Exchange 2003

RPC over HTTPS: Server Configuration

RPC over HTTPS Section Home Page

There have been lots of articles written about how to setup RPC/HTTPS on the server side. The settings and information on this page have been taken from a working implementation, and then tested on other installs.

• If you are using Exchange 2003 SP1 or higher then you may not need the settings on this page. If you are using a front-end/back-end scenario (at least two Exchange servers), then you do not need these settings, unless you are having problems with the GUI.
  If you have tried to use the GUI interface then you need to change it back to "Not Part of an Exchange Managed RPC-HTTP Topology" and then use the registry keys.
  Remember: GUI or Registry - not both.
• If you are using a single Exchange server then you need to make a setting change in the GUI and then make registry changes as well.

Server Requirements

• Windows 2003 Server
• Exchange 2003 Server or Small Business Server 2003 with Exchange 2003 installed.
• SSL Certificate (get a cheap certificate from certificatesforexchange.com )

These instructions are NOT required for Exchange 2007 or higher.

Required Components Setup

Install the "RPC over HTTP Proxy" on the server that is hosting the public facing web site. If this is a front-end/back-end then it is the front-end server. If if it a single server, then it will be the Exchange server.
You will find RPC Proxy in Add/remove Programs --> Add/Remove Windows Components --> Networking Services
You do NOT install this component on your domain controllers unless you are in a single server environment.

GUI Settings

Exchange Server Service Pack 1 introduced a new setting in Exchange System Manager (ESM) for configuring RPC/HTTP. A setting needs to be made, in all circumstances.
You can find the required GUI setting in "Administrative Groups, <your admin group>, Servers. Right click on your server and choose Properties.

• Single Server: You can either leave the GUI as it is "Not part of an Exchange managed topology" or set the GUI to Back-end Server. It doesn't seem to make a difference. With the latter, you will get one, maybe two error messages. Both of these should be acknowledged.
• Front-end / Back-end scenario: Adjust the GUI as required.
• For troubleshooting or configuring Front-end / Back-end scenario manually: Set the GUI to "Not part of an Exchange Managed RPC-HTTP topology"

Registry Changes

Two sets of registry changes are required and it is these settings that have caused most of the problems. While Microsoft aren't recommending all of these changes, they have come from a live working machine.

Usual registry disclaimer and warnings apply - Sembee Ltd cannot be held responsible for any damage caused to your machine by a registry change outlined below. Always ensure that your registry is backed up before commencing any modifications.

The list of entries will be in one single line when entered in to the registry with no spaces, however they are here on separate lines for easy reading.

Domain Controller Registry Changes - All Scenarios

The domain controller needs to be a Global Catalog Server, but only requires one entry.
If this is a single server (Exchange and DC on the same machine - for example an SBS 2003) then you make this change on the same machine.

Copy and paste the following text in to notepad and save it as rpc-http-dc.reg, changing the file type to All Types so that it is saved as a registry file. Then double click on it to install.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters] "NSPI Interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,\ 68,00,74,00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

That key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Type REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004

You shouldn't have to reboot, but if the settings don't appear to work in initial testing, then you should reboot to ensure the settings have taken correctly.

Exchange Server Registry Changes

All the changes below are made in the same place, just pick the scenario that matches your environment, then replace the sample entries with the actual names of your environment.

Using the Samples

1. Copy the sample in to notepad and then use "Replace" to replace the information.
2. Remove Word wrap option (on the format menu).
3. Set the cursor to to the top of the text, press "End" on your keyboard and then delete. Do not press any other keys. Then repeat (end and then delete). This will put all of the text on to one line. No spaces between the entries.
4. Save the file as rpc-http-server.reg, changing the "File Type" to "All Types" so that the file is saved as a registry key
5. Double click on the file to install.

Registry Location

For reference, the location in the registry where these entries are going is:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy
Key:ValidPorts

NOTE: These are example registry entries, you need to adjust them to fit your particular domain, server name and FQDN - as per the notes beside each entry.

