Secure Exchange Connectivity from the Branch Office to the Main Office
Chapter 11
Connecting to the Main Office Exchange Server from the Branch Office using
Secure Exchange RPC Publishing
Contents
Secure Exchange Connectivity from the Branch Office to the Main Office
Chapter 11
Connecting to the Main Office Exchange Server from the Branch Office using
Secure Exchange RPC Publishing
Contents
How
Exchange RPC Publishing Works
Creating
a Supporting DNS Infrastructure
Step
1: Install Windows Server 2003 on the Main Office and Branch Office Machines
Step
2: Install ISA Server 2000 on the Main Office and Branch Office Machines
Step
4: Create the Secure RPC Server Publishing Rule on the Main Office ISA Server
2000 Firewall
Step
5: Configure the Registry on the Main Office ISA Server 2000 to Force Encrypted
RPC Sessions
Step
7: Configure the Outlook 2003 Profile to Connect to the Exchange Server
Branch office Outlook clients can connect to the main office Exchange Server and take advantage of the full functionality provided by the full Outlook MAPI client. Unlike Outlook Web Access, full Outlook MAPI client functionality allows branch office users to take advantage of the entire set of mail and groupware features provided by Exchange Server.
Secure Exchange RPC publishing enables remote users access
the full range of Exchange Services. Some important reasons for considering secure
Exchange RPC publishing include:
· Publishing Exchange RPC services is secure because of the application layer intelligence provided by the Exchange RPC filter
· Data can be encrypted between the branch office client and the Exchange Server. You can force encryption of Outlook client connections by installing ISA Server 2000 Feature Pack 1 on the main office ISA Server 2000 firewall
· Exchange RPC Server Publishing is relatively simple
· Access is limited to mail services only -- not access to the entire network
· Users can continue using their familiar Outlook MAPI client
Traditionally, RPC connections over the Internet have not been considered secure. The RPC filter handles the
connection between the branch office Outlook client and the main office
Exchange Server and creates dynamic packet filters that can
only be used by specific Outlook clients. In addition, the secure
Exchange RPC filter allows only valid Exchange Server related RPC connections; all other RPC connections are dropped by the filter. The RPC
filter is a unique feature that until recently was
found in ISA Server 2000 firewalls.
You can configure the Outlook client to encrypt data using
56-bit MD5 encryption. ISA Server 2000 Feature Pack 1 allows you to configure
the Registry on the ISA Server firewall to force remote Outlook MAPI clients to
use a secure connection. Non-secured connection attempts are
dropped by the ISA Server 2000 firewall.
Exchange RPC publishing is relatively simple. A single
Server Publishing Rule enables your remote Outlook MAPI clients access the
internal Exchange Server. You do not need to create Destination Sets or special
Protocol Definitions. The built-in Exchange RPC Protocol Definition works
together with the RPC filter to provided a protected, secure publishing rule.
In the past branch office users needs a VPN connection to
the corporate network before they could access the Exchange Server to obtain
full Outlook MAPI client access. The drawback of allowing VPN connections to
allow Outlook MAPI client access is that VPN clients have access to the entire
network. Access to the entire network is should not be required in order to
allow users to access resources on the Exchange Server using the Outlook MAPI
client. Enabling users access to the entire network
represents a potential security risk that should be avoided. Secure RPC
Publishing allows the Outlook MAPI client full access to the Exchange services
remote users require without giving them access to any other resource on the
network.
Users often
resist using different email client applications to access Exchange resources when they move between the corporate
network and a remote site. Users prefer the same mail client regardless of
their location when you have standardized on Outlook. Exchange RPC publishing
gives them the ability to use the same familiar interface they use at work
while at home or on the road.
The branch office Outlook MAPI client connects to the
corporate Exchange Server from behind a NAT router or firewall, such as ISA
Server 2000. The branch office Outlook MAPI connection can work in both
scenarios.
The following communications take place when Outlook is opened:
1. Outlook establishes a connection to TCP port 135 on the external interface of the ISA Server. Included in this connection request are the Exchange Server specific UUIDs.
2. The ISA Server’s Exchange RPC filter intercepts the request and forwards it to the internal network Exchange Server.
3. The main office network Exchange Server responds to the request by sending a port number on which the Outlook client can send its messages. The Exchange RPC filter on the ISA Server intercepts this response and opens a dynamic packet filter on its external interface. The dynamic packet filter assigns a port on the external interface of the ISA Server on which only this particular Outlook client can communicate. Any other Internet host will not be able to use that port for inbound access The ISA Server maps this port on its external interface to the port number the Exchange Server expects to receive messages from the Internet Outlook client. In addition, when the Outlook client logs on, it registers a port on which is can receive new mail notification messages from the Exchange Server. The ISA Server RPC filter also registers this port number, creates a dynamic packet filter, and passes the new mail notification messages from the Exchange Server to the Internet Outlook client.
