Microsoft KB Archive/884506

= How to configure ISA Server 2006 or ISA Server 2004 to allow for RPC over HTTP client connections from Office Outlook 2003 to Exchange Server 2003 =

Article ID: 884506

Article Last Modified on 12/4/2007

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

INTRODUCTION
This step-by-step article describes how to configure Microsoft Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004 so that Remote Procedure Call (RPC) over HTTP client connections can pass from Microsoft Office Outlook 2003 to Microsoft Exchange Server 2003. The RPC over HTTP feature makes it possible for remote client computers that are running Microsoft Windows Server 2003, Microsoft Windows XP Service Pack 1, or later versions of Microsoft Windows, to connect to an Exchange server without the need for a virtual private network (VPN) connection. You can configure the RPC over HTTP traffic to be sent through an ISA Server-based computer on your network by creating a Secure Sockets Layer (SSL) Web Publishing rule on the ISA Server-based computer.

Note You must confirm that RPC over HTTP traffic is functioning correctly on the Exchange server before you configure RPC over HTTP traffic to pass through the ISA Server-based computer. For more information about how to deploy Exchange Server 2003 RPC over HTTP, click the following article numbers to view the articles in the Microsoft Knowledge Base:

840255 The "Exchange Server 2003 RPC over HTTP deployment scenarios" guide is available

833401 How to configure RPC over HTTP in Exchange Server 2003

827330 How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003

For more information about Exchange Server 2003 RPC over HTTP, visit the following Microsoft Web sites:

 * Exchange Server 2003 RPC over HTTP Deployment Scenarios: http://www.microsoft.com/downloads/details.aspx?FamilyID=f7d2d6e5-579f-4779-a6b8-7ef931ec02a5&DisplayLang=en
 * Remote Procedure Calls Using RPC over HTTP: http://msdn2.microsoft.com/en-us/library/aa375384.aspx
 * Configuring Outlook 2003 for RPC Over HTTP: http://office.microsoft.com/en-us/ork2003/HA011402731033.aspx



Export a Web server certificate from the IIS-based computer that hosts the RPC proxy site

 * 1) On the Web server computer, start Microsoft Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
 * 2) Expand the computer node, expand Web Sites, right-click the Web site that you want to export the certificate from, and then click Properties.
 * 3) Click the Directory Security tab, and then click View Certificate.
 * 4) In the properties of the certificate, make sure that the certificate says "You have a private key that corresponds to this certificate."
 * 5) Click the Details tab, click Issuer, and then click Copy to File.
 * 6) Click Next, click Yes, export the private key, and then click Next.
 * 7) In the Export File Format dialog box, click Personal Information Exchange – PKCS #12 (.PFX).
 * 8) Click to select the Include all certificates in the certification path if possible check box.
 * 9) Make sure that the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box and the Delete the private key if the export is successful check box are cleared.
 * 10) On the Password page, type a password, and then confirm the password.
 * 11) On the File to Export page, type the location where you want to save the exported certificate, and then click Next. For example, type c:\webcert.pfx, and then click Next.
 * 12) On the Completing the Certificate Export Wizard page, click Finish.
 * 13) When the Certificate Export Wizard dialog box informs you that the export was successful, click OK.
 * 14) Click OK to close the Default Web Site Properties dialog box.

On the ISA Server computer, import the Web server certificate from the IIS-based computer that hosts the RPC proxy site, and then install the certificate

 * 1) On the ISA Server computer, click Start, click Run, type mmc in the Open box, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, and then click Certificates. Click Add, click Computer account, click Next, click Finish, click Close, and then click OK.
 * 2) Expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Import.
 * 3) Click Next, click the certificate file that you want to import, and then click Next.
 * 4) In the Password box, type the password to decrypt the private key, click to select the Mark this key as exportable check box, and then click Next.
 * 5) Leave the Place all certificates in the following store option selected, make sure that Personal is selected in the Certificate store box, click Next, and then click Finish.
 * 6) When you receive the following message, click OK:
      The import was successful.
 * 7) Expand Personal, and then click Certificates.
 * 8) Make sure that the certificate with the name of the Web server computer appears in the right pane. You might have to update the display before this certificate appears.
 * 9) Right-click the Web server certificate, and then click Properties.
 * 10) If the Enable all purposes for this certificate option is selected, click Enable only the following purposes, click Apply, and then click OK.

Create a new Web publishing rule on the ISA Server computer
Note If you already have a Microsoft Outlook Web Access (OWA) Web publishing rule and the OWA server is also the RPC proxy server, you can add /RPC/* to the path instead of creating a new rule.

ISA Server 2006

 * 1) Start the ISA Server Management tool.
 * 2) Expand  .
 * 3) Right-click Firewall Policy, point to New, and then click Exchange Web Client Access Publishing Rule.
 * 4) In the Exchange Publishing rule name box of the New Exchange Publishing Rule Wizard, type a descriptive name for the new publishing rule, and then click Next.
 * 5) In the Exchange version list, click Exchange Server 2003, click to select the Outlook RPC/HTTP(s) check box, and then click to clear the following check boxes:
      * Outlook Web Access
      * Outlook Mobile Access
      * Exchange ActiveSync
      Click Next.
 * 6) Leave the default Publish a single Web site or load balancer option selected, and then click Next.
 * 7) Click Use SSL to connect to the published Web server or server farm, and then click Next.
 * 8) In the Internal site name box, type the DNS name that internal users use to access the Web site. For example, type .example.com.
      Note The internal name must match the name that appears on the server certificate that is installed on the internal Web server.
 * 9) Click to select the Use a computer name or IP address to connect to the published server check box, type the name of the computer or the IP address of the computer that hosts the RPC Proxy in the Computer name or IP address box, and then click Next.
 * 10) In the Accept requests for list, click This domain name (type below), type the DNS name that external users must use to access the Web server. For example, type mail.example.com. In this domain name, replace  with the publicly-accessible alias that you use for the Web site.
 * 11) Click Next.
 * 12) On the Select Web Listener page, click New.
 * 13) On the Welcome to the New Web Listener Wizard page, type a descriptive name in the Web listener name box, and then click Next.
 * 14) Leave the default Require SSL secured connections with clients option selected, and then click Next.
 * 15) On the Web Listener IP Addresses page, click to select the External check box, and then click Next.
 * 16) Click Select Certificate, click the server certificate that you previously imported, and then click Select.
      Note Make sure that the name on the certificate matches the name that is used by Office Outlook 2003 clients to connect. If the certificate does not match, the Office Outlook 2003 connection does not work, the Office Outlook 2003 user does not receive a warning, and the user cannot continue.
 * 17) Click Next.
 * 18) In the Select how clients will provide credentials to ISA Server list, click HTTP Form Authentication, and then click Next.
      Note For more information about the authentication methods that are available, click the authentication settings link.
 * 19) If you want to enable the Single Sign On functionality, click to select the Enable SSO for Web sites published with this Web listener check box, and then type the Single Sign On domain in the SSO domain name box. For example, type .example.com.
      Note In this example, note the period (dot) that appears before "example.com."
 * 20) Click Next. Review the settings on the Completing the New Web Listener Wizard page, and then click Finish.
 * 21) If you configured a different authentication method in step 18, examine the value of the Require all users to authenticate check box for this Web listener. To do this, follow these steps:
      * On the Select Web Listener page, click Edit.
      * Click the Authentication tab, and then click Advanced.
      * If the Require all users to authenticate check box is selected on the Web listener, you must reconfigure the Web listener to use basic authentication.
      * Click OK two times.
 * 22) On the Select Web Listener page, click Next.
 * 23) In the Select the method used by ISA Server to authenticate to the published Web server list, click Basic authentication, and then click Next.
 * 24) On the User Sets page, leave the All Authenticated Users user set in the This rule applies to requests from the following user sets box, click Next, and then click Finish. For more information about what to do if you are not using the default settings in the HTTP filter configuration, click the following article number to view the article in the Microsoft Knowledge Base:
      823175 Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment
      For more information about HTTP filtering, visit the following Microsoft Web site:
      http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx
 * 25) Click Apply to apply the changes to the firewall policy, and then click OK.

ISA Server 2004

 * 1) Start the ISA Server Management tool.
 * 2) Expand  .
 * 3) Right-click Firewall Policy, point to New, and then click Web Server Publishing Rule.
 * 4) Type a descriptive name for the new server publishing rule, and then click Next.
 * 5) If the Allow option is not selected, click Allow, and then click Next.
 * 6) Under Computer name or IP address, type the name of the computer or the IP address of the computer that hosts the RPC Proxy, type the path of the file or folder you want to publish in the Path box, and then click Next.
 * 7) Under Accept requests for, you can configure the rule to accept all requests, or only to accept requests for a specific domain name.
 * 8) Type the domain name in the Public name box, and then click Next. For example, type. .com, and then click Next.
 * 9) On the Select Web Listener page, click New.
 * 10) On the Welcome to New Web Listener Wizard page, type a descriptive name in the Web listener name box, and then click Next.
 * 11) On the IP Addresses page, click to select the External check box, and then click Next.
 * 12) On the Port Specification page, click to select the Enable SSL check box, and then click Select.
 * 13) Click the server certificate that you previously created, and then click OK.
      Note Make sure that the name on the certificate matches the name that is used by Office Outlook 2003 clients to connect. If the certificate does not match, the Office Outlook 2003 connection does not work, the Office Outlook 2003 user does not receive a warning, and the user cannot continue.
 * 14) Click Next, and then click Finish.
 * 15) On the Select Web listener name page, click Edit.
 * 16) Click the Preferences tab, and then click Authentication.
 * 17) If the Require all users to authenticate check box is selected on the Web listener, you must reconfigure the Web listener to use basic authentication.
 * 18) Click OK two times.
 * 19) On the Select Web Listener page, click Next.
 * 20) On the User Sets page, click All Users, click Next, and then click Finish. For more information about what to do if you are not using the default settings in the HTTP filter configuration, click the following article number to view the article in the Microsoft Knowledge Base:
      823175 Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment
      For more information about HTTP filtering, visit the following Microsoft Web site:
      http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx
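
Both procedures above depend on two name matches: the listener certificate must carry the name that Outlook clients connect to, and the internal site name must appear on the certificate installed on the internal Web server. The following Python code is an added example, not part of the original article, that checks both before any Outlook test; the function names, the exact-match rule and the host name exch01 are assumptions made for the example.

```python
import socket
import ssl


def fetch_cert_names(host, port=443, timeout=10):
    """Return CN and DNS subjectAltName values of the certificate a server presents.

    Chain validation stays on (an untrusted issuing CA raises an ssl.SSLError);
    hostname checking is off because the comparison is done explicitly below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def name_on_cert(cert_names, expected):
    """Exact, case-insensitive match; this example does not count wildcard entries."""
    want = expected.rstrip(".").lower()
    return any(n.rstrip(".").lower() == want for n in cert_names)


def check_publishing_rule(listener_names, public_name, proxy_names, internal_site_name):
    """Check both SSL legs of the publishing rule; return a list of problems."""
    problems = []
    if not name_on_cert(listener_names, public_name):
        problems.append(
            f"listener certificate {listener_names} lacks public name {public_name!r}")
    if not name_on_cert(proxy_names, internal_site_name):
        problems.append(
            f"RPC proxy certificate {proxy_names} lacks internal site name {internal_site_name!r}")
    return problems


# Constructed sample: the certificate exported from IIS is reused on the ISA listener,
# so both legs present the same name. "exch01" is a hypothetical internal host name.
SAMPLE_CERT_NAMES = ["mail.example.com"]

if __name__ == "__main__":
    # To check live servers instead, pass fetch_cert_names("<host>") for either leg.
    for internal in ("mail.example.com", "exch01"):
        found = check_publishing_rule(
            SAMPLE_CERT_NAMES, "mail.example.com", SAMPLE_CERT_NAMES, internal)
        print(internal, "->", found or "both names match")
```

Because the same exported certificate sits on both the RPC proxy and the ISA listener in this procedure, an internal site name that differs from the public name shows up here as a problem on the internal leg.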

Troubleshooting

 * Make sure that RPC over HTTP traffic is functioning correctly internally. You must allow access from ISA Server to the Web server that hosts the RPC proxy before you can test traffic from ISA Server. If ISA Server is configured as an Edge Firewall and the RPC proxy is located on the internal network, you must have either of the following rules:
      * A rule that allows SSL from the Localhost object to the Internal network.
      * A rule that allows all IP traffic from the Localhost object to the Internal network.

   To test the RPC over HTTP traffic, type https:// /rpc in a Web browser, and then press ENTER. If you receive the following warning message, click OK:

      You are about to view pages over a secure connection.
      Any information you exchange with this site cannot be viewed by anyone else on the Web.

   If you receive a message that states that the certificate was issued by a company that you have not chosen to trust, make sure that the client computer trusts the root certification authority (CA) that issued the certificate. Typically, you receive this message when you do not configure the server to use a third-party certificate.

   When you are prompted for your credentials, type your user name in the Universal Naming Convention (UNC) format, type your password, and then click OK. For example, type your user name in the \  format, and then click OK.

   The following error message is the expected behavior and indicates that both the server and the client are correctly configured:

      The page cannot be displayed
      HTTP Error 403.2 - Forbidden: Read access is denied.
      Internet Information Services (IIS)

   For additional information about how to troubleshoot SSL-configuration problems by using the SSL Diagnostic Utility for IIS, visit the following Microsoft Web site:

   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/ssldiags.mspx

 * If you have Windows Server 2003 Service Pack 1 (SP1) installed, you are prompted to enter your credentials three times instead of one time. After you enter your credentials for the third time and then click OK, you receive the following error message:

      You are not authorized to view this page
      You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.
      HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
      Internet Information Services (IIS)

   This error message is the expected behavior. The error message indicates that the RPC virtual directory on the server is correctly configured.

   Alternatively, you can use the Web browser to locate the Rpcproxy.dll file that is hosted in the RPC virtual directory. To do this, follow these steps:
      * 1) On the client computer, start Microsoft Internet Explorer, type the URL of the Rpcproxy.dll file that is hosted in the RPC virtual directory in the Address list, and then click Go. For example, type https://mail.contoso.com/rpc/rpcproxy.dll, and then click Go.
      * 2) When you are prompted for credentials, type a user name in the UNC format, type a password, and then click OK.

   You see a blank page in the Web browser together with a lock icon in the Internet Explorer status bar. The lock icon signifies that you have successfully established a secured (SSL) connection to the server. This behavior indicates that the RPC virtual directory is configured correctly on the server.

 * If you use Web publishing and the domain name is the same on the internal network and the external network, it is a good idea to confirm that the ISA Server computer can successfully resolve all the names that are used in the publishing rule to the RPC proxy server. If all the names are not resolved successfully, you can change the hosts file on the ISA Server computer.

 * If a remote user is prompted for logon credentials multiple times, the remote user may be typing credentials in the wrong format. Remote users must use the \  format.

 * You can verify the RPC over HTTP connection to the computer that is running Exchange. To do this, follow these steps:
      * 1) Click Start, click Run, type outlook /rpcdiag in the Open box, and then click OK.
      * 2) Type your credentials in the User name box and in the Password box, and then click OK. If HTTPS appears in the Conn column in the Exchange Server Connection Status dialog box, a service is connected by using RPC over HTTP.
           Note The Exchange Server Connection Status window may appear directly behind the Outlook program window.

Keywords: kbhowto kbhowtomaster kbinfo kbfirewall kbisa2006swept KB884506

© Microsoft Corporation. All rights reserved.