On IIS 6.

0, how do I configure my website to use

SSL?
By default, web browsing is being performed by use of the HTTP protocol, i.e. a connection between the
client computer (using a web browser) to the web server (using IIS, Apache or any other sort of web server
program). HTTP relies on TCP (Transmition Control Protocol) and uses port 80 on the listening server.

The main security issue with HTTP is the fact that all the traffic between the client and the server is done as
clear text, meaning that anyone could potentially "listen" to your talk and grab frames and valuable
information from the net.

To secure the transmission of information between your web server running IIS 6.0
on Windows Server 2003 and your browser clients, you can encrypt the information
being transmitted by using SSL (Secure Sockets Layer).

Note: The procedure for applying SSL on IIS 5.0 (on Windows 2000) and IIS 5.1 (on Windows XP) is quite
the same.

In order to successfully use SSL you need to obtain a Server Certificate. In this article I will only focus on
obtaining a certificate from a local CA or importing an already existing certificate. However, it is possible
(and in many cases preferred) that you obtain the Server Certificate from a trusted 3rd party CA such as
Verisign or Thawte.

Configure SSL
To configure SSL for your website on IIS 6.0 (running on Windows Server 2003)
complete the following steps:

Note: Although the screenshots are made with IIS 6.0 on Windows Server 2003, the
same procedure applies for IIS 5.0 and IIS 5.1.

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Services Manager, in the console tree, expand SERVERNAME (your
local computer), and then expand Web Sites.
3. In the console tree, right-click Default Web Site, and then click Properties.

Note: It's possible that the site you've created was stored under a different virtual server. If your website is
not stored within the Default Web Site, right-click your own web site and click Properties.

4. In the Default Web Site Properties dialog box, click Directory Security.
 5. On the Directory Security tab, click Server Certificate.
6. In the Welcome to the Web Server Certificate Wizard, on the Welcome page,
click Next.
7. On the Server Certificate page, verify that Create a new certificate is selected,
and then click Next.

Note: You can also import an already existing certificate. Do do so follow these steps:

1. Click Import a certificate from a .pfx file. Click Next.

1. In the Import Certificate path enter the path to where you've stored your existing certificate. Click
Next.

1. Enter the password configured for the .pfx file. Click Next.

4. Go to step #13.

5. On the Delayed or Immediate Request page, click Send the request

immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on your server or on a
different server on the network you can prepare the request but you'll need to
manually send it to the CA.

9. On the Name and Security Settings page, in the Name box, type
yourservername.domainname.com (or .net, .org, .mil etc. Use your own
registered domain name, the one you want people to use when browsing to
your site) and then click Next.

Note: You will need a different certificate for each website you'll run on this server, so make sure you
provide the exact server URL.

Important note - Internet use: You must make sure that either the Name or the Common Name fields
(one of them or both of them) exactly match the external FQDN of the website. For example, if your
server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it
will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use
WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use
SERVER1.MYINTERNALDOM.LOCAL.

Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server,
or even just it's NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located
in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or
just SERVER1 for the Name or the Common Name fields.

You can also change the Bit Length for the encryption key if you want.

10. On the Organization Information page, in the Organization box, type your own
company name. In the Organizational Unit box, type a descriptive name and
then click Next.

9. On the Your Sites Common Name page, in the Common name box, type
yourservername.domainname.com (see important note in step #9) and
then click Next.
 9. On the Geographical Information page, in the State/province box, type the
required info and then click Next.

13. On the SSL Port page, in the SSL port this web site should use box, verify that
443 is specified, and then click Next.

Note: SSL can only listen once on port 443, requiring you to either select a different SSL port for each SSL
protected website you're about to host on the server, or, even better, use a different static IP for each site,
and share port 443 amongst them.

9. On the Choose a Certification Authority page, in the Certification Authorities

box, verify that your online CA is selected, and then click Next.

9. On the Certificate Request Submission page, click Next to submit the request,
and then click Finish to complete the wizard.

To use the certificate to secure the web site that is using

SSL

1. In the Default Web Site Properties dialog box, on the Directory Security tab,
in the Secure communications area, click Edit.
Note: It's possible that the site you've created was stored under a different virtual server. If your website is
not stored within the Default Web Site, right-click your own web site and click Properties.

Note: It's also possible that you might not wish to protect the entire website, but merely one or two pages
within the large website. In fact, this scenario is highly probable for most site operators that would only like
to protect a couple or important pages, such as an online store or registration form. In that case you do NOT
need to SSL-protect the entire site, so do NOT right-click the entire site. Right-click only the directory or
pages within the site.

