Last Update: Nov 19, 2024 | Published: Jan 06, 2009
RPC over HTTP/S is a cool method for connecting your Outlook 2003 client to the corporate Exchange Server 2003 from the Internet or WAN, without the need to establish a VPN session to the corporate LAN and/or needing to open many ports on your corporate firewall. The only ports you’ll need to open on your firewall are TCP 80 and, if using SSL, TCP 443.
Note: This procedure is not required on SBS, because SBS fully configures Exchange for RPC over HTTPS and also provides instructions for connecting an Outlook client, via the ‘Configure Outlook over the internet’ link on RWW (https://sbs/remote).
Note: While RPC over HTTP does not require SSL, you must modify the registry to enable RPC over HTTP if you do not want to use SSL. This is why I’ve used the term “RPC over HTTP/S” in this set of articles.
Basically, there are 2 configurations possible when configuring RPC over HTTP/S:
MS KB 833401 has more info, but as always, I’ve written an article in order to make the configuration process easier, as the original KB tends to be too technical.
When configuring RPC over HTTP/S, you must follow these steps:
To use RPC over HTTP/S, your computers must meet the following requirements.
RPC over HTTP/S requires Windows Server 2003 and Exchange Server 2003. RPC over HTTP/S also requires Windows Server 2003 in a Global Catalog role.
If you’re running SP1, you must install the following update package:
Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP – 331320
If you have installed Windows XP SP2, you do NOT have to install the update package. You can also run Windows Server 2003 as the client operating system.
Here are some of Microsoft’s (and my) recommendations when using Exchange with RPC over HTTP:
Additionally, if you use your own certification authority, when you issue a certificate to your RPC proxy server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the RPC proxy server that is available on the Internet.
The RPC proxy server processes the Outlook 2003 RPC requests that arrive from the Internet. To successfully process RPC over HTTP requests, you must install the Windows Server 2003 RPC over HTTP Proxy networking component on your Exchange computer.
Note: The RPC Proxy component does not have to be installed on the Exchange server. It can in fact be installed on a totally different server. In this article we’ll ignore these possibilities and concentrate on the single server scenario.
To install this component, follow these steps:
After you configure the Exchange computer to use RPC over HTTP/S, you must configure the RPC virtual directory in Internet Information Services (IIS).
To do this, follow these steps:
Note: Windows Server 2003 Service Pack 1 (SP1) adds a new virtual directory called RpcWithCert. This virtual directory points to the same location as the Rpc virtual directory. You do NOT need to modify this virtual directory.
You receive the following message:
The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections. Are you sure you want to continue?
Click Yes
The RPC virtual directory is now configured to use basic authentication. As stated in the Recommendations section of this article, you must configure SSL on your RPC Proxy server (i.e. on your single server). To enable SSL on the RPC virtual directory you must obtain and publish a certificate. Follow the guidelines in the Configure SSL on Your Website with IIS article for more info on this issue (this procedure assumes that you have obtained and published a certificate).
After setting up a Digital Certificate for the Default Website you will need to configure the RPC virtual directory to require SSL for all client-side connections.
To configure the RPC virtual directory to require SSL for all client-side connections, follow these steps:
After you configure the RPC over HTTP networking component for Internet Information Services, configure the RPC proxy server. Configure the RPC proxy server to use specific ports to communicate with the directory service and with the information store on the Exchange computer.
Warning!
This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.
Tip: Instead of manually editing the registry, reader Harry Bates has most cleverly designed a small utility that will allow you to perform all these changes by pressing a couple of buttons. The tool is called [this_link_has_been_removed] (19kb).
Run the tool on your Exchange server, input the server’s names and you’re done! Thanks Harry!
If you’ve used the above tool you no longer need to perform any manual registry changes and you can safely skip the rest of this guide till the Global Catalog configuration section below.
However, if you’re still interested in knowing what’s going on, here are the required changes and information:
When you run Exchange Server 2003 Setup, Exchange is configured to use the ports in the following table:
Server | Port | Service |
Exchange Server (Global Catalog) | 6001 | Store |
 | 6002 | DSReferral |
 | 6004 | DSProxy |
The three registry values that follow are automatically configured by Exchange Server 2003 Setup. Although you do not have to configure these registry values, you might want to verify that these registry values are configured correctly.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value name: Rpc/HTTP Port
Value type: REG_DWORD
Value data: 0x1771 (Decimal 6001)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)
Do NOT modify these registry values. Just make sure they exist.
Action required – configure the RPC proxy server to use specific ports
To configure the RPC proxy server to use specific ports, follow these steps.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy
Note: The default value for the ValidPorts key is:
ServerNetBIOSName:100-5000
Where ServerNetBIOSName is the NetBIOS name of your server.
ServerNetBIOSName:6001-6002;ServerFQDN:6001-6002;ServerNetBIOSName:6004;ServerFQDN:6004
Replace ServerNetBIOSName with the NetBIOS name of your server. Replace ServerFQDN with the fully qualified domain name (FQDN) of your server.
Note: The above text is ONE LONG LINE. Copy and paste it into Notepad, and edit it there. Once done, copy it from Notepad and enter it in the Registry editor.
Note: This is the part where most administrators fail. Take a look at the following table and enter the correct values based upon this example:
Role | Names |
Windows Server 2003 SP1 + Exchange 2003 SP1 + DC, FSMO, GC + RPC Proxy | NetBIOS name: zeus |
 | FQDN – Internal: zeus.dpetri.net (this is just an example, the name is bogus) |
 | FQDN – External: mail.dpetri.net (this is just an example, the name is bogus) |
Note: In the above table I’ve used the same domain name internally as externally (dpetri.net). This is NOT a best practice, as one SHOULD keep these two domain names separate, mostly for security and DNS reasons. For example, if I were to rewrite this guide, I’d probably use dpetri.local for the internal domain name, and dpetri.net externally.
Text to enter in the registry:
zeus:6001-6002;mail.dpetri.net:6001-6002;zeus:6004;mail.dpetri.net:6004
Note: Some guides and articles instruct you to also add the external FQDN of the RPC Proxy, i.e. the FQDN used to access the server from the Internet. For example, in the above scenario, you should use:
zeus:6001-6002;zeus.dpetri.net:6001-6002;mail.dpetri.net:6001-6002;zeus:6004;zeus.dpetri.net:6004;mail.dpetri.net:6004
I’ve experimented with both settings, and both work. To be on the safe side I’d recommend using the longer version.
Note: You can also use the Rpccfg tool to set and to troubleshoot port assignments. The Rpccfg tool is included in the Windows Server 2003 Resource Kit tools (Download Windows 2003 Reskit Tools):
C:\WINDOWS>rpccfg /hd
Server Name                     Port Settings
---------------------------------------------------------
mail.dpetri.net                 6001-6002 6004
zeus                            6001-6002 6004
zeus.dpetri.net                 6001-6002 6004
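An added example (not part of the original article and not a Microsoft tool): a Python check for the ValidPorts string built above. ValidPorts is the list of server names and ports the RPC proxy is allowed to forward to, so the check reports names that lack 6001, 6002 or 6004 and entries, such as the default 100-5000 range, that allow more than those ports. It assumes the `name:port` / `name:low-high` entry format shown on this page; the function names are hypothetical.

```python
import re

# Ports from the table above: 6001 Store, 6002 DSReferral, 6004 DSProxy.
REQUIRED_PORTS = {6001, 6002, 6004}

def parse_valid_ports(value):
    """Turn 'name:ports;name:ports' into {lowercased name: set of ports}."""
    allowed = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing semicolon
        name, sep, spec = entry.rpartition(":")
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", spec.strip())
        if not sep or not name.strip() or not match:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(name.strip().lower(), set()).update(range(low, high + 1))
    return allowed

def audit_valid_ports(value, expected_names):
    """Return findings: required ports missing, or anything extra allowed."""
    allowed = parse_valid_ports(value)
    expected = [n.lower() for n in expected_names]
    findings = []
    for name in expected:
        missing = REQUIRED_PORTS - allowed.get(name, set())
        if missing:
            findings.append(f"{name}: missing port(s) {sorted(missing)}")
    for name, ports in sorted(allowed.items()):
        if name not in expected:
            findings.append(f"{name}: unexpected server name")
        extra = ports - REQUIRED_PORTS
        if extra:
            findings.append(
                f"{name}: {len(extra)} extra port(s) allowed ({min(extra)}-{max(extra)})")
    return findings

if __name__ == "__main__":
    # Names from this article's example table; the strings are its two variants.
    names = ["zeus", "zeus.dpetri.net", "mail.dpetri.net"]
    short = "zeus:6001-6002;mail.dpetri.net:6001-6002;zeus:6004;mail.dpetri.net:6004"
    long_ = ("zeus:6001-6002;zeus.dpetri.net:6001-6002;mail.dpetri.net:6001-6002;"
             "zeus:6004;zeus.dpetri.net:6004;mail.dpetri.net:6004")
    for label, value in (("short", short), ("long", long_), ("default", "zeus:100-5000")):
        print(label, audit_valid_ports(value, names) or "OK")
```

Paste the value copied from the registry editor as the first argument and list every name clients or the proxy will use for the server as the second.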
Configure all your global catalogs to use specific ports for RPC over HTTP for directory services
Exchange Server 2003 Service Pack 1 note: Exchange Server 2003 Service Pack 1 has a new built-in RPC over HTTP/S GUI setting on the Exchange Server properties page in Exchange System Manager. If you configure the RPC over HTTP/S option from the GUI, there is NO need to make any manual changes in the Registry.
To make the changes via the GUI follow these steps:
You might get an error:
Exchange System Manager
There is no RPC-HTTP front-end in your Exchange organization. There must be at least one RPC-HTTP front-end server in the organization before the RPC-HTTP back-end server can be accessed.
Acknowledge the error.
If you did not install Exchange Server 2003 SP1, or if you did not configure the RPC over HTTP/S option from the GUI, then you MUST manually perform the changes in the Registry.
To do this, follow these steps:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
On the Edit menu, point to New, and then click Multi-String Value.
Note: Make sure that you select the correct value type for the registry subkey. If the registry subkey type is set to anything other than Multi-String Value, you may experience problems.
ncacn_http:6004
and then click OK.
You must now configure a client computer that meets the requirements specified at the beginning of this article to use RPC over HTTP/S.
Follow the instructions found in the Configure Outlook 2003 to use RPC over HTTP/S article.
Next, the natural step is to test your configuration. Testing can be done on the LAN or on the WAN.
Follow the instructions found in the Testing RPC over HTTP/S Connection article.
If a successful connection is made then you can start deploying your Outlook clients and begin using RPC over HTTP/S.
You may find these related articles of interest to you:
Exchange Server 2003 RPC over HTTP Deployment Scenarios
How to configure RPC over HTTP on a single server in Exchange Server 2003 – 833401
RPC over HTTP Security
RPC over HTTP Deployment Recommendations