
Exchange 2010 Notes from the Field – RPC Encryption

Joseph Hoegler


This topic has been blogged about frequently, but in my opinion it can be one of the single biggest causes of issues when deploying a new Exchange 2010 environment. Unlike previous versions of Exchange, Exchange 2010 requires RPC encryption between clients and the server by default. This is not an issue for Outlook 2007 or Outlook 2010 clients, since both enable this encryption by default (and fall back to unencrypted communications if the server does not support it). However, legacy Outlook 2003 clients and potentially some third-party applications do not enable it by default.

To enable Outlook 2003 to communicate properly, you can simply check the “Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server” option in the MAPI profile properties (see below). You can also use Group Policy to enforce this setting or automate the deployment firm-wide.

RPC Encryption

Alternatively, if you need to support other applications that cannot use RPC encryption, you can disable the RPC encryption requirement with the following cmdlet:

Set-RPCClientAccess -Server SERVER-NAME -EncryptionRequired $false

If you have multiple servers or have broken out your CAS and Mailbox roles onto separate servers, be sure to disable encryption for both your CAS servers and your Mailbox servers. While Exchange 2010 moved the RPC endpoint for mailbox access to the CAS role, the RPC endpoint for public folder access is still the Mailbox role. If you don’t disable RPC encryption on the Mailbox role as well, you won’t be able to connect to public folders from a client that doesn’t support RPC encryption.

If you disable RPC encryption, make a note to re-enable it as soon as your application set allows, so that you can further secure your environment.
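To keep track of which servers still have the requirement turned off, the following added example (not part of the original post) reports the setting for every RPC endpoint together with its server roles, then previews re-enabling it. It assumes an Exchange 2010 Management Shell session with rights to run these cmdlets; Get-RpcEncryptionStatus is a hypothetical helper name.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Get-RpcEncryptionStatus is a hypothetical helper, not an Exchange cmdlet.
function Get-RpcEncryptionStatus {
    # One row per RPC Client Access configuration. CAS servers carry the
    # mailbox endpoint and Mailbox servers carry the public folder endpoint,
    # so both kinds of server need to appear in the report.
    foreach ($cfg in Get-RpcClientAccess) {
        $name = "$($cfg.Server)"
        $role = (Get-ExchangeServer -Identity $name).ServerRole

        New-Object PSObject -Property @{
            Server             = $name
            ServerRole         = $role
            EncryptionRequired = $cfg.EncryptionRequired
        }
    }
}

# Servers where clients are currently allowed to connect unencrypted.
$unencrypted = @(Get-RpcEncryptionStatus |
    Where-Object { -not $_.EncryptionRequired } |
    Sort-Object Server)

if ($unencrypted.Count -eq 0) {
    Write-Host 'All RPC endpoints require encryption.'
}
else {
    $unencrypted |
        Format-Table Server, ServerRole, EncryptionRequired -AutoSize

    # Preview the change only. Remove -WhatIf once every client and
    # application that connects to these servers supports RPC encryption.
    foreach ($row in $unencrypted) {
        Set-RpcClientAccess -Server $row.Server -EncryptionRequired $true -WhatIf
    }
}
```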

Update: In Exchange 2010 Service Pack 1, the RPC encryption requirement is now disabled by default. With SP1, any new CAS servers deployed will not require encryption. Any CAS servers deployed previously will retain their existing settings for RPC encryption after applying SP1, so you do not have to re-enable encryption if you did not disable it previously. For more information, please refer to http://support.microsoft.com/kb/2006508.
