Secure Exchange Connectivity from the Branch Office to the Main Office

Chapter 11
Connecting to the Main Office Exchange Server from the Branch Office using Secure Exchange RPC Publishing

Contents


Introduction

How Exchange RPC Publishing Works

Creating a Supporting DNS Infrastructure

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 Firewall and Configure the Public DNS Record

Step 4: Create the Secure RPC Server Publishing Rule on the Main Office ISA Server 2000 Firewall

Step 5: Configure the Registry on the Main Office ISA Server 2000 to Force Encrypted RPC Sessions

Step 6: Configure an RPC Protocol Rule at the Branch Office to Enable Outbound RPC Sessions for SecureNAT and Firewall Clients

Step 7: Configure the Outlook 2003 Profile to Connect to the Exchange Server

Step 8: Make the Connection

Conclusion


Introduction

Branch office Outlook clients can connect to the main office Exchange Server and use the full functionality of the Outlook MAPI client. Unlike Outlook Web Access, the full Outlook MAPI client gives branch office users the entire set of mail and groupware features provided by Exchange Server.

Secure Exchange RPC publishing enables remote users to access the full range of Exchange services. Some important reasons for considering secure Exchange RPC publishing include:

·         Publishing Exchange RPC services is secure because of the application layer intelligence provided by the Exchange RPC filter

·         Data can be encrypted between the branch office client and the Exchange Server. You can force encryption of Outlook client connections by installing ISA Server 2000 Feature Pack 1 on the main office ISA Server 2000 firewall

·         Exchange RPC Server Publishing is relatively simple

·         Access is limited to mail services only -- not access to the entire network

·         Users can continue using their familiar Outlook MAPI client

Traditionally, RPC connections over the Internet have not been considered secure. The RPC filter handles the connection between the branch office Outlook client and the main office Exchange Server and creates dynamic packet filters that can only be used by specific Outlook clients. In addition, the secure Exchange RPC filter allows only valid Exchange Server related RPC connections; all other RPC connections are dropped by the filter. The RPC filter is a feature that, until recently, was unique to ISA Server 2000 firewalls.

You can configure the Outlook client to encrypt data using 56-bit MD5 encryption. ISA Server 2000 Feature Pack 1 allows you to configure the Registry on the ISA Server firewall to force remote Outlook MAPI clients to use a secure connection. Non-secured connection attempts are dropped by the ISA Server 2000 firewall.

Exchange RPC publishing is relatively simple. A single Server Publishing Rule enables your remote Outlook MAPI clients to access the internal Exchange Server. You do not need to create Destination Sets or special Protocol Definitions. The built-in Exchange RPC Protocol Definition works together with the RPC filter to provide a protected, secure publishing rule.

In the past, branch office users needed a VPN connection to the corporate network before they could obtain full Outlook MAPI client access to the Exchange Server. The drawback of using VPN connections for Outlook MAPI client access is that VPN clients have access to the entire network. Access to the entire network should not be required for users to reach resources on the Exchange Server with the Outlook MAPI client, and giving users access to the entire network represents a potential security risk that should be avoided. Secure RPC Publishing gives the Outlook MAPI client full access to the Exchange services remote users require without giving them access to any other resource on the network.

Users often resist using different email client applications to access Exchange resources when they move between the corporate network and a remote site. When you have standardized on Outlook, users prefer the same mail client regardless of their location. Exchange RPC publishing gives them the ability to use the same familiar interface they use at work while at home or on the road.

How Exchange RPC Publishing Works

The branch office Outlook MAPI client connects to the corporate Exchange Server from behind a NAT router or a firewall such as ISA Server 2000. The branch office Outlook MAPI connection works in both scenarios.

The following communications take place when Outlook is opened:

1.       Outlook establishes a connection to TCP port 135 on the external interface of the ISA Server. Included in this connection request are the Exchange Server specific UUIDs.

2.       The ISA Server’s Exchange RPC filter intercepts the request and forwards it to the internal network Exchange Server.

3.       The main office network Exchange Server responds to the request by sending a port number on which the Outlook client can send its messages. The Exchange RPC filter on the ISA Server intercepts this response and opens a dynamic packet filter on its external interface. The dynamic packet filter assigns a port on the external interface of the ISA Server on which only this particular Outlook client can communicate; no other Internet host is able to use that port for inbound access. The ISA Server maps this port on its external interface to the port number on which the Exchange Server expects to receive messages from the Internet Outlook client. In addition, when the Outlook client logs on, it registers a port on which it can receive new mail notification messages from the Exchange Server. The ISA Server RPC filter also registers this port number, creates a dynamic packet filter, and passes the new mail notification messages from the Exchange Server to the Internet Outlook client.

4.       The ISA Server forwards the response from the Exchange Server. The Outlook client receives the port number on the external interface of the ISA Server to which it can send its messages to the Exchange Server.

5.       The Outlook client establishes a connection to the mapped port on the external interface of the ISA Server and through that port connects to the internal network Exchange Server.

Check out the diagram below to see the sequence of events.


Note: For a deeper technical explanation of how the Exchange RPC filter works, please refer to the TechNet articles Microsoft ISA Server 2000 - Configuring and Securing Microsoft Exchange 2000 Server and Clients, and Protecting Windows RPC Traffic.

Creating a Supporting DNS Infrastructure

The DNS infrastructure must be designed in a way that allows the Outlook MAPI client to correctly resolve the name of the Exchange Server regardless of its location. The user should never need to reconfigure the Outlook client settings based on his location. Outlook should “just work” wherever the client system is located.

The ideal DNS configuration is the split DNS infrastructure. The split DNS infrastructure requires that you maintain two separate DNS zones for the same domain. One of these zones supports internal or main office network clients and the other zone supports external or branch office network clients. These two zones service the same domain or domains. The difference is that resource records on the internal DNS zone contain the private IP address of the Exchange Server and the external DNS zone has the public IP address remote users use to connect to your published Exchange Server.

The figure below shows the different paths Outlook clients take to access an Exchange Server via Exchange RPC.

1.       The branch office Outlook client is configured to connect to an Exchange Server named exchange2003. The client fully qualifies the name to exchange2003.msfirewall.org and sends the request to a public DNS server. The public DNS server returns to the branch office Outlook client the IP address on the external interface of the ISA Server 2000 firewall that is used by the secure RPC Server Publishing Rule at the main office network.

2.       The branch office Outlook client sends the RPC connection request to the external address of the ISA Server 2000 firewall at the main office. The secure RPC Server Publishing Rule forwards the request to the Exchange Server on the main office network.

3.       The Outlook client located at the main office is configured to connect to the same Exchange server. The main office Outlook client fully qualifies the name and sends a DNS query to the main office DNS server for exchange2003.msfirewall.org. The main office DNS server returns to the Outlook client the internal network IP address of the Exchange Server.

4.       The main office Outlook client connects directly to the Exchange Server on the main office network. The client does not loop back through the ISA Server 2000 firewall. The split DNS infrastructure prevents overloading the firewall with internal network client requests for internal network resources.

You can access the Exchange Server via a secure Exchange RPC publishing rule by using local host name resolution if your organization does not use the same domain name for resources that are accessible both internally and externally. In this case, you need to create a HOSTS file entry with the NetBIOS name of the Exchange Server computer (sometimes referred to as the “computer name”). You do not need to include the FQDN of the Exchange Server in the HOSTS file; only the NetBIOS name is required. The primary drawback of this approach is that you need to change the IP address in the HOSTS file depending on whether the Outlook client is located on the main office or branch office network.

The host name portion (the leftmost name or “label”) of the FQDN must be the same as the computer name of the Exchange Server published via the secure Exchange RPC Server Publishing Rule. In addition, the Outlook MAPI client must be configured to use the computer name of the Exchange Server and be able to fully qualify the name correctly.

In order for the Outlook client computer to correctly fully qualify the single label, NetBIOS name of the Exchange Server, the client operating system must use a primary domain name or an adapter specific domain name. In addition, Outlook 2000 clients will need to be able to resolve the name of their Global Catalog server to the same IP address used to publish the Exchange RPC server. The Global Catalog Server’s name will also need to be placed in the public DNS in the same domain as the Exchange Server’s name.

The figure below shows the name resolution process for two Outlook clients:

1.       A branch office Outlook client is configured with a primary domain name of msfirewall.org. When this Outlook client connects to the Exchange Server on the main office network, it fully qualifies the NetBIOS name of the Exchange Server with its primary domain name. A query for NetBIOS_name.msfirewall.org is sent to a public DNS server. The public DNS server returns the IP address on the external interface of the ISA Server 2000 firewall that is publishing secure Exchange RPC.

2.       The branch office Outlook client sends an Exchange RPC request to the ISA Server 2000 firewall at the main office. The secure Exchange RPC Server Publishing Rule forwards the request to the Exchange Server on the main office network.

3.       A second Outlook client is not configured with a primary domain name that it can use to append to unqualified names, such as the Exchange Server’s NetBIOS name. This Outlook client cannot issue a DNS query, so it sends a NetBIOS name query broadcast to the local branch office network segment. The Outlook client is unable to resolve the name to an IP address and the connection attempt fails.
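The following Python snippet is an added example, not part of the deployment kit, that models the name qualification and split DNS lookup just described: a single-label server name is qualified with the client's primary domain name or DNS suffix search list and looked up in whichever view of the zone the client's location sees, and a consistency check confirms that the public view maps the Exchange FQDN to the address used by the publishing rule while the internal view gives the Exchange Server's own address. The zone data is constructed from the lab addresses and the function names are assumptions.

```python
"""Split DNS model for the Exchange RPC publishing scenario (constructed example)."""

# Constructed zone data modelled on the lab: one zone name, two views of it.
INTERNAL_VIEW = {"exchange2003.msfirewall.org": "10.0.1.2"}    # main office DNS server
PUBLIC_VIEW = {"exchange2003.msfirewall.org": "192.168.1.70"}  # public DNS server
PUBLISHED_IP = "192.168.1.70"   # external interface used by the RPC Server Publishing Rule
EXCHANGE_COMPUTER_NAME = "EXCHANGE2003"


def qualify(name, primary_suffix=None, search_list=()):
    """Return the FQDN candidates a Windows client tries for a single-label name.

    With no primary suffix and no search list the result is empty: the client
    falls back to a NetBIOS broadcast on its own segment, which never reaches
    the main office, so the connection attempt fails (client 3 above).
    """
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]  # already fully qualified, nothing to append
    suffixes = ([primary_suffix] if primary_suffix else []) + list(search_list)
    return [f"{name}.{suffix.lower()}" for suffix in suffixes]


def resolve(name, view, primary_suffix=None, search_list=()):
    """Resolve through the view the client's location sees.

    Returns (fqdn, ip) on success, or None when Outlook cannot connect.
    """
    for fqdn in qualify(name, primary_suffix, search_list):
        if fqdn in view:
            return fqdn, view[fqdn]
    return None


def check_split_dns(outlook_fqdn, computer_name, internal_view, public_view, published_ip):
    """Return a list of problems with the layout; an empty list means it matches the design."""
    problems = []
    fqdn = outlook_fqdn.rstrip(".").lower()
    # The leftmost label must be the computer name of the published Exchange Server.
    if fqdn.split(".")[0] != computer_name.lower():
        problems.append(f"leftmost label of {fqdn} is not the Exchange computer name {computer_name}")
    # Remote clients must get the address the publishing rule listens on.
    if public_view.get(fqdn) != published_ip:
        problems.append(f"public view must map {fqdn} to the published address {published_ip}")
    # Internal clients must connect directly, not loop back through the firewall.
    if fqdn not in internal_view:
        problems.append(f"internal view is missing {fqdn}")
    elif internal_view[fqdn] == published_ip:
        problems.append(f"internal view maps {fqdn} to the firewall instead of the Exchange Server")
    return problems
```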

Secure Exchange RPC publishing is a viable alternative for clients that are not able to connect to the main office via a site to site VPN link. The branch office Outlook clients derive the same high level of functionality as those who connect directly to the Exchange Server over a site to site VPN connection.

The following procedures are required to create the secure Exchange RPC connection:

·         Step 1: Install Windows Server 2003 on the main office and branch office machines

·         Step 2: Install ISA Server 2000 on the main office and branch office machines

·         Step 3: Install the Microsoft DNS server on the branch office machine and configure the Exchange Public DNS Records

·         Step 4: Create the RPC Server Publishing Rule on the main office ISA Server 2000 firewall

·         Step 5: Configure the Registry on the Main Office ISA Server 2000 to force encrypted RPC sessions

·         Step 6: Configure an RPC Protocol Rule at the branch office to enable outbound RPC sessions for SecureNAT and Firewall clients

·         Step 7: Configure the Outlook 2003 profile to connect to the Exchange Server

·         Step 8: Make the Connection

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office ISA Server 2000 firewalls. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for ISA Server 2000.

Windows Server 2003 System Requirements

Requirement               Standard   Enterprise   Datacenter
Recommended CPU           550 MHz    733 MHz      733 MHz
Recommended Minimum RAM   256 MB     256 MB       1 GB
Multiprocessor Support    Up to 4    Up to 8      Max 64
Disk Space for Setup      1.5 GB     1.5 GB       1.5 GB


The lab scenario used in this document is described in the table and figure below.

Lab Network Details

Setting           EXCHANGE2003           LOCALHOST   LOCALVPNISA          REMOTEVPN            REMOTEHOST
IP Address        10.0.1.2               10.0.1.3    Int: 10.0.1.1        Int: 10.0.2.1        10.0.2.2
                                                     Ext: 192.168.1.70    Ext: 192.168.1.71
Default Gateway   10.0.1.1               10.0.1.1    192.168.1.60         192.168.1.60         10.0.2.1
DNS               10.0.1.2               10.0.1.2    10.0.1.2             10.0.2.1             10.0.2.1
WINS              10.0.1.2               10.0.1.2    10.0.1.2             -                    -
Services          DC, DNS, WINS, DHCP,   None        ISA Server 2000      ISA Server 2000,     -
                  Enterprise CA                                           DNS

Note that multiple network services are installed on the domain controller on the main office network. These services are typical services that would be maintained on a main office network. The DNS service is required by Active Directory.

The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), we will make the branch office client a SecureNAT client to demonstrate the functionality of the RPC Protocol Rule that enables the SecureNAT client full MAPI access to the Exchange Server on the main office network.

In the current example, the REMOTEHOST is the Outlook 2003 client. The LOCALHOST computer will not be used.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office firewall machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 Firewall and Configure the Public DNS Record

In the current example, we will install and configure a DNS server on the branch office ISA Server 2000 firewall computer and use it to simulate a public DNS server. In a production network, you would configure a public DNS server to host the public component of your split DNS infrastructure.

Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point, the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

In this example, we will create a public DNS record that resolves the name of the Exchange Server on the main office network to the external IP address of the main office ISA Server 2000 firewall. We are doing this for the sake of simplicity in our lab configuration. In a production environment, the name used to connect to the Exchange Server is resolved by public DNS servers.

You need to configure a forward and reverse lookup zone on the DNS server to resolve the name of the Exchange Server to the IP address on the external interface of the ISA Server 2000 firewall at the main office.

Perform the following steps to create the reverse lookup zone:

1.       Click Start and point to Administrative Tools. Click DNS.

2.       Expand the server name in the left pane of the console and then right click on the Reverse Lookup Zones node. Click New Zone.

3.       Click Next on the Welcome to the New Zone Wizard page.

4.       On the Zone Type page, select the Primary zone option and click Next.

5.       On the Reverse Lookup Zone Name page, select the Network ID option and enter 10.0.2 in the Network ID text box. This is the network ID of the internal interface of the ISA Server 2000 firewall at the branch office network. Click Next.

6.       On the Zone File page, accept the default zone file name and click Next.

7.       On the Dynamic Update page, use the default setting, Do not allow dynamic updates, and click Next.

8.       Click Finish on the Completing the New Zone Wizard page.

9.       Right click on the Reverse Lookup Zones node. Click New Zone.

10.   Click Next on the Welcome to the New Zone Wizard page.

11.   On the Zone Type page, select the Primary zone option and click Next.

12.   On the Reverse Lookup Zone Name page, select the Network ID option and enter 192.168.1 in the Network ID text box. This is the network ID of the external interface of the ISA Server 2000 firewall at the main office network. Click Next.

13.   On the Zone File page, accept the default zone file name and click Next.

14.   On the Dynamic Update page, use the default setting, Do not allow dynamic updates, and click Next.

15.   Click Finish on the Completing the New Zone Wizard page.

The next step is to create the forward lookup zone for the public component of the split DNS infrastructure. In our current example, the main office network hosts the private component of the split DNS infrastructure. Our DNS server at the branch office network will host the public component. Remember, in a production environment, the public component of the split DNS infrastructure would be hosted on the public DNS server.

Perform the following steps to configure the forward lookup zone:

1.       Right click the Forward Lookup Zone node in the left pane of the DNS console and click New Zone.

2.       Click Next on the Welcome to the New Zone Wizard page.

3.       On the Zone Type page, select the Primary zone option and click Next.

4.       On the Zone Name page, enter the name of the domain (msfirewall.org in this example) in the Zone name text box. Click Next.

5.       Accept the default zone file name on the Zone File page and click Next.

6.       Accept the default selection, Do not allow dynamic updates, on the Dynamic Update page. Click Next.

7.       Click Finish on the Completing the New Zone Wizard page.

8.       Right click on the msfirewall.org forward lookup zone and click New host (A). In the New Host dialog box, enter the name of the branch office ISA Server 2000 firewall in the Name (uses parent domain name if blank) text box. Enter the internal IP address of the branch office ISA Server 2000 firewall in the IP address text box. In this example, the name of the ISA Server 2000 firewall at the branch office is REMOTEVPNISA and the IP address is 10.0.2.1. We will enter those values in the text boxes and click Add Host.

9.       Click OK on the DNS dialog box.

10.   Right click on the msfirewall.org forward lookup zone and click New host (A). In the New Host dialog box, enter the NetBIOS name of the Exchange Server on the main office network in the Name (uses parent domain name if blank) text box. Enter the external IP address of the main office ISA Server 2000 firewall in the IP address text box. In this example, the name of the Exchange Server at the main office is EXCHANGE2003 and the IP address is 192.168.1.70. We will enter those values in the text boxes and click Add Host.

11.   Click OK on the DNS dialog box.

12.   Click Done in the New Host dialog box.

13.   Right click on the server name in the left pane of the console, point to All Tasks and click Restart.

The next step is to create the secure RPC Server Publishing Rule on the main office ISA Server 2000 firewall machine.

Step 4: Create the Secure RPC Server Publishing Rule on the Main Office ISA Server 2000 Firewall

The Exchange RPC Server Publishing Rule uses a Protocol Definition provided by the RPC Application filter. If you disable the Application Filter, you lose the Protocol Definition, so confirm that the filter is enabled. You can check the status of the RPC Filter in the Application Filters node under the Extensions node in the left pane of the ISA Management console.

Perform the following steps to create a secure Outlook MAPI client access Server Publishing Rule:

1.       In the ISA Management Console, expand your server or array name and then expand the Publishing node. Right click on the Server Publishing Rule node, point to New and click Rule.

2.       Enter a name for the secure Exchange RPC Server Publishing rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page. Click Next.

3.       On the Address Mapping page, type in the IP address of the Exchange Server on the internal network. Click the Browse button and select the IP address on the external interface of the ISA Server 2000 firewall that you want to use to accept the incoming requests from the remote Outlook MAPI clients.

4.       Click Next after entering the IP addressing information on the Address Mapping page.

5.       On the Protocol Settings page, select Exchange RPC Server from the list and click Next.

6.       On the Client Type page, select Any Request and click Next.

7.       On the final page of the Wizard, click Finish.

The rule will take effect soon after you click Finish. If you want the rule to be applied immediately, restart the Firewall service.

Step 5: Configure the Registry on the Main Office ISA Server 2000 to Force Encrypted RPC Sessions

All communications over a public network should be encrypted. You can force only encrypted connections to the Exchange Server via the secure Exchange RPC Server Publishing rule by configuring the Registry of the ISA Server 2000 firewall computer. This option is only available on ISA Server 2000 firewalls that have ISA Server 2000 Feature Pack 1 installed.

Perform the following steps to configure the Registry on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. In the Run dialog box, enter regedit in the Open text box and click OK.

2.       In the Registry Editor, expand HKEY_LOCAL_MACHINE, then expand Software. Expand Microsoft, and then expand FPC. Click PluginRPC.

3.       In the right pane of the Registry Editor, right-click MinimumAuthenticationLevel, and then click Modify.

4.       In Value data, type one of the following:

         1 to disable forced encryption

         6 to enforce encryption

5.       Close the Registry Editor and restart the ISA Server 2000 firewall computer.
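The following Python model is an added illustration, not code from the deployment kit or from ISA Server itself. It walks through the five-step sequence from How Exchange RPC Publishing Works together with the MinimumAuthenticationLevel check configured in this step: a request to TCP port 135 is forwarded only when it names an Exchange interface UUID at a sufficient authentication level, the Exchange Server's answer opens a dynamic packet filter bound to that one client, and any other host that hits the mapped port is dropped. The interface UUIDs and dynamic port range are constructed placeholders; the addresses are the lab's, where the branch office client appears to the main office firewall as the branch ISA Server's external address (192.168.1.71).

```python
"""Teaching model of the ISA Server 2000 Exchange RPC filter (constructed, not ISA Server code)."""
from dataclasses import dataclass

# Windows RPC authentication levels; the Registry value compares against these.
RPC_C_AUTHN_LEVEL_NONE = 1          # chapter value 1: forced encryption disabled
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6   # chapter value 6: only encrypted sessions accepted

EPM_PORT = 135   # RPC endpoint mapper, the port Outlook contacts first

# Placeholders standing in for the Exchange Server specific interface UUIDs (constructed).
EXCHANGE_INTERFACE_UUIDS = {"PLACEHOLDER-EXCHANGE-STORE-UUID", "PLACEHOLDER-EXCHANGE-NSPI-UUID"}


@dataclass
class DynamicFilter:
    """A dynamic packet filter: one external port usable by exactly one client."""
    client_ip: str
    external_port: int
    internal_port: int


class ExchangeRpcFilter:
    def __init__(self, external_ip, exchange_ip,
                 minimum_auth_level=RPC_C_AUTHN_LEVEL_NONE, first_port=3000):
        self.external_ip = external_ip        # address on the ISA Server external interface
        self.exchange_ip = exchange_ip        # published Exchange Server on the internal network
        self.minimum_auth_level = minimum_auth_level   # HKLM\Software\Microsoft\FPC\PluginRPC
        self._next_port = first_port          # constructed port range for the model
        self.pending = {}        # client_ip -> UUID awaiting the Exchange Server's answer
        self.filters = {}        # external_port -> DynamicFilter
        self.notify_ports = {}   # client_ip -> port registered for new mail notifications

    def endpoint_request(self, client_ip, dst_port, interface_uuid, auth_level):
        """Steps 1-2: the client connects to TCP 135 naming the interface it wants."""
        if dst_port != EPM_PORT:
            return "drop: not the endpoint mapper port"
        if interface_uuid not in EXCHANGE_INTERFACE_UUIDS:
            return "drop: not an Exchange RPC interface"
        if auth_level < self.minimum_auth_level:
            return "drop: session not encrypted"
        self.pending[client_ip] = interface_uuid
        return f"forward to {self.exchange_ip}:{EPM_PORT}"

    def endpoint_response(self, client_ip, internal_port):
        """Steps 3-4: Exchange answers with its listening port; the filter maps it to a
        fresh external port only this client may use and returns that port to the client."""
        if client_ip not in self.pending:
            return None   # no request was forwarded for this client
        del self.pending[client_ip]
        external_port = self._next_port
        self._next_port += 1
        self.filters[external_port] = DynamicFilter(client_ip, external_port, internal_port)
        return external_port

    def inbound(self, src_ip, dst_port):
        """Step 5: traffic to a mapped port is forwarded only for the client it was opened for."""
        if dst_port == EPM_PORT:
            return "endpoint mapper: handled by endpoint_request"
        dyn = self.filters.get(dst_port)
        if dyn is None:
            return "drop: no dynamic filter on this port"
        if dyn.client_ip != src_ip:
            return "drop: port is bound to a different client"
        return f"forward to {self.exchange_ip}:{dyn.internal_port}"

    def register_notification_port(self, client_ip, client_port):
        """At logon the client registers the port on which it receives new mail notifications."""
        self.notify_ports[client_ip] = client_port

    def outbound_notification(self, src_ip, dst_ip, dst_port):
        """Only the Exchange Server may send, and only to the port the client registered."""
        if src_ip != self.exchange_ip:
            return "drop: notifications come only from the Exchange Server"
        if self.notify_ports.get(dst_ip) != dst_port:
            return "drop: client has not registered this notification port"
        return f"forward to {dst_ip}:{dst_port}"
```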

The next step is to create an RPC Protocol Rule at the branch office.

Step 6: Configure an RPC Protocol Rule at the Branch Office to Enable Outbound RPC Sessions for SecureNAT and Firewall Clients

You can create a simple Protocol Rule that allows the Outlook MAPI client outbound access through the ISA Server 2000 firewall. Perform the following steps to create the Protocol Rule:


1.       Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Expand the Access Policy node and right click on the Protocols node. Point to New and click on Rule.

2.       Type in a name for the Protocol Rule in the Protocol rule name text box on the Welcome to the New Protocol Wizard page. Click Next.

3.       Select the Allow option on the Rule Action page. Click Next.

4.       On the Protocols page, select the Selected protocols option in the Apply this rule to drop down list. Select the RPC protocol from the list of Protocols. Click Next.

5.       Select a schedule from the Use this schedule drop down list. In this example we’ll use the Always schedule. Click Next.

6.       On the Client Type page, select the Any request option and click Next.

7.       Review your settings on the Completing the New Protocol Rule Wizard page and click Finish.

The new Protocol Rule will appear in the right pane of the console.


Step 7: Configure the Outlook 2003 Profile to Connect to the Exchange Server

The Outlook client on the branch office network must be configured with an Exchange profile to connect to the Exchange Server on the main office network.

Perform the following steps to create the Outlook profile:

1.       On the Outlook 2003 client computer, click Start and right click on the Outlook icon. Click Properties.

2.       Click the Show Profiles button on the Mail Setup dialog box.

3.       In the Mail dialog box, click the Add button.

4.       In the New Profile dialog box, enter a name to identify the profile and click OK.

5.       In the E-mail accounts dialog box, select the Add a new e-mail account option and click Next.

6.       On the Server Type page, select the Microsoft Exchange Server option and click Next.

7.       On the Exchange Server Settings page, enter the NetBIOS name of the Exchange Server in the Microsoft Exchange Server text box. Put a checkmark in the Use Cached Exchange Mode checkbox. In the User Name text box, enter the Exchange user name. Click the Check Name button. You will be presented with a logon dialog box. Enter your user name and password and click OK. Notice that the NetBIOS name you entered into the Microsoft Exchange Server text box changes to the fully qualified domain name of the Exchange Server.

8.       Click the More Settings button. In the Microsoft Exchange Server dialog box, put a checkmark in the Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server checkbox. Click Apply and then click OK.

9.       Click Next on the Exchange Server Settings page.

10.   Click Finish on the Congratulations! page.

11.   On the Mail dialog box, select the Prompt for a profile to be used option, click Apply and then click OK.

Note that the Outlook client must be configured with a domain name to append to the Exchange Server name. This can be accomplished by configuring the machine with a primary domain name, a DNS server suffix search list, an adapter specific domain name, or via a DHCP scope option.

In the next step we will make the connection to the Exchange Server using secure Exchange RPC.

Step 8: Make the Connection

Now we can test the connection using the new Outlook profile.

Perform the following steps to connect to the Exchange Server using secure Exchange RPC:

1.       Click Start and click the Outlook icon in the Start menu.

2.       Select your profile from the list in the Choose Profile dialog box. Click OK.

3.       Enter your user name and password in the Connect to EXCHANGE dialog box. Click OK.

4.       It will take some time to synchronize your mailbox with the Exchange Server. Allow Outlook to prepare itself for first use.

5.       Hold down the CTRL key on the keyboard and right click on the Outlook icon in the system tray, and click the Connection Status command.

6.       You will see the RPC connections in the Exchange Server Connection Status dialog box. You can also use the Reconnect button if you ever find that you’ve lost your connection to the Exchange Server. Close the Exchange Server Connection Status window.


Conclusion

In this document we went over the procedures required to create a secure Exchange RPC connection from an Outlook client at the branch office to the main office, using a secure Exchange Server Publishing Rule at the main office and an RPC Protocol Rule at the branch office. ISA Server 2000 secure RPC Publishing enables Outlook clients at the branch office to connect to the main office without requiring a VPN connection, and without losing any Outlook functionality.