Contents
Overview
Lesson 1: Cache Mode
Lesson 2: RPC Over HTTPs
Lesson 3: Troubleshooting
Lab A: Outlook 2003
Review
Appendix A
Appendix B
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 8: Outlook 2003 1
Overview
Introduction The new version of Microsoft® Office Outlook® 2003 has added a number of
new features to the mail client that are only exposed when combined with
Microsoft® Exchange Server 2003. The following table highlights some of
these:
Outlook Improvement                                         Exchange 5.5   Exchange 2000   Exchange 2000 SP 3 +   Exchange 2003
Cache Mode                                                  supported      supported       supported              supported
Best body download                                          unsupported    unsupported     unsupported            supported
Sync associated messages with headers                       unsupported    unsupported     unsupported            supported
Recursively register for notifications on hierarchy table   unsupported    unsupported     unsupported            supported
Reduced blob size                                           unsupported    unsupported     unsupported            supported
RPC compression                                             unsupported    unsupported     unsupported            supported
Skip bad item                                               unsupported    unsupported     unsupported            supported
Sync cost reporting (number of items and total size)        unsupported    unsupported     unsupported            supported
This module discusses some of these new features and how to
troubleshoot them.
Note This feature can only be configured for Microsoft Exchange Server e-
mail accounts. While Cached Exchange Mode is supported on Microsoft
Exchange Server 5.5 and later, users will have the best supported experience
using Cached Exchange Mode with Exchange Server 2003 or later.
When a user starts Outlook for the first time with Cached Exchange Mode
configured, Outlook creates a local copy of the user's mailbox by creating an
OST file (unless one already exists), synchronizing the OST with the user's
mailbox on the Exchange server, and creating an Offline Address Book. (If a
user is already configured for offline use with an OST and an Offline Address
Book, Outlook can typically download just the new information from the
server, not the whole mailbox and Offline Address Book.)
How Cached Exchange Mode can help improve the Outlook user experience
The primary benefits of using Cached Exchange Mode are the following:
- Shielding the user from troublesome network and server connection issues.
- Facilitating switching back and forth from online to offline for mobile users.
By caching the user's mailbox and the Offline Address Book locally, Outlook
no longer depends on on-going network connectivity for access to user
information. In addition, users' mailboxes are kept up to date, so if a user
disconnects from the network — for example, by removing a laptop from a
docking station — the latest information is automatically available offline.
In addition to improving the user experience by using local copies of
mailboxes, Cached Exchange Mode optimizes the type and amount of data sent
over a connection with the server. For example, if On Slow Connections
Introduction This module will describe the architecture, usage and troubleshooting of the
new connection method using Remote Procedure Call Protocol (RPC) wrapped
in HTTP.
RPC over HTTPS enables Outlook to have the same mailbox functionality when
connected over the Internet as in the office.
Introduction Traditionally, clients connect to their Exchange server using RPC over TCP or
another transport. With Microsoft® Windows® XP, the client now has the
ability to wrap these RPC calls in an HTTP wrapper, thus allowing the traffic to
be more easily transmitted over the Internet.
Outlook 2003 can connect to a Microsoft Exchange server only by using either
RPC over TCP/IP or RPC over HTTP.
Protocol name    RPC protocol string
TCP/IP           ncacn_ip_tcp
HTTP             ncacn_http
Outlook 2003 does not try to use named pipes or any other RPC binding
method to establish a connection to an Exchange server.
The interaction between the client and servers can be seen in the following
diagram.
Architecture of Server
Please see the Exchange 2003 Getting Started Guide for the most up to date
information:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/Exchange2003/proddocs/library/DepGuide.asp
RPC-over-HTTP enables client programs to use the Internet to execute
procedures provided by server programs on distant networks. RPC over HTTP
tunnels its calls through an established HTTP port. Thus, its calls can cross
network firewalls on both the client and server networks.
RPC over HTTP routes its calls to the RPC proxy located on the RPC server's
network. The RPC Proxy establishes and maintains a connection to the RPC
server. It serves as a proxy, dispatching remote procedure calls to the RPC
server and sending the server's replies back across the Internet to the client
application. This process is illustrated in the following diagram.
The diagram above shows a firewall on the client application's network. This is
not required for RPC over HTTP to operate.
When Outlook 2003 issues a remote procedure call using HTTP as the
transport, the RPC run-time library on the client contacts the RPC proxy.
Depending on whether the RPC client was asked to use HTTP or HTTPS
(HTTP with SSL), port 80 or port 443 is used, respectively. The RPC proxy
contacts the RPC server program and establishes a TCP/IP connection. The
client and the RPC proxy maintain their HTTP or HTTPS connection across the
Internet. The only supported connection for Outlook 2003 using RPC/HTTP is
through an SSL session.
The client's HTTP or HTTPS connection to the RPC proxy can pass through a
firewall (subject to appropriate access permissions) if one is present. The server
can then execute the remote procedure call and use the connection through the
RPC proxy to reply to the client. The RPC proxy is an Internet Server
Application Programming Interface (ISAPI) extension running in the context of
Internet Information Services (IIS).
If either the client or the server disconnects for any reason, the RPC proxy will
detect it and end the RPC session. As long as the session continues, the RPC
proxy will maintain its connections to the client and the server. It will forward
remote procedure calls from the client to the server, and send replies from the
server to the client.
The RPC client program can tunnel its RPC calls through the Internet by
creating a string binding of the form:
[object_uuid@]ncacn_http:rpc_server[endpoint,HttpProxy=proxy_server:http_port,RPCProxy=rpc_proxy:rpc_port]
Where:
object_uuid specifies an RPC object universal unique identifier (UUID).
For more information, see Generating Interface UUIDs and String UUID.
ncacn_http selects the protocol sequence specification for RPC over HTTP.
For more information, see Protocol Sequence Constants and String Binding.
rpc_server is the network address of the computer that is executing the
RPC server process. The server address must be specified in a form visible
and understandable by the RPC proxy computer, not by the client. Since the
client does not connect directly to the server, it does not need to be able to
resolve the name of the server, or establish a connection to it. The RPC
proxy will establish the connection on the client’s behalf, and therefore,
rpc_server must be a name recognizable by the RPC proxy.
endpoint specifies the TCP/IP port that the RPC server process listens to for
remote procedure calls. For more information, see Finding Endpoints.
HttpProxy optionally specifies an HTTP proxy server on the RPC client's
network, such as Microsoft Proxy Server. If a proxy server is selected and no
port number is specified, the RPC stub uses port 80 by default if SSL is not
requested, and port 443 if SSL is specified.
RPCProxy specifies the address and port number of the IIS computer that
acts as a proxy to the RPC server. You only need to specify this if the RPC
server process resides on a different computer than the RPC proxy. If you
do not specify a port number, the RPC client stub by default uses port 80 if
SSL is not specified, and uses port 443 if SSL (HTTPS) is specified.
For more information on creating string bindings, see Binding and Handles.
The RPC server program can accept tunneled RPC calls by listening on the
ncacn_http protocol sequence.
Versions Microsoft has two major implementations of RPC over HTTP: Version 1 and
Version 2.
Version 1 (called RPC over HTTP v1) is supported through Microsoft®
Windows® XP. Version 1 of the RPC proxy is supported through
Microsoft® Windows® 2000.
Version 2 (called RPC over HTTP v2) is the current version.
The two versions have different capabilities and limited interoperability. A
summary of the differences is provided here. For interoperability
considerations, see System Requirements and Interoperability for RPC over HTTP.
RPC over HTTP v1 requires SSL Tunneling to be enabled on all HTTP
proxies/firewalls between the RPC over HTTP client and the RPC proxy. RPC
over HTTP v2 has no such requirement. However, it is recommended and only
supported when using an SSL connection.
RPC over HTTP v1 cannot establish an SSL session to the RPC proxy. The
RPC over HTTP v2 can send all RPC over HTTP traffic within an SSL session;
by default v2 requires the data be sent within an SSL session.
RPC over HTTP v1 cannot authenticate to the RPC proxy. RPC over HTTP v2
can authenticate; by default v2 requires authentication to the RPC proxy.
RPC proxy v1 does not operate correctly when the IIS machine on which it is
installed is part of a Web farm. RPC proxy v2 operates properly when the IIS
machine on which it is installed is part of a Web farm.
Note If Microsoft® Internet Explorer is installed on the client program's
computer and your client does not specify an HttpProxy in its string binding,
the RPC client stub will search the registry on the client computer for an
HttpProxy entry. If it finds one, it will use the proxy specified in the registry
entry.
Suppose, for instance, your client program needs to connect across the Internet
to an RPC server on a computer called Server7.microsoft.com. Further, suppose
that the RPC proxy runs on Major7.microsoft.com. The RPC server program
listens to port 2225. Your client would use the string binding:
ncacn_http:Server7.microsoft.com[2225,RPCProxy=Major7.microsoft.com]
If the RPC proxy can resolve the server name as Server7, without requiring a
fully qualified domain name, you can also specify:
ncacn_http:Server7[2225,RPCProxy=Major7.microsoft.com]
If the client network uses a firewall and an Internet proxy server called
myproxy, and Internet Explorer on the client is not configured to use that proxy,
you would need to modify the client's string binding to:
ncacn_http:Server7.microsoft.com[,HttpProxy=myproxy:80,RPCProxy=Major7.microsoft.com:80]
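The string-binding format and default-port rules described above can be checked mechanically before a binding is deployed. The following Python parser is an added example, not code from the original module; the names `parse_http_binding`, `binding_findings` and the `use_ssl` parameter (standing in for whether the caller requested SSL) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default ports stated on this page: 80 when SSL is not requested, 443 when it is.
DEFAULT_PORT = {False: 80, True: 443}

BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9A-Fa-f-]{36})@)?"   # optional object UUID
    r"(?P<protseq>\w+):"                    # protocol sequence
    r"(?P<server>[^\[\]\s]+)\s*"            # rpc_server, as the RPC proxy sees it
    r"(?:\[(?P<opts>[^\]]*)\])?$"           # [endpoint,Name=value,...]
)


@dataclass
class HttpBinding:
    object_uuid: Optional[str]
    rpc_server: str
    endpoint: Optional[int]
    http_proxy: Optional[Tuple[str, int]]
    rpc_proxy: Tuple[str, int]
    use_ssl: bool


def host_port(value: str, use_ssl: bool) -> Tuple[str, int]:
    """Split 'host[:port]', applying the page's default port when none is given."""
    host, sep, port = value.partition(":")
    if not host:
        raise ValueError(f"missing host in {value!r}")
    return host, int(port) if sep else DEFAULT_PORT[use_ssl]


def parse_http_binding(binding: str, use_ssl: bool = True) -> HttpBinding:
    m = BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError(f"not a string binding: {binding!r}")
    if m["protseq"].lower() != "ncacn_http":
        raise ValueError(f"protocol sequence is {m['protseq']}, not ncacn_http")
    parts = [p.strip() for p in (m["opts"] or "").split(",")]
    endpoint = None
    if parts[0] and "=" not in parts[0]:        # first item is the endpoint
        endpoint = int(parts[0])
        parts = parts[1:]
    named = {}
    for part in parts:
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("httpproxy", "rpcproxy"):
            raise ValueError(f"unexpected option {part!r}")
        named[key] = value.strip()
    http_proxy = host_port(named["httpproxy"], use_ssl) if "httpproxy" in named else None
    # RPCProxy is only required when the proxy is a different computer from
    # the RPC server, so fall back to the server name itself.
    rpc_proxy = host_port(named.get("rpcproxy", m["server"]), use_ssl)
    return HttpBinding(m["uuid"], m["server"], endpoint, http_proxy, rpc_proxy, use_ssl)


def binding_findings(b: HttpBinding) -> List[str]:
    """Flag bindings that would leave the client-to-proxy hop outside SSL."""
    findings = []
    if not b.use_ssl or b.rpc_proxy[1] == 80:
        findings.append(
            f"RPC proxy {b.rpc_proxy[0]}:{b.rpc_proxy[1]} is reached without SSL; "
            "Outlook 2003 supports RPC/HTTP only through an SSL session"
        )
    return findings


if __name__ == "__main__":
    # The three bindings shown on this page.
    for text in (
        "ncacn_http:Server7.microsoft.com[2225,RPCProxy=Major7.microsoft.com]",
        "ncacn_http:Server7[2225,RPCProxy=Major7.microsoft.com]",
        "ncacn_http:Server7.microsoft.com[,HttpProxy=myproxy:80,RPCProxy=Major7.microsoft.com:80]",
    ):
        parsed = parse_http_binding(text)
        print(parsed, binding_findings(parsed))
```
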
Note After installing the fix the client will need to be rebooted.
Server-side
1. Exchange 2003 on Microsoft® Windows Server™ 2003 for front-end (if
front-end is deployed)
2. Exchange 2003 on Windows Server 2003 for back-end
3. Exchange 2003 on Windows Server 2003 for Public Folders
4. Exchange 2003 on Windows Server 2003 for System Folders
5. Windows Server 2003 for global catalog server(s)
6. Windows Server 2003 for RPCProxy.
7. The NSPI interface protocol sequences parameter needs to be added to the
registry on ALL Windows Server 2003 global catalogs. This is a manual
entry not configured by RpcHttp_Setup.vbs; the contents of the correct .reg
file are included in Appendix B.
Exchange Server Registry
The RPCProxy server, the server with the RPCProxy protocol installed, must be
a Windows Server 2003 server. However, it does not have to have any
Exchange components installed. Many will choose to have their front-end
servers act as the RPCProxy server because this will eliminate hardware and
administrative costs. The RPCProxy protocol will work installed on a Microsoft
Internet Security and Acceleration (ISA) server as well.
Exchange 2003 server adds the following registry entries to every Windows
Server 2003 server on which it is installed. These registry entries determine
the ports that RPCProxy will use. The installation sets a fixed port for the
protocol and this reduces security risks with regard to TCP port control.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Parameter: Rpc/HTTP Port
Type: REG_DWORD
Value: 0x1771 (Decimal: 6001)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Parameter: HTTP Port
Type: REG_DWORD
Value: 0x1772 (Decimal: 6002)
Global Catalog Registry The registry setting for Windows Server 2003 global catalog servers is not
automated by Exchange 2003 setup. This setting must be configured either
manually or programmatically for RPC over HTTP to work. This is scheduled
to be included in Windows Server 2003 Service Pack 1 (SP1).
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Parameter: NSPI interface protocol sequences
Type: REG_MULTI_SZ
Value: ncacn_http:6004
RPCProxy Server Registry
The RPC/HTTP Proxy server(s) must have the following registry entry to
communicate with the Exchange 2003 server and the Windows Server 2003
global catalog(s).
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
Parameter: ValidPorts
Type: REG_SZ
The string data in this registry value should list all the Windows Server
2003 global catalogs and Exchange 2003 servers in the Exchange Organization.
This value can be configured manually, but the RpcHttp_Setup.vbs utility will
configure it for every Exchange 2003 server installed on Windows
Server 2003 and every Windows Server 2003 global catalog server. The
contents of the registry value should be similar to the one below.
It is highly recommended that you use the setup script to configure the
‘rpcproxy server’ and then remove any global catalog servers that should not be
included in the RPCProxy topology.
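ValidPorts is the allow-list of back-end hosts and ports the RPC proxy will relay to, so it is worth auditing after the setup script has run. The following Python check is an added example, not part of the original module or of RpcHttp_Setup.vbs; it assumes the value uses semicolon-separated `server:port` or `server:low-high` entries (the page's own sample did not survive), takes the required ports from the registry settings listed on this page, and uses constructed sample values built from the lab server names.

```python
# Ports assigned on this page: Exchange back-end 6001 (Rpc/HTTP Port),
# 6002 (HTTP Port) and 6004 (Rpc/HTTP NSPI Port); global catalog 6004 (NSPI).
EXCHANGE_PORTS = frozenset({6001, 6002, 6004})
GC_PORTS = frozenset({6004})


def parse_valid_ports(value):
    """Parse a ValidPorts string into {server: [(low, high), ...]}.

    Assumed format: 'server:port' or 'server:low-high', separated by ';'.
    """
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        server, sep, ports = entry.rpartition(":")
        if not sep or not server:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        low, dash, high = ports.partition("-")
        lo, hi = int(low), int(high) if dash else int(low)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(server.lower(), []).append((lo, hi))
    return allowed


def audit_valid_ports(value, exchange_servers, global_catalogs,
                      exchange_ports=EXCHANGE_PORTS, gc_ports=GC_PORTS):
    """Compare ValidPorts with the intended topology.

    Returns a list of (kind, server, detail) tuples:
      MISSING    - a required server/port the proxy cannot reach
      UNEXPECTED - a server that is not part of the RPCProxy topology
      EXTRA      - a range that opens more ports than the page requires
    """
    allowed = parse_valid_ports(value)
    expected = {s.lower(): set(exchange_ports) for s in exchange_servers}
    for gc in global_catalogs:
        expected.setdefault(gc.lower(), set()).update(gc_ports)

    findings = []
    for server, ports in expected.items():
        ranges = allowed.get(server, [])
        for port in sorted(ports):
            if not any(lo <= port <= hi for lo, hi in ranges):
                findings.append(("MISSING", server, str(port)))
    for server, ranges in allowed.items():
        for lo, hi in ranges:
            label = f"{lo}-{hi}" if hi != lo else str(lo)
            if server not in expected:
                findings.append(("UNEXPECTED", server, label))
            elif any(p not in expected[server] for p in range(lo, hi + 1)):
                findings.append(("EXTRA", server, label))
    return findings


# Constructed sample values using the lab names from this page.
SAMPLE_TIGHT = "rpchttp-be:6001-6002;rpchttp-be:6004;rpchttp-dc:6004"
SAMPLE_LOOSE = "rpchttp-fe:100-5000;rpchttp-be:6001-6002;rpchttp-dc:6004-6010"

if __name__ == "__main__":
    for sample in (SAMPLE_TIGHT, SAMPLE_LOOSE):
        print(sample)
        for finding in audit_valid_ports(sample, ["rpchttp-be"], ["rpchttp-dc"]):
            print("  ", finding)
```

If the deployment deliberately publishes additional ports, pass them through `exchange_ports` or `gc_ports` so that they are not reported as EXTRA.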
The RPC virtual directory is created under the default Web site when the
RPCProxy service is installed. The RPC virtual directory should be configured
with Basic Authentication if the server is adjacent to the Internet and with
Anonymous access if the RPCProxy server is behind a firewall (ISA, for
example).
Selecting the “Require secure channel (SSL)” option will force encryption of all
network communication to and from this socket.
Note The Exchange over Internet portion of the above screen will not appear if
you have not installed Windows XP SP1 + Q331320. It looks for rpcrt4.dll
being at least build 5.1.260.1142.
an SSL connection. The RPC layer does not support mutual authentication
without SSL since the Server Certificate is not requested.
For more information on the MSSTD format of the principal name, see:
http://msdn.microsoft.com/library/en-us/rpc/rpc/principal_names.asp.
The Proxy Authentication settings drop-down menu allows the user to select
which authentication to use when connecting to the RPC Proxy server. Please
note there is not a way to recover from NTLM if it fails. If you are using a
reverse proxy server similar to ISA, then Basic will be the supported connection
authentication.
Setting It All Up
Introduction This is a quick-fire guide on the basic steps to install and configure RPC/HTTP.
The examples given here were set up on a three-machine setup (all running
Windows Server 2003 RTM and IIS 6):
Server                              Server Name   Running             IP Address
domain controller/global catalog    rpchttp-dc    Outlook 2003 RTM    10.10.1.1
Front-End                           rpchttp-fe    Exchange 2003 RTM   10.10.1.2
Back-End                            rpchttp-be    Exchange 2003 RTM   10.10.1.3
2) Install Certificate on Front-End Server
1. Select the properties of Default Web Site, and the Directory Security tab.
2. Select Server Certificate under Secure Communications.
3. Create a new certificate and send immediately.
4. Enter a certificate name, then enter the Organization and organizational unit
details.
5. In order to prevent users from being prompted when using SSL, the
common name of the certificate MUST be the fully qualified domain name
(FQDN) of the Front-End server
[e.g. fe.domain.com]
6. Enter the Country, State, and City details.
7. Select the SSL port that has been configured for the Web site (default is
443).
8. Select the Certification Authority that was set up on the Global Catalog as
the authority to process certification requests.
9. You can verify that the certificate has been successfully issued by checking
the Certification Authority on the Global Catalog.
3) Configure Forms-Based Authentication
**This step is not necessary to install RPC/HTTP, but is useful to have**
1. Within Exchange System Manager on the Front-End server, expand
Protocols, HTTP and select properties for the Exchange Virtual Server.
2. On the settings tab, select Enable Forms-Based Authentication.
3. From IIS, on the directory security tab within the properties for the
Exchange site, select the Require Secure Channel (SSL) checkbox.
4. Outlook Web Access will now only work on HTTPS and will display the
login screen, rather than a pop-up message prompting for credentials.
4) Install RPC/HTTP Proxy and configure Global Catalog + Front-End for RPC/HTTP usage
1. On the Front-End server, within Add/Remove programs, install the RPC
over HTTP Proxy under Networking Services from Windows Components.
2. Check that the following registry keys have been automatically set on the
Back-End server:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"Rpc/HTTP Port"=dword:0x1771 (decimal: 6001)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters]
"Rpc/HTTP NSPI Port"=dword:0x1774 (decimal: 6004)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters]
"HTTP Port"=dword:0x1772 (decimal: 6002)
- GC:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters]
"NSPI interface protocol sequences"=Reg_Multi_SZ:"ncacn_http:6004"
4. On the Front-End server, within the RPC virtual directory in IIS (this
should already exist), under the Directory Security tab, edit
Authentication and Access Control, allow Basic and Integrated
authentication, and clear Anonymous access.
5) Configure Outlook 2003 to use RPC/HTTP
1. Install the hotfix for KB 331320 on the Outlook 2003 client – this addresses
the performance problems that have been experienced when using Outlook
2003 to connect to Exchange using RPC/HTTP.
2. Open Outlook 2003 normally, and hold down Control and right-click the
Outlook logo in the taskbar. Select Connection Status.
This will show that normal TCP/IP communication is taking place between
Outlook and the Exchange servers.
3. Close Outlook, then within RegEdit set the following keys:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC]
"EnableRpctunnelingUI"=dword:1 <-- set to 2 by default
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC]
"DisableRpcTcpFallback"=dword:1
Note The second key will prevent TCP being used, even if HTTP is available.
So for troubleshooting purposes this can be set to ‘0’ if HTTP is unavailable,
and you want to use TCP/IP instead.
4. Restart Outlook, select Tools – E-mail Accounts and modify your existing
account. Select More Settings, and on the Connection tab, click Connect
to my Exchange Mailbox using HTTP.
5. Click Exchange Proxy Settings and enter the FQDN of the Front-End
server. Allow Exchange to connect using HTTP on fast networks.
6. The Mutual Authentication checkbox can also be selected to pass the
credentials to the RPC Proxy server when connecting using HTTP. The
server will need to be configured to authenticate certificates/Smartcards on
the client machine. The syntax for this field is:
msstd:FQDN-of-RPC-Proxy-server
7. Restart Outlook, hold Control and right-click on the logo again. Select
Connection Settings, and this time HTTPS will be used to connect to
Exchange, rather than TCP/IP.
Introduction Configuring and publishing Certificates to servers is out of the scope of this
document. See the following article for more information:
http://support.microsoft.com/?id=281106. However, the following points must be
taken on board.
In order for the client machine to successfully use SSL, the client’s certificate
must be validated.
This step is only needed when the RPC/HTTP client has requested an
SSL/Transport Layer Security (TLS) connection to the RPCProxy. However,
note that using SSL/TLS for RPC/HTTP is a recommended security practice
and it is likely that most applications will ask RPC/HTTP to perform this step.
In order for this step to succeed, the server must send a valid, not expired
certificate issued by a trusted certification authority. In RPC/HTTP, the
two most common ways that this step fails are that the RPC/HTTP client does not
recognize the certification authority that issues the certificate, or that it does not
recognize the certificate itself. Both causes exhibit a common symptom: when
you run RPCPing against the RPCProxy server you will see error 12175
(ERROR_WINHTTP_SECURE_FAILURE).
If you were to point Internet Explorer to an HTTPS resource on this server, you
will get somewhat more verbose information. Note that since the SSL
connection happens before any resource is retrieved, you can check the validity
of the server certificate by browsing any virtual directory.
FQDN vs. NetBIOS Name It is known that certificate issues can occur if you used the FQDN or
NetBIOS name for the certificate's common name.
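The certificate conditions in this section (not expired, common name equal to the proxy FQDN, and an msstd: principal name that matches) can be checked together before a client is rolled out. The following Python check is an added example, not code from the original module; it assumes a certificate dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, compares only the common name as the page describes, does not verify the issuing CA chain, and uses constructed sample certificates.

```python
import ssl


def common_name(cert):
    """Return the commonName from a getpeercert()-style 'subject' field."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def check_proxy_certificate(cert, proxy_fqdn, msstd_principal, now):
    """Return (code, detail) findings for an RPC proxy server certificate.

    proxy_fqdn      - name entered in Outlook's Exchange Proxy Settings
    msstd_principal - Mutual Authentication field, or None if not used
    now             - current time in seconds since the epoch
    """
    findings = []
    cn = common_name(cert)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(("EXPIRED", cert["notAfter"]))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(("NOT_YET_VALID", cert["notBefore"]))
    if "." not in cn:
        # A NetBIOS-style name cannot match the FQDN clients connect to.
        findings.append(("CN_NOT_FQDN", cn))
    if cn.lower() != proxy_fqdn.lower():
        findings.append(("CN_MISMATCH", f"{cn} != {proxy_fqdn}"))
    if msstd_principal is not None:
        wanted = f"msstd:{cn}"
        if msstd_principal.lower() != wanted.lower():
            findings.append(("MSSTD_MISMATCH", f"{msstd_principal} != {wanted}"))
    return findings


# Constructed sample certificates (not taken from a real server).
SAMPLE_CERT_FQDN = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "fe.domain.com"),)),
    "notBefore": "Jun  1 00:00:00 2003 GMT",
    "notAfter": "Jun  1 00:00:00 2004 GMT",
}
SAMPLE_CERT_NETBIOS = dict(SAMPLE_CERT_FQDN,
                           subject=((("commonName", "RPCHTTP-FE"),),))

if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Jan  1 00:00:00 2004 GMT")
    for cert in (SAMPLE_CERT_FQDN, SAMPLE_CERT_NETBIOS):
        print(common_name(cert),
              check_proxy_certificate(cert, "fe.domain.com",
                                      "msstd:fe.domain.com", when))
```
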
Lesson 3: Troubleshooting
Overview The following illustrates what stages Outlook and Exchange 2003 will go
through to successfully establish an HTTP/RPC connection:
1. Client needs to be able to resolve DNS to the RPCProxy Server.
2. Client needs to be able to connect to RPCProxy Server via HTTPS (HTTP).
3. Client’s Internet Explorer needs to be able to process the Certificate issued by
the RPCProxy Server.
4. Client needs to successfully authenticate.
5. Check to make sure that Anonymous Access is disabled on the RPC virtual
directory.
6. RPCProxy needs to know destination servers (Exchange 2003, domain
controllers, Global Catalogs).
7. RPCProxy needs to be able to resolve DNS for destination servers.
8. RPCProxy needs to establish a TCP connection to the destination servers.
9. Credentials from the client are authorized.
10. Send credentials to the Exchange 2003 store and log on.
RPCPing
Software requirements The -P, -F, -H, -B, -b, -R, -E options require Microsoft Windows Server 2003,
Windows XP Service Pack 2 or Windows XP Service Pack 1 with hotfix found
in Knowledge Base article Q331320.
The following list illustrates the steps involved in the successful connection of
an Outlook 2003 client to an Exchange 2003 server via RPC over HTTP:
1. Client must be able to resolve the RPCProxy server in DNS.
2. Client requires SSL to connect to RPCProxy server.
3. Client’s Internet Explorer must have the certificates installed into the
certificate store such that there is no prompt when browsing to
http://rpcproxy_server/rpc. Outlook has no mechanism to prompt to accept
the certificate and will fail to connect. RPCPing will return a 12175 error
when the certificate is not trusted.
4. Client needs to successfully authenticate.
5. Check to make sure that Anonymous Access is disabled on the RPC virtual
directory.
6. RPCProxy needs to know destination servers (Exchange 2003 server,
domain controllers, global catalogs).
7. RPCProxy needs to be able to resolve DNS for destination servers.
8. RPCProxy needs to establish a TCP connection to the destination servers.
9. Credentials from the client are authorized.
10. Send credentials to the Exchange 2003 server store and log on.
The following section provides recommended steps to successfully resolve
problems that can occur at the given point in the client-server connection
attempt.
Client must be able to resolve RPCProxy Server in DNS
The client must be able to contact the RPCProxy server before it can
authenticate.
If the client (RPC) is asked to decide the use of an HTTP proxy, it retrieves that
information from Internet Explorer Proxy settings. The HTTP Proxy settings
are available from the Tools | Internet Options | Connections tab in Internet
Explorer.
From this dialog, you can choose what HTTP proxy settings an RPC/HTTP
client will use.
The options that will be used by RPC/HTTP are in the “Proxy Server” section.
If the “Use a proxy server for your LAN” check box is not checked, RPC/HTTP
will not use an HTTP proxy. If the “Use a proxy server for your LAN”
checkbox is checked and the “Bypass proxy server for local addresses” is not
checked, RPC/HTTP client will always use the HTTP proxy specified in the
“Address:” field to contact the RPCProxy.
Note Up until now, the logic used by RPC/HTTP for establishing connections
is the same as the logic used by Internet Explorer. However, if both checkboxes
are checked as in the graphic above, the RPC/HTTP client will need to perform
some additional steps in order to determine if an HTTP proxy needs to be used,
and these are different from what Internet Explorer does.
When both checkboxes are checked, Internet Explorer will look at the name
entered in the “Address” field when trying to determine if the name belongs to a
local server and thus whether an HTTP proxy should be used. If the name
contains a dot, the address will be assumed to be a fully qualified domain name
address or an IP address and an HTTP proxy will be used.
Hence, if you enter http://server-name in the address bar, Internet Explorer will
not use an HTTP proxy. If you enter http://server-name.de.mo, a FQDN in the
address bar, Internet Explorer will assume the name does not belong to a local
server and will use an HTTP proxy. Internet Explorer determines whether or
not to use the HTTP proxy based on the way the URL is entered.
RPC/HTTP on the other hand never takes direct input from the user; RPC is
called by a program which acts on behalf of the user. Since the user rarely
enters the DNS name of the RPCProxy server, chances are it is stored by the
program and retrieved automatically every time. RPC does not get the benefit
of the hint expressed in a URL. Hence, RPC cannot use the same logic as Internet
Explorer.
RPC sends two small echo packets to the RPCProxy server to achieve a similar
result. One of them is sent directly, the other through the HTTP proxy specified
in the “Address:” field of the browser.
When the RPCProxy receives this echo packet, it responds with a short echo.
When the RPC/HTTP client receives the response, the route to the RPCProxy
server is chosen. The route is either through an HTTP proxy (the proxy route) or
direct communication with the RPCProxy (the direct route). The route will be used
for the lifetime of the session.
Once the above has been configured, communication can be
tested.
Ping Ping <Server-IP-Address>; this will tell you immediately whether you have
basic network connectivity. To take it a step further you could run TRACERT
to view the network path to the RPCProxy Server.
Outlook Troubleshooting
Introduction The first line of troubleshooting Outlook issues should be looking in the
Application Event Log after enabling Mail Logging in the Outlook client. The
majority of connectivity problems should be logged here, which should
help indicate the problem. Outlook 2003 also provides counters for Outlook
specifically to help look at performance during usage. These application event
logs will only be created once the user selects to enable mail logging by
enabling it via Tools / Options / Other / Advanced Options, as seen in the
following screenshot.
Application Event Log Here are some examples of the type of error messages you might see in the
Application Log. Most of these errors can be decoded by using err.exe or
rover.exe, etc.
Description:
Rpc to server (df-fetch.platinum.corp.microsoft.com) failed
with error code (6ba).
err 6ba
# for hex 0x6ba / decimal 1722 :
RPC_S_SERVER_UNAVAILABLE
winerror.h
# The RPC server is unavailable.
# 1 matches found for "6ba"
You can see that Outlook will utilize the application event log to indicate
problems. These logs can help when trying to determine why you can no longer
connect by looking at which servername you are trying to connect to. One of
the easiest tools to use when trying to decipher these error messages is err.exe
which can be found at http://ToolBox/details/details.aspx?ToolID=839.
An alternative is rover.exe which can be found at
http://ToolBox/details/details.aspx?ToolID=409
Articles: 238119 INFO: List of Extended MAPI Numeric Result Codes
http://support.microsoft.com/?id=238119
Performance Counters included with Outlook 2003
Outlook 2003 will include its own set of Performance counters to assist in
troubleshooting connections and latency.
Here are the counters which are included with Outlook 2003. These counters
can be used to assist in determining whether there is a connectivity or latency
issue from the client’s perspective. These counters can be seen in Performance
monitor by adding counters from the Outlook object.
Count obj connection: The number of connection objects that are currently
being used.
RPCs Attempted: Number of RPCs that Outlook attempted to send to the
server.
RPCs Attempted – user interface (UI): Number of RPCs that Outlook
attempted that blocked the UI.
RPCs Cancelled: Number of RPCs that were sent to the server, but the user
cancelled.
RPCs Failed: Number of RPCs that were attempted, but failed.
RPCs Succeeded: Number of RPCs that Outlook successfully sent to the
server.
RPCs UI Shown: Number of RPCs that were sent to the server, and took
long enough to show progress UI.
Time Avg (10): The average amount of time (ms) it took for the last 10
RPCs to complete successfully.
Time Avg (200): The average amount of time (ms) it took for the last 200
RPCs to complete successfully.
Time Avg (50): The average amount of time (ms) it took for the last 50
RPCs to complete successfully.
Time Avg (all): The average amount of time (ms) it took for all RPCs to
complete successfully.
Time Max: The maximum amount of time (ms) it took for an RPC to
complete successfully.
Time Min: The minimum amount of time (ms) it took for an RPC to
complete successfully.
EXTOP
RPC Tracing
Introduction With all versions of Outlook, if you wanted to discover what Outlook is
actually doing, you could get a debug version of emsmdb32.dll.
With Outlook 2003, you do not need to do this anymore. The debugging is
enabled in the code, but not captured.
The Dev team has created two files to help with debugging. These are
rpclog.zip and ewt.zip. Basically you send the customer rpclog.zip and follow
the instructions in the readme file. Once the customer has reproduced the issue
and run rpclog, they can send you the resulting two files for you to process
using ewt.zip and create an HTML file. This HTML file contains the rpctrace
information.
RPCLOG
Rpclog RPC log is an RPC wire analysis tool that collects identifiable information like
folder names, message subjects, and server names.
EWT
EWT The customer should send you these two files. You then need to run the
EWTool to generate HTML from the customer’s data:
1. Click on processewt.vbs.
2. Select the file to process.
3. If you have a Folder ID (FID) file available, click yes; otherwise click no
(default).
4. Select FID file if clicked yes above.
5. Finally you are asked "Open HTML File?" Click OK to this, and you see
the results in HTML.
Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations.
Exercise 1
Setup RPC over HTTP
Lab Setup
This is a quick-fire guide on the basic steps to install and configure RPC/HTTP.
The examples given here were set up on a 3-machine setup (with DC-1 and
Exchange running Windows Server 2003 RTM and IIS 6):
VPC Name  | Server                           | Server Name | Running           | IP Address
DC-1      | domain controller/global catalog | GC          | DC/GC/DNS         | 10.0.0.10/8
Exchange  | Back-End                         | EX2         | Exchange 2003 RTM | 10.0.0.30/8
XP-Client | Outlook Client                   | Basewxpa    | Outlook 2003 RTM  | 10.0.0.40/8
1. Start the following Virtual Machines.
a. Start the following Virtual Machines by opening Virtual PC Console
(click Start, All Programs, Microsoft Virtual PC) and select each
one and click Start.
• DC-1
Wait until DC-1 has fully started before starting the following VPCs:
• Exchange
• XP-Client
Note: The following tasks are to be completed on the Back End Server (Exchange).
2. Install Certificate on Back-End Server.
a. Log into Exchange as Administrator with password Passw0rd1
b. From the task bar, click Start | All Programs | Administrative Tools |
Internet Information Services (IIS) Manager.
c. Expand EX2 (local computer) | Web Sites.
d. Right click Default Web Site, select Properties, and then click the
Directory Security tab.
e. Select the Server Certificate button under Secure Communications.
f. Click the Next button when the Welcome Wizard appears.
g. Select Create a new certificate| click Next.
h. Select Send the request immediately to an online certificate
authority| click Next.
i. Click Next on Name and Security Settings window.
j. Type Contoso in Organization.
k. Type Redmond in Organizational Unit.
l. Click Next.
m. Type mail.contoso.com in Your Site’s Common Name
In order to prevent users from getting prompted when using SSL, the
common name of the certificate MUST be the fully qualified domain name
(FQDN) of the Front-End server.
• [e.g. mail.contoso.com]
n. Click Next.
o. Type Washington in State/Province.
p. Type Redmond in City/locality.
q. Click Next.
r. Click Next on SSL Port.
s. Click Next on Choose a Certificate Authority.
t. Click Next on Certificate Request Submission.
u. Click Finish.
v. Click OK.
3. Install RPC/HTTP Proxy and configure Global Catalog + Exchange for
RPC/HTTP usage.
a. Click Start | Control Panel | Add or Remove Programs.
b. Click the Add/Remove Windows Components button.
c. Double-click Networking Services, select RPC over HTTP Proxy,
and click the OK button.
d. Click the Next button to continue installing the RPC Over HTTP
Proxy.
e. On the Files Needed screen, click OK and set the path to C:\I386 and
click OK.
f. Click the Finish button after installation is complete.
g. Close Add or Remove Programs.
4. Configure the following registry settings on Exchange.
a. To configure the additional ports, set the following registry keys by
clicking Start, Run and type regedit.
Expand HKLM | Software | Microsoft | Rpc | RpcProxy and set the
following values:
Enabled=dword:00000001
ValidPorts = Ex2:593;ex2.contoso.com:593;ex2:6001-6002;ex2.contoso.com:6001-6002;ex2:6004;ex2.contoso.com:6004;gc:593;gc.contoso.com:593;gc:6004;gc.contoso.com:6004
5. Enable SSL on the RPC Virtual Directory.
a. Switch to Internet Information Services (IIS) Manager or click Start |
Administrative Tools | Internet Information Services (IIS) Manager.
b. Expand Web Sites| Default Web Site.
c. Right-click Rpc, and then click Properties.
Note: You may need to press F5 to refresh the Default Web Site listings in
order for the Rpc site to appear.
d. Click the Directory Security tab, and then click Edit under Secure
communications.
e. Click to select the Require secure channel (SSL) check box and the
Require 128-bit encryption check box.
Note: We recommend that you click to select the Require 128-bit encryption
check box. However, RPC over HTTP functions correctly even if you do not
require 128-bit encryption.
f. Click OK.
6. Setup Authentication on the RPC Virtual Directory.
a. Under the Directory Security tab, edit Authentication and access
control, and check Basic and Integrated authentication, and clear the
Enable Anonymous access.
b. Click Yes on the warning.
c. Click OK.
d. Click OK.
Note: The following tasks are to be completed on the Global Catalog Server (DC-1).
8. Configure Outlook 2003 to use RPC/HTTP
a. Log into XP-Client as Administrator with password Passw0rd1.
b. Open Outlook 2003.
c. Hold down the Ctrl key and right-click the Outlook logo in the
taskbar. Select Connection Status.
Exercise 2
Enable Outlook Logging
Scenario
Make sure Outlook is not running in Offline or Cached mode for this lab to function properly.
Review
1. What hotfix do you need for Windows XP SP1 to work with RPC over
HTTPs?
Appendix A
2) Install Certificate on Front-End Server
1. Select the properties of Default Web Site, and the Directory Security tab.
2. Select Server Certificate under Secure Communications.
3) Configure Forms-Based Authentication
** This step is not necessary to install RPC/HTTP, but is useful to have **
4. Outlook Web Access will now only work on HTTPS and will display the
login screen, rather than a pop-up message prompting for credentials.
4) Install RPC/HTTP Proxy and configure Global Catalog + Front-End for
RPC/HTTP usage
1. On the Front-End server, within Add/Remove programs, install the RPC
over HTTP Proxy under Networking Services from Windows Components.
2. Check that the following registry keys have been automatically set on the
Back-End server:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"Rpc/HTTP Port"=dword:0x1771 (decimal: 6001)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters]
"Rpc/HTTP NSPI Port"=dword:0x1774 (decimal: 6004)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters]
"HTTP Port"=dword:0x1772 (decimal: 6002)
- GC:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters]
"NSPI interface protocol sequences"=Reg_Multi_SZ: "ncacn_http:6004"
4. On the Front-End server, within the RPC virtual directory in IIS (this
should already exist), under the Directory Security tab, edit
Authentication and Access Control, allow Basic and Integrated
authentication, and clear Anonymous access.
5) Configure Outlook 2003 to use RPC/HTTP
1. Install the hot fix for KB 331320 on the Outlook 2003 client – this
addresses the performance problems that have been experienced when
using Outlook 2003 to connect to Exchange using RPC/HTTP.
2. Open Outlook 2003 normally, and hold down Control and right-click the
Outlook logo in the taskbar. Select Connection Status.
This will show that normal TCP/IP communication is taking place between
Outlook and the Exchange servers.
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC]
"EnableRpctunnelingUI"=dword:1 <-- set to 2 by default
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC]
"DisableRpcTcpFallback"=dword:1
Note: The second key will prevent TCP being used, even if HTTP is
available.
2. Click Exchange Proxy Settings and enter the FQDN of the Front-End
server. Allow Exchange to connect using HTTP on fast networks.
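The ValidPorts value set in Exercise 1, step 4 is the allow-list of host:port pairs the RPC proxy will forward to, so it should cover exactly the ports listed in this appendix and nothing more. The following check is an added example, not part of the original courseware; the function names are hypothetical, and the host names and port values are the ones used in the lab.

```python
# Added example: audit an RpcProxy ValidPorts allow-list against the lab's ports.
# Value from Exercise 1, step 4 (HKLM\Software\Microsoft\Rpc\RpcProxy).
VALID_PORTS = (
    "Ex2:593;ex2.contoso.com:593;ex2:6001-6002;ex2.contoso.com:6001-6002;"
    "ex2:6004;ex2.contoso.com:6004;gc:593;gc.contoso.com:593;"
    "gc:6004;gc.contoso.com:6004"
)
# Back-End registry values as listed in Appendix A (hex dwords).
BACKEND_REG = {"Rpc/HTTP Port": "0x1771", "Rpc/HTTP NSPI Port": "0x1774",
               "HTTP Port": "0x1772"}
GC_NSPI = "ncacn_http:6004"   # GC "NSPI interface protocol sequences"
EPM_PORT = 593                # End Point Mapper port named in Appendix B

def expected_ports():
    """Ports each lab host should expose through the proxy, per the page."""
    backend = {EPM_PORT} | {int(v, 16) for v in BACKEND_REG.values()}
    gc = {EPM_PORT, int(GC_NSPI.rpartition(":")[2])}
    return {"ex2": backend, "ex2.contoso.com": backend,
            "gc": gc, "gc.contoso.com": gc}

def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {host: set(ports)}."""
    allowed = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo_s, _, hi_s = ports.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        # Host names are compared case-insensitively (the lab mixes Ex2/ex2).
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed

def audit(value, expected):
    """Return (missing, excess) as sorted lists of (host, port) pairs."""
    allowed = parse_valid_ports(value)
    missing = sorted((h, p) for h, ps in expected.items()
                     for p in ps - allowed.get(h, set()))
    excess = sorted((h, p) for h, ps in allowed.items()
                    for p in ps - expected.get(h, set()))
    return missing, excess

if __name__ == "__main__":
    print(audit(VALID_PORTS, expected_ports()))
```

Missing pairs explain connection failures for one name form (NetBIOS or FQDN); excess pairs are ports the proxy will relay to that the lab never uses.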
Appendix B
SUMMARY
This article discusses how to use the RPC Ping Utility to troubleshoot
connectivity issues for Microsoft Office Outlook 2003 using Exchange over the
Internet by the nesting of Remote Procedure Calls (RPC) in HTTP packets.
MORE INFORMATION
You can use the RPC Ping Utility to confirm the RPC connectivity between the
computer that is running Microsoft Exchange Server and any of the supported
Microsoft Exchange Client workstations on the network. Additionally, you can
use the RPC Ping Utility to verify that the Microsoft Exchange Server services
are responding to RPC requests from the client workstations through the
network.
The RPC Ping Utility is part of the Microsoft Windows Server 2003 Resource
Kit Tools. You can download the Resource Kit from the following Microsoft
Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Note NTLM cannot be used through reverse proxies if they end the TCP
session.
-I & -P | Always specify. If you use the asterisk (*) wildcard character for the password, the RPC Ping utility will prompt for a password.
6001 (store)
6004 (dsproxy)
-E | Test only RpcProxy. Use this for determining where the connection problem lies.
-R | Do not use by default. Picks up the client's HTTP Proxy settings. Can be used to override HTTP Proxy settings; for example, Internet Explorer proxy settings.
-R none | Forces no proxy to be used. RPC Ping utility will ignore Internet Explorer proxy settings and try direct connection to server specified in the -o switch.
-f (or no -e) | Used to test individual UUIDs on computers behind an RPCProxy server.
You will be prompted to enter your password for your Exchange server, and
then you will be prompted for your password for the RPC proxy server. If the
RPC Ping test was successful, you will receive the following reply:
RPCPinging proxy server <ExchServer> with Echo Request Packet
Verbose Response
This table lists some of the more common verbose responses and why you may
receive them from RPC Ping tests.
Verbose Response | Possible Cause
Response from server received: 401 | Test failed. Client is not authorized to ping RPC proxy.
Error 12029 returned in the WinHttpSendRequest. | Test failed. Could not contact ProxyServer. Port 80 (-F 2) or 443 (-F 3) blocked.
Response from server received: 501 | Test failed. The RpcProxy.dll could not be contacted.
Exception 1722 (0x000006BA) RPC Server is unavailable | The RPC service can not be contacted. This can be for many reasons. Problems with the Rpcproxy server itself may cause this. Use the -E option to check that the RpcProxy server is available.
Verifying that the Client can contact Back-end server and Back-end
services through UUID
By default the End Point Mapper (port 593) will not be published. Therefore,
these samples are of limited use. However if the End Point Mapper is
published, the following commands can be used: