
Secure Exchange Connectivity from the Branch Office to the Main Office
Chapter 12
Connecting to the Main Office Exchange Server from the Branch Office using RPC over HTTP
Contents
Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines
Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines
Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway
Step 4: Install the RPC over HTTP Proxy service on the ISA Server 2000 firewall machine
Step 5: Disable Socket Pooling for the W3SVC and bind the Web site to the internal address on the ISA Server 2000 firewall
Step 6: Obtain a Web Site Certificate for the RPC over HTTP Web Site
Step 7: Force basic authentication on the RPC over HTTP folder
Step 8: Create a Web Publishing Rule using the OWA Wizard and add the RPC site to the Destination Set
Step 9: Configure the Registry Settings for the RPC over HTTP Service
Step 10: Create the HOSTS file setting for the name on the Web site certificate
Step 11: Configure DNS to resolve the RPC over HTTP connection to the external interface of the ISA Server 2000 firewall
Step 12: Create an HTTPS Access Policy
Step 13: Install the CA certificate on the Outlook 2003 client computer
Step 14: Configure the Exchange Profile on the Outlook 2003 client
Step 15: Make the connection
E-mail is the most used Internet application for businesses, and remote access to Microsoft Exchange Server services is vital for branch office users. In branch office environments that are connected via a site to site VPN link, Outlook MAPI clients can connect to the Exchange Server directly through the VPN tunnel. However, some branch offices may have an ISA Server 2000 firewall or some other firewall protecting the branch office and may not have established a site to site VPN link.
An alternative to direct RPC communications over a site to site VPN link is to use Outlook 2003 to create an RPC over HTTP connection from the branch office to the main office. The only requirement for the branch office firewall is that it allow outbound TCP 443 (SSL). The RPC traffic required for full Outlook 2003 MAPI client functionality is encapsulated ("wrapped") in HTTP requests and carried inside the SSL connection. When the communication arrives at the RPC over HTTP proxy on the main office network, the HTTP wrapper is removed and the RPC commands and data are forwarded to the Exchange Server. The Exchange Server responses are returned to the RPC over HTTP proxy, wrapped in HTTP again, encrypted with SSL and returned to the Outlook 2003 RPC over HTTP client. SSL is not optional in this design: the basic credentials sent with each request are protected only by the SSL tunnel, so the RPC over HTTP site must never be reachable over plain HTTP.
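The encapsulation just described, as an added example that is not part of the original document: a Python script that builds the HTTP request an RPC over HTTP client sends once the SSL layer is stripped off, and applies the checks an RPC proxy makes before it opens a TCP connection to the back end. The RPC_IN_DATA/RPC_OUT_DATA methods and the /rpc/rpcproxy.dll path are those of the RPC over HTTP protocol; the allow list uses the server:port-range form of the RPC proxy's ValidPorts registry value. The Exchange server name exchange.msfirewall.org, the endpoint ports 6001, 6002 and 6004, the user name and password, and the exact set of headers are assumptions made for this illustration.

```python
import base64
import re

# Allow list in the "server:port[-port];..." form used by the RPC proxy's
# ValidPorts registry value. Server name and ports are constructed for this example.
VALID_PORTS = "exchange.msfirewall.org:6001-6002;exchange.msfirewall.org:6004"

_REQUEST_LINE = re.compile(
    r"^(RPC_IN_DATA|RPC_OUT_DATA) /rpc/rpcproxy\.dll\?([^:\s]+):(\d{1,5}) HTTP/1\.[01]$"
)


def parse_valid_ports(value):
    """"exchange:6001-6002;exchange:6004" -> {"exchange": {6001, 6002, 6004}}."""
    allowed = {}
    for entry in filter(None, value.split(";")):
        server, _, ports = entry.rpartition(":")
        if not server or not ports:
            raise ValueError(f"malformed ValidPorts entry {entry!r}")
        low, _, high = ports.partition("-")
        first, last = int(low), int(high or low)
        allowed.setdefault(server.lower(), set()).update(range(first, last + 1))
    return allowed


def build_rpc_request(method, host, server, port, username, password):
    """The HTTP request Outlook sends inside the SSL tunnel. One RPC connection
    uses two such requests: RPC_IN_DATA (client -> server data) and RPC_OUT_DATA
    (server -> client data); the query string names the back-end RPC endpoint."""
    if method not in ("RPC_IN_DATA", "RPC_OUT_DATA"):
        raise ValueError(f"unknown RPC over HTTP method {method!r}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    lines = [
        f"{method} /rpc/rpcproxy.dll?{server}:{port} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: MSRPC",
        f"Authorization: Basic {token}",  # base64 only: readable by anyone who sees the plain HTTP
        "Pragma: no-cache",
        "Content-Length: 0",  # real clients announce a very large body that carries the RPC stream
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def proxy_checks(raw_request, allowed):
    """Checks the RPC proxy applies before connecting to the back end.
    Returns (method, server, port, username, password); the password comes
    back in clear text, which is why the site is only published over SSL."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    match = _REQUEST_LINE.match(request_line)
    if not match:
        raise ValueError(f"rejected request line {request_line!r}")
    method, server, port = match.group(1), match.group(2).lower(), int(match.group(3))
    if port not in allowed.get(server, set()):
        raise ValueError(f"{server}:{port} is not a permitted RPC endpoint")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("no Basic credentials: the proxy answers 401")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return method, server, port, username, password


def accept(raw_request, allowed):
    """True if proxy_checks would forward the request, False if it rejects it."""
    try:
        proxy_checks(raw_request, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    allowed = parse_valid_ports(VALID_PORTS)
    request = build_rpc_request("RPC_IN_DATA", "owa.msfirewall.org",
                                "exchange.msfirewall.org", 6001, "alice", "S3cret!")
    print(request)
    print(proxy_checks(request, allowed))
    print("RDP port accepted:", accept(request.replace(":6001 ", ":3389 "), allowed))
```

The allow-list check is the part worth studying: without it, the proxy would connect to whatever server:port the client names in the query string, turning the published site into a generic TCP relay into the internal network.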
The figure below shows a high level overview of the communications path between the Outlook 2003 RPC over HTTP client and the Exchange Server.

In this document, we will discuss the procedures required to install and configure an RPC over HTTP proxy server on the ISA Server 2000 firewall at the main office and configure the branch office ISA Server 2000 firewall and Outlook 2003 client to connect to the main office Exchange Server using the RPC over HTTP protocol.
The following procedures are required to create the RPC over HTTP connection:
- Step 1: Install Windows Server 2003 on the main office and branch office machines
- Step 2: Install ISA Server 2000 on the main office and branch office machines
- Step 3: Install the Microsoft DNS server on the branch office machine and configure the Exchange public DNS records
- Step 4: Install the RPC over HTTP Proxy service on the ISA Server 2000 firewall machine
- Step 5: Disable socket pooling for the W3SVC and bind the Web site to the internal address on the ISA Server 2000 firewall
- Step 6: Obtain a Web site certificate for the RPC over HTTP Web site
- Step 7: Force basic authentication on the RPC over HTTP folder
- Step 8: Create a Web Publishing Rule using the OWA Wizard and add the RPC site to the Destination Set
- Step 9: Configure the registry settings for the RPC over HTTP service
- Step 10: Create the HOSTS file setting for the name on the Web site certificate
- Step 11: Configure DNS to resolve the RPC over HTTP connection to the external interface of the ISA Server 2000 firewall
- Step 12: Create an HTTPS Access Policy
- Step 13: Install the CA certificate on the Outlook 2003 client computer
- Step 14: Configure the Exchange profile on the Outlook 2003 client
- Step 15: Make the connection
The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise and Datacenter editions of Windows Server 2003.

Windows Server 2003 System Requirements

| Requirement | Standard | Enterprise | Datacenter |
|---|---|---|---|
| Recommended CPU | 550 MHz | 733 MHz | 733 MHz |
| Recommended minimum RAM | 256 MB | 256 MB | 1 GB |
| Multiprocessor support | Up to 4 | Up to 8 | Up to 64 |
| Disk space for setup | 1.5 GB | 1.5 GB | 1.5 GB |
The lab scenario used in this document is described in the table and figure below.
Lab Network Details

| Setting | EXCHANGE | LOCALHOST | LOCALVPNISA | REMOTEVPN | REMOTEHOST |
|---|---|---|---|---|---|
| IP Address | 10.0.1.2 | 10.0.1.3 | Int: 10.0.1.1, Ext: 192.168.1.70 | Int: 10.0.2.1, Ext: 192.168.1.71 | 10.0.2.2 |
| Default Gateway | 10.0.1.1 | 10.0.1.1 | 192.168.1.60 | 192.168.1.60 | 10.0.2.1 |
| DNS | 10.0.1.2 | 10.0.1.2 | 10.0.1.2 | 10.0.2.1 | 10.0.2.1 |
| WINS | 10.0.1.2 | 10.0.1.2 | 10.0.1.2 | | |
| Services | DC, DNS, WINS, DHCP | None | ISA Server 2000 | ISA Server 2000, DNS | |

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue a certificate to the RPC over HTTP Web site located on the ISA Server 2000 firewall machine.
The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the LOCALHOST and REMOTEHOST computers is required to allow these machines to route requests to the opposite network to the internal interface of the ISA Server 2000 firewall computer.
In the current example, the REMOTEHOST is the Outlook 2003 client. The LOCALHOST computer will not be used.
The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).
In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computer. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on the branch office computer.
The branch office computer will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:
- Recursion to resolve Internet host names
- Acting as a secondary DNS server to the Active Directory based DNS server at the main office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.
In addition, the DNS server at the branch office will act as a secondary DNS server for the Active Directory domain zone hosted by the DNS server at the main office. This allows the client computers on the branch office network to use the DNS server on the branch office ISA Server 2000 firewall to resolve the names of computers that belong to the domain. The standard secondary zone can only be created, and a zone transfer forced from the main office Active Directory DNS server, after the site to site VPN link is established, because the zone transfer travels over that link.
The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.
1. The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.
2. The DNS server issues a query for www.microsoft.com to a root DNS server. The root DNS server is not authoritative for the microsoft.com domain, and returns to the DNS server on the ISA Server 2000 VPN gateway a referral to the .com DNS servers.
3. The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.
4. The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.
5. The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.
7. The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.

Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point, the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks. Later you can create a site to site VPN link to make the DNS server a secondary DNS server for the main office DNS server.
In the current example, we will not create the site to site link. Instead, we will create a standalone primary zone on the branch office DNS server and enter in it the public IP address (the external address of the main office ISA Server 2000 firewall) for the name that the Outlook 2003 client uses in its RPC over HTTP connection. We are doing this for the sake of simplicity in our lab configuration. In a production environment, the name used to connect to the RPC over HTTP site is resolved by public DNS servers, and the branch office DNS server is configured as a secondary for the main office DNS server.
We will cover this in more detail later in this document when we configure the supporting DNS entry.
Perform the following steps to install the RPC over HTTP Proxy networking service on the main office ISA Server 2000 firewall computer, which hosts the RPC over HTTP proxy in this scenario:
1. Click Start, point to Control Panel and click on Add or Remove Programs. In the Add or Remove Programs window, click on the Add/Remove Windows Components button.
2. In the Windows Components dialog box, click on the Networking Services entry in the Components list and then click the Details button.
3. In the Networking Services dialog box, put a checkmark in the RPC over HTTP Proxy checkbox and click OK.
4. Click Next in the Windows Components dialog box.
5. An Insert Disk dialog box may appear asking you to insert the Windows CD-ROM (This will occur if you installed Windows from the CD, rather than from a network share or installation files copied to the local disk). Click OK.
6. Enter a path to the i386 folder in the Files Needed dialog box. Click OK.
7. Click Finish on the Completing the Windows Components Wizard page.
8. Close the Add or Remove Programs window.
The next step is to disable socket pooling for the W3SVC. By default, HTTP.sys in IIS 6.0 listens on all IP addresses on the machine (socket pooling). On the ISA Server 2000 firewall the RPC over HTTP Web site must listen only on the internal interface, so that port 443 on the external interface is left to the ISA Server Web Proxy listener and the IIS site is never exposed directly on the external address. The httpcfg.exe tool from the Windows Server 2003 Support Tools configures the list of addresses HTTP.sys listens on.
Perform the following steps to install the Support Tools and configure HTTP.sys:
1. Copy the Support folder from the Windows Server 2003 CD-ROM to the local hard disk on the ISA Server 2000 firewall computer.
2. In the Support\Tools folder, double click on the SUPTOOLS.MSI file.
3. Click Next in the Welcome to the Windows Support Tools Setup Wizard page.
4. Select the I Agree option on the End User License Agreement page. Click Next.
5. On the User Information page, enter your Name and Organization.
6. On the Destination Directory page, select a location for the Support Tools files and click Install Now.
7. Click Finish on the Completing the Windows Support Tools Setup Wizard page.
8. In the Support Tools folder to which the files were installed, find the httpcfg.exe file and copy that file to the root of the C:\ drive.
9. Configure HTTP.sys to listen only on the specified IP address (the internal IP address of the ISA Server 2000 firewall) by typing httpcfg set iplisten -i ip-address at a command prompt. In this example, we will enter httpcfg set iplisten -i 10.0.1.1 and press ENTER. You can confirm the resulting listen list with httpcfg query iplisten.

10. At the command prompt, enter net stop http and press ENTER. Press Y to confirm that you want to stop the services.
11. At the command prompt, enter net stop W3proxy and press ENTER.
12. At the command prompt, enter net start http and press ENTER.
13. At the command prompt, enter net start W3SVC and press ENTER.
14. At the command prompt, enter net start W3proxy and press ENTER.
15. Close the command prompt window.
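One way to verify the result of the procedure above, added here as an example and not part of the original document: parse the output of netstat -ano taken on the firewall and flag Web ports that are still bound to all addresses. The netstat lines and process IDs below are constructed (HTTP.sys listeners appear under the System process, PID 4, on Windows Server 2003; 1172 stands in for the ISA Web Proxy service); the addresses 10.0.1.1 and 192.168.1.70 are those of the lab.

```python
import re

_LISTENER = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed "netstat -ano" output before and after "httpcfg set iplisten -i 10.0.1.1".
# PID 4 (System) owns the HTTP.sys listeners; 1172 stands in for the ISA Web proxy.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    10.0.1.1:8080          0.0.0.0:0              LISTENING       1172
"""

NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.1.1:80            0.0.0.0:0              LISTENING       4
  TCP    10.0.1.1:443           0.0.0.0:0              LISTENING       4
  TCP    10.0.1.1:8080          0.0.0.0:0              LISTENING       1172
  TCP    192.168.1.70:443       0.0.0.0:0              LISTENING       1172
"""


def parse_listeners(netstat_output):
    """(local_ip, port, pid) for each TCP socket in LISTENING state."""
    found = []
    for line in netstat_output.splitlines():
        match = _LISTENER.match(line)
        if match:
            found.append((match.group(1), int(match.group(2)), int(match.group(3))))
    return found


def audit_web_listeners(netstat_output, internal_ip, web_ports=(80, 443)):
    """Return a list of findings for the Web ports.

    A Web port bound to 0.0.0.0 means HTTP.sys still has socket pooling on and
    IIS is reachable on every interface, including the external one. A Web port
    bound to another specific address is reported for review: on the ISA Server
    2000 firewall, 443 on the external address should belong to the Web proxy's
    incoming Web listener, not to IIS.
    """
    findings = []
    for ip, port, pid in parse_listeners(netstat_output):
        if port not in web_ports:
            continue
        if ip == "0.0.0.0":
            findings.append(f"ERROR port {port} bound to all addresses (PID {pid}): socket pooling still active")
        elif ip != internal_ip:
            findings.append(f"REVIEW port {port} bound to {ip} (PID {pid}): confirm this is the ISA Web proxy listener")
    return findings


def socket_pooling_disabled(netstat_output, internal_ip):
    """True when no Web port is bound to 0.0.0.0."""
    return not any(f.startswith("ERROR") for f in audit_web_listeners(netstat_output, internal_ip))


if __name__ == "__main__":
    for label, output in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(label, "socket pooling disabled:", socket_pooling_disabled(output, "10.0.1.1"))
        for finding in audit_web_listeners(output, "10.0.1.1"):
            print("  ", finding)
```

On the firewall itself the input comes from netstat -ano run at the command prompt after step 14; if any 0.0.0.0 binding remains on 80 or 443, repeat the httpcfg step and the service restarts before binding the Web site in IIS.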
The next step is to open the Internet Information Services (IIS) console and bind the Web site to the internal IP address on the ISA Server 2000 firewall computer.
Perform the following steps to bind the correct address to the Web site:
1. Click Start and point to Administrative Tools. Click on Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console.
3. Right click the Default Web Site and click Properties.
4. In the Default Web Site Properties dialog box, click on the Web Site tab. Select the internal IP address on the ISA Server 2000 firewall computer from IP address list. Click Apply and then click OK.

5. Leave the Internet Information Services (IIS) Manager console open to prepare for the next procedure.
The next step is to obtain a Web site certificate for the RPC over HTTP Web site. In our example, the Outlook 2003 client will connect to the RPC over HTTP Web site using the URL https://owa.msfirewall.org. The name in the request must match the name in the certificate, so we will request a certificate with the common name owa.msfirewall.org.
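The name check described above, as an added example that is not part of the original document: a Python function that decides whether the host name in the URL the Outlook 2003 client uses matches the names a certificate carries, following the rules a certificate-verifying client applies. The certificate dictionary is a constructed stand-in for what Python's ssl module returns from getpeercert() for the certificate the IIS wizard requests here (subject common name owa.msfirewall.org, no subjectAltName); the organization and issuer names in it are assumptions. The wildcard certificate in the test is also constructed, to show the rule the page's own certificate does not exercise.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for ssl.SSLSocket.getpeercert() on the certificate the
# IIS wizard requests in this step: subject CN owa.msfirewall.org, no subjectAltName.
IIS_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "msfirewall"),),
        (("commonName", "owa.msfirewall.org"),),
    ),
    "issuer": ((("commonName", "msfirewall Enterprise CA"),),),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS name comparison. A single leading wildcard label
    matches exactly one label and never the registered domain itself."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Return (dns_names, ip_addresses) a client may compare the URL host with.
    subjectAltName entries take precedence; the subject CN is consulted only when
    the certificate carries no SAN at all, which is the case for this IIS request."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if not san:
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    return dns_names, ip_names


def url_matches_certificate(url, cert):
    """Would a client that verifies names accept this certificate for this URL?"""
    host = urlsplit(url).hostname
    if not host:
        return False
    dns_names, ip_names = certificate_names(cert)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_name_matches(name, host) for name in dns_names)
    return host in ip_names  # an IP literal never matches a DNS name or a CN


if __name__ == "__main__":
    for url in ("https://owa.msfirewall.org/rpc/rpcproxy.dll",
                "https://192.168.1.70/rpc/rpcproxy.dll",
                "https://mail.msfirewall.org/rpc/rpcproxy.dll"):
        print(url, "->", url_matches_certificate(url, IIS_CERT))
```

This is why the later HOSTS file and DNS steps resolve owa.msfirewall.org rather than pointing Outlook at the firewall's external IP address: the client compares the name it was given, not the address it connected to.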
Perform the following steps to request the certificate:
1. Right click on the Default Web Site and click Properties.
2. In the Default Web Site Properties dialog box, click the Directory Security tab.
3. On the Directory Security tab, click the Server Certificate button.
4. Click Next on the Welcome to the Web Server Certificate Wizard page.
5. On the Server Certificate page, select the Create a new certificate option and click Next.
6. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option and click Next.
7. On the Name and Security Settings page, you can use the default name in the Name text box and the default value in the Bit length text box, or you can use alternative values if you wish. In this example, we will use the defaults and click Next. (For a certificate issued today, choose a key length of at least 2048 bits.)
8. On the Organization Information page, enter your Organization and Organizational unit in the text boxes provided. Click Next.
9. On the Your Site’s Common Name page, enter the fully qualified domain name external RPC over HTTP clients will use to connect to the site. In this example, remote Outlook 2003 clients will connect to the site using the name owa.msfirewall.org. Therefore, we will enter owa.msfirewall.org in the Common name text box. Click Next.

10. On the Geographical Information page, enter your Country/Region, State/Province and City/Locality and click Next.
11. On the SSL Port page, use the default port of 443 and click Next.
12. On the Choose a Certification Authority page, use the default entry in the Certification authorities list and click