If you find that you already have an entry for 100-5000 then leave that in place.

Single Server Configuration

Exchange Server is also the domain controller
(Small Business Server fits in to this category)

Key:
server = domain controller/exchange server
domain.local = internal domain name
mail.external.com - external domain name - as per certificate and name configured in Outlook that the clients use for connection. If you are using the same domain name internally and externally, then change "domain.local" to match your domain.

(remember: single line before saving as a registry file)

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy] "ValidPorts"="server:100-5000; server:6001-6002; server:6004; server.domain.local:6001-6002; server.domain.local:6004; mail.external.com:6001-6002; mail.external.com:6004;"

Separate Exchange and Domain Controller Configuration

Where Exchange is on a member server - not the same server as the domain controller and NOT a front-end/back-end configuration.

Key:
exchange-server = Exchange Server
dc = Domain Controller with Global Catalog
domain.local = Internal domain name
mail.external.com = External certificate/domain name

(remember: single line before saving as a registry file)

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy] "ValidPorts"=" exchange-server:100-5000; exchange-server:6001-6002; exchange-server.domain.local:6001-6002; dc:6001-6002; dc.domain.local:6001-6002; exchange-server:6004; exchange-server.domain.local:6004; dc:6004; dc.domain.local:6004; mail.external.com:6001-6002; mail.external.com:6004; dc:593; dc.domain.local:593; exchange-server:593; exchange-server.domain.local:593; mail.external.com:593;"

Front-End / Back-end Server Configuration

Where there are two Exchange servers and a separate domain controller.

You should NOT need these registry settings though, as the GUI should configure everything for you and is the preferred method to set the feature in a Frontend/Backend Scenario.

Key:
server-fe = Front-end Exchange Server
server-be = Back-end Exchange Server
server-dc = Domain Controller with Global Catalog
domain.local = Internal domain name
mail.external.com = External certificate/domain name

(remember: single line before saving as a registry file)

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy] "ValidPorts"="server-fe:100-5000; server-be:6001-6002; server-be.domain.local:6001-6002; server-dc:6001-6002; server-dc.domain.local:6001-6002; server-be:6004; server-be.domain.local:6004; server-dc:6004; server-dc.domain.local:6004; mail.external.com:6001-6002; mail.external.com:6004; server-dc:593; server-dc.domain.local:593; server-be:593; server-be.domain.local:593; mail.external.com:593;"

Questions

Q: We use a different domain name for external users than we do internally. This means that it only works outside of the network. How can we enable the service for staff on the network as well, so that they don't have to change their settings?
A: You need to make your internal DNS servers accept requests for your external domain name. This is known as "Split DNS". Setup a new zone for the domain name and then enter internal addresses for hosts. If you need to access a resource that is outside your network ( a web site for example) then enter the external IP address instead. More information.

Q: I have multiple domain controllers. Can I use more than one in the registry settings?
A: Yes you can use more than one domain controller. Make sure that the other domain controllers are global catalog domain controllers and are Windows 2003.

However before duplicating things, getting it working with a single domain controller. When you know it is working, switch the domain controller listed to your other domain controller. Repeat for any others. Once you have tested all domain controllers independently, combine the entries. For example:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy] "ValidPorts"="exchange-server:100-5000; exchange-server:6001-6002; exchange-server.domain.local:6001-6002; dc1:6001-6002; dc1.domain.local:6001-6002; dc2:6001-6002; dc2.domain.local:6001-6002; exchange-server:6004; exchange-server.domain.local:6004; dc1:6004; dc1.domain.local:6004; dc2:6004; dc2.domain.local:6004; mail.external.com:6001-6002; mail.external.com:6004; dc1:593; dc1.domain.local:593; dc2:593; dc2.domain.local:593; exchange-server:593; exchange-server.domain.local:593; mail.external.com:593;"

More on RPC over HTTP: Client Setup - Client Diagnostics - Tips on Successful Implementation