Setting up ISA Server 2004 for secure RPC communications


Brien M. Posey
05.26.2005


Contributor Brien M. Posey explains how ISA Server 2004 makes it relatively easy for Microsoft Outlook clients to establish secure RPC communications with their Exchange servers. In an accompanying tip below, he offers step-by-step advice on how to set it up.


TABLE OF CONTENTS:

   Why use ISA Server 2004 for remote e-mail access
   How to create an ISA Server 2004 rule to allow RPC communications


  Why use ISA Server 2004 for remote e-mail access

You have a variety of solid options for providing remote e-mail access to end users, but contributor Brien Posey says one tool stands out above the rest. In this tip, he explains how ISA Server 2004 makes it relatively easy for Microsoft Outlook clients to establish secure RPC communications with their Exchange servers -- and he offers step-by-step advice on how to set it up.

E-mail ranks among the most critical applications for many companies, and employees increasingly demand access to it from outside the company. External e-mail access can be achieved in a variety of ways: Some companies use Outlook Web Access (OWA); others have implemented virtual private networks (VPNs); still others use RPC over HTTP. None of these is an ideal solution.

All three options work for remote e-mail access, but each has its downfalls: OWA doesn't provide the full functionality of Outlook; VPNs tend to be slow, and less computer-literate employees hate the connection process; and RPC over HTTP requires Outlook 2003 on the client and Exchange Server 2003 on the server, and its server-side configuration can be complicated.

So what's the better option? If your network runs Internet Security and Acceleration (ISA) Server 2004 as a perimeter firewall, you can allow employees to connect to your mail server directly through Outlook, using the same MAPI/RPC connection they use in the office. The primary requirement is simply that the remote client be able to resolve the mail server's name (the server name in the Outlook profile, usually its NetBIOS name) to ISA Server's external IP address; a HOSTS file entry on the client or a split DNS zone that hands out the external address is the usual way to arrange that.

ISA Server 2004 makes remote e-mail access possible because it can function as an RPC proxy. Outlook uses RPC to communicate with an Exchange server. However, the RPC protocol relies on dynamic port assignments: the client first contacts the RPC endpoint mapper, which tells it which port the Exchange service is actually listening on. To make RPC function through an ordinary packet-filtering firewall, you would have to open TCP port 135 (the RPC endpoint mapper port) plus the entire dynamic range, ports 1025 through 65535, because you never know which port the endpoint mapper will hand out.

There are some tricks you can use to pin Exchange's RPC interfaces to specific ports (registry settings on the Exchange server). Even so, leaving the designated ports open to the Internet would be a major security risk, because those ports would accept raw RPC from anyone. ISA Server 2004 solves these problems with its RPC application filter: it accepts connections to port 135 on the external interface, inspects the client's RPC bind, opens the secondary port only for that client's session, and closes it again when the session ends. The filter also checks that each RPC packet is well-formed and that the client is binding only to the RPC interface UUIDs the rule permits (by default, the Exchange interfaces), so a client cannot use the published port 135 to reach other RPC services on the server. Of course ISA Server 2004 isn't about to allow RPC traffic into your network by default. You will have to publish a rule to allow RPC communications to take place.
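The "tricks" mentioned above are registry settings on the Exchange server (the TCP/IP Port values under the MSExchangeIS and MSExchangeSA service keys, and the generic RPC\Internet port-range restriction). Before publishing an Exchange server through ISA it is worth knowing whether someone has already pinned it to static ports and, more importantly, whether those ports have been port-forwarded through a plain firewall rule. The following audit script is an added example, not part of the original tip and not Microsoft's code; it is written in PowerShell, which postdates the tip, and assumes it is run locally on an Exchange 2000/2003 server. The registry paths are the documented ones; the output wording is the example's own.

```powershell
# Added example (not from the original tip): audit whether an Exchange 2000/2003
# server has been pinned to static RPC ports, the "trick" the tip warns is still
# unsafe behind an ordinary firewall. Run in an elevated shell on the Exchange box.

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
       Name = 'TCP/IP Port';      Role = 'Information Store (MAPI/emsmdb)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
       Name = 'TCP/IP Port';      Role = 'System Attendant (RFR)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
       Name = 'TCP/IP NSPI Port'; Role = 'Directory proxy (NSPI)' }
)

$pinned = @()
foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        # Value names contain slashes and spaces, so read them by name, not as a property literal
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $value) {
        Write-Output ("{0,-34} dynamic port (endpoint mapper assigns it)" -f $c.Role)
    } else {
        Write-Output ("{0,-34} STATIC port {1}" -f $c.Role, $value)
        $pinned += $c
    }
}

# The generic RPC runtime restriction (HKLM\SOFTWARE\Microsoft\Rpc\Internet) narrows the
# dynamic range for every RPC server on the machine, not just Exchange, when present.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (Test-Path $rpcInternet) {
    $p = Get-ItemProperty -Path $rpcInternet
    Write-Output ("RPC dynamic range restricted to: {0} (UseInternetPorts={1}, PortsInternetAvailable={2})" -f
        ($p.Ports -join ', '), $p.UseInternetPorts, $p.PortsInternetAvailable)
} else {
    Write-Output 'No RPC\Internet restriction: the dynamic range is the full default range.'
}

if ($pinned.Count -gt 0) {
    Write-Warning ("Static RPC ports are configured ({0}). Confirm they are reachable from outside only " +
                   "through an RPC-aware proxy such as ISA Server's Exchange RPC publishing rule, never " +
                   "through a plain port-forwarding rule on the perimeter firewall.") -f $pinned.Count
}
```

A static port by itself is not a problem; the risk the tip describes is exposing such a port directly. If the audit reports static ports, check the perimeter firewall for forwarding rules that target them and replace any you find with the publishing rule described in the next section.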

  How to create a rule to allow RPC communications

1. Open ISA Server's management console and expand the container bearing the name of your ISA Server.

2. Right-click on the Firewall Policy container (beneath the server container) and select New, then Mail Server Publishing Rule, from the shortcut menus.

3. Windows will open the New Mail Server Publishing Rule Wizard.

4. Enter a name for the new publishing rule that you are creating in the space provided and click Next.

5. The wizard will now ask you which type of access the rule should provide. Select the option for Client Access: RPC, IMAP, POP3, SMTP and click Next.

6. You will now see a screen asking which services you are publishing on the mail server. Select the Outlook (RPC) option found in the Standard Ports column. Make sure no other options are selected and then click Next.

7. Now you will be prompted to enter the IP address of the Exchange Server you are trying to provide access to. If you need to provide access to multiple Exchange Servers, then you have to create a separate publishing rule for each Exchange Server. Click Next.

8. You will see a screen asking on which network ISA Server should listen for RPC communications. Select the External network (the interface connected to the Internet) and click Next, followed by Finish. Your new publishing rule is now created.

9. You aren't quite done yet. Right-click on the newly created publishing rule and select the Configure Exchange RPC command from the resulting shortcut menu. When you do, Windows will display the Configure Exchange RPC Policy dialog box. Select the Enforce Encryption check box and click OK. This makes ISA Server refuse any Outlook session that does not use RPC encryption, so no one can read the mail traffic off the wire. Remote clients must therefore have the "Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server" option enabled in the Outlook profile (under More Settings, Security), or their connections will be rejected.
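Once the rule is in place, two things need confirming on a remote client: that the Exchange server's name resolves to ISA Server's external address (the requirement stated at the start of this tip), and that the publishing rule exposes only the endpoint mapper port rather than the whole dynamic range. The script below is an added example, not code from the original tip and not Microsoft's; it is written in PowerShell, which postdates the tip, and the server name EXCH01, the FQDN exch01.corp.example.com and the address 203.0.113.10 are placeholders to replace with your own. It writes a HOSTS entry, so run it in an elevated shell.

```powershell
# Added example (not from the original tip). Run on a remote Outlook client to
# (1) point the Exchange server's name at ISA Server's external address, which is what
#     the tip's "must resolve the mail server's NetBIOS name" requirement boils down
#     to when the client cannot reach the internal DNS, and
# (2) confirm that only the RPC endpoint mapper port is exposed by the publishing rule.
# Names and addresses below are placeholders, not values from the tip.

$exchangeNetbios = 'EXCH01'
$exchangeFqdn    = 'exch01.corp.example.com'
$isaExternalIp   = '203.0.113.10'

# 1. Map both forms of the server name to the ISA listener. Split DNS that returns the
#    same answer is preferable; a HOSTS entry is the per-machine fallback.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry     = "$isaExternalIp`t$exchangeFqdn`t$exchangeNetbios"
if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($entry)) -Quiet)) {
    Add-Content -Path $hostsFile -Value $entry
}

$resolved = [System.Net.Dns]::GetHostAddresses($exchangeNetbios) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $isaExternalIp) {
    throw "$exchangeNetbios resolves to $($resolved -join ', '), not to the ISA listener $isaExternalIp"
}
Write-Output "$exchangeNetbios -> $isaExternalIp (ISA external address)"

# 2. Probe the listener. TCP 135 must accept the connection; a sample of ports from the
#    dynamic RPC range should not, because ISA opens those only per session after it has
#    inspected the client's RPC bind.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$epmOpen = Test-TcpPort -Address $isaExternalIp -Port 135
Write-Output ("TCP 135 (RPC endpoint mapper) reachable: {0}" -f $epmOpen)
if (-not $epmOpen) {
    Write-Warning 'The publishing rule is not answering on port 135; check the listener network and the rule order.'
}

$exposed = @()
foreach ($port in 1025, 1026, 1027, 6001, 6002, 6004) {
    if (Test-TcpPort -Address $isaExternalIp -Port $port -TimeoutMs 1500) { $exposed += $port }
}
if ($exposed.Count -gt 0) {
    Write-Warning ("High ports answering on the external interface: {0}. A plain port-forward, " +
                   "not the RPC-aware publishing rule, may be in place.") -f ($exposed -join ', ')
} else {
    Write-Output 'No sampled dynamic-range ports answer externally; only the RPC filter is exposed.'
}
```

A successful connection to port 135 only proves the listener is up; the real test is starting Outlook with the profile's encryption option enabled and watching the session come up through the rule. If port 135 answers but Outlook still fails, the usual causes are a client profile without the encryption option (rejected by Enforce Encryption) or a server name in the profile that differs from the one mapped in HOSTS.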


About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.


    All Rights Reserved, Copyright 2004 - 2008, TechTarget | Read our Privacy Policy