Remote Access to Exchange 2003 Server Recommendation Request

Posted on 2006-10-29
Last Modified: 2008-03-17
Installed new MS Exchange 2003 Server & set up RPC over HTTP (ROH) connectivity (on internal LAN behind inside interface of PIX515 FW).
Works great, now working on providing staff remote access to email solution.

With some help from ExEx, for a test I successfully configured Outlook 2003 on a couple of our department's "loaner" laptops for remote access to the Exchange server using ROH.  These test laptops were initially configured while on the internal LAN before taking them off site and verifying that Outlook was indeed connecting to the internal Exchange 2003 server via HTTPS. (Setting them up while on the LAN with the Exchange server first seemed to be necessary to get ROH to work from remote location later).

This test seems to exclude ROH as a remote email access solution for staff members wanting Exchange access from their homes using their personal PCs, correct?

ROH is only a functional remote email access solution for those staff members who have been issued company laptops that are members of the organization's domain and can therefore be brought on site for the initial configuration of ROH access, correct?

Staff without a company laptop should use OWA for remote access to email, correct?

It is possible to configure the Exchange 2003 Server to support both ROH & OWA remote connections, correct?





Question by:dealvis
10 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17830910
Hi dealvis,

First, yes, OWA and RPC/HTTP will work happily next to each other - and it is already configured for you:

https://yourserver.yourdomain.com/exchange

Second, I have seen it written many times that for RPC/HTTP to work you need to connect first on the local network, but in practice this is not always true, and I have been successful in doing so (the procedure is exactly the same).

The main problem with doing this is that it will try to copy the entire mailbox down over the internet line, which can be a burden on the link.

Hope that helps,

-red

Author Comment

by:dealvis
ID: 17831163
So you are saying one can use a home computer that does not have a machine account in Active Directory to connect remotely to the company's Exchange 2003 server using ROH?  (And also that it is NOT necessary to make the first connection to Exchange via HTTP/HTTPS from the LAN, right?)

(I think) I would rather have our staff use ROH for a remote email access solution than OWA but I am not seeing how that is practically possible if the initial connection to the Exchange server during the initial Outlook/ROH config process requires being present on the LAN?

I also got the feeling ROH could only be utilized remotely from a computer with a machine account in Active Directory by a person who also has a valid account in AD?

Thanks for the tip on OWA Red, it is working and I am testing it now.
LVL 39

Expert Comment

by:redseatechnologies
ID: 17831196
I am saying that I have done that before,

I just had a skim of this -> http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm

And he has either removed the part that I read about being on the lan to configure it the first time, or it never existed :)  Either way, it now makes references to configuring it remotely.

The machine will not need an AD account - the User will.

-red

Author Comment

by:dealvis
ID: 17831437
K - I see something here from Petri that I have not done in my configuration, that being to "import the ROOT CA Digital Certificate into the client computers in order to make them trust your CA".

I will import the ROOT CA Certificate on to one of my home PCs and then re-test an ROH remote connection to the company Exchange 2003 server.
That may be why that connection test was failing?
LVL 39

Accepted Solution

by:
redseatechnologies earned 250 total points
ID: 17831474
That will be exactly why it is failing.

You can test this yourself, go to https://yourserver.yourdomain.com/rpcwithcert

Do you get a certificate prompt? If so, it is not going to work.

When you import the certificate (you can do it from that prompt), be sure to install it in the physical store > Trusted Root CAs > Local Computer.

-red
LVL 8

Expert Comment

by:nitadmin
ID: 17831492
"This test seems to exclude ROH as a remote email access solution for staff members wanting Exchange access from their homes using their personal PCs, correct?" No, you can configure any PC or laptop for an RPC over HTTPS connection. You do not have to bring the PC/laptop to the office to configure it and then take it back home.

"ROH is only a functional remote email access solution for those staff members who have been issued company laptops that are members of the organization's domain and can therefore be brought on site for the initial configuration of ROH access, correct?" Initial configuration can be done at home. It does not have to take place in the office.

"Staff without a company laptop should use OWA for remote access to email, correct?" Staff with or without a laptop can access Exchange using OWA and RPC over HTTPS.

"It is possible to configure the Exchange 2003 Server to support both ROH & OWA remote connections, correct?" Yes, it is.

There is also another option. Does your company's staff have Palm Treos (running either Palm OS or Windows Mobile) or other smartphones that run on Windows Mobile (Motorola Q)?
They can also access your Exchange 2003 server. You can configure Microsoft ActiveSync. Palm Treos running Palm OS need to have the latest version of VersaMail.

If your company's staff have BlackBerry smartphones, you can also install BlackBerry Enterprise Server (BES 4.0), which works with Exchange 2003.

Cheers,
NITADMIN

Author Comment

by:dealvis
ID: 17833288
Not to ramble too far from the requested information, but doesn't OWA expose my internal Exchange server to attacks from the Web?  (We only have the one Exchange server and the web proxy service runs on the same box).

[The PIX FW is performing a static translation of the Exchange server's private LAN IP to a public one, FYI].

OWA works real well from the testing I have done so far but it scares me to think of putting a record in the public DNS database that points to our Exchange server on our internal LAN as a Web server?

Isn't ROH a much more secure method for remote access to email than OWA?
LVL 39

Expert Comment

by:redseatechnologies
ID: 17837617
RPC/HTTP is no more secure than OWA - they both use exactly the same protocol, HTTPS.

While there are valid reasons to be concerned about having direct access to your exchange server from the world, in practice, it is not a reason to not use OWA.

All Exchange servers I have allow ports 25 and 443 straight to them; Sembee is the same way (if I remember rightly).

If you stay patched to the latest level, and only use 443 and 25, then you have minimized the risk to an acceptable level.

-red

Author Comment

by:dealvis
ID: 17841533
When I go to a remote location, add a record to the HOSTS file for OWA.mydomain.org, and enter https://owa.mydomain.org in IE I get:

1. Problem with Security Certificate - from Company you have not chosen to trust - I click YES to proceed
2. After entering credentials in login dialog box, https://owa.mydomain.org comes up as 'PAGE UNDER CONSTRUCTION - THE SITE YOU ARE TRYING TO VIEW DOES NOT HAVE A DEFAULT PAGE'

Guessing I need to back track and install a certificate from a third party provider to solve #1.

#2 surprised me because from the LAN if I enter the Exchange Server's name in the url of IE's address bar OWA pops right up (after logging in of course)...  ??

P.S. Should I install Anti-Virus software on the new Exchange server?
LVL 39

Expert Comment

by:redseatechnologies
ID: 17841643
1. Yes, you need a proper certificate to get rid of that.

2. Ideally you should create an A record in DNS so you don't have to mess about with hosts files, and the link should be https://owa.yourdomain.org/exchange

To set up redirection (why it works in your office I can only guess at) you need to do this -> http://support.microsoft.com/kb/319878

-red
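The certificate advice in the accepted solution (a certificate prompt at /rpcwithcert means RPC over HTTP will not work until the issuing root sits in Trusted Root CAs on the Local Computer) and in the last reply (a proper certificate for the public name is what removes IE's warning) come down to the same two client-side checks: does the server certificate chain to a root the client trusts, and does the name on it match the host in the URL. The Go program below is an added illustration, not code from this thread or from Microsoft. It builds a throwaway in-house CA and a server certificate for the hypothetical host mail.corp.example, then runs both checks with the root absent from and present in the trust pool, which stands in for the Windows certificate store; the CA, the host names and the third case's public name owa.corp.example are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and issues tmpl; parent == nil means self-signed (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildLab is a constructed stand-in for an in-house CA; it returns (root CA, server cert) for the hypothetical host.
func BuildLab() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Corp Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, rootKey, err := newCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.corp.example"},
		DNSNames:     []string{"mail.corp.example"}, // the SAN, not the CN, is what clients match
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, root, rootKey)
	return root, leaf, err
}

// Check validates the server certificate the way a client does: chain it to one of the
// trusted roots (trusted models the Trusted Root CAs store) and match the URL's host name.
func Check(leaf *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty but non-nil, so the system store is never consulted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// UntrustedIssuer is the "company you have not chosen to trust" prompt; the fix is importing the root.
func UntrustedIssuer(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// NameMismatch is the "name on the certificate differs from the URL" case; the fix is a new certificate.
func NameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

func main() {
	root, leaf, err := BuildLab()
	if err != nil {
		panic(err)
	}
	show := func(desc string, trusted []*x509.Certificate, host string) {
		err := Check(leaf, trusted, host)
		fmt.Printf("%-36s untrusted=%-5t mismatch=%-5t err=%v\n", desc, UntrustedIssuer(err), NameMismatch(err), err)
	}
	show("root not on client", nil, "mail.corp.example")
	show("root imported, host matches", []*x509.Certificate{root}, "mail.corp.example")
	show("root imported, public name differs", []*x509.Certificate{root}, "owa.corp.example")
}
```

The three cases map onto the thread: the first is the "Company you have not chosen to trust" prompt and the silent RPC over HTTP failure, the second is a working client after the root has been imported, and the third is what happens when the internal certificate is reused behind a public DNS name it was never issued for, which no amount of root-importing fixes. Note that Check builds the pool explicitly rather than leaving Roots nil, so the result does not depend on whatever the machine running it already trusts, and that Go matches only the Subject Alternative Name, so a certificate with the right Common Name but no SAN still fails the third check.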