Remote Procedure Calls (RPCs) in the Exchange Front-End and Back-End Topology


DSAccess no longer uses RPCs to perform Active Directory service discovery; however, it does use RPCs for other tasks. To disable these, see Configuring DSAccess for Perimeter Networks. Separately, IIS still uses RPCs to authenticate requests on the front-end server. Therefore, if you enable authentication on the front-end server (which is strongly recommended), the front-end server must be able to use RPCs to reach the domain controllers. The recommended topology places the front-end server behind the internal firewall, where this is not a problem. If you must place the front-end server in a perimeter network, you must open the required RPC ports on the internal firewall. For more information about opening RPC ports on the intranet firewall, see Configuring an Intranet Firewall.

Features Lost by Placing an Exchange Front-End Server in the Perimeter Network without RPC Access

Important

This section applies if you place an Exchange front-end server in the perimeter network and do not allow RPC traffic across the internal firewall.

Corporations that have perimeter networks often restrict the type of traffic that passes from the perimeter network into the corporate intranet.

Without RPC access to Active Directory servers, the front-end server cannot authenticate clients. Therefore, features that require authentication on the front-end server, such as implicit logon and public folder tree load balancing, do not work. Public folder access is still possible, but the front-end server cannot load-balance the requests, because it cannot determine the identity of the user: without the user's authentication token, the front-end server cannot run the load-balancing hashing algorithm. As a result, all anonymous requests for a public folder are routed to the same back-end server.

Note

It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network.

Note

IMAP and POP clients require SMTP to send e-mail messages. If you do not allow RPC traffic across the internal firewall, you cannot run SMTP on the front-end server to support IMAP and POP clients, because MSExchangeIS (the Microsoft Exchange Information Store service) does not run on the front-end server when RPC traffic is blocked. However, you can set up a separate server to perform SMTP functions for IMAP and POP clients.

If RPC ports are not allowed between the perimeter network and the corporate intranet, you must use pass-through authentication. With pass-through authentication, the front-end server accepts requests anonymously and passes them to the back-end server, which then performs the authentication.
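The following script is an added example and is not part of the original article or of the Exchange product. Run on a front-end server, it checks the two conditions this topic turns on: whether the RPC endpoint mapper (TCP 135) on each domain controller and back-end server is reachable through the internal firewall, and whether the Exchange virtual directories in IIS are still configured to authenticate on the front-end (which needs that RPC access) or for anonymous pass-through. The host names, the site number (W3SVC/1 for the Default Web Site) and the virtual directory names are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original article): check RPC reachability from an
# Exchange front-end server and report the IIS authentication mode of its
# Exchange virtual directories. Names below are assumptions for illustration.
param(
    # Assumed names: replace with your domain controllers and back-end servers.
    [string[]]$Targets = @('dc1.corp.example.com', 'be1.corp.example.com'),
    # Assumed: Exchange virtual directories under the Default Web Site (W3SVC/1).
    [string[]]$VirtualDirectories = @('Exchange', 'Public', 'ExchWeb'),
    [int]$TimeoutMs = 3000
)

# An RPC session begins with a call to the endpoint mapper on TCP 135. If that
# port is blocked at the internal firewall, no RPC-based authentication against
# the domain controllers can succeed from this server.
function Test-RpcEndpointMapper {
    param([string]$ComputerName, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, 135, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# IIS 6 metabase AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows,
# 16 = Digest. Pass-through authentication means the front-end accepts the
# request anonymously (AuthFlags = 1 only) and the back-end authenticates it.
function Get-VdirAuthMode {
    param([string]$Name)
    $vdir  = [ADSI]"IIS://localhost/W3SVC/1/ROOT/$Name"
    $flags = [int]$vdir.Properties['AuthFlags'].Value
    $modes = @()
    if ($flags -band 1)  { $modes += 'Anonymous' }
    if ($flags -band 2)  { $modes += 'Basic' }
    if ($flags -band 4)  { $modes += 'Integrated' }
    if ($flags -band 16) { $modes += 'Digest' }
    New-Object PSObject -Property @{
        VirtualDirectory = $Name
        AuthFlags        = $flags
        Modes            = ($modes -join ',')
        PassThroughOnly  = ($flags -eq 1)
    }
}

$rpcBlocked = $false
foreach ($t in $Targets) {
    $ok = Test-RpcEndpointMapper -ComputerName $t -Timeout $TimeoutMs
    if (-not $ok) { $rpcBlocked = $true }
    '{0,-30} RPC endpoint mapper (TCP 135): {1}' -f $t, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

foreach ($v in $VirtualDirectories) {
    $auth = Get-VdirAuthMode -Name $v
    $note = ''
    if ($rpcBlocked -and -not $auth.PassThroughOnly) {
        # Front-end authentication without RPC access fails: either open the RPC
        # ports on the internal firewall or switch this directory to anonymous.
        $note = '  <- requires RPC to authenticate; use pass-through or open the RPC ports'
    }
    '/{0,-10} AuthFlags={1} ({2}){3}' -f $auth.VirtualDirectory, $auth.AuthFlags, $auth.Modes, $note
}
```

Two caveats when reading the output. A reachable TCP 135 only proves that the endpoint mapper is open; the dynamic ports that the mapper hands back must also pass the internal firewall, so treat a successful check as necessary rather than sufficient and consult Configuring an Intranet Firewall for the full list. The virtual directory check reads the IIS 6 metabase through ADSI and therefore has to run locally on the front-end with administrative rights; a directory that shows Basic or Integrated alongside Anonymous is not in pass-through mode, because IIS will still try to authenticate any client that presents credentials.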