Note – the procedure for Exchange 2007 is essentially the same as for Exchange 2003 – just pay special attention to the port 443 binding to the IP/certificate and the 'valid ports' – even though Windows says it has adjusted the valid ports automatically, it hasn't done it the way we want it :)
-Create the certificate for use on IIS and IE on the server and client
Use any Linux box with openssl installed and run the following:
Make sure that the common name is the name of the RPC proxy (i.e. the internet-facing machine, e.g. the firewall) and not the internal NetBIOS name of the Exchange server.
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out naledi.p12
(you can call the .p12 file anything)
On the server, use IIS - default website and SBS apps – 'server certificates' to import this certificate from the p12 file. You may have to remove all other certificates to ensure we are using the correct one.
On the client, use IE and import the p12 file into the Trusted Root Certification Authorities.
Also, install the certificate on the server by right-clicking on the file and selecting Install. Enter the default password that was assigned when the certificate was made (normally tttt).
Then when viewing the certificate in IIS on the server it should now show that it is intended for the following purposes:
All issuance policies
All application policies
If the certificate, when viewed says something like “This has been revoked”, then remove the certificate from “Untrusted Publishers” in the certificate section of IE.
-Configure the exchange server to use RPC over HTTPS
Under control panel, double click 'Programs and Features' and make sure that RPC over HTTP proxy has been installed (on SBS it normally is already).
If not, install it, but make sure it sits under SBS applications and NOT the default website, or your bindings will be wrong and SBS apps will be forced to use port 80, whereas RPC must use 443.
-Enable Outlook Anywhere in the Exchange Management console
In the console tree, expand server configuration and click 'client access'.
In the action pane click 'Enable Outlook Anywhere'.
In the Enable Outlook Anywhere wizard, type the external hostname of the site in the box under 'External hostname' (e.g. mail.ditsela.org.za), not the hostname of the Exchange server itself.
Select basic authentication in the drop down list.
Ignore the part about SSL offloading.
Click Enable to apply these settings.
Click finish to close the wizard.
Now wait between 10 and 20 minutes and you should get event ID 3006 in the event viewer saying that Outlook Anywhere has been enabled and that the ValidPorts entry has been amended successfully (it hasn't!).
Double check the following registry keys and amend if necessary – especially the validports one:
-Configure the RPC proxy server to use the correct ports
Check the following keys in the registry are correct:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value name: Rpc/HTTP Port
Value type: REG_DWORD
Value data: 0x1771 (Decimal 6001)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)
The following key you will have to amend yourself (here using naledi as an example, where:
ws1 = the internal NetBIOS name of the Exchange server
fw1.naledi.org.za = the external internet-facing machine you will specify as the RPC proxy)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts
ws1:593;ws1:6001-6002;ws1.naledi.org.za:593;ws1.naledi.org.za:6001-6002;fw1.naledi.org.za:593;fw1.naledi.org.za:6001-6002;ws1:6004;ws1.naledi.org.za:6004;fw1.naledi.org.za:6004
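As an added check that is not part of the original note: the ValidPorts string Windows writes is easy to get subtly wrong, so this Python helper (hostnames are the note's own ws1/naledi example; the "auto-written" value below is constructed for illustration) builds the value from the three names and reports which host:port pairs an existing value fails to permit.

```python
# Added example, not from the original note: build and check the RpcProxy
# ValidPorts value for the three names Outlook Anywhere clients may use.
import re

# 593 = RPC endpoint mapper, 6001 = store, 6002 = referral, 6004 = NSPI (address book)
RPC_PORTS = (593, 6001, 6002, 6004)

# Constructed sample of the kind of value the wizard may leave behind: no
# external proxy name and no port 593, which the note says must be fixed by hand.
CONSTRUCTED_AUTO_VALUE = "ws1:6001-6002;ws1.naledi.org.za:6001-6002;ws1:6004;ws1.naledi.org.za:6004"


def required_entries(netbios, fqdn, proxy_fqdn, ports=RPC_PORTS):
    """Every (host, port) pair the RPC proxy must be allowed to forward."""
    return {(h.lower(), p) for h in (netbios, fqdn, proxy_fqdn) for p in ports}


def parse_valid_ports(value):
    """Expand 'host:port;host:lo-hi;...' into a set of (host, port) pairs."""
    entries = set()
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"([^:\s]+):(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {item!r}")
        host, lo = m.group(1).lower(), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if hi < lo:
            raise ValueError(f"bad port range in ValidPorts entry: {item!r}")
        entries.update((host, p) for p in range(lo, hi + 1))
    return entries


def build_valid_ports(netbios, fqdn, proxy_fqdn):
    """Render the value in the same shape the note uses (593, 6001-6002, 6004 per host)."""
    parts = []
    for h in (netbios, fqdn, proxy_fqdn):
        parts += [f"{h}:593", f"{h}:6001-6002", f"{h}:6004"]
    return ";".join(parts)


def missing_entries(value, netbios, fqdn, proxy_fqdn):
    """Sorted list of (host, port) pairs the registry value does not permit."""
    return sorted(required_entries(netbios, fqdn, proxy_fqdn) - parse_valid_ports(value))
```

Run `missing_entries` against the current registry value before and after editing it; an empty result means every host:port pair Outlook Anywhere needs is covered.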
-Configure the SBS root and RPC virtual directory in Internet Information Services
Click the Directory Security tab for SBS applications (which should propagate down through to rpc), and then click Edit under Authentication and access control.
Click to clear the Enable anonymous access check box.
Click to select the Basic authentication (password is sent in clear text) check box.
Under SBS applications in IIS check the bindings setting for port 443 and make sure the IP address of the local machine is specified as well and the certificate we installed/specified earlier.
Also, set SBS apps as well as RPC to use SSL and require 128-bit encryption.
-Configure the firewall to DNAT port 443 to the internal IP address of the Windows box
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 443 -d 192.168.0.3 -o $INTIF -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 443 -j DNAT --to 192.168.0.3:443
(At most sites I also forwarded 6001/2/4 but supposedly this is unnecessary)
Client Side
-Add the certificate into IE as described earlier
-Add the RPC profile into Outlook
Open the control panel, double click Mail, click Profiles, click Add, select the NetBIOS name of the Exchange server, and on the Connection tab under 'More settings', select:
Connect to my Exchange mailbox using HTTP
Click on Exchange Proxy Settings and enter the external name (e.g. https://mail.igd.org.za) and change authentication to 'Basic Authentication'.
You will also need to specify Mutually authenticate this session when connecting with SSL.
In the case of Ditsela we used:
msstd:mail.ditsela.org.za
Save the profile and test.