Exchange 2010 RPC Encryption Requirement

Current Status: Non-issue

Exchange 2010 SP1
With Exchange 2010 RTM, the RPC encryption requirement was an issue with mitigation. However, in Exchange Server 2010 Service Pack 1, the RPC encryption requirement has been disabled by default. This means that any new Exchange 2010 SP1 Client Access Servers (CAS) deployed in the organization won’t require encryption and Outlook 2003 clients will connect without the need to enable the RPC encryption feature in the Outlook profile.

Important
Having the RPC encryption requirement on an Exchange 2010 CAS server disabled doesn’t lower the security between Outlook 2007/2010 and any Exchange 2010 CAS server. RPC communication for these Outlook versions will remain encrypted as long as the client has the RPC encryption feature enabled. It’s only the requirement itself that is disabled on the Exchange 2010 CAS server.

Exchange 2010 CAS servers deployed prior to Service Pack 1, or upgraded to Service Pack 1, will retain the existing RPC encryption requirement setting.

Exchange 2010 RTM
When upgrading or migrating an organization that fully or partly uses Outlook 2003 to Exchange 2010, we hear there are out of the box problems, when trying to connect an Outlook 2003 client to an Exchange 2010 RTM mailbox? We heard this is because an Exchange 2010 RTM Client Access Server by default requires an Outlook client to support RPC encrypted traffic in order to be able to connect.

While it’s true the default configuration of an Outlook 2003 client doesn’t have support for RPC encryption, this requirement is fully supported with Outlook 2003.

There are two methods that can be used in order to have Outlook 2003 clients connect to an Exchange 2010 RTM mailbox:

Method 1: Enable the RPC encryption support in Outlook 2003

If “Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server” is enabled under the “Security” tab in the Outlook 2003 profile (see figure 1), the client will be able to connect to an Exchange 2010 RTM mailbox.


Figure 1:
RPC Encryption enabled in Outlook 2003

If you are working with or for a small organization, it may be acceptable the end user enables this feature manually, but if you have thousands of users in the organization, you would want to enable it using a group policy (GPO). The steps necessary to implement a GPO to enable this setting are included in this KB article.


Important

The “EnableRPCEncryption” registry key mentioned in the KB article was originally introduced via a hotfix for Outlook 2003 SP2. This means that clients that either runs Outlook 2003 SP2 or an older version of Outlook 2003 doesn’t respect this registry key. In addition, Outlook 2003 clients not running SP3 are not supported by Microsoft.

Method 2: Disable the RPC Encryption requirement on the Client Access Servers

Instead of enabling support for RPC encryption in the Outlook 2003 profiles, you also have the option of disabling the requirement for RPC encryption on all Exchange 2010 RTM Client Access Servers in the organization.

This can be accomplished using the Set-RpcClientAccess cmdlet:

Set-RpcClientAccess –Server Exchange_server_name –EncryptionRequired $False


Figure 2:
RPC Encryption requirement disabled on Exchange 2010 CAS servers

As mentioned earlier Exchange 2010 SP1 servers that hasn’t been upgraded from Exchange 2010 RTM has the RPC encryption requirement disabled by default.

The following KB article describes the symptoms and remediation in detail:

The core Exchange 2010 TechNet documentation also describes the configuration that can be used to remediate the issue:

Important
Unmanaged client machines cannot be controlled using GPOs or login scripts. If you have unmanaged machines connecting to Exchange 2010 using Outlook 2003, one solution would be to send those users a script or a registry file which they can run manually on their machine to enable the RPC encryption setting.

Special Thanks to Henrik Walther

Leave a Reply

Translate »