Positioning Your RPC Proxy Server and Firewalls in a Corporate Environment

 

When you deploy RPC over HTTP in your corporate environment, you have several deployment strategies available for positioning your RPC proxy server and firewalls. The recommended deployment strategy for your messaging environment is to deploy an advanced firewall server, such as Microsoft® Internet Security and Acceleration (ISA) Server 2000 with Service Pack 1 and Feature Pack 1 or later, in the perimeter network. Then position your RPC proxy server in the corporate network and use the Exchange front-end and back-end server architecture.

Note

When you use ISA Server as your advanced firewall server, you have several deployment options. These options are explained in the following sections. For information about how to install ISA Server as an advanced firewall server, see Using ISA Server 2004 with Exchange Server 2003 (https://go.microsoft.com/fwlink/?LinkId=42243).

Scenario 1: Front-End and Back-End Server Architecture with ISA Server in the Perimeter Network

By using ISA Server in the perimeter network to route RPC over HTTP requests and positioning the Exchange front-end server in the corporate network, you need to open only port 443 on the internal firewall for Microsoft Office Outlook® 2003 clients to communicate with Exchange. The following figure shows this deployment scenario.

Deploying RPC over HTTP using ISA Server as a reverse proxy server in the perimeter network


When located in the perimeter network, ISA Server routes RPC over HTTP requests to the Exchange front-end server that is acting as an RPC proxy server. The RPC proxy server then communicates over specific ports to other servers that use RPC over HTTP.

Note

If your firewalls are configured to allow access only to specific virtual directories, you must specifically allow access to the /rpc virtual directory that is created when you install the Microsoft Windows® RPC networking component.

Scenario 2: Positioning the RPC Proxy Server in the Perimeter Network

Although not recommended, you can position the Exchange Server 2003 front-end server acting as the RPC proxy server inside the perimeter network. For details about placing an Exchange front-end server in a perimeter network, see the topic "Scenarios for Deploying Front-End and Back-End Topology" in Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology (https://go.microsoft.com/fwlink/?LinkId=34216).

In this scenario, you configure your Exchange servers as in Scenario 1. However, you must also open the ports required by RPC over HTTP on your internal firewall, in addition to those already required for an Exchange front-end server. The following ports are required for RPC over HTTP:

  • TCP 6001 (Microsoft Exchange Information Store service)

  • TCP 6002 (referral service of Directory Service proxy component)

  • TCP 6004 (proxy service of Directory Service proxy component)

Note

When you run Exchange Server 2003 Setup, Exchange is automatically configured to use port 6001, which is required for the store, and port 6004, which is required for the Directory Service proxy component (DSProxy).

For a complete list of the other ports required on the Exchange front-end and back-end servers, see "Considerations when Deploying a Front-End and Back-End Topology" in Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology (https://go.microsoft.com/fwlink/?LinkId=34216). The following figure shows this deployment scenario.

Deploying RPC over HTTP on the Exchange front-end server in the perimeter network
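The internal-firewall requirements of Scenarios 1 and 2 can be checked mechanically against an exported rule set. The following is an added example, not part of the original documentation or any Microsoft tool; the rule syntax (`allow tcp <src> <dst> <port|lo-hi>`) and the zone names `perimeter` and `corporate` are assumptions made for illustration.

```python
# Added example: audit internal-firewall allow rules against this page's scenarios.
# The rule syntax and zone names are constructed, not a vendor format.

HTTPS = 443
RPC_HTTP_PORTS = {
    6001: "Microsoft Exchange Information Store service",
    6002: "DSProxy referral service",
    6004: "DSProxy proxy service",
}

# TCP ports this page requires from the perimeter into the corporate network.
REQUIRED = {1: {HTTPS}, 2: set(RPC_HTTP_PORTS)}


def parse_rule(line):
    """Parse 'allow tcp <src> <dst> <port|lo-hi>' into (src, dst, set_of_ports)."""
    action, proto, src, dst, spec = line.split()
    if action != "allow" or proto != "tcp":
        raise ValueError(f"unsupported rule: {line!r}")
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return src, dst, set(range(lo, hi + 1))


def audit(rule_lines, scenario):
    """Return (missing, extra) TCP ports for perimeter -> corporate traffic."""
    opened = set()
    for line in rule_lines:
        src, dst, ports = parse_rule(line)
        if (src, dst) == ("perimeter", "corporate"):
            opened |= ports
    required = REQUIRED[scenario]
    return sorted(required - opened), sorted(opened - required)


# Constructed sample rule sets.
SCENARIO_1_RULES = ["allow tcp perimeter corporate 443"]
SCENARIO_2_RULES = [
    "allow tcp perimeter corporate 6001-6004",  # range also opens 6003
    "allow tcp corporate perimeter 25",         # other direction, ignored
]

if __name__ == "__main__":
    for n, rules in ((1, SCENARIO_1_RULES), (2, SCENARIO_2_RULES)):
        missing, extra = audit(rules, n)
        print(f"scenario {n}: missing={missing} extra={extra}")
```

In Scenario 2, ports reported as extra still have to be compared with the front-end port list in the topology guide referenced above, which this page does not reproduce.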


Scenario 3: Using Exchange Single-Server Installations

If you plan to use a single server as your Exchange mailbox server and RPC proxy server, or if you plan to use a single server as your Exchange mailbox server, RPC proxy server, and global catalog server, and you do not have a separate Exchange front-end server, see one of the following topics:

The following figure shows this deployment scenario.

Single Exchange server deployment


In this scenario, you will also need to configure your server to use specified ports for RPC over HTTP. The following ports are required for RPC over HTTP:

  • TCP 6001 (Microsoft Exchange Information Store service)

  • TCP 6002 (referral service of DSProxy)

  • TCP 6004 (proxy service of DSProxy)

Note

When you run Exchange Server 2003 Setup, Exchange is automatically configured to use port 6001, which is required for the Microsoft Exchange Information Store service, and port 6004, which is required for the proxy service of DSProxy.

Scenario 4: Secure Sockets Layer Offloading

You can use a different server than your Exchange front-end server to handle the Secure Sockets Layer (SSL) decryption for your client connections. In this scenario, you will need to set a special registry setting to allow SSL decryption to occur on a different computer than your front-end server. For more information, see How to Configure the RPC Proxy Server to Allow for SSL Offloading on a Separate Server. The following figure shows this deployment scenario.

Deploying RPC over HTTP using ISA Server as a reverse proxy server in the perimeter network with SSL offloading