4. The ISA Server forwards the response from the Exchange Server. The Outlook client receives the port number on the external interface of the ISA Server to which it can send its messages to the Exchange Server.
5. The Outlook client establishes a connection to the mapped port on the external interface of the ISA Server and through that port connects to the internal network Exchange Server.
Check out the
diagram below to see the sequence of events.
Note:
For a deeper technical explanation of how the Exchange RPC filter works, please
refer to TechNet articles Microsoft ISA
Server 2000 - Configuring and Securing Microsoft Exchange 2000 Server and
Clients and Protecting Windows RPC
Traffic
The DNS infrastructure must be designed in a way that allows the Outlook MAPI client to correctly resolve the name of the Exchange Server regardless of its location. The user should never need to reconfigure the Outlook client settings based on his location. Outlook should “just work” whereever the client system is located.
The ideal DNS configuration is the split DNS infrastructure. The split DNS infrastructure requires that you maintain two separate DNS zones for the same domain. One of these zones supports internal or main office network clients and the other zone supports external or branch office network clients. These two zones service the same domain or domains. The difference is that resource records on the internal DNS zone contain the private IP address of the Exchange Server and the external DNS zone has the public IP address remote users use to connect to your published Exchange Server.
The figure below shows the different paths Outlook clients take to access an Exchange Server via Exchange RPC.
1. The
branch office Outlook client is configured to connect
to an Exchange Server named exchange2003.
The client fully qualifies the name to exchange2003.msfirewall.org
and sends the request to a public DNS server. The public DNS server returns to
the branch office Outlook client the IP address on the external interface of
the ISA Server 2000 firewall that is used by the
secure RPC Server Publishing Rule at the main office network.
2. The
branch office Outlook client sends the RPC connection request to the external
address of the ISA Server 2000 firewall at the main office. The secure RPC
Server Publishing Rule forwards the request to the Exchange Server on the main
office network.
3. The
Outlook client located at the main office is configured
to connect to the same Exchange server. The main office Outlook client fully
qualifies the name and sends a DNS query to the main office DNS server for exchange2003.msfirewall.org. The main
office DNS server returns to the Outlook client the internal network IP address
of the Exchange Server.
4. The
main office Outlook client connects directly to the Exchange Server on the main
office network. The client does not loop back through the ISA Server 2000
firewall. The split DNS infrastructure prevents overloading the firewall with
internal network client requests for internal network resources.
You can access the Exchange Server via a secure Exchange
RPC publishing rule by using local host name resolution if your organization
does not use the same domain name for resources that are accessible both
internally and externally. In this case, you need to create a HOSTS file entry
with the NetBIOS name of the Exchange Server computer (sometimes referred to as
the “computer name”). You do not need to include the FQDN of the Exchange
Server in the HOSTS file; only the NetBIOS name is required. The primary
drawback of this approach is that you need to change the IP address in the
HOSTS file depending on whether the Outlook client is located on the main
office or branch office network.
The host name portion (the leftmost name or “label”) of the FQDN must be the same as the computer name of the Exchange Server published via the secure Exchange RPC Server Publishing Rule. In addition, the Outlook MAPI client must be configured to use the computer name of the Exchange Server and be able to fully qualify the name correctly.
In order for the Outlook client computer to correctly fully qualify the single label, NetBIOS name of the Exchange Server, the client operating system must use a primary domain name or an adapter specific domain name. In addition, Outlook 2000 clients will need to be able to resolve the name of its Global Catalog server to the same IP address used to publish the Exchange RPC server. The Global Catalog Server’s name will also need to placed in the public DNS in the same domain as the Exchange Server’s name.
The figure below shows the name resolution process for two Outlook clients:
1. A branch office Outlook client is configured with a primary domain name of msfirewall.org. When this Outlook client connects to the Exchange Server on the main office network, it fully qualifies the NetBIOS name of the Exchange Server with its primary domain name. A query for NetBIOS_name.msfirewall.org is sent to a public DNS server. The public DNS server returns the IP address on the external interface of the ISA Server 2000 firewall that is publishing secure Exchange RPC.
