MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Exchange 2013: Configuring Outlook anywhere

In Exchange 2013, Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere anyway.

That’s right. It’s all HTTP now from Exchange 2013. The Windows RPC over HTTP Proxy component, which Outlook Anywhere clients use to connect, wraps remote procedure calls (RPCs) with an HTTP layer. This allows traffic to traverse network firewalls without requiring RPC ports to be opened.

 

Follow these steps to configure Outlook Anywhere on an Exchange 2013 server.

1. From EAC, click Servers as shown and double-click the server name.

2. Before you proceed, please ensure that you have configured a certificate to use with Outlook Anywhere. You may leave the external hostname blank if you do not want your external clients to connect to Outlook Anywhere from the internet.

If you wish to disable Outlook Anywhere over the internet in Exchange 2013, simply leave the external hostname entry blank!!! This will ensure that only internal users can access Outlook…

Outlook Anywhere for a user depends on the attribute “MAPIBlockOutlookRpcHttp”, which you can view by running the cmdlet:

Get-CASMailbox alias | Format-List Name, *MAPIBlock*

It is important to understand the difference between the authentication types Exchange offers for Outlook Anywhere.

Basic authentication: If you select this authentication type, Outlook will prompt for a username and password while attempting a connection with Exchange.

NTLM authentication: If you select this authentication type, Exchange does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. So, when Outlook is trying to connect to Exchange and the machine is domain joined, there isn’t a need to provide a password.

Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ Negotiate authentication, Exchange will authenticate the client using the NTLM authentication type and, if unable to verify authenticity, will challenge the client to authenticate using a username and password.

If you look at Outlook settings –> Account Settings –> More Settings –> Connection, you may see the same authentication settings.

When we configure Outlook Anywhere and select an authentication type, Autodiscover will update the Outlook client with all URL details and the authentication type.

Note that you should not be misled by the proxy settings in Outlook alone. If you have a different URL configured for InternalHostname and ExternalHostName, the Outlook proxy settings will only show InternalHostname, and this is by design.

Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment: http://support.microsoft.com/kb/2754898
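Because the Outlook dialog only shows part of the picture, the server-side values are the ones to review. The following is an added example, not code from the original article: a PowerShell function that inspects objects shaped like Get-OutlookAnywhere output and flags combinations that weaken the authentication types described above. The function name Test-OutlookAnywhereConfig, the server names and the two sample objects are constructed for illustration; in the Exchange Management Shell, pipe Get-OutlookAnywhere into the function instead of $samples.

```powershell
# Added example. Test-OutlookAnywhereConfig is a hypothetical helper, not an Exchange cmdlet.
function Test-OutlookAnywhereConfig {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Config)
    process {
        $findings = @()
        # Methods IIS accepts on the Rpc virtual directory.
        $iis = @($Config.IISAuthenticationMethods | ForEach-Object { [string]$_ })

        foreach ($scope in 'External', 'Internal') {
            $method = [string]$Config."${scope}ClientAuthenticationMethod"
            $ssl    = [bool]$Config."${scope}ClientsRequireSsl"

            if (-not $ssl) {
                $findings += "$scope clients are not required to use SSL"
            }
            # Basic sends the password with every request, so it must not travel without TLS.
            if ($method -eq 'Basic' -and -not $ssl) {
                $findings += "$scope Basic authentication without required SSL exposes passwords"
            }
            # Autodiscover hands this method to Outlook; IIS must accept it or logons fail.
            if ($method -and $iis -notcontains $method) {
                $findings += "$scope method '$method' is missing from IISAuthenticationMethods"
            }
        }

        [pscustomobject]@{
            Identity         = [string]$Config.Identity
            InternalHostname = [string]$Config.InternalHostname
            ExternalHostname = [string]$Config.ExternalHostname
            Findings         = $findings
        }
    }
}

# Constructed sample objects standing in for Get-OutlookAnywhere output (server names are made up).
$samples = @(
    [pscustomobject]@{
        Identity = 'EX2013-A\Rpc (Default Web Site)'
        InternalHostname = 'oa.msexchangeguru.com'; ExternalHostname = 'oa.msexchangeguru.com'
        ExternalClientAuthenticationMethod = 'Basic'; ExternalClientsRequireSsl = $true
        InternalClientAuthenticationMethod = 'Ntlm';  InternalClientsRequireSsl = $true
        IISAuthenticationMethods = 'Basic', 'Ntlm', 'Negotiate' },
    [pscustomobject]@{
        Identity = 'EX2013-B\Rpc (Default Web Site)'
        InternalHostname = 'oa.msexchangeguru.com'; ExternalHostname = ''
        ExternalClientAuthenticationMethod = 'Basic'; ExternalClientsRequireSsl = $false
        InternalClientAuthenticationMethod = 'Negotiate'; InternalClientsRequireSsl = $true
        IISAuthenticationMethods = 'Basic', 'Ntlm' }
)
$samples | Test-OutlookAnywhereConfig | Format-List
```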

Configuring high availability for Outlook Anywhere in Exchange 2013:

In my case, I have the following configuration for load balancing and redundancy:

The URL oa.msexchangeguru.com will have 2 interfaces on a hardware load balancer, as shown:

Any client that tries to establish a connection from the internet will talk to the external DNS record for the OA URL, pointing to a firewall which in turn points to the load balancer.

All internal clients are pointed to the load balancer's internal IP to bypass the firewall.

Testing Outlook Anywhere in Exchange 2013:

Testexchangeconnectivity.com, or Exchange Remote Connectivity Analyzer (ExRCA), is a service offered by Microsoft in their in-house data center that enables companies to test their Exchange features over the internet.

Navigate to testexchangeconnectivity.com and select the following option:

You may also use Test-OutlookConnectivity. The cmdlet tests for Outlook Anywhere (RPC over HTTP) connections. If the cmdlet test fails, the output notes the step that failed.

Ratish Nair

MVP Exchange

Team @MSexchangeGuru


30 Responses to “Exchange 2013: Configuring Outlook anywhere”

  1. Blog Posts of the Week (06th - 12th January 2013) - The South Asia MVP Blog - Site Home - TechNet Blogs Says:

    [...] Exchange 2013: Configuring Outlook anywhere [...]

  2. Exchange 2010 – Outlook Anywhere – Outlook is unable to connect to the proxy server. (Error Code 10) | FICILITY.NET Says:

    [...] Exchange 2013: Configuring Outlook anywhere [...]

  3. cuocdoi Says:

    Hi all,

    Thanks for the helpful article. In my case, my lab has 3 versions of Exchange (coexistence system): 1 DC + 3 Exchange PCs.

    But I cannot create an Outlook profile (Exchange 2007/2010) for Exchange 2013 users.

    I also created a certificate for Exchange 2013: OWA, Autodiscover, OAB… and applied it, but cannot solve my issue.

    So, could you give me some ideas to troubleshoot my problem?
    Thanks,
    cuocdoi

  4. MKW Says:

    Hello,

    How can I disable the auto-update feature of the RPC clients? I have 4 clients that have different mailboxes (3 Exchange accounts); they all point to the same URL. Not a problem, but Windows only holds one authentication because it thinks it is the same location. Windows popups the times for connection can be made.
    I want to manually configure the other 2 Exchange mailboxes with another URL (pointing to the same IP).

    I know this is possible but how.

  5. cuocdoi Says:

    Hi all,

    Do we need to create a certificate for the external host “oa.msex….”, right?

    Thanks,

  6. Pierre Says:

    Hi Ratish

    Can you please help me understand the following?

    I have

    Site A Internet Access
    2x CAS servers Ex2013 Cas Array 01
    2x Mbx Servers Ex2013 DAG 01

    Site B No Internet Access
    2x CAS servers Ex2013 Cas Array 02
    2x Mbx Servers Ex2013 DAG 02

    Bandwidth between the sites is not an issue; there is plenty.

    1. Are the CAS servers required in Site B, seeing that there is no Internet breakout?
    2. Seeing that we can configure internal URL of outlook anywhere per server and assuming we need the 2x CAS servers in Site B, we can configure the internal OA URL for site A to be CasArray01.intenal.net & site B to be CasArray02.intenal.net. My question around this, is this how we can ensure that Mailbox users located in Site B will always use CAS servers in Site B to connect to their mailboxes? and Mailbox Users in Site A will always connect to CAS Servers in Site A?

    There is not a lot of documentation on the web around how the Clients connect to the CAS Servers from internal, and across AD sites with CAS & mailbox servers and how to ensure SITE A only connects to SITE A Cas Servers and SITE B only connects to SITE B CAS Servers.

    3. Does the Outlook Client use the SCP value in AD to determine which CAS server to connect to?

    Your response would be highly appreciated.

  7. Ratish Sekhar Says:

    Please see this presentation from 9th minute :-)
    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B313#fbid=KGhuKQslbjD

  8. sajid Says:

    Hey,
    In Exchange 2010 we create a CAS array and in that array we add the CAS servers of the site so that users connect to that array for RPC/Outlook, and then we configure our mailbox databases to use that array for high availability.

    In Exchange 2013, what do we have to do? Because after running the command

    Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto
    I only see one CAS server, which means if that CAS server goes down my clients will not connect to
    Exchange any more. As you know, there is no more CAS array and Exchange uses Outlook Anywhere for communication with clients.
    Do we have another method to make this work?
    Regards

  9. Patrik Says:

    Hi

    I’ve followed this guide and it works for Outlook 2013.
    But for our Outlook 2010 SP1 users, we got this issue.
    Outlook does not save the password. :-(
    Is this because of Negotiate?

  10. Patrik Says:

    I solved it!! :-)
    I changed OutlookAnywhere to

    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
    ExternalClientsRequireSsl : True
    InternalClientsRequireSsl : True

    :-) :-)

  11. pravin Says:

    Hi All,

    Please see the below Scenario:

    I have Exchange Server 2013 installed on two servers with a DAG, and both roles (Mailbox and Client) are installed on both servers. So how do I configure the Outlook Anywhere settings?

    Also, one more issue is that while configuring Outlook, the server name shows a different server, e.g. fbee18a1-87c2-41fc-80eb-2e7495ffc80c@sitename

  12. Prabhat Nigam Says:

    @Pravin
    Outlook Anywhere configuration is explained above.
    Server name is correct. Exchange 2013 has replaced the server name with the mailbox GUID.
    Exchange 2013 automatically configures Outlook Anywhere, so you don’t need to do it manually if your Outlook is configured.
    Outlook can only work with Outlook Anywhere with Exchange 2013; there is no MAPI/RPC client connectivity.

  13. Cesar Says:

    My LAN-connected users keep getting prompted for credentials. I noticed that my Outlook Anywhere proxy settings are ticking the box “on fast networks, use http first…” I suspect this is the cause. How do I stop this from being ticked automatically? I see that your settings don’t have it and that’s the way I want mine to appear.

    Thank you.

  14. Ratish Nair Says:

    What’s the version of Exchange you’re running?

  15. Raman Says:

    Hello Ratish,
    We are running Exchange 2013 in co-existence with Exchange 2010.
    We are going to point our Outlook Anywhere and OWA towards Exchange 2013. Mailboxes are still going to remain on Exchange 2010.
    Currently Exchange 2010 CAS client and IIS authentication methods for Outlook Anywhere is “Basic”.
    So what would be the authentication I need to set for Exchange 2013 Outlook Anywhere for the following: –
    ExternalClientAuthenticationMethod
    InternalClientAuthenticationMethod
    IISAuthenticationMethods

    We would like to keep the credential prompts for users as minimum as possible. All our Outlook clients are 2010.
    Thanks.

  16. patrick Says:

    Hello Raman,
    Any update on your post? I have a similar problem. Did you resolve this issue?

  17. Raman Says:

    Hello Patrick,
    I never had an issue I was just confirming. Now we have the following authentication for Outlook Anywhere: –

    Exchange 2013 CAS Servers Outlook Anywhere
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

    Exchange 2010 CAS server Outlook Anywhere
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm}

    All our production mailboxes are still on Exchange 2010 although connections are coming via Exchange 2013 CAS servers since we have moved our External URL towards Exchange 2013.
    Once I start moving mailboxes to exchange 2013 I am thinking to change Exchange 2010 CAS server Outlook Anywhere “ExternalClientAuthenticationMethod: NTLM” since Exchange 2010 CAS is a proxy server now since all the connections are first reaching Exchange 2013. I tried it in Test environment and it worked fine. Even in our current configuration it asks for ID and password once because Exchange 2013 CAS is “ExternalClientAuthenticationMethod: BASIC” that is expected behavior.
    What exact problem are you facing? Is Outlook constantly prompting for credentials? Your Outlook Anywhere is also coming via Exchange 2013 and then proxy to Exchange 2010?

  18. Rani Says:

    Hi All,

    I had an issue on Exchange 2013 SP1. A domain-connected computer automatically configures Outlook with NTLM settings, and if the same user tries to access from outside the LAN, it keeps asking for the password (never accepts the password). If changed to Basic, then it is able to connect from outside the LAN. And when it connects to the LAN again, it reverts back to NTLM.

    Urgent help would be greatly appreciated.

    Thanks,

  19. Sergey Says:

    Hello. I have an issue: one CAS server 2013 and one mailbox server 2013. Outlook clients successfully get the Autodiscover configuration, but can’t connect to the CAS server. https://testconnectivity.microsoft.com tells me that I have HTTP error 500 on https://exch.domain.name/rpc/rpcproxy.dll. I found that I have no MSExchangeRPC service on CAS, but have it on MBX. Is that normal?

  20. Prabhat Nigam Says:

    @Sergey
    Please post the error here and we will have a look and try to help you.

  21. Ian Says:

    Ratish – I am trying to disable Outlook Anywhere for external users. Problem is that my internal namespace is publicly resolvable by DNS and needs to stay that way. I have left the External URL value blank, but that didn’t stop it from working. I would imagine a fake name wouldn’t break it, either. I would like to keep RPC over HTTP internally, so running “Set-CASMailbox –Identity John –MAPIBlockOutlookRpcHttp $True” isn’t desirable. I don’t use TMG, but have a web proxy, so maybe trying to block the port, but not sure, as I need 80/443 for OWA. Any other ideas?

  22. Ninad Says:

    I tried leaving external blank; it does not disable OA externally.

  23. Ian Says:

    Reverse proxy (TMG/UAG) seems to be the only option. We have a Netscaler, so that will work too. Just a lot of config on my end. http://blogs.citrix.com/2013/12/19/tmg-replacement-for-exchange-2013-with-netscaler/

  24. Prabhat Nigam Says:

    @Ian and Ninad

    Could you share your Exchange and Outlook versions?

  25. Ian Says:

    Outlook is a mix of 2010 & 2013, Exchange 2013.

  26. Ninad Says:

    Outlook 2010, Exchange 2013 and 2007 co-existence. Also tested it in pure Exchange 2013 LAB.

  27. Ninad Says:

    I was able to block outlook for external users by setting IIS IP Domain restrictions on the Servers by allowing only internal IP ranges and denying ALL on the RPC Website. Webmail still works for external.

  28. Prabhat Nigam Says:

    Thank you for the update Ninad.

  29. Ian Says:

    Very interesting, thanks for the idea. I was looking to do something like this, as I have done it for EWS in the past and that works well, too. Has anyone else tried this?

  30. Ian Says:

    I have put this into production; it does the trick for sure! MUCH easier than a reverse proxy!
    Thanks, Ninad.
