I was just starting to look at the best scenario for full-blown Outlook 2003 clients to reach the internal Exchange 2003 server without using a VPN connection or plain RPC publishing.
If I understand it all well, then the RPC/HTTP proxy is a Windows 2003 component, not an Exchange 2003 component. So, to the internal Exchange server all traffic seems to come from regular Outlook 2003 clients (plain RPC traffic). Right?
If that's the case, can't we combine the RPC/HTTP proxy for easy firewall traversal at the client side and ISA RPC publishing for maximum security at the server side? More precisely, what do you think of the following "Poor man's" scenario or any variant of it:
    [Exchange] --- [ISA] --- Internet
                     !
                     !
              [RPC/HTTP Proxy]
Of course I assume here a completely locked-down box for the RPC/HTTP Proxy in the DMZ. Should it still work if we RPC publish the Exchange server on the ISA DMZ interface, or is it much more complex?
That is a very interesting scenario! I haven't considered it, but it would be interesting to see if it works.
We should be able to use an Exchange RPC Server Publishing Rule to allow the RPC proxy access to the Exchange Server on the internal network.
However, there are some other considerations, such as setting the proper Registry entries for the port numbers used to communicate between the RPC proxy and the back-end Exchange Server. This can complicate the scenario quite a bit over making the RPC proxy a LAT host, but it's not insurmountable. Name resolution would also pose a bit of a challenge.
The Registry info will be included in the second part of the series, which I'll post on ISAServer.org tonight.
After going through some docs about RPC over HTTP, I have a feeling it is indeed not as easy as one would expect at first sight!
As you know, I'm an advocate of strong user authentication. Is it right to say that in the current version of the RPC/HTTP proxy you can't use a client certificate or a smartcard for authentication against the RPC/HTTP proxy? If that is true, it is probably not a limitation of the RPC/HTTP proxy implementation on IIS6 but rather a limitation on the RPC/HTTP proxy implementation on Windows XP-SP1. Correct?
BTW, it would be great if a secure RPC over HTTP proxy were incorporated as an application filter in ISA Server, including the RPC inspection. That would be another killer application of ISA Server!
Indeed, I think this DMZ config you outlined would not be easy, but should be able to be done.
You are correct that you can't configure the Outlook 2003 client to present a client certificate, or enable it to use smartcard auth.
However, I think there is a problem with the RPC proxy in that it will not accept a client certificate. I discovered this when trying to configure the ISA firewall to send a client certificate to the RPC proxy server for authentication, by requiring a client certificate. While this works fine with OWA, I was never able to get it to work with the RPC proxy.
I think the new VPN implementation in ISA 2004 might be the best solution. I can write you offline with more details, and then we'll share it with the world when the public beta begins!
Tom, thanks for the articles. I was reading through part 1 and 2, but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be? I have installed RPC Proxy on the Exchange server, removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much, Jon
I have read part 1 and part 2 and I have one problem: I do not have a front-end server, I only have one Exchange server and I need to use this with ISA. What do I need to do to make this work? PLEASE help, as I will be installing Exch2k3 this weekend.
Quote (originally posted by goodie): Tom, thanks for the articles. I was reading through part 1 and 2, but my setup is a bit different. I would like to use only 2 servers, one ISA and the other Exchange 2003 with IIS6. You mentioned it is possible to configure RPC over HTTP that way. What would the proper config be? I have installed RPC Proxy on the Exchange server, removed anonymous access and installed a certificate. What would need to be done on the ISA server? Thanks very much, Jon
Hi Jon,
Yes, that would be an interesting scenario. I haven't tested it out yet, though. I wanted to start with the scenario that is officially sanctioned by MS, and then move to more creative approaches.
If you have a chance to test it before me, please let us know the results of your testing.
Quote (originally posted by rpotthoff): I have read part 1 and part 2 and I have one problem: I do not have a front-end server, I only have one Exchange server and I need to use this with ISA. What do I need to do to make this work? PLEASE help, as I will be installing Exch2k3 this weekend.
Hi R,
The front end can be just an IIS 6 box running the RPC over HTTP service. The Exchange front-end server is the officially sanctioned config, but not required.
This handles all aspects of urlscan with respect to ISA 2000 and Exchange 2003 and includes a fully functional urlscan file.
If you are also providing access to a MS SharePoint Portal Server, then I suggest that you look at the documentation for that, as it is also affected by urlscan.
Hope this is of some use to other members.
Anyway, here are my comments on spouseele's idea for a poor man's solution to RPC/HTTP. Not so certain about the achieved end result. The following ports (in addition to the RPC port) must be opened from this RPC/HTTP server to:
To all Exchange back-end servers: 593 (endpoint mapper), 6001 (Store), 6002 (DS referral), 6004 (DS proxy)
To all utilized Global Catalog servers: 593 and 6004
I believe that you could do what you suggest but wonder if the result is as good as keeping the rpc/http server on the internal network.
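An added helper (not from this thread or from the articles it discusses) that builds and audits the RPC proxy's ValidPorts registry string from the port list above. It assumes the value name and path the RPC proxy reads (HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts) and the "host:port" / "host:lo-hi" entry syntax; the server names are constructed.

```python
"""Build and audit the RPC-over-HTTP proxy's ValidPorts registry value.

The RPC proxy forwards only to the host:port pairs listed in the REG_SZ
HKLM\\Software\\Microsoft\\Rpc\\RpcProxy\\ValidPorts.  Expected ports follow
the post above: back-end Exchange servers need 593, 6001, 6002 and 6004;
global catalog servers need 593 and 6004.  Host names are constructed.
"""
from collections import defaultdict

EXCHANGE_PORTS = {593, 6001, 6002, 6004}
GC_PORTS = {593, 6004}


def build_valid_ports(backends, gcs):
    """Return a ValidPorts string covering exactly the required ports."""
    entries = []
    for host in backends:
        entries.append(f"{host}:593;{host}:6001-6002;{host}:6004")
    for host in gcs:
        if host not in backends:  # a DC that is also a back-end is covered above
            entries.append(f"{host}:593;{host}:6004")
    return ";".join(entries)


def parse_valid_ports(value):
    """Expand 'host:port' and 'host:lo-hi' entries into host -> set(ports)."""
    ports = defaultdict(set)
    for entry in filter(None, value.split(";")):
        host, _, spec = entry.rpartition(":")
        if not host or not spec:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo, _, hi = spec.partition("-")
        ports[host.lower()].update(range(int(lo), int(hi or lo) + 1))
    return dict(ports)


def audit_valid_ports(value, backends, gcs):
    """List hosts missing required ports or exposed beyond the required set."""
    expected = {h.lower(): set(EXCHANGE_PORTS) for h in backends}
    for h in gcs:
        expected.setdefault(h.lower(), set()).update(GC_PORTS)
    actual = parse_valid_ports(value)
    issues = []
    for host in sorted(set(expected) | set(actual)):
        missing = expected.get(host, set()) - actual.get(host, set())
        extra = actual.get(host, set()) - expected.get(host, set())
        if missing:
            issues.append(f"{host}: missing ports {sorted(missing)}")
        if extra:
            issues.append(f"{host}: unnecessary ports {sorted(extra)}")
    return issues
```

Feeding the value exported from the proxy box into audit_valid_ports flags both a back-end that cannot be reached (missing port) and an over-broad range that would let the proxy relay to ports it has no business reaching.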
Dr. Shinder and other contributors, Thank you for all the information you all have provided, I really appreciate your work.
I have been going through the process to get RPC working over HTTP to an Exchange server, and I have a question regarding the IPSec between the back-end and front-end Exchange servers. My front-end and back-end Exchange servers are both also the domain controllers for my AD. I haven't read anything that says that is an issue, but when I go to access the Local Security Policy on either machine it isn't available; instead there are Domain Security Policy and Domain Controller Security Policy options. I went ahead and attempted to create the policies according to the article, but because they are for the domain rather than the local machines, they each show up on both machines. I am unable to assign them both at the same time, and if I do assign one, then the other machine loses access to the Security Policy editor entirely.
I may be writing this prematurely as I am betting that there is a way to create a single domain policy to accomplish what the two machine policies would normally do. Unless there is a way to manage local security policy on a domain controller that I haven't yet found? I would appreciate any recommendations or information. Thank you, Carson
Tom, thanks for yet another EXCELLENT walkthrough.
In my situation, I have a single-EX2k3 installation.
I saw the note, above, that an IIS6 box can perform as the RPC>HTTP proxy server...
...but...
...is it possible (and secure) to have the single-EX2K3 box run the RPC>HTTP proxy site *locally*, with the proxy site registry entries referring back to 127.0.0.1, or something like that?
I have been successful in configuring the RPC over HTTP Proxy and everything seems to be fine, except for one thing. My users get the auth dialog box popping up when they start Outlook on a remote network. I acknowledge that this is the way it should go with Basic authentication, so I configured the RPC virtual dir in IIS to use Integrated auth, and configured Outlook to use Integrated auth as well. Now I still get the auth dialog box, where there's a new checkbox (save password), but I can't get my clients to save the password; it keeps on forgetting it every time. I also tried putting the site hosting the RPC over HTTP proxy directory into the Trusted Zone in Internet Explorer, hoping that it would do an automatic login, but nothing happened... the login dialog still keeps on coming up. Any ideas to solve this problem?