RPC over HTTPS: Requirements and Best Practices
This page outlines some of the information you need for RPC/HTTPS and some tips on what you can do to ensure that it is a success.
System Requirements
Domain Requirements
At least one Windows 2003 Global Catalog Domain Controller.
This feature does not work with Windows 2000 domain controllers.
Server Requirements
- Windows 2003 Server
- Exchange 2003 Server
- or Small Business Server 2003 with Exchange 2003 installed.
- Commercial SSL Certificate (get a cheap certificate from certificatesforexchange.com)
Client Requirements
- Outlook 2003
- Windows XP Service Pack 2 or higher (it is possible to use it with Windows XP SP1, with a hotfix, but you should have upgraded to at least Service Pack 2 by now)
- If you are using a self-generated certificate (not recommended), then install the certificate on your test machine.
Take your time...
When trying to get this feature operating do not attempt to rush too far ahead too quickly.
Test the web site first to ensure that you aren't getting any certificate errors.
Then test the client on the local area network. Only once you are sure that you are getting HTTPS connections should you think about using the facility from an external connection.
Certificates
Always use a commercial certificate. Trying to use a self-generated certificate will cause any number of problems which make it harder to troubleshoot. One of the cheapest and most widely trusted certificates is the one from certificatesforexchange.com.
If you are using the default web site for both RPC and OWA, then the same certificate will protect both.
Using a real certificate provides two benefits.
- It is trusted by the web browser without having to install anything. This stops the prompt about trusting the certificate from appearing. You should stop users from seeing that message wherever possible. If users get used to clicking "OK" on your site, then they may do the same thing on other sites, including sites that are impersonating legitimate ones. As network administrators we are responsible for some of the user education, and the message should be consistent: no exceptions.
- For RPC/HTTPS to work correctly, there cannot be a trust prompt at all. It is never displayed and Outlook cannot answer it, so the HTTPS connection fails and Outlook falls back to trying TCP/IP connections.
Certificate Name Choice
When you are setting up the URL and naming convention for the certificate, use a generic name instead of the actual name of the server. Instead of "server1.domain.com" use "mail.domain.com".
In the event that you upgrade your Exchange server to a new machine, which has a new name, Outlook will redirect automatically to the new server. However, the RPC over HTTPS configuration will NOT automatically update. By using a generic name you can simply move the certificate to the new machine and adjust the DNS.
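Because Outlook can never click through a certificate warning, it is worth checking the certificate on the published name the way Outlook effectively does before rolling the profile out. The script below is an added example and is not code from the original article; it works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the checks can be run offline against the constructed sample, and the host names and certificate values are assumptions for illustration only.

```python
"""Added example (not from the original article): check the certificate on the
RPC/HTTPS name for the conditions that would make Outlook silently fall back
to TCP/IP: name mismatch, expiry, and a self-signed (untrusted) issuer.
"""
import socket
import ssl
import time


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Connect to the published name and return the server certificate.

    create_default_context() validates the chain against the machine's trust
    store and checks the host name, so an ssl.SSLCertVerificationError here is
    exactly the condition that makes Outlook give up on HTTPS.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v.lower() for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the left-most label."""
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means Outlook will accept it."""
    now = time.time() if now is None else now
    hostname = hostname.lower()
    problems = []
    names = dns_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate covers {names}, client uses {hostname}")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed certificate: clients will not trust it without manual installation")
    if "notBefore" in cert and now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


# Constructed sample in getpeercert() shape: a commercial certificate issued
# for the generic name mail.example.com (an assumption), valid for two years.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_cert.py mail.yourdomain.com
        host = sys.argv[1]
        problems = check_certificate(fetch_peer_cert(host), host)
    else:
        problems = check_certificate(SAMPLE_CERT, "mail.example.com", SAMPLE_NOW)
    for line in problems or ["OK: no certificate problems found"]:
        print(line)
```

Run it against the generic name you intend to put in the Outlook profile, not the server's real name, since that is the name the certificate must match. A verification error raised by fetch_peer_cert is the same failure a browser would turn into a prompt.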
Use Split DNS
If you decide to implement this technology then you should use a split DNS system. This ensures that the name resolves correctly both internally and externally: to the server's LAN address from inside, and to the public address of the firewall from outside. The primary reason for this is to allow the users to use RPC/HTTPS both inside and outside the network without having to change the Outlook configuration.
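A quick way to confirm the split is working is to compare what each side's resolver returns for the published name. The script below is an added example, not part of the original article: the name and addresses are constructed for illustration, and it treats the RFC 1918 ranges as "internal", which is the usual corporate LAN case.

```python
"""Added example (not from the original article): sanity-check the answers a
split-DNS setup gives for the RPC/HTTPS name from inside and outside.
"""
import ipaddress
import socket

# RFC 1918 ranges: what a corporate LAN normally uses (assumption for this check).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_address(text):
    """True for RFC 1918 and loopback addresses; everything else counts as public."""
    addr = ipaddress.ip_address(text)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def check_split_dns(name, internal_answers, external_answers):
    """Return findings for the A records each side of the split returns for `name`."""
    findings = []
    if not internal_answers:
        findings.append(f"{name}: no answer from internal DNS; LAN clients cannot reach the RPC proxy by its published name")
    if not external_answers:
        findings.append(f"{name}: no answer from public DNS; remote clients cannot connect")
    for a in internal_answers:
        if not is_internal_address(a):
            findings.append(f"{name}: internal DNS returns public address {a}; LAN clients will hairpin through the firewall, which only works if it supports that")
    for a in external_answers:
        if is_internal_address(a):
            findings.append(f"{name}: public DNS returns private address {a}; remote clients cannot route to it")
    return findings


def resolve_here(name):
    """A records via this machine's current resolver. Run once on the LAN and once from outside."""
    return sorted(set(socket.gethostbyname_ex(name)[2]))


# Constructed answers showing what a correct split looks like.
SAMPLE_NAME = "mail.example.com"
SAMPLE_INTERNAL = ["192.168.10.25"]   # the Exchange server on the LAN
SAMPLE_EXTERNAL = ["203.0.113.25"]    # the firewall address forwarding 443 to it


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_split.py mail.yourdomain.com internal|external
        name, side = sys.argv[1], sys.argv[2]
        answers = resolve_here(name)
        findings = (check_split_dns(name, answers, SAMPLE_EXTERNAL) if side == "internal"
                    else check_split_dns(name, SAMPLE_INTERNAL, answers))
    else:
        findings = check_split_dns(SAMPLE_NAME, SAMPLE_INTERNAL, SAMPLE_EXTERNAL)
    for line in findings or ["split DNS looks consistent"]:
        print(line)
```

When run with a real name, the script can only see the resolver of the machine it runs on, so collect the answers from a LAN machine and from a machine outside the network and feed both lists to check_split_dns.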
Configure Outlook to use RPC/HTTPS for both slow and fast connections
There is an option in the RPC/HTTPS configuration to use TCP/IP on fast connections, which sounds ideal for allowing a direct connection when on the LAN and using RPC/HTTPS when away from the office. In our experience it is easily confused when the machine is connected to another network, which could be another corporate network or even a home network. Enable RPC/HTTPS for both fast and slow connections and this isn't an issue. You just need to make sure that the same name that works externally also works internally.
Test the System from Outside using Microsoft's Test Site
Microsoft has created a test site for Exchange features. Use a test account with it rather than a real user's credentials.
https://testexchangeconnectivity.com
Configure Dumpster Always On for All Users
If you use Recover Deleted Items for Outlook users, you should be aware that it does not work for folders other than Deleted Items unless you have made the "dumpster always on" change first. This change is discussed in this KB article: http://support.microsoft.com/kb/886205 and the registry key is available for easy import from our Recover Deleted Items web page.