2. The branch office Outlook client sends an Exchange RPC request to the ISA Server 2000 firewall at the main office. The secure Exchange RPC Server Publishing Rule forward the request to the Exchange Server on the main office network.
3. A second Outlook client is not configured with a primary domain name that it can use to append to unqualified names, such as the Exchange Server’s NetBIOS name. This Outlook client cannot issue a DNS query, so it sends a NetBIOS name query broadcast to the local branch office network segment. The Outlook client is unable to resolve the name to an IP address and the connection attempt fails.
Secure Exchange RPC publishing is a viable alternative for clients that are not able to connect to the main office via a site to site VPN link. The branch office Outlook clients derive the same high level of functionality as those who connect directly to the Exchange Server over a site to site VPN connection.
The following procedures are required to create the secure Exchange RPC connection:
· Step 1: Install Windows Server 2003 on the main office and branch office machines
· Step 2: Install ISA Server 2000 on the main office and branch office machines
· Step 3: Install the Microsoft DNS server on the branch office machine and configure the Exchange Public DNS Records
· Step 4: Create the RPC Server Publishing Rule on the main office ISA Server 2000 firewall
· Step 5: Configure the Registry on the Main Office ISA Server 2000 to force encrypted RPC sessions
· Step 6: Configure an RPC Protocol Rule at the branch office to enable outbound RPC sessions for SecureNAT and Firewall clients
· Step 7: Configure the Outlook 2003 profile to connect to the Exchange Server
· Step 8: Make the Connection
The first step is to install Windows Server 2003 on the
machines that will act as the main office and branch office ISA Server 2000
firewalls. The machines should meet the hardware requirements for both Windows
Server 2003 and ISA Server 2000. The table below shows the hardware
requirements for the Standard,
|
Windows Server 2003 System Requirements |
|||
|
Requirement |
Standard |
|
Datacenter |
|
Recommended CPU |
550 MHz |
733 MHz |
733 MHz |
|
Recommend Minimum RAM |
256 MB |
256 MB |
1 GB |
|
Multiprocessor Support |
Up to 4 |
Up to 8 |
Max 64 |
|
Disk Space for Setup |
1.5 GB |
1.5 GB |
1.5 GB |
The lab scenario used in this document is described in the table and figure below.
|
Lab Network Details |
|||||
|
Setting |
EXCHANGE |
LOCALHOST |
LOCALVPNISA |
REMOTEVPN |
REMOTEHOST |
|
IP Address |
10.0.1.2 |
10.0.1.3 |
Int: 10.0.1.1 Ext: 192.168.1.70 |
Int: 10.0.2.1 Ext: 192.168.1.71 |
10.0.2.2 |
|
Default Gateway |
10.0.1.1 |
10.0.1.1 |
192.168.1.60 |
192.168.1.60 |
10.0.2.1 |
|
DNS |
10.0.1.2 |
10.0.1.2 |
10.0.1.2 |
10.0.2.1 |
10.0.2.1 |
|
WINS |
10.0.1.2 |
10.0.1.2 |
10.0.1.2 |
|
|
|
Services |
DC DNS WINS DHCP |
None |
ISA Server 2000 |
ISA Server 2000 DNS |
|
Note that multiple network services are installed on the domain controller on the main office network. These services are typical services that would be maintained on a main office network. The DNS service is required by Active Directory.
The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), we will make the branch office client a SecureNAT client to demonstrate the functionality of the RPC Protocol Rule that enables the SecureNAT client full MAPI access to the Exchange Server on the main office network.
In the current example, the REMOTEHOST is the Outlook 2003 client. The LOCALHOST computer will not be used.
The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office firewall machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).
In the current example, we will install and configure a DNS server on the branch office ISA Server 2000 firewall computer and use it to simulate a public DNS server. In a production network, you would configure a public DNS server to host the public component of your split DNS infrastructure.
Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point, the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.
In this example, we will enter the public address used to resolve the name of the Exchange Server on the main office network to the external IP address on the main office ISA Server 2000 firewall. We are doing this for sake of simplicity for our lab configuration. In a production environment, the name used to connect to the Exchange Server is resolved by using public DNS servers.
You need to configure a forward and reverse lookup zone on the DNS server to resolve the name of the Exchange Server to the IP address on the external interface of the ISA Server 2000 firewall at the main office.
Perform the following steps to create the reverse lookup zone:
1. Click Start and point to Administrative Tools. Click DNS.
2. Expand the server name in the left pane of the console and then right click on the Reverse Lookup Zones node. Click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select the Primary zone option and click Next.
5. On the Reverse Lookup Zone Name page, select the Network ID option and enter 10.0.2 in the Network ID text box. This is the network ID of the internal interface of the ISA Server 2000 firewall at the branch office network. Click Next.
6. On the Zone File page, accept the default zone file name and click Next.
7. On the Dynamic Update page, use the default setting, Do not allow dynamic updates, and click Next.
8. Click Finish on the Completing the New Zone Wizard page.
9. Right click on the Reverse Lookup Zones node. Click New Zone.
10. Click Next on the Welcome to the New Zone Wizard page.
11. On the Zone Type page, select the Primary zone option and click Next.
12. On the Reverse Lookup Zone Name page, select the Network ID option and enter 192.168.1 in the Network ID text box. This is the network ID of the external interface of the ISA Server 2000 firewall at the main office network. Click Next.
13. On the Zone File page, accept the default zone file name and click Next.
14. On the Dynamic Update page, use the default setting, Do not allow dynamic updates, and click Next.
15. Click Finish on the Completing the New Zone Wizard page.
The next step is to create the forward lookup zone for the public component of the split DNS infrastructure. In our current example, the main office network hosts the private component of the split DNS infrastructure. Our DNS server at the branch office network will host the public component. Remember, in a production environment, the public component of the split DNS infrastructure would be hosted on the public DNS server.
Perform the following steps to configure the forward lookup zone:
1. Right click the Forward Lookup Zone node in the left pane of the DNS console and click New Zone.
2. Click Next on the Welcome to the New Zone Wizard page.
3. On the Zone Type page, select the Primary zone option and click Next.
4. On the Zone Name page, enter the name of the domain in the Zone name text box. Click Next.
5. Accept the default zone file name on the Zone File page and click Next.
6. Accept the default selection, Do not allow dynamic updates, on the Dynamic Update page. Click Next.
7. Click Finish on the Completing the New Zone Wizard page.
8. Right click on the msfirewall.org forward lookup zone and click New host (A). In the New Host dialog box, enter the name of the branch office ISA Server 2000 firewall in the Name (uses parent domain name if blank) text box. Enter the internal IP address of the branch office ISA Server 2000 firewall in the IP address text box. In this example, the name of the ISA Server 2000 firewall at the branch office is REMOTEVPNISA and the IP address is 10.0.2.1. We will enter those addresses in the text boxes and click Add Host.
9. Click OK on the DNS dialog box.
10. Right click on the msfirewall.org forward lookup zone and click New host (A). In the New Host dialog box, enter the NetBIOS name of the Exchange Server on the main office network in the Name (uses parent domain name if blank) text box. Enter the external IP address of the main office ISA Server 2000 firewall in the IP address text box. In this example, the name of the Exchange Server at the main office is EXCHANGE2003 and the IP address is 192.168.1.70. We will enter those addresses in the text boxes and click Add Host.
11. Click OK on the DNS dialog box.
12. Click Done in the New Host dialog box.
13. Right click on the server name in the left pane of the console, point to All Tasks and click Restart.
The next step is to create the secure RPC Server Publishing Rule on the main office ISA Server 2000 firewall machine.
The Exchange RPC Server Publishing Rule uses a Protocol Definition provided by the RPC Application filter. If you disable the Application Filter, you lose the Protocol Definition, so confirm that the filter is enabled. You can check the status of the RPC Filter in the Application Filters node under the Extensions node in the left pane of the ISA Management console.
Perform the following steps to create a secure Outlook MAPI client access Server Publishing Rule:
1. In the ISA Management Console, expand your server or array name and then expand the Publishing node. Right click on the Server Publishing Rule node, point to New and click Rule.
2. Enter a name for the secure Exchange RPC Server Publishing rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page. Click Next.
3. On the Address Mapping page, type in the IP address of the Exchange Server on the internal network. Click the Browse button and select the IP address on the external interface of the ISA Server 2000 firewall that you want to use to accept the incoming requests from the remote Outlook MAPI clients.
4. Click Next after entering the IP addressing information on the Address Mapping page. Click Next.
5. On the Protocol Settings page, select the Exchange RPC Server rule and click Next.
6. On the Client Type page, select Any Request and click Next.s
7. On the final page of the Wizard, click Finish.
The rule will take effect soon after you click Finish. If you want the rule to be applied immediately, restart the Firewall service.
All communications over a public network should be encrypted. You can force only encrypted connections to the Exchange Server via the secure Exchange RPC Server Publishing rule by configuring the Registry of the ISA Server 2000 firewall computer. This option is only available on ISA Server 2000 firewalls that have ISA Server 2000 Feature Pack 1 installed.
Perform the following step to configure the Registry on the main office ISA Server 2000 firewall:
1. Click Start and then click the Run command. In the Run dialog box, enter regedit in the Open text box and click OK.
2. In the Registry Editor, expand HKEY_LOCAL_MACHINE, then expand Software. Expand Microsoft, and then expand FPC. Click PluginRPC.
3. In the right pane of the Registry Editor, right-click MinimumAuthenticationLevel, and then click Modify.
4. In Value data, type:
1 to disable forced encryption.
6 to enforce encryption
5. Close the Registry Editor and restart the ISA Server 2000 firewall computer.
The next step is to create an RPC Protocol Rule at the branch office.
You can create a
simple Protocol Rule that allows the Outlook MAPI client outbound access
through the ISA Server 2000 firewall. Perform the following steps to create the
Protocol Rule:
1. Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Expand the Access Policy node and right click on the Protocols node. Point to New and click on Rule.
2. Type in a name for the Protocol Rule in the Protocol rule name text box on the Welcome to the New Protocol Wizard page. Click Next.
3. Select the Allow option on the Rule Action page. Click Next.
4. On the Protocols page, select the Selected protocols option in the Apply this rule to drop down list. Select the RPC protocol from the list of Protocols. Click Next.
5. Select a schedule from the Use this schedule drop down list. In this example we’ll use the Always schedule. Click Next.
6. On the Client Type page, select the Any request option and click Next.
7. Review your settings on the Completing the New Protocol Rule Wizard page and click Finish.
The new Protocol Rule will appear in the right pane of the console.
The Outlook client on the branch office network must be configured with an Exchange profile to connect to the Exchange Server on the main office network.
Perform the following steps to create the Outlook profile:
1. On the Outlook 2003 client computer, click Start and right click on the Outlook icon. Click Properties.
2. Click the Show Profiles button on the Mail Setup dialog box.
3. In the Mail dialog box, click the Add button.
4. In the New Profile dialog box, enter a name to identify the profile and click OK.
5. In the E-mail accounts dialog box, select the Add a new e-mail account option and click Next.
6. On the Server Type page, select the Microsoft Exchange Server option and click Next.
7. On the Exchange Server Settings page, enter the NetBIOS name of the Exchange Server in the Microsoft Exchange Server text box. Put a checkmark in the Use Cached Exchange Mode checkbox. In the User Name text box, enter the Exchange user name. Click the Check Name button. You will be presented with a log on dialog box. Enter your user name and password and click OK. Notice that the NetBIOS name you entered into the Microsoft Exchange Server text box changes to the fully qualified domain name of the Exchange server.
8. Click the More Settings button. In the Microsoft Exchange Server dialog box, put a checkmark in the Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server. Click Apply and then click OK.
9. Click Next on the Exchange Server Settings page.
10. Click Finish on the Congratulations! page.
11. On the Mail dialog box, select the Prompt for a profile to be used option, click Apply and then click OK.
Note that the Outlook client must be configured with a domain name to append to the Exchange Server name. This can be accomplished by configuring the machine with a primary domain name, a DNS server suffix search list, an adapter specific domain name, or via a DHCP scope option.
In the next step we will make the connection to the Exchange Server using secure Exchange RPC.
Now we can test the connection using the new Outlook profile.
Perform the following steps to connect to the Exchange Server using secure Exchange RPC:
1. Click Start and click the Outlook icon in the Start menu.
2. Select your profile from the list in the Choose Profile dialog box. Click OK.
3. Enter your user name and password in the Connect to EXCHANGE dialog box. Click OK.
4. It will take some time to synchronize your mailbox with the Exchange Server. Allow Outlook to prepare itself for first use.
5. Hold down the CTRL key on the keyboard and right click on the Outlook icon in the system tray, and click the Connection Status command.
6. You will see the RPC connections in the Exchange Server Connection Status dialog box. You can also use the Reconnect button if you ever find that you’ve lost your connection to the Exchange Server. Close the Exchange Server Connection Status window.
In this document we went over the procedures required to create a secure Exchange RPC connection from an Outlook client at the branch office to the main office using a secure Exchange Server Publishing Rule at the main office and a RPC Protocol Rule at the branch office. ISA Server 2000 secure RPC Publishing enables Outlook clients at the branch office to connect to the main office without requiring a VPN connection, and without losing any Outlook functionality.