dealvis asked:

Remote Access to Exchange 2003 Server Recommendation Request

Installed new MS Exchange 2003 Server & set up RPC over HTTP (ROH) connectivity (on internal LAN behind inside interface of PIX515 FW).
Works great, now working on providing staff remote access to email solution.

With some help from ExEx, for a test I successfully configured Outlook 2003 on a couple of our department's "loaner" laptops for remote access to the Exchange server using ROH.  These test laptops were initially configured while on the internal LAN before taking them off site and verifying that Outlook was indeed connecting to the internal Exchange 2003 server via HTTPS. (Setting them up while on the LAN with the Exchange server first seemed to be necessary to get ROH to work from remote location later).

This test seems to exclude ROH as a remote email access solution for staff members wanting Exchange access from their homes using their personal PCs, correct?

ROH is only a functional remote email access solution for those staff members who have been issued company laptops that are members of the organization's domain and can therefore be brought on site for the initial configuration of ROH access, correct?

Staff without a company laptop should use OWA for remote access to email, correct?

It is possible to configure the Exchange 2003 Server to support both ROH & OWA remote connections, correct?

redseatechnologies replied:

Hi dealvis,

First, yes, OWA and RPC/HTTP will work happily next to each other - and is already configured for you

https://yourserver.yourdomain.com/exchange

Second, I have seen it written many times that for RPC/HTTP to work, you need to connect first on the local network - but in practice, this is not always true, and I have been successful in doing so (the procedure is exactly the same).

The main problem with doing this is that it will try to copy the entire mailbox down over the internet line, which can be a burden on the link.

Hope that helps,

-red
dealvis (asker) replied:

So you are saying one can use a home computer that does not have a machine account in Active Directory to connect remotely to the company's Exchange 2003 server using ROH?  (And also that it is NOT necessary to make the first connection to Exchange via HTTP/HTTPS from the LAN, right?)

(I think) I would rather have our staff use ROH for a remote email access solution than OWA but I am not seeing how that is practically possible if the initial connection to the Exchange server during the initial Outlook/ROH config process requires being present on the LAN?

I also got the feeling ROH could only be utilized remotely from a computer with a machine account in Active Directory by a person who also has a valid account in AD?

Thanks for the tip on OWA Red, it is working and I am testing it now.
redseatechnologies replied:

I am saying that I have done that before.

I just had a skim of this -> http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm

And he has either removed the part that I read about being on the lan to configure it the first time, or it never existed :)  Either way, it now makes references to configuring it remotely.

The machine will not need an AD account - the User will.

-red
dealvis (asker) replied:

OK - I see something here from Petri that I have not done in my configuration, that being to "import the ROOT CA Digital Certificate into the client computers in order to make them trust your CA".

I will import the ROOT CA Certificate on to one of my home PCs and then re-test an ROH remote connection to the company Exchange 2003 server.
That may be why that connection test was failing?
redseatechnologies posted the accepted solution (members-only content, not shown on this page).

NITADMIN replied:
"This test seems to exclude ROH as a remote email access solution for staff members wanting Exchange access from their homes using their personal PCs, correct?" No, you can configure any PC or laptop for RPC over HTTPS connection. You do not have to bring the PC/laptop to the office to configure it and then take it back home.

"ROH is only a functional remote email access solution for those staff members who have been issued company laptops that are members of the organization's domain and can therefor be brought on site for the initial configuration of ROH access, correct?" Initial configuration can be done at home. Does not have to take place in the office.

"Staff without a company laptop should use OWA for remote access to email, correct?" Staff with or without a laptop can access Exchange using OWA and RPC over HTTPS.

"It is possible to configure the Exchange 2003 Server to support both ROH & OWA remote connections, correct?" Yes it is.

There is also another option. Does your company's staff have Palm Treos (running either Palm OS or Windows Mobile) or other smartphones that run on Windows Mobile (Motorola Q)?
They can also access your Exchange 2003 server. You can configure Microsoft ActiveSync. With Palm Treos running Palm OS they need to have the latest version of VersaMail.

If your company's staff have BlackBerry smartphones, you can also install BlackBerry Enterprise Server (BES 4.0), which works with Exchange 2003.

Cheers,
NITADMIN
dealvis (asker) replied:

Not to ramble too far from the requested information, but doesn't OWA expose my internal Exchange server to attacks from the Web? (We only have the one Exchange server and the web proxy service runs on the same box.)

[The PIX FW is performing a static translation of the Exchange server's private LAN IP to a public one, FYI].

OWA works really well from the testing I have done so far, but it scares me to think of putting a record in the public DNS database that points to our Exchange server on our internal LAN as a Web server.

Isn't ROH a much more secure method for remote access to email than OWA?
redseatechnologies replied:

RPC/HTTP is no more secure than OWA - they both use exactly the same protocol - HTTPS.

While there are valid reasons to be concerned about having direct access to your exchange server from the world, in practice, it is not a reason to not use OWA.

All exchange servers I have allow port 25 and 443 straight to them, Sembee is the same way (if I remember rightly).

If you stay patched to the latest level, and only use 443 and 25, then you have minimized the risk to an acceptable level.

-red
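The "only 443 and 25 straight to the server" setup red describes, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from anyone in the thread; the addresses (203.0.113.10 as the public address on the outside interface, 10.0.0.10 as the Exchange server on the inside LAN), the access-list name outside_in and the interface names inside/outside are assumptions for illustration. The point it makes that the prose does not: the static translation on its own exposes every port of the server, so the access list bound to the outside interface is what actually limits exposure to SMTP and HTTPS, and because OWA and RPC over HTTP both ride TCP/443 no further holes are needed for either.

```cisco
! Added example (not from the thread). Hypothetical addresses:
!   203.0.113.10 = public address on the outside interface
!   10.0.0.10    = Exchange 2003 server on the inside LAN
!
! One-to-one static translation for the Exchange server.
! By itself this maps every port; the access list below is what
! restricts what the Internet can reach.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! Permit only inbound SMTP (mail delivery) and HTTPS (OWA and RPC over HTTP).
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq https
!
! No other permit lines for this host: the implicit deny at the end of the
! list drops everything else, including plain HTTP (80), RPC endpoint
! mapper (135) and SMB (445), so none of those are reachable from outside.
!
! Bind the list inbound on the outside interface.
access-group outside_in in interface outside
!
! Check after deployment: hit counts should climb on the two permit lines
! only, and nothing else should be listed for 203.0.113.10.
!   show access-list outside_in
!   show static
```

If the access list later grows a line such as `permit ip any host 203.0.113.10` (a common "just make it work" change), the translation silently becomes a full exposure of the server again; reviewing `show access-list` for the translated address is the quick way to catch that.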
dealvis (asker) replied:

When I go to a remote location, add a record to the HOSTS file for OWA.mydomain.org, and enter https://owa.mydomain.org in IE I get:

1. Problem with Security Certificate - from Company you have not chosen to trust - I click YES to proceed
2. After entering credentials in login dialog box, https://owa.mydomain.org comes up as 'PAGE UNDER CONSTRUCTION - THE SITE YOU ARE TRYING TO VIEW DOES NOT HAVE A DEFAULT PAGE'

Guessing I need to backtrack and install a certificate from a third-party provider to solve #1.

#2 surprised me because from the LAN if I enter the Exchange Server's name in the url of IE's address bar OWA pops right up (after logging in of course)...  ??

P.S. Should I install Anti-Virus software on the new Exchange server?
redseatechnologies replied:

1. Yes, you need a proper certificate to get rid of that.

2. Ideally you should create an A record in DNS so you don't have to mess about with hosts files, and the link should be https://owa.yourdomain.org/exchange

To set up redirection (why it works in your office I can only guess at) you need to do this -> http://support.microsoft.com/kb/319878

-red