Beginning with Exchange Server 2003 and Outlook 2003, users can use their Outlook with full functionality over the Internet. Outlook 2003 is a full MAPI Client which uses RPC to communicate with the Exchange Server. This is definitely not Firewall friendly so Microsoft developed a technology called RPC over HTTPS. Using RPC over HTTPS, RPC packets will be tunnelled through HTTPS so you only need to open the HTTPS Port on the Firewall.
Exchange 2007 has changed the name from RPC over HTTPS to Outlook Anywhere but the technique is the same.
On Exchange Server site
First, the RPC over HTTPS Proxy component must be installed on the Exchange Server.
Figure 1: Install the RPC over HTTPS Proxy
Open the Exchange Management Console and enable Outlook Anywhere under the Client Access role in the Server Configuration container.
Figure 2: Enable Outlook Anywhere
Select the External authentication methods. For this example we select Basic Authentication.
If you are using ISA Server 2006 as the Firewall it is possible to select NTLM authentication, so the password prompt, if users open Outlook 2007, is gone (this is also possible with Outlook 2003 and Exchange Server 2003).
Figure 3: Select Authentication method
On IIS Site
The installation of the RPC over HTTPS proxy components creates a new Virtual Directory in IIS called RPC. You must enable SSL for this Directory and activate Integrated Windows Authentication or Basic Authentication depending on the Authentication selection in Exchange Server 2007.
Figure 4: Enable SSL and Authentication
Split DNS or HOSTS file?
The Public Name RPC.IT-TRAININGR-GROTE.DE in the RPC Web listener must be resolvable to the internal Exchange Server IP Address, so you have two options:
- Split-DNS or
- HOSTS file
If you are using Split DNS you must create a new Forward Lookup zone in DNS named IT-TRAINING-GROTE.DE. Second you must create a new A-record named RPC in the new Forward Lookup zone with the IP Address of the internal Exchange Server.
If you are using the HOSTS file you only need to extend the file with an entry like this:
IP address of the Exchange Server RPC.IT-TRAINING-GROTE.DE
Figure 5: Modify HOSTS file
The next step is to request a certificate for the RPC Listener on ISA Server because we are using HTTPS-Bridging. ISA Server terminates the SSL connection from the Outlook 2007 client, inspects the traffic and encrypts the connection to the Exchange Server again. The common name (CN) of the requested certificate must match the Name of the Server that Outlook 2007 clients use in the Outlook profile. In this example the Public FQDN is RPC.IT-TRAINING-GROTE.DE so the CN of the certificate must be RPC.IT-TRAINING-GROTE.DE. You can request certificates via the CA servers webconsole (http://caservername/certsrv). You must request a Webserver certificate as shown in the following figure.
Depending on your ISA Server Firewall rules, you must create a Firewall rule that allows HTTP or HTPS access from your ISA Server to the CA Server.
Figure 6: Request a certificate for ISA
Now it is time to create the Exchange Webclient Access Publishing rule.
Start the ISA MMC click - New - Exchange Webclient Access Publishing Rule. Name the rule and select the Exchange Version and that you want to publish Outlook Anywhere.
Figure 7: Select Outlook Anywhere
Select Publish a Single Website or load balancer
In the next window of the Wizard select the option Use SSL to connect to the published Web server or server farm.
Enter the Name of the Internal Site Name. You can specify a NetBIOS servername or DNS FQDN.
Next you must enter the Public Name that RPC over HTTPS users with Outlook 2007 must use when they want to access the Exchange Server with Outlook 2007 from the Internet. You can see the configuration in the next figure.
Figure 8: Enter the Public name
New Web listener
The next step in the wizard is to create a Web listener. ISA Server uses Web listeners to listen for incoming requests that match the Listeners' settings. A Web listener is a combination of an IP address, a Port and, when you use SSL, a certificate. You must give the Web listener a unique name.
In the next window of the Wizard select Require SSL secured connections with clients.
You must specify the Web Listener IP Address. If the request comes from the Internet you must select the External Network. If your ISA Server has more than one IP Address bound to the External Network Interface you can select the IP Address used for Outlook Web Access.
Figure 9: Select the Network Listener
Select the Certificate that you had requested from the internal CA server and click Next.
Figure 10: Select a certificate
Select HTTP Authentication from the dropdown field and select Basic as the Authentication method.
Figure 11: Specify Authentication settings
In the Authentication Delegation dialogue box select Basic Authentication.
Figure 12: Select Authentication Delegation
The last step in the Wizard is to specify the user group for which the Firewall rule applies to. The default setting is “All Authenticated Users”.
Finish the Wizard and Click Apply to save the settings.
After creating the RPC rule you should change some settings:
- Change “Requests appears to come from the original Client” in the “To” Tab
- Enable “Require 128 Bit encryption for HTTPS Traffic” in the “Traffic” Tab
Test the Client Connection
After successfully configuring Exchange Server 2007 and the RPC Publishing rule you can test the connection from one of your clients. For this article the client is a Windows XP Service Pack 2 machine with Office 2007 Beta 2 installed.
You must create a new e-mail profile for the user. After creating the profile you must configure Outlook Anywhere by activating Connect to my Exchange Mailbox using HTTP.
Figure 13: Activating Outlook Anywhere in Outlook 2007
The public name is rpc.it-training-grote.de, the Proxy authentication setting is Basic Authentication.
Figure 14: Configuring Outlook Anywhere in Outlook 2007
After the Mail profile is configured you should be successfully logged on to the Exchange Server.
Figure 15: Outlook 2007 connection with HTTPS
Outlook Anywhere in Exchange Server 2007 is a nice feature to support full Outlook 2007 client functionality over the Internet. Outlook Anywhere published over ISA Server 2006 is the ideal solution to secure access to your LAN.