RPC-over-HTTP with open source proxies

RPC-over-HTTP, or Outlook Anywhere as it is called in Exchange 2007, offers users a way to access their e-mail securely using Outlook from anywhere in the world, without using a VPN connection.

If you’re using Microsoft’s ISA product line at your border, then you’re fine. ISA works just fine with RPC over HTTP. However, Apache’s mod_proxy doesn’t support passing along the proprietary RPC_IN_DATA and RPC_OUT_DATA HTTP methods.

There are other proxies which support it, like Pound; however, Pound doesn’t allow SSL backend connections, so the connection from the proxy to the Exchange server is unencrypted, leaving plaintext passwords on your mostly-trusted LAN.

In the end, I gave up and published a separate IIS website directly to the web. For this, I created a new IIS website, assigned it to a random port, added the proper port forwardings on the gateway, and added just the RPC directory to this new site, and exposed it only through HTTPS. I think this is as good as it gets.

If you don’t know how to move these virtual directories yet, it is quite simple. Right-click the directory, select “All tasks”, select “Export to a file”, and then go to the new website, right-click on it, select “New” and then “New virtual directory (from file)”. Quite easy – if you know where to find it.

If you’re having trouble getting RPC over HTTP to work, here are two tips:

  • Make sure that the certificate for the RPC over HTTP server is trusted by the client. For laptops in your domain, this is usually automatically the case, because of group policies. With home offices, this is usually not the case. Outlook does not give you an error message regarding this problem.
  • Start outlook.exe using the /rpcdiag switch. This allows you to see how Outlook establishes the connection.
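
A client-side check for the first tip, as an added example that is not part of the original post: run on the machine where Outlook fails, it connects to the published site and reports whether this machine's Windows certificate stores trust the certificate. The host name `mail.example.com` and port `8443` are placeholders for your own published RPC site.

```powershell
# Added example. Host name and port are placeholders for your published RPC site.
$HostName = 'mail.example.com'
$Port     = 8443

$script:policyErrors = $null
$ssl = $null
# Diagnostic only: accept any certificate so the handshake completes and the
# certificate can be inspected. The real verdict is recorded in $policyErrors.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Rebuild the chain against this machine's certificate stores to see why it fails.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    "Subject      : $($cert.Subject)"
    "Issuer       : $($cert.Issuer)"
    "Valid        : $($cert.NotBefore) to $($cert.NotAfter)"
    "Policy errors: $script:policyErrors"
    if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        "  -> certificate name does not match '$HostName'"
    }
    if (-not $trusted) {
        foreach ($s in $chain.ChainStatus) {
            "  -> chain: $($s.Status): $($s.StatusInformation.Trim())"
        }
    }
    if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        'Result: the certificate is trusted by this client.'
    } else {
        'Result: this client does not trust the certificate; Outlook gives no error message for this.'
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

An `UntrustedRoot` chain status on a home-office machine means the issuing CA certificate has to be installed in that machine's trusted root store.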

2 Comments

  1. jtech:

    Yeah,

    I did the same thing, but I only allowed 443, not 80, and /rpc dir also. The best it can be.

    thanks

  2. Washo:

    Squid supports it, I think.
    http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
