RPC Server allows Outlook 2003 clients to connect to
your Exchange Server securely over the Internet.
As the article "SSL certificate options for secure access to Exchange
Server through the Internet" explains, RPC Server is a feature
in Exchange 2003 Server that allows Outlook 2003 users to connect to the
server securely. Essentially, the main steps to implement Exchange RPC
- Configuring Windows 2003 Server to use the RPC over HTTP service.
- Configuring basic authentication on the RPC virtual directory in Internet Information Services (IIS)
- Defining specific ports to be used by the RPC over HTTP service.
Let's take a look at these steps in greater detail.
RPC over HTTP service
The RPC over HTTP service needs to be installed on a Windows 2003 Server
that houses either Exchange 2003 Server or an Exchange 2003 front-end server.
The procedure to configure the RPC over HTTP service is:
1. Access Add/Remove Programs from the Control Panel on the Windows 2003
2. Click the Add/Remove Windows Components button in the Add Or
Remove Programs dialog box. The Windows Components Wizard dialog box appears,
as shown in Figure A.
3. Select Networking Services on the list in the Windows Components Wizard
dialog box, and then click the Details button. The Networking Services
dialog box appears, as shown in Figure B.
4. Place a check mark in the RPC Over HTTP Proxy
check box in the Networking Services dialog box, and click OK.
5. Click Next at the bottom of the Windows Components
Wizard dialog box. The Windows 2003 Server will be reconfigured to use
the RPC over HTTP service.
6. Click Finish once the final screen of the Windows Components Wizard
7. Close the Add Or Remove Programs dialog box.
authentication on the RPC virtual directory
During the configuration of the RPC over HTTP
service, a virtual directory should be created in the default Web site
in IIS. You'll need to make sure the RPC virtual directory includes basic
authentication. Basic authentication is generally a "no-no"
over the Internet; however, you'll be using SSL to secure data transmission.
Proper setup of the Exchange RPC Server
procedure to configure basic authentication on the RPC virtual directory
1. Access the Internet Information Services Manager from the Administrative
Tools menu on the Start menu (or in the Control Panel).
2. Locate the default Web site and then click the plus sign (+) preceding
the site to expand its branches.
3. Locate the RPC virtual directory and right-click while over it.
4. Choose Properties from the shortcut menu. The RPC Properties dialog
box appears, as shown in Figure C.
5. Click the Directory Security tab in the RPC Properties dialog box.
The Directory Security screen appears, as shown in Figure D.
6. Click the Edit button in the Authentication And
Access Control section of the Directory Security screen. As shown in Figure
E, the Authentication Methods screen appears.
7. Place a check mark in the Basic Authentication check box in the Authenticated
Access section of the Authentication Methods screen.
8. Click OK twice to save your changes and exit.
To increase security on the RPC virtual directory, disallow anonymous
access. Doing so prevents users of RPC over HTTP version 1.0, which is
less secure than version 2.0, from connecting. Version 2.0
authenticates using only basic or Windows integrated authentication.
ports for the RPC over HTTP service
The final step is to define specific ports to
be used by the RPC over HTTP service. If you have multiple Exchange Servers
that will be accessed by Outlook 2003 clients through the Exchange RPC
Server, you'll need to define the same ports on each of those servers
as well. The ports are:
- 6001—To access the Exchange store
- 6004—To access the Directory Service proxy
These ports will be defined in the registry, so be sure to back it up
before proceeding. The procedures to define specific ports for the RPC
over HTTP service are:
1. Access the registry by typing in regedit.exe from the Run command
or command prompt.
2. Locate the key for the RPC over HTTP service port settings: HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\RpcProxy.
The information shown in Figure F should appear in the Registry
Editor’s details pane to the right.
3. Right-click the ValidPorts subkey in the Registry
Editor’s details pane, and then click Modify. The Edit String dialog box
appears, as shown in Figure G.
4. Make sure the Value Data field contains the following:
- The NETBIOS names for your Exchange Server and
global catalog server for each port
- The Fully Qualified Domain Name (FQDN) for your
Exchange Server and global catalog server for each port
The appropriate syntax for the Value Data field for the ValidPorts
Let’s say your Exchange 2003 Server is located on a Windows 2003 Server,
which acts as a global catalog server. The NETBIOS name of the server
is CLAUD and the FQDN is CLAUD.OFFICE.LOCAL. The value in the Value Data
field should be:
If Outlook 2003 clients will be asking for the RPC over HTTP service using
IP addresses, you should also include entries for the IP address for each
of the ports.
You may notice that there are entries for port
593 when you check the ValidPorts subkey.
Port 593 is for the Distributed Component Object Model (DCOM) protocol.
This allows DCOM to be used over the RPC over HTTP service for client/server
applications. If DCOM will not be used in this capacity, remove any entries
for port 593 to improve security. Check out Microsoft Security Bulletin MS03-026 for further details.
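One way to check a ValidPorts value against the guidance above before and after editing it. This is an added example, not code from the article or from Microsoft. It assumes the value is a semicolon-separated list of host:port or host:low-high entries; the sample string and the host name oldsrv are constructed for illustration, and the allowed set defaults to the two ports the article lists.

```python
import re

ARTICLE_PORTS = frozenset({6001, 6004})  # Exchange store, Directory Service proxy
DCOM_PORT = 593

# Constructed sample value, not taken from the article or a real server.
SAMPLE = ("CLAUD:593;CLAUD:6001;CLAUD:6004;"
          "claud.office.local:593;claud.office.local:6001;oldsrv:100-5000")

def parse_valid_ports(value):
    """Map each host (lower-cased) to the set of ports its entries allow."""
    table = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing semicolon
        m = re.fullmatch(r"([^:\s]+):(\d+)(?:-(\d+))?", entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        table.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return table

def audit_valid_ports(value, expected_hosts, allowed=ARTICLE_PORTS, allow_dcom=False):
    """Return sorted findings; an empty list means nothing to fix."""
    table = parse_valid_ports(value)
    expected = {h.lower() for h in expected_hosts}
    findings = []
    # Every expected name (NETBIOS and FQDN) needs an entry for each allowed port.
    for host in expected:
        for port in sorted(allowed - table.get(host, set())):
            findings.append(f"missing {host}:{port}")
    # Anything beyond the allowed ports widens what the proxy will forward.
    for host, ports in table.items():
        if host not in expected:
            findings.append(f"unexpected host {host}")
        extra = ports - allowed
        if DCOM_PORT in extra and not allow_dcom:
            findings.append(f"DCOM port 593 open for {host}")
        extra.discard(DCOM_PORT)
        if extra:
            findings.append(f"{len(extra)} extra port(s) for {host} in {min(extra)}-{max(extra)}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_valid_ports(SAMPLE, ["CLAUD", "CLAUD.OFFICE.LOCAL"]):
        print(line)
```

Pass allow_dcom=True if DCOM over the RPC over HTTP service is in use, and pass a different allowed set if your deployment publishes ports other than the two listed here.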