I'm interested in using Exchange Server 2003's remote procedure call (RPC)-over-HTTP feature, but my boss is worried about opening RPC ports to the Internet. Does opening these ports pose a security risk?
Yes, opening the RPC ports without some kind of filter or firewall in place is risky, but when you deploy Exchange 2003's RPC-over-HTTP feature, you don't need to open the RPC ports themselves. When you use this feature, the RPC communications that Outlook uses to talk to Exchange are nestled inside HTTP packets and carried over a Secure Sockets Layer (SSL)-protected channel. As a result, the RPC ports are never exposed to the Internet.
To use this feature, you must use Microsoft Office Outlook 2003 (the only client that can talk to Exchange in this mode) running on Windows XP with Service Pack 1 (SP1), and you must install the hotfix from the Microsoft article "Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP" (http://support.microsoft.com/?kbid=331320). Your mailbox server must run Exchange 2003, and you must use Windows Server 2003 on all servers that the client will talk to, including the Global Catalog (GC) servers and domain controllers (DCs), which provide the RPC-over-HTTP interfaces that Exchange uses.