Exchange 2013: Configuring Outlook anywhere
In Exchange 2013, Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere anyway.
That’s right. It’s all HTTP now from Exchange 2013. The Windows RPC over HTTP Proxy component, which Outlook Anywhere clients use to connect, wraps remote procedure calls (RPCs) with an HTTP layer. This allows traffic to traverse network firewalls without requiring RPC ports to be opened.
Follow these steps to configure Outlook Anywhere on an Exchange 2013 server.
1. From EAC, click Servers as shown and double-click the server name.
2. Before you proceed, please ensure that you have configured a certificate to use with Outlook Anywhere. You may leave the external hostname blank if you do not want your external clients to connect to Outlook Anywhere from the internet.
If you wish to disable Outlook Anywhere over the internet in Exchange 2013, simply leave the external hostname entry blank. This will ensure that only internal users can access Outlook…
Outlook Anywhere for a user depends on the attribute “MAPIBlockOutlookRpcHttp”, which can be found by running the cmdlet:
Get-CASMailbox alias | Format-List Name, *MAPIBlock*
It is important to understand the difference between the several authentication types Exchange offers for Outlook Anywhere:
Basic authentication: If you select this authentication type, Outlook will prompt for a username and password while attempting a connection with Exchange.
NTLM authentication: If you select this authentication type, Exchange does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. So, when Outlook is trying to connect to Exchange and the machine is domain joined, there isn’t a need to provide a password.
Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ Negotiate authentication, Exchange will authenticate the client using the NTLM authentication type and, if unable to verify authenticity, will challenge the client to authenticate using a username and password.
If you look at Outlook settings –> Account Settings –> More Settings –> Connection, you may see the same authentication settings.
When we configure Outlook Anywhere and select an authentication type, Autodiscover will update the Outlook client with all URL details and the authentication type.
Note that you should not be misled by the proxy settings in Outlook alone. If you have a different URL configured for InternalHostname and ExternalHostName, the Outlook proxy settings will only show InternalHostname, and this is by design.
Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment: http://support.microsoft.com/kb/2754898
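A consistency check for the authentication settings described above, as an added example that is not part of the original article. The function name Test-OutlookAnywhereAuth and the server names EX01/EX02 are assumptions; the property names are the ones Get-OutlookAnywhere returns, and the sample objects are constructed so the check can be read and run without an Exchange server.

```powershell
# Added example: audit Outlook Anywhere authentication settings.
# In the Exchange Management Shell: Get-OutlookAnywhere | Test-OutlookAnywhereAuth
function Test-OutlookAnywhereAuth {            # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$VirtualDirectory)
    process {
        $findings = New-Object System.Collections.Generic.List[string]
        $iis = @($VirtualDirectory.IISAuthenticationMethods | ForEach-Object { [string]$_ })
        foreach ($scope in 'External', 'Internal') {
            $method     = [string]$VirtualDirectory."${scope}ClientAuthenticationMethod"
            $requireSsl = [bool]$VirtualDirectory."${scope}ClientsRequireSsl"
            # Basic sends the password base64-encoded, so it must travel inside TLS.
            if ($method -eq 'Basic' -and -not $requireSsl) {
                $findings.Add("$scope clients use Basic but ${scope}ClientsRequireSsl is False")
            }
            # Autodiscover hands this method to Outlook; IIS has to accept it too.
            if ($method -and $iis -notcontains $method) {
                $findings.Add("$scope method '$method' is not in IISAuthenticationMethods")
            }
        }
        [pscustomobject]@{
            Identity            = [string]$VirtualDirectory.Identity
            PublishedExternally = [bool][string]$VirtualDirectory.ExternalHostname
            Findings            = $findings.ToArray()
        }
    }
}

# Constructed sample objects (server names EX01/EX02 are made up).
$sample = @(
    [pscustomobject]@{
        Identity = 'EX01\Rpc (Default Web Site)'; ExternalHostname = 'oa.msexchangeguru.com'
        ExternalClientAuthenticationMethod = 'Basic'; ExternalClientsRequireSsl = $true
        InternalClientAuthenticationMethod = 'Ntlm';  InternalClientsRequireSsl = $true
        IISAuthenticationMethods = @('Basic', 'Ntlm', 'Negotiate')
    },
    [pscustomobject]@{
        Identity = 'EX02\Rpc (Default Web Site)'; ExternalHostname = ''
        ExternalClientAuthenticationMethod = 'Basic'; ExternalClientsRequireSsl = $false
        InternalClientAuthenticationMethod = 'Ntlm';  InternalClientsRequireSsl = $true
        IISAuthenticationMethods = @('Basic', 'Negotiate')
    }
)
$sample | Test-OutlookAnywhereAuth | Format-List
```

The first sample object produces no findings; the second is flagged twice, once for Basic without SSL and once for an internal NTLM setting that IIS does not accept.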
Configuring high availability for Outlook anywhere in Exchange 2013:
In my case, I have the following configuration for load balancing and redundancy:
The URL oa.msexchangeguru.com will have 2 interfaces on a hardware load balancer as shown:
Any client which tries to establish a connection from the internet will talk to the external DNS record for the OA URL, which points to a firewall, which in turn points to the load balancer.
All internal clients are pointed to the load balancer's internal IP to bypass the firewall.
Testing Outlook Anywhere in Exchange 2013:
Testexchangeconnectivity.com, or Exchange Remote Connectivity Analyzer (ExRCA), is a service offered by Microsoft in their in-house data center which enables companies to test their Exchange features over the internet.
Navigate to testexchangeconnectivity.com and select the following option:
You may also use Test-OutlookConnectivity. The cmdlet tests for Outlook Anywhere (RPC over HTTP) connections. If the cmdlet test fails, the output notes the step that failed.
Ratish Nair
MVP Exchange
Team @MSexchangeGuru
March 9th, 2013 at 11:23 am
Hi all,
Thanks for the helpful article. In my case, my lab has 3 versions of Exchange systems (coexistence system): 1 DC + 3 Exchange PCs.
But I cannot create an Outlook profile (Exchange 2007/2010) for Exchange 2013 users.
I also created a certificate for Exchange 2013 (OWA, Autodiscover, OAB…) and applied it, but cannot solve my issue.
So, could you give me some ideas to troubleshoot my problem?
Thanks,
cuocdoi
March 21st, 2013 at 11:14 am
Hello,
How can I disable the auto-update feature of the RPC clients? I have 4 clients that have different mailboxes (3 Exchange accounts); they all point to the same URL. Not a problem, but Windows only holds one authentication because it thinks it is the same location. Windows popups the times for connection can be made.
I want to manually configure the other 2 Exchange mailboxes with another URL (pointing to the same IP).
I know this is possible, but how?
May 12th, 2013 at 11:23 am
Hi all,
Do we need to create a certificate for the external host “oa.msex….”, right?
Thanks,
July 3rd, 2013 at 10:02 am
Hi Ratish
Can you please help me understand the following?
I have
Site A Internet Access
2x CAS servers Ex2013 Cas Array 01
2x Mbx Servers Ex2013 DAG 01
Site B No Internet Access
2x CAS servers Ex2013 Cas Array 02
2x Mbx Servers Ex2013 DAG 02
Bandwidth between the sites is not an issue; there is plenty.
1. Are the CAS servers required in Site B, seeing that there is no Internet breakout?
2. Seeing that we can configure the internal URL of Outlook Anywhere per server, and assuming we need the 2x CAS servers in Site B, we can configure the internal OA URL for Site A to be CasArray01.intenal.net and Site B to be CasArray02.intenal.net. My question around this: is this how we can ensure that mailbox users located in Site B will always use CAS servers in Site B to connect to their mailboxes, and mailbox users in Site A will always connect to CAS servers in Site A?
There is not a lot of documentation on the web around how the Clients connect to the CAS Servers from internal, and across AD sites with CAS & mailbox servers and how to ensure SITE A only connects to SITE A Cas Servers and SITE B only connects to SITE B CAS Servers.
3. Does the Outlook Client use the SCP value in AD to determine which CAS server to connect to?
Your response would be highly appreciated.
July 27th, 2013 at 12:33 am
Please see this presentation from 9th minute 🙂
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B313#fbid=KGhuKQslbjD
August 10th, 2013 at 9:20 am
hey,
In Exchange 2010 we create a CAS Array, and in that array we add the CAS servers of the site so that users connect to that array for RPC/Outlook, and then we configure our mailbox databases to use that array for high availability.
In Exchange 2013, what do we have to do? Because after running the command
Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto
I only see one CAS server, which means if that CAS server goes down my client will not connect to Exchange any more. As you know, there is no more CAS array, and Exchange uses Outlook Anywhere for communication with the client.
Do we have another method to make this work?
Regards
October 3rd, 2013 at 4:37 am
Hi
I’ve followed this guide and it works for Outlook 2013.
But for our Outlook 2010sp1 users, we got this issue.
Outlook does not save password. 🙁
Is this because of Negotiate?
October 4th, 2013 at 5:45 am
I solved it!! 🙂
I changed OutlookAnywhere to
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
🙂 🙂
November 11th, 2013 at 5:10 am
Hi All,
Please see the below Scenario:
I have Exchange Server 2013 installed on two servers with DAG, and both roles (Mailbox and Client) are installed on both servers. So how do I configure the Outlook Anywhere setting?
Also one more issue is that while configuring Outlook, In server name it is showing different server E.g. fbee18a1-87c2-41fc-80eb-2e7495ffc80c@sitename
November 13th, 2013 at 9:05 am
@Pravin
Outlook anywhere configuration is explained above.
Server name is correct. Exchange 2013 has replaced server name with mailbox guid.
Exchange 2013 automatically configures outlook anywhere so you don’t need to do it manually if your outlook is configured
Outlook can only work with outlook anywhere with exchange 2013, there is no mapi/rpc client connectivity.
December 11th, 2013 at 2:25 pm
My LAN-connected users keep getting prompted for credentials. I noticed that my Outlook Anywhere proxy settings are ticking the box “on fast networks, use http first…” I suspect this is the cause. How do I remove this from being ticked automatically? I see that your settings don’t have it, and that’s the way I want mine to appear.
Thank you.
December 12th, 2013 at 2:39 pm
What’s the version of Exchange you’re running?
January 13th, 2014 at 5:34 pm
Hello Ratish,
We are running Exchange 2013 in co-existence with Exchange 2010.
We are going to point our Outlook Anywhere and OWA towards Exchange 2013. Mailboxes are still going to remain on Exchange 2010.
Currently Exchange 2010 CAS client and IIS authentication methods for Outlook Anywhere is “Basic”.
So what would be the authentication I need to set for Exchange 2013 Outlook Anywhere for the following: –
ExternalClientAuthenticationMethod
InternalClientAuthenticationMethod
IISAuthenticationMethods
We would like to keep the credential prompts for users as minimum as possible. All our Outlook clients are 2010.
Thanks.
March 19th, 2014 at 2:36 pm
Hello Raman,
Any update on your post? I have a similar problem. Did you resolve this issue?
March 22nd, 2014 at 4:55 pm
Hello Patrick,
I never had an issue I was just confirming. Now we have the following authentication for Outlook Anywhere: –
Exchange 2013 CAS Servers Outlook Anywhere
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
Exchange 2010 CAS server Outlook Anywhere
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
All our production mailboxes are still on Exchange 2010 although connections are coming via Exchange 2013 CAS servers since we have moved our External URL towards Exchange 2013.
Once I start moving mailboxes to exchange 2013 I am thinking to change Exchange 2010 CAS server Outlook Anywhere “ExternalClientAuthenticationMethod: NTLM” since Exchange 2010 CAS is a proxy server now since all the connections are first reaching Exchange 2013. I tried it in Test environment and it worked fine. Even in our current configuration it asks for ID and password once because Exchange 2013 CAS is “ExternalClientAuthenticationMethod: BASIC” that is expected behavior.
What exact problem are you facing? Is Outlook constantly prompting for credentials? Your Outlook Anywhere is also coming via Exchange 2013 and then proxy to Exchange 2010?
April 14th, 2014 at 10:33 am
Hi All,
I had an issue on Exchange 2013 SP1. A domain-connected computer automatically configures Outlook with NTLM settings, and if the same user tries to access from outside the LAN, it keeps asking for the password (never accepts the password). If changed to Basic, it is able to connect from outside the LAN. And when it connects to the LAN again, it reverts back to NTLM.
Urgent help would be greatly appreciated.
Thanks,
April 17th, 2014 at 2:22 pm
Hello. I have an issue: one CAS server 2013 and one mailbox server 2013. Outlook clients successfully get the autodiscover configuration, but can’t connect to the CAS server. https://testconnectivity.microsoft.com tells me that I have HTTP error 500 on https://exch.domain.name/rpc/rpcproxy.dll. I found that I have no MSExchangeRPC service on CAS, but have it on MBX. Is that normal?
April 21st, 2014 at 2:37 pm
@Sergey
Please post the error here and we will have a look and try to help you.
July 31st, 2014 at 7:09 pm
Ratish – I am trying to disable Outlook Anywhere for external users. Problem is that my internal namespace is publicly resolvable by DNS and needs to stay that way. I have left the External URL value blank, but that didn’t stop it from working. I would imagine a fake name wouldn’t break it, either. I would like to keep RPC over HTTP internally, so running “Set-CASMailbox –Identity John –MAPIBlockOutlookRpcHttp $True” isn’t desirable. I don’t use TMG, but have a web proxy, so maybe trying to block the port, but not sure, as I need 80/443 for OWA. Any other ideas?
August 1st, 2014 at 11:56 am
I tried leaving external blank; it does not disable OA externally.
August 2nd, 2014 at 12:42 pm
Reverse proxy (TMG/UAG) seems to be the only option. We have a Netscaler, so that will work too. Just a lot of config on my end. http://blogs.citrix.com/2013/12/19/tmg-replacement-for-exchange-2013-with-netscaler/
August 2nd, 2014 at 12:48 pm
@Ian and Ninad
Could you share your Exchange and Outlook versions?
August 2nd, 2014 at 12:50 pm
Outlook is a mix of 2010 & 2013, Exchange 2013.
August 5th, 2014 at 3:28 pm
Outlook 2010, Exchange 2013 and 2007 co-existence. Also tested it in pure Exchange 2013 LAB.
August 13th, 2014 at 5:12 pm
I was able to block outlook for external users by setting IIS IP Domain restrictions on the Servers by allowing only internal IP ranges and denying ALL on the RPC Website. Webmail still works for external.
August 14th, 2014 at 12:13 pm
Thank you for the update Ninad.
August 14th, 2014 at 12:30 pm
Very interesting, thanks for the idea. I was looking to do something like this, as I have done it for EWS in the past and that works well, too. Has anyone else tried this?
August 19th, 2014 at 11:07 pm
I have put this into production; it does the trick for sure! MUCH easier than a reverse proxy!
Thanks, Ninad.
December 4th, 2014 at 11:10 pm
I have a problem when using the Exchange remote connectivity test. It shows me that the test connects to the wrong address, https://domain.com/autodiscover/autodiscover.xml. My address is https://mail.domain.com/autodiscover/autodiscover.xml. Please advise on the problem. Thanks.
January 8th, 2015 at 8:37 am
hi Ratish,
thanks a lot for sharing. Exchange 2013 /ECP is a big difference compared to EMC within the older Exchange versions like 2010 or 2007. Usually I had to do this by commands in EMS or in the EMC. Thanks to your article I now know where to find this setting in 2013.
January 10th, 2015 at 2:01 pm
AutoDiscover address should be autodiscover.domain.com
Please change the internaluri on the clientaccessserver properties
October 13th, 2015 at 2:42 am
Hi Dear,
I am currently testing 2 CAS NLB and 2 DAG Exchange 2013 coexisting with Exchange Server 2007 SP3 (single server). I am facing the problem that Outlook always asks for a username and password any time it connects to the email server (mail.contoso.com). From your experience, could you let me know how to solve this problem? (Clients connecting to Exchange 2007 are OK, but the 2013 CAS always prompts for a password.) I would appreciate your answer to my comment. Best Regards, SAM.
October 13th, 2015 at 3:18 am
Sam,
Check the coexistence urls and authentication blog of mine.
It seems to be an authentication issue. Frontend should be Basic and backend should be Basic and NTLM. I guess you are missing NTLM at some point.
October 13th, 2015 at 11:18 am
Dear Prabhat, thanks for the blog and feedback. Now that I apply NTLM for clients’ internal connectivity, it seems there is no alert for password.
October 15th, 2015 at 1:07 am
Dear Prabhat, I would like to ask you a few more questions related to Exchange 2007 and 2013 coexistence. When I check Outlook client connectivity, it shows the client accessing CAS (mail.contoso.com) and also trying to connect to (legacy.contoso.com). Sometimes it shows NTLM, and sometimes it shows Negotiation. I already changed Exchange 2007 to NTLM. Please kindly advise. Thanks.
October 28th, 2015 at 5:38 pm
legacy.contoso.com is only required for OWA and EWS on Exchange 2007.