2. In the Secure Communications dialog box, click the Require secure channel
(SSL) check box, click the Require 128-bit encryption check box, and then
click OK.

Note: Using a requirement of 128-bit encryption should pose no problem to current operation systems and
web browsers, but keep in mind that older OSs might not be able to connect to your site.

3. On the Directory Security tab, in the Authentication and access control area,
click Edit.
4. In the Authentication Methods dialog box, click Basic authentication
(password is sent in clear text), and then click Yes to acknowledge the
warning.
5. Clear the Integrated Windows Authentication and Enable Anonymous Access
check boxes, and then click OK.

Note: You are NOT required to disable anonymous access, this is just a security measure. It might be likely
that your site is supposed to allow anonymous access, while still using SSL as the encryption method. This
is true for websites that offer online shopping carts where surfers are supposed to enter their credit card
numbers. You might not want to restrict these online shops only for people that hold a username and
password. In that case keep the Enable Anonymous Access check boxes selected.

3. In the Default Web site Properties dialog box, click OK.

4. In all Inheritance Overrides dialog boxes, click OK.
 8. Close Internet Information Services (IIS) Manager.

Verify that SSL is working

To test your new settings connect your open a browser and type your server's FQDN
(or NetBIOS name, if on the LAN) in the address bar (for example: http://server200
for your Intranet, or http://www.kuku.co.il for the Internet).

Note: Make sure you've followed the important note in step #9 above.

Since you still used HTTP (plain text http, using TCP port 80) you'll get the following
error message:

Now re-type the URL by using HTTPS instead of HTTP. You should be able to view the
OWA website.

You'll receive a Security Alert window. Click Ok.

If configured correctly, you should be able to connect to your now SSL-protected website.

To verify that you're using SSL try to find a small yellow lock icon on the browser
lower right corner . Double click the lock icon.

A Certificate window will open. Review the information that is entered into the
certificate and click Ok.
Note: Make sure you renew your certificate a few weeks before it expires in order to
prevent mishaps like this one: Expired SSL Website Certificate.

The RPC virtual directory is now configured to use basic authentication. As stated in the
Recommendations section of this article, you must configure SSL on your RPC Proxy server (i.e. on
your single server). To enable SSL on the RPC virtual directory you must obtain and publish a
certificate. Follow the guidelines on the Configure SSL on Your Website with IIS article for more info
on this issue (This procedure assumes that you have obtained and published certificate).

After setting up a Digital Certificate for the Default Website you will need to configure the RPC
virtual directory to require SSL for all client-side connections.

To configure the RPC virtual directory to require SSL for all client-side connections, follow these
steps:

1. In Internet Information Services (IIS) Manager expand Web Sites, expand Default Web Site,
right-click Rpc, and then click Properties.
2. Click the Directory Security tab, and then click Edit under Secure communications.

3. Click to select the Require secure channel (SSL) check box and the Require 128-bit
encryption check box.

4. Click OK, click Apply, and then click Ok.

Configure the RPC proxy server to use specific ports

After you configure the RPC over HTTP networking component for Internet Information Services,
configure the RPC proxy server. Configure the RPC proxy server to use specific ports to
communicate with the directory service and with the information store on the Exchange computer.
 Warning!
This document contains instructions for editing the registry. If you make any error
while editing the registry, you can potentially cause Windows to fail or be unable to
boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always
back up the registry before making any changes. If you do not feel comfortable editing
the registry, do not attempt these instructions. Instead, seek the help of a trained
computer specialist.

Tip: Instead of manually editing the registry, reader Harry Bates has most cleverly designed a small
utility that will allow you to perform all these changes by pressing a couple of buttons. The tool is
called RPCNoFrontEnd (19kb).

Run the tool on your Exchange server, input the server's names and you're done! Thanks Harry!

If you've used the above tool you no longer need to perform any manual registry changes and you can
safely skip the rest of this guide till the Global Catalog configuration section below.

However, if you're still interested to know what's going on for your information, here are the required
changes and information:

No action required - for your information only!

When you run Exchange Server 2003 Setup, Exchange is configured to use the ports in the following
table:

Server Port Service

Exchange Server (Global
6001 Store
Catalog)
6002 DSReferral
6004 DSProxy

The three registry values that follow are automatically configured by Exchange Server 2003 Setup.
Although you do not have to configure these registry values, you might want to verify that these
registry values are configured correctly.
Do NOT modify these registry values. Just make sure they exist.

