File page and click Next.
  14. Select the Do not allow dynamic updates option on the Dynamic Update page and click Next.
  15. Click Finish on the Completing the New Zone Wizard page.

The next step is to create the Forward Lookup Zone and the Host (A) records:

  1. Right click on the Forward Lookup Zones node and click New Zone.
  2. Click Next on the Welcome to the New Zone Wizard page.
  3. On the Zone Type page, select the Primary zone option and click Next.
  4. On the Zone Name page, enter the name for the RPC over HTTP proxy domain. In our example, the domain name is msfirewall.org, so we will enter that in the Zone name text box. Click Next.
  5. Accept the default name for the forward lookup zone on the Zone File page. Click Next.
  6. Select the Do not allow dynamic updates option on the Dynamic Update page. Click Next.
  7. Click Finish on the Completing the New Zone Wizard page.
  8. Right click on the msfirewall.org domain in the left pane of the console and click New Host (A).
  9. In the New Host dialog box, enter the name of the branch office ISA Server 2000 firewall computer in the Name (uses parent domain name if blank) text box. In this example, the name of the ISA Server 2000 firewall at the branch office is REMOTEVPNISA, so we will enter that name. Enter the internal IP address of the ISA Server 2000 firewall computer at the branch office in the IP address text box. In this example, the IP address of the ISA Server 2000 firewall at the branch office is 10.0.2.1, so we shall enter that address. Place a checkmark in the Create associated pointer (PTR) record checkbox. Click Add Host.
  10. Click OK in the DNS dialog box informing you that the record was successfully created.
  11. In the New Host dialog box, enter the host name of the RPC over HTTP Web site in the Name (uses parent domain name if blank) text box. In this example, the Outlook 2003 client connects to the site using the name owa.msfirewall.org, so we will enter owa. Enter the IP address on the external interface of the main office ISA Server 2000 firewall computer in the IP address text box. In this example, that address is 192.168.1.70, so we shall enter that address. Place a checkmark in the Create associated pointer (PTR) record checkbox. Click Add Host.
  12. Click Done in the New Host dialog box.
  13. Right click on the server name in the left pane of the console, point to All Tasks and click Restart.
  14. Close the DNS console on the branch office ISA Server 2000 firewall computer.

The next step is to create an access policy on this ISA Server 2000 firewall that allows outbound access to the HTTPS (SSL) protocol.

Step 12: Create an HTTPS Access Policy

The Outlook 2003 client requires outbound access to TCP port 443 so that it can establish a secure SSL connection with the RPC over HTTP proxy on the main office ISA Server 2000 firewall computer.

Perform the following steps on the branch office ISA Server 2000 firewall to create the outbound SSL access policy:

  1. On the branch office ISA Server 2000 firewall, open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then expand the Access Policy node.
  2. Right click the Protocol Rules node, point to New and click Rule.
  3. On the Welcome to the New Protocol Rule Wizard page, enter a name for the rule in the Protocol rule name text box. In this example, we will create a protocol rule named Outbound SSL and then click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option on the Apply this rule to list. In the Protocols list, put a checkmark in the HTTPS checkbox. Put a checkmark in the Show only selected protocols checkbox. Click Next.
  6. Accept the default selection, Always, on the Schedule page and click Next.
  7. Accept the default selection, Any request, on the Client Type page and click Next.
  8. Click Finish on the Completing the New Protocol Rule Wizard page.

Conclusion

In this document, we went over the procedures required to create an RPC over HTTP connection from an Outlook 2003 client to an Exchange 2003 server from a branch office location protected by an ISA Server 2000 firewall. The RPC over HTTP protocol is extremely useful during those times when you cannot connect to the Exchange Server using a secure Exchange RPC Server Publishing Rule.


I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002407 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! –Tom
