Citrix SD-WAN WANOP

RPC over HTTP

Microsoft Exchange Server is one of the common email servers used across organizations. As a result of recent enhancements in Microsoft Exchange Server, you can securely connect to it over the Internet. Depending on the available bandwidth, you might experience latency in the email delivered to the Outlook client. In addition to the MAPI protocol, the Citrix SD-WAN WANOP appliance supports Remote Procedure Call over HTTPS (RPC over HTTPS) to optimize Microsoft Exchange traffic. This feature is also known as Outlook Anywhere.

RPC over HTTPS is not a new protocol, but starting with Microsoft Exchange 2013, it replaces MAPI as the default protocol. The main advantage of RPC over HTTPS is that it enables clients to securely connect to the mail server over the Internet.

When you use RPC over HTTPS, the Microsoft Exchange server must use a digital certificate and private key to authenticate itself to the Outlook client. The communication between the client and server uses HTTPS as a transport protocol.

On the Citrix SD-WAN WANOP appliance, RPC over HTTPS is supported for the following Microsoft Outlook and Exchange Server versions:

  • Microsoft Outlook

    • Microsoft Outlook version 2007

    • Microsoft Outlook version 2010

    • Microsoft Outlook version 2013

  • Microsoft Exchange Server

    • Microsoft Exchange Server version 2007

    • Microsoft Exchange Server version 2010

    • Microsoft Exchange Server version 2013

Of these, all versions except Microsoft Exchange Server 2013 support MAPI (over TCP) as well as RPC over HTTPS. However, Microsoft Exchange Server 2013 forces connections to use RPC over HTTPS, regardless of the Microsoft Outlook version you use to connect to the Exchange server.

Configure RPC over HTTPS

By default, the RPC over HTTPS feature is enabled on the appliance. However, to configure the appliance to accelerate RPC over HTTPS, you must perform the following additional tasks:

  • Configure encrypted MAPI.

  • Configure an SSL profile with a server certificate.

  • Create an RPC over HTTPS service class and bind the SSL profile to it.

Configure Encrypted MAPI

Note

Skip this section if you have already configured encrypted MAPI acceleration on the appliance.

Microsoft Outlook uses Messaging Application Programming Interface (MAPI) connections between Outlook clients and the Microsoft Exchange server. MAPI connections use RPCs, which are encapsulated by an HTTP connection. Therefore, before you configure RPC over HTTPS on a Citrix SD-WAN WANOP appliance, you must configure encrypted MAPI on the appliance.

Prerequisites:

Before you configure encrypted MAPI, make sure that the following prerequisites are met:

  • The Secure Peer option should be set to True on the client-side as well as the server-side appliance. To configure a secure partner, see Secure Peering.

  • The DNS IP address configured on the server-side appliance must be reachable.

  • The datacenter-side appliance must successfully join the domain.

  • A delegate user must be added to the datacenter-side appliance, and its status should be marked as “Success.”

For more information, see Configure a Citrix SD-WAN WANOP appliance to optimize secure Windows traffic.

Configure an SSL profile with a server certificate

The HTTPS connection that encapsulates the MAPI connection is secured by SSL. As a result, RPC over HTTPS requires connectivity through TCP port 443. This port is assigned to HTTPS, which web-server administrators usually keep open in the firewall application. Using SSL-protected communication helps RPC over HTTPS to maintain the security of all communications.

To enable RPC over HTTPS acceleration, you must install a server certificate on the appliance. Using this server certificate, you can configure an SSL profile that RPC over HTTPS uses for secure communication. To configure an SSL profile with an Exchange server certificate, see Installing Server and Client Certificates.

Note

You must configure an SSL profile only on the datacenter-side appliance.
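A pre-install check for the certificate and private key that go into the SSL profile, shown as an added example that is not Citrix tooling or part of the original documentation. It assumes the OpenSSL command-line tool and PEM files; the file names and the host name mail.example.test are placeholders, and the sample certificate is constructed on the spot.

```shell
#!/bin/sh
# Added example (not Citrix tooling): verify a certificate/key pair before
# installing it on the datacenter-side appliance. Assumes the OpenSSL CLI
# and PEM-encoded input; all names below are placeholders.

# check_pair CERT KEY HOST -> prints "ok" and returns 0 if the pair is usable.
check_pair() {
  cert=$1 key=$2 host=$3

  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "unreadable certificate"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "unreadable private key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "key does not match certificate"; return 1; }

  # 2. The certificate must not already be expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate expired"; return 1; }

  # 3. The certificate must cover the name Outlook clients connect to.
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
    grep -q "does match" ||
    { echo "hostname not covered"; return 1; }

  echo "ok"
}

# make_sample DIR HOST: constructed test input, a throwaway self-signed
# certificate with its key, plus an unrelated key to show a mismatch.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" mail.example.test
check_pair "$demo_dir/cert.pem" "$demo_dir/key.pem" mail.example.test
check_pair "$demo_dir/cert.pem" "$demo_dir/other.pem" mail.example.test || true
rm -rf "$demo_dir"
```

Because the appliance holds the Exchange server's private key once the profile is installed, run the check on an administrative host and remove any working copies of the key afterwards.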

Create an RPC over HTTPS service class and bind the SSL profile to it

To optimize the RPC over HTTP connections, you must create a service class that lists HTTPS and all MAPI applications. You must provide the IP address of the Microsoft Exchange server as a destination IP address for this service class, and then bind the SSL profile you created to this service class. Binding the profile to the service class makes sure that the communication between the Outlook client and Microsoft Exchange server is secured by using this profile.

Note

You must configure and bind an SSL profile to the service class only on the datacenter-side appliance.

Verify accelerated RPC over HTTPS connections

After you have configured RPC over HTTPS on the appliance, you can verify that the appliance is accelerating the RPC over HTTPS connection on the Monitoring page for MAPI. The accelerated RPC over HTTPS connections are listed on the Accelerated MAPI Sessions tab.

Note

You must configure RPC over HTTPS on your client-side appliances as well as your server-side Citrix SD-WAN WANOP appliances to accelerate the RPC over HTTPS connections.

To verify that RPC over HTTPS connections are being accelerated:

  1. Navigate to Monitoring > Optimization > Outlook (MAPI).

  2. On the Accelerated MAPI Sessions tab, verify that RPC over HTTPS connections are accelerated.


Note

The Application has possible values of: HTTPS eMAPI, HTTP eMAPI, HTTPS MAPI, and HTTP MAPI.