Action required - configure the RPC proxy server to use

specific ports
To configure the RPC proxy server to use specific ports, follow these steps.

1. On the RPC proxy server (i.e. your Exchange server - this is a single server scenario), start
Registry Editor.
2. Locate and then click the following registry subkey:

3. In the right pane, right-click ValidPorts, and then click Modify.

Note: The default value for the ValidPorts key is:

Where ServerNetBIOSName is the NetBIOS name of your server.

4. Remove all the information from the Value data box, and then type the following
information:

Replace ServerNetBIOSName with the NetBIOS name of your server. Replace ServerFQDN with the
fully qualified domain name (FQDN) of your server.

Note: The above text is ONE LONG LINE. Copy and paste it into Notepad, and edit it there. Once
done, copy it from Notepad and enter it in the Registry editor.

Note: This is the part where most administrators fail. Take a look at the following table and enter the
correct values based upon this example:

Role Names
Windows Server 2003 NetBIOS FQDN - Internal: FQDN - External:
SP1 name:
+ zeus.dpetri.net mail.dpetri.net
Exchange 2003 SP1 zeus
+ (this is just an example, the (this is just an example, the
DC, FSMO, GC name is bogus) name is bogus)
+
RPC Proxy

Note: In the above table I've used the same domain name internally as externally (dpetri.net). This is
NOT a best practice, as one SHOULD keep these two domain names separate, mostly for security and
DNS issues. For example, if I would have to re-write this guide, I'd probably use dpetri.local for the
internal domain name, and dpetri.net externally.
Text to enter in the registry:

Note: Some guides and articles instruct you to also add the external FQDN of the RPC Proxy, i.e. the
FQDN used to access the server from the Internet. For example, in the above scenario, you should
use:

I've experimented with both settings, both work. To be on the safe side I'd recommend using the
longer version.

5. Click OK, and then quit Registry Editor.

Note: You can also use the Rpccfg tool to set and to troubleshoot port assignments. The Rpccfg tool is
included in the Windows Server 2003 Resource Kit tools (Download Windows 2003 Reskit Tools):

Configure all your global catalogs to use specific ports for

RPC over HTTP for directory services
Exchange Server 2003 Service Pack 1 note: Exchange Server 2003 Service Pack 1 has a new built-
in RPC over HTTP/S GUI setting on the Exchange Server properties page in Exchange System
Manager. If you configure the RPC over HTTP/S option from the GUI, there is NOT need to
make any manual changes in the Registry.

To make the changes via the GUI follow these steps:

1. Click Start, point to Microsoft Exchange, and then click System Manager.
2. Expand your organization, expand Administrative Groups > First Administrative Group >
Servers.
3. Right-click on your server name and select Properties.
4. On the General tab, verify that you have SP1 installed. Verify that a tab called RPC-HTTP is
present.

5. On the RPC-HTTP tab, click on RPC-HTTP Back-End Server.

You might get an error:

Exchange System Manager
There is no RPC-HTTP front-end in your Exchange organization. There must be at least one RPC-
HTTP front-end server in the organization before the RPC-HTTP back-end server can be accessed.

Acknowledge the error.

6. Click Ok all the way out.

7. You need to reboot your server for the settings to take place.

If you did not install Exchange Server 2003 SP1, or if you did not configure the RPC over
HTTP/S option from the GUI, then you MUST manually perform the changes in the Registry.

To do this, follow these steps:

1. Start Registry Editor.

2. Locate and then click the following registry subkey:

On the Edit menu, point to New, and then click Multi-String Value.

Note Make sure that you select the correct value type for the registry subkey. If the registry subkey
type is set to anything other than Multi-String Value, you may experience problems.

3. Name the new registry value NSPI interface protocol sequences.

4. Right-click NSPI interface protocol sequences, and then click Modify.
5. In the Value data box, type

and then click OK.

6. Quit Registry Editor, and then restart the computer.

Configure the Outlook 2003 computer to use RPC over

HTTP/S
You must now configure a client computer that meets the requirements specified at the beginning of
this article to use RPC over HTTP/S.

Follow the instructions found in the Configure Outlook 2003 to use RPC over HTTP/S article.

Test the RPC over HTTP/S connection

Next, the natural step is to test your configuration. Testing can be done on the LAN or on the WAN.

Follow the instructions found in the Testing RPC over HTTP/S Connection article.

If a successful connection is made then you can start deploy