Exchange 2007 has rebranded RPC/HTTPS, which is now called Outlook Anywhere, and has even made some slight modifications between RTM and Exchange 2007 SP1.
When using Outlook 2007, the Autodiscover service is heavily tied into Outlook Anywhere functionality; I am going to reference a previous posting that explains those functions in detail.
With Exchange 2007, in order to allow clients remote access to the mail system you will need to install an Exchange 2007 CAS server, which will allow clients to access their mail via IMAP, POP, OWA, ActiveSync, and RPC/HTTPS (Outlook Anywhere).
For this article I am going to skip the installation of each server role and just work with the configuration. The lab consists of 1 DC, 1 CAS/Hub and 1 MBX server running Windows 2003 and Exchange 2007 SP1.
RPC/HTTP was first introduced with Exchange 2003 and has been renamed Outlook Anywhere with Exchange 2007. In order to use this functionality with Exchange we must install the RPC over HTTP Proxy networking component on a server (recommended on your Exchange server).
What does this network component do for us?
RpcProxy.dll is an Internet Server API (ISAPI) extension that runs in Internet Information Services (IIS). RpcProxy.dll listens for activity on the RPC virtual directory.
RpcProxy.dll requires authentication and will not pass anonymous requests, even if IIS is configured for anonymous authentication.
When an Outlook client typically communicates with an Exchange server, the client attempts to connect via MAPI RPC. With RPC/HTTP, Outlook instead makes an HTTP connection to the RPC proxy server, which strips the HTTP layer and sends the RPC request to the appropriate Exchange server.
Installing the RPC/HTTP networking component:
1. From the Add/Remove programs select Windows components
2. Select Networking Services then details
3. Select RPC over HTTP Proxy -> OK
4. Click Next to start the installation
5. Click Finish to complete the installation
How do we verify the installation?
1. Validate that you have 2 virtual directories installed, called RPC and RPC with Cert
The 2 new virtual directories point to C:\WINDOWS\System32\RpcProxy, which is the location of rpcproxy.dll
2. Verify the RPC Proxy Server Extension is allowed in IIS (this will be enabled after you install the component)
Later we will look at a tool called rpc dump that can be used to troubleshoot connectivity problems.
After we have installed our CAS server we need to enable Outlook Anywhere, which can be done in one of two ways: 1. EMS (command line) or 2. EMC (GUI).
To work with Outlook Anywhere via EMS we would use the following set of commands: Get-OutlookAnywhere, Set-OutlookAnywhere and Enable-OutlookAnywhere.
A. Open EMS
B. Now we will use the Enable-OutlookAnywhere command to enable this feature
The following switches are available for the command:
Pre SP1:
Enable-OutlookAnywhere -DefaultAuthenticationMethod -ExternalHostname -SSLOffloading <$true | $false> [-Confirm] [-DomainController] [-Server] [-TemplateInstance] [-WhatIf]
Post SP1:
Enable-OutlookAnywhere -ClientAuthenticationMethod -ExternalHostname -SSLOffloading <$true | $false> [-Confirm] [-DomainController] [-IISAuthenticationMethods] [-Server] [-TemplateInstance] [-WhatIf]
For this demo I used the following command:
[PS] C:\>Enable-OutlookAnywhere -Server vmcashub -SSLOffloading:$false -ExternalHostname vmcashub.vn.local -ClientAuthenticationMethod basic -IISAuthenticationMethods basic
Note: if you use -DefaultAuthenticationMethod it will override -ClientAuthenticationMethod and -IISAuthenticationMethods.
Note: the ClientAuthenticationMethod setting is what Autodiscover will use to configure the client.
We can use the Get-OutlookAnywhere command to view our configuration.
Once we have enabled Outlook Anywhere, any future modifications will be done with the Set-OutlookAnywhere command (i.e. changing authentication).
a. Open EMC -> Server Configuration -> Client Access
b. Select the CAS server you want to enable
c. Click the button to Enable Outlook Anywhere
d. Enter the external name that clients will use to connect to your Exchange server; note that this name should match the name on your certificate. Select the authentication method of your choice
e. On the Completion page, click Finish
As you saw, there is very little configuration when enabling Outlook Anywhere; we have three options:
1. URL
2. Authentication
3. Enable SSL offloading
Once we have enabled Outlook Anywhere we can validate that the registry key has been configured with the correct ports for communication to our mailbox servers. Note that only the names listed in the key can be used by clients to connect; you will notice there is no IP address listed, so testing via IP address will fail through the RPC proxy.
1. Click Start, Run
2. Type Regedit - this will open the Registry Editor
4. Notice the DWORD value called Enabled is set to 1
5. There is a String value called "ValidPorts"
Note: if the ports are not listed it could take up to 15 minutes to update, or you can restart the Microsoft Exchange Service Host service.
We can see that the RPC proxy connects to our mailbox server on the following ports: 6001-6002 and 6004. Each port is defined below:
Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004
In our client testing we can validate that the proxy makes connections to our mailbox server on these ports.
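Since the proxy will only forward to the host:port entries in ValidPorts, that string is worth auditing, not just eyeballing. The following PowerShell is an added example (not part of the original post) that parses the value and flags any host or port outside the expected mailbox servers and the Outlook Anywhere ports 6001, 6002 and 6004; it assumes the value lives under the standard RPC over HTTP proxy key HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy, and the host names are constructed lab values.

```powershell
# Added example (not from the original post): audit the RpcProxy ValidPorts
# string so that only the expected mailbox servers and Outlook Anywhere ports
# (6001, 6002, 6004) can be reached through the RPC proxy.
# Assumed: the value lives under the standard RPC over HTTP proxy key
# HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy; host names below are lab values.
function ConvertFrom-ValidPorts {
    param([Parameter(Mandatory)][string]$ValidPorts)
    # Format: "host:port;host:low-high;..." - one entry per proxied endpoint.
    foreach ($entry in ($ValidPorts -split ';' | Where-Object { $_.Trim() })) {
        $hostName, $range = $entry.Trim() -split ':', 2
        if (-not $range) { continue }   # malformed entry without a port
        $low, $high = $range -split '-', 2
        if (-not $high) { $high = $low }
        [pscustomobject]@{ Host = $hostName; Low = [int]$low; High = [int]$high }
    }
}

function Test-ValidPorts {
    param(
        [Parameter(Mandatory)][string]$ValidPorts,
        [Parameter(Mandatory)][string[]]$ExpectedHosts,
        [int[]]$ExpectedPorts = @(6001, 6002, 6004)
    )
    $findings = @()
    foreach ($e in ConvertFrom-ValidPorts -ValidPorts $ValidPorts) {
        if ($ExpectedHosts -notcontains $e.Host) {
            $findings += "Unexpected host '$($e.Host)': the proxy would forward RPC to it"
        }
        foreach ($p in $e.Low..$e.High) {
            if ($ExpectedPorts -notcontains $p) {
                $findings += "Unexpected port $p for host '$($e.Host)'"
            }
        }
    }
    if ($findings.Count -eq 0) {
        return "ValidPorts OK: only $($ExpectedHosts -join ', ') on ports $($ExpectedPorts -join ', ')"
    }
    return $findings
}

# Constructed sample: the normal entries Exchange writes for one mailbox server,
# plus a stray host and a stray port that the audit should flag.
$sample = 'vmmbx1:6001-6002;vmmbx1:6004;vmmbx1.vn.local:6001-6002;' +
          'vmmbx1.vn.local:6004;vmdc1:135;vmmbx1:6005'
Test-ValidPorts -ValidPorts $sample -ExpectedHosts 'vmmbx1', 'vmmbx1.vn.local'
# Live check on the CAS (uncomment to read the real key):
# $rp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
# Test-ValidPorts -ValidPorts $rp.ValidPorts -ExpectedHosts 'vmmbx1', 'vmmbx1.vn.local'
```

Run against the sample, the audit reports the vmdc1:135 host and port 6005 as findings; against a clean key it returns the single OK line.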
3. Select Microsoft Exchange
4. Input your mailbox server name (this could be FQDN or Netbios Name)
5. Click the "More Settings" button
6. Select the connections tab
7. Check the box "Connect to Microsoft Exchange using HTTP" -> Exchange Proxy Settings
8. Input the URL of your Outlook Anywhere server and select the appropriate authentication method
9. Click OK and finish the profile
Note: if Autodiscover is not working, please refer to my blog post on Autodiscover.
You can see our connection shows HTTPS, which validates that we are going through the CAS server and proxying our connection.
We can use netstat to show our connections for each hop: Client -> CAS -> MBX -> DC
You can see from the screenshot above that our client 192.168.1.5 is making connections on port 443 to our CAS server 192.168.1.101.
As noted in the connection status window in Outlook, the Outlook client makes multiple connections to the CAS server on port 443, and this is validated in the netstat output.
CAS -> MBX
On the mailbox server open a command window and type netstat -na
We can use a tool like NetMon or Wireshark to perform network captures on each hop as well, to validate our traffic between each node. Note that this is encrypted traffic, so we will only see the sessions between the nodes, not their contents.
This capture shows communication from the CAS 192.168.1.101 to the mailbox server on ports 6001/6004.
RpcPing is a utility that we can use to troubleshoot or validate that our RPC proxy is working properly.
RpcPing is a command line tool that can be found in the Windows 2003 Resource Kit: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en We can use this tool to test RPC connectivity through an RPC proxy server, which is what Outlook Anywhere uses.
You can use this Microsoft article to assist with this utility: http://support.microsoft.com/kb/831051
1. Open a command line to the resource kit directory
2. Let's connect to port 6001 (the Information Store):
rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6001 -u 10 -a connect
3. Let's connect to port 6004 (DSProxy):
rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6004 -u 10 -a connect
These tests show us that we are properly connecting through the rpc proxy server to the correct ports associated with Outlook Anywhere.
Reference the Microsoft article above for a breakdown of the switches.
Windows 2008 has added some additional performance counters for the RPC/HTTP Proxy that can assist in identifying connectivity problems and user load.
1. Certificates - If the client machine does not trust the certificate that is being presented, it will fail to connect. So if you are using self-signed or self-issued certificates you will need to deploy them to each client